Iran: A significant number of security bugs were disclosed last year pertaining to major VPN providers such as Pulse Secure, Palo Alto, Fortinet, and Citrix. A new report indicates that the Iranian government took notice of those vulnerabilities and set its cyber-units to work on exploiting them. According to research done by ClearSky, the Iranian hackers used this access to target companies within the “IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors.” In some instances, Iranian hackers were seen exploiting the VPN flaws within hours of the public disclosure of the bugs. Throughout this campaign, the hackers worked to quickly install backdoor access on enterprise systems to allow for easier access to corporate networks at a later date. The operation appears to have been designed to take place in two phases: phase one is the breach of the enterprise networks through the VPN vulnerabilities, and phase two involves moving laterally within victim networks with a collection of various tools.
Many still look at Iranian hackers as being less capable than other state-sponsored threat groups. However, the quick action, directed focus, and methods employed in this campaign should be an eye-opener for many that Iran has greater cyber capabilities than it is often given credit for. Binary Defense’s MDR solution is capable of detecting lateral movement within our clients’ networks. Early detection of lateral movement can be vital in containing an intruder and limiting the damage done during an attack. More information can be found at https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/