<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js"> <head> <meta charset="utf-8" /> <link rel="canonical" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" /> <meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" /> <meta property="og:title" content="Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA" /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" /> <title>Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA</title> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/align.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/fieldgroup.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/container-inline.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/clearfix.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/details.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/hidden.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/item-list.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/js.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/nowrap.module.css?snj5wy" /> <link rel="stylesheet" media="all" 
href="/core/modules/system/css/components/position-container.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/reset-appearance.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/resize.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-counter.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-counters.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-general-info.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/tablesort.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/misc/components/progress.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/misc/components/ajax-progress.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/core/modules/views/css/views.module.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/tablesaw-base.css?snj5wy" /> <link rel="stylesheet" media="screen" href="/modules/contrib/responsive_tables_filter/css/tablesaw-responsive.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/tables.columntoggle.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/customizations.css?snj5wy" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/modules/custom/toolbar_tasks/css/toolbar.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/extlink/css/extlink.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/ckeditor_accordion/css/accordion.frontend.css?snj5wy" /> <link rel="stylesheet" media="all" 
href="/modules/contrib/better_social_sharing_buttons/css/better_social_sharing_buttons.css?snj5wy" /> <link rel="stylesheet" media="all" href="/modules/contrib/paragraphs/css/paragraphs.unpublished.css?snj5wy" /> <link rel="stylesheet" media="all" href="//fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700&family=Public+Sans:wght@400;500;600;700&display=swap" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/themes/custom/gesso/dist/css/styles.css?snj5wy" /> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/8359","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"gtm":{"tagId":null,"settings":{"data_layer":"dataLayer","include_classes":false,"allowlist_classes":"","blocklist_classes":"","include_environment":false,"environment_id":"","environment_token":""},"tagIds":["GTM-53QLXSL9"]},"gtag":{"tagId":"","consentMode":false,"otherIds":[],"events":[],"additionalConfigInfo":[]},"ajaxPageState":{"libraries":"eJxdj1FuxCAMRC9EwpGQAYfQOBhhk2xuX9pNt9r9GfmN7NHYoyo2JxwykJMVWi7J-a7KRazoRYNN2DBm5eYgBG4xc7GvaV4aF8USDT50bG82tl6B5htNYk6ETiHZNOSTZ_iCx7u5m9TljGITsQcyFRqkBnWVv-x_Z-6ldk9ZVoymodTROx8_SZ5Q3JJp_GefBOf0ZCOXKO7Wg6BRZvLQxoVsYm8yXRaMiQ93N4MCdGkOYokhTi-cQizmyHiK_dV559gJvwGrnYer","theme":"guswds","theme_token":null},"ajaxTrustedUrl":[],"data":{"extlink":{"extTarget":false,"extTargetAppendNewWindowLabel":"(opens in a new window)","extTargetNoOverride":false,"extNofollow":false,"extNoreferrer":false,"extFollowNoOverride":false,"extClass":"ext","extLabel":"(link is external)","extImgClass":false,"extSubdomains":true,"extExclude":"(.\\.gov$)|(.\\.mil$)|(.\\.mil\/)|(.\\.gov\/)","extInclude":"","extCssExclude":".c-menu--social,.c-menu--footer,.c-social-links,.c-text-cta--button,.usa-footer__contact-info","extCssInclude":"","extCssExplicit":"","extAlert":true,"extAlertText":"You are now leaving 
an official website of the United State Government (USG), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Links to non-USG, non-DHS and non-CISA sites are provided for the visitor\u0027s convenience and do not represent an endorsement by USG, DHS or CISA of any commercial or private issues, products or services. Note that the privacy policy of the linked site may differ from that of USG, DHS and CISA.","extHideIcons":false,"mailtoClass":"mailto","telClass":"","mailtoLabel":"(link sends email)","telLabel":"(link is a phone number)","extUseFontAwesome":false,"extIconPlacement":"append","extFaLinkClasses":"fa fa-external-link","extFaMailtoClasses":"fa fa-envelope-o","extAdditionalLinkClasses":"","extAdditionalMailtoClasses":"","extAdditionalTelClasses":"","extFaTelClasses":"fa fa-phone","whitelistedDomains":[],"extExcludeNoreferrer":""}},"ckeditorAccordion":{"accordionStyle":{"collapseAll":1,"keepRowsOpen":0,"animateAccordionOpenAndClose":1,"openTabsWithHash":1}},"user":{"uid":0,"permissionsHash":"0f75d40308887aebba0d5b0d2671305b73c9431902f86e672380a6dc6ab97d07"}}</script> <script src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"></script> <script src="/core/assets/vendor/once/once.min.js?v=1.0.1"></script> <script src="/core/misc/drupalSettingsLoader.js?v=10.3.6"></script> <script src="/core/misc/drupal.js?v=10.3.6"></script> <script src="/core/misc/drupal.init.js?v=10.3.6"></script> <script src="/core/assets/vendor/tabbable/index.umd.min.js?v=6.2.0"></script> <script src="/modules/contrib/google_tag/js/gtm.js?snj5wy"></script> <script src="/modules/contrib/google_tag/js/gtag.js?snj5wy"></script> <script src="/core/misc/progress.js?v=10.3.6"></script> <script src="/core/assets/vendor/loadjs/loadjs.min.js?v=4.3.0"></script> <script src="/core/misc/debounce.js?v=10.3.6"></script> <script src="/core/misc/announce.js?v=10.3.6"></script> <script src="/core/misc/message.js?v=10.3.6"></script> <script 
src="/core/misc/ajax.js?v=10.3.6"></script> <script src="/modules/contrib/google_tag/js/gtag.ajax.js?snj5wy"></script> </head> <body class="path-node not-front node-page node-page--node-type-advisory" id="top"> <div class="c-skiplinks"> <a href="#main" class="c-skiplinks__link u-visually-hidden u-focusable">Skip to main content</a> </div> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-53QLXSL9" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="l-site-container"> <section class="usa-banner" aria-label="Official government website"> <div class="usa-accordion"> <header class="usa-banner__header"> <div class="usa-banner__inner"> <div class="grid-col-auto"> <img class="usa-banner__header-flag" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/us_flag_small.png" alt="U.S. flag" /> </div> <div class="grid-col-fill tablet:grid-col-auto"> <p class="usa-banner__header-text">An official website of the United States government</p> <p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p></div> <button class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here’s how you know</span> </button> </div> </header> <div class="usa-banner__content usa-accordion__content" id="gov-banner"> <div class="grid-row grid-gap-lg"> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-dot-gov.svg" alt="Dot gov"> <div class="usa-media-block__body"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. 
</p> </div> </div> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-https.svg" alt="HTTPS"> <div class="usa-media-block__body"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/></svg></span>) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites. 
</p> </div> </div> </div> </div> </div> </section> <div class="c-block c-global-header-btns c-global-btns"> <div class="l-constrain l-constrain"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/topics/election-security/election-threat-updates">Election Threat Updates</a><a class="c-button c-button--basic c-button--gray" href="/protect2024">#protect2024</a><a class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> <div class="usa-overlay"></div> <header class="usa-header usa-header--extended" role="banner"> <div class="usa-navbar"> <div class="l-constrain"> <div class="usa-navbar__row"> <div class="c-block c-site-header"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblock" class="c-block c-block--provider-block-content c-block--id-block-contentbc4e6844-86b4-4e20-b163-a73bda3d1d76"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/header_logo_tagline_update.svg" alt="CISA logo image. 
America's Cyber Defense Agency, National Coordinator for Critical Infrastructure Security and Resilience"/></a></div></div> </div> </div> </div> </div> </div> <div class="c-block c-site-header-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblockmobile" class="c-block c-block--provider-block-content c-block--id-block-content283396c9-cd36-4ce3-b1e2-9b5576ab4f50"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/mobile_logo_wordmark.svg" alt="CISA Logo"/></a></div></div> </div> </div> </div> </div> </div> <div class="usa-navbar__search"> <div class="usa-navbar__search-header"> <p>Search</p> </div> <div class="usa-search"> <script async src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> </div> <button class="mobile-menu-button usa-menu-btn">Menu</button> </div> </div> </div> <div class="c-block c-tagline-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-mobiletaglinecontainer" class="c-block c-block--provider-block-content c-block--id-block-contentc8d12e9d-7e48-4708-90c1-563609c4b566"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><center><img src = "/sites/default/files/images/SVG/header_tagline_mobile_update.svg" alt = "America's Cyber Defense Agency" /></center></div></div> </div> </div> </div> </div> </div> <nav class="usa-nav" role="navigation" aria-label="Primary navigation"> <div class="usa-nav__inner l-constrain"> <div class="usa-nav__row"> <button class="usa-nav__close">Close</button> <div class="usa-search"> <script async src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div 
class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> <ul class="usa-nav__primary usa-accordion"> <li class="usa-nav__primary-item topics"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-1"> <span>Topics</span> </button> <div id="basic-mega-nav-section-1" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/topics">Topics</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cybersecurity-best-practices"> <span>Cybersecurity Best Practices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cyber-threats-and-advisories"> <span>Cyber Threats and Advisories</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/critical-infrastructure-security-and-resilience"> <span>Critical Infrastructure Security and Resilience</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/election-security"> <span>Election Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/emergency-communications"> <span>Emergency Communications</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/industrial-control-systems"> <span>Industrial Control Systems</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/information-communications-technology-supply-chain-security"> <span>Information and Communications Technology Supply Chain Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/partnerships-and-collaboration"> <span>Partnerships and Collaboration</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a 
href="/topics/physical-security"> <span>Physical Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/risk-management"> <span>Risk Management</span> </a> </div> </div> </div> <div class="c-menu-feature-links"> <div class="c-menu-feature-links__title"> <a href="/audiences"> How can we help? </a> </div> <div class="c-menu-feature-links__content"><a href="/topics/government">Government</a><a href="/topics/educational-institutions">Educational Institutions</a><a href="/topics/industry">Industry</a><a href="/topics/state-local-tribal-and-territorial">State, Local, Tribal, and Territorial</a><a href="/topics/individuals-and-families">Individuals and Families</a><a href="/topics/small-and-medium-businesses">Small and Medium Businesses</a><a href="/audiences/find-help-locally">Find Help Locally</a><a href="/audiences/faith-based-community">Faith-Based Community</a><a href="/audiences/executives">Executives</a><a href="/audiences/high-risk-communities">High-Risk Communities</a></div> </div> </div> </li> <li class="usa-nav__primary-item spotlight"> <a href="/spotlight" class="usa-nav__link" > <span>Spotlight</span> </a> </li> <li class="usa-nav__primary-item resources--tools"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-3"> <span>Resources & Tools</span> </button> <div id="basic-mega-nav-section-3" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/resources-tools">Resources & Tools</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/all-resources-tools"> <span>All Resources & Tools</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/services"> <span>Services</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a 
href="/resources-tools/programs"> <span>Programs</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/resources"> <span>Resources</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/training"> <span>Training</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/resources-tools/groups"> <span>Groups</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item news--events"> <button class="usa-accordion__button usa-nav__link usa-current" aria-expanded="false" aria-controls="basic-mega-nav-section-4"> <span>News & Events</span> </button> <div id="basic-mega-nav-section-4" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/news-events">News & Events</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/news"> <span>News</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/events"> <span>Events</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/cybersecurity-advisories"> <span>Cybersecurity Alerts & Advisories</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/directives"> <span>Directives</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/request-speaker"> <span>Request a CISA Speaker</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/news-events/congressional-testimony"> <span>Congressional Testimony</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-conferences"> <span>CISA Conferences</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a 
href="/cisa-live"> <span>CISA Live!</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item careers"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-5"> <span>Careers</span> </button> <div id="basic-mega-nav-section-5" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/careers">Careers</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/benefits-perks"> <span>Benefits & Perks</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/hirevue-applicant-reasonable-accommodations-process"> <span>HireVue Applicant Reasonable Accommodations Process</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/general-recruitment-and-hiring-faqs"> <span>Hiring</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/resume-application-tips"> <span>Resume & Application Tips</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/students-recent-graduates-employment-opportunities"> <span>Students & Recent Graduates</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/veteran-and-military-spouse-employment-opportunities"> <span>Veteran and Military Spouses</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/careers/work-cisa"> <span>Work @ CISA</span> </a> </div> </div> </div> </div> </li> <li class="usa-nav__primary-item about"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-6"> <span>About</span> </button> <div id="basic-mega-nav-section-6" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/about">About</a> 
</div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/culture"> <span>Culture</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/divisions-offices"> <span>Divisions & Offices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/regions"> <span>Regions</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/leadership"> <span>Leadership</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/doing-business-cisa"> <span>Doing Business with CISA</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/site-links"> <span>Site Links</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/reporting-employee-and-contractor-misconduct"> <span>Reporting Employee and Contractor Misconduct</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-github"> <span>CISA GitHub</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-central"> <span>CISA Central</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/2023YIR"> <span>2023 Year In Review</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us"> <span>Contact Us </span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us/subscribe-updates-cisa"> <span>Subscribe</span> </a> </div> </div> </div> </div> </li> </ul> <div class="c-block c-global-menu-btns c-global-btns"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div 
class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/topics/election-security/election-threat-updates">Election Threat Updates</a><a class="c-button c-button--basic c-button--gray" href="/protect2024">#protect2024</a><a class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> </div> </nav> </header> <div class="l-breadcrumb"> <div class="l-constrain"> <div class="l-breadcrumb__row"> <nav aria-labelledby="breadcrumb-label" class="c-breadcrumb" role="navigation"> <div class="l-constrain"> <div id="breadcrumb-label" class="c-breadcrumb__title u-visually-hidden">Breadcrumb</div> <ol class="c-breadcrumb__list"> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/">Home</a> </li> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/news-events">News & Events</a> </li> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/news-events/cybersecurity-advisories">Cybersecurity Advisories</a> </li> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A94">Cybersecurity Advisory</a> </li> </ol> </div> </nav> <div id="block-bettersocialsharingbuttons" class="c-block c-block--social-share c-block--provider-better-social-sharing-buttons c-block--id-social-sharing-buttons-block"> <div class="c-block__content"> <div class="c-block__row"> <span>Share:</span> <div style="display: none"><link rel="preload" 
href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg" as="image" type="image/svg+xml" crossorigin="anonymous" /></div> <div class="social-sharing-buttons"> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a&title=Iran-Based%20Threat%20Actor%20Exploits%20VPN%20Vulnerabilities" target="_blank" title="Share to Facebook" aria-label="Share to Facebook" class="social-sharing-buttons__button share-facebook" rel="noopener"> <svg width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#facebook" /> </svg> </a> <a href="https://twitter.com/intent/tweet?text=Iran-Based%20Threat%20Actor%20Exploits%20VPN%20Vulnerabilities+https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" target="_blank" title="Share to X" aria-label="Share to X" class="social-sharing-buttons__button share-x" rel="noopener"> <svg width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#x" /> </svg> </a> <a href="https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" target="_blank" title="Share to Linkedin" aria-label="Share to Linkedin" class="social-sharing-buttons__button share-linkedin" rel="noopener"> <svg width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#linkedin" /> </svg> </a> <a href="mailto:?subject=Iran-Based%20Threat%20Actor%20Exploits%20VPN%20Vulnerabilities&body=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a" title="Share to Email" aria-label="Share to Email" class="social-sharing-buttons__button share-email" target="_blank" rel="noopener"> <svg width="18px" 
height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#email" /> </svg> </a> </div> </div> </div> </div> </div> </div> </div> <main id="main" class="c-main" role="main" tabindex="-1"> <div class="l-content"> <div class="is-promoted l-full"> <div class="l-full__header"> <div class="c-page-title"> <div class="c-page-title__inner l-constrain"> <div class="c-page-title__row"> <div class="c-page-title__content"> <div class="c-page-title__meta">Cybersecurity Advisory</div> <h1 class="c-page-title__title"> <span>Iran-Based Threat Actor Exploits VPN Vulnerabilities</span> </h1> <div class="c-page-title__fields"> <div class="c-field c-field--name-field-last-updated c-field--type-datetime c-field--label-above"> <div class="c-field__label">Last Revised</div><div class="c-field__content"><time datetime="2020-09-15T12:00:00Z">September 15, 2020</time></div></div> <div class="c-field c-field--name-field-alert-code c-field--type-string c-field--label-above"> <div class="c-field__label">Alert Code</div><div class="c-field__content">AA20-259A</div></div> </div> </div> </div> <div class="c-page-title__decoration"></div> </div> </div> </div> <div class="l-full__main"> <div class="l-page-section l-page-section--rich-text"> <div class="l-constrain"> <div class="l-page-section__content"> <div> <h3>Summary</h3> </div> <p><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the <a href="https://attack.mitre.org/matrices/enterprise/">ATT&CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p>This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. 
Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known as Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) affecting Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 products. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.</p> <p>This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.</p> <p>A <a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf">PDF version of this report</a> is also available.</p> <div> <h3>Technical Details</h3> </div> <p>CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.</p> <p>After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells, allowing further entrenchment. 
After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.</p> <p>CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.</p> <p>Table 1 illustrates some of the common tools this threat actor has used.</p> <p><em>Table 1: Common exploit tools</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>Tool</p> </th> <th scope="col" role="columnheader"> <p>Detail</p> </th> </tr> </thead> <tbody> <tr> <td> <p>ChunkyTuna web shell</p> </td> <td>ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.</td> </tr> <tr> <td> <p>Tiny web shell</p> </td> <td>Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. 
It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.</td> </tr> <tr> <td> <p>China Chopper web shell</p> </td> <td>China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.</td> </tr> <tr> <td>FRPC</td> <td>FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.</td> </tr> <tr> <td>Chisel</td> <td>Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.</td> </tr> <tr> <td>ngrok</td> <td>ngrok is a tool used to expose a local port to the internet. 
Optionally, tunnels can be secured with TLS.</td> </tr> <tr> <td>Nmap</td> <td>Nmap is used for vulnerability scanning and network discovery.</td> </tr> <tr> <td>Angry IP Scanner</td> <td>Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.</td> </tr> <tr> <td>Drupwn</td> <td>Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.</td> </tr> </tbody> </table> <p><br><br> Notable means of detecting this threat actor:</p> <ul> <li>CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.</li> <li>The threat actor uses FRPC over port 7557.</li> <li><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a">Malware Analysis Report MAR-10297887-1.v1</a> details some of the tools this threat actor used against some victims.</li> </ul> <p>The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.</p> <ul> <li>Tiny web shell</li> </ul> <p><code> /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php<br><br> /netscaler/ns_gui/vpn/images/vpn_ns_gui.php<br><br> /var/vpn/themes/imgs/tiny.php</code></p> <ul> <li>ChunkyTuna web shell</li> </ul> <p><code> /var/vpn/themes/imgs/debug.php<br><br> /var/vpn/themes/imgs/include.php<br><br> /var/vpn/themes/imgs/whatfile</code></p> <ul> <li>Chisel</li> </ul> <p><code> /var/nstmp/chisel</code></p> <h3>MITRE ATT&CK Framework</h3> <h4>Initial Access</h4> <p>As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. 
From there, the threat actor used the Citrix environment to establish a presence on an internal network server.</p> <p><em>Table 2: Initial access techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1190/">T1190</a></p> </td> <td>Exploit Public-Facing Application</td> <td>The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.</td> </tr> </tbody> </table> <h4>Execution</h4> <p>After gaining initial access, the threat actor began executing scripts, as shown in table 3.</p> <p><em>Table 3: Execution techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1059/001/">T1059.001</a></p> </td> <td>Command and Scripting Interpreter: PowerShell</td> <td>A PowerShell script (<code>keethief</code> and <code>kee.ps1</code>) was used to access KeePass data.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1059/003/">T1059.003</a></p> </td> <td>Command and Scripting Interpreter: Windows Command Shell</td> <td><code>cmd.exe</code> was launched via sticky keys that was likely used as a password changing mechanism.</td> </tr> </tbody> </table> 
<h4>Persistence</h4> <p>CISA observed the threat actor using the techniques identified in table 4 to establish persistence.</p> <p><em>Table 4: Persistence techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1053/003/">T1053.003</a></p> </td> <td>Scheduled Task/Job: Cron</td> <td>The threat actor loaded a series of scripts to <code>cron</code> and ran them for various purposes (mainly to access NetScaler web forms).</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1053/005/">T1053.005</a></p> </td> <td>Scheduled Task/Job: Scheduled Task</td> <td>The threat actor installed and used FRPC (<code>frpc.exe</code>) on both NetScaler and internal devices. The task was named <code>lpupdate</code> and the binary was named <code>svchost</code>, which was the reverse proxy. The threat actor executed this command daily.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a></p> </td> <td>Server Software Component: Web Shell</td> <td>The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1546/008/">T1546.008</a></p> </td> <td>Event Triggered Execution: Accessibility Features</td> <td>The threat actor used sticky keys (<code>sethc.exe</code>) to launch <code>cmd.exe</code>.</td> </tr> </tbody> </table> <h4>Privilege Escalation</h4> <p>CISA observed no evidence of direct privilege escalation. 
The threat actor attained domain administrator credentials on the NetScaler device via the exploit and continued to expand credential access on the network.</p> <h4>Defense Evasion</h4> <p>CISA observed the threat actor using the techniques identified in table 5 to evade detection.</p> <p><em>Table 5: Defense evasion techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1027/002/">T1027.002</a></p> </td> <td>Obfuscated Files or Information: Software Packing</td> <td>The threat actor used base64 encoding for payloads on NetScaler during initial access, making it easier for the pre-compiled payloads to avoid detection.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1027/004/">T1027.004</a></p> </td> <td>Obfuscated Files or Information: Compile After Delivery</td> <td>The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1036/004/">T1036.004</a></p> </td> <td>Masquerading: Masquerade Task or Service</td> <td>The threat actor used FRPC (<code>frpc.exe</code>) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (<code>frpc.exe</code>) task name was <code>lpupdate</code> and it ran out of the Input Method Editor (IME) directory.
In other events, the threat actor has been observed hiding activity via ngrok.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1036/005/">T1036.005</a></p> </td> <td>Masquerading: Match Legitimate Name or Location</td> <td>The FRPC (<code>frpc.exe</code>) binary name was <code>svchost</code>, and the configuration file was <code>dllhost.dll</code>, attempting to masquerade as a legitimate Dynamic Link Library.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></p> </td> <td>Indicator Removal on Host: File Deletion</td> <td>To minimize their footprint, the threat actor ran <code>./httpd-nscache_clean</code> every 30 minutes, which cleaned up files on the NetScaler device.</td> </tr> </tbody> </table> <h4>Credential Access</h4> <p>CISA observed the threat actor using the techniques identified in table 6 to further their credential access.</p> <p><em>Table 6: Credential access techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1003/001/">T1003.001</a></p> </td> <td>OS Credential Dumping: LSASS Memory</td> <td>The threat actor used <code>procdump</code> to dump process memory from the Local Security Authority Subsystem Service (LSASS).</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1003/003/">T1003.003</a></p> </td> <td>OS Credential Dumping: Windows NT Directory Services (NTDS)</td> <td>The threat actor used Volume Shadow Copy to access credential information from the NTDS file.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a></p> </td> <td>Unsecured Credentials: 
Credentials in Files</td> <td>The threat actor accessed files containing valid credentials.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1555/">T1555</a></p> </td> <td>Credentials from Password Stores</td> <td>The threat actor accessed a <code>KeePass</code> database multiple times and used <code>kee.ps1</code> PowerShell script.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1558/">T1558</a></p> </td> <td>Steal or Forge Kerberos Tickets</td> <td>The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account.</td> </tr> </tbody> </table> <h4>Discovery</h4> <p>CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.</p> <p><em>Table 7: Discovery techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1018/">T1018</a></p> </td> <td>Remote System Discovery</td> <td>The threat actor used Angry IP Scanner to detect remote systems.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1083/">T1083</a></p> </td> <td>File and Directory Discovery</td> <td>The threat actor used WizTree to obtain network files and directory listings.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1087/">T1087</a></p> </td> <td>Account Discovery</td> <td>The threat actor accessed <code>ntuser.dat</code> and <code>UserClass.dat</code> and used Softerra LDAP Browser to browse documentation for service accounts.</td> </tr> <tr> <td> <p><a 
href="https://attack.mitre.org/techniques/T1217/">T1217</a></p> </td> <td>Browser Bookmark Discovery</td> <td>The threat actor used Google Chrome bookmarks to find internal resources and assets.</td> </tr> </tbody> </table> <h4>Lateral Movement</h4> <p>CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.</p> <p><em>Table 8: Lateral movement techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1021/">T1021</a></p> </td> <td>Remote Services</td> <td>The threat actor used RDP with valid account credentials for lateral movement in the environment.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a></p> </td> <td>Remote Services: Remote Desktop Protocol</td> <td>The threat actor used RDP to log in and then conduct lateral movement.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a></p> </td> <td>Remote Services: SMB/Windows Admin Shares</td> <td>The threat actor used PsExec and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1021/004/">T1021.004</a></p> </td> <td>Remote Services: SSH</td> <td>The threat actor used Plink and PuTTY for lateral movement. Plink artifacts indicating encrypted sessions were found in the system registry hive.
</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1021/005/">T1021.005</a></p> </td> <td>Remote Services: Virtual Network Computing (VNC)</td> <td>The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1563/002/">T1563.002</a></p> </td> <td>Remote Service Session Hijacking: RDP Hijacking</td> <td>The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.</td> </tr> </tbody> </table> <h4>Collection</h4> <p>CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.</p> <p><em>Table 9: Collection techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1005/">T1005</a></p> </td> <td>Data from Local System</td> <td>The threat actor searched local system sources to access sensitive documents.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1039/">T1039</a></p> </td> <td>Data from Network Shared Drive</td> <td>The threat actor searched network shares to access sensitive documents.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1213/">T1213</a></p> </td> <td>Data from Information Repositories</td> <td>The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1530/">T1530</a></p> </td> <td>Data from Cloud Storage Object</td> <td>The threat
actor obtained files from the victim cloud storage instances.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1560/001/">T1560.001</a></p> </td> <td>Archive Collected Data: Archive via Utility</td> <td>The threat actor used 7-Zip to archive data.</td> </tr> </tbody> </table> <h4>Command and Control</h4> <p>CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).</p> <p><em>Table 10: Command and control techniques</em></p> <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap> <thead> <tr> <th scope="col" role="columnheader" data-tablesaw-priority="persist"> <p>ID</p> </th> <th scope="col" role="columnheader"> <p>Technique/Sub-Technique</p> </th> <th scope="col" role="columnheader"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001</a></p> </td> <td>Application Layer Protocol: Web Protocols</td> <td>The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1105/">T1105</a></p> </td> <td>Ingress Tool Transfer</td> <td>The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.</td> </tr> <tr> <td> <p><a href="https://attack.mitre.org/techniques/T1572/">T1572</a></p> </td> <td>Protocol Tunneling</td> <td>The threat actor used <code>FRPC.exe</code> to tunnel RDP over port 443. 
The threat actor has also been observed using ngrok for tunneling.</td> </tr> </tbody> </table> <h4>Exfiltration</h4> <p>CISA currently has no direct evidence of data exfiltration by this threat actor but assesses that exfiltration likely occurred, given the threat actor’s use of 7-Zip and viewing of sensitive documents.</p> <div> <h3>Mitigations</h3> </div> <h4>Recommendations</h4> <p>CISA and FBI recommend the following measures.</p> <ul> <li>If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">AA20-031A</a>.</li> <li>This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.</li> <li>If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. <ul> <li>If compromised, rebuild/reimage compromised NetScaler devices.</li> </ul> </li> <li>Routinely audit configuration and patch management programs.</li> <li>Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).</li> <li>Implement multifactor authentication, especially for privileged accounts.</li> <li>Use separate administrative accounts on separate administration workstations.</li> <li>Implement the principle of least privilege on data access.</li> <li>Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.</li> <li>Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.</li> <li>Keep software up to date.</li> </ul> <div> <h3>Contact Information</h3> </div> <p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a
href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field-offices</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.dhs.gov">central@cisa.dhs.gov</a>.</p> <h3>Resources</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-073a">CISA Alert AA20-073A: Enterprise VPN Security</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-107a">CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-206a">CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">CISA Security Tip: Securing Network Infrastructure Devices</a></li> </ul> <div> <h3>Revisions</h3> </div> <p>September 15, 2020: Initial Version</p> </div> </div> </div> <div class="l-constrain l-page-section--rich-text"> <div class="l-page-section__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p>This product is provided subject to this <a href="/notification" rel="nofollow noopener" target="_blank" title="Follow link">Notification</a> and this <a href="/privacy-policy" rel="nofollow noopener" target="_blank" title="Follow link">Privacy & Use</a> policy.</p></div></div> </div> </div> </div> <div