Iranian hackers leverage VPN vulnerabilities to install backdoors in corporate and government networks.
On February 16th, cybersecurity firm ClearSky revealed that they had uncovered a persistent and long-running campaign by Iranian-backed hacker groups to infiltrate computer networks by exploiting known CVEs in VPN solutions from companies such as Pulse Secure, Fortinet, Palo Alto Networks, and Citrix. In some cases, attacks would begin on the targeted VPNs within hours of new CVEs being disclosed. Once the hackers had penetrated the target networks, they installed backdoors that would enable them to continue accessing the network even after the vulnerabilities had been patched. Industrial sectors that were targeted include IT and computing, utilities, defense, petroleum, and aviation.
The installed backdoors are difficult to detect and remove. ClearSky warns of the possibility of large-scale infrastructure attacks in the future since the hackers could activate all the backdoors at once to bring down utilities, communications, and transportation networks across the country.
Leveraging Public CVEs for Nefarious Purposes
The Mitre Corporation operates and maintains the National Cybersecurity FFRDC, which identifies and publishes information-security vulnerabilities (CVEs) in publicly released software so that security professionals can understand, remediate, or avoid vulnerable software more efficiently.
Now it appears the CVEs are being exploited by hacking groups such as the Iranian-backed groups ClearSky identifies as APT34-OilRig, APT33-Elfin and APT39-Chafer in what they call the “Fox Kitten Campaign.”
In Fox Kitten, APTs such as OilRig use known vulnerabilities such as those published for the Pulse Secure “Connect” VPN (CVE-2019-11510), the Fortinet FortiOS VPN (CVE-2018-13379), and the Palo Alto Networks “GlobalProtect” VPN (CVE-2019-1579). For each of these CVEs, an attacker can gain unauthenticated access to various network functions through flaws in the VPN software.
For example, with CVE-2019-11510, “an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file read.” In other words, by identifying the VPN and sending a particular Uniform Resource Identifier, hackers can read files that are supposed to be protected by the VPN without logging in to the VPN.
Furthermore, the Iranian APT groups were able to exploit these 1-day vulnerabilities within relatively short time frames, from a few hours to a week or two after a CVE was published. Engineering a working exploit for a newly disclosed vulnerability and then applying it against targeted VPNs within that window suggests an advanced ability to rapidly identify targeted VPNs.
Why VPNs are Easy Targets
The beauty of VPNs is that they act as doorways to safe and secure information and private communication from anywhere on the Internet. This is possible because VPN gateways have fixed, global IP addresses with open communication ports that allow employees or trusted users to find the doorway into the network and then, in theory, use a safe key to authenticate and pass through into the trusted space within.
This convenience turns dangerous when hackers combine the known global IP addresses of VPN gateways with published CVEs to bypass the authentication process and gain access to resources inside the VPN, as the APTs involved in the Fox Kitten campaign have done.
The open port that resides at the global public IP address where the VPN is hosted is the root cause of the current security dilemma. A VPN server by definition must reside at a routable global IP address and provide an open port where legitimate users can initiate a connection and log in with their username and password. The problem is that open ports are also vulnerable to unsolicited inbound traffic. Anyone can initiate a connection, and thus malicious parties can use stolen credentials, attempt to guess logins by brute force, leverage social engineering trickery or exploit bugs in the VPN server software to gain access to the network.
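Both kinds of abuse described above (crafted URIs that read files outside the web root, and brute-force login attempts against the open port) leave traces in the gateway's own access log. The following is an added example, not ClearSky's or remote.it's code, that scans constructed sample log lines for URIs that escape the web root, including double-encoded ones, and for repeated failed logins from a single source; the log format, the /vpn/login path and the failure threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log from a hypothetical VPN gateway (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2020:10:01:02 +0000] "GET /vpn/portal/index.html HTTP/1.1" 200 512
203.0.113.7 - - [16/Feb/2020:10:01:05 +0000] "GET /vpn/portal/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1340
203.0.113.7 - - [16/Feb/2020:10:01:06 +0000] "GET /vpn/%252e%252e/%252e%252e/config.ini HTTP/1.1" 200 90
198.51.100.9 - - [16/Feb/2020:10:02:00 +0000] "POST /vpn/login HTTP/1.1" 401 0
198.51.100.9 - - [16/Feb/2020:10:02:01 +0000] "POST /vpn/login HTTP/1.1" 401 0
198.51.100.9 - - [16/Feb/2020:10:02:02 +0000] "POST /vpn/login HTTP/1.1" 401 0
192.0.2.33 - - [16/Feb/2020:10:03:00 +0000] "POST /vpn/login HTTP/1.1" 401 0
192.0.2.33 - - [16/Feb/2020:10:03:30 +0000] "POST /vpn/login HTTP/1.1" 200 800
192.0.2.33 - - [16/Feb/2020:10:03:31 +0000] "GET /vpn/portal/docs/../index.html HTTP/1.1" 200 512
"""

# Apache/Nginx "combined"-style request line: ip, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_line(line):
    """Return (ip, method, path, status) or None if the line is not a request."""
    m = LINE_RE.match(line)
    return (m[1], m[2], m[3], int(m[4])) if m else None

def is_traversal(raw_path):
    """True if the path, once decoded, walks above the web root via '..' segments."""
    # Decode twice so %252e-style double encoding is normalised to '..' as well.
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    depth = 0
    for seg in re.split(r"[\\/]+", path):      # treat '\' and '/' as separators
        if seg == "..":
            depth -= 1
            if depth < 0:                        # popped above the root: traversal
                return True
        elif seg not in ("", "."):
            depth += 1
    return False                                 # '..' that stays inside the root is benign

def analyze(log_text, login_path="/vpn/login", fail_threshold=3):
    """Flag traversal-style URIs and sources with repeated failed logins."""
    traversal, failures = [], Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ip, _method, path, status = rec
        if is_traversal(path):
            traversal.append((ip, path))
        if path.split("?", 1)[0] == login_path and status in (401, 403):
            failures[ip] += 1
    brute = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"traversal": traversal, "brute_force": brute}
```

Running analyze(SAMPLE_LOG) flags the two file-read URIs from 203.0.113.7 and the three failed logins from 198.51.100.9, while the in-root "docs/../index.html" request and the single failure from 192.0.2.33 are left alone.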
remote.it Eliminates the Vulnerability of Open Ports
remote.it was created by networking industry veterans seeking to solve the persistent security problems related to port forwarding and global IP addresses. The public visibility and availability of devices on the internet, especially those with open ports intended to provide remote access, has been, until recently, a necessary and seemingly unavoidable security compromise since the inception of TCP/IP networking.
If one creates a private network that doesn’t depend on users finding the gateway with a public global IP address and then using an open port to log in, one can eliminate a major attack surface used by hackers to break into networks.
The remote.it virtual private internet (VPI) solution creates a private network where the VPN gateway is 100% reachable over the internet by legitimate users, but where the open ports are gone, rendering the gateway completely invisible to non-legitimate users. In this way, remote.it is addressing the number one vulnerability of the world’s entire installed base of VPNs without changing the existing VPN software.
remote.it acts as a network overlay onto existing TCP/IP networks, enabling private authentication and private network routing. Devices on the VPI have managed access to the resources within the VPI just as one might have when accessing a VPN. The difference is, permissions are defined with each user or device account. There is no way for a hacker to bypass authentication to simply “access everything” nor is there any particular network device to target, as is the case with VPNs.
Eliminate Your Open Ports
Your online security shouldn’t have a permanent attack surface on the internet just because traditional VPNs have always done it that way. New approaches to networking are enabling companies to create innovative security solutions such as with virtual private internets from remote.it.
remote.it is free for developers and simple to license and deploy for enterprises. Get started in ten minutes with our quick start process, and enable any device with remote.it by installing our sub-200K networking daemon. We support small and large scale bulk registration and management of fleets of IoT devices.