The US FBI has passed an alert last week warning companies about attacks from Iranian cyberespionage groups. Though the official statement didn’t name the group, a cybersecurity expert has related it to be Fox Kitten, a spear tip cyber attacker that exploits bugs in high-end devices of firms to install backdoors. And now, they’re up exploiting F5’s BIG-IP devices.
FBI Warns US Companies of New Attacking Campaign
The Federal Bureau of Investigation has previously warned US companies in China about possible backdoor malware, and also about using the outdated Windows 7 OS. And now, it came up with a new alert to US private companies about Iranian hackers exploiting a well-known device from F5, the BIG-IP.
The BIG-IP from F5 is a multi-networking device used by several companies. This gadget is now vested with a vulnerability, tracked as CVE-2020-5902, that is being exploited by Fox Kitten (or Parisite) group.
It’s a cyber-espionage group backed by the Iranian government, which spearheads the cyberattacks for their government. They actively look for newly published exploits with Proof-of-concept technicals to attack adversaries.
As reported by Dragos and ClearSky, the group has previously exploited
- Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
- Fortinet VPN servers running FortiOS (CVE-2018-13379)
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
- Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
The group exploits the vulnerability to install a web shell or backdoor in the machine, and since it’s connected to the company’s network, could give access to the entire network eventually. Also, it passes these installed backdoors to other APTs like Shamoon, Chafer, Oilrig, etc for further exploitation like stealing data or ransomware.
Though the FBI didn’t specifically mention it as Fox Kitten, a cybersecurity analyst who previously worked for the government and now for a private firm said to ZDNet based on the FBI’s hints of previous attacks. Since the BIG-IP devices are used extensively in wild, it’s advised to update them to the latest firmware or keeping a tab on any suspicious behavior in the network communications.
