Firewalls and VPNs are being used as a point of entry for Iranian state-sponsored hackers, tracked as Pioneer Kitten, looking to gain access to American schools, banks, hospitals, defense sector firms, and government agencies.
The attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA).
Pioneer Kitten’s objectives are likely intelligence gathering, stealing data from US defense contractors in line with the wider aims of the Iranian government, as well as fundraising by providing access to ransomware groups.
“The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory says.
Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) has been observed working with ransomware groups ALPHV/BlackCat, NoEscape, and Ransomhouse to provide access to their targets.
The group has been exploiting a number of known vulnerabilities, such as CVE-2024-24919 to compromise devices running Check Point Security Gateways, and CVE-2024-3400 to take advantage of unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally once inside. The group has also been targeting organizations based in Israel, the United Arab Emirates and Azerbaijan.
Another Iranian state-sponsored group has also been acting on behalf of the Iranian Islamic Revolutionary Guards Corps to gather intelligence on US satellite communications using custom-built malware dubbed Tickler.
The statement continued: “The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims.”