Criminals Hack VPN Servers to Install Backdoors

Tomcat

Cybercriminal groups believed to be sponsored by the Iranian government are exploiting VPN server vulnerabilities in their campaigns to plant backdoors in companies around the world. According to a report by specialists from the Israeli company ClearSky, the Iranian attackers are targeting enterprises in information technology, telecommunications, the oil and gas industry and aviation, as well as state-owned companies.

According to the experts, "Iranian APT groups have good technical capabilities to carry out attacks and are able to use the so-called 1-day vulnerabilities in relatively short periods of time after their disclosure." In some cases, the attackers exploited VPN vulnerabilities within hours of their public disclosure.

In 2019, the Iranian groups exploited vulnerabilities in Pulse Connect Secure VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379) and Palo Alto Networks GlobalProtect VPN (CVE-2019-1579). Attacks on these products began in summer 2019 and continue in 2020. The attackers' main goals are to penetrate corporate networks, move laterally through internal systems and install backdoors for later use.

The attackers abuse Sticky Keys to gain administrator rights on Windows systems, use the JuicyPotato and Invoke-TheHash tools, and rely on legitimate administration and tunneling software such as PuTTY, Plink, Ngrok, Serveo and FRP.

As part of the attacks, the criminals also use custom tools: STSRCheck (detects open ports), POWSSHNET (tunnels RDP over SSH), custom VBScripts that download TXT files from the C&C server and combine them into an executable file, and Port.exe (scans IP addresses for a predefined set of ports).

The researchers suggest that at least three Iranian groups are behind the attacks on VPN servers around the world: APT33 (Elfin, Shamoon), APT34 (OilRig) and APT39 (Chafer).
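The Sticky Keys abuse mentioned in the post has two well-known forms: an Image File Execution Options (IFEO) "Debugger" value that makes Windows launch cmd.exe in place of sethc.exe (or another accessibility binary) when the hotkey is pressed at the logon screen, and the accessibility binary itself being overwritten with a copy of cmd.exe. The triage script below is an added example, not code from the post or from ClearSky's report; it parses a `reg export` of the IFEO key and a file-hash listing captured from the host, so it runs offline. The registry export and hash values embedded in it are constructed sample data, and the function names are my own.

```python
"""Triage helper for the two classic Sticky Keys backdoor variants.

Input is data captured from the host: a .reg export of the IFEO key and a
{file name: sha256} listing of System32 binaries. Nothing here touches the
live registry, so the checks can be run on exported evidence offline.
"""
import re
from typing import Dict, List, Tuple

# Accessibility binaries reachable from the Windows logon screen; each one
# can be hijacked exactly the way sethc.exe (Sticky Keys) is.
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Shells an attacker typically copies over the accessibility binary.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key_path: {value_name: data}}.

    String (REG_SZ) data is unescaped; other types (dword:, hex:) are kept
    as raw text since only string Debugger values matter here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")\s*=\s*(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside strings
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_ifeo_hijacks(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (binary, debugger) for accessibility binaries with an IFEO Debugger set."""
    hits = []
    for key_path, values in reg.items():
        if not key_path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key_path[len(IFEO_PREFIX):].lower()
        if image not in ACCESSIBILITY_BINARIES:
            continue
        debugger = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if debugger:
            hits.append((image, debugger))
    return sorted(hits)


def find_replaced_binaries(hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag accessibility binaries whose hash equals a shell binary's hash.

    A sethc.exe overwritten with cmd.exe is byte-identical to cmd.exe, so
    the two hashes collide. `hashes` maps lower-case file name to SHA-256.
    """
    shell_hashes = {hashes[s]: s for s in SHELL_BINARIES if s in hashes}
    return [(name, shell_hashes[hashes[name]])
            for name in ACCESSIBILITY_BINARIES
            if name in hashes and hashes[name] in shell_hashes]


def triage(reg_text: str, hashes: Dict[str, str]) -> Dict[str, list]:
    """Run both checks and return findings keyed by variant."""
    reg = parse_reg_export(reg_text)
    return {"ifeo": find_ifeo_hijacks(reg), "replaced": find_replaced_binaries(hashes)}


# Constructed .reg export: sethc.exe carries a malicious Debugger value;
# notepad.exe has one too but is not an accessibility binary (ignored);
# utilman.exe has only a benign GlobalFlag value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\notepad2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"GlobalFlag"=dword:00000000
'''

# Constructed hash listing; the values are placeholders, not real hashes.
SAMPLE_HASHES = {
    "cmd.exe": "aaaa" * 16,
    "powershell.exe": "bbbb" * 16,
    "utilman.exe": "aaaa" * 16,   # identical to cmd.exe: binary was replaced
    "sethc.exe": "cccc" * 16,
    "osk.exe": "dddd" * 16,
}

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG, SAMPLE_HASHES).items():
        for binary, detail in hits:
            print(f"[{kind}] {binary} -> {detail}")
```

On a real host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` writes the file as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in; the hash listing can come from `Get-FileHash C:\Windows\System32\*.exe`. A Debugger value on any accessibility binary, or a hash collision with a shell, should be treated as a backdoor until proven otherwise.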