Iranian APT Exploits Edge Vulnerabilities in US Infrastructure
- [01] Immediate impact: Iranian actors have compromised US critical infrastructure to maintain persistence and facilitate future ransomware operations.
- [02] Affected systems: Organizations utilizing unpatched Check Point Security Gateways and Palo Alto Networks PAN-OS devices are at risk.
- [03] Remediation: Defenders must immediately patch edge security appliances and audit all administrative accounts for unauthorized credential access.
Iranian state-sponsored threat actors have successfully breached the networks of a US airport, a financial institution, and a software company, according to SecurityWeek. These activities, attributed to an APT group known as Pioneer Kitten (also identified as Fox Kitten or UNC757), demonstrate a persistent focus on US critical infrastructure. The campaign, observed since February 2024, highlights a concerning evolution where nation-state actors collaborate with or facilitate ransomware operations to achieve financial or disruptive objectives.
Analysis of Iranian APT Targeted Sectors
The selection of targets—including aviation and banking—suggests that the actors are prioritizing sectors where downtime or data loss has the highest impact. By securing a foothold in these environments, the group provides lateral movement opportunities for other malicious entities. Intelligence suggests that these actors often serve as initial access brokers, selling access to compromised networks to ransomware affiliates like NoEscape or RansomHouse. This blurred line between state-sponsored espionage and cybercrime complicates attribution and increases the risk of high-impact disruptive attacks.
CVE-2024-24919 Check Point Exploitation and Initial Access
A primary TTP used by the group involves the exploitation of vulnerabilities in perimeter security appliances. Specifically, the actors have been observed utilizing CVE-2024-24919, an information disclosure vulnerability affecting Check Point Security Gateways. This vulnerability allows an unauthenticated attacker to read sensitive information on the gateway, which can lead to the theft of credentials or privilege escalation.
In addition to Check Point devices, the group has exploited CVE-2024-3400, a critical RCE vulnerability in Palo Alto Networks PAN-OS. By weaponizing these edge-facing vulnerabilities, the actors bypass traditional phishing methods, gaining direct entry into the target’s internal network infrastructure. Once inside, they typically deploy web shells or establish C2 channels to maintain persistence.
Technical Details and Persistence Mechanisms
Upon gaining access, Pioneer Kitten focuses on credential harvesting and account creation to ensure long-term access. According to the federal advisory cited by SecurityWeek, the group often creates new user accounts or modifies existing ones to evade detection by EDR solutions. They have been known to use legitimate administrative tools to blend in with normal network traffic, a technique frequently mapped in the MITRE ATT&CK framework as ‘Living off the Land’.
How to Detect Iranian APT Persistence
To identify potential compromises, security teams should focus on anomalous outbound traffic from edge devices and the creation of unauthorized local accounts on sensitive servers. Effective detection strategies include:
- Monitoring for unauthorized attempts to access /etc/shadow or other sensitive system files via Check Point gateways.
- Auditing SIEM logs for unusual API calls or command execution originating from Palo Alto Networks GlobalProtect interfaces.
- Reviewing SOC alerts for the use of AnyDesk or other remote desktop software not authorized by corporate policy.
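The three detection strategies above, turned into a small log scanner as an added example (not code from the article or from any vendor's product). The log lines are constructed for this example, the field layout is assumed, and the remote-tool allow-list is a placeholder for an organisation's own policy.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines for this example (not real telemetry).
# Assumed layout: "<timestamp> <source> <key=value ...>".
SAMPLE_LOGS = [
    '2024-06-01T10:00:01Z gateway src=203.0.113.5 req="GET /portal/login HTTP/1.1" status=200',
    '2024-06-01T10:00:07Z gateway src=203.0.113.5 req="POST /example/endpoint HTTP/1.1" body="..%2F..%2F..%2Fetc%2Fshadow" status=200',
    '2024-06-01T10:02:13Z gateway src=198.51.100.9 req="GET /static/logo.png HTTP/1.1" status=200',
    '2024-06-01T10:15:40Z auth host=srv-fin-01 msg="useradd[4411]: new user: name=svc_backup2, UID=1007"',
    '2024-06-01T10:20:02Z winevt host=srv-fin-02 EventID=4720 msg="A user account was created" TargetUserName=helpdesk_tmp',
    '2024-06-01T10:31:55Z edr host=ws-0042 msg="process started" image="C:\\Users\\j.doe\\Downloads\\AnyDesk.exe"',
    '2024-06-01T10:32:10Z edr host=ws-0042 msg="process started" image="C:\\Windows\\System32\\notepad.exe"',
]

SENSITIVE_FILES = ("/etc/shadow", "/etc/passwd", "/etc/sudoers")
AUTHORIZED_REMOTE_TOOLS = ("teamviewer.exe",)  # assumed corporate allow-list (placeholder)

RULES = {
    # Traversal sequences or sensitive file names in a gateway request line or body.
    "gateway_sensitive_file_access": lambda line, src: src == "gateway"
        and ("../" in line or any(f in line for f in SENSITIVE_FILES)),
    # Local account creation on a server: Linux useradd, or Windows event 4720
    # ("A user account was created").
    "local_account_created": lambda line, src: src in ("auth", "winevt")
        and ("useradd[" in line or "eventid=4720" in line),
    # Remote desktop tooling that is not on the allow-list.
    "unauthorized_remote_tool": lambda line, src: src == "edr"
        and "anydesk" in line and not any(t in line for t in AUTHORIZED_REMOTE_TOOLS),
}


def normalize(line: str) -> str:
    # URL-decode so %2F-encoded traversal is visible, then lower-case for matching.
    return unquote(line).lower()


def scan(lines):
    """Return one finding per (rule, line) match, preserving log order."""
    findings = []
    for line in lines:
        source = line.split(" ", 2)[1]
        norm = normalize(line)
        for name, check in RULES.items():
            if check(norm, source):
                findings.append({"rule": name, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["rule"], "->", f["line"])
```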
Recommended Mitigations
Defenders should treat these threats with high priority given the actors’ history of facilitating ransomware. The following actions are recommended:
- Immediate Patching: Apply the latest security updates for all Check Point and Palo Alto Networks appliances. Ensure that the fix for CVE-2024-24919 is fully implemented.
- Credential Hygiene: Reset passwords for any accounts that may have been exposed through vulnerable edge devices and enforce multi-factor authentication across all external-facing services.
- Review IoCs: Regularly ingest and scan for any IoC provided by CISA and the FBI related to Iranian state-sponsored activity.
- Network Segmentation: Implement a Zero Trust architecture to limit the ability of attackers to move laterally from a compromised edge device to the core data center.