Where China leads, Iran follows: US warns of 'contract' hackers exploiting Citrix, Pulse Secure and F5 VPNs

Please just patch your infrastructure, begs US-CISA


Where Chinese hackers exploit, Iranians aren’t far behind. So says the US Cybersecurity and Infrastructure Security Agency, which is warning that malicious persons from Iran are exploiting a slew of vulns in VPN products from Citrix, F5 Networks and Pulse Secure.

The warning mirrors one issued earlier this week for exactly the same vendors, except with China as the malevolent party instead of Iran.

“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States”, said the agencies in a joint statement.

The threat actor uses nmap to scan target networks before exploiting one of several CVEs to force its way in. Those include CVE-2019-11510 (a pre-authentication arbitrary file read in Pulse Secure Connect, handy for lifting credentials), CVE-2019-11539 (command injection in Pulse Secure's admin web interface), CVE-2019-19781 (directory traversal in Citrix ADC and Gateway, exploitable for remote code execution) and CVE-2020-5902 (remote code execution through F5 BIG-IP's Traffic Management User Interface).

Once inside the target network, the Iranians do the usual thing: gain a foothold, establish persistence, and then steal data. Along the way they make use of the China Chopper web shell, which CISA covered in a separate advisory. The shell is also used to drop a PowerShell script that steals encrypted passwords from the KeePass password manager, as well as another utility that establishes an outbound remote desktop session.

The Iranians are said to make "significant" use of ngrok, which shows up as TCP port 443 connections to "external cloud-based infrastructure", and of FRPC (the fast reverse proxy client) over TCP port 7557. CISA's advice to the world is to patch the CVEs, especially the Citrix directory traversal flaw CVE-2019-19781.
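The behaviour described above (nmap sweeps of the internal network, FRPC over port 7557, and ngrok tunnels that look like ordinary outbound 443 from kit that should not be phoning anyone) is what a SOC would hunt for in firewall logs. The following Python is an added example, not code from CISA, the FBI or The Register: the log format, the appliance inventory, the update-host allowlist, the 10.0.0.0/8 "internal" test and the thresholds are all assumptions made for the example, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample firewall export (not real traffic). Columns: epoch
# timestamp, source IP, destination IP, destination port, bytes sent by the
# source, and session duration in seconds.
SAMPLE_LOG = """ts,src,dst,dport,bytes_out,duration
1600000000,10.0.1.5,203.0.113.10,443,120,2
1600000010,10.0.1.5,203.0.113.10,443,160,3
1600000020,10.0.2.20,198.51.100.7,7557,90000,3600
1600000030,10.0.2.20,198.51.100.9,443,5000000,7200
1600000040,10.0.1.5,10.0.3.8,22,60,1
1600000041,10.0.1.5,10.0.3.8,80,60,1
1600000042,10.0.1.5,10.0.3.8,443,60,1
1600000043,10.0.1.5,10.0.3.8,445,60,1
1600000044,10.0.1.5,10.0.3.8,3389,60,1
1600000045,10.0.1.5,10.0.3.8,8080,60,1
1600000046,10.0.1.5,10.0.3.8,8443,60,1
1600000047,10.0.1.5,10.0.3.8,9090,60,1
1600000048,10.0.1.5,10.0.3.8,5900,60,1
1600000049,10.0.1.5,10.0.3.8,21,60,1
1600000050,10.0.1.5,10.0.3.8,23,60,1
"""

# Hypothetical inventory (assumption for this example): perimeter appliances
# such as VPN gateways, which should only originate outbound sessions to
# their vendor's update hosts.
APPLIANCES = {"10.0.2.20"}
UPDATE_ALLOWLIST = {"203.0.113.10"}

FRPC_PORT = 7557          # port the CISA advisory associates with FRPC traffic
LONG_SESSION = 3600       # seconds; tunnels stay up, update checks do not
SCAN_WINDOW = 60          # seconds
SCAN_PORT_THRESHOLD = 10  # distinct ports from one source to one host


def parse_log(text):
    """Parse the CSV export into a list of dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
            "dport": int(r["dport"]), "bytes_out": int(r["bytes_out"]),
            "duration": int(r["duration"]),
        })
    return rows


def is_internal(ip):
    """Assumption: the monitored estate lives in 10.0.0.0/8."""
    return ip.startswith("10.")


def detect(rows):
    """Return (rule, src, dst, detail) tuples for rows matching the indicators."""
    alerts = []
    internal_hits = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for r in rows:
        src, dst, dport = r["src"], r["dst"], r["dport"]
        if is_internal(src) and not is_internal(dst):
            # FRPC server port seen in the campaign: any hit is worth a look.
            if dport == FRPC_PORT:
                alerts.append(("frpc_port", src, dst, dport))
            # ngrok rides ordinary outbound 443, so key on who is talking (an
            # appliance), to whom (not its update host) and for how long (a
            # session that outlives any plausible update check).
            if (dport == 443 and src in APPLIANCES
                    and dst not in UPDATE_ALLOWLIST
                    and r["duration"] >= LONG_SESSION):
                alerts.append(("appliance_outbound_tunnel", src, dst, dport))
        elif is_internal(src) and is_internal(dst):
            internal_hits[(src, dst)].append((r["ts"], dport))

    # nmap-style sweep: one source touching many distinct ports on one host
    # inside a short window. Report once per (src, dst) pair.
    for (src, dst), hits in internal_hits.items():
        hits.sort()
        for ts_i, _ in hits:
            ports = {p for ts, p in hits if ts_i - SCAN_WINDOW <= ts <= ts_i}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alerts.append(("port_scan", src, dst, len(ports)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data this flags the appliance's FRPC session, its seven-hour outbound 443 session to a host that is not its update server, and the eleven-port sweep of 10.0.3.8. The port 7557 rule is the brittle one, since an operator can pick any port; the durable control is the allowlist, because a VPN gateway or web front end has no business opening long-lived sessions to arbitrary cloud hosts regardless of port. None of this substitutes for CISA's actual advice: with the CVEs patched, the actor never gets a foothold from which to run nmap or ngrok in the first place.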

It is significant that the Iranians, identified only as Pioneer Kitten or UNC757, appear to be copying Chinese TTPs. CrowdStrike said in a roundup that the crew has been active since 2017, describing them as "Highly opportunistic with a focus on Technology, Government, Defense and Healthcare" and speculating that they may be private contractors operating for the Iranian state, rather than units of the Iranian government itself.

The group is also said to have been offering to sell access to compromised networks on "an underground forum", something CrowdStrike thought may have been an unofficial side hustle alongside the Iranian government work. ®
