
Iranian Hackers Exploiting Unpatched Vulnerabilities

CISA Alert Says 'Pioneer Kitten' Group Targeting US Businesses, Agencies

The hacking group "Pioneer Kitten," which has suspected ties to the Iranian government, is taking advantage of several unpatched vulnerabilities and using open source tools to target U.S. businesses as well as federal government agencies, according to the Cybersecurity and Infrastructure Security Agency.


A CISA alert issued Tuesday, which contains input from the FBI, notes that the Iranian hacking group, which is also called UNC757, is taking advantage of vulnerabilities in Pulse Secure, Citrix and F5 software.

The hacking group also is using open source tools to gain access and maintain a presence in networks, CISA says. For example, it’s using Nmap, a vulnerability and network scanning tool, to find open ports within vulnerable networks.

"This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence," according to CISA.

The Iranian hackers appear to be targeting a wide range of business sectors, including information technology, healthcare, financial insurance and media, as well as government agencies, according to CISA.

CISA says it has no evidence of data exfiltration in the Iranian hacker campaign, but it says data theft is likely "due to the use of 7-Zip and viewing of sensitive documents."

The CISA alert comes after security firm CrowdStrike released a report in August about how the Pioneer Kitten hacking group was zeroing in on vulnerable networks with unpatched vulnerabilities (see: Iranian Hackers Reportedly Selling Network Access to Others).

On Monday, CISA issued a similar alert about Chinese threat actors who are exploiting many of the same flaws as the Iranian group (see: CISA: Chinese Hackers Targeting US Agencies).

CVEs Exploited

CISA notes the Iranian group has been exploiting these vulnerabilities:

Despite warnings from security experts and government agencies, many organizations have yet to patch these flaws.

"It's safe to assume anyone who hasn't patched against CVE-2019-11510 or CVE-2019-19781 at this point has been compromised in some fashion," Troy Mursch, chief research officer at security firm Bad Packets, tells Information Security Media Group. "Patching alone isn't a cure-all either. Organizations continue to get hit with ransomware and other types of malware because they didn't invalidate the stolen credentials. These types of post-exploitation attacks were well documented by CISA earlier this year."

Open Source Tools

Once Pioneer Kitten has exploited unpatched flaws, the hackers use SSH tunneling techniques to create links between their infrastructure and the targeted networks by taking advantage of Microsoft's Remote Desktop Protocol, CISA notes.

The open source tools the Iranian hackers use include ChunkyTuna - a web shell that reverses connections to a server and can then be used to exfiltrate data. The hackers use another web shell called Tiny for remote access and tunneling as well as routing traffic, and they use the China Chopper web shell for uploading files and brute-forcing passwords, according to CISA.
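The behaviors the alert describes (a web shell handing commands to a shell, 7-Zip staging files ahead of exfiltration, Nmap run from inside the network) leave traces in process-creation telemetry. The following is an added hunting example, not code from CISA or the article; it runs over constructed Sysmon-style events with hypothetical host names and paths, and the identity and image lists are assumptions to tune for your environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry): timestamp followed by
# quoted key="value" fields. The first three mimic activity behind a web shell on
# an IIS host; the last two are benign (scheduled backup, an analyst's notepad).
SAMPLE_EVENTS = r"""
2020-09-15T10:01:02Z host="web01" user="IIS APPPOOL\DefaultAppPool" parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c whoami"
2020-09-15T10:03:11Z host="web01" user="IIS APPPOOL\DefaultAppPool" parent="C:\Windows\System32\cmd.exe" image="C:\Tools\7z.exe" cmd="7z.exe a C:\Windows\Temp\out.7z D:\Shares\Finance"
2020-09-15T10:05:40Z host="web01" user="IIS APPPOOL\DefaultAppPool" parent="C:\Windows\System32\cmd.exe" image="C:\Tools\nmap.exe" cmd="nmap.exe 10.0.0.0/24"
2020-09-15T11:00:00Z host="fs02" user="CORP\backupsvc" parent="C:\Windows\System32\services.exe" image="C:\Program Files\7-Zip\7z.exe" cmd="7z.exe a D:\backups\nightly.7z D:\Shares"
2020-09-15T11:02:00Z host="ws17" user="CORP\alice" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe notes.txt"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed lists; extend with the web servers and tools present in your estate.
WEB_SERVER_IDENTITIES = ("IIS APPPOOL\\", "NT AUTHORITY\\NETWORK SERVICE", "www-data")
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7z"}
SCANNERS = {"nmap.exe", "nmap"}


def parse_event(line: str) -> Dict[str, str]:
    """Extract the quoted key="value" fields from one event line."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the hunting rules one event matches (empty list if benign)."""
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    web_identity = ev.get("user", "").startswith(WEB_SERVER_IDENTITIES)
    reasons = []
    if image in SHELLS and parent in WEB_WORKERS:
        reasons.append("web-shell: web server worker spawned a command shell")
    if image in ARCHIVERS and web_identity:
        reasons.append("staging: 7-Zip run under a web server identity")
    if image in SCANNERS:
        reasons.append("recon: Nmap executed on an internal host")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; yields (host, reason, command line)."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            hits.extend((ev.get("host", "?"), r, ev.get("cmd", "")) for r in classify(ev))
    return hits
```

The backup job on fs02 also runs 7-Zip but under a service account from services.exe, so the identity check keeps it out of the results while the same binary under the IIS application pool is flagged.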

Pioneer Kitten Activities

Since Pioneer Kitten was first spotted by security researchers in 2017, the hacking group has targeted numerous organizations and government agencies in the U.S., the Middle East and Israel, according to CrowdStrike.

Although the group has been linked to the Iranian government, CrowdStrike noted that the group's sale of compromised network access, which began in July, might not have been sanctioned by the government because it might interfere with Iran's long-term espionage campaigns.

In February, ClearSky reported that Pioneer Kitten had previously worked with other Iranian-linked groups, such as OilRig and Shamoon, to provide them with access to vulnerable networks.

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
