A new security report alleges that Iranian hackers have accessed private company data by exploiting VPN software designed to protect corporate networks.
The paper, from Israeli firm ClearSky Cyber Security, has found that flaws in VPNs can serve as a route into otherwise protected systems. Additionally, these exploits can leave backdoors for hackers to continue to infiltrate the systems, even once the flaw has been patched.
According to ClearSky, the activity is “among Iran’s most continuous and comprehensive campaigns revealed until now.” We take a look at the methods being used, and how companies can protect themselves.
What do the Hackers Want?
Unfettered access to private systems can be devastating for a hacked company. Once deep into a company system, hackers can install ransomware, or simply bring a company to its knees with malware. While there have been cases in the past of Iranian agents installing these types of software onto foreign systems, this doesn't appear to be the aim for the groups identified in the report.
The report from ClearSky, which dubs the activity “Fox Kitten”, shows that the main goal has been to access information, steal data and perform reconnaissance.
“During our analysis of the different targets, we have seen that the attackers are manually sifting the relevant intelligence before sending it back to Iran. After marking all the desired files, the material will be compressed into WinRAR or 7-ZIP files, and only then will be sent to the attackers.” – ClearSky Cyber Security report
As for the targets, they have to date been companies holding information of value to the Iranians, suggesting an espionage intent rather than a financial motive. The report does conclude, though, that this method could be used to spread destructive malware if desired. Countries including the USA, Israel, France, Poland, Germany and others have been targeted, in the IT, defence, electricity, oil and aviation sectors. The map below shows the countries where the most activity has taken place, with the red countries identified as the most frequently attacked:
How are Iranian Hackers Exploiting VPNs?
According to the report from ClearSky, there are several methods being adopted by the hackers, but the most popular has been utilising exploits in VPN software used by the companies. While such vulnerabilities are usually patched very quickly to prevent nefarious activity, ClearSky has reason to believe that the hackers are leveraging these bugs as soon as they are made public, in the window before the software is fixed.
While this might seem on the surface to provide only a small window in which company data can be accessed, the report shows that the hackers are installing backdoors, using self-developed tools, which allow continued and regular access long after the original vulnerability has been patched.
The exploits name-checked in the report target VPN products including Pulse Secure, Fortinet FortiOS and Palo Alto Networks. In the case of Palo Alto Networks, a vulnerability was recently used by Iranian state-sponsored hackers to mount a malware attack on the national oil company of Bahrain.
Once in, it could be some time before the activity is noticed. The infiltration can be so discreet that the company affected may never actually become aware of the attack, or of the ongoing data mining.
According to the report, the Iranian hacking groups are believed to have been using these methods successfully for the past three years, and in that time to have stolen information from dozens of companies around the world.
How Can Companies Protect Themselves?
Given that the hackers are using newly found exploits in VPN software before these have been patched, it might appear that there is little companies can do to stay safe. However, ClearSky Cyber Security has offered some practical tips for those concerned:
- Review the VPN platforms being used by your organization. How essential are they, and how transparent is the security reporting and patch-fixing?
- According to ClearSky, companies have anywhere between 24 hours and a week before a publicly revealed exploit becomes a genuine security concern.
- Constant monitoring of VPN systems is a must. They should be regularly checked for unusual activity, as well as constantly updated as soon as the latest software becomes available.
- After each update, reset passwords for all users. Adopting two-factor authentication is also recommended.
- Regularly check logs for new users that may not be legitimate. In these hacks, new user accounts were created to allow continued access to the systems.
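The last two tips above (reset credentials after each update, then watch the logs for accounts that should not exist) can be turned into a small check. The script below is an added example, not code from the ClearSky report; the audit-log format, account names, addresses and timestamps are all constructed for illustration and do not correspond to any real VPN vendor's log format. It flags accounts created after a patch that are not on an approved change roster, were created from an outside address, or were created by an account that was itself flagged.

```python
"""Flag suspicious account creations in a (hypothetical) VPN appliance audit log."""
import re
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <EVENT> key=value ...". Hypothetical format.
SAMPLE_LOG = """\
2020-02-10T08:02:11Z PATCH_APPLIED version=PLACEHOLDER-VERSION admin=jsmith
2020-02-10T08:40:57Z USER_CREATED user=svc_backup role=admin by=jsmith src=10.0.0.5
2020-02-11T23:14:03Z USER_CREATED user=support2 role=admin by=admin src=203.0.113.44
2020-02-12T09:00:00Z USER_CREATED user=mlee role=user by=jsmith src=10.0.0.5
2020-02-13T02:31:40Z USER_CREATED user=vpnadm role=admin by=support2 src=203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+)(.*)$")


def parse_log(text):
    """Return a list of (timestamp, event_name, fields_dict) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append((ts, m.group(2), fields))
    return events


def suspicious_accounts(text, approved, internal_prefix="10.", window_days=7):
    """Map each suspicious new account to the list of reasons it was flagged.

    'approved' is the set of usernames on the change roster (assumed to be maintained
    by the administrators). Creation shortly after a patch is recorded as context only;
    an account is flagged when it is unapproved, created from an external address, or
    created by an account that was already flagged (the persistence chain seen in the report).
    """
    events = parse_log(text)
    patch_times = [ts for ts, ev, _ in events if ev == "PATCH_APPLIED"]
    flagged = {}
    for ts, ev, f in events:
        if ev != "USER_CREATED":
            continue
        reasons = []
        if any(0 <= (ts - p).total_seconds() <= window_days * 86400 for p in patch_times):
            reasons.append("created within %d days of a patch" % window_days)
        if f["user"] not in approved:
            reasons.append("not on the approved change roster")
        if not f.get("src", "").startswith(internal_prefix):
            reasons.append("created from external address " + f.get("src", "?"))
        if f.get("by") in flagged:
            reasons.append("created by already-flagged account " + f["by"])
        if len(reasons) > 1 or (reasons and "patch" not in reasons[0]):
            flagged[f["user"]] = reasons
    return flagged
```

Running `suspicious_accounts(SAMPLE_LOG, {"svc_backup", "mlee"})` on the constructed log flags `support2` and `vpnadm` while leaving the two rostered accounts alone.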