Multiple Agency Threat Alerts Issued for Iranian Threat Actor Activity

Description

On September 15th, the United States Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), released a joint Technical Advisory and Malware Analysis Report that attributes malicious cyber activity to contractors working for the Iranian government, specifically the groups known as Pioneer Kitten and UNC757.


The Technical Advisory and Malware Analysis Report provides in-depth analysis of Iranian-sponsored activity and malware used to target United States governmental interests and U.S.-based infrastructure. This includes using open source exploitation tools to scan for known vulnerabilities. Specific vulnerabilities relating to gateway and VPN technologies were scanned for. Targeted verticals include information technology, government, healthcare, financial, insurance, and media sectors across the United States.


What Other Information was Provided in this Report?

The Technical Alert provided further insight into the TTPs (tactics, techniques and procedures) of the threat actors contracted by the Iranian government. Techniques observed for this threat actor include port scanning of targeted networks using publicly available tools such as Nmap to identify open, public-facing ports to exploit. The threat actor will then try to leverage known vulnerabilities in network gateway and VPN products, such as CVE-2019-11510 (Remote Code Execution - Pulse Secure), CVE-2019-11539 (Remote Code Execution - Pulse Secure), CVE-2019-19781 (Arbitrary Code Execution - Citrix), and CVE-2020-5902 (Remote Command Execution - F5 Networks).


Once access to the victim network and administrator or root level access has been obtained, the threat actor will deploy various malicious webshells on the victim network to obtain a foothold and to further pivot within.


These webshells are:

ChunkyTuna

Tiny

ChinaChopper


In addition to the malicious webshells and open source tools, another tool utilized was "KeeThief," which allows the attacker to access encrypted credentials stored by KeePass password management software on Microsoft Windows platforms. According to the report, the threat actor was observed selling access to compromised network infrastructure on underground hacking forums. The report highlights that this threat actor also has the capability and possible motivation to deploy ransomware on compromised infrastructures. The threat actor has been observed to have used open source operating system based tools to conduct further reconnaissance, such as Chisel, grok, fast reverse proxy (FRP), Angry IP Scanner, Drupwn, and LDAP Directory Browser.


According to the report, specific vulnerabilities targeted by Chinese MSS threat actors appear to be similar to the Technical Advisory published on September 14. Is this correct?

Yes. This threat actor was observed exploiting the same vulnerabilities as the Chinese MSS threat actors, with the exception of the Microsoft Exchange Server vulnerability (CVE-2020-0688). For reference, the CVEs shared by both groups are:


CVE-2020-5902: F5 Big-IP Vulnerability

CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances

CVE-2019-11510: Pulse Secure VPN Servers


This appears to be merely coincidental as these were high profile and publicly known vulnerabilities.
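As an added example (not from the advisory or from FortiGuard), the following Python triage script flags requests in web-server access logs that carry the directory-traversal indicators associated with the three shared CVEs above, so a defender can spot the scanning phase the alert describes. The path patterns are my assumption of what the directory-traversal IPS signatures look for, and the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Traversal indicators for the three CVEs the advisory lists. These patterns are an
# assumption about what the named IPS signatures match; they are not from the page.
RULES = {
    "CVE-2020-5902":  re.compile(r"/tmui/.*\.\.;/", re.I),    # F5 BIG-IP TMUI
    "CVE-2019-19781": re.compile(r"\.\./vpns/", re.I),         # Citrix ADC / Gateway
    "CVE-2019-11510": re.compile(r"/dana-na/.*\.\./", re.I),   # Pulse Secure SSL VPN
}

# Combined access-log format (Apache/NGINX): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(line):
    """Return a hit dict for a request matching one of the rules, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so %2e%2e/ is seen as ../ before the rules run.
    path = unquote(m.group("path"))
    for cve, pattern in RULES.items():
        if pattern.search(path):
            return {"cve": cve, "src": m.group("ip"), "path": path,
                    "status": int(m.group("status"))}
    return None

def scan_log(lines):
    """Scan an iterable of log lines and return the hits in log order."""
    return [hit for hit in map(classify_request, lines) if hit]

def hits_by_source(hits):
    """Group hits by client address to pick out a host probing several products."""
    by_src = {}
    for hit in hits:
        by_src.setdefault(hit["src"], set()).add(hit["cve"])
    return by_src

# Constructed sample lines: three probes from one scanning host (the first one
# percent-encoded) plus a benign Pulse Secure login-page request.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Sep/2020:10:01:02 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.10 - - [15/Sep/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 404 210 "-" "curl/7.64"',
    '203.0.113.10 - - [15/Sep/2020:10:01:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "curl/7.64"',
    '198.51.100.7 - - [15/Sep/2020:10:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["cve"], hit["src"], hit["status"], hit["path"])
```

A 200 response to one of these probes on an unpatched appliance is the line worth escalating; a 404 still tells you who is scanning.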


What is the Severity of Impact?

The severity should be regarded as MEDIUM, due to the fact that these campaigns have been observed in limited, targeted attacks.


What is the status of AV/IPS and Web Filtering coverage?

FortiGuard Labs has coverage in place for the vulnerabilities and exploitation tools mentioned in this technical alert.


Customers running the latest definition sets are protected by the following (AV) signatures:

MSIL/KeeThief.A!tr.pws


Customers running the latest definition sets are protected by the following (IPS) signatures:

China.Chopper.Web.Shell.Client.Connection

CVE-2020-5902: F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal

CVE-2019-19781: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal

CVE-2019-11510: Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure