The Cybersecurity and Infrastructure Security Agency (CISA), with contributions from the Federal Bureau of Investigation (FBI), has published a report detailing nefarious activities originating in Iran, targeting several U.S. agencies. Pioneer Kitten and UNC757 were named as malicious actors in the report.
Using various tactics, techniques and procedures (TTPs), it was reported that the affected products/networks were exploited for several months. Among the exploited vulnerabilities are well known CVEs, such as CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902. According to the CISA report, “The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network.” The report goes on to add – “Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks .”
After gaining a foothold on the targeted network, the threat actors attain privilege escalation and install various web shells. Later, this network is kept infected for several months to exfiltrate data. The threat actors have dependency on Open Source tools to conduct reconnaissance as well as shells to gain remote access, which are listed below:
Tool | Detail |
ChunkyTuna web shell | ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. |
Tiny web shell | Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. |
China Chopper | China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |
FRPC (Fast Reverse Proxy) | FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. |
Chisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. |
ngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. |
Nmap | Nmap is used for vulnerability scanning and network discovery. |
Angry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. |
Drupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. |
Table Source: CISA
According to the report, ngrok was widely used and appeared as TCP port 443 on wire connections to external cloud-based infrastructure, FRPC over port 7557 and a detailed report was published regarding malware analysis and its related activities.
The report also states that if a Citrix Netscalar network is compromised by exploiting CVE-2019-19781, the following file paths can be used to detect web shells:
Tiny web shell
/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php
/netscaler/ns_gui/vpn/images/vpn_ns_gui.php
/var/vpn/themes/imgs/tiny.php
ChunkyTuna web shell
/var/vpn/themes/imgs/debug.php
/var/vpn/themes/imgs/include.php
/var/vpn/themes/imgs/whatfile
Chisel
/var/nstmp/chisel
The CISA and FBI report includes comprehensive information of how the threat actors gain initial access to privilege escalation to take control of the entire network for a prolonged period of time.
Affected Products/Networks:
- Pulse Secure virtual private network (VPN)
- Citrix NetScaler
- F5 vulnerabilities
Advisory
https://us-cert.cisa.gov/ncas/alerts/aa20-259a
Mitigations
CISA and FBI have published the following recommendations in their official
- If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.
- This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.
- If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.
- If compromised, rebuild/reimage compromised NetScaler devices. Routinely audit configuration and patch management programs.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Implement multi-factor authentication, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Implement the principle of least privilege on data access.
- Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
- Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.
- Keep software up to date.
Detection
Qualys customers can scan their network with QID(s) 38771,150273, 372305, 38791 and 373106 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References
https://us-cert.cisa.gov/ncas/alerts/aa20-073a
https://us-cert.cisa.gov/ncas/alerts/aa20-107a
https://us-cert.cisa.gov/ncas/alerts/aa20-206a
https://us-cert.cisa.gov/ncas/tips/ST18-001
https://us-cert.cisa.gov/ncas/alerts/aa20-031a
https://us-cert.cisa.gov/ncas/alerts/aa20-259a
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a