Article Details
Scrape Timestamp (UTC): 2024-08-28 18:06:14.361
Source: https://www.theregister.com/2024/08/28/iran_pioneer_kitten/
Original Article Text
Iran's Pioneer Kitten hits US networks via buggy Check Point, Palo Alto gear

The government-backed crew also enjoys ransomware as a side hustle.

Iranian government-backed cybercriminals have been hacking into US and foreign networks as recently as this month to steal sensitive data and deploy ransomware, and they're breaking in via vulnerable VPN and firewall devices from Check Point, Citrix, Palo Alto Networks and other manufacturers, according to Uncle Sam.

In a joint security advisory issued today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) warned network defenders that Pioneer Kitten continues to exploit American schools, banks, hospitals, defense-sector orgs, and government agencies, along with targets in Israel, Azerbaijan, and the United Arab Emirates.

These attacks include network intrusions to steal sensitive technical data from US defense contractors, along with Israel- and Azerbaijan-based organizations, in support of the Iranian government, we're told. Most of the attacks against American targets, however, are financially motivated and not state-sanctioned, according to the FBI and friends.

"The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware," the joint alert says.

Recently, federal law enforcement agencies have spotted Pioneer Kitten (aka Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) working with ransomware-as-a-service gangs NoEscape, Ransomhouse and ALPHV/BlackCat.
IRGC's Peach Sandstorm back in attack mode with a brand-new backdoor

A different Iran government-linked group, this one believed to operate as the hacking arm of the Iranian Islamic Revolutionary Guard Corps (IRGC), has been using a new custom backdoor, dubbed Tickler, between April and June, according to Microsoft.

Redmond's threat hunters track the IRGC gang as Peach Sandstorm, and say the new malware has been used in attacks targeting the satellite, communications equipment, oil and gas, and federal and state government sectors in the US and the United Arab Emirates. The cyber spies also used Azure cloud infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2).

The first Tickler malware sample spotted was sent via an archive file named Network Security[.]zip along with benign PDF files used as decoy documents. "The sample collects the network information from the host and sends it to the C2 URI via HTTP POST request, likely as a means for the threat actor to orient themselves on the compromised network," according to Microsoft Threat Intelligence.

It appears Peach Sandstorm has since improved the malware, as the second sample, sold[.]dll, is a Trojan dropper that downloads additional payloads from the C2 server. This includes a backdoor, a batch script to set persistence for this backdoor, and legitimate files: msvcp140[.]dll, LoggingPlatform[.]dll, vcruntime140[.]dll, and Microsoft.SharePoint.NativeMessaging[.]exe. These are all Windows signed binaries that Microsoft surmises are used for DLL sideloading.

"The Iranian cyber actors' involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims," according to the US agencies.
"The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin."

This new warning follows multiple instances of finger pointing against Iran for its malicious cyber activities. Last week, US authorities named Iran as the likely source of a recent hack-and-leak attack against former US president and current candidate Donald Trump amid multiple reports of Iranian crews intensifying their election meddling efforts. Earlier this month, OpenAI banned ChatGPT accounts linked to an Iranian crew suspected of spreading fake news on social media sites about the US presidential campaigns, and both Google and Microsoft have warned of ongoing attacks targeting both political parties' candidates.

Today's warning, however, focuses on a different government-backed gang, which CISA and the FBI say has been active since 2017.

Pioneer Kitten

In 2020, CISA and the FBI published a similar warning about Pioneer Kitten breaking into a similarly wide range of US industry sectors to steal credentials and other sensitive information. The group refers to itself as "Br0k3r" and "xplfinder" on their Tor and social media sites, and also uses an Iranian IT company, Danesh Novin Sahand, likely as a cover for its malicious cyber activities.

While Pioneer Kitten has historically abused years-old bugs in Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519) and BIG-IP F5 (CVE-2022-1388) devices to gain initial access to victim organizations, as of July they have been scanning the Shodan search engine for IP addresses hosting Check Point Security Gateways devices that are vulnerable to CVE-2024-24919, which the software vendor in June warned was under active exploitation. A few months earlier, in April, the feds caught the Iranians scanning for vulnerable Palo Alto Networks PAN-OS and GlobalProtect VPNs.
The crew was likely conducting reconnaissance and probing for unpatched devices vulnerable to CVE-2024-3400, a critical command-injection flaw that received a 10 out of 10 CVSS severity rating. Side note: multiple proof-of-concept exploits exist for CVE-2024-3400, so if you haven't updated your Palo Alto Networks firewall/VPN yet, if Iran's not sitting on your device right now, someone else likely is.

After successfully exploiting a vulnerable device, Pioneer Kitten performs the usual criminal activities. They use webshells to steal login info and maintain network access. With the stolen admin-level credentials, the crooks disable antivirus and other security software. They also create new accounts — observed names include "sqladmin$," "adfsservice," "IIS_Admin," "iis-admin," and "John McCain" — and request exemptions from the zero-trust application and security policies for various tools they intend to deploy. And then, they install backdoors to load malware and exfiltrate data.

In the feds' joint alert, they include a list of IP addresses and domains that Pioneer Kitten has been using this year, so it's a good idea to check out the list and then block — or at least investigate — any of these addresses.

However, the Iranian hackers have also been known to break into companies' cloud environments and use this infrastructure for cyber espionage operations targeting other organizations. "The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization," the alert notes. "The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims."
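The account names quoted above are one of the few host-side indicators in the advisory that a defender can hunt for directly. The following is an added illustration, not code from the advisory, the FBI/CISA, or The Register: it scans constructed Windows "user account created" (event ID 4720) records for the names the article lists, normalising case and separators so that "IIS_Admin" and "iis-admin" match the same entry. The log line format is a hypothetical key=value rendering, not a real Windows export; the account names are the ones the article reports.

```python
"""Hunt Windows 4720 (user account created) events for the account names the
joint advisory attributes to Pioneer Kitten. Added example; the log lines are
constructed and the key=value layout is hypothetical."""
import re
from dataclasses import dataclass

# Names quoted in the article. Normalised copies catch trivial variants such
# as "IIS_Admin" vs "iis-admin" or a differently cased "AdfsService".
OBSERVED_ACCOUNTS = ["sqladmin$", "adfsservice", "IIS_Admin", "iis-admin", "John McCain"]


def normalise(name: str) -> str:
    """Lower-case, drop whitespace/underscores/hyphens, strip a trailing '$'."""
    return re.sub(r"[\s_\-]", "", name.lower()).rstrip("$")


NORMALISED = {normalise(n) for n in OBSERVED_ACCOUNTS}

# Constructed sample events (hypothetical SIEM rendering of 4720/4624 fields).
SAMPLE_EVENTS = [
    "EventID=4720 Computer=DC01 SubjectUserName=backup-svc TargetUserName=jdoe",
    "EventID=4720 Computer=DC01 SubjectUserName=Administrator TargetUserName=sqladmin$",
    "EventID=4720 Computer=WEB02 SubjectUserName=Administrator TargetUserName=iis_admin",
    "EventID=4624 Computer=WEB02 SubjectUserName=jdoe TargetUserName=jdoe",
    "EventID=4720 Computer=ADFS01 SubjectUserName=svc-deploy TargetUserName=AdfsService",
    "EventID=4720 Computer=FS01 SubjectUserName=Administrator TargetUserName=John McCain",
]


@dataclass
class Hit:
    computer: str    # host on which the account was created
    created_by: str  # SubjectUserName that performed the creation
    account: str     # TargetUserName exactly as logged
    matched: str     # advisory name it corresponds to


# Key=Value pairs; a value runs until the next " Key=" or end of line, so a
# value containing spaces (e.g. "John McCain") is kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_suspicious_account_creations(lines):
    """Return a Hit for every 4720 event whose new account matches the list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4720":
            continue  # only account-creation events are of interest here
        target = ev.get("TargetUserName", "")
        key = normalise(target)
        if key in NORMALISED:
            canonical = next(n for n in OBSERVED_ACCOUNTS if normalise(n) == key)
            hits.append(Hit(ev.get("Computer", "?"), ev.get("SubjectUserName", "?"),
                            target, canonical))
    return hits


if __name__ == "__main__":
    for h in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(f"{h.computer}: {h.created_by} created '{h.account}' "
              f"(matches advisory name '{h.matched}')")
```

Run against the constructed sample it reports four creations (sqladmin$, iis_admin, AdfsService, John McCain) and ignores the ordinary jdoe account and the 4624 logon event. A match is a lead, not a verdict: the next step is to check who created the account, from which session, and whether the same host shows the antivirus tampering and policy-exemption requests the advisory describes.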
Daily Brief Summary
Iranian government-backed hackers, known as Pioneer Kitten, have been infiltrating U.S. and foreign networks, targeting sensitive data and deploying ransomware.
Attacks have exploited vulnerabilities in VPN and firewall technologies from Check Point, Citrix, and Palo Alto Networks, among others.
Most attacks are financially motivated, seeking to develop ransomware capabilities in collaboration with ransomware-as-a-service gangs like NoEscape and ALPHV/BlackCat.
These cybercriminals have also targeted sectors such as defense, banking, healthcare, and education in the U.S., as well as international targets in Israel, Azerbaijan, and the UAE.
A related group, Peach Sandstorm, linked to the Iranian Revolutionary Guard, used a new malware, Tickler, to breach U.S. and UAE sectors including satellite and oil and gas.
The FBI warns that compromised U.S. cloud services accounts may be used by these actors to conduct further malicious activities.
Recent activities indicate an escalation in election-related attacks, with suspicions of Iranian involvement in a hack-and-leak campaign against Donald Trump.