Fox Kitten APT Gets a New Toy

Fox Kitten, also known as Parisite, is an Iran-linked intrusion group that exploits recently disclosed vulnerabilities in the products and network equipment of large private corporations and government networks, typically before the affected organizations have patched them.

What happened?

Fox Kitten has recently been seen targeting a product family deployed widely across the U.S. private and government sectors.
  • According to researchers, the group has been exploiting CVE-2020-5902, a critical remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5 Networks BIG-IP devices.
  • After compromising a device, the operators harvest legitimate credentials and drop web shells to maintain persistent access to the server.
  • For follow-on activity they rely on off-the-shelf tooling: Nmap and Angry IP Scanner for internal reconnaissance, Mimikatz for credential theft, and Juicy Potato for privilege escalation on Windows hosts.

Fox Kitten’s backstory

  • Active since at least the summer of 2019, Fox Kitten has specialised in gaining an initial foothold inside target networks, which several other Iranian groups, such as Shamoon, OilRig and Chafer, have then used for their own operations.
  • Before turning to BIG-IP, the group exploited vulnerabilities in widely deployed VPN and remote-access products, including Pulse Secure Connect Secure enterprise VPNs (CVE-2019-11510), Fortinet FortiOS SSL VPN servers (CVE-2018-13379), Palo Alto Networks GlobalProtect VPN servers (CVE-2019-1579), and Citrix ADC and Citrix Gateway appliances (CVE-2019-19781).

BIG-IP vulnerability already on target

Fox Kitten is not the only threat actor working on this vulnerability. CVE-2020-5902 in F5 Networks BIG-IP has been in the news since F5 disclosed it on June 30, 2020.
  • The flaw carries a CVSSv3 score of 10.0, the maximum possible, and several malicious actors have attempted to exploit it in the wild.
  • On July 28, Trend Micro reported a Mirai botnet downloader (detected as Trojan.SH.MIRAI.BOI) that abuses this flaw alongside several other vulnerabilities.
  • Scanning for vulnerable BIG-IP devices was observed in the wild within three days of the disclosure.
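Both the Fox Kitten activity described above and the opportunistic scanning in this section leave the same trace on a BIG-IP: requests to the TMUI that smuggle a `..;` segment past the front-end web server so that Tomcat resolves the path into the otherwise authenticated workspace servlets (fileRead.jsp, fileSave.jsp, tmshCmd.jsp). The script below is an added example written for this page, not code from the original article or from the researchers it cites. It runs a decode-then-match check over a handful of constructed httpd access-log lines in Apache combined format (made-up timestamps and documentation-range IP addresses, not real traffic) and ranks the findings per source host. The double URL-decoding matters because attackers quickly moved to `..%3b` and `%2e%2e%3b` variants that a plain string match on `..;` would miss.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. They are made up for
# this example and are not logs from any real BIG-IP device.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:12:01:33 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2020:12:01:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1184 "-" "python-requests/2.24.0"
198.51.100.7 - - [05/Jul/2020:12:02:02 +0000] "POST /tmui/login.jsp/..%3b/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.7 - - [05/Jul/2020:12:02:09 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/w.jsp&content=x HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.9 - - [05/Jul/2020:12:03:10 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 8001 "-" "Mozilla/5.0"
10.0.0.4 - - [05/Jul/2020:12:04:00 +0000] "GET /tmui/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tomcat treats ';' as a path-parameter separator, so '/..;/' is resolved as '/../'
# after the front-end httpd has already applied its access control to the prefix.
TRAVERSAL_RE = re.compile(r"/\.\.;")

# Workspace servlets reached through the traversal in public exploits (lowercased
# because we compare against a lowercased path): read files, write files, run tmsh.
WORKSPACE_ENDPOINTS = (
    "/tmui/locallb/workspace/fileread.jsp",
    "/tmui/locallb/workspace/filesave.jsp",
    "/tmui/locallb/workspace/tmshcmd.jsp",
)


def normalize(target: str) -> str:
    """URL-decode twice (catches %2e%2e%3b and double-encoded variants) and lowercase."""
    return unquote(unquote(target)).lower()


def classify(target: str):
    """Return (severity, reason) for a request target, or None if it looks benign."""
    path = normalize(target).split("?", 1)[0]
    if "/tmui/" not in path:
        return None
    if TRAVERSAL_RE.search(path):
        return ("high", "TMUI path traversal (..;) - CVE-2020-5902 exploit attempt")
    if path.startswith(WORKSPACE_ENDPOINTS):
        # Reachable legitimately by an authenticated admin; worth confirming who it was.
        return ("medium", "direct hit on TMUI workspace servlet; verify it was an authenticated admin")
    return None


def analyze_log(text: str):
    """Parse combined-format lines and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict = classify(m["target"])
        if verdict:
            severity, reason = verdict
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "severity": severity,
                "status": int(m["status"]), "reason": reason, "target": m["target"],
            })
    return findings


def sources_by_severity(findings):
    """Count findings per (severity, source IP) to prioritise which hosts to triage."""
    return Counter((f["severity"], f["ip"]) for f in findings)


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['status']} {f['reason']}")
    print(sources_by_severity(results))
```

A 200 response to a traversal request is the case to treat as a likely compromise rather than a blocked probe: in the sample, fileSave.jsp with a 200 is consistent with a web shell having been written, which is the persistence step the advisory describes, so the follow-up is to inspect the device for unexpected JSP files and to rotate credentials that were stored or used on it.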


A word of caution

Attackers racing to exploit a newly disclosed vulnerability is nothing new. Still, the speed with which Mirai operators and an APT such as Fox Kitten adopted CVE-2020-5902 shows how short the window between disclosure and in-the-wild exploitation has become. Experts advise organizations to maintain a responsive patch management process so that internet-facing equipment such as BIG-IP is updated within days rather than months. Two further checks are worth making: the TMUI management interface should not be reachable from the internet in the first place, and any device that was exposed while unpatched should be treated as potentially compromised and examined for web shells and reused credentials, since those are exactly the footholds Fox Kitten is reported to leave behind.