Iran's Fox Kitten Group Aids Ransomware Attacks on US Targets

Published: 23/11/2024   Category: security




In a joint advisory, CISA and the FBI described the activity as a likely attempt by the group to monetize access to networks it already has compromised.



Iran's state-sponsored Fox Kitten threat group is actively abetting ransomware actors in attacks against organizations in the US and other countries, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) warned this week.
The ongoing activity appears to be an effort by the threat actor to monetize its access to victim networks across multiple sectors, including finance, defense, healthcare, and education. It is separate from Fox Kitten's continued campaigns to steal sensitive technical data from organizations in the US, Israel, and Azerbaijan, the two government agencies said in a joint cybersecurity advisory this week.
"A significant percentage of the group's US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks," the FBI and CISA warned. "The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide."
Fox Kitten is a relatively well-known threat actor that different security vendors variously track as Pioneer Kitten, UC757, Parisite, Lemon Sandstorm, and Rubidium.
CrowdStrike believes the group first began operations in 2017 and is likely a contractor for the Iranian government. The FBI and CISA think the group is using an Iranian company, Danesh Novin Sahand, as cover for its cyber-espionage and other intelligence gathering operations for Tehran.
Starting as far back as 2020, CrowdStrike observed the group attempting to sell access on underground forums to networks it had compromised. Fox Kitten actors were likely doing this without any approval from their Iranian-government sponsors. In many instances where Fox Kitten gained access to a victim network, they did so via exploits that targeted vulnerabilities in an organization's Internet-facing assets.
In 2021, Microsoft, which tracks Fox Kitten as Rubidium, identified the threat actor as one of six Iranian state-backed groups engaged in a wide range of cyber-enabled information theft, disruption, and destructive activities against US entities. Earlier this year, Securin listed Fox Kitten among a group of threat actors it described as most actively targeting VPN vulnerabilities and other remote access products from multiple vendors.
This week's CISA-FBI advisory identified Fox Kitten as providing the operators of ransomware strains such as ALPHV (or BlackCat), RansomHouse, and NoEscape with initial access to compromised networks in return for a percentage of any ransom they might collect. In many instances, the Iranian threat group has worked with ransomware affiliates to encrypt victim networks and strategized with them on how to extort ransoms. The FBI said that Fox Kitten actors are engaging with ransomware actors without disclosing their location in Iran or their ties to the country.
The group's initial access methods in recent attacks have been the same as always: exploiting vulnerabilities in VPN devices and other externally exposed services on enterprise networks. Most recently, Fox Kitten actors have targeted CVE-2024-24919, a now-patched zero-day bug in Check Point VPNs, to try to break into victim networks. The threat actor has also been spotted going after CVE-2024-3400, a zero-day bug in Palo Alto Networks PAN-OS; CVE-2019-19781 and CVE-2023-3519 in Citrix NetScaler; and CVE-2022-1388 in F5 BIG-IP devices, CISA and the FBI said.
Once Fox Kitten gains access to a network, its game plan — depending on the type of system it has compromised — is to capture login credentials, deploy Web shells, create rogue accounts, load malware, move laterally, and escalate privileges.
The fact that many organizations have not mitigated some of the vulnerabilities that Fox Kitten is targeting may be helping the threat actor in its attacks. An analysis that Tenable performed, for instance, found that barely half of all assets affected by CVE-2019-19781 and CVE-2022-1388, two flaws that Fox Kitten is targeting, are remediated. "It's not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io, a search engine for discovering Internet-connected devices," Tenable said in a blog post this week.
