Infosec pros need to tighten the security of devices allowing remote access following a report that an Iranian group is selling compromised network access to North American and Middle East-based organizations, says a Canadian expert.
“Organizations need to redouble their efforts around network security, particularly making sure that patches are in place, that monitoring is done and that they’ve put the right controls around the devices to minimize their attack surface,” said Robert Capps, vice-president of marketplace innovation at Mastercard’s Vancouver-based cybersecurity arm NuData Security. “The fact that these kinds of attacks are happening shows organizations aren’t doing one or more of those three things.”
Capps was commenting on a report this week from security vendor Crowdstrike that an Iranian-based threat group it dubs Pioneer Kitten has recently been selling stolen access to unnamed organizations. This group, which may have been active since 2017, is known for being interested in quietly accessing firms in the technology, government, defence and healthcare sectors, all of which are of interest to the government of Iran, the report says.
But lately, something changed.
“In late July 2020 an actor assessed to be associated with Pioneer Kitten was identified as advertising to sell access to compromised networks on an underground forum,” says the report, while suggesting the group is trying to diversify its revenue stream. The types of organizations the actor associated with Pioneer Kitten claims to have compromised would be of significant intelligence value to the Iranian government, it says. But it suggests selling access as a sideline would be unlikely to have been approved by the Iranian government, because if the group were caught it would have “significant negative impacts on potential intelligence collection operations.”
This particular group is known to specialize in attacking vulnerable remote external services such as unpatched or poorly-secured VPN appliances and Microsoft Windows Remote Desktop Protocol (RDP) services to achieve initial access, says the report.
Among the exploits used are CVE-2019-11510 (for Pulse Secure VPNs), CVE-2019-19781 (for Citrix Application Delivery Controllers/Gateways) and, most recently, CVE-2020-5902 (for F5 BIG-IP application delivery controllers).
A common attack tool is SSH tunnelling through open-source tools such as Ngrok. The group also uses a custom tool called SSHMinion for communication with implants and hands-on-keyboard activity via RDP.
“We’re seeing more attacks on infrastructure and less on endpoints that hold data,” said Capps. “What’s interesting here is these attackers aren’t just compromising to steal data, they’re selling that access to other organizations who will use it for nefarious purposes.”
Defenders must ensure internet-accessible networking devices are patched, he said, and that access log files are monitored. Firewall rules and router access control lists should limit access to networked devices to only what’s required for the mission. So, he said, for a VPN coming inbound, other ports shouldn’t be open for services that aren’t needed.
After that, monitoring traffic in and out of the device for odd patterns of behaviour may be useful.
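The “only what’s required” rule above can be checked mechanically. The following is an added example (not code from the article or from CrowdStrike) that audits a constructed edge-firewall ruleset for a VPN appliance: the required-port set and the rule format are assumptions, and RDP is flagged because the report names it as a favoured initial-access route.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound firewall rule (assumed format): source CIDR, protocol, port, action."""
    src: str
    proto: str
    port: int
    action: str


# Assumed mission policy: an SSL/IPsec VPN gateway only needs these from the internet.
REQUIRED = {("tcp", 443), ("udp", 500), ("udp", 4500)}
# Services that should never be reachable from the internet on an edge device.
HIGH_RISK = {("tcp", 3389): "RDP", ("tcp", 22): "SSH"}


def is_internet(src: str) -> bool:
    """True when the source matches any address (0.0.0.0/0, ::/0 or the alias 'any')."""
    if src.lower() == "any":
        return True
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def audit(rules: list[Rule]) -> list[str]:
    """Return findings for allow rules that expose more than the mission requires."""
    findings = []
    for r in rules:
        if r.action != "allow" or not is_internet(r.src):
            continue  # deny rules and internal sources are out of scope here
        svc = (r.proto.lower(), r.port)
        if svc in HIGH_RISK:
            findings.append(f"{HIGH_RISK[svc]} ({svc[0]}/{svc[1]}) exposed to the internet")
        elif svc not in REQUIRED:
            findings.append(f"{svc[0]}/{svc[1]} open to the internet but not required")
    return findings


# Constructed sample ruleset for illustration.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "tcp", 443, "allow"),        # VPN portal: required
    Rule("0.0.0.0/0", "udp", 4500, "allow"),       # IPsec NAT-T: required
    Rule("any", "tcp", 3389, "allow"),             # RDP from anywhere: high risk
    Rule("0.0.0.0/0", "tcp", 8443, "allow"),       # admin UI: not on the allowlist
    Rule("10.0.0.0/8", "tcp", 22, "allow"),        # SSH from inside only: fine
    Rule("0.0.0.0/0", "tcp", 23, "deny"),          # deny rule: ignored
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print("FINDING:", line)
```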