Iran state-sponsored hackers collaborated with ransomware gangs to breach and extort U.S.-based organizations, a Cybersecurity and Infrastructure Security Agency (CISA) advisory revealed Wednesday.
Pioneer Kitten, a threat actor associated with the government of Iran (GOI), worked with affiliates of the NoEscape, Ransomhouse and the now-defunct ALPHV/BlackCat in exchange for a portion of proceeds gained from attacks, according to the joint advisory between CISA, the Federal Bureau of Investigation (FBI) and Department of Defense Cyber Crime Center (DC3).
The members of Pioneer Kitten, also known as Fox Kitten, UNC 757, Parisite, RUBIDIUM and Lemon Sandstorm, appeared to be conducting this apparently financially motivated activity behind the GOI’s back, with officials noting the threat actors did not disclose their Iranian affiliation to the ransomware actors and appeared concerned about government monitoring and exposure of cryptocurrency transaction activity.
In addition to offering ransomware groups initial access to victims’ networks, assisting in encryption operations and helping to strategize victim extortion, Pioneer Kitten also conducted its own data exfiltration, likely in support of the GOI, officials said.
The advisory provided an overview of Pioneer Kitten’s tactics, techniques and procedures (TTPs), indicators of compromise (IOCs) and the vulnerabilities it exploits for initial access while conducting its double-dipping scheme.
Iranian threat group targets Check Point, Palo Alto, Citrix, F5 and Ivanti vulnerabilities
In conducting both its Iran state-sponsored and ransomware-related activities, Pioneer Kitten scans for internet-facing assets, such as VPNs and firewalls, that are vulnerable to certain security flaws.
The group historically targeted unpatched Citrix Netscaler instances vulnerable to CVE-2019-19781 or CVE-2023-3519, as well as F5 BIG-IP systems vulnerable to CVE-2022-1388.
More recently, the group exploited Ivanti VPNs via CVE-2024-21887 and Palo Alto Networks PAN-OS firewalls via CVE-2024-3400. As of July 2024, the group was scanning IP addresses hosting Check Point Security Gateways, likely seeking to exploit CVE-2024-24919, the advisory stated.
Tenable Research, in a Wednesday advisory coinciding with the CISA joint advisory, noted that many assets affected by these vulnerabilities have not yet been patched.
“An analysis of metadata performed by Tenable Research provides us with unique insight to two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. From our research only about half of impacted assets have been successfully remediated,” the researchers wrote.
In addition, more than 60,000 Check Point Security Gateway instances, nearly 45,000 PAN-OS firewalls, more than 9,000 Ivanti VPNs and more than 9,000 BIG-IP systems, potentially vulnerable to the listed CVEs, were discovered in a Shodan search by Tenable. The CISA advisory notes that Pioneer Kitten is known to use Shodan to discover potentially vulnerable devices.
Most of these internet-exposed instances are located in the United States, and Israel, which is also known to be targeted by Pioneer Kitten, had the highest number of exposed Check Point Security Gateways, followed by the U.S.
Both the government and Tenable advisories strongly urge organizations to patch the vulnerabilities targeted by Pioneer Kitten. Federal authorities also advise organizations to monitor their networks for traffic from IP addresses listed under Pioneer Kitten’s IOCs and test their security systems against the TTPs used by Pioneer Kitten, which are also listed in the advisory.
The joint advisory also notes that Pioneer Kitten is known to leverage victims’ cloud computing resources for further attacks, and that the group may persist in victims’ networks even after vulnerabilities have been patched.
