Iranian government-backed hackers are actively breaking into US and foreign networks to steal sensitive data and deploy ransomware, and are getting in by exploiting vulnerabilities in VPN and firewall devices from vendors including Check Point, Citrix, and Palo Alto Networks, according to US government agencies.
In a joint security advisory issued today, the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) warn that Pioneer Kitten continues to target American schools, banks, hospitals, defense organizations, and government agencies, as well as organizations in Israel, Azerbaijan, and the United Arab Emirates.
The operations that directly support the Iranian government involve stealing technical data from US defense contractors and from organizations in Israel and Azerbaijan.
The FBI assesses, however, that a significant percentage of the group's operations against US organizations are financially motivated and probably not sanctioned by the Iranian government: their goal is to obtain and develop network access and then hand it to ransomware affiliates to deploy ransomware. The FBI has observed Pioneer Kitten working with ransomware-as-a-service operations including NoEscape, RansomHouse, and ALPHV/BlackCat.
The joint alert stresses that the Iranian actors are not merely selling access: they collaborate directly with the ransomware affiliates to lock victim networks and to work out how to extort the victims.
Recent reports have tied Iran to a range of cyber activity, including election meddling and ransomware attacks. OpenAI banned accounts linked to an Iranian crew spreading fake news, and Google and Microsoft have both warned of ongoing attacks targeting candidates' campaigns.
Today's warning focuses on Pioneer Kitten, a government-backed gang that has been active since 2017 and is also tracked as Fox Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm.
Pioneer Kitten
In 2020, CISA and the FBI issued an earlier warning about Pioneer Kitten targeting a wide range of US industry sectors to steal sensitive information. The group uses the handles "Br0k3r" and "xplfinder" on Tor forums and social media, and operates through an Iranian IT company, Danesh Novin Sahand, likely as a cover.
Pioneer Kitten gains initial access by exploiting vulnerabilities in internet-facing appliances such as Citrix NetScaler and F5 BIG-IP devices. More recently it has targeted Check Point Security Gateway devices vulnerable to CVE-2024-24919.
In April, the group was also scanning for vulnerable Palo Alto Networks PAN-OS and GlobalProtect VPN devices, indicating an effort to exploit systems susceptible to critical flaws such as CVE-2024-3400.
Once inside, Pioneer Kitten plants webshells on the compromised appliances to capture login credentials, disables security software, creates new accounts, installs backdoors, and exfiltrates data.
The alert lists IP addresses and domains used by Pioneer Kitten and urges organizations to block them and to investigate any traffic to or from them in their logs.
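As an added illustration (not code from the advisory or from any of the agencies), here is a small Python matcher for exactly that check: it takes an indicator list written in the defanged style advisories use (hxxp, [.]), refangs it, turns single IPs and CIDR ranges into networks and URLs into hostnames, scans firewall/VPN log lines for hits, and collapses the IP indicators into a deny list. The IOC list and log lines below are constructed for the example using reserved documentation addresses and example domains; they are not the indicators from the Pioneer Kitten advisory, and you would substitute the advisory's own IPs and domains.

```python
import ipaddress
import re

# Constructed sample IOC list in the defanged style that FBI/CISA advisories use.
# These are reserved documentation ranges and example domains, NOT the indicators
# from the Pioneer Kitten advisory; paste the advisory's own IPs and domains here.
ADVISORY_IOCS = """
# Actor infrastructure (hypothetical)
198[.]51[.]100[.]23
203[.]0[.]113[.]0/24
hxxps://vpn-update[.]example[.]net/owa/auth
api[.]example[.]org:8443
"""

# Constructed firewall/VPN log lines (key=value syslog style) to run the matcher over.
LOG_LINES = [
    "2024-08-28T10:15:02Z fw01 action=allow src=198.51.100.23 dst=10.0.0.5 dport=443 svc=sslvpn",
    "2024-08-28T10:15:09Z fw01 action=allow src=203.0.113.77 dst=10.0.0.5 dport=443 svc=sslvpn",
    "2024-08-28T10:16:40Z proxy01 action=allow src=10.0.0.41 dst=192.0.2.9 host=cdn.api.example.org",
    "2024-08-28T10:17:01Z fw01 action=allow src=192.0.2.55 dst=10.0.0.5 dport=443 svc=sslvpn",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def refang(ioc):
    """Undo the defanging advisories apply so indicators are not accidentally clickable."""
    ioc = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxps?://", "", ioc, flags=re.IGNORECASE)


def parse_iocs(text):
    """Return (networks, domains) from a defanged IOC list.

    Single IPs become /32 networks so every IP indicator is matched the same way;
    URLs are reduced to their host; ports and paths are dropped.
    """
    networks, domains = [], set()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ioc = refang(raw)
        try:
            networks.append(ipaddress.ip_network(ioc, strict=False))
            continue
        except ValueError:
            pass
        host = ioc.split("/", 1)[0]          # drop any URL path
        if host.count(":") == 1:             # drop a port on an IPv4 address or domain
            host = host.split(":", 1)[0]
        try:
            networks.append(ipaddress.ip_network(host, strict=False))
        except ValueError:
            domains.add(host.lower().rstrip("."))
    return networks, domains


def ip_matches(addr, networks):
    """Return the indicator network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def domain_matches(host, domains):
    """Return the indicator domain that host equals or is a subdomain of, or None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_matches(log_lines, ioc_text=ADVISORY_IOCS):
    """Return [(line_number, field_value, matched_ioc)] for log lines touching an IOC."""
    networks, domains = parse_iocs(ioc_text)
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for addr in IPV4_RE.findall(line):
            net = ip_matches(addr, networks)
            if net is not None:
                hits.append((n, addr, str(net)))
        for host in HOST_RE.findall(line):
            d = domain_matches(host, domains)
            if d is not None:
                hits.append((n, host, d))
    return hits


def block_list(ioc_text=ADVISORY_IOCS):
    """Collapse the IP indicators into the minimal CIDR set for a firewall deny rule."""
    networks, _ = parse_iocs(ioc_text)
    out = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        if same:
            out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


if __name__ == "__main__":
    for hit in find_matches(LOG_LINES):
        print("line %d: %s matched IOC %s" % hit)
    print("deny:", ", ".join(block_list()))
```

Two design choices are worth noting. Domain matching is by suffix, so a hostname under an indicator domain counts as a hit; that is deliberate, because actor infrastructure often rotates subdomains, but it means a hit is a lead to investigate rather than proof of compromise. And because the actors have been using these appliances as their way in, the log scan should be run over historical VPN and firewall logs from before the advisory's publication, not only over traffic from today onward.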
The hackers have also been targeting cloud environments, abusing compromised cloud service accounts to run operations against multiple organizations.
The FBI and CISA warn that the Iranian actors may be using those compromised cloud services for espionage, and urge organizations to stay vigilant, keep their VPN and firewall appliances patched, and check their logs for the indicators in the advisory.