FBI warns of attacks on F5 Devices by Iranian State-Sponsored Group

The US Federal Bureau of Investigation warned US companies via a Private Industry Notification that Iranian state-sponsored hackers are actively targeting the US private and government sectors, according to an article recently published by ZDNet. The latest alert warning of Iranian state-sponsored activity follows an alert published in February which again warned private industry partners of campaigns distributing the Kwampirs malware. The latest alert does not mention names but given the examples of previous attacks listed in the alert, researchers have determined that those responsible for the latest attack campaign form part of the advanced persistent threat (APT) group Fox Kitten.

Fox Kitten or Parisite is seen by the InfoSec community as the “spear tip” of Iranian cyber operations, often creating a beachhead for other groups to exploit. The group primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices. The devices targeted by the group tend to be used by large corporations and government departments, with previous campaigns actively targeting companies in the IT, Telecommunication, Oil, and Gas, Aviation, Government, and Security sectors of multiple states around the world. Typically once the targeted network is compromised the group will install a web shell or backdoor onto the vulnerable device. This grants the group future access to the compromised network which can be used by them or other Iranian groups.

The FBI alert warns that the attackers have upgraded their toolset by now being able to exploit vulnerability CVE-2020-5902. The flaw was disclosed to F5 customers in early July and that the company’s popular BIG-IP products, a multi-purpose network device, are affected.

iranian hackers attack f5 devices

The flaw has been described by F5 as follows,

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in a complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed to the data plane; only the control plane is affected.
Note: All information present on an infiltrated system should be considered compromised. This includes, but is not limited to, logs, configurations, credentials, and digital certificates.”

According to the FBI alert, as published by ZDNet, the law enforcement body informs that,

“Following successful compromise of the VPN server, the actors obtain legitimate credentials and establish persistence on the server through webshells. The actors conduct internal reconnaissance post-exploitation using tools such as NMAP and Angry IP scanner. The actors deploy Mimikatz to capture credentials while on the network, and Juicy Potato for privilege escalation. The actors create new users while on the network [...]

The actors use several applications for command and control (C2) while exploiting victim networks, including Chisel (C2 tunnel), ngrok, Plink, and SSHNET (reverse SSH shell). When tracking suspected C2 activity, the FBI advises that C2 activity with ngrok may be with external infrastructure associated with ngrok.”

While the alert does not mention names, the tactics mentioned above are eerily similar to those deployed by Fox Kitten in previous campaigns. The FBI further noted that the group is not targeting a particular sector, rather any organization with unpatched BIG-IP devices. US companies have been advised to patch their F5 devices to prevent successful intrusions. It is believed that there are two unconfirmed victims of the campaign to date, based on unnamed sources. What is known for certain is that it is not only Iranian groups targeting the above-mentioned vulnerability. Multiple hacker groups began exploiting this bug within two days after details and proof-of-concept exploits became public, and in recent weeks, an exploit for the BIG-IP bug has even been spotted part of the Mirai botnet.

Fox Kitten

Much about what we know about Fox Kitten is down to the research conducted by two security firms, Clear Sky and Dragos. Those reports detailed how the group, during the summer of 2019, used the same tactics mentioned above to target the following vulnerabilities and devices:

  • Pulse Secure "Connect" enterprise VPNs (CVE-2019-11510)
  • Fortinet VPN servers running FortiOS (CVE-2018-13379)
  • Palo Alto Networks "Global Protect" VPN servers (CVE-2019-1579)
  • Citrix "ADC" servers and Citrix network gateways (CVE-2019-19781)

The group’s activity since 2017 can be summarised as follows:

  • The Iranian APT groups have succeeded to penetrate and steal information from dozens of companies around the world in the past three years.
  • The most successful and significant attack vector used by the Iranian APT groups in the last three years has been the exploitation of known vulnerabilities in systems with unpatched VPN and RDP services, to infiltrate and take control over critical corporate information storages.
  • This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups.
  • We assess this attack vector to be significant also in 2020 apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix).
  • Iranian APT groups have developed good technical offensive capabilities and can exploit 1-day vulnerabilities in relatively short periods, starting from several hours to a week or two.
  • Since 2017, we identify Iranian APT groups focusing on IT companies that provide a wide range of services to thousands of companies. Breaching those IT companies is especially valuable because through them one can reach the networks of additional companies.
  • After breaching the organizations, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points to the core corporate network. As a result, identifying and closing one access point does not necessarily deny the capability to carry on operations inside the network.
  • We assess with a medium-high probability that Iranian APT groups (APT34 and APT33) share attack infrastructures. Furthermore, it can be one group that was artificially marked in recent years as two or three separate APT groups.
  • The time needed to identify an attacker on a compromised network is long and varies between months to not at all. The existing monitoring capability for organizations to identify and block an attacker that entered through remote communication tools is difficult to impossible.

According to the research done by Dragos, the campaign detected by researchers specifically targeted US companies and infrastructure residing in the power and electricity sector. Those campaigns researched by Clear Sky detailed attacks on companies based in Israel from a variety of sectors. In the full report the tactics employed by Fox Kitten again mirror those highlighted in the FBI report. The assertion by the InfoSec community that Fox Kitten acts as the spear tip is also confirmed by the shared infrastructure with other Iranian state-sponsored groups such as OilRig. Attribution of the campaign to Fox Kitten was based off several facts including the use of known Iranian infrastructure as well as Persian found in specific pieces of code. While the FBI alert has not been published to the wider public, the Clear Sky report suggests organizations take several security measures to prevent falling victim to a Fox Kitten attack. These include:

  • The timeframe given to install a security patch after the vulnerability has been published has shortened and we assess it to be between 24 hours and a week between the vulnerability’s publication and the moment it becomes a real threat for the organization.
  • Checking outward-facing systems, including different VPN systems, is critically important for the company. There is a need for constant monitoring, making sure that the systems are constantly updated, and preventing unneeded exposure of the administration interfaces to the outside world. We also assess that there is a need to try and minimize the systems to the bare minimum. Recheck of security updates to VPN systems is to be routinely performed as well.
  • After each update performed on core corporate systems, including VPN systems, it is recommended to reset all passwords to all end-users in the organization and to oblige all users to re-connect to the services, to identify unwanted connections. Additionally, if it is possible, it is recommended to create a two-step authentication to the corporate core systems.
  • It is recommended to use VPN services that keep logs on different media (preferably nonerasable) during communication.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal