U.S. agencies issued a cybersecurity advisory alerting critical infrastructure organizations about cyber actors tracked in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm. The group also refers to itself as Br0k3r and, since 2024, has used the moniker ‘xplfinder’ in its communications. It targets and exploits organizations in the education, finance, healthcare, and defense sectors, as well as local government entities, in the U.S. and other countries, including Israel, Azerbaijan, and the United Arab Emirates.
“FBI investigations conducted as recently as August 2024 assess that cyber actors like Pioneer Kitten are connected with the Government of Iran (GOI) and linked to an Iranian information technology (IT) company,” states the advisory, issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3). “Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access. These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware.”
The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities.
The advisory highlights similarities to a previous advisory, “Iran-based threat actor exploits VPN vulnerabilities,” published on Sept. 15, 2020, and provides known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). The information and guidance in the advisory are derived from FBI investigative activity, technical analysis of the group’s intrusion activity against U.S. organizations, and engagements with numerous entities impacted by this malicious activity.
FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state sponsorship. The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s U.S.-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks.
The advisory noted that the hackers offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. “More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat),” it added.
The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.
Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key. The actors operated a [dot]onion site, reachable through the Tor browser, hosted on cloud infrastructure registered to an organization previously compromised by the actors. The actors created the server leveraging their prior access to this victim.
Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise including on social media, tagging accounts of victims and media organizations, and leaking victim data on their [dot]onion site. While this technique has traditionally been used to influence victims to pay ransom, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key as an information operation aimed at undermining the security of Israel-based cyber infrastructure.
“The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks,” the advisory revealed. “As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices.”
It added that the hackers were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. “Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.”
The advisory detailed that the hackers have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained by exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PAN-OS firewalls (CVE-2024-3400).
The advisory also revealed that the hackers reuse compromised credentials obtained from exploiting networking devices, such as Citrix Netscaler, to gain access to other applications, including Citrix XenDesktop. They also repurpose the administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks, use administrator credentials to disable antivirus and security software, and lower PowerShell execution policies to a less secure level.
Additionally, the hackers export system registry hives and network firewall configurations on compromised servers, and exfiltrate account usernames from the victim domain controller, as well as accessing configuration files and logs, presumably to gather network and user account information for use in further exploitation efforts.
After infiltrating victim networks, the actors collaborate with ransomware affiliates, including NoEscape, Ransomhouse, and ALPHV (aka BlackCat), in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims. The hackers also conduct what is assessed to be a separate set of malicious activity, stealing sensitive data from victims, likely in support of the GOI.
The FBI and CISA recommend all organizations implement mitigations to improve their cybersecurity posture based on the Iranian cyber group’s activity. The FBI judges that the group’s targeting is primarily based on the identification of devices vulnerable to the CVEs identified in the advisory. As such, any U.S. organization deploying software with these vulnerabilities may be targeted for further exploitation and should follow this guidance to defend against exploitation by this group.
These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against common and impactful threats and TTPs.
The FBI and CISA recommend that critical infrastructure organizations review available logs for the IP addresses listed in the advisory, looking for indications of traffic with the organization’s network in the provided timeframes, and apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519. They also suggest checking systems for the unique identifiers and TTPs used by the hackers when operating on compromised networks, including the creation of specific usernames, the use of ngrok and Ligolo, and the deployment of webshells in specific directories.
Apart from applying mitigations, the FBI and CISA recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. They also suggest testing their existing security controls inventory to assess how it performs against the ATT&CK techniques described.
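The post-exploitation behaviours described earlier (registry hive export, antivirus disabled, PowerShell execution policy lowered, ngrok/Ligolo tunnels, webshell drops) and the log review the agencies recommend (IOC IP addresses within a timeframe) are the kind of thing a hunt script can sweep for. The following is an added example, not code from the advisory or the agencies: it runs behavioural rules and an IP watchlist over constructed log lines. The one-event-per-line `key=value` log format, the placeholder IOC addresses (TEST-NET ranges, to be replaced with the advisory's list), the detection regexes and the hunt window are all assumptions; the ATT&CK technique IDs are the standard Enterprise IDs for those behaviours.

```python
"""Hunt constructed host/firewall log lines for Pioneer Kitten-style TTPs.

Added example; assumptions: log lines are "ISO8601 key=value key="quoted value"",
IOC_IPS are placeholders, and RULES are illustrative regexes, not advisory IOCs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# One key=value pair; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed placeholder IOC IPs (TEST-NET ranges); substitute the advisory's list.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# Assumed hunt window, e.g. the timeframe the advisory gives for its IOCs.
WINDOW = (datetime(2024, 7, 1, tzinfo=timezone.utc),
          datetime(2024, 7, 31, tzinfo=timezone.utc))

# (ATT&CK technique ID, description, pattern over command line / file path).
RULES = [
    ("T1003.002", "registry hive export (SAM/SYSTEM/SECURITY)",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("T1562.001", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1562.001", "PowerShell execution policy lowered",
     re.compile(r"Set-ExecutionPolicy\b.*\b(?:Unrestricted|Bypass)\b", re.I)),
    ("T1572", "ngrok/Ligolo tunnelling tool executed",
     re.compile(r"\b(?:ngrok|ligolo(?:-ng)?)\b", re.I)),
    ("T1505.003", "server-side script written under a web root",
     re.compile(r"(?:wwwroot|/var/www)\S*\.(?:aspx?|php|jsp)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    when: datetime
    host: str
    technique: str   # ATT&CK ID, or "IOC-IP" for a watchlist hit
    detail: str


def parse_line(line):
    """Split a log line into a dict; the leading timestamp becomes an aware datetime."""
    ts, _, rest = line.strip().partition(" ")
    event = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
             for m in _KV.finditer(rest)}
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def hunt(lines, ioc_ips=IOC_IPS, window=None):
    """Return findings: IOC IP traffic inside the window, plus behavioural rule hits."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        in_window = window is None or window[0] <= ev["ts"] <= window[1]
        # Network IOC match: src or dst on the watchlist during the timeframe.
        for key in ("src", "dst"):
            if in_window and ev.get(key) in ioc_ips:
                findings.append(Finding(ev["ts"], host, "IOC-IP", f"{key}={ev[key]}"))
        # Behavioural rules run regardless of IP: reused admin credentials look legitimate.
        text = " ".join(ev.get(k, "") for k in ("cmd", "path", "image"))
        for tid, desc, rx in RULES:
            if rx.search(text):
                findings.append(Finding(ev["ts"], host, tid, desc))
    return findings


# Constructed sample events: one external IOC contact, a hive dump, defence evasion,
# a tunnel, a webshell drop, an out-of-window IOC contact, and a benign reg query.
SAMPLE_LOGS = [
    '2024-07-12T03:14:07Z host=FW01 src=203.0.113.10 dst=192.0.2.5 action=allow dport=443',
    '2024-07-12T03:20:41Z host=DC01 user=svc_backup cmd="reg save hklm\\sam C:\\Windows\\Temp\\s.hiv"',
    '2024-07-12T03:21:02Z host=DC01 user=svc_backup cmd="powershell Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine"',
    '2024-07-12T03:22:15Z host=DC01 user=svc_backup cmd="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2024-07-12T03:25:30Z host=WEB01 user=SYSTEM cmd="C:\\Users\\Public\\ngrok.exe tcp 3389"',
    '2024-07-12T03:26:00Z host=WEB01 event=FileCreate path=C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx',
    '2024-06-01T10:00:00Z host=FW01 src=203.0.113.10 dst=192.0.2.5 action=allow dport=443',
    '2024-07-12T08:00:00Z host=DC01 user=admin cmd="reg query hklm\\software\\microsoft"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS, window=WINDOW):
        print(f"{f.when.isoformat()} {f.host:6} {f.technique:10} {f.detail}")
```

The behavioural rules deliberately ignore which account ran the command: the advisory's point is that the group reuses legitimate administrator credentials, so a `reg save hklm\sam` or `Set-MpPreference -DisableRealtimeMonitoring $true` from a valid admin is the signal, not an anomaly to be explained away. Extend `RULES` with the specific usernames and webshell directories from the advisory itself rather than the generic web-root pattern used here.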