Key Takeaways:
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning that the Iranian state-sponsored Fox Kitten threat group is aggressively targeting organizations across the US and other nations. These cybercriminals are exploiting vulnerabilities in VPN and firewall devices to steal sensitive data and deploy ransomware.
Fox Kitten, also known as Pioneer Kitten, UC757, Parisite, Lemon Sandstorm, and Rubidium, began its operations in 2017. CrowdStrike suspects that this threat actor is likely working as a contractor for the Iranian government. Federal agencies believe the group uses the Iranian firm “Danesh Novin Sahand” as a cover for its cyber-espionage activities and intelligence gathering on behalf of Iran.
The FBI and CISA report that the threat actor continues to infiltrate networks across multiple sectors, including healthcare, defense, education, and finance. These hackers steal technical data and information from US defense contractors, as well as from organizations in the United Arab Emirates, Azerbaijan, and Israel.
According to the joint cybersecurity advisory, the Iranian threat group is helping ransomware operators, such as ALPHV (BlackCat), RansomHouse, and NoEscape, gain initial access to compromised networks. Fox Kitten then receives a percentage of the ransom collected by these ransomware operators. The threat actor also collaborates with ransomware affiliates to encrypt the victim’s networks.
“A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks,” the FBI and CISA warned. “The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide.”
This isn’t the first time an Iran-based hacking group has been linked to malicious activities. Earlier this year, federal law enforcement agencies disclosed that Pioneer Kitten hackers were scanning for vulnerabilities in Palo Alto Networks PAN-OS and GlobalProtect VPNs, specifically targeting unpatched devices susceptible to CVE-2024-3400. Last month, the agencies also observed the Iranian attackers scanning for Check Point Security Gateways vulnerable to CVE-2024-24919.