Iranian Hackers Targeting, Exploiting VPN Flaws of US Healthcare, IT Orgs

September 16, 2020 - Hackers with ties to Iran are exploiting flaws found in commonly used Virtual Private Networks (VPNs) across a range of federal agencies and businesses, including those in the healthcare and IT sectors, according to a joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Agency and the FBI. 

It appears the threat actors are connected to a hacking group known as Pioneer Kitten and UNC757, based on an analysis of indicators of compromise (IOCs) and tactics, techniques, and procedures. The group is actively exploiting several known vulnerabilities in Pulse Secure VPNs, Citrix NetScaler, and F5 network solutions. 

CISA and the FBI have repeatedly warned throughout the year that hackers are actively targeting these vulnerabilities. In fact, threat actors have successfully exploited Pulse Secure VPNs using stolen credentials, even if the organization has applied the patch. 

In the latest widespread campaign, officials observed the threat actor using these vulnerabilities to gain access to a victim’s network and maintaining persistent access on successfully exploited networks for several months using a variety of techniques. 

The threat actors are primarily targeting industries associated with healthcare, insurance, government, information technology, financial, and media sectors across the country, by first leveraging mass scanning and tools like Nmap to identify networks with any open, vulnerable ports. 

READ MORE: FBI, CISA Alert of Surge in Vishing Cyberattacks on Remote Workers

Further, the attacks rely on exploiting remote external services on internet-facing assets to gain initial access. The hackers heavily leverage open-source and operating system tooling to perform malicious activity, such as ngrok; fast reverse proxy; Lightweight Directory Access Protocol (LDAP) directory browser; and web shells.

The CISA alert contains a full list of these common exploit tools. The group is significantly leveraging ngrok, which can appear as a TCP port 443 connection to the external cloud-based infrastructure, and they’re also using FRPC over port 7557. 

When a vulnerable endpoint is found, the hacker will then exploit flaws connected to the VPN infrastructure to break into a network. Once inside, the threat actor obtains administrator-level credentials and installs web shells to maintain persistence on the network. 

It appears the attacks are designed to maintain presence on the network and exfiltrate data. Officials also observed the hackers selling access to compromised network infrastructures through dark web hacking forums.

The FBI believes the hacking group is capable of deploying ransomware onto the victim’s network, which may also be their intent. 

READ MORE: IBM: Remote Exploit Flaw Found in Millions of Connected IoT Devices

“Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests,” officials explained.  

“CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network,” they added. 

The hackers are also using several means to evade detection, including software packing and compiling after delivery through obfuscated files or information; masquerading by matching a legitimate name or location, or hiding in tasks or services; and file deletion via indicator removal on the host. 

Specifically, the actor has been observed running a cleaning tool every 30 minutes to clean up files on the NetScaler device to minimize their footprint. Alternatively, they use the FRPC daily to reverse the proxy and tunnel Remote Desktop Protocol (RDP) over the TLS connection. 

In other instances, the hackers have hidden their activity via ngrok. 

READ MORE: Remote Attacks on Cloud Service Targets Rose 630% Amid COVID-19

CISA warned the threat actors are also using several techniques to learn more about the victim’s network, such as leveraging Angry IP Scanner to find remote systems and WizTree to gain access to network files and directory listings, and accessing ntuser.dat and UserClass.dat, as well as Softerra LDAP Browser to view documentation on service accounts. 

The hackers have even used Google Chrome bookmarks to discover internal resources and assets. 

Lastly, the threat actors are leveraging remote services, especially RDP, to proliferate across the network, including installing TightVNC server and client pervasively on compromised endpoints and servers as a lateral movement tool. 

CISA and the FBI provided a host of mitigation recommendations to defend against these attacks, which begins with patching the affected servers to harden defenses. Organizations should always ensure software is kept up to date. 

Further, administrators should routinely audit configuration and patch management programs and monitor network traffic for unexpected or unapproved protocols, particularly outbound to the internet, such as RDP and SMB. 

Multi-factor authentication should be implemented on all applicable ports, but especially for privileged accounts, RDP, and remote access solutions, employing jump boxes for access. Administrators should set up separate administrative accounts for each administration workstation and implement the principle of least privilege for all data access. 

Lastly, endpoint defense tools should be deployed across the network, which should routinely be assess for proper function and whether it’s updated. 

If compromise of the Windows Active Directory is suspected, administrators should conduct remediation of the active directory forest. If it’s indeed compromised, a rebuild or reimage of the NetScaler device is needed.

Healthcare organizations should also review previous VPN security recommendations that can help bolster endpoint security, especially as use of these remote connections have rapidly expanded amid the COVID-19 crisis.