That is particularly troubling given the work-at-home reality brought on by COVID-19, according to a blog post from Claroty.

Remote code execution (RCE) vulnerabilities affecting VPN implementations primarily used to provide remote access to operational technology (OT) networks pose a risk to industries like oil and gas, water utilities and electric utilities that rely on industrial control systems (ICS).

Secure connectivity to remote sites has become even more crucial as energy utilities’ operators and third-party vendors dial into customer sites to provide maintenance and monitoring.

“Vulnerable remote access servers can serve as highly effective attack surfaces for threat actors targeting VPNs,” the blog stated.

Claroty tested the security posture of a few popular remote-access solutions, including cloud-based, field-based and client-based, and found critical vulnerabilities in all.

Flaws included the improper handling of some HTTP request headers provided by the client in the cloud-based Secomea GateManager. This could allow an attacker to remotely exploit the server and achieve RCE without any authentication.

“If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN,” researchers said in the blog, adding that Claroty notified Secomea of the CVE-2020-14500 critical vulnerability and a patch has been available since July 16.

Claroty found that an attacker could use a specially crafted HTTP request to trigger a stack-based overflow vulnerability (CVE-2020-14511) in the web server of the Moxa EDR-G902/3 industrial VPN servers and carry out RCE without the need for any credentials. In addition, an attacker can supply a large cookie and trigger a stack-based overflow in the system.

Moxa issued a patch on June 9, after being alerted by Claroty on April 13.

Claroty’s analysis of eWon’s eCatcher remote-access ICS solution uncovered a critical stack-buffer overflow bug (CVE-2020-14498) that can be exploited to achieve RCE when a victim visits a malicious website or opens a malicious email containing a specifically crafted HTML element.

Claroty researchers notified HMS Networks of what it found on May 12, and a patch has been available since July 14.

“When we consider for a moment the risk outlined by the recent joint advisory from the NSA and CISA, they were referencing both OT systems that are directly connected to the Internet as well as those that could be reached by exploited remote access capabilities established for the enterprise and/or their service providers to monitor and manage these systems remotely,” said Curtis Simpson, CISO at Armis. “Today’s disclosures ultimately mean that a greater number of OT systems that were previously protected behind a firewall and VPN service are now potentially reachable and remotely exploitable by bad actors.” He urged affected vendors to “consider the immediate call to action in the NSA and CISA joint advisory, as it very much applies to these exposures.”

This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it’s a new protocol that not all security products are capable of monitoring. Second, it’s encrypted by default, while DNS is cleartext.

Oilrig has a history with DNS exfiltration channels

The fact that Oilrig was one of the first APTs (Advanced Persistent Threats — a term used to describe government-backed hacking groups) to deploy DoH is also not a surprise.

Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.

In the May campaign, Kaspersky said Oilrig exfiltrated data via DoH to COVID-19-related domains.

During the same month, Reuters independently reported on a spear-phishing campaign orchestrated by unidentified Iranian hackers, who targeted the staff of pharma giant Gilead, which at the time had announced it had begun working on a treatment for COVID-19. It is, however, unclear whether these are the same incidents.

Previous reporting has linked most Iranian APTs to the Islamic Revolutionary Guard Corps, Iran’s top military entity, either as members or as contractors.

But while Oilrig is the first publicly reported APT to use DoH, it is not the first malware operation to do so in general. Godlua, a Lua-based Linux malware strain, was the first to deploy DoH as part of its DDoS botnet in July 2019, according to a report from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360.