TTCSIRT-360.09.15.20: TT-CSIRT ADVISORY – Iran-Based Threat Actor Exploits VPN Vulnerabilities
An analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names Pioneer Kitten and UNC757.
This Iran-based threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) affecting Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 products to gain initial access to targeted networks, and then maintaining access within the successfully exploited networks for several months using multiple means of persistence.
The Iran-based malicious cyber actor has been found targeting several industries, mainly those associated with the information technology, government, healthcare, financial, insurance, and media sectors.
For further information and support, please visit the following link:
https://us-cert.cisa.gov/ncas/alerts/aa20-259a
If you have any queries or comments with regard to this advisory, please feel free to contact TTCSIRT via contacts@ttcsirt.gov.tt.