Exploiting VPN Flaws to Compromise Enterprise Networks
Before reading this post, please read the earlier post linked below for the background. This post explains how the VPN flaws were exploited and what the attackers did once inside.
https://careertechnologycybersecurityindia.blogspot.com/2020/02/iranian-hackers-exploiting-vpn-flaws-to.html
The primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Connect Secure (CVE-2019-11510), Palo Alto Networks' GlobalProtect (CVE-2019-1579), Fortinet FortiOS (CVE-2018-13379), and Citrix (CVE-2019-19781).
ClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting "1-day vulnerabilities in relatively short periods of time."
Upon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-controlled command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors.
Furthermore, the backdoor code itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file — named "combine.bat" — to stitch together these individual files and create an executable.
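Added example (not code from the report or from this blog) showing why a per-file antivirus check misses a payload delivered this way: none of the constructed chunks is an executable on its own, but joining them in name order yields a valid PE header. The chunk naming scheme, the sample contents and the stitcher file's contents are assumptions.

```python
import re
import struct

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Chunk names ending in a sequence number, e.g. part1, part2 (assumed naming scheme)
CHUNK_NAME = re.compile(r"^(?P<stem>.+?)[._-]?(?P<idx>\d+)$")

def group_chunks(files: dict[str, bytes]) -> dict[str, list[bytes]]:
    """Group chunk files by common stem, ordered by their sequence number."""
    groups: dict[str, list[tuple[int, bytes]]] = {}
    for name, content in files.items():
        m = CHUNK_NAME.match(name)
        if m:
            groups.setdefault(m["stem"], []).append((int(m["idx"]), content))
    return {stem: [c for _, c in sorted(parts)] for stem, parts in groups.items()}

def find_stitched_pe(files: dict[str, bytes]) -> list[str]:
    """Stems whose joined chunks form a PE although no single chunk does."""
    return [stem for stem, chunks in group_chunks(files).items()
            if not any(map(looks_like_pe, chunks)) and looks_like_pe(b"".join(chunks))]

def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + bytes(0x100)

SAMPLE_PE = build_sample_pe()
# Constructed drop folder: three chunks plus a stitcher file (placeholder contents)
SAMPLE_FILES = {
    "part1": SAMPLE_PE[:0x20],      # starts with 'MZ' but too short to hold e_lfanew
    "part2": SAMPLE_PE[0x20:0x44],  # holds the 'PE' signature but no 'MZ'
    "part3": SAMPLE_PE[0x44:],      # trailing bytes only
    "combine.bat": b"rem placeholder for the stitcher batch file",
}

if __name__ == "__main__":
    print("stitched executables:", find_stitched_pe(SAMPLE_FILES))  # ['part']
```

A file-write monitor that applies this check to a directory as chunks arrive catches the payload before the stitcher runs, whereas scanning each chunk alone reports nothing.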
To perform these tasks and achieve persistence, the threat actors used tools such as Juicy Potato and Invoke-TheHash to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include:
- STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-forcing them by logging in with default credentials.
- Port.exe - A tool to scan predefined ports and servers.
Once the attackers gained lateral movement capabilities, they moved to the final stage: executing the backdoor to scan the compromised system for relevant information and exfiltrating the files back to the attacker, either by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or by opening a socket-based connection to a hardcoded IP address.
In addition, the attackers used web shells to communicate with the servers located inside the target and upload files directly to a C2 server.