Many enterprise VPN providers have had less than stellar years. It hasn’t been an opportune time to be in the business, particularly for enterprise providers who weren’t diligent with their upkeep and management. A great number of vulnerabilities were found and disclosed, in some cases far too late for the businesses utilizing those VPNs. Iranian hackers have had a field day with the misfortunes of others, and they’ve proven to be formidable opponents.
Disclosure Opened Windows for Eager, Prodigious Hackers
The time between a bug being disclosed and a bug being fixed is not typically very long, but in these cases, it happened to be just long enough. Researchers at ClearSky found that Iranian hackers were able to move at lightning speed, almost as though they were laying in wait for vulnerabilities to be exposed to unleash prepackaged hacking solutions.
According to ClearSky’s findings, APT groups in Iran are exceedingly fast and effective at exploiting one day vulnerabilities, sometimes making productive moves within ours of disclosure. Iranian hackers aren’t wasting any time, and their proficiency rivals that of well known Chinese and Russian hacking collectives.
The Affected Companies
Many companies utilizing Pulse Secure, Fortinet, Citrix, and Palo Alto Networks VPN services were impacted by hacks. Out of all companies utilizing those enterprise VPN providers, Iranian hackers seemed most interested in government, security, oil, aviation, IT, and telecom companies. The hacks seem to be more geared towards collecting information than gaining profit.
Establishing Backdoors
ClearSky has detailed what they believe the process was. Iranian attackers structured their attacks like a very clever hide-a-key system. They infiltrated enterprise networks just long enough to create another backdoor they could come through later. They’ve set themselves up for future and more fruitful attempts by giving themselves to keys to access the network, even when the vulnerabilities in their VPNs were patched. These attacks that involve lateral moves after a breach give hackers everything they need to continuously hit the same sweet spots.
Hackers had a whole host of tools at their disposal, including open source tools. Invoke the Hash and JuicyPotato were used in conjunction with more complex tools, like Serveo and Plink. Anything that couldn’t be accomplished with a modified pre-existing tool was created by the hackers themselves. They’ve made their own malware, and so far, that malware has proven to be effective enough to accomplish what the hackers were attempting to accomplish.
The Synergy of Hackers
China has powerful hacking collectives and groups. APT groups in China are responsible for massive attacks. Although it has not been clearly defined, it appears that there are multiple groups of Iranian hackers as well as individuals who are all working toward the same or similar goals. It appears that hacks launched from Iran come from at least three groups – APT33, APT34, and APT39.
This “power in numbers” scenario suggests that as Iranian hackers become more organized, they become more competent. The cybersecurity industry did not previously regard Iranian hackers as being among the most proficient threats, but recent developments have given enough cause for the world to rethink Iran’s role as it pertains to security threats.
What Are They Trying to Do?
The only thing researchers at ClearSky know with certainty is that these backdoors seem to prioritize surveillance. The implications of what else can be done via these backdoors is far darker than a simple spying operation. Iran has been discovered to be the origin for Dustman and ZeroCleare, two highly efficient pieces of data wiping malware. If either were to be utilized on a business or institution, vital data could be lost forever.
Industrial Control Systems are Iran’s favorite target – particularly global energy and oil. Iranian hackers have a tendency to aim for vulnerable spots with large industrial players first. There have been reported instances of malware that has successfully infiltrated ICS affiliated entities linking back to APT33, an Iranian hacking group. The FBI has warned all private sector firms supporting ICS that they’re more than just vulnerable targets – they may have already been hit.
Any business or entity impacted by the string of VPN breaches should do more than merely apply patches. Networks need to be scanned for signs of compromise, user lists and permissions need to be thoroughly scrutinized,
Choosing a Safe VPN Provider
Since Iranian hackers have shown a clearly established pattern of pouncing on vulnerabilities the moment they’re announced, it’s safe to assume that no one is out of the woods yet. If you need a VPN you can rely on, it is more important now than ever to thoroughly research providers. Many enterprise VPN companies will do the bare minimum to bring their services up to security standards, and the bare minimum is often not enough.
Choose a VPN provider with round the clock support and an active interest in bug reporting. Nothing will ever be without flaws, but a competent team capable for rapid and permanent fixes reduces the potential window of vulnerability that hacking groups may use to move laterally though a company and steal or hold data ransom.
If you are currently utilizing a VPN provider and you fear you may be in danger, check regularly for alerts and updates regarding the security of your service. Apply patches immediately, and do not hesitate to scan your network for signs of compromise. The earlier you catch an infiltrator, the less damage they’ll be capable of doing.