Iran state-sponsored hackers collaborated with ransomware gangs to breach and extort U.S.-based organizations, a Cybersecurity and Infrastructure Security Agency (CISA) advisory revealed Wednesday.
Pioneer Kitten, a threat actor tied to the Government of Iran (GOI), worked with affiliates of the NoEscape, Ransomhouse and the now-defunct ALPHV/BlackCat ransomware operations in exchange for a share of the proceeds gained from attacks, according to the joint advisory from CISA, the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3).
The members of Pioneer Kitten, also known as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm, appeared to be conducting this apparently financially motivated activity behind the GOI's back, with officials noting that the threat actors did not disclose their Iranian affiliation to the ransomware actors and appeared concerned about government monitoring and exposure of their cryptocurrency transaction activity.
In addition to providing ransomware groups with initial access to victims' networks, assisting in encryption operations and helping to strategize victim extortion, Pioneer Kitten also conducted its own data exfiltration, likely in support of the GOI, officials said.
The advisory provided an overview of Pioneer Kitten's tactics, techniques and procedures (TTPs), indicators of compromise (IOCs) and the vulnerabilities it exploits for initial access while conducting its double-dipping scheme.
Iranian threat group targets Check Point, Palo Alto, Citrix, F5 and Ivanti vulnerabilities
In conducting both its Iran state-sponsored and ransomware-related activities, Pioneer Kitten scans for internet-facing assets, such as VPNs and firewalls, that are vulnerable to specific security flaws.
The group has historically targeted unpatched Citrix NetScaler instances vulnerable to CVE-2019-19781 or CVE-2023-3519, as well as F5 BIG-IP systems vulnerable to CVE-2022-1388.
More recently, the group exploited Ivanti VPNs via CVE-2024-21887 and Palo Alto Networks PAN-OS firewalls via CVE-2024-3400. As of July 2024, the group was scanning IP addresses hosting Check Point Security Gateways, likely seeking to exploit CVE-2024-24919, the advisory stated.
Tenable Research, in a Wednesday advisory coinciding with the CISA joint advisory, noted that many assets affected by these vulnerabilities have not yet been patched.
“An analysis of metadata conducted by Tenable Research provides us with unique insight into two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. From our research only about half of impacted assets have been successfully remediated,” the researchers wrote.
In addition, more than 60,000 Check Point Security Gateway instances, nearly 45,000 PAN-OS firewalls, more than 9,000 Ivanti VPNs and more than 9,000 BIG-IP systems, all potentially vulnerable to the listed CVEs, were discovered in a Shodan search by Tenable. The CISA advisory notes that Pioneer Kitten is known to use Shodan to find potentially vulnerable devices.
Most of these internet-exposed instances are located in the United States. Israel, which is also known to be targeted by Pioneer Kitten, had the highest number of exposed Check Point Security Gateways, followed by the U.S.
Both the government and Tenable advisories strongly urge organizations to patch the vulnerabilities targeted by Pioneer Kitten. Federal authorities also advise organizations to monitor their networks for traffic from the IP addresses listed under Pioneer Kitten's IOCs and to test their security systems against the TTPs used by Pioneer Kitten, which are also listed in the advisory.
The joint advisory also notes that Pioneer Kitten is known to leverage victims' cloud computing resources for further attacks, and that the group may persist in victims' networks even after the vulnerabilities have been patched.
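The monitoring step the advisories recommend, checking network traffic against a list of IOC IP addresses, can be done with a small log-matching script. The following is an added example written for this page, not code from CISA, the FBI, DC3 or Tenable. The IOC networks and the firewall log lines are constructed placeholders using RFC 5737 documentation ranges; a real deployment would load the IOC addresses published in the advisory instead.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder IOC list. The actual Pioneer Kitten IOC addresses are
# published in the CISA joint advisory and are not reproduced here; these
# documentation-range networks only make the example runnable offline.
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed sample firewall log lines in a generic key=value style.
SAMPLE_LOGS = [
    "2024-07-02T10:15:01Z action=allow src=203.0.113.45 dst=10.0.0.12 dport=443 proto=tcp",
    "2024-07-02T10:15:03Z action=allow src=192.0.2.8 dst=10.0.0.12 dport=443 proto=tcp",
    "2024-07-02T10:16:10Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-07-02T10:16:12Z action=allow src=10.0.0.33 dst=10.0.0.12 dport=443 proto=tcp",
    "2024-07-02T10:16:20Z action=allow src=not-an-ip dst=10.0.0.12 dport=443 proto=tcp",
    "malformed line without a source field",
]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_src(line: str) -> Optional[ipaddress._BaseAddress]:
    """Pull the src= field out of a log line; return None if absent or unparsable."""
    match = SRC_RE.search(line)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        # Malformed addresses are skipped rather than crashing the whole pass.
        return None


def matching_ioc(addr: ipaddress._BaseAddress) -> Optional[str]:
    """Return the IOC network containing addr, or None. Version mismatch
    (IPv6 address vs IPv4 network) is handled by ipaddress and yields False."""
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def find_ioc_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (source_ip, matched_ioc_network, raw_line)
    for every line whose source address falls inside an IOC network."""
    hits = []
    for line in lines:
        addr = extract_src(line)
        if addr is None:
            continue
        net = matching_ioc(addr)
        if net is not None:
            hits.append((str(addr), net, line))
    return hits


if __name__ == "__main__":
    for src, net, line in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC hit: {src} (in {net}) <- {line}")
```

Both allowed and denied connections are reported, because a denied inbound probe from a listed address is still worth an alert, and the IOC list is kept as network objects so that a single /32 and a whole range are matched by the same code path.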