
Iranian APT teams up with ransomware crews, seen scanning for Check Point CVE, say Feds

Cyberespionage activities morph into ransomware ones – perhaps without Tehran’s blessing, says the FBI

An Iran-backed threat group is aggressively scanning for vulnerable network appliances as part of efforts to gain a foothold in target organisations, CISA has warned. It is currently scanning in particular for Check Point Security Gateways that are potentially vulnerable to CVE-2024-24919, a vulnerability exploited in the wild since April 2024.

“As of April 2024, these actors have [also] conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400,” said CISA in an August 28 advisory.

“Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices,” the agency added – a sharp reminder of the extent to which network appliances like VPNs or firewalls have become a key target of attackers; most are black boxes, and users cannot run EDR or equivalent tooling on them for protection.


The threat group has hit the defense, education, finance, and healthcare sectors, as well as local government. The FBI – which co-authored the advisory – said the group is collaborating “directly with ransomware affiliates” without disclosing its Iranian state affiliations; initial campaigns were information-gathering ones, and the ransomware activity is “likely not sanctioned by the GOI” [Government of Iran], the FBI suggested.

This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, Parisite, RUBIDIUM, and several others: “The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker ‘xplfinder’ in their channels,” said CISA.

Once a foothold is established the attackers, among other techniques:

“Create malicious scheduled task SpaceAgentTaskMgrSHR in the Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.exe, to load a payload from version.dll.
“This file has been observed being executed from the Windows Downloads directory. [The group also places] a malicious backdoor version.dll in C:\Windows\ADFS\ directory [and uses] a scheduled task to load malware through installed backdoors. Deploy of Meshcentral to connect with compromised servers for remote access…”


For C2 it has been seen:

  • Installing AnyDesk as a backup access method.
  • Enabling servers to use Windows PowerShell Web Access.
  • Using the open source tunneling tool Ligolo.
  • Using NGROK for outbound connections to a random subdomain.

CISA and the FBI have IOCs and sensible mitigation guidance here.
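The host artefacts quoted above (the SpaceAgentTaskMgrSHR task, the side-loaded version.dll next to contig.exe/dllhost.exe, the backdoor DLL in C:\Windows\ADFS\) and the C2 tooling listed (AnyDesk, PowerShell Web Access, Ligolo, NGROK) are concrete enough to hunt for on a Windows host. The script below is an added example, not code from CISA, the FBI or The Stack, and it is a triage aid rather than a replacement for the advisory's full IOC list. It assumes the advisory's "Windows/Spaceport/" refers to a Task Scheduler folder path containing "Spaceport", that the PowerShell Web Access server role carries its documented feature name WindowsPowerShellWebAccess (Windows Server only), and that the tunneling tools run under process names beginning "ngrok" and "ligolo"; those are assumptions, not facts from the page.

```powershell
# Added hunt script (not from the advisory). Run elevated on a Windows host.
# Every indicator below is taken from the quoted advisory text; the task-path,
# feature-name and process-name details are assumptions noted inline.

$findings = @()

# 1. Scheduled task SpaceAgentTaskMgrSHR. We search all task folders by name and
#    report the path, since the advisory's "Windows/Spaceport/" is assumed to be
#    a Task Scheduler folder rather than a filesystem path.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq 'SpaceAgentTaskMgrSHR' -or $_.TaskPath -like '*Spaceport*' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Scheduled task: $($_.TaskPath)$($_.TaskName) -> $action"
    }

# 2. Backdoor version.dll dropped in C:\Windows\ADFS\ (path quoted from the advisory).
$adfsDll = 'C:\Windows\ADFS\version.dll'
if (Test-Path $adfsDll) {
    $sig = Get-AuthenticodeSignature -FilePath $adfsDll
    $findings += "version.dll present at $adfsDll (Authenticode status: $($sig.Status))"
}

# 3. Side-load pairs in user Downloads folders: contig.exe (possibly renamed
#    dllhost.exe) sitting beside a version.dll. A legitimate version.dll lives in
#    System32/SysWOW64, so one next to a copied Sysinternals binary is suspect.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $downloads = Join-Path $profile.FullName 'Downloads'
    if (-not (Test-Path $downloads)) { continue }
    Get-ChildItem $downloads -Recurse -File -Include 'contig.exe','dllhost.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.DirectoryName 'version.dll'
            if (Test-Path $dll) {
                $exeSig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings += "Side-load pair: $($_.FullName) [signer: $($exeSig.SignerCertificate.Subject)] with $dll"
            }
        }
}

# 4. Windows PowerShell Web Access role. Get-WindowsFeature exists only on
#    Windows Server; on clients the call is skipped. Feature name is an assumption
#    based on Microsoft's documented role name.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $pswa = Get-WindowsFeature -Name 'WindowsPowerShellWebAccess' -ErrorAction SilentlyContinue
    if ($pswa -and $pswa.Installed) { $findings += 'Windows PowerShell Web Access role is installed' }
}

# 5. Backup-access and tunneling tools named in the advisory. Service and process
#    names are wildcard matches and are assumptions about how the tools install.
Get-Service -Name 'AnyDesk*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "AnyDesk service present: $($_.Name) ($($_.Status))" }
Get-Process -Name 'ngrok*','ligolo*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Tunneling process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

# Summary. A hit is a lead for investigation, not proof of compromise on its own:
# AnyDesk and PSWA have legitimate uses, so confirm against change records.
if ($findings.Count -eq 0) {
    Write-Output 'No advisory-listed artefacts found on this host.'
} else {
    Write-Output "Found $($findings.Count) item(s) matching advisory-listed artefacts:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session on each host of interest, or push it through your EDR's live-response or remote-script feature and collect the output centrally; matches on the scheduled task or the ADFS DLL are the highest-fidelity signals, while the remote-access and tunneling checks need corroboration against what the organisation has actually sanctioned.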

They further warned that the group has breached cloud resources and used "this cloud infrastructure to conduct further cyber operations… The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization" they said, without sharing further TTPs on this particular activity.

As ever, prompt patching and phishing-resistant MFA go a long way to reducing risk.

Tenable, a security vendor that has been tracking the threat group, said the group also continues to actively exploit "several legacy vulnerabilities... [we] performed a metadata analysis on these vulnerabilities and uncovered unique insights into CVE-2019-19781 and CVE-2022-1388. From our research, only about half of impacted assets have been successfully remediated. It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io... it is imperative to prioritize the remediation of legacy vulnerabilities alongside newer threats, ensuring a more comprehensive and robust security posture."
