Critical infrastructure providers and other organizations in the U.S. are facing a heightened risk of malicious cyberattacks from Iran-linked actors, according to threat researchers and U.S. officials.
The FBI and Cybersecurity and Infrastructure Security Agency last week issued a joint warning with the Department of Defense Cyber Crime Center about Iran collaborating with criminal ransomware groups to attack key industries in the U.S. and other foreign countries.
The group, known as Pioneer Kitten, has been collaborating with high-profile ransomware actors, including AlphV, Ransomhouse and NoEscape, in exchange for a cut of the ransom payments, officials said. The Iran-lined actors were seen scanning IP addresses as recently as July for Check Point Security Gateways that were potentially vulnerable to CVE-2024-24919.
The Check Point vulnerability, first disclosed in late May, allowed attackers to read information on internet-connected gateways with remote access VPN or mobile access enabled.
Federal officials said the threat actors were seen as recently as April scanning for IP addresses hosting Palo Alto Networks PAN-OS or GlobalProtect VPN devices. These scans likely involved CVE-2024-3400.
Palo Alto Networks said attackers across the globe are scanning for the vulnerability along with other vendor device flaws, and researchers at Unit 42 are tracking the Iran-linked threat actor, Michael Sikorski, VP and CTO of Unit 42, said via email. The firm has provided customers with mitigation advice.
The Palo Alto Networks command injection vulnerability, with a maximum severity of 10, could allow an unauthenticated attacker to execute arbitrary code with root privileges.
The state-linked actors have previously targeted vulnerabilities linked to Citrix NetScaler, including CVE-2023-3519, as well as F5 Big-IP devices, including CVE-2022-1388.
Researchers from Tenable said the advisory highlights the fact that only about half of the vulnerable assets have been properly remediated.
“Patching these vulnerabilities often involves complex processes, potential downtime and risk of disrupting critical services,” Rody Quinlan, staff research engineer at Tenable, said.
Beyond those concerns, many organizations have issues with legacy systems, resource constraints, and require extensive testing before applying patches, Quinlan said. This can create delays in addressing these critical vulnerabilities.
More action afoot
Meanwhile, Microsoft researchers last week warned that Peach Sandstorm, a threat actor linked to Iran’s Islamic Revolutionary Guard Corps, has deployed a custom, multistage backdoor that researchers called Tickler. Microsoft said the Peach Sandstorm threat activity is separate from the hacking outlined in the warnings from CISA and the FBI.
The backdoor is being used to attack federal and state governments, oil and gas, satellite and communications sectors both in the U.S. and United Arab Emirates. Peach Sandstorm is continuing to conduct password-spray attacks against the education sector as well as satellite, defense and government sectors.
Researchers have also seen the threat actor launch social engineering attacks dating back to 2021 against targets in those sectors via LinkedIn.
Before deploying the Tickler malware, the attackers abused Azure infrastructure of targeted organizations for command and control.
CISA officials declined to comment on the Iran-linked threat activity beyond what was issued in the advisory.