Iranian Hackers Reportedly Selling Network Access to Others
CrowdStrike: 'Pioneer Kitten' Sells Access to Vulnerable VPN Servers
A hacking group with links to Iran's government has been selling access to vulnerable VPN servers on underground forums, according to CrowdStrike.
"Pioneer Kitten," which has been in operation since 2017, has targeted numerous organizations and government agencies in the U.S., the Middle East and Israel, according to a new CrowdStrike report.
Members of the hacking group have recently started selling access to vulnerable corporate and government networks on various underground sites in an effort to generate cash for the hackers, the report states.
"In late July 2020, an actor assessed to be associated with Pioneer Kitten was identified as advertising to sell access to compromised networks on an underground forum," according to the report. "That activity is suggestive of a potential attempt at revenue stream diversification on the part of Pioneer Kitten, alongside its targeted intrusions in support of the Iranian government."
The CrowdStrike analysis notes that it's not clear if this sale of network access is sanctioned by the Iranian government, because it might interfere with long-term espionage campaigns. Pioneer Kitten, which is also referred to as Fox Kitten and Parisite, has been known to target defense, healthcare and technology companies as well as government agencies, according to the report.
The Pioneer Kitten hackers establish their initial access by exploiting several well-known vulnerabilities in VPN servers, CrowdStrike says (see: CISA Warns Patched Pulse Secure VPNs Still Vulnerable).
These exploited vulnerabilities include:
- CVE-2019-11510: A file-reading vulnerability found in unpatched Pulse Secure Connect enterprise VPN servers. In February, researchers from security firm ClearSky warned that at least three advanced persistent threat groups with ties to Iran have been targeting these VPN servers for several months (see: Unpatched VPN Servers Hit by Apparent Iranian APT Groups).
- CVE-2019-19781: An arbitrary code execution vulnerability found in Citrix Gateway and Citrix SD-WAN WANOP appliances. In December 2019, researchers at security firm Positive Technologies released a report stating that this bug could affect some 80,000 companies in 158 countries (see: Citrix Vulnerability Could Affect 80,000 Companies: Report).
- CVE-2020-5902: A remote code execution vulnerability in F5's BIG-IP networking products. In July, the U.S. Cybersecurity and Infrastructure Security Agency published an alert warning that threat actors are exploiting this vulnerability to exfiltrate data, access networks, carry out commands, create or delete files and disable services (see: CISA: Attackers Are Exploiting F5 BIG-IP Vulnerability).
After successfully breaching the VPN servers, the Pioneer Kitten hackers use tactics such as SSH tunneling to link their own infrastructure to the targeted networks and then reach internal hosts through Microsoft's Remote Desktop Protocol, according to the CrowdStrike report.
In addition, the hackers use open-source tools, such as Ngrok, as well as custom malware, such as SSHMinion, to maintain persistence and carry out commands through the RDP connection, the report states.
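The two tradecraft elements just described, RDP sessions carried over an SSH tunnel and ngrok used as a relay, both leave traces a defender can look for: an RDP logon whose source address is the loopback interface (the connection arrived through a local port-forward rather than from a workstation), and DNS lookups for the ngrok relay service. The following is an added detection example written for this page; it is not code from the article or from CrowdStrike's report. The log lines are constructed, the key=value field names are an assumption of this example, and the ngrok hostname list is a placeholder to be replaced with your own threat intelligence.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry): Windows logon records and
# DNS records flattened to one "key=value" line each.
SAMPLE_EVENTS = [
    "2020-08-01T10:02:11Z host=FS01 event=4624 logon_type=10 user=svc_backup src_ip=10.20.4.17",
    "2020-08-01T10:05:43Z host=FS01 event=4624 logon_type=10 user=admin src_ip=127.0.0.1",
    "2020-08-01T10:06:02Z host=DC01 event=4624 logon_type=10 user=jdoe src_ip=::1",
    "2020-08-01T10:07:30Z host=WS22 dns query=tunnel.us.ngrok.io rcode=NOERROR",
    "2020-08-01T10:08:00Z host=WS22 dns query=update.microsoft.com rcode=NOERROR",
    "2020-08-01T10:09:15Z host=FS01 event=4624 logon_type=3 user=svc_backup src_ip=127.0.0.1",
]

LOOPBACK = {"127.0.0.1", "::1"}
# Placeholder list of ngrok relay domains (assumption); extend from your own intel.
NGROK_DOMAINS = ("ngrok.io", "ngrok.com")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def detect_tunneled_rdp(ev):
    """Event 4624 with logon type 10 (RemoteInteractive, i.e. RDP) from a loopback
    source means the session came in through a local port-forward such as an SSH
    tunnel, not directly from a client machine."""
    if (ev.get("event") == "4624"
            and ev.get("logon_type") == "10"
            and ev.get("src_ip") in LOOPBACK):
        return Finding(ev["ts"], ev["host"], "rdp_via_loopback",
                       f"user={ev.get('user')} src_ip={ev['src_ip']}")
    return None


def detect_ngrok_dns(ev):
    """Flag DNS queries for the ngrok relay domains or any of their subdomains."""
    q = ev.get("query", "").lower()
    if q and any(q == d or q.endswith("." + d) for d in NGROK_DOMAINS):
        return Finding(ev["ts"], ev["host"], "ngrok_dns_lookup", f"query={q}")
    return None


DETECTORS = (detect_tunneled_rdp, detect_ngrok_dns)


def scan(lines):
    """Run every detector over every line and collect the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for detector in DETECTORS:
            finding = detector(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
```

On the constructed input the scan reports the two loopback RDP logons and the ngrok lookup, and ignores the loopback logon with type 3, because a network logon from 127.0.0.1 is common for local services and would only generate noise. In practice the loopback rule should be run against all RDP hosts, since a tunneled session can terminate on any machine the SSH endpoint can reach.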
"Pioneer Kitten tradecraft is characterized by a pronounced reliance on exploits of remote external services on internet-facing assets to achieve initial access to victims, as well as an almost total reliance on open-source tooling during operations," according to the report.
In a February report published by ClearSky, researchers noted that Pioneer Kitten has previously worked with other Iranian-linked groups, such as OilRig and Shamoon, to provide them with access to vulnerable networks.