Securing Organization Network Entry Points

According to a recent report by CrowdStrike Intelligence, a recent malicious campaign called “Pioneer Kitten” has started to sell access to compromised company networks on online black market forums, demonstrating the increasing important of securing company networks against cyberattack.

In the world of COVID-19, many companies are relying on remote connections and VPNs for remote employees to work from home. This has the potential to open avenues of cyber threat to an organization’s network.

In the Pioneer Kitten attack, industrial organization and government and non-governmental organizations were targeted in a wide geographical region. The group behind this cyberattack campaign has been identified to use tools including MASSCAN, Dsniff, and Ngrok in their attacks.

MASSCAN is a tool that scans potential targets for information to be used against them. It is often used by attackers to narrow the scope of their attack to victims that are potentially more vulnerable. MASSCAN is able to scan the internet within 6 minutes, and can transmit 10 million packets per second from a single machine.

Dsniff is a tool that can steal and decode authentication data from many protocols. When used alongside ARP or DNS spoofing, this can be used to steal sensitive passwords and other authentication information from standard and switch-based networks.

Finally, Ngrok is a tool that provides internet access to corporate networks that have been hidden by Network Address Translation (NAT) or firewalls.

Pioneer Kitten exploits vulnerabilities in VPN and network devices in order to gain access to user accounts and personal information. Specifically it exploits the following vulnerabilities:

CVE-2019-11510 – This is a known vulnerability of the Pulse Secure Pulse Connect VPN, which when exploited allows an attacker to gain access to see Plainview user passwords and other data. Plainview text is written in English, meaning that it can be read by any user without decryption.

CVE-2019-9781 – This is a vulnerability in Citrix Application Delivery Controllers that allow for an attacker to execute arbitrary code on a device that has not had the latest security patch applied.

CVE-2020-5902 – this vulnerability is in F5 BIG-IP devices, and is particularly dangerous. Exploitation of these devices can cause complete corporate network compromises.

Once an attacker gains access to corporate networks, they are able to launch various cyberattacks including ransomware. In recent ransomware attacks, malicious actors have been seen to work together with “affiliates” in a relationship known as “ransomware-as-a-service”, where a ransomware developer works with a malicious affiliate to collaborate against a victim.

How to prevent unauthorized access to corporate networks

Keeping software up-to-date remains one of the most effective ways of protecting your organization’s network. New threats are constantly being identified and patched against. It is essential that you ensure that your devices have these latest security updates applied at all times.

Ensure that credentials are up-to-date and changed often. This is particularly true for compromised devices. Oftentimes, it is not enough to cleanse the network of the malicious software and update latest security drivers. It is also essential to change all passwords that may have been compromised in order to ensure that the network is secure post-attack.

Don’t fall victim to cyberattack. Call us at +1 888 366 4443 or email us at info@gige.ca for a consultation on network security today.