DHS/CISA Cyber Security Alert: Iran-Based Threat Actor Exploits VPN Vulnerabilities

Critical Infrastructure Colleagues and Partners,


Today, CISA and FBI are issuing a joint cybersecurity advisory about Iranian-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Exploiting publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 are the methods this threat actor has been observed using to gain initial access to targeted networks. Once inside a successfully exploited network, these actors’ goals appear to be maintained access for several months using multiple means of persistence and exfiltrate data.


Also, CISA is issuing Malware Analysis Report (MAR-10297887-1.v1) that details some of the tools this threat actor used against some victims.


Network administrators can use this joint advisory to identify a potential compromise of their network, reduce exposure to Iranian government malicious cyber activity and protect their organization from future attacks. The tactics, techniques, and procedures (TTPs); indicators of compromise (IOCs); and exploited CVEs observed being used by this threat actor are provided. The techniques are mapped to the MITRE ATT&CK Framework to further assist organizations with detecting and mitigating this threat.


The advisory can be found here https://us-cert.cisa.gov/ncas/alerts/aa20-259a and MAR can be found here https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a.

We encourage you to share this information widely.


Steve Lyddon
Protective Security Advisor, Region V, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell:  217-299-3954 | steven.lyddon@cisa.dhs.gov


AA20-259A details observed Iranian threat actor activity, specifically the exploitation of vulnerabilities in Pulse Secure VPN, Citrix NetScaler, and F5 Big-IP devices. The observed activity is similar to that reported in AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity (TLP:WHITE), available here: https://us-cert.cisa.gov/ncas/alerts/aa20-258a.


Additional CISA Resources


U.S. Department of Homeland Security
Northrup Grumman in support of
CISA | IOD | CISA Central