A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar advisory warning that hackers linked to the Chinese government are exploiting some of the same vulnerabilities.
The Iranian hacking group, tracked as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 BIG-IP devices, Citrix NetScaler appliances, and Pulse Secure VPNs to gain initial access to networks. The group has also been observed using open source tools such as Nmap to scan for open ports and identify vulnerable, Internet-facing systems.
Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, is an arbitrary file reading vulnerability in Pulse Connect Secure VPN servers that can be exploited without authentication. The second, CVE-2019-11539, is a post-authentication command injection vulnerability in the Pulse Connect Secure administrative interface.
The remote code execution vulnerability CVE-2019-19781, which affects Citrix ADC (NetScaler), Citrix Gateway, and Citrix SD-WAN WANOP appliances, is also being exploited, along with CVE-2020-5902, a remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5's BIG-IP products.
Once access to a network has been gained, the hackers obtain administrator credentials and install web shells such as ChunkyTuna, Tiny, and China Chopper to maintain access. They rely heavily on open source and operating system tooling to conduct operations, including an LDAP (Lightweight Directory Access Protocol) directory browser, ngrok, and fast reverse proxy (FRP). Plink and TightVNC are often used for lateral movement.
The hackers have been observed using several methods to evade detection, such as hiding tasks and services, software packing, compile after delivery, and masquerading files as legitimate Dynamic Link Library files. The hackers have also been observed cleaning files on compromised NetScaler devices every 30 minutes to minimize their footprint.
Because the group has used tools such as 7-Zip and the ChunkyTuna web shell, which can be used to stage and transfer data, CISA suspects that data is being stolen, although no evidence confirming exfiltration has been found. The hackers are known to have viewed sensitive documents on compromised networks and have sold access to compromised organizations on a hacking forum.
While Pioneer Kitten has links to the Iranian government and supports the government's interests, the group also conducts attacks for financial gain and is believed to have the capability to deploy ransomware on victims' networks.
Pioneer Kitten has attacked U.S. government agencies and organizations in several sectors, including healthcare, information technology, finance, insurance, and media.
Detecting and Preventing Attacks
Many of the attacks involve the exploitation of vulnerabilities for which patches have already been released but not yet applied. The best defense against these attacks is to apply patches promptly.
In addition to patching the F5, Citrix, and Pulse Secure vulnerabilities, it is important to investigate whether the vulnerabilities have already been exploited, since patching a device that is already compromised does not remove a web shell or revoke credentials that were stolen from it.
The group makes heavy use of ngrok, which tunnels a port on a compromised host out to ngrok's cloud service so that it can be reached from the Internet. In network telemetry this appears as outbound TCP port 443 connections to external cloud-based infrastructure. The FRP client (FRPC) has been observed communicating over port 7557.
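Two of the checks recommended above, looking for past exploitation of the four CVEs in web access logs and spotting ngrok/FRPC tunnelling in connection logs, can be scripted against logs already at hand. The Python below is an added example, not code from the CISA/FBI advisory or from this article. The access-log and connection-log formats, the sample entries, the request-path signatures for the three pre-authentication bugs (these are the widely published patterns, but the advisory summarised here does not list them), the ngrok hostname suffixes, and the rule that flags the Pulse Secure admin diagnostic page only after a file-read attempt from the same source are all assumptions of the example.

```python
"""Hunt constructed web access logs and connection logs for the exploitation and
tunnelling activity described above (added example, not from the advisory)."""
import csv
import io
import re
from urllib.parse import unquote

# Constructed Apache combined-style access log; not real victim data.
ACCESS_LOG = """\
203.0.113.5 - - [10/Sep/2020:08:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4120
203.0.113.5 - - [10/Sep/2020:08:01:14 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1580
203.0.113.5 - - [10/Sep/2020:08:09:51 +0000] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 640
10.0.0.5 - - [10/Sep/2020:08:10:30 +0000] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 640
198.51.100.7 - - [10/Sep/2020:08:13:40 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 129
198.51.100.7 - - [10/Sep/2020:08:13:41 +0000] "GET /vpn/%2e%2e/vpns/portal/x8f2.xml HTTP/1.1" 200 512
192.0.2.9 - - [10/Sep/2020:08:15:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1342
10.0.0.21 - - [10/Sep/2020:08:16:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3201
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Publicly documented request-path signatures for the pre-authentication bugs named above.
# They are assumptions of this example: the advisory summarised on the page does not list them.
EXPLOIT_PATTERNS = {
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I),
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),
    "CVE-2020-5902": re.compile(r"/tmui/login\.jsp/\.\.;/", re.I),
}
# CVE-2019-11539 is post-authentication: diag.cgi is a legitimate admin page, so it is only
# flagged when the same source already attempted the pre-auth file read (heuristic, assumed).
ADMIN_DIAG_RE = re.compile(r"/dana-admin/diag/diag\.cgi", re.I)


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def match_cve(path):
    """Name the CVE whose signature matches an already URL-decoded request path, or None."""
    for cve, pattern in EXPLOIT_PATTERNS.items():
        if pattern.search(path):
            return cve
    return None


def find_exploit_attempts(log_text):
    """Return one record per request that looks like exploitation of the four CVEs."""
    hits, file_read_sources = [], set()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"])  # catch %2e%2e-style encoded traversals as well
        cve = match_cve(path)
        if cve == "CVE-2019-11510":
            file_read_sources.add(rec["ip"])
        if cve is None and ADMIN_DIAG_RE.search(path) and rec["ip"] in file_read_sources:
            cve = "CVE-2019-11539"
        if cve:
            hits.append({**rec, "path": path, "cve": cve})
    return hits


# Constructed connection log (firewall or NetFlow style export); not real data.
CONN_LOG = """\
ts,src_ip,dst_ip,dst_port,dst_name
2020-09-10T08:20:00Z,10.0.0.21,203.0.113.80,443,tunnel.us.ngrok.com
2020-09-10T08:20:05Z,10.0.0.21,203.0.113.80,443,tunnel.us.ngrok.com
2020-09-10T08:21:00Z,10.0.0.33,198.51.100.200,7557,-
2020-09-10T08:22:00Z,10.0.0.40,192.0.2.50,443,www.example.com
"""

FRPC_PORT = 7557  # port the advisory reports for FRPC traffic
# ngrok tunnel endpoint domains; the exact hostnames are an assumption of this example.
NGROK_SUFFIXES = (".ngrok.com", ".ngrok.io", ".ngrok-agent.com")


def find_tunnel_connections(conn_text):
    """Flag outbound flows matching the ngrok (443 to ngrok hosts) and FRPC (7557) patterns."""
    hits = []
    for row in csv.DictReader(io.StringIO(conn_text)):
        port = int(row["dst_port"])
        if port == FRPC_PORT:
            hits.append({**row, "indicator": "frpc"})
        elif port == 443 and row["dst_name"].lower().endswith(NGROK_SUFFIXES):
            hits.append({**row, "indicator": "ngrok"})
    return hits


if __name__ == "__main__":
    for h in find_exploit_attempts(ACCESS_LOG):
        print(f"{h['ts']} {h['ip']:>14} {h['cve']:<15} {h['method']} {h['path']}")
    for h in find_tunnel_connections(CONN_LOG):
        print(f"{h['ts']} {h['src_ip']:>10} -> {h['dst_ip']}:{h['dst_port']} ({h['indicator']})")
```

The decode-before-match step matters: without it the `%2e%2e` variant of the Citrix traversal slips past the signature. The hostname check for ngrok relies on DNS or proxy logs that record the destination name; where only IPs are available, the advisory's own indicator (sustained outbound 443 from a server that should not be browsing) is the fallback.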
CISA has included other Indicators of Compromise (IoCs) in the cybersecurity advisory along with several mitigations that should be implemented to further reduce the risk of attack.