The Iranian cyber actors behind this activity have been conducting extensive cyber intrusions since 2017. They are known in the private sector by names such as Pioneer Kitten, Fox Kitten, UNC757, and Lemon Sandstorm. These actors, who operate under various monikers including "xplfinder," have developed a sophisticated operation. Their activities involve both monetizing access to compromised networks and collaborating directly with ransomware affiliates to deploy ransomware.
Initial access is typically achieved through the exploitation of vulnerabilities in public-facing networking devices. The group has been observed scanning for vulnerabilities such as CVE-2024-24919 in Check Point Security Gateways and CVE-2024-3400 in Palo Alto Networks PAN-OS. Historical exploitation includes CVE-2019-19781 (Citrix Netscaler) and CVE-2022-1388 (F5 BIG-IP).
The actors use tools like Shodan to identify vulnerable IP addresses. After gaining access, they deploy webshells and create malicious directories to maintain persistence.
Once inside the network, the actors engage in credential theft. They create new accounts and request exemptions to security policies to deploy their tools. They use DLL side-loading techniques and backdoors to execute malware. Compromised administrator credentials are leveraged to disable security software and lower security policies, thus evading detection.
The actors have been observed using remote desktop sessions to execute PowerShell commands. They employ various tools for command and control, including AnyDesk, Ligolo, and NGROK, to maintain access and tunnel traffic.
The FBI has linked these actors to hack-and-leak campaigns, such as the 2020 Pay2Key operation. This operation targeted Israeli organizations with the apparent goal of undermining Israel's cybersecurity posture rather than obtaining ransom payments. This highlights the dual nature of the group's activities: financial gain through ransomware and state-sponsored espionage and influence operations.
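The post-access behaviours described above (an RDP session followed by PowerShell, AnyDesk/Ligolo/NGROK for tunnelling, new account creation, security software being disabled) can be turned into simple detection logic. The script below is an added example, not part of the advisory; it runs over constructed, simplified log records in a made-up "timestamp host event key=value" format, and the Ligolo binary names are assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records (not from the advisory): one per line, in the
# form "<timestamp> <host> <event> key=value ...", modelling the TTPs in the text.
SAMPLE_LOGS = r"""
2024-08-01T09:00:01 srv1 LOGON type=10 user=admin src=203.0.113.5
2024-08-01T09:00:40 srv1 PROC user=admin image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2024-08-01T09:02:10 srv1 PROC user=admin image=C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
2024-08-01T09:03:00 srv1 PROC user=admin image=C:\Temp\ngrok.exe
2024-08-01T09:05:00 srv1 ACCOUNT_CREATED user=admin target=svc_backup
2024-08-01T09:06:00 srv1 DEFENDER_DISABLED user=admin
2024-08-01T10:00:00 ws7 LOGON type=2 user=alice src=-
2024-08-01T10:01:00 ws7 PROC user=alice image=C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Remote access / tunnelling binaries named in the text; the ligolo names are assumed.
TUNNEL_TOOLS = {"anydesk.exe", "ngrok.exe", "ligolo.exe", "ligolo-ng.exe"}
RDP_TO_POWERSHELL_WINDOW = timedelta(minutes=10)  # logon type 10 = RemoteInteractive (RDP)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces

def parse(line):
    ts, host, event, rest = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, event, dict(FIELD_RE.findall(rest))

def detect(log_text):
    """Return (timestamp, host, rule, detail) tuples for each suspicious record."""
    findings = []
    last_rdp = {}  # (host, user) -> time of the most recent RDP logon
    for line in log_text.strip().splitlines():
        ts, host, event, f = parse(line)
        user = f.get("user", "?")
        if event == "LOGON" and f.get("type") == "10":
            last_rdp[(host, user)] = ts
        elif event == "PROC":
            exe = PureWindowsPath(f["image"]).name.lower()
            rdp_at = last_rdp.get((host, user))
            if exe == "powershell.exe" and rdp_at and ts - rdp_at <= RDP_TO_POWERSHELL_WINDOW:
                findings.append((ts, host, "rdp_then_powershell", user))
            if exe in TUNNEL_TOOLS:
                findings.append((ts, host, "remote_access_tool", exe))
        elif event == "ACCOUNT_CREATED":
            findings.append((ts, host, "new_account", f["target"]))
        elif event == "DEFENDER_DISABLED":
            findings.append((ts, host, "security_software_disabled", user))
    return findings

if __name__ == "__main__":
    for ts, host, rule, detail in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {host} {rule}: {detail}")
```

Real deployments would map these rules onto the equivalent Windows Security and Sysmon events (logon type 10, process creation, account creation, Defender state changes) rather than this toy format.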