A new security alert from the FBI indicates that a group of Iranian hackers is on a spree of compromising the BIG-IP products manufactured by F5 Networks, making use of a known vulnerability that was discovered by security researchers in early July. Cybersecurity reporters have linked the alert to “Fox Kitten,” a threat actor with known ties to the Iranian government.
Iranian hackers exploiting CVE-2020-5902?
Though the FBI’s security alert did not name a specific culprit, independent security researchers have told ZDNet and other media outlets that they believe the group called “Fox Kitten” or “Parisite” is behind the attacks. One security analyst described this group to ZDNet as the “spear tip” for Iran’s state-sponsored hacking programs, establishing an “initial beachhead” to open the door for other threat actors. The attempts appear to have been going on since early July and are directed at a wide range of both government organizations and private businesses.
This particular group of Iranian hackers has been active since at least mid-2019, and has an established pattern of going on runs of exploiting known vulnerabilities while there are still lots of unpatched systems in the wild. This group used exploits published in 2019 to go after a number of VPN services including Pulse Secure, Fortinet and Palo Alto Networks. It has also attacked Citrix “ADC” servers and Citrix network gateways. Fox Kitten usually focuses on establishing longer-term access for bigger Iranian hacking groups such as APT 33 (“Shamoon”) and APT 34 (“Oilrig”). These groups either attempt to covertly exfiltrate sensitive information, or install ransomware on target networks.
The FBI indicates that the Iranian hackers have not given up on combing for these older vulnerabilities, but their recent work has been focused on a more recent vulnerability, CVE-2020-5902. This vulnerability impacts a number of products in the BIG-IP line and is considered extremely serious, allowing an attacker to potentially gain full system access. The Iranian hackers are indiscriminate in their approach, simply scanning broad swaths of the internet for BIG-IP devices running known vulnerable software versions. The vulnerability can be fixed by upgrading to the most recent BIG-IP version, but as with many of these security issues there are always quite a few clients that are very slow to take note and update.
The FBI notification also warns that the Iranian hackers are not the only group actively targeting this vulnerability; it has been spotted recently as part of a Mirai-based DDoS botnet.
Endpoint attacks trending up during Covid-19?
Tal Zamir, Co-Founder and CEO of Hysolate, notes a trend in hacked networks that were exploited via endpoints: “The FBI’s warning of Iranian hackers’ tactics is yet the latest confirmation that attackers always look for the easiest way to establish their foothold – which happen to be these vulnerable endpoints. Vulnerabilities in hardware devices such as these are a common ‘low hanging fruit’ for attackers. In fact, we must not forget that endpoints (laptops/desktops) are one of the most commonly targeted devices by attackers – 70% of breaches start on the endpoint.”
There is good evidence to indicate that hackers are looking more and more toward dispersed endpoints as the Covid-19 pandemic rages on and companies shift to new and unfamiliar remote work models and volumes. While improperly secured personal devices and home WiFi networks are two very obvious targets of opportunity in this scenario, this recent incident with the Iranian hackers indicates that attackers will move along the entire chain looking for weaknesses and openings. In this case, the target was a load balancing service that is known to be widely in use by enterprise-scale companies (including quite a few on the Fortune 500, if its own advertising is to be believed) and has likely been taken up even more in recent months due to changing business continuity needs.
In addition to targeting individual end users with things like spearphishing and adware attacks, hacking teams are clearly keeping up with new vulnerability disclosures and milking them for everything they are worth as organizations lag behind in installing necessary patches and upgrading to new software versions. Some recent data indicates that it takes the average organization about a month and a week to get around to installing new security updates, with the worst offenders letting their critical patches lag for over a year. In this particular case, even a month would have been far too slow; CVE-2020-5902 was first disclosed in late June, and the Iranian hackers were already underway with large-scale operations combing for vulnerable targets by early July.
This also brings up the point that hackers, both state-sponsored and of the independent cyber criminal variety, are increasingly following the opportunities in the Covid-19 setting. It is necessary to assume that large-scale and widespread exploitation of any newly disclosed vulnerability will begin within just a few days.
Zamir supplied some parting advice for organizations looking to keep on top of this new reality of constant vigilance for new vulnerabilities and immediate patching: “Organizations are advised to inventory and assess the security of all of the connected devices being used – everything from access card systems & connected security cameras to traditional connected devices like endpoints and network access control systems. To ensure corporate data is protected without reducing user productivity, laptops and computers should be equipped with a secure, isolated operating system from which to access sensitive databases and systems.”
While IT departments are likely overburdened with the sheer number of vulnerabilities being disclosed, there are tools to help. The most important basic element is prioritization of “high risk” vulnerabilities and those with high Common Vulnerability Scoring System (CVSS) scores, as substantial nation-state resources will likely be bent toward developing working exploits immediately. While automation tools cannot be relied on entirely to keep networks up to date, they can help tremendously with prioritizing these high-risk items.
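The prioritization described above, and the patch-lag problem raised earlier (a month-plus average lag against a window of only a few days once a vulnerability is under active exploitation), can be turned into a simple risk-based triage routine. The following is an added example written for this article, not code from the FBI alert, F5 or Hysolate. The asset inventory, the SLA thresholds in sla_days, the weighting in priority_score and all CVSS values and dates are constructed or assumed for illustration; the placeholder identifiers of the form CVE-EXAMPLE-000N are not real CVEs, and real scores should be taken from NVD and the vendor advisory.

```python
"""Risk-based patch prioritization over a constructed vulnerability inventory.

Ranks open findings by a score that combines CVSS with two signals the article
stresses: whether the flaw is internet-exposed and whether it is already being
exploited in the wild (e.g. named in a government alert). Each finding also gets
a patch deadline from an assumed SLA policy, so overdue items surface at once.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float              # CVSS base score, 0.0 - 10.0
    internet_exposed: bool   # reachable from the public internet
    exploited_in_wild: bool  # flagged as actively exploited (vendor/government alert)
    disclosed: date          # vendor disclosure date


# Constructed sample inventory. Scores and dates are illustrative inputs, not
# authoritative data; CVE-EXAMPLE-* identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("lb-edge-01", "CVE-2020-5902", 9.8, True, True, date(2020, 6, 30)),
    Finding("lb-edge-01", "CVE-EXAMPLE-0001", 9.0, False, False, date(2020, 7, 15)),
    Finding("hr-laptop-17", "CVE-EXAMPLE-0002", 7.5, False, False, date(2020, 3, 1)),
    Finding("cam-lobby-02", "CVE-EXAMPLE-0003", 5.3, True, False, date(2020, 7, 20)),
]

# Assumed reporting date for the sample run.
REPORT_DATE = date(2020, 8, 1)


def priority_score(f: Finding) -> float:
    """CVSS plus assumed bonuses: active exploitation outweighs raw severity."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 3.0
    if f.internet_exposed:
        score += 2.0
    return score


def sla_days(f: Finding) -> int:
    """Assumed patch SLA in days from disclosure, tightest for exposed + exploited."""
    if f.exploited_in_wild and f.internet_exposed:
        return 3    # the "few days" window the article describes
    if f.exploited_in_wild or f.cvss >= 9.0:
        return 7
    if f.cvss >= 7.0:
        return 30
    return 90


def patch_deadline(f: Finding) -> date:
    return f.disclosed + timedelta(days=sla_days(f))


def prioritize(findings, today: date):
    """Return findings as dicts, highest priority first, with overdue days."""
    rows = []
    for f in findings:
        deadline = patch_deadline(f)
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "score": priority_score(f),
            "deadline": deadline,
            "overdue_days": max(0, (today - deadline).days),
        })
    # Highest score first; earlier deadline breaks ties.
    rows.sort(key=lambda r: (-r["score"], r["deadline"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, REPORT_DATE):
        print(f'{r["score"]:5.1f}  {r["asset"]:13} {r["vuln_id"]:18} '
              f'due {r["deadline"]}  overdue {r["overdue_days"]}d')
```

On the sample data the internet-exposed, actively exploited BIG-IP finding ranks first and is already four weeks past its deadline at the report date, while the lower-CVSS camera flaw ranks below an unexposed laptop vulnerability with a higher base score. The weights are deliberately simple so a team can swap in its own policy; the point is that exploitation status and exposure, not CVSS alone, drive the order.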