FBI blames Iranian hackers for attacks on F5 network devices

They are a group called Fox Kitten. It paves the way for attacks by other Iranian hackers such as Shamoon and Oilrig. At least two companies are said to have already been hacked via unpatched network devices from F5 Networks.

The US Federal Bureau of Investigation (FBI) warns of hacker attacks on government agencies and companies. The attackers allegedly supported by the Iranian government take vulnerabilities in VPN-Solutions from multiple providers as well as Citrix ‘ADC servers targeted. New to their arsenal is a security vulnerability in F5 Networks’ Big-IP network devices.

Hacker (Image: Shutterstock)Although the FBI does not name the hackers responsible for the latest attacks, it does refer to their previous activities, including attacks on Connect VPNs from Pulse Secure and Citrix Gateways, which are attributed to Iranian hackers.

According to sources from ZDNet USA, the hacking group is referred to in security circles as Fox Kitten or Parasite. A former cybersecurity analyst who now works for the private sector even described the group as the “spearhead” of Iranian hackers. Your task is to create the first access to the systems of victims so that they can then be exploited by groups with Shamoon (APT33), Oilrig (APT34) or Chafer.

Fox Kitten is also said to have specialized in attacks on high-quality network equipment. In doing so, they apparently take advantage of the fact that not all companies are able to patch currently reported vulnerabilities immediately. As soon as they manage to compromise a network device, they should set up a web shell or a back door as access for other hackers.

According to analyzes by security providers ClearSky and Dragos, Fox Kitten has been active since summer 2019. Since then, the hackers have also targeted Fortinet VPN servers and Palo Alto Networks’ Global Protect VPN servers.

With the current break-ins in Big-IP devices from F5, the investigators have so far found no preferences for certain branches of the economy. Thus, according to the FBI, any company that uses an unpatched Big IP device is a possible target. The FBI therefore calls on all those affected to use the existing patches to ward off possible break-ins.

“After the VPN server has been successfully compromised, the actors receive legitimate access data and establish persistence on the server via web shells. The actors carry out internal reconnaissance using tools such as NMAP and Angry IP scanners. The actors use Mimikatz to capture credentials while they are on the network, and Juicy Potato to expand user rights, ”the FBI describes a typical attack. “The actors create new users while on the network; the FBI has observed that an account known to have been created by the actors is called ‘Sqladmin $’. “

Apparently at least two attacks against Big IP devices in the USA have been successful so far. It is not known which companies were hacked.

To new heights with SkySQL, the ultimate MariaDB cloud

In this webinar we will introduce you to SkySQL, explain the architecture and explain the differences to other systems such as Amazon RDS a. You’ll also get a glimpse into the product roadmap, a live demo, and learn how you can get SkySQL up and running in minutes.

Leave a Reply

Your email address will not be published.