Pioneer Kitten: Iranian hackers partnering with ransomware affiliates
A group of Iranian hackers – dubbed Pioneer Kitten by cybersecurity researchers – is straddling the line between state-contracted cyber espionage group and initial access provider (and partner in crime) for affiliates of several ransomware groups.
“The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin,” US security agencies say.
Also, “the group’s ransomware activities are likely not sanctioned by the [Government of Iran (GOI)], as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.”
Iranian hackers working with ransomware affiliates
Pioneer Kitten – also known as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm in the cybersecurity research community – is an group that refers to itself as “xplfinder” and, more recently “Br0k3r”.
Since 2017, they have been finding ways to break into the networks of US-based schools, municipal governments, financial institutions, and healthcare facilities, as well as US defense sector networks and those of companies in Israel, Azerbaijan and United Arab Emirates.
The attacks perpetrated on behalf and interest of the Iranian state are usually aimed at stealing sensitive information. Occasionally – the FBI assesses – they have also been aimed at undermining the security of Israel-based cyber infrastructure (e.g., with Pay2Key ransomware).
But, at the same time, these “guns for hire” are also set on lining their own pockets.
“The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates [NoEscape, RansomHouse, ALPHV] to enable encryption operations in exchange for a percentage of the ransom payments,” the FBI, CISA and the Department of Defense noted.
“[Their] involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims.”
Pioneer Kitten’s TTPs
The groups starts the intrusions by looking for internet infrastructure hosting devices – historically Citrix Netscaler and F5 BIG-IP, more recently Pulse Secure/Ivanti VPNs, Palo Alto Networks firewalls, and Check Point Security Gateways – vulnerable to specific n-day vulnerabilities.
Once they exploit the flaws and compromise the devices, they proceed to capture login credentials, install web shells, create accounts on victim networks, install backdoors, etc.
They use the compromised credentials and created accounts to log into other applications and domain controllers, disable security software, initiate remote desktop sessions, lower PowerShell policies to a less secure level and try to get their attack tools allowlisted.
They are known for using the legitimate AnyDesk software as a backup access method, Ligolo for protocol tunneling, and Ngrok for creating outbound connections.
The agencies have shared mitigations and both recent indicators of compromise to help defenders detect and fight off attacks and historical ones for tracking and attribution purposes.