Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations

Tenable Blog Header Research Advisory

A joint Cybersecurity Advisory highlights Iran-based cyber actor ransomware activity targeting U.S. organizations. The advisory includes CVEs exploited, alongside techniques, tactics and procedures used by the threat actors.

Background

On August 28, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint Cybersecurity advisory (CSA) in coordination with The Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3). The advisory highlights the recent activities of Iranian threat actors conducting ransomware operations against US organizations across several industries including local government, defense, finance, education and healthcare as well as other countries including Israel, Azerbaijan and the United Arab Emirates.

The threat actors named in the advisory go by a few monikers including Pioneer Kitten, Fox Kitten, UNC757, Parasite, RUBIDIUM and Lemon Sandstorm. These actors have been observed to be collaborating with ransomware groups including NoEscape, Ransomhouse and ALPHV (aka BlackCat) to extort their victims. The technical aspects of the advisory highlight what techniques, tactics and procedures (TTPs) the threat actors have been observed using, including indicators of compromise (IOCs). The advisory flags six specific CVEs that are leveraged by the threat actors in the initial access phase of their attacks:

CVEDescriptionCVSSv3VPR
CVE-2024-3400PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect1010
CVE-2024-24919Check Point Security Gateway Information Disclosure Vulnerability8.68.3
CVE-2019-19781Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Directory Traversal Vulnerability9.89.4
CVE-2023-3519Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated Remote Code Execution Vulnerability9.89
CVE-2022-1388F5 BIG-IP iControl REST Remote Code Execution Vulnerability9.88.4
CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability9.110

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 28 and reflects VPR at that time.

Analysis

CVE-2024-3400 is a remote code execution vulnerability that arises from a combination of two distinct bugs in PAN-OS, specifically affecting the GlobalProtect service. The first bug is related to how the GlobalProtect service handles session IDs. The service did not sufficiently validate the format of session IDs before storing them. This oversight allowed an attacker to store an empty file with a filename of their choosing, effectively setting the stage for the exploit. The second bug involves the assumption that filenames used within the system were system-generated and therefore trustworthy. This bug enabled the filenames, which were injected by the attacker in the first step, to be used as part of a command. An attacker can exploit these two bugs to execute remote shell commands without any prior authentication. Earlier this year, this vulnerability was exploited in-the-wild as a zero-day vulnerability and was tracked at the time by Palo Alto Networks Unit 42, calling the activity Operation MidnightEclipse.

CVE-2024-24919 is an information disclosure vulnerability affecting CheckPoint Security Gateway devices configured with either the remote Access VPN or Mobile Access Software Blades enabled. This vulnerability allows an unauthenticated remote attacker to read the contents of arbitrary files located on the affected appliance. This could allow an attacker to read sensitive files. An example of one such attack path is accessing the ‘/etc/shadow’ file, which could result in the extraction of password hashes for local accounts that could potentially be decrypted. This vulnerability was also exploited in-the-wild as a zero-day, around the same time security researchers also published a proof-of-concept (PoC).

CVE-2019-19781 is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, formerly known as NetScaler ADC and Netscaler Gateway. This vulnerability allows an attacker to send a specially crafted HTTP request that exploits the path traversal issue, enabling unauthorized access to restricted directories on the device. Through this access, the attacker can execute arbitrary code without any need for authentication, potentially resulting in remote code execution (RCE) on the affected device. This vulnerability has been widely abused by multiple threat actors over the years and has been featured prominently in our 2020, 2021 and 2022 Threat Landscape Reports. Additionally, it has been featured in multiple blogs from Tenable Research and has been included in multiple CSA’s from CISA and other government entities across the globe.

CVE-2023-3519 is a critical RCE vulnerability in Citrix ADC and Citrix Gateway that allows an unauthenticated attacker to execute arbitrary code on the vulnerable appliances. The attack can be performed over the network, making it particularly dangerous in environments where these devices are exposed to the internet. The vulnerability stems from improper handling of specific request data, leading to memory corruption that can be exploited to gain control of the system.

CVE-2022-1388 is an iControl REST RCE vulnerability in F5 BIG-IP devices stemming from an authentication bypass bug. The flaw resides in the iControl REST interface, where improper access control allows unauthenticated users to execute arbitrary system commands with root privileges. This vulnerability is particularly dangerous because it does not require user interaction or authentication, making it easy for attackers to exploit. Successful exploitation of CVE-2022-1388 can lead to complete system compromise, enabling attackers to take full control of the device, modify configurations, exfiltrate sensitive data and use the compromised device as a launching point for further attacks within the network.

CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure that allows remote attackers to execute arbitrary commands on the affected devices. This vulnerability occurs due to insufficient input validation in the administrative interface, which can be exploited by sending specially crafted HTTP requests. Successful exploitation can result in full system compromise, providing the attacker with the ability to execute commands with the highest privileges, potentially leading to data loss, system disruption or further propagation of malicious activity.

Legacy Vulnerabilities Remain a Looming Threat

An analysis of metadata performed by Tenable Research provides us with unique insight to two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. From our research only about half of impacted assets have been successfully remediated. Legacy vulnerabilities present a significant risk, as threat actors frequently exploit unpatched vulnerabilities, particularly in SSL VPNs. This trend has been consistently highlighted by the Tenable Security Response Team (SRT) in their annual Threat Landscape Reports as mentioned in the section for CVE-2019-19781. To mitigate these risks, it is imperative to prioritize the remediation of legacy vulnerabilities alongside newer threats, ensuring a more comprehensive and robust security posture.

Source: Tenable Research

Ten of Thousands of Internet Facing Instances May Be Affected

It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io.

Source: Shodan.io

The results in the image above are based query results at the time this blog was composed and were obtained using the queries in the table below:

TechnologyDetection LogicQuery Link
Palo Alto Networks PAN-OSSearches for any PAN-OS instances.Query
F5 BIG-IPThe presence of "BIG-IP®- Redirect" in the title likely indicates a redirection page typically used in login portals or other access control scenarios managed by a BIG-IP device.Query
Citrix Application Delivery Controller (ADC) and GatewaySearches for favicon hash values for Citrix ADC, Gateway, AAA and VPN.Query
Check Point Security GatewayQuery looks for servers with "Check Point SVN Foundation". This is intrinsically linked to Check Point Security Gateway devices, especially those configured with the Remote Access VPN or Mobile Access Software Blades.Query
Ivanti Connect Secure and Ivanti Policy SecureQuery looks for a CGI script named "welcome.cgi" that is used to display a logo page component on the welcome or login page used by Ivanti / Pulse Secure.Query

Solution

Each of the vulnerabilities described in the CSA have been around for a period of time and each of the vendors have released the respective patches and mitigations. We recommend reviewing each of the vendors advisories shown below:

Additionally, the CSA provides IoCs and technical details that may aid organizations in their incident response processes. We highly recommend reviewing the details outlined in the CSA. If your organization has assets that have not been patched for the CVE’s listed above, it’s possible that unpatched devices have been impacted due to the severity and frequency of attacks involving these vulnerabilities. As such, careful review of these systems and incident response processes may be needed to determine impact and scope of a potential compromise of unpatched systems.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in the CSA. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable Plugin Coverage

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page’s for CVE-2024-3400, CVE-2024-24919, CVE-2019-19781, CVE-2023-3519, CVE-2022-1388 and CVE-2024-21887. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Detection of legitimate tools used by adversaries and mentioned in the CSA:

Tenable Attack Path Techniques

MITRE ATT&CK IDDescriptionTenable Attack Path Techniques
T1012Query RegistryT1012_Windows
T1059.001Command and Scripting Interpreter: PowerShellT1059.001_Windows
T1078.002Valid Accounts: Domain AccountsT1078.002_Windows
T1078.003Valid Accounts: Local AccountsT1078.003_Windows
T1098Account Manipulation: Additional Cloud Credentials/Roles

T1098.001_AWS

T1098.001_Azure

T1098.003_AWS

T1098.003_Azure

T1133External Remote Services

T1133_AWS

T1133_Azure

T1133_Windows

T1053Scheduled Task/Job: Scheduled TaskT1053.005_Windows
T1219Remote Access SoftwareT1219_Windows
T1482Domain Trust DiscoveryT1482_Windows

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

MITRE ATT&CK IDDescriptionIndicators
T1078Dormant AccountsC-SLEEPING-ACCOUNTS
T1078Account with Possible Empty PasswordC-PASSWORD-NOT-REQUIRED
T1078User Account Using Old PasswordC-USER-PASSWORD
T1078Last Change of the Microsoft Entra SSO Account PasswordC-AAD-SSO-PASSWORD
T1078AdminCount Attribute Set on Standard UsersC-ADMINCOUNT-ACCOUNT-PROPS
T1078Reversible Passwords in GPOC-REVER-PWD-GPO
T1078Potential Clear-Text PasswordC-CLEARTEXT-PASSWORD
T1078User Primary GroupC-DANG-PRIMGROUPID
T1078Domain Controllers Managed by Illegitimate UsersC-DC-ACCESS-CONSISTENCY
T1078Accounts With Never Expiring PasswordsC-PASSWORD-DONT-EXPIRE
T1078Kerberos Configuration on User AccountC-KERBEROS-CONFIG-ACCOUNT
T1078Privileged Authentication Silo ConfigurationC-AUTH-SILO
T1078ADCS Dangerous MisconfigurationsC-PKI-DANG-ACCESS
T1078Last Password Change on KRBTGT accountC-KRBTGT-PASSWORD
T1078Dangerous Sensitive PrivilegesC-DANGEROUS-SENSITIVE-PRIVILEGES
T1078Logon Restrictions for Privileged UsersC-ADMIN-RESTRICT-AUTH
T1078Native Administrative Group MembersC-NATIVE-ADM-GROUP-MEMBERS
T1078Privileged Accounts Running Kerberos ServicesC-PRIV-ACCOUNTS-SPN
T1078Application of Weak Password Policies on UsersC-PASSWORD-POLICY
T1078Detection of Password WeaknessesC-PASSWORD-HASHES-ANALYSIS
T1078Recent Use of the Default Administrator AccountC-ADM-ACC-USAGE
T1078Domain with Unsafe Backward-Compatibility ConfigurationC-DSHEURISTICS
T1098Dangerous Rights in the AD SchemaC-ABNORMAL-ENTRIES-IN-SCHEMA
T1098Mapped Certificates on AccountsC-SENSITIVE-CERTIFICATES-ON-USER
T1098Vulnerable Credential Roaming Related AttributesC-CREDENTIAL-ROAMING
T1098Ensure SDProp ConsistencyC-SDPROP-CONSISTENCY
T1098Verify Permissions Related to Microsoft Entra Connect AccountsC-AAD-CONNECT
T1098User Primary GroupC-DANG-PRIMGROUPID
T1098Domain Controllers Managed by Illegitimate UsersC-DC-ACCESS-CONSISTENCY
T1098Shadow CredentialsC-SHADOW-CREDENTIALS
T1098Missing MFA for Non-Privileged AccountMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT
T1098First-Party Service Principal With CredentialsFIRST-PARTY-SERVICE-PRINCIPAL-WITH-CREDENTIALS
T1098Missing MFA for Privileged AccountMISSING-MFA-FOR-PRIVILEGED-ACCOUNT

Tenable Web App Scanning

MITRE ATT&CK IDDescriptionIndicators
T1190Exploit Public-Facing ApplicationT1190_WAS
CVEDescriptionPlugin ID
CVE-2024-3400Palo Alto PAN-OS GlobalProtect Remote Code Execution114282
CVE-2024-24919Check Point Quantum Gateway Directory Traversal114291
CVE-2024-21887Ivanti Connect Secure 9.x / 22.x Authentication Bypass114165

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.