PARISITE
Exploits known VPN vulnerabilities and open-source pentesting tools for reconnaissance, initial access, C2.
THREAT DESCRIPTION
PARISITE targets various industrial verticals including aerospace, oil and gas, and multiple utilities including water, electric, and gas. PARISITE’s broad geographic targeting includes entities in the US, the Middle East, Europe, and Australia. Although PARISITE appears focused on industrial organizations with industrial control system (ICS) implementations and related entities, its targeting activity also includes government and non-governmental organizations.
Dragos identified PARISITE activity targeting ICS-related entities using known virtual private network (VPN) vulnerabilities. These vulnerabilities affect Fortinet, PulseSecure, and Palo Alto Networks VPN appliances. PARISITE’s current focus of targeting vulnerable VPN appliances indicates an interest in initial access to enterprise networks, including industrial networks.
PARISITE infrastructure and capabilities date from at least 2017, indicating operations since at least that time. PARISITE uses known open source penetration testing tools for reconnaissance and to establish encrypted communications. This aligns with other activity groups increasingly using publicly available tools and resources as opposed to customized malware once achieving initial access.
At this time, PARISITE does not appear to have an ICS-specific disruptive or destructive capability, demonstrating only initial access and enabling further operations for MAGNALLIUM.
Dragos identified PARISITE activity targeting ICS-related entities using known virtual private network (VPN) vulnerabilities. These vulnerabilities affect Fortinet, PulseSecure, and Palo Alto Networks VPN appliances. PARISITE’s current focus of targeting vulnerable VPN appliances indicates an interest in initial access to enterprise networks, including industrial networks.
PARISITE infrastructure and capabilities date from at least 2017, indicating operations since at least that time. PARISITE uses known open source penetration testing tools for reconnaissance and to establish encrypted communications. This aligns with other activity groups increasingly using publicly available tools and resources as opposed to customized malware once achieving initial access.
At this time, PARISITE does not appear to have an ICS-specific disruptive or destructive capability, demonstrating only initial access and enabling further operations for MAGNALLIUM.
Date: Since 2017
ADVERSARY
- No links to tracked activity groups
CAPABILITIES
- Exploiting known VPN vulnerabilities; SSH.NET, MASSCAN, dsniff, Impacket
VICTIM
- Oil & Gas, Aerospace, Utilities, Government, NGOs
- US, Middle East, Australia, Europe
INFRASTRUCTURE
- Adversary controlled domains & infrastructure for C2 & delivery
- Tor exit node to launch attacks
ICS IMPACT
- Operations focus on ICS-related organizations, limited to IT network actions for initial access and information collection
