Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label VPN vulnerabilities. Show all posts

VPN Services May Not Be as Secure as They Seem, Recent Research Finds

 

VPNs are widely known for their benefits, including preventing location-based overcharging, safeguarding online privacy, and enabling access to geographically restricted content like foreign Netflix libraries. Historically, VPNs have been considered safe, but a new investigation by Top10VPN challenges this assumption.

Collaborating with security researcher Mathy Vanhoef, Top10VPN uncovered critical vulnerabilities impacting over 4 million systems. These include VPN servers, home routers, mobile servers, and CDN nodes, with high-profile companies like Meta and Tencent among those affected. The findings, set to be presented at the USENIX 2025 conference in Seattle, highlight flaws in key protocols—IP6IP6, GRE6, 4in6, and 6in4—designed to secure data transmission.

According to the research, these protocols fail to ensure sender identity matches the authorized VPN user profile. This weakness allows attackers to exploit one-way proxies, repeatedly gaining unauthorized access undetected. By sending data packets using compromised protocols, hackers can launch denial-of-service (DoS) attacks or infiltrate private networks to steal sensitive information.

To mitigate these risks, experts recommend additional security mechanisms like IPsec or WireGuard, which ensure end-to-end encryption. These tools limit the ability to access VPN traffic data, decryptable only by the designated server.

The investigation revealed that VPN services and servers deemed insecure were concentrated in the US, Brazil, China, France, and Japan. Users are advised to select VPNs that incorporate robust encryption methods and to remain cautious when using such services. Independent testing of VPN security is essential for ensuring reliability and safety.

For those seeking trusted options, refer to independent reviews and comparisons of the best VPN services, which prioritize user security and encryption protocols.

Iran Cyber Attack: Fox Kitten Aids Ransomware Operations in the U.S

 

A new joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) has revealed updated details about the Iran-based cyber threat group known as Fox Kitten.

Fox Kitten, known for selling compromised corporate access on underground cybercriminal forums, collaborates with ransomware affiliates to further exploit their victims. Recently, the group has targeted organizations in the U.S. and abroad.

Also referred to as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, Fox Kitten has been engaged in cyberespionage since at least 2017. According to the FBI, this group is linked to the Iranian government and is involved in stealing sensitive technical data from various organizations. Their targets have included entities in Israel, Azerbaijan, Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the U.S., and potentially more.

Fox Kitten has conducted numerous network intrusion attempts against U.S. entities since 2017, focusing on schools, municipal governments, financial institutions, and healthcare facilities, with incidents reported as recently as August 2024. Dragos, an OT cybersecurity firm, noted that the group has also attacked industrial control system (ICS) entities by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.

The advisory noted that Fox Kitten operates under the guise of an Iranian company, Danesh Novin Sahand, which likely serves as a front for their malicious activities.

In 2020, Fox Kitten led "Pay2Key," an operation that demonstrated the group's capabilities beyond cyberespionage. Israeli-based ClearSky Cyber Security reported that ransomware attacks during this campaign targeted Israeli organizations with a previously unknown ransomware, likely as a propaganda effort to incite fear and panic. Stolen data was leaked online with messages such as "Pay2Key, Israel cyberspace nightmare!"

A 2020 report by CrowdStrike revealed that Fox Kitten also advertised access to compromised networks on underground forums, suggesting a diversification of their revenue streams alongside their government-backed intrusions.

Collaboration with Ransomware Affiliates
Fox Kitten collaborates with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing them with full network access in exchange for a share of the ransom. Beyond just access, Fox Kitten assists ransomware affiliates in locking victim networks and devising extortion strategies. However, the group remains vague about their Iran-based origin to their ransomware partners.

The joint advisory notes that the group often uses the aliases “Br0k3r” and “xplfinder” in their operations throughout 2024.

Technical Details
Fox Kitten uses the Shodan search engine to locate devices with vulnerabilities in specific technologies, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPNs, or PanOS firewalls. Once these vulnerabilities are exploited, they:

  • Install web shells and capture login credentials, adding backdoor malware to maintain access.
  • Create new accounts with discreet names like “IIS_Admin” or “sqladmin$” on the compromised networks.
  • Gain control of administrative credentials to infiltrate domain controllers and other critical infrastructure components, often disabling existing security measures.
  • The advisory also lists several indicators of compromise, including the TOX identifiers for “Br0k3r,” which the SANS Institute previously exposed in 2023 as an Initial Access Broker selling access to networks in multiple countries, including the U.S., Canada, China, the U.K., France, Italy, Norway, Spain, India, Taiwan, and Switzerland. The U.S. remains a primary target, being the most ransomware-affected country as per MalwareBytes.
Fox Kitten promotes its access sales through a Tor-hosted website on various cybercriminal forums. The group's first website version highlighted sales that included full-domain control, domain admin credentials, Active Directory user credentials, DNS zones, and Windows Domain trusts.

How to Protect Your Business from Fox Kitten

To protect against Fox Kitten, organizations should:

  • Regularly update and patch VPNs, firewalls, operating systems, and software.
  • Monitor access to VPNs for unusual connections or attempts and use filtering to restrict access.
  • Analyze log files for any indicators of compromise mentioned in the advisory and investigate immediately.
  • Deploy security solutions across all endpoints and servers to detect suspicious activity.
  • The FBI and CISA advise against paying ransoms, as there's no guarantee of file recovery and payments could fund further criminal activities.