U.S. Agencies Warn of Iranian Cyber Groups Partnering with Ransomware Affiliates
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have issued a joint advisory warning of elevated risk from an Iranian cyber actor group tracked under various monikers, including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm, Br0k3r, and xplfinder. The group has been implicated in a series of intrusions aimed primarily at U.S. organizations in the government, education, finance, healthcare, and defense sectors, as well as international targets in Israel, Azerbaijan, and the United Arab Emirates. The FBI's analysis indicates that these operations serve two ends: enabling ransomware attacks through collaboration with ransomware affiliates, and espionage on behalf of the Government of Iran (GOI). "The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan)," the agencies report.
The intelligence shared by the US agencies details a wide range of techniques employed by these actors. Intrusions begin with the exploitation of vulnerabilities in external-facing services to gain initial network access. Targeted products include Citrix NetScaler, F5 BIG-IP, Pulse Secure/Ivanti VPNs, and PAN-OS firewalls, with CVE-2019-19781, CVE-2023-3519, CVE-2022-1388, and CVE-2024-3400 among the vulnerabilities exploited. Following initial access, the actors deploy webshells, some with .php extensions, to harvest login credentials. To maintain persistence within the network, they have been observed creating user accounts with names such as "sqladmin$", "adfsservice", and "John McCain". They also create scheduled tasks to load their malware and add exceptions to zero-trust applications and security policies for the tools they deploy within compromised networks.
The advisory further details the group's post-exploitation activity. Credentials gathered from the webshells planted on compromised networking devices are used for lateral movement to other hosts, and the actors impair those systems by disabling security defenses and downgrading PowerShell versions. They enumerate systems to gather sensitive system, network, and user information. For command and control, they use tools such as AnyDesk and PowerShell Web Access, along with tunneling tools such as ngrok and Ligolo. The activity culminates in ransomware attacks conducted in partnership with the ALPHV/BlackCat, NoEscape, and RansomHouse groups, while sensitive data of strategic interest to the Iranian government is stolen in parallel.
The advisory sets out several mitigations for organizations defending against this Iranian cyber activity. Key recommendations include patching affected systems with the latest security updates, particularly for the vulnerabilities this group exploits, and applying system hardening and firewall guidance to prevent unauthorized access. Monitoring for unusual outbound traffic, especially to command-and-control servers, and reviewing systems for unfamiliar user accounts or scheduled tasks can be critical steps in identifying a breach. The agencies advise immediate application of their detailed mitigations to protect against these threats and reduce the risk of significant damage from such state-sponsored cyber activity.
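As an added example (not code from the advisory or this article), the account-and-task monitoring recommendation above applied to constructed Windows security log records: it flags account creations matching the names the advisory lists and scheduled tasks registered by those or by any freshly created account. Event IDs 4720 (user account created) and 4698 (scheduled task created) are the standard Windows events; the text layout of the records and the sample values are assumptions.

```python
import re
from dataclasses import dataclass
# Persistence account names the advisory lists (compared case-insensitively).
INDICATOR_ACCOUNTS = {"sqladmin$", "adfsservice", "john mccain"}
# Constructed sample records, not real telemetry. Assumed layout:
# "<timestamp> EventID=<id> Host=<host> Key=Value ...", with 4720 =
# user account created and 4698 = scheduled task created.
SAMPLE_LOG = """\
2024-08-28T09:12:04Z EventID=4720 Host=DC01 TargetUserName=jsmith SubjectUserName=helpdesk
2024-08-28T09:15:31Z EventID=4720 Host=WEB02 TargetUserName=sqladmin$ SubjectUserName=SYSTEM
2024-08-28T09:16:02Z EventID=4720 Host=WEB02 TargetUserName=John McCain SubjectUserName=SYSTEM
2024-08-28T09:20:47Z EventID=4698 Host=WEB02 TaskName=\\Updater SubjectUserName=sqladmin$
2024-08-28T09:21:10Z EventID=4698 Host=FS01 TaskName=\\Microsoft\\Windows\\Backup SubjectUserName=backupsvc
"""
# Key=Value pairs; a value runs until the next " Key=" so names with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

@dataclass
class Finding:
    timestamp: str
    host: str
    event_id: int
    reason: str

def parse_record(line: str) -> dict:
    """Split one record into a field dict, keeping the leading timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields

def analyze(log_text: str) -> list:
    """Flag indicator-named account creations and tasks registered by new or indicator accounts."""
    findings, new_accounts = [], set()
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        event_id = int(rec.get("EventID", "0"))
        if event_id == 4720:
            name = rec.get("TargetUserName", "").lower()
            new_accounts.add(name)  # remember every new account for task correlation
            if name in INDICATOR_ACCOUNTS:
                findings.append(Finding(rec["timestamp"], rec["Host"], event_id,
                                        f"account '{name}' matches advisory indicator"))
        elif event_id == 4698:
            creator = rec.get("SubjectUserName", "").lower()
            if creator in INDICATOR_ACCOUNTS or creator in new_accounts:
                findings.append(Finding(rec["timestamp"], rec["Host"], event_id,
                                        f"task {rec.get('TaskName')} created by '{creator}'"))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields three findings: the two indicator-named accounts on WEB02 and the task that "sqladmin$" registered shortly afterwards, while the ordinary helpdesk and backup activity is left alone.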