Iran and China Exploit Similar Flaws at the Same Time. Coincidence?

Pioneer Kitten, also known as UNC757, is an Iranian APT group that specializes in exploiting long-known but still-unpatched vulnerabilities in internet-facing appliances, combined with open-source tooling. CISA and the FBI have recently issued a joint alert warning administrators and network defenders and urging them to protect their organizations from the group's attacks.

The latest attack campaign

As revealed in the recent CISA alert, the group is specifically targeting organizations in the IT, government, healthcare, financial, insurance, and media sectors across the U.S.
  • The group exploits several critical vulnerabilities in VPN and networking appliances, including Pulse Connect Secure (CVE-2019-11510 and CVE-2019-11539), Citrix ADC and Gateway appliances (CVE-2019-19781), and F5 BIG-IP load balancers (CVE-2020-5902).
  • After gaining access, the actors deploy open-source tools such as ChunkyTuna, ngrok, Mimikatz, Juicy Potato, and SSHMinion for post-exploitation work, including tunneling (ngrok, ChunkyTuna), credential dumping (Mimikatz), and privilege escalation (Juicy Potato).
  • The actors also establish SSH tunnels between their own infrastructure and the targeted networks and use those tunnels to carry Microsoft Remote Desktop Protocol (RDP) sessions to internal hosts.
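As an added example (not code from the article, the CISA alert, or the threat actor's tooling), the Python script below turns the list above into two triage checks a defender can run offline: it scans web access logs for the public exploit request paths of the three path-traversal CVEs named (CVE-2019-11510, CVE-2019-19781, CVE-2020-5902; the URL patterns come from the published exploits, not from this page, and the Exchange bug CVE-2020-0688 is left out because it has no simple path marker), and it flags the "long outbound SSH session followed by lateral RDP" shape that a reverse SSH tunnel carrying RDP produces in connection logs. The log lines, the flow format, the IP addresses, and the assumption that RFC 1918 space is "internal" are all constructed for the example.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# --- 1. Exploit-attempt triage in web access logs ---------------------------
# Request-path signatures of the public exploits for the three edge-device
# CVEs named in the article. Added here from the published exploits; they are
# not quoted from the article or the CISA alert.
EXPLOIT_SIGNATURES = {
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/\.\./", re.I),
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),
    "CVE-2020-5902": re.compile(r"/tmui/login\.jsp/\.\.;/", re.I),
}

# Apache/nginx "combined"-style line: client, timestamp, request line, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def scan_access_log(text):
    """Return one hit per log line whose raw request path matches a signature."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        for cve, sig in EXPLOIT_SIGNATURES.items():
            if sig.search(path):
                # A 200 means the appliance served the traversal: treat it as a
                # likely compromise rather than a mere probe.
                hits.append({"client": client, "time": ts, "cve": cve,
                             "path": path, "status": int(status),
                             "likely_success": status == "200"})
    return hits


# --- 2. SSH tunnel followed by lateral RDP in connection logs ---------------
# Assumption for the example: RFC 1918 space is the internal network. (Python's
# ip.is_private also covers the TEST-NET documentation ranges, so an explicit
# list is used instead.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_tunnel_pivots(text, min_ssh_seconds=600, window_seconds=3600):
    """Flag internal hosts that hold a long outbound SSH session to a public
    address and then open RDP (3389) to other internal hosts within the window.
    Constructed flow format: "<ISO time> <src> <dst> <dport> <proto> <seconds>"."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, dur = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(dport), proto, int(dur)))
    flows.sort()
    pivots = {}
    for ts, src, dst, dport, proto, dur in flows:
        if (proto == "tcp" and dport == 22 and _is_internal(src)
                and not _is_internal(dst) and dur >= min_ssh_seconds):
            deadline = ts + timedelta(seconds=window_seconds)
            targets = sorted({d for t, s, d, p, pr, _ in flows
                              if s == src and p == 3389 and pr == "tcp"
                              and _is_internal(d) and ts <= t <= deadline})
            if targets:
                pivots[src] = {"ssh_peer": dst, "ssh_start": ts.isoformat(),
                               "rdp_targets": targets}
    return pivots


# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [17/Sep/2020:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1879
203.0.113.7 - - [17/Sep/2020:10:01:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.7 - - [17/Sep/2020:10:02:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1403
198.51.100.22 - - [17/Sep/2020:10:03:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5521
198.51.100.22 - - [17/Sep/2020:10:03:30 +0000] "GET /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 403 182
"""

SAMPLE_CONN_LOG = """\
2020-09-17T10:05:00Z 10.0.5.14 203.0.113.7 22 tcp 7210
2020-09-17T10:06:30Z 10.0.5.14 10.0.5.21 3389 tcp 900
2020-09-17T10:07:10Z 10.0.5.14 10.0.5.33 3389 tcp 600
2020-09-17T10:09:00Z 10.0.7.2 10.0.5.50 3389 tcp 120
2020-09-17T10:10:00Z 10.0.7.2 192.0.2.9 443 tcp 5
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
    print(find_tunnel_pivots(SAMPLE_CONN_LOG))
```

Two caveats when adapting this to real data: the web-log check only works on the raw request line (a proxy that normalizes `..` before logging hides the traversal), and the tunnel heuristic looks for plain SSH on port 22, whereas ngrok and similar services ride TLS to the provider on 443, so long-lived sessions to known tunnel providers deserve the same treatment.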

Same flaws, different actor

Just a few days earlier, CISA had issued a similar alert about Chinese state-affiliated threat actors targeting U.S. federal agencies. Those actors were found exploiting the same flaws in common enterprise products, including F5 BIG-IP (CVE-2020-5902), Citrix VPN appliances (CVE-2019-19781), Pulse Secure VPN servers (CVE-2019-11510), and, in addition, Microsoft Exchange Server (CVE-2020-0688).

Earlier this year

In February, the ClearSky research team reported that Pioneer Kitten had previously worked with other Iranian groups, such as OilRig and Shamoon, providing them with access to the networks it had already compromised.

Ending notes

The continued targeting of organizations through flaws that have had patches available for months shows how many of them are still missing basic security hygiene. Experts recommend a robust patch-management process that prioritizes internet-facing VPN, remote-access, and load-balancing appliances, together with regular audits to confirm that the patches were actually applied.