This article is more than 1 year old

Where China leads, Iran follows: US warns of 'contract' hackers exploiting Citrix, Pulse Secure and F5 VPNs

Please just patch your infrastructure, begs US-CISA

Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.

The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.

“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States”, said the agencies in a joint statement.

china hacking

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds


The threat actor uses nmap to scan target networks before exploiting any of a host of CVEs to force its way within. Those include CVE-2019-11510 (Pulse Secure Connect’s remote entry vuln), CVE-2019-11539 (Pulse Secure remote code injection), CVE-2019-19781 (Citrix directory traversal), and CVE-2020-5902 (F5’s BIG-IP takeover vuln)

Once inside the target network, the Iranians do the usual thing: gain a foothold, establish persistence, and then steal data. In doing so they also make use of the China Chopper web shell, released as a separate advisory by US CISA. That shell also deploys a Powershell script that steals encrypted passwords from password manager app KeePass, as well as another utility that establishes an outbound remote desktop session.

The Iranians are said to make “significant” use of ngrok, which shows up as TCP port 443 connections to “external cloud-based infrastructure” as well as FRPC over network port 7557. CISA warned the world to patch the CVEs, especially the Citrix directory traversal flaw detailed in 2019-19781.

It is significant that the Iranians, identified only as Pioneer Kitten or UNC 757, appear to be copying Chinese TTPs. Crowdstrike said in a roundup that the crew has been active since 2017, describing them as “Highly opportunistic with a focus on Technology, Government, Defense and Healthcare” and speculating that they may be private contractors operating for the Iranian state, rather than units of the Iranian government themselves.

The group is also said to have been offering to sell access to compromised networks on “an underground forum”, something Crowdstrike thought may have been an unofficial side hustle from the Iranian government work. ®

More about


Send us news

Other stories you might like