As of August 2024, Iran-based cyber actors continue to exploit U.S. and foreign organizations across multiple sectors.
The primary sectors targeted are education, finance, healthcare, defense, and local government entities. Not only that even some of the countries include Israel, Azerbaijan, and UAE.
The CISA and FBI consider that part of conducting and performing these operations against U.S. organizations is the initial stage of gaining network access to affiliate actors for obtaining potential ransomware deployment.
Affiliated with Iran’s government, these threat actors, also known to utilize cyberspace, conduct computer network operations for the GOI (Government of Iran) interests, collecting critical technical information from Israeli and Azerbaijani companies.
Their tactics, techniques, and procedures (TTPs) include exploiting VPN vulnerabilities.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Technical Analysis
Since 2017, Iranian cyber actors known or suspected of being associated with Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm, Br0k3r, and Petfinder have been active in hacking into the systems of U.S. institutions, including schools, governments, banks, and healthcare services.
According to Google report, Their methods often depend on exploiting specific CVEs, such as CVE-2024-24919 in Check Point Security Gateways, CVE-2024-3400 in Palo Alto Networks PAN-OS, CVE-2019-19781 and CVE-2023-3519 in Citrix Netscaler, CVE-2022-1388 in F5 BIG-IP, and CVE-2024-21887 in Pulse Secure/Ivanti VPNS.
They use Shodan for reconnaissance and leverage tools like webshells (netscaler.php, ctxHeaderLogon.php), Meshcentral, and AnyDesk for persistence and remote access.
The actors abuse a GUI by creating and modifying scheduled tasks, SpaceAgentTaskMgrSHR.
The actors misuse various Microsoft SysInternals applications using DLL side-loading methods and compromised credentials, where privilege escalation and defense bypassing are done or planned.
They use the System Administrator Tool also known as PowerShell, which includes the ISE, and tunneled tools such as Ligolo, Ngrok, etc for C2.
The group has partnered with ransomware actors such as NoEscape, Ransomhouse, or ALPHV (BlackCat) to rent access to the networks and help with encrypting the files.
They also run hack-and-leak campaigns or a variant of them known as “Pay2Key” and engage in state espionage, using covers such as Danesh Novin Sahand (ID: 14007585836).
Their activities align with Iranian interests, as they target computer networks defended by the United States and Middle Eastern states, while still running independent cybercrime extortion schemes that go against the Iranian government.
Mitigations
Here below we have mentioned all the mitigations:-
- Review logs for traffic with IPs and indicators.
- Apply patches for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519.
- Investigate for stolen credentials if the network was compromised before patching.
- Check systems for specific usernames, NGROK, Ligolo, and webshells.
- Monitor for outbound requests to files.catbox[.]moe and ***.ngrok[.]io.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial