Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
Summary:
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning against a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017 and as recently as August 2024, including schools, municipal governments, financial institutions, and healthcare facilities. Dubbed Pioneer Kitten (aka Fox Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm), the FBI assesses this group to be associated with the Government of Iran (GOI), noting that Pioneer Kitten has conducted network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan). To help organizations defend against Pioneer Kitten attacks, the FBI, CISA, and DC3 have published detailed tactics, techniques, and procedures employed by the group as well as a list of IOCs associated with Pioneer Kitten intrusions.
Security Officer Comments:
A significant percentage of Pioneer Kitten’s US-focused cyber activity has been steered towards obtaining and maintaining technical access to victim networks to enable further ransomware attacks. Pioneer Kitten has been observed collaborating directly with ransomware affiliates, providing these affiliates with full domain control domain control privileges, as well as domain admin credentials, to numerous networks worldwide. Notable affiliates of Pioneer Kitten include NoEscape, Ransomhouse, and ALPHV (aka BlackCat). In addition to providing initial access, Pioneer Kitten has worked closely with these groups to lock victim networks and strategize on approaches to extort victims. For every successful ransomware deployment, the FBI states that Pioneer Kitten is provided a percentage of the ransom payments. While Pioneer Kitten has had a history of working with ransomware affiliates, it’s important to note that this group “directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI,” according to the FBI.
Suggested Corrections:
The FBI and CISA recommend all organizations implement the following mitigations:
- The FBI and CISA published a list of IP addresses and domains observed in use by the actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
- Apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519 [CPG 1.E].
- Be advised, patching for the above referenced CVEs may be insufficient to mitigate malicious activity if your network has already been compromised by these actors while the network device was vulnerable. Additional investigation into the use of stolen credentials (e.g., via the webshell on Netscaler devices) is strongly encouraged to identify threat actor attempts to establish footholds on other parts of the network [CPG 3.A].
- Check your systems for the unique identifiers and TTPs used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of webshells in specific directories [CPG 3.A].
- Check your systems for outbound web requests to files.catbox[.]moe and **.ngrok[.]io [CPG 3.A].
Link(s):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a