Iranian Hackers Exploiting Unpatched Vulnerabilities

CISA Alert Says 'Pioneer Kitten' Group Targeting US Businesses, Agencies
The hacking group "Pioneer Kitten," which has suspected ties to the Iranian government, is taking advantage of several unpatched vulnerabilities and using open source tools to target U.S. businesses as well as federal government agencies, according to the Cybersecurity and Infrastructure Security Agency.
A CISA alert issued Tuesday, which contains input from the FBI, notes that the Iranian hacking group, which is also called UNC757, is taking advantage of vulnerabilities in Pulse Secure, Citrix and F5 software.
The hacking group also is using open source tools to gain access and maintain a presence in networks, CISA says. For example, it’s using Nmap, a vulnerability and network scanning tool, to find open ports within vulnerable networks.
"This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence," according to CISA.
The Iranian hackers appear to be targeting a wide range of business sectors, including information technology, healthcare, financial insurance and media, as well as government agencies, according to CISA.
CISA says it has no evidence of data exfiltration in the Iranian hacker campaign, but it says data theft is likely "due to the use of 7-Zip and viewing of sensitive documents."
The CISA alert comes after security firm CrowdStrike released a report in August about how the Pioneer Kitten hacking group was zeroing in on vulnerable networks with unpatched vulnerabilities (see: Iranian Hackers Reportedly Selling Network Access to Others).
On Monday, CISA issued a similar alert about Chinese threat actors who are exploiting many of the same flaws as the Iranian group (see: CISA: Chinese Hackers Targeting US Agencies).
CISA notes the Iranian group has been exploiting these vulnerabilities:
- CVE-2019-11510, a file-reading vulnerability found in unpatched Pulse Secure Connect enterprise VPN servers. In February, researchers from security firm ClearSky warned that at least three advanced persistent threat groups with ties to Iran have been targeting these VPN servers for several months (see: Unpatched VPN Servers Hit by Apparent Iranian APT Groups).
- CVE-2019-11539, an authenticated command injection vulnerability found in versions of Pulse Connect Secure products. In October 2019, the U.S. National Security Agency issued a warning that users should immediately patch this vulnerability to avoid any attacks from nation-state actors (see: NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm).
- CVE-2019-19781, an arbitrary code execution vulnerability found in Citrix Gateway and Citrix SD-WAN WANOP appliances. In December 2019, researchers at security firm Positive Technologies released a report that found this bug could affect some 80,000 companies in 158 countries (see: Citrix Vulnerability Could Affect 80,000 Companies: Report).
- CVE-2020-5902, a remote code execution vulnerability in F5's BIG-IP network products. In July, CISA published an alert warning that threat actors were exploiting this vulnerability to exfiltrate data, access networks, carry out commands, create or delete files and disable services (see: CISA: Attackers Are Exploiting F5 BIG-IP Vulnerability).
Despite warnings from security experts and government agencies, many organizations have yet to patch these flaws.
"It's safe to assume anyone who hasn't patched against CVE-2019-11510 or CVE-2019-19781 at this point has been compromised in some fashion," Troy Mursch, chief research officer at security firm Bad Packets, tells Information Security Media Group. "Patching alone isn't a cure-all either. Organizations continue to get hit with ransomware and other types of malware because they didn't invalidate the stolen credentials. These types of post-exploitation attacks were well documented by CISA earlier this year."
Open Source Tools
Once Pioneer Kitten has exploited unpatched flaws, the hackers use SSH tunneling techniques to create links between their infrastructure and the targeted networks by taking advantage of Microsoft's Remote Desktop Protocol, CISA notes.
The open source tools the Iranian hackers use include ChunkyTuna - a web shell that reverses connections to a server and can then be used to exfiltrate data. The hackers use another web shell called Tiny for remote access and tunneling as well as routing traffic, and they use the China Chopper web shell for uploading files and brute-forcing passwords, according to CISA.
Pioneer Kitten Activities
Since Pioneer Kitten was first spotted by security researchers in 2017, the hacking group has targeted numerous organizations and government agencies in the U.S., the Middle East and Israel, according to CrowdStrike.
Although the group has been linked to the Iranian government, CrowdStrike noted that the group's sale of compromised network access, which began in July, might not have been sanctioned by the government because it might interfere with Iran's long-term espionage campaigns.
In February, ClearSky reported that Pioneer Kitten had previously worked with other Iranian-linked groups, such as OilRig and Shamoon, to provide them with access to vulnerable networks.