Threat Signal Report
Multiple Agency Threat Alerts Issued for Iranian Threat Actor Activity
On September 15th, the United States Cybersecurity and Infrastructure Security Agency (CISA) along with the Federal Bureau of Investigation (FBI), released a joint Technical Advisory and Malware Analysis Report that has attributed malicious cyber activity to contractors working for the Iranian government; specifically - groups known as Pioneer Kitten and UNC757.
The Technical Advisory and Malware Analysis Report provides in-depth analysis of Iranian-sponsored activity and malware used to target United States governmental interests and U.S.-based infrastructure. This includes using open source exploitation tools to scan for known vulnerabilities. Specific vulnerabilities relating to gateway and VPN technologies were scanned for. Targeted verticals include information technology, government, healthcare, financial, insurance, and media sectors across the United States.
What Other Information was Provided in this Report?
The Technical Alert provided further insight into the TTPs (tactics, techniques and procedures) of the threat actors contracted by the Iranian government. Techniques observed for this threat actor include the port scanning of targeted networks using publicly available tools such as Nmap to identify open public facing ports to exploit. The threat actor will try and leverage known vulnerabilities of network gateway and VPN hardware providers, such as CVE-2019-11510 (Remote Code Execution - Pulse Secure), CVE-2019-11539 (Remote Code Execution - Pulse Secure), CVE-2019-19781 (Arbitrary Code Execution - Citrix), and CVE-2020-5902 (Remote Command Execution - F5 Networks).
Once access to the victim network and administrator or root level access has been obtained, the threat actor will deploy various malicious webshells on the victim network to obtain a foothold and to further pivot within.
These webshells are:
In addition to the malicious webshells and open source tools, another tool utilized was "KeeThief," which allows the attacker to access encrypted credentials stored by KeePass password management software on Microsoft Windows platforms. According to the report, the threat actor was observed selling access to compromised network infrastructure on underground hacking forums. The report highlights that this threat actor also has the capability and possible motivation to deploy ransomware on compromised infrastructures. The threat actor has been observed to have used open source operating system based tools to conduct further reconnaissance, such as Chisel, grok, fast reverse proxy (FRP), Angry IP Scanner, Drupwn, and LDAP Directory Browser.
According to the report, specific vulnerabilities targeted by Chinese MSS threat actors appear to be similar to the Technical Advisory published on September 14. Is this correct?
Yes, CVE's exploited by this threat actor were observed exploiting the same vulnerabilities, with the exception of the Microsoft Exchange Server vulnerability (CVE-2020-0688). For reference, CVE's shared by both groups are:
CVE-2020-5902: F5 Big-IP Vulnerability
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances
CVE-2019-11510: Pulse Secure VPN Servers
This appears to be merely coincidental as these were high profile and publicly known vulnerabilities.
What is the Severity of Impact?
The severity should be regarded as MEDIUM, due to the fact that these campaigns have been observed in limited, targeted attacks.
What is the status of AV/IPS and Web Filtering coverage?
FortiGuard Labs has coverage in place for the vulnerabilities and exploitation tools mentioned in this technical alert.
Customers running the latest definition sets are protected by the following (AV) signatures:
Customers running the latest definition sets are protected by the following (IPS) signatures:
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|