Recent warnings from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have highlighted the involvement of Iran’s state-sponsored Fox Kitten threat group in facilitating ransomware attacks against entities in the United States and beyond. This partnership with ransomware actors aims to make financial gains through compromised networks spanning various sectors including finance, defense, healthcare, and education. This activity is distinct from Fox Kitten’s ongoing attempts to exfiltrate sensitive technical information from organizations in the US, Israel, and Azerbaijan, as indicated in a joint cybersecurity advisory released this week.
Initial Access Broker
The FBI and CISA pointed out that a considerable portion of Fox Kitten's cyber activity aimed at the US is geared toward maintaining access to victim networks for potential future ransomware attacks. The group's operations include offering full domain control and administrative credentials for numerous compromised networks globally.
Fox Kitten is tracked by various threat intelligence vendors under different monikers, including Pioneer Kitten, UNC757, Parisite, Lemon Sandstorm, and Rubidium. According to CrowdStrike, the group may have begun operating as early as 2017, potentially acting as a contractor for the Iranian government. Fox Kitten is believed to use an Iranian firm, Danesh Novin Sahand, as a front for cyber-espionage and intelligence operations aligned with Tehran's interests.
As early as 2020, CrowdStrike noted that the group attempted to market access to the compromised networks on underground forums, suggesting these efforts may not have been sanctioned by Iranian authorities. Fox Kitten often exploited vulnerabilities linked to Internet-facing assets to infiltrate organizations.
In 2021, Microsoft, which tracks the group as Rubidium, associated Fox Kitten with other Iranian state-sponsored groups involved in a broad range of cyber-enabled theft, disruption, and other harmful activities targeting US interests. More recently, Securin pointed out that Fox Kitten is one of the most active groups exploiting vulnerabilities related to VPN services and various remote access solutions from multiple vendors.
In the latest advisory issued by CISA and the FBI, Fox Kitten is linked to providing ransomware operators—including those utilizing strains like ALPHV (BlackCat), Ransomhouse, and NoEscape—with initial access to compromised systems, in exchange for a share of any ransom payments. The group not only collaborates with ransomware affiliates to encrypt networks but also devises extortion strategies, often concealing its identity as Iranian actors during engagements.
Old Tactics, New Vulnerabilities
The group's methods for gaining initial access remain consistent, primarily targeting vulnerabilities in VPN devices and other internet-exposed services. Recently, Fox Kitten has sought to exploit CVE-2024-24919, a zero-day vulnerability in Check Point VPNs, as well as CVE-2024-3400 in Palo Alto Networks' PAN-OS; CVE-2019-19781 and CVE-2023-3519 affecting Citrix NetScaler; and CVE-2022-1388 in F5 BIG-IP devices, according to the findings from CISA and the FBI.
Once access is achieved, Fox Kitten's follow-on activity varies with the compromised system but commonly includes capturing user credentials, deploying web shells, creating unauthorized accounts, loading malware, moving laterally across the network, and escalating privileges for further exploitation.
The persistence of vulnerabilities within organizations appears to facilitate Fox Kitten’s operations. Research by Tenable reveals that only about half of the assets affected by CVE-2019-19781 and CVE-2022-1388—key weaknesses targeted by Fox Kitten—have received remediation. According to Tenable, “It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io.”
Source: www.darkreading.com