CISA Alert: Iran-based Threat Actor Exploits VPN Vulnerabilities

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a new alert about an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. CISA developed the alert with contributions from the FBI. According to the alert, the threat actor was observed exploiting publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 to gain initial access to targeted networks. Once inside a successfully exploited network, the actor’s goals appear to be maintaining access for several months using multiple means of persistence and exfiltrating data. The alert contains further technical details of the activity, including techniques categorized by the MITRE ATT&CK framework, as well as a list of mitigation measures. CISA has also issued a Malware Analysis Report (MAR-10297887-1.v1) that details some of the tools this threat actor used against some victims. CISA recommends that network administrators use the information in these products to identify a potential compromise of their network, reduce exposure to Iranian government malicious cyber activity and protect their organization from future attacks. Read the alert at CISA.