In early February of this year, it became public knowledge that hacking groups based out of the country of Iran were actively exploiting vulnerabilities in Virtual Private Network (VPN) software. Vendors with exploitable software include Pulse Secure, Palo Alto Networks, Fortinet, and Citrix. According to researchers at ClearSky, though, the exploitation may actually date back as far as 2017, when two Advanced Persistent Threat (APT) groups known as APT33-Elfin and APT39-Chafer joined forces to target networks in Israel, the United States, and other allied nations of the two.
Unlike many high-profile Denial of Service (DoS) and defacement attacks, for which credit is quickly taken by hackers and hacking groups sympathetic to U.S. adversaries, these groups operated stealthily in order to achieve a much more lucrative and long-term goal. Specifically, the hacks of vulnerable VPN software are perpetrated in order to gain a foothold within a network that can remain long after the point of ingress has been patched. Essentially, the Iranian groups in question used the VPN vulnerability only as a point of ingress. According to a ZDNet article on the subject, the hackers only needed the few hours of lead time provided by the then “zero-day” vulnerability to gain access to the internal networks of undisclosed – and likely unaware – organizations.
The pros of the attack vector are various. First and foremost, exploiting the software that is specifically designed to secure remote network connectivity is ingenious. This is based upon the fact that most companies focus on remediating vulnerabilities in traditionally exploited products with notable names, such as Adobe and Microsoft. Another is the fact that the hackers only needed to leverage the VPN vulnerabilities a single time in order to set up backdoors through which they could later return to harvest something even more important: the terabytes of data stored within. A pro within a pro is that the manner in which they are believed to have set up the backdoors, via methods such as establishing RDP links over SSH tunneling, masks much of their presence and, on top of that, encrypts the data being exfiltrated. This makes it very probable that many companies that have been hacked via this method are still none the wiser.
Quite honestly, the strategy undertaken by the Iranian hackers really has no cons. They exploited a zero-day vulnerability within what is generally considered to be security-minded software and planted nearly undetectable backdoors. Unique – and, although hesitantly said, innovative – hacking approaches such as this VPN one will once again require cybersecurity professionals to “up their game” and add one more “high profile” concern to the already long list of attack vectors which must be protected against. Additionally, it serves as a good reminder to even the general user that security updates and other patches for all software on their computers should be installed as soon as they become available. As displayed by this case, to do otherwise is just asking for cyber trouble.