The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, with input from the FBI, issued an alert on September 15, 2020 warning that an Iran-based threat actor is known to have penetrated a number of networks, and may be planning to deploy ransomware in addition to other malicious activity.
They have primarily targeted US enterprises and organizations in the IT, government, healthcare, financial, insurance and media sectors.
Who is this threat actor?
The threat actor is an Iran-based group variously known as “Pioneer Kitten,” “UNC757,” “Fox Kitten,” and “Parisite.” It appears to be a contractor supporting the Iranian government’s espionage or disruption goals; however, it also seems to be pursuing its own financial interests. A report from Crowdstrike claims that Pioneer Kitten is “highly opportunistic with a focus on technology, government, defense and healthcare.” The Crowdstrike report also notes that someone associated with Pioneer Kitten tried to sell access to compromised networks (probably without Iranian government authorization).
Mode of attack
Using scanning tools, backdoor creators and open source tooling, including Nmap, FRPC, ngrok, and tiny web shell, this cybercrime gang identifies open ports, then exploits several known Common Vulnerabilities and Exposures (CVEs) against a range of popular VPNs to access targeted networks. CVEs that CISA and the FBI have observed the group using include:
Once they’ve gained access, the cyber criminals obtain administrator-level credentials and move laterally through the networks, executing scripts, obtaining access credentials, learning the victim environments, and establishing persistence. Their primary goal seems to be espionage – maintaining an ongoing presence for purposes of collecting and exfiltrating data.
The CISA report specifies an extensive list of the exploit tools this cybercriminal gang uses, as well as details on how some of the detected attacks were implemented.
The most notable “tells” indicating that your system may have been attacked by this threat actor are:
- Use of ngrok, which manifests as TCP port 443 connections to external cloud-based infrastructure.
- Use of FRPC over port 7557.
Additional details about tools used by Pioneer Kitten are available in Malware Analysis Report MAR-10297887-1.v1.
Prevention and Mitigation
Several actions can help organizations avoid becoming victims of an attack by Pioneer Kitten or other malicious actors, or to mitigate the damage if an attack does breach your defenses:
- Make sure you have a system in place to keep all software up to date, and to install security patches as soon as they become available.
- Implement multi-factor authentication.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Implement the principle of least privilege on data access.
- Deploy key endpoint and network defense tools.
- If you suspect your network has been compromised, see the CISA resources list appended below for additional recommendations. Contact a local FBI field office or report to the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail.
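The two network “tells” listed above (FRPC over port 7557, ngrok as outbound TCP/443) and the protocol-monitoring recommendation turned into a small detector, as an added example that is not part of the CISA alert or this post; the one-line log format, the internal address ranges, the approved-host list and the sample records are all assumptions constructed for the example.

```python
# Added example: apply the alert's network-level indicators to connection logs.
# Log format, field names, internal ranges and sample records are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FRPC_PORT = 7557                     # FRPC observed on TCP/7557 per the alert
TUNNEL_PORT = 443                    # ngrok tunnels look like outbound TCP/443
UNEXPECTED_OUTBOUND = {22: "SSH", 445: "SMB", 3389: "RDP"}

# Assumptions: RFC1918 space is "internal"; the approved list holds the few
# external hosts your organisation knowingly reaches on TCP/443 (in practice
# this comes from inventory or the web proxy's allow-list).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_HTTPS = {"203.0.113.10"}

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    proto: str

def parse_line(line):
    # Constructed record format: "<src> <dst> <dport> <proto>"
    src, dst, dport, proto = line.split()
    return Conn(src, dst, int(dport), proto.lower())

def is_external(addr):
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def findings(conn):
    hits = []
    external = is_external(conn.dst)
    if conn.proto == "tcp" and conn.dport == FRPC_PORT:
        hits.append(f"FRPC-style connection to {conn.dst}:{FRPC_PORT}")
    if external and conn.proto == "tcp" and conn.dport == TUNNEL_PORT \
            and conn.dst not in APPROVED_HTTPS:
        hits.append(f"outbound TCP/443 to unapproved host {conn.dst} (possible ngrok tunnel)")
    if external and conn.dport in UNEXPECTED_OUTBOUND:
        hits.append(f"unexpected outbound {UNEXPECTED_OUTBOUND[conn.dport]} to {conn.dst}")
    return hits

def scan(lines):
    # Map each flagged record to the list of reasons it was flagged.
    result = {}
    for line in lines:
        hits = findings(parse_line(line))
        if hits:
            result[line] = hits
    return result

SAMPLE_LOG = [  # constructed records, not captured traffic
    "10.0.0.5 203.0.113.10 443 tcp",   # approved SaaS endpoint: no alert
    "10.0.0.5 198.51.100.7 443 tcp",   # unapproved external TLS: flag
    "10.0.0.8 198.51.100.7 7557 tcp",  # FRPC port: flag
    "10.0.0.9 192.0.2.44 3389 tcp",    # outbound RDP to the internet: flag
    "10.0.0.9 10.0.0.1 445 tcp",       # internal SMB: no alert
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(line, "->", "; ".join(hits))
```

A hit on TCP/443 alone is a lead to investigate, not a verdict; the value is in correlating it with the FRPC port and with unexpected outbound SSH/SMB/RDP from the same hosts.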
Let’s dive a bit more into a few of these recommended mitigations.
Least Privilege Controls for Data Access
There are a number of ways to implement least privilege access. Because creating, implementing and keeping per-user policies up to date is complex, especially in enterprise-scale organizations, most organizations opt for role- or department-based policies. This results, in essence, in less-privilege access rather than least privilege: access requirements vary for each individual, a group policy must cover all of them, and so it falls short of the cybersecurity ideal of customized access rights for each individual user.
ZTEdge Simplified Remote Application Access changes this by using ML-based automated policy building to make it simple to implement true least privilege access controls down to the individual user level, even in a large organization. With ZTEdge, users have no network-layer visibility, so they can’t even see applications they lack permission to access. This substantially reduces the damage that a malicious actor such as Pioneer Kitten can cause if they do manage to exploit an unpatched VPN or firewall vulnerability or otherwise break into your network.
Network Traffic Monitoring
Network traffic monitoring is likewise often too challenging and labor-intensive to implement at a level granular enough to identify specific threat sources. EAI helps in this area as well by providing easy-to-use dashboards, drilldowns and trend analysis on network traffic details, including user-level, application-level, and location-level views of the data. This data helps IT and security teams spot anomalous activity so it can be quickly investigated, contained, and mitigated. See more information on the ZTEdge solution here.
Endpoint Defense Tools
Remote browser isolation (RBI) is a key endpoint defense against malware attacks in general, although, based on the warning, it does not address this specific threat. Infected websites and malicious URLs delivered via phishing emails are key vectors for ransomware and other malware, so keeping all web content away from endpoints is an important strategy for protecting organizational networks and resources from attack. RBI accomplishes this by executing web content in virtual browsers that are isolated in containers in the cloud. Safe rendering data is streamed to user endpoints, enabling full interaction with websites. As such, RBI protects endpoints from attack without hampering the internet use that is key to business productivity today.
For more information about this warning, see the following CISA resources.
CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
CISA Alert AA20-073A: Enterprise VPN Security
CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CISA Security Tip: Securing Network Infrastructure Devices