AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
A joint Cybersecurity Advisory highlights Iran-based cyber actor ransomware activity targeting U.S. organizations. The advisory includes CVEs exploited, alongside techniques, tactics and procedures used by the threat actors.
Background
On August 28, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint Cybersecurity Advisory (CSA) in coordination with the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3). The advisory highlights the recent activities of Iranian threat actors conducting ransomware operations against US organizations across several industries, including local government, defense, finance, education and healthcare, as well as organizations in other countries including Israel, Azerbaijan and the United Arab Emirates.
The threat actors named in the advisory go by a few monikers, including Pioneer Kitten, Fox Kitten, UNC757, Parasite, RUBIDIUM and Lemon Sandstorm. These actors have been observed collaborating with ransomware groups including NoEscape, Ransomhouse and ALPHV (aka BlackCat) to extort their victims. The technical portion of the advisory describes the tactics, techniques and procedures (TTPs) the threat actors have been observed using, along with indicators of compromise (IOCs). The advisory flags six specific CVEs that the threat actors leverage in the initial access phase of their attacks:
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2024-3400 | PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect | 10 | 10 |
| CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability | 8.6 | 8.3 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and NetScaler Gateway) Directory Traversal Vulnerability | 9.8 | 9.4 |
| CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and NetScaler Gateway) Unauthenticated Remote Code Execution Vulnerability | 9.8 | 9 |
| CVE-2022-1388 | F5 BIG-IP iControl REST Remote Code Execution Vulnerability | 9.8 | 8.4 |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 10 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 28 and reflects VPR at that time.
Analysis
CVE-2024-3400 is a remote code execution vulnerability that arises from a combination of two distinct bugs in PAN-OS, specifically affecting the GlobalProtect service. The first bug concerns how the GlobalProtect service handles session IDs: the service did not sufficiently validate the format of session IDs before storing them. This oversight allowed an attacker to store an empty file with a filename of their choosing, effectively setting the stage for the exploit. The second bug is the assumption that filenames used within the system were system-generated and therefore trustworthy, which allowed the filenames injected by the attacker in the first step to be used as part of a command. By chaining these two bugs, an attacker can execute remote shell commands without any prior authentication. Earlier this year, this vulnerability was exploited in the wild as a zero-day; Palo Alto Networks Unit 42 tracked the activity at the time under the name Operation MidnightEclipse.
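To make the two-bug chain concrete, the following added example (illustrative code written for this post, not PAN-OS or Palo Alto Networks code) shows each bug's pattern beside the hardened form a defender would want: validate the session ID against a strict format before it ever becomes a filename, and never treat a name read back from disk as trusted input to a command. The 32-character hex session ID format and the `/var/sessions` cleanup command are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Assumed, illustrative format for a machine-generated session ID (32 hex chars);
# it stands in for whatever the real service expects and is not PAN-OS's format.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def is_valid_session_id(session_id: str) -> bool:
    """Accept only IDs that match the expected system-generated format."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def store_session_vulnerable(base_dir: Path, session_id: str) -> Path:
    """First bug pattern: the caller-supplied ID becomes a filename unvalidated,
    so an attacker-chosen name lands on disk as an empty file."""
    path = base_dir / f"session_{session_id}"
    path.touch()
    return path


def store_session_hardened(base_dir: Path, session_id: str) -> Path:
    """Fix: reject malformed IDs before they touch the filesystem, and confirm
    the resolved path still sits inside the session directory (defence in depth)."""
    if not is_valid_session_id(session_id):
        raise ValueError("malformed session ID rejected")
    path = (base_dir / f"session_{session_id}").resolve()
    if path.parent != base_dir.resolve():
        raise ValueError("session path escapes the session directory")
    path.touch()
    return path


def cleanup_command_vulnerable(filename: str) -> str:
    """Second bug pattern: a name read back from disk is assumed system-generated
    and spliced into a shell command string (returned here, never executed)."""
    return f"rm -f /var/sessions/{filename}"


def cleanup_hardened(base_dir: Path, filename: str) -> bool:
    """Fix: on-disk names are untrusted input too; re-validate the name and act
    with a direct filesystem call rather than a shell, so no command is built."""
    match = re.fullmatch(r"session_([0-9a-f]{32})", filename)
    if match is None:
        return False
    target = base_dir / filename
    if target.is_file():
        target.unlink()
    return True
```

The vulnerable pair shows why the two oversights matter only in combination: the first lets an unexpected name onto disk, the second turns that name into command text.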
CVE-2024-24919 is an information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the Remote Access VPN or Mobile Access Software Blades enabled. It allows an unauthenticated remote attacker to read the contents of arbitrary files located on the affected appliance, including sensitive files. One example of such an attack path is reading the ‘/etc/shadow’ file, which could yield password hashes for local accounts that an attacker could then attempt to crack. This vulnerability was also exploited in the wild as a zero-day, around the same time that security researchers published a proof-of-concept (PoC).
CVE-2019-19781 is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, formerly known as NetScaler ADC and NetScaler Gateway. It allows an attacker to send a specially crafted HTTP request that exploits the path traversal issue, enabling unauthorized access to restricted directories on the device. Through this access, the attacker can execute arbitrary code without any need for authentication, potentially resulting in remote code execution (RCE) on the affected device. This vulnerability has been widely abused by multiple threat actors over the years and has featured prominently in our 2020, 2021 and 2022 Threat Landscape Reports. It has also been covered in multiple blogs from Tenable Research and included in multiple CSAs from CISA and other government entities across the globe.
CVE-2023-3519 is a critical RCE vulnerability in Citrix ADC and Citrix Gateway that allows an unauthenticated attacker to execute arbitrary code on the vulnerable appliances. The attack can be performed over the network, making it particularly dangerous in environments where these devices are exposed to the internet. The vulnerability stems from improper handling of specific request data, leading to memory corruption that can be exploited to gain control of the system.
CVE-2022-1388 is an iControl REST RCE vulnerability in F5 BIG-IP devices stemming from an authentication bypass bug. The flaw resides in the iControl REST interface, where improper access control allows unauthenticated users to execute arbitrary system commands with root privileges. This vulnerability is particularly dangerous because it does not require user interaction or authentication, making it easy for attackers to exploit. Successful exploitation of CVE-2022-1388 can lead to complete system compromise, enabling attackers to take full control of the device, modify configurations, exfiltrate sensitive data and use the compromised device as a launching point for further attacks within the network.
CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure that allows remote attackers to execute arbitrary commands on the affected devices. This vulnerability occurs due to insufficient input validation in the administrative interface, which can be exploited by sending specially crafted HTTP requests. Successful exploitation can result in full system compromise, providing the attacker with the ability to execute commands with the highest privileges, potentially leading to data loss, system disruption or further propagation of malicious activity.
Legacy Vulnerabilities Remain a Looming Threat
An analysis of metadata performed by Tenable Research provides unique insight into two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. Our research shows that only about half of impacted assets have been successfully remediated. Legacy vulnerabilities present a significant risk, as threat actors frequently exploit unpatched vulnerabilities, particularly in SSL VPNs. This trend has been consistently highlighted by the Tenable Security Response Team (SRT) in its annual Threat Landscape Reports, as mentioned in the section on CVE-2019-19781. To mitigate these risks, it is imperative to prioritize the remediation of legacy vulnerabilities alongside newer threats, ensuring a more comprehensive and robust security posture.
Source: Tenable Research
Tens of Thousands of Internet-Facing Instances May Be Affected
It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io.
Source: Shodan.io
The results in the image above are based on query results at the time this blog was composed and were obtained using the queries in the table below:
| Technology | Detection Logic | Query Link |
|---|---|---|
| Palo Alto Networks PAN-OS | Searches for any PAN-OS instances. | Query |
| F5 BIG-IP | The presence of "BIG-IP®- Redirect" in the title likely indicates a redirection page typically used in login portals or other access control scenarios managed by a BIG-IP device. | Query |
| Citrix Application Delivery Controller (ADC) and Gateway | Searches for favicon hash values for Citrix ADC, Gateway, AAA and VPN. | Query |
| Check Point Security Gateway | Query looks for servers with "Check Point SVN Foundation". This is intrinsically linked to Check Point Security Gateway devices, especially those configured with the Remote Access VPN or Mobile Access Software Blades. | Query |
| Ivanti Connect Secure and Ivanti Policy Secure | Query looks for a CGI script named "welcome.cgi" that is used to display a logo page component on the welcome or login page used by Ivanti / Pulse Secure. | Query |

Solution
Each of the vulnerabilities described in the CSA has been public for some time, and each vendor has released the respective patches and mitigations. We recommend reviewing the vendor advisories listed below:
- Palo Alto Networks Security CVE-2024-3400 Advisory
- Check Point CVE-2024-24919 Advisory
- Citrix CVE-2019-19781 Advisory
- Citrix CVE-2023-3519 Advisory
- F5 CVE-2022-1388 Advisory
- Ivanti CVE-2024-21887 Advisory
Additionally, the CSA provides IoCs and technical details that may aid organizations in their incident response processes. We highly recommend reviewing the details outlined in the CSA. If your organization has assets that have not been patched for the CVEs listed above, it is possible that those unpatched devices have already been impacted, given the severity and frequency of attacks involving these vulnerabilities. As such, a careful review of these systems, together with your incident response processes, may be needed to determine the impact and scope of a potential compromise.
Identifying affected systems
Tenable offers several solutions to help identify potential exposures and attack paths, as well as systems vulnerable to the CVEs mentioned in the CSA. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies, including identity solutions (e.g., Active Directory), cloud configurations and deployments, and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-3400, CVE-2024-24919, CVE-2019-19781, CVE-2023-3519, CVE-2022-1388 and CVE-2024-21887. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Detection of legitimate tools used by adversaries and mentioned in the CSA:
| Tool | Detection Plugin ID |
|---|---|
| AnyDesk | Plugin ID 189953 - AnyDesk Installed (Windows) |
| AnyDesk | Plugin ID 189955 - AnyDesk Installed (macOS) |
| AnyDesk | Plugin ID 189973 - AnyDesk Installed (Linux) |
Tenable Attack Path Techniques
| MITRE ATT&CK ID | Description | Tenable Attack Path Techniques |
|---|---|---|
| T1012 | Query Registry | T1012_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
| T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
| T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows |
| T1098 | Account Manipulation: Additional Cloud Credentials/Roles | |
| T1133 | External Remote Services | |
| T1053 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
| T1219 | Remote Access Software | T1219_Windows |
| T1482 | Domain Trust Discovery | T1482_Windows |

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1078 | Dormant Accounts | C-SLEEPING-ACCOUNTS |
| T1078 | Account with Possible Empty Password | C-PASSWORD-NOT-REQUIRED |
| T1078 | User Account Using Old Password | C-USER-PASSWORD |
| T1078 | Last Change of the Microsoft Entra SSO Account Password | C-AAD-SSO-PASSWORD |
| T1078 | AdminCount Attribute Set on Standard Users | C-ADMINCOUNT-ACCOUNT-PROPS |
| T1078 | Reversible Passwords in GPO | C-REVER-PWD-GPO |
| T1078 | Potential Clear-Text Password | C-CLEARTEXT-PASSWORD |
| T1078 | User Primary Group | C-DANG-PRIMGROUPID |
| T1078 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
| T1078 | Accounts With Never Expiring Passwords | C-PASSWORD-DONT-EXPIRE |
| T1078 | Kerberos Configuration on User Account | C-KERBEROS-CONFIG-ACCOUNT |
| T1078 | Privileged Authentication Silo Configuration | C-AUTH-SILO |
| T1078 | ADCS Dangerous Misconfigurations | C-PKI-DANG-ACCESS |
| T1078 | Last Password Change on KRBTGT account | C-KRBTGT-PASSWORD |
| T1078 | Dangerous Sensitive Privileges | C-DANGEROUS-SENSITIVE-PRIVILEGES |
| T1078 | Logon Restrictions for Privileged Users | C-ADMIN-RESTRICT-AUTH |
| T1078 | Native Administrative Group Members | C-NATIVE-ADM-GROUP-MEMBERS |
| T1078 | Privileged Accounts Running Kerberos Services | C-PRIV-ACCOUNTS-SPN |
| T1078 | Application of Weak Password Policies on Users | C-PASSWORD-POLICY |
| T1078 | Detection of Password Weaknesses | C-PASSWORD-HASHES-ANALYSIS |
| T1078 | Recent Use of the Default Administrator Account | C-ADM-ACC-USAGE |
| T1078 | Domain with Unsafe Backward-Compatibility Configuration | C-DSHEURISTICS |
| T1098 | Dangerous Rights in the AD Schema | C-ABNORMAL-ENTRIES-IN-SCHEMA |
| T1098 | Mapped Certificates on Accounts | C-SENSITIVE-CERTIFICATES-ON-USER |
| T1098 | Vulnerable Credential Roaming Related Attributes | C-CREDENTIAL-ROAMING |
| T1098 | Ensure SDProp Consistency | C-SDPROP-CONSISTENCY |
| T1098 | Verify Permissions Related to Microsoft Entra Connect Accounts | C-AAD-CONNECT |
| T1098 | User Primary Group | C-DANG-PRIMGROUPID |
| T1098 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
| T1098 | Shadow Credentials | C-SHADOW-CREDENTIALS |
| T1098 | Missing MFA for Non-Privileged Account | MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT |
| T1098 | First-Party Service Principal With Credentials | FIRST-PARTY-SERVICE-PRINCIPAL-WITH-CREDENTIALS |
| T1098 | Missing MFA for Privileged Account | MISSING-MFA-FOR-PRIVILEGED-ACCOUNT |

Tenable Web App Scanning
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1190 | Exploit Public-Facing Application | T1190_WAS |

| CVE | Description | Plugin ID |
|---|---|---|
| CVE-2024-3400 | Palo Alto PAN-OS GlobalProtect Remote Code Execution | 114282 |
| CVE-2024-24919 | Check Point Quantum Gateway Directory Traversal | 114291 |
| CVE-2024-21887 | Ivanti Connect Secure 9.x / 22.x Authentication Bypass | 114165 |

Get more information
- Joint Cybersecurity Advisory: AA24-241A: Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
- Tenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
- Tenable Blog: CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild
- Tenable Blog: CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available
- Tenable Blog: CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available
- Tenable Blog: CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
- Tenable Blog: CVE-2022-1388: Authentication Bypass in F5 BIG-IP
- Tenable Blog: CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CISA's 2022 Top Routinely Exploited Vulnerabilities (AA23-215A)
- Tenable’s 2020 Threat Landscape Retrospective
- Tenable’s 2021 Threat Landscape Retrospective
- Tenable’s 2022 Threat Landscape Report
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.