Fox Kitten [4] [7], an Iranian state-sponsored cyber espionage group also tracked as Pioneer Kitten [2] [3] [4] [5] [8], has been active since at least 2017 and collaborates with ransomware affiliates to monetize the network access it obtains.
Description
Fox Kitten [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], which Microsoft counts among six Iranian state-backed groups engaged in cyber-enabled information theft [10], has targeted US organizations in education [2] [7] [9], government [1] [2] [3] [4] [6] [7] [8] [9] [10], finance [4] [7], and healthcare [4] [7] [9]. Outside the US it has targeted Israel [2] [3] [4] [5] [7] [10], Azerbaijan [2] [3] [4] [5] [7] [10], and the UAE [3] [7], concentrating on the finance, defense [2] [3] [4] [5] [7] [8] [9] [10], healthcare [3] [4] [5] [7] [8] [9] [10], and education [3] [8] [10] sectors.

The group's initial access relies on exploiting vulnerabilities in VPN appliances and other externally exposed services from multiple vendors. It has been observed selling the resulting network access on underground forums, and it works directly with ransomware affiliates, advising them on how to extort victims [10].

Once inside a network [10], Fox Kitten captures login credentials [10], deploys web shells [10], creates rogue accounts [10], loads malware [10], moves laterally [10], and escalates privileges [10]. Because it relies on known, patchable vulnerabilities and targets critical infrastructure, it remains a significant threat to organizations that leave internet-facing devices unpatched [10].

Fox Kitten is assessed to work on behalf of the Iranian state, stealing sensitive information and at times degrading Israel-based cyber infrastructure through ransomware operations such as Pay2Key [4]. Alongside that state-directed activity [4], the group has taken part in financially motivated ransomware attacks [4] [7], partnering with affiliates to encrypt victim networks and extort payment.
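As an added example (not taken from the advisory or any of the cited articles), the Python below hunts for two of the post-compromise behaviours listed above, rogue account creation and web shell traffic on an externally exposed host, over constructed log data. The event fields, account and group names, URL paths, IP addresses and user agents are made up for illustration and are not indicators of compromise; the time window and hit threshold are assumptions to tune locally.

```python
"""Hunt for two post-compromise behaviours attributed to Fox Kitten above:
(1) a new account that is promptly added to a privileged group, and
(2) repeated successful POSTs to a script path on an externally exposed host.
All log data below is constructed for illustration; none of it is a real indicator.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- (1) rogue account creation -------------------------------------------
# Constructed, simplified Windows Security events as
# (timestamp, event_id, subject, target_account, group).
# 4720 = user account created; 4732 = member added to a security-enabled local group.
WIN_EVENTS = [
    ("2024-08-20 02:13:05", 4720, "svc_backup", "helpdesk2", ""),
    ("2024-08-20 02:13:41", 4732, "svc_backup", "helpdesk2", "Administrators"),
    ("2024-08-20 09:30:00", 4720, "hr.admin", "jdoe", ""),
    ("2024-08-21 10:00:00", 4732, "hr.admin", "jdoe", "Remote Desktop Users"),
]
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Domain Admins"}


def rogue_account_candidates(events, window=timedelta(minutes=30)):
    """Accounts created and then added to a privileged group within `window`.
    The 30-minute window is an assumption; tune it to local provisioning practice."""
    created = {}  # target account -> (creation time, creating subject)
    hits = []
    for ts, eid, subject, target, group in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 4720:
            created[target] = (t, subject)
        elif eid == 4732 and group in PRIVILEGED_GROUPS and target in created:
            t0, creator = created[target]
            if t - t0 <= window:
                hits.append({"account": target, "group": group, "created_by": creator,
                             "seconds": int((t - t0).total_seconds())})
    return hits


# --- (2) web shell traffic -------------------------------------------------
# Constructed combined-format access log from an edge appliance.
# The path, addresses and user agent are invented for the example.
WEB_LOG = """\
203.0.113.7 - - [20/Aug/2024:02:05:11 +0000] "POST /portal/themes/cache.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [20/Aug/2024:02:05:19 +0000] "POST /portal/themes/cache.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [20/Aug/2024:02:07:02 +0000] "GET /portal/index.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Aug/2024:02:08:00 +0000] "POST /portal/admin/run.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Aug/2024:02:08:30 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2024:02:09:44 +0000] "POST /portal/themes/cache.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
SCRIPT_EXT = re.compile(r"\.(php|aspx?|jspx?|pl|cgi)$", re.IGNORECASE)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_POST_PATHS = {"/portal/login"}  # baseline: paths that legitimately accept POST


def webshell_candidates(log_text, known_post_paths=KNOWN_POST_PATHS, min_hits=2):
    """Script paths that take repeated successful POSTs from non-internal addresses
    and are not in the POST baseline. `min_hits` is an assumed threshold."""
    counts = defaultdict(lambda: {"hits": 0, "sources": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]
        if path in known_post_paths or not SCRIPT_EXT.search(path):
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in INTERNAL_NETS):
            continue  # administrative POSTs from inside are out of scope here
        entry = counts[path]
        entry["hits"] += 1
        entry["sources"].add(m["ip"])
        entry["agents"].add(m["ua"])
    return {p: e for p, e in counts.items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    for h in rogue_account_candidates(WIN_EVENTS):
        print(f"rogue account: {h}")
    for path, e in webshell_candidates(WEB_LOG).items():
        print(f"possible web shell: {path} hits={e['hits']} sources={sorted(e['sources'])}")
```

In practice the 4720/4732 pairs come from the Security event log or a SIEM, and the POST baseline is built from a known-clean period rather than hard-coded; the appliance-specific paths an attacker can write to matter more than the extension check, which is only a coarse first filter.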
Conclusion
Organizations should assess their defenses against Fox Kitten's tactics and apply the mitigations and technical details in the joint FBI/CISA advisory [2], starting with patching internet-facing VPN appliances and reviewing them for web shells and unexpected accounts. Paying a ransom does not guarantee file recovery and may encourage further attacks [9]. Because the group resells its access to ransomware affiliates, an intrusion that begins as espionage can end as an extortion event, which is why externally exposed services deserve the same monitoring and patch discipline as critical infrastructure.
References
[1] https://www.csoonline.com/article/3498397/iranian-threat-actors-targeting-businesses-and-governments-cisa-microsoft-warn.html
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
[3] https://thehackernews.com/2024/08/us-agencies-warn-of-iranian-hacking.html
[4] https://www.helpnetsecurity.com/2024/08/28/pioneer-kitten-iranian-hackers-partnering-with-ransomware-affiliates/
[5] https://www.picussecurity.com/resource/blog/pioneer-kitten-cisa-alert-aa24-241a
[6] https://www.scmagazine.com/news/iran-backed-hackers-partner-with-ransomware-gangs-cisa-advisory-warns
[7] https://www.infosecurity-magazine.com/news/iran-hackers-secretly-aid/
[8] https://www.attackiq.com/2024/08/29/response-to-cisa-advisory-aa24-241a/
[9] https://me.pcmag.com/en/security/25559/fbi-iranian-hackers-are-working-with-ransomware-groups-targeting-the-us
[10] https://www.darkreading.com/threat-intelligence/irans-fox-kitten-group-aids-ransomware-attacks-on-us-targets