U.S. Agencies Sound Alarm on Rising Ransomware Attacks by Iranian Fox Kitten Group

Published: Aug 30, 2024



Key Takeaways:

  • The Iranian state-sponsored Fox Kitten threat group is actively targeting critical sectors in the US and other countries.
  • Fox Kitten collaborates with ransomware operators, providing them with initial access to compromised networks and receiving a portion of the ransom collected.
  • The group is using cyber-espionage to steal technical data and intelligence from organizations worldwide.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning that the Iranian state-sponsored Fox Kitten threat group is aggressively targeting organizations across the US and other nations. These cybercriminals are exploiting vulnerabilities in VPN and firewall devices to steal sensitive data and deploy ransomware.

Fox Kitten, also known as Pioneer Kitten, UC757, Parisite, Lemon Sandstorm, and Rubidium, began its operations in 2017. CrowdStrike suspects that this threat actor is likely working as a contractor for the Iranian government. Federal agencies believe the group uses the Iranian firm “Danesh Novin Sahand” as a cover for its cyber-espionage activities and intelligence gathering on behalf of Iran.

The FBI and CISA report that the threat actor continues to infiltrate networks across multiple sectors, including healthcare, defense, education, and finance. These hackers steal technical data and information from US defense contractors, as well as from organizations in the United Arab Emirates, Azerbaijan, and Israel.

Image Source: Twitter

What are the tactics used by the Fox Kitten group?

According to the joint cybersecurity advisory, the Iranian threat group is helping ransomware operators (such as ALPHV (BlackCat), Ransomhouse, and NoEscape) gain initial access to compromised networks. Fox Kitten then receives a percentage of the ransom collected by these ransomware operators. The threat actor also collaborates with ransomware affiliates to encrypt victims' networks.

“A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks,” the FBI and CISA warned. “The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide.”

This isn’t the first time an Iran-based hacking group has been linked to malicious activity. Earlier this year, federal law enforcement agencies disclosed that Pioneer Kitten hackers were scanning for vulnerabilities in Palo Alto Networks PAN-OS and GlobalProtect VPNs, specifically targeting unpatched devices susceptible to CVE-2024-3400. Last month, the agencies also observed the Iranian attackers scanning for Check Point Security Gateways vulnerable to CVE-2024-24919.
