Rewterz Threat Alert – Pioneer Kitten APT Sells Corporate Network Access, Exploits Vulnerabilities

September 4, 2020

Severity

High

Analysis Summary

Pioneer Kitten is an Iranian APT group which has been spotted selling corporate-network credentials on hacker forums. This hacker group has utilised open-source tools to compromise remote external services.They also rely on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion to exploit and gain access to their targets. Following vulnerabilities were found being exploited by this APT group.

CVE-2020-5902

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

CVE-2019-11510

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. This vulnerability has already been exploited in the wild.
CVE-2019-19781

Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution. This vulnerability has already been exploited in the wild.

Impact

Credential Theft
Unauthorized Access

Remediation

Refer to previous advisories about these vulnerabilities and make sure all affected products have been patched.