The attacker is targeting virtual private networks and cloud computing vulnerabilities, and has been present in victim networks for several months.
Government systems are among those being targeted by a threat actor who industry sources believe is a contractor for the Iranian government and is exploiting vulnerabilities in virtual private networks and cloud computing software, ostensibly to exfiltrate data, federal agencies warn.
“Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests,” reads an advisory the Cybersecurity and Infrastructure Security Agency and FBI released Tuesday. “The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.”
Technical details of the advisory describe the tactics and techniques of an attacker officials now associate with a group that goes by the names “Pioneer Kitten” and “UNC757.” The Justice Department reportedly plans to soon issue indictments for Iran-related hackers.
“CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States,” the advisory reads. “The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits [Common Vulnerabilities and Exposures] related to VPN infrastructure to gain initial access to a targeted network.”
The threat actor also relied heavily on a vulnerability in NetScaler, an application delivery controller made by the software-as-a-service company Citrix that is used to speed up operations in cloud environments.
“The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781,” the advisory reads.
CISA issued an alert urging organizations to patch the CVE in January, noting that once an attacker is inside an affected device, they can stay there even after their original avenue for reaching it is closed.
“Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability,” the alert said.
The threat actor has been collecting credentials, including by accessing password managers such as KeePass, and has used 7-Zip to archive data.
CISA said it has not yet observed any data actually being exfiltrated but encourages organizations to “monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet.”
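The advisory's recommendation to watch for unexpected and unapproved protocols leaving the network can be turned into a simple allowlist check over connection logs. The following script is an added example written for this article; it is not code from CISA, the FBI, or the advisory. It assumes a flow-style log with the fields shown in the constructed `SAMPLE_LOG`, an organisation-specific allowlist (`APPROVED_OUTBOUND`, assumed here as HTTPS, HTTP and DNS on their usual ports), and the RFC 1918 ranges as "internal". Any connection from an internal host to a non-internal address whose application protocol is unidentified, not on the allowlist, or running on an unexpected port is reported.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample connection records (not taken from the advisory).
# Fields: timestamp, source IP, destination IP, destination port,
# transport protocol, identified application service ("-" = unknown), bytes sent.
SAMPLE_LOG = """\
2020-09-15T10:01:02Z 10.20.0.15 10.20.0.5 445 tcp smb 20480
2020-09-15T10:02:10Z 10.20.0.15 203.0.113.8 443 tcp ssl 51200
2020-09-15T10:03:44Z 10.20.0.15 198.51.100.22 22 tcp ssh 734003200
2020-09-15T10:04:01Z 10.20.0.31 198.51.100.9 53 udp dns 512
2020-09-15T10:05:17Z 10.20.0.31 192.0.2.77 8443 tcp - 94371840
2020-09-15T10:06:30Z 10.20.0.31 192.0.2.77 21 tcp ftp 1048576
this line is malformed and is skipped
"""

# Assumed allowlist: application protocols approved to leave the network,
# each with the destination ports it is expected on. Adjust to your environment.
APPROVED_OUTBOUND = {
    "ssl": {443},
    "http": {80},
    "dns": {53},
}

# Assumed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    reason: str


def is_internal(ip_text, internal=INTERNAL_NETS):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in internal)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, dport, proto, service, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {
            "ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "service": service, "bytes": int(nbytes),
        }
    except ValueError:
        return None


def find_unapproved_outbound(log_text, approved=APPROVED_OUTBOUND, internal=INTERNAL_NETS):
    """Return findings for internal->external connections whose protocol is not approved."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only traffic leaving the internal network is in scope here.
        if not is_internal(rec["src"], internal) or is_internal(rec["dst"], internal):
            continue
        service, dport = rec["service"], rec["dport"]
        if service == "-":
            reason = f"unidentified protocol on port {dport}"
        elif service not in approved:
            reason = f"unapproved protocol {service}"
        elif dport not in approved[service]:
            reason = f"{service} on unexpected port {dport}"
        else:
            continue  # approved protocol on an expected port
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, service, reason))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_outbound(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.reason}")
```

Run against the constructed log, the SMB connection is ignored as internal, the HTTPS and DNS connections pass the allowlist, and the SSH, unidentified-port-8443 and FTP connections to external addresses are reported. In practice the same logic sits on top of a real flow or proxy log export, and the allowlist should be derived from what the organisation actually approves rather than from the three entries assumed here.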
Mitigations also include employing multifactor authentication and enacting least privilege principles for data access, patching the Citrix vulnerability, and—if already compromised—rebuilding the NetScaler devices.