Security News > 2020 > February > APT Groups Planting Backdoors: Report

APT Groups Planting Backdoors: Report
2020-02-17 22:48

Now, security firm ClearSky says that at least three advanced persistent threat groups, all with apparent ties to the Iranian government, have been joining the fray and hitting unpatched Fortinet, Pulse Secure and Palo Alto Networks VPN servers and Citrix remote gateways.

Specific flaws needing to be patched include CVE-2019-11510 in Pulse Secure's VPN SSL servers, CVE-2018-13379 in Fortigate's SSL VPN servers, and CVE-2019-1579 in Palo Alto Network VPN servers, all of which ClearSky says Fox Kitten is now exploiting.

These vulnerabilities have previously been used by other cybercrime groups to spread malware, such as ransomware, but the three apparent Iranian groups have increasingly started to use these flaws for their own purposes - namely to attempt to steal data, ClearSky says.

"The most successful and significant attack vector used by the Iranian APT groups in the last three years has been the exploitation of known vulnerabilities in systems with unpatched VPN and services, in order to infiltrate and take control over critical corporate information storage," according to the ClearSky report.

The apparent Iranian APT groups are using the vulnerabilities in the VPN and servers and remote systems to gain a foothold in networks, ClearSky researchers say.


News URL

https://www.inforisktoday.com/apt-groups-planting-backdoors-report-a-13733

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2019-07-19 CVE-2019-1579 Use of Externally-Controlled Format String vulnerability in Paloaltonetworks Pan-Os
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.
network
high complexity
paloaltonetworks CWE-134
8.1
2019-06-04 CVE-2018-13379 Path Traversal vulnerability in Fortinet Fortios and Fortiproxy
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
network
low complexity
fortinet CWE-22
critical
9.8
2019-05-08 CVE-2019-11510 Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
network
low complexity
ivanti CWE-22
critical
10.0