2024-08-29

Hackers sponsored by the Iranian government are acting as go-betweens and initial access brokers to target environments on behalf of financially motivated ransomware gangs, including big names such as ALPHV/BlackCat, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

In an advisory published this week, CISA and its law enforcement partners, including the FBI, revealed that the Iranian advanced persistent threat (APT) group tracked variously as Pioneer Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm has been conducting malicious cyber operations aimed at deploying ransomware attacks to obtain, maintain and develop network access.

“These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware,” CISA said.

“This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against US organisations since 2017 and as recently as August 2024. Compromised organisations include US-based schools, municipal governments, financial institutions and healthcare facilities.”

The FBI had previously observed the group attempting to monetise their access to victim organisations on underground markets, and now assesses that a “significant percentage” of its activity – at least in the US – is focused on selling this access on to Russian-speaking cyber crime gangs.

But there is now evidence that this relationship seems to run even deeper. Indeed, the Feds now believe Pioneer Kitten has been “collaborating directly” with ransomware affiliates to receive a cut of the ransom payments in exchange for their assistance.

“These actors have collaborated with the ransomware affiliates NoEscape, RansomHouse, and ALPHV (aka BlackCat),” said CISA.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategise on approaches to extort victims.

“The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.”

US alert to increased Iranian threat

The new warning from CISA and other authorities is the latest in a string of alerts and allegations made by the US in regard to malicious Iranian cyber activity. Tehran is already in the frame for a hack on the campaign of Republican presidential candidate Donald Trump, and its APTs are likely gearing up to conduct further influence operations aimed at undermining the November 2024 election.

Meanwhile, earlier this week, Microsoft highlighted the activities of Peach Sandstorm, an Iranian APT that is using a novel, customised, multi-stage backdoor malware dubbed Tickler against targets in the satellite, communications, oil and gas, and government sectors. In a separate report, Google Cloud’s Mandiant warned that Iran appears to have created a network of social media accounts and fake websites that are being used to target its own people, including members of the worldwide Iranian diaspora who left the country in great numbers following the 1979 revolution.

Thwarting the Kitten

A Pioneer Kitten-enabled ransomware attack generally seems to begin with the exploitation of remote external services on internet-facing assets. In recent weeks, the gang has been observed using Shodan to identify IP addresses hosting Check Point Security Gateways vulnerable to CVE-2024-24919, but it is also known to have exploited CVE-2024-3400 in Palo Alto Networks PAN-OS and GlobalProtect VPN, as well as older vulnerabilities in Citrix and F5 BIG-IP. Addressing these issues should be priority number one for security teams in at-risk organisations.

Once beyond this first hurdle, the group’s modus operandi is in most regards a fairly standard one: it seeks to further its goals by capturing login credentials on Netscaler devices via a deployed webshell, elevates its privileges by hijacking or creating new accounts, often with exemptions to zero-trust policies, places backdoors to load malware, and tries to disable antivirus software and lower security settings. It also sets up a daily Windows service task so that its persistence survives as mitigation gets under way.

When it comes to command and control, Pioneer Kitten is known to use the AnyDesk remote access programme and to enable servers to use Windows PowerShell Web Access. It also favours Ligolo, an open source tunnelling tool, and NGROK to create outbound connections. The full CISA advisory contains more technical details on its attack chain.
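The post-exploitation behaviours listed above (a daily scheduled task for persistence, newly created privileged accounts, enabling Windows PowerShell Web Access, and the AnyDesk, Ligolo and NGROK binaries used for command and control) are all things a blue team can look for in endpoint telemetry. The following is an added triage scanner written for this article, not code from CISA or from the advisory; it assumes a simplified, constructed line-per-event log format ("timestamp host event_type key=value ...") rather than any vendor's real schema, and every sample record in it is made up for illustration.

```python
"""Flag host telemetry that matches the Pioneer Kitten post-exploitation
behaviours named in the CISA advisory (remote-access tool, tunnelling tools,
PowerShell Web Access enablement, daily persistence task, new admin account).
Log format and sample events below are constructed for this example."""
import re
from collections import Counter

# Constructed sample telemetry: "<timestamp> <host> <event_type> key=value ..."
# (an assumed format for this example, not a real EDR or Windows event schema).
SAMPLE_EVENTS = """\
2024-08-20T03:12:44Z WS01 process_create image=C:\\Users\\svc\\AppData\\Local\\AnyDesk\\AnyDesk.exe parent=explorer.exe
2024-08-20T03:15:02Z WS01 feature_install name=WindowsPowerShellWebAccess user=CORP\\svc_backup
2024-08-20T03:17:30Z WS01 schtask_create name=UpdateCheck schedule=DAILY action=C:\\ProgramData\\upd\\svc.exe
2024-08-20T03:18:11Z WS01 user_create name=support_adm groups=Administrators
2024-08-20T03:19:05Z WS01 process_create image=C:\\ProgramData\\ngrok.exe parent=cmd.exe
2024-08-20T03:20:40Z WS01 process_create image=C:\\ProgramData\\ligolo-agent.exe parent=cmd.exe
2024-08-20T08:00:00Z WS02 process_create image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
2024-08-20T08:01:00Z WS02 schtask_create name=Backup schedule=WEEKLY action=C:\\Tools\\backup.exe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<type>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one telemetry line into a dict of fixed fields plus key=value pairs."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "host": m.group("host"), "type": m.group("type"), **fields}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule: (name, event type it applies to, predicate over the parsed event).
# The indicator names come from the behaviours described in the article.
RULES = [
    ("remote_access_tool", "process_create",
     lambda ev: basename(ev.get("image", "")) == "anydesk.exe"),
    ("tunnelling_tool", "process_create",
     lambda ev: any(t in basename(ev.get("image", "")) for t in ("ngrok", "ligolo"))),
    ("pswa_enabled", "feature_install",
     lambda ev: ev.get("name", "").lower() == "windowspowershellwebaccess"),
    ("daily_persistence_task", "schtask_create",
     lambda ev: ev.get("schedule", "").upper() == "DAILY"),
    ("new_admin_account", "user_create",
     lambda ev: "administrators" in ev.get("groups", "").lower()),
]


def scan(text):
    """Return one finding per (event, matching rule) pair, in log order."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, etype, pred in RULES:
            if ev["type"] == etype and pred(ev):
                findings.append({"rule": name, "host": ev["host"], "ts": ev["ts"]})
    return findings


def hosts_by_hit_count(findings):
    """Count findings per host so that a host with several hits stands out for triage."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['rule']}")
    print(dict(hosts_by_hit_count(hits)))
```

On the constructed sample, every WS01 event trips one rule while WS02's benign notepad launch and weekly backup task produce nothing, which is the point of counting hits per host: any single rule here is noisy on its own (AnyDesk and scheduled tasks have legitimate uses), but a host that accumulates several of these indicators in a short window is worth an analyst's attention.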