Today, CrowdStrike (a cyber-security firm) said in a report that one of Iran’s state-sponsored hacking groups has been spotted selling access to compromised corporate networks on an underground hacking forum. The company tracks the group under the codename Pioneer Kitten; the same group is also known as Parisite and Fox Kitten.
Gaining access by exploiting critical VPN flaws
The group, which CrowdStrike believes is a contractor for the Iranian regime, has spent two years (2019 and 2020) hacking into corporate networks via critical flaws in Virtual Private Network (VPN) servers and networking equipment, such as:
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510) – an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file read. Affected versions: Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
- Fortinet VPN servers running FortiOS (CVE-2018-13379) – an Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in the SSL VPN web portal of FortiOS 6.0.0-6.0.4, 5.6.3-5.6.7 and 5.4.6-5.4.12 allows an unauthenticated remote attacker to download system files via specially crafted HTTP resource requests.
- Palo Alto Networks “GlobalProtect” VPN servers (CVE-2019-1579) – remote code execution in PAN-OS 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier with the GlobalProtect Portal or GlobalProtect Gateway interface enabled, which may allow an unauthenticated attacker to execute arbitrary code.
- Citrix “ADC” servers and Citrix Gateway appliances (CVE-2019-19781) – a directory traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway. Affected versions: 10.5, 11.1, 12.0, 12.1, and 13.0.
- F5 Networks BIG-IP load balancers (CVE-2020-5902) – the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a remote code execution flaw in undisclosed pages. Affected versions: 15.0.0-15.1.0, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.2, and 11.6.1-11.6.5.
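A defender-side triage helper, added here as an example and not part of the article or CrowdStrike’s report: it parses appliance version strings (including Pulse’s “R” and PAN-OS’s “-h” suffixes) and checks an asset inventory against the affected ranges listed above (the BIG-IP upper bounds follow the published CVE-2020-5902 description). The hostnames and inventory are constructed.

```python
import re

def parse_version(v: str) -> tuple:
    """Split a version string on every non-digit run, so '8.2R12.1' -> (8, 2, 12, 1)
    and '8.0.11-h1' -> (8, 0, 11, 1); plain tuple comparison then orders releases."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# Affected ranges as (low, high, high_inclusive), taken from the article's CVE summaries:
# 'before X' -> high exclusive; 'A-B' and 'X and earlier' -> high inclusive.
# Assumption: a bare branch such as Citrix '12.1' or PAN-OS '8.0.11-h1 and earlier' is
# bounded to its own branch (12.1.x, 8.0.x), not read as 'every older release on any branch'.
AFFECTED = {
    "CVE-2019-11510": [("8.2", "8.2R12.1", False), ("8.3", "8.3R7.1", False),
                       ("9.0", "9.0R3.4", False)],
    "CVE-2018-13379": [("6.0.0", "6.0.4", True), ("5.6.3", "5.6.7", True),
                       ("5.4.6", "5.4.12", True)],
    "CVE-2019-1579":  [("7.1", "7.1.18", True), ("8.0", "8.0.11-h1", True),
                       ("8.1", "8.1.2", True)],
    "CVE-2019-19781": [(b, n, False) for b, n in (("10.5", "10.6"), ("11.1", "11.2"),
                       ("12.0", "12.1"), ("12.1", "12.2"), ("13.0", "13.1"))],
    "CVE-2020-5902":  [("15.0.0", "15.1.0", True), ("14.1.0", "14.1.2", True),
                       ("13.1.0", "13.1.3", True), ("12.1.0", "12.1.2", True),
                       ("11.6.1", "11.6.5", True)],
}

def in_range(version: str, low: str, high: str, high_inclusive: bool) -> bool:
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v and (v <= hi if high_inclusive else v < hi)

def is_affected(cve: str, version: str) -> bool:
    """True if `version` falls inside any range the article lists for `cve`."""
    return any(in_range(version, *rng) for rng in AFFECTED.get(cve, []))

def triage(inventory):
    """inventory: (hostname, cve, running_version) triples; returns those still exposed."""
    return [(h, c, v) for h, c, v in inventory if is_affected(c, v)]

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    ("vpn-pulse-1", "CVE-2019-11510", "8.3R7"),      # before 8.3R7.1 -> exposed
    ("vpn-pulse-2", "CVE-2019-11510", "8.3R7.1"),    # the fixed release -> clear
    ("fw-forti-1", "CVE-2018-13379", "6.0.5"),       # past 6.0.4 -> clear
    ("lb-bigip-1", "CVE-2020-5902", "15.0.1.1"),     # inside 15.0.0-15.1.0 -> exposed
    ("gw-citrix-1", "CVE-2019-19781", "13.0.47.24"), # 13.0 branch -> exposed
]

if __name__ == "__main__":
    for host, cve, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is in the affected range for {cve}")
```

Point releases beyond a stated upper bound (for example 14.1.2.5 against “14.1.0-14.1.2”) fall outside the article’s coarse ranges, so a clear result here should be confirmed against the vendor advisory before an appliance is considered patched.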
Iran’s state-sponsored hacking groups have been breaching network devices using the above flaws, planting backdoors, and then handing access to other Iranian hacking groups, such as APT33 (Shamoon), Chafer or OilRig (APT34), according to reports from the cyber-security firms Dragos and ClearSky.
These other groups would then come in, expand the “initial access” Pioneer Kitten had obtained by moving laterally across the network with more advanced malware and exploits, and then search for and steal sensitive information likely of interest to the Iranian government.
However, in today’s report, CrowdStrike says that since at least July 2020 Pioneer Kitten has also been spotted selling access to some of these compromised networks on hacking forums. CrowdStrike believes the group is merely trying to diversify its revenue stream and monetize networks that have no intelligence value for the Iranian intelligence services.
Classic targets of this group usually include companies and governments in the US, Israel and Arab countries in the Middle East. Targeted sectors have usually included defense, technology, healthcare and government. Anything else is most likely out of scope for Iranian state-sponsored hackers, and very likely to be offered on hacking forums to other groups. Today, the biggest customers of “initial access brokers” like Pioneer Kitten are usually ransomware groups.