Access to Corporate Network: Why It’s Important to Secure This Entry Point
A hacker group specializing in gaining and maintaining access to corporate networks has been observed selling access to compromised corporate networks to other threat actors on underground forums. This highlights the importance of securing access to your organization’s network.
An actor assessed to be associated with the hacker group behind the malicious campaign called “Pioneer Kitten”, also known as “Parisite” and “Fox Kitten”, has been selling access to compromised corporate networks on underground forums since late July of this year, according to the recent report released by CrowdStrike Intelligence.
Access to Corporate Networks
COVID-19 has forced many companies to open access to their corporate networks to remote workers. This opening unleashed a Pandora’s box of new cyberthreats, especially to unprepared organizations.
For years, however, threat actors have exploited select access to corporate networks. With more organizations now allowing their workers to remotely access corporate networks, the field for exploitation has widened for threat actors.
The malicious campaign called Pioneer Kitten, for instance, was first observed in the wild in 2017 by industrial control system (ICS) security firm Dragos. Dragos called the campaign Parisite and described it as targeting industrial organizations as well as government and non-governmental organizations in broad geographic locations.
In February 2020, the research team ClearSky reported that the malicious campaign that the team called “Fox Kitten” affected dozens of companies and organizations around the world in the last three years. According to the ClearSky research team, this campaign was first revealed by Dragos in 2017.
The group behind Pioneer Kitten, alternately known as Parisite and Fox Kitten, uses publicly available tools such as MASSCAN, Dsniff, and Ngrok. MASSCAN is a scanning tool that gives malicious actors more information about their targets, which helps them narrow the scope of their attack. It’s reported that MASSCAN scans the entire internet in under 6 minutes, transmitting 10 million packets per second from a single computer.
Dsniff, meanwhile, is capable of capturing and decoding authentication information for various protocols. When Dsniff is used together with ARP and/or DNS spoofing techniques, it can be used to obtain password and authentication information from both normal and switch-based networks.
Ngrok, meanwhile, is an application that gives a user internet access to corporate networks hidden behind network address translation (NAT) or a firewall. Ngrok, however, only grants external access to internal systems once a user gains access to the network.
To gain initial access to corporate networks, the group behind Pioneer Kitten, alternately known as Parisite and Fox Kitten, exploits security vulnerabilities in VPN services and network appliances. The group specifically exploits the following security vulnerabilities:
- CVE-2019-11510: This security vulnerability in Pulse Secure Pulse Connect Secure VPN could allow an unauthenticated remote attacker to view cached plaintext user passwords and other sensitive information.
- CVE-2019-19781: This security vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, could allow an unauthenticated remote attacker to perform arbitrary code execution.
- CVE-2020-5902: This security vulnerability in F5 BIG-IP products (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) could result in a complete system compromise.
Hardening the access security of your organization’s network is essential as once threat actors gain access, they can do anything on it such as steal sensitive data or plant ransomware. Ransomware operators nowadays work together with other threat actors, known as “affiliates” in the scheme called “ransomware-as-a-service (RaaS)”. Affiliates buy the ransomware program from the ransomware developer, launch the ransomware on victims’ networks and pay the developer a percentage of the proceeds of the ransomware attacks.
Ransomware affiliates, for their part, buy access to targets’ networks from “Initial Access Brokers” – actors who specialize in obtaining initial network access from a variety of sources and turning this initial access into a wider network compromise.
Preventive and Mitigating Measures Against Illegal Access to Corporate Networks
Here are some cybersecurity best practices in preventing or mitigating illegal access to corporate networks:
- Keep all software up to date.
It’s important to keep VPNs and network appliances up to date, as these can be used by threat actors to illegally access your organization’s network. To date, Pulse Secure, Citrix and F5 have each issued a security update, also known as a patch, for the above-mentioned security vulnerabilities.
- Use Strong Authentication Methods
It’s important to note that applying the patch alone isn’t enough to stop threat actors from illegally accessing your organization’s network. Authentication details such as usernames and passwords, once stolen, can be re-used even after the applicable patch is applied.
In the case, for instance, of the security vulnerability CVE-2019-11510 in Pulse Secure Pulse Connect Secure VPN, applying the patch won’t block attackers who’ve previously compromised your organization’s network if the stolen username and password remain unchanged. This is the reason why stolen credentials are still valuable and are being sold online by threat actors to other threat actors.
After applying the necessary patch, it’s important to change the username and password. It also helps to use multi-factor authentication to add another layer of defense to your organization’s network.
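The check described above, as an added example that is not part of the original article: an audit over a constructed VPN account export that flags passwords last set on or before the patch time, and accounts without multi-factor authentication. The CSV columns, the `PATCH_APPLIED` timestamp and the finding labels are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export of VPN accounts (not real data).
SAMPLE_ACCOUNTS = """\
username,password_last_set,mfa_enrolled
alice,2020-09-20T08:15:00+00:00,yes
bob,2019-06-02T11:00:00+00:00,no
carol,2020-03-11T16:40:00+00:00,yes
dave,,no
erin,2020-09-18T09:30:00+00:00,no
"""

# Assumed moment the appliance patch was installed (placeholder value).
PATCH_APPLIED = datetime(2020, 9, 15, 0, 0, tzinfo=timezone.utc)

PRIORITY = {"ROTATE_NOW": 0, "ROTATE": 1, "ENROLL_MFA": 2, "OK": 3}


def parse_ts(value):
    """Return an aware datetime, or None if the field is empty or malformed."""
    try:
        ts = datetime.fromisoformat((value or "").strip())
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify(row, patch_applied):
    """A password set before the patch may have been stolen and still works."""
    last_set = parse_ts(row["password_last_set"])
    stale = last_set is None or last_set <= patch_applied  # unknown = fail closed
    has_mfa = (row["mfa_enrolled"] or "").strip().lower() in {"yes", "true", "1"}
    if stale:
        return "ROTATE" if has_mfa else "ROTATE_NOW"
    return "OK" if has_mfa else "ENROLL_MFA"


def audit(csv_text, patch_applied=PATCH_APPLIED):
    """Return (username, finding) pairs, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [(r["username"], classify(r, patch_applied)) for r in rows]
    return sorted(findings, key=lambda f: (PRIORITY[f[1]], f[0]))


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{finding:<11} {user}")
```

Accounts with a missing or unreadable password date are treated as unrotated, so a gap in the export cannot hide a credential that was exposed before the patch.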
While your employees work from home facing uncertainty, we at GenX work hard to make sure that your remote access remains secure and your business uninterrupted.
Call us today at (416) 920-3000 or email sales@genx.ca to schedule an evaluation of your infrastructure, and we will show you how to protect your business from cybercriminals, fast and on budget.