
Where China leads, Iran follows: US warns of 'contract' hackers exploiting Citrix, Pulse Secure and F5 VPNs

Please just patch your infrastructure, begs US-CISA


Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.

The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.

“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States”, said the agencies in a joint statement.


The threat actor uses nmap to scan target networks before exploiting any of a host of CVEs to force its way within. Those include CVE-2019-11510 (Pulse Secure Connect’s remote entry vuln), CVE-2019-11539 (Pulse Secure remote code injection), CVE-2019-19781 (Citrix directory traversal), and CVE-2020-5902 (F5’s BIG-IP takeover vuln).

Once inside the target network, the Iranians do the usual thing: gain a foothold, establish persistence, and then steal data. In doing so they also make use of the China Chopper web shell, covered in a separate advisory from US CISA. That shell also deploys a PowerShell script that steals encrypted passwords from the password manager app KeePass, as well as another utility that establishes an outbound remote desktop session.

The Iranians are said to make “significant” use of ngrok, which shows up as TCP port 443 connections to “external cloud-based infrastructure”, as well as FRPC over network port 7557. CISA warned the world to patch the CVEs, especially the Citrix directory traversal flaw detailed in CVE-2019-19781.
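Two of the network behaviours the advisory describes, nmap scanning of a target and outbound FRPC on TCP 7557, can be picked out of ordinary firewall logs. The following Python script is an added example, not code from the article, CISA or CrowdStrike: the log lines, the 192.0.2.0/24 "internal" address space and the ten-port scan threshold are all constructed assumptions for illustration.

```python
"""Flag two network behaviours named in the CISA/FBI advisory in firewall
logs: an external host sweeping ports on an internal one (nmap) and an
internal host opening an outbound FRPC session on TCP 7557.
Every log line here is constructed for this example."""
import re
from collections import defaultdict

# Constructed firewall log format: "<timestamp> <src> <dst> <proto> <dport> <action>".
# 203.0.113.7 (TEST-NET-3) sweeps twelve ports on 192.0.2.10; later that
# internal host opens an outbound TCP 7557 session to an external address.
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    [f"2020-09-15T10:00:0{i % 10}Z 203.0.113.7 192.0.2.10 tcp {p} deny"
     for i, p in enumerate(_SCAN_PORTS)]
    + [
        "2020-09-15T10:01:00Z 198.51.100.5 192.0.2.10 tcp 443 allow",   # ordinary inbound HTTPS
        "2020-09-15T10:01:30Z 198.51.100.5 192.0.2.10 tcp 80 allow",    # two ports is not a scan
        "2020-09-15T10:05:00Z 192.0.2.10 198.51.100.9 tcp 7557 allow",  # outbound FRPC: flagged
        "2020-09-15T10:06:00Z 192.0.2.11 198.51.100.20 tcp 443 allow",  # normal outbound HTTPS
        "2020-09-15T10:07:00Z 192.0.2.11 192.0.2.12 tcp 7557 allow",    # internal to internal: not flagged
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>tcp|udp) "
    r"(?P<dport>\d+) (?P<action>allow|deny)$"
)
INTERNAL_PREFIX = "192.0.2."   # assumption: the organisation's own address space (TEST-NET-1)
FRPC_PORT = 7557               # the FRPC port the advisory mentions
SCAN_THRESHOLD = 10            # assumption: distinct ports one source touches on one host


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def detect_scans(events, threshold=SCAN_THRESHOLD):
    """Map (external src, internal dst) -> distinct port count for pairs at or above threshold.
    Denied connections count too: a scan mostly shows up as refused probes."""
    ports = defaultdict(set)
    for e in events:
        if not is_internal(e["src"]) and is_internal(e["dst"]):
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def detect_frpc(events):
    """Outbound TCP 7557 from an internal host to anything outside the organisation."""
    return [
        e for e in events
        if e["proto"] == "tcp" and e["dport"] == FRPC_PORT
        and is_internal(e["src"]) and not is_internal(e["dst"])
    ]


def analyse(text):
    events = parse_log(text)
    return {
        "events": len(events),
        "scans": detect_scans(events),
        "frpc": detect_frpc(events),
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for (src, dst), n in findings["scans"].items():
        print(f"scan: {src} touched {n} ports on {dst}")
    for e in findings["frpc"]:
        print(f"frpc: {e['src']} -> {e['dst']}:{e['dport']} at {e['ts']}")
```

The ngrok indicator the advisory gives (TCP 443 to external cloud infrastructure) is deliberately not a rule here: on its own it matches almost all legitimate outbound HTTPS, so it belongs in a correlation with the scan and 7557 hits rather than as a standalone alert. A production version would also window the port count by time so a month of unrelated connections from one partner address does not accumulate into a "scan".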

It is significant that the Iranians, identified only as Pioneer Kitten or UNC757, appear to be copying Chinese TTPs. CrowdStrike said in a roundup that the crew has been active since 2017, describing them as “Highly opportunistic with a focus on Technology, Government, Defense and Healthcare” and speculating that they may be private contractors operating for the Iranian state, rather than units of the Iranian government themselves.

The group is also said to have been offering to sell access to compromised networks on “an underground forum”, something CrowdStrike thought may have been an unofficial side hustle alongside the Iranian government work. ®
