Skip to main content

Fox Kitten – Iranian Malware Campaign Exploiting Vulnerable VPN Servers To Hack The Organizations Internal Networks

fox kitten

Researchers discovered a widespread Iranian malware campaign called Fox Kitten that targeting the several organization networks by exploiting the Vulnerabilities in VPN.
The organization its targets are mainly related to IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.
Once the attacker successfully exploited the network, they are gaining the persistence access to the internal system and foothold in the networks of numerous companies.
Fox Kitten campaign believed to be originated from Iran, and infamous Iranian offensive group APT34-OilRig are behind this attack also researchers suspected that this campaign has some connection with PT33-Elfin and APT39-Chafer groups.
Large infrastructure is used for this campaign to perform a various malicious operation on behalf of the attack including:
  • Develop and maintain access routes to the targeted organizations
  • Steal valuable information from the targeted organizations
  • Maintain a long-lasting foothold at the targeted organizations
  • Breach additional companies through supply-chain attacks
As we have reported several malicious campaigns that involved by the APT34 threat actors group and among those attacks, This is one of the high profile targeting cyberattack that currently encounter by the ClearSky researchers.
During the attack, Threat actors are using several hacking tools that contain several open sources tool available on the internet and some of them are self-developed on their own.

Exploiting Bugs for The Initial Breach

Threat actors from APT 34 initially breaching the targeted organization network by exploiting the vulnerabilities in VPN such as Pulse Secure VPN, Fortinet VPN, and Global Protect by Palo Alto Networks.
Once the obtain the network, an attacker using a variety of communication tools, including opening RDP links over SSH tunneling for encrypted communication and try to maintain the access in the infected network.
Fox Kitten
There are several hacking tools are identified that includes self-developed tools: STSRCheck, POWSSHNET, VBScript, Socket-based backdoor over cs.exe, Port.exe and open souce tools such as Invoke the Hash, JuicyPotato, and some of the legitimate tools including Ngrok, FRP, Serveo, Putty and Plink .
These tools are using various purposes in this attack such as privilege escalation, foothold ensuring, and creating a gap for RDP connection and information theft.
According to the ClearSky research ” The main VPN systems exploited by the attackers are Pulse Secure Connect, Global Protect (by Palo Alto Networks), and Fortinet FortiOS. We assess with a high probability that vulnerabilities in Citrix will be used by the attackers as well. “
Researchers also found that the attackers created a special local admin user at the infected network to maintain the high permissions at the station even if the password of the station owner’s main user will be changed.
After gaining successful access to the targeted computer, attackers start moving files from the compromised computer to their own computers through the exfiltration channel.
“This stage’s main concept is establishing the ability to connect, through RDP, to the target company, categorizing relevant files either by looking at them online or through filename lists, and then exfiltrating them to the attacker in different ways. Researchers said”.
At the end of the attack, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization.

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...