September 4, 2020
Severity
High
Analysis Summary
Pioneer Kitten is an Iranian APT group that has been spotted selling corporate-network credentials on hacker forums. The group has used open-source tools to compromise remote external services. It also relies on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, to exploit and gain access to its targets. The following vulnerabilities were found being exploited by this APT group.
CVE-2020-5902
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.
CVE-2019-11510
A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. This vulnerability has already been exploited in the wild.
CVE-2019-19781
A vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliances leading to arbitrary code execution. This vulnerability has already been exploited in the wild.
Impact
- Credential Theft
- Unauthorized Access
Remediation
Refer to previous advisories about these vulnerabilities and make sure all affected products have been patched.
- https://rewterz.com/rewterz-news/rewterz-threat-advisory-multiple-vulnerabilities-in-f5s-big-ip-allow-full-system-compromise
- https://rewterz.com/threats/rewterz-threat-advisory-cve-2019-11510-continued-exploitation-of-pulse-secure-vpn-vulnerability
- https://rewterz.com/rewterz-news/rewterz-threat-advisory-cve-2019-19781-citrix-patches-flaw-in-citrix-adc-11-1-and-12-0