This threat report is about a threat actor associated with the Iranian nation state using multiple vulnerabilities in common products to install web shells. This is part of a concerted effort to attack the VPN and remote work infrastructure of US organizations. The three platforms being targeted are F5 load balancers, Juniper Pulse Secure, and Citrix.
Tactics, Techniques, and Procedures
About CVE-2019-19781: The weakness stems from the affected Citrix products' improper handling of specially crafted web requests, which can lead to remote code execution or directory traversal. Successful exploitation of this vulnerability may give a bad actor access to internal network resources. Vulnerabilities like this are often used by bad actors to gain initial access to the network before using other methods to move laterally in the environment.
Related Reading: Citrix CVE-2019-19781: The Facts
About CVE-2020-5902: This is a vulnerability in the F5 BIG-IP TMUI (Traffic Management User Interface), a key configuration utility within the system. The vulnerability can be exploited by both authenticated and unauthenticated attackers with network access to the management port. The attacker can execute system commands and modify the system in myriad ways, which may result in a total compromise of the BIG-IP. Systems in appliance mode are also affected by this vulnerability.
Related Reading: F5 BIG-IP Vulnerability May Allow Total Compromise
About CVE-2019-11539: This vulnerability allows an authenticated attacker to utilize the administrative interface to perform command injection. Successful exploitation may allow the attacker to modify the system or install malicious software.
The affected products are as follows:
- Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1.
- Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1.
About CVE-2019-11510: This vulnerability allows an unauthenticated attacker to send a specially crafted URI (Uniform Resource Identifier) request to a vulnerable system. The crafted request gives bad actors the ability to pull usernames and passwords in plaintext from a vulnerable endpoint.
The affected software versions are listed as follows: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
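The affected-version lists for the two Pulse Secure CVEs above are easy to misread when checking an appliance inventory by hand, because each train (9.0RX, 8.3RX, ...) has its own first fixed release. The following added example is not from the report or from Pulse Secure: it parses version strings of the form major.minorRrelease.patch (an assumption about the string shape, e.g. 9.0R3.4), keeps the fixed versions exactly as the text above lists them, and reports for each CVE whether an installed version is affected, fixed, or in a product/train the advisory text does not list at all (which should be reviewed manually rather than treated as safe). The inventory rows at the bottom are constructed.

```python
import re
from typing import Dict, Tuple

# First fixed release in each train, copied from the advisory text above.
# Anything in the same train below one of these is affected.
FIXED_VERSIONS = {
    "CVE-2019-11539": {
        "Pulse Connect Secure": ["9.0R3.4", "8.3R7.1", "8.2R12.1", "8.1R15.1"],
        "Pulse Policy Secure": ["9.0R3.2", "5.4R7.1", "5.3R12.1", "5.2R12.1", "5.1R15.1"],
    },
    "CVE-2019-11510": {
        "Pulse Connect Secure": ["8.2R12.1", "8.3R7.1", "9.0R3.4"],
    },
}

# Assumed version string shape: <major>.<minor>R<release>[.<patch>], e.g. 9.0R3.4
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '9.0R3.4' into (9, 0, 3, 4); a missing patch component counts as 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Pulse Secure version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def status_for(product: str, version: str, cve: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one product/version/CVE."""
    fixed_for_product = FIXED_VERSIONS[cve].get(product)
    if fixed_for_product is None:
        return "not listed"  # the advisory text names no fix for this product
    installed = parse_version(version)
    for fixed in fixed_for_product:
        fixed_version = parse_version(fixed)
        if installed[:2] == fixed_version[:2]:  # same train, e.g. 9.0RX
            return "affected" if installed < fixed_version else "fixed"
    # Train not covered by the advisory text (e.g. an end-of-life release):
    # report it rather than silently calling it safe.
    return "not listed"


def check_appliance(product: str, version: str) -> Dict[str, str]:
    """Status for every CVE in the table, e.g. one row of an asset inventory."""
    return {cve: status_for(product, version, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    inventory = [
        ("vpn-01", "Pulse Connect Secure", "9.0R3.3"),
        ("vpn-02", "Pulse Connect Secure", "9.0R3.4"),
        ("nac-01", "Pulse Policy Secure", "5.4R6"),
    ]
    for host, product, version in inventory:
        print(host, product, version, check_appliance(product, version))
```

A "not listed" result means the advisory text simply has nothing to say about that product or train; treat it as a gap to close with the vendor advisory linked further down, not as a clean bill of health.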
The threat actor uses the vulnerabilities listed above to gain initial access to the network. Once one of those vulnerabilities has been successfully exploited, the bad actor deploys one of three web shells: ChunkyTuna, Tiny, or China Chopper. The web shells allow the operator to perform command execution, directory enumeration, retrieval and execution of new payloads, and data exfiltration.
There is also a modified version of the China Chopper web shell that listens for any new inbound HTTP requests from the bad actor.
Other tools were used for maintaining persistence and performing lateral movement. The first is FRP, an open source tool that allows a user to tunnel RDP (Remote Desktop Protocol) connections. The other is KeeThief, an open source tool that allows the bad actor to decrypt credentials stored in the popular password manager KeePass. The decrypted credentials can then be used, in conjunction with FRP, to move laterally around the network.
Related Reading: NOTROBIN Malware Exploiting Citrix CVE-2019-19781
What This Means to You
- May result in the successful compromise of key infrastructure pieces.
- May lead to the successful compromise of sensitive user accounts on the network.
- Could allow for the exfiltration of sensitive information or trade secrets.
What You Can Do About Iranian Web Shell Attacks
It is highly encouraged that you implement the patches linked below and add the indicators of compromise to your blocklist.
- Patch Link for CVE-2019-11510 and CVE-2019-11539: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- CVE-2020-5902 Patch: https://support.f5.com/csp/article/K52145254
- Citrix Links:
  - Citrix Gateway Patches: https://www.citrix.com/downloads/citrix-gateway/
  - Original Citrix Post: https://support.citrix.com/article/CTX267027
  - Mitigation Commands: https://support.citrix.com/article/CTX267679
Other Useful Information
- Blocklist: https://us-cert.cisa.gov/sites/default/files/publications/MAR-10297887-1.v1.stix.xml
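The blocklist linked above is published as a STIX 1.x XML package, which is awkward to load into a blocklist or a log-matching job without first flattening it. The following added example is not from the report or from CISA: it walks such a package and collects file hashes, address values and file names by element name, then checks observed values against them. The element names it looks for (Hash, Type, Simple_Hash_Value, Address_Value, File_Name) and the "##comma##" list delimiter are assumptions about the STIX 1.x/CybOX schema, matched on local name so the exact namespace prefixes in the file do not matter. The embedded package is a constructed sample with placeholder hashes, documentation-range IP addresses and a made-up file name; none of it is an indicator from the MAR.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample shaped like a STIX 1.x / CybOX 2 package. Element names are an
# assumption about that schema; the values are placeholders, not indicators from the MAR.
SAMPLE_STIX = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <indicator:Indicator id="example:indicator-1">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:File_Name>placeholder_webshell.aspx</FileObj:File_Name>
          <FileObj:Hashes>
            <cyboxCommon:Hash>
              <cyboxCommon:Type>SHA256</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
            <cyboxCommon:Hash>
              <cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>00112233445566778899aabbccddeeff</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash>
          </FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-2">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>192.0.2.10##comma##192.0.2.11</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </indicator:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

CYBOX_LIST_DELIMITER = "##comma##"  # assumed CybOX convention for several values in one element


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_indicators(xml_text: str) -> Dict[str, List[str]]:
    """Walk every element and collect hashes, addresses and file names by local name."""
    root = ET.fromstring(xml_text)
    found: Dict[str, List[str]] = {"sha256": [], "sha1": [], "md5": [], "address": [], "filename": []}
    for element in root.iter():
        name = _local(element.tag)
        if name == "Hash":
            hash_type = hash_value = ""
            for child in element:
                if _local(child.tag) == "Type":
                    hash_type = (child.text or "").strip().lower()
                elif _local(child.tag) == "Simple_Hash_Value":
                    hash_value = (child.text or "").strip().lower()
            if hash_type in found and hash_value:
                found[hash_type].append(hash_value)
        elif name == "Address_Value":
            # Address objects may carry IPv4, IPv6 or domains; the category attribute
            # on the parent is not inspected here, so they all land in "address".
            for value in (element.text or "").split(CYBOX_LIST_DELIMITER):
                if value.strip():
                    found["address"].append(value.strip())
        elif name == "File_Name" and element.text and element.text.strip():
            found["filename"].append(element.text.strip())
    return found


def extract_from_file(path: str) -> Dict[str, List[str]]:
    """Load a STIX 1.x package from disk, e.g. the downloaded MAR blocklist."""
    with open(path, "r", encoding="utf-8") as handle:
        return extract_indicators(handle.read())


def matches(indicators: Dict[str, List[str]], *, sha256: Optional[str] = None,
            md5: Optional[str] = None, address: Optional[str] = None) -> List[str]:
    """Return the indicator types an observed value hits; an empty list means no match."""
    hits = []
    if sha256 and sha256.strip().lower() in indicators["sha256"]:
        hits.append("sha256")
    if md5 and md5.strip().lower() in indicators["md5"]:
        hits.append("md5")
    if address and address.strip() in indicators["address"]:
        hits.append("address")
    return hits


if __name__ == "__main__":
    loaded = extract_indicators(SAMPLE_STIX)
    for kind, values in loaded.items():
        for value in values:
            print(f"{kind},{value}")  # one flat line per indicator for a blocklist import
```

The flat kind,value lines are what most proxy and EDR blocklist imports want; the matches() helper is the same lookup applied to a file hash or source address seen in logs.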
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.