The Iranian-based malicious cyber actor associated to this report is known to target industries associated to information technology, government, healthcare, financial, and insurance across the US. The threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. Once the actor exploits these vulnerabilities, open source web shells and/or modified versions of the web shells are used to further entrench into a victim network. The web shells are publicly known as ChunkyTuna, Tiny, and China Chopper web shells.
Web shells provide the hackers with the ability to execute code on the victim systems, enumerate directories, deploy additional payloads, steal data, and navigate the victim network. Additional components can be employed to expand the attacker’s command and control (C&C) capabilities.
CISA’s report reveals that an Iranian threat actor targeting IT, government, healthcare, financial, and insurance organizations across the United States was observed employing the ChunkyTuna, Tiny, and China Chopper web shells in their attacks.
The same actor, the report reveals, was observed targeting well-known vulnerabilities, including those in Pulse Secure virtual private network (VPN), Citrix Application Delivery Controller (ADC) and Gateway, and F5’s BIG-IP ADC products.
At the end of August, Crowdstrike revealed that the Iran-based cyber-espionage group known as PIONEER KITTEN, PARISITE, UNC757, and FOX KITTEN, which is believed to be operating on behalf of the Iranian government, has been targeting the same vulnerabilities in opportunistic attacks on numerous sectors.
CISA, which does not name the Iranian threat actor referenced in their new report, details the functionality of 19 malicious files, many of which are components of the China Chopper web shell.
The web shell supports the delivery and execution of JavaScript code, but also includes components to listen for incoming HTTP connections from the attacker server (an application service provider (ASP) application), and to enable directory enumeration, payload execution, and data exfiltration capabilities.
A version of the open source project FRP was also employed, for the tunneling of various types of connections (a February 2020 ClearSky report also revealed the use of FRP in FOX KITTEN attacks), and a PowerShell shell script was used to access encrypted credentials stored by Microsoft’s KeePass password management software.
“The adversary may have used the ‘FRP’ utility to tunnel outbound Remote Desktop Protocol (RDP) sessions, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also provides the persistent ability to navigate throughout the victim’s network when inside the perimeter. Leveraging the ‘KeeThief’ utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts outside of the victim’s network,” CISA says.
CISA’s report also details 7 additional files that were identified as ChunkyTuna and Tiny web shells, and which are meant to provide operators with the ability to pass commands and data from remote servers.
Related: Iranian Hackers Target Critical Vulnerability in F5’s BIG-IP
Related: Iranian Hackers Exploited Enterprise VPN Flaws in Major Campaign
Related: Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files
