AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
A joint Cybersecurity Advisory highlights Iran-based cyber actor ransomware activity targeting U.S. organizations. The advisory includes CVEs exploited, alongside techniques, tactics and procedures used by the threat actors.
Background
On August 28, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint Cybersecurity advisory (CSA) in coordination with The Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3). The advisory highlights the recent activities of Iranian threat actors conducting ransomware operations against US organizations across several industries including local government, defense, finance, education and healthcare as well as other countries including Israel, Azerbaijan and the United Arab Emirates.
The threat actors named in the advisory go by a few monikers including Pioneer Kitten, Fox Kitten, UNC757, Parasite, RUBIDIUM and Lemon Sandstorm. These actors have been observed to be collaborating with ransomware groups including NoEscape, Ransomhouse and ALPHV (aka BlackCat) to extort their victims. The technical aspects of the advisory highlight what techniques, tactics and procedures (TTPs) the threat actors have been observed using, including indicators of compromise (IOCs). The advisory flags six specific CVEs that are leveraged by the threat actors in the initial access phase of their attacks:
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2024-3400 | PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect | 10 | 10 |
CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability | 8.6 | 8.3 |
CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Directory Traversal Vulnerability | 9.8 | 9.4 |
CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated Remote Code Execution Vulnerability | 9.8 | 9 |
CVE-2022-1388 | F5 BIG-IP iControl REST Remote Code Execution Vulnerability | 9.8 | 8.4 |
CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 10 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 28 and reflects VPR at that time.
Analysis
CVE-2024-3400 is a remote code execution vulnerability that arises from a combination of two distinct bugs in PAN-OS, specifically affecting the GlobalProtect service. The first bug is related to how the GlobalProtect service handles session IDs. The service did not sufficiently validate the format of session IDs before storing them. This oversight allowed an attacker to store an empty file with a filename of their choosing, effectively setting the stage for the exploit. The second bug involves the assumption that filenames used within the system were system-generated and therefore trustworthy. This bug enabled the filenames, which were injected by the attacker in the first step, to be used as part of a command. An attacker can exploit these two bugs to execute remote shell commands without any prior authentication. Earlier this year, this vulnerability was exploited in-the-wild as a zero-day vulnerability and was tracked at the time by Palo Alto Networks Unit 42, calling the activity Operation MidnightEclipse.
CVE-2024-24919 is an information disclosure vulnerability affecting CheckPoint Security Gateway devices configured with either the remote Access VPN or Mobile Access Software Blades enabled. This vulnerability allows an unauthenticated remote attacker to read the contents of arbitrary files located on the affected appliance. This could allow an attacker to read sensitive files. An example of one such attack path is accessing the ‘/etc/shadow’ file, which could result in the extraction of password hashes for local accounts that could potentially be decrypted. This vulnerability was also exploited in-the-wild as a zero-day, around the same time security researchers also published a proof-of-concept (PoC).
CVE-2019-19781 is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, formerly known as NetScaler ADC and Netscaler Gateway. This vulnerability allows an attacker to send a specially crafted HTTP request that exploits the path traversal issue, enabling unauthorized access to restricted directories on the device. Through this access, the attacker can execute arbitrary code without any need for authentication, potentially resulting in remote code execution (RCE) on the affected device. This vulnerability has been widely abused by multiple threat actors over the years and has been featured prominently in our 2020, 2021 and 2022 Threat Landscape Reports. Additionally, it has been featured in multiple blogs from Tenable Research and has been included in multiple CSA’s from CISA and other government entities across the globe.
CVE-2023-3519 is a critical RCE vulnerability in Citrix ADC and Citrix Gateway that allows an unauthenticated attacker to execute arbitrary code on the vulnerable appliances. The attack can be performed over the network, making it particularly dangerous in environments where these devices are exposed to the internet. The vulnerability stems from improper handling of specific request data, leading to memory corruption that can be exploited to gain control of the system.
CVE-2022-1388 is an iControl REST RCE vulnerability in F5 BIG-IP devices stemming from an authentication bypass bug. The flaw resides in the iControl REST interface, where improper access control allows unauthenticated users to execute arbitrary system commands with root privileges. This vulnerability is particularly dangerous because it does not require user interaction or authentication, making it easy for attackers to exploit. Successful exploitation of CVE-2022-1388 can lead to complete system compromise, enabling attackers to take full control of the device, modify configurations, exfiltrate sensitive data and use the compromised device as a launching point for further attacks within the network.
CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure that allows remote attackers to execute arbitrary commands on the affected devices. This vulnerability occurs due to insufficient input validation in the administrative interface, which can be exploited by sending specially crafted HTTP requests. Successful exploitation can result in full system compromise, providing the attacker with the ability to execute commands with the highest privileges, potentially leading to data loss, system disruption or further propagation of malicious activity.
Legacy Vulnerabilities Remain a Looming Threat
An analysis of metadata performed by Tenable Research provides us with unique insight to two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. From our research only about half of impacted assets have been successfully remediated. Legacy vulnerabilities present a significant risk, as threat actors frequently exploit unpatched vulnerabilities, particularly in SSL VPNs. This trend has been consistently highlighted by the Tenable Security Response Team (SRT) in their annual Threat Landscape Reports as mentioned in the section for CVE-2019-19781. To mitigate these risks, it is imperative to prioritize the remediation of legacy vulnerabilities alongside newer threats, ensuring a more comprehensive and robust security posture.
Source: Tenable Research
Ten of Thousands of Internet Facing Instances May Be Affected
It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io.
Source: Shodan.io
The results in the image above are based query results at the time this blog was composed and were obtained using the queries in the table below:
Technology | Detection Logic | Query Link |
---|---|---|
Palo Alto Networks PAN-OS | Searches for any PAN-OS instances. | Query |
F5 BIG-IP | The presence of "BIG-IP®- Redirect" in the title likely indicates a redirection page typically used in login portals or other access control scenarios managed by a BIG-IP device. | Query |
Citrix Application Delivery Controller (ADC) and Gateway | Searches for favicon hash values for Citrix ADC, Gateway, AAA and VPN. | Query |
Check Point Security Gateway | Query looks for servers with "Check Point SVN Foundation". This is intrinsically linked to Check Point Security Gateway devices, especially those configured with the Remote Access VPN or Mobile Access Software Blades. | Query |
Ivanti Connect Secure and Ivanti Policy Secure | Query looks for a CGI script named "welcome.cgi" that is used to display a logo page component on the welcome or login page used by Ivanti / Pulse Secure. | Query |
Solution
Each of the vulnerabilities described in the CSA have been around for a period of time and each of the vendors have released the respective patches and mitigations. We recommend reviewing each of the vendors advisories shown below:
- Palo Alto Networks Security CVE-2024-3400 Advisory
- Check Point 2024-2024-24919 Advisory
- Citrix CVE-2019-19781 Advisory
- Citrix CVE-2023-3519 Advisory
- F5 CVE-2022-1388 Advisory
- Ivanti CVE-2024-21887 Advisory
Additionally, the CSA provides IoCs and technical details that may aid organizations in their incident response processes. We highly recommend reviewing the details outlined in the CSA. If your organization has assets that have not been patched for the CVE’s listed above, it’s possible that unpatched devices have been impacted due to the severity and frequency of attacks involving these vulnerabilities. As such, careful review of these systems and incident response processes may be needed to determine impact and scope of a potential compromise of unpatched systems.
Identifying affected systems
Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in the CSA. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page’s for CVE-2024-3400, CVE-2024-24919, CVE-2019-19781, CVE-2023-3519, CVE-2022-1388 and CVE-2024-21887. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Detection of legitimate tools used by adversaries and mentioned in the CSA:
Tool | Detection Plugin ID |
---|---|
AnyDesk | Plugin ID 189953 - AnyDesk Installed (Windows) |
Tenable Attack Path Techniques
MITRE ATT&CK ID | Description | Tenable Attack Path Techniques |
---|---|---|
T1012 | Query Registry | T1012_Windows |
T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows |
T1098 | Account Manipulation: Additional Cloud Credentials/Roles | |
T1133 | External Remote Services | |
T1053 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
T1219 | Remote Access Software | T1219_Windows |
T1482 | Domain Trust Discovery | T1482_Windows |
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
MITRE ATT&CK ID | Description | Indicators |
---|---|---|
T1078 | Dormant Accounts | C-SLEEPING-ACCOUNTS |
T1078 | Account with Possible Empty Password | C-PASSWORD-NOT-REQUIRED |
T1078 | User Account Using Old Password | C-USER-PASSWORD |
T1078 | Last Change of the Microsoft Entra SSO Account Password | C-AAD-SSO-PASSWORD |
T1078 | AdminCount Attribute Set on Standard Users | C-ADMINCOUNT-ACCOUNT-PROPS |
T1078 | Reversible Passwords in GPO | C-REVER-PWD-GPO |
T1078 | Potential Clear-Text Password | C-CLEARTEXT-PASSWORD |
T1078 | User Primary Group | C-DANG-PRIMGROUPID |
T1078 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
T1078 | Accounts With Never Expiring Passwords | C-PASSWORD-DONT-EXPIRE |
T1078 | Kerberos Configuration on User Account | C-KERBEROS-CONFIG-ACCOUNT |
T1078 | Privileged Authentication Silo Configuration | C-AUTH-SILO |
T1078 | ADCS Dangerous Misconfigurations | C-PKI-DANG-ACCESS |
T1078 | Last Password Change on KRBTGT account | C-KRBTGT-PASSWORD |
T1078 | Dangerous Sensitive Privileges | C-DANGEROUS-SENSITIVE-PRIVILEGES |
T1078 | Logon Restrictions for Privileged Users | C-ADMIN-RESTRICT-AUTH |
T1078 | Native Administrative Group Members | C-NATIVE-ADM-GROUP-MEMBERS |
T1078 | Privileged Accounts Running Kerberos Services | C-PRIV-ACCOUNTS-SPN |
T1078 | Application of Weak Password Policies on Users | C-PASSWORD-POLICY |
T1078 | Detection of Password Weaknesses | C-PASSWORD-HASHES-ANALYSIS |
T1078 | Recent Use of the Default Administrator Account | C-ADM-ACC-USAGE |
T1078 | Domain with Unsafe Backward-Compatibility Configuration | C-DSHEURISTICS |
T1098 | Dangerous Rights in the AD Schema | C-ABNORMAL-ENTRIES-IN-SCHEMA |
T1098 | Mapped Certificates on Accounts | C-SENSITIVE-CERTIFICATES-ON-USER |
T1098 | Vulnerable Credential Roaming Related Attributes | C-CREDENTIAL-ROAMING |
T1098 | Ensure SDProp Consistency | C-SDPROP-CONSISTENCY |
T1098 | Verify Permissions Related to Microsoft Entra Connect Accounts | C-AAD-CONNECT |
T1098 | User Primary Group | C-DANG-PRIMGROUPID |
T1098 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
T1098 | Shadow Credentials | C-SHADOW-CREDENTIALS |
T1098 | Missing MFA for Non-Privileged Account | MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT |
T1098 | First-Party Service Principal With Credentials | FIRST-PARTY-SERVICE-PRINCIPAL-WITH-CREDENTIALS |
T1098 | Missing MFA for Privileged Account | MISSING-MFA-FOR-PRIVILEGED-ACCOUNT |
Tenable Web App Scanning
MITRE ATT&CK ID | Description | Indicators |
---|---|---|
T1190 | Exploit Public-Facing Application | T1190_WAS |
CVE | Description | Plugin ID |
---|---|---|
CVE-2024-3400 | Palo Alto PAN-OS GlobalProtect Remote Code Execution | 114282 |
CVE-2024-24919 | Check Point Quantum Gateway Directory Traversal | 114291 |
CVE-2024-21887 | Ivanti Connect Secure 9.x / 22.x Authentication Bypass | 114165 |
Get more information
- Joint Cybersecurity Advisory: AA24-241A: Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
- Tenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
- Tenable Blog: CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild
- Tenable Blog: CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available
- Tenable Blog: CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available
- Tenable Blog: CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
- Tenable Blog: CVE-2022-1388: Authentication Bypass in F5 BIG-IP
- Tenable Blog: CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CISAs 2022 Top Routinely Exploited Vulnerabilities (AA23-215A)
- Tenable’s 2020 Threat Landscape Retrospective
- Tenable’s 2021 Threat Landscape Retrospective
- Tenable’s 2022 Threat Landscape Report
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
- Exposure Management
- Vulnerability Management
- Exposure Management