Iranian hackers are teaming up with ransomware gangs to break into companies via VPN and firewall tools
Firewalls and VPNs are being used as entry points for Iranian state-sponsored hackers known as Pioneer Kitten who want to gain access to U.S. schools, banks, hospitals, defense contractors and government agencies.
According to a US government report, the attackers gained access through vulnerable devices from Check Point, Citrix and Palo Alto Networks. joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the Cybersecurity and Infrastructure Security Agency (CISA).
Pioneer Kitten’s goals likely include gathering intelligence to steal data from U.S. defense contractors, in line with broader Iranian government objectives, and raising funds by providing access to ransomware groups.
“The FBI estimates that a significant percentage of these threat actors’ operations against U.S. organizations are intended to gain and develop network access and then work with ransomware partners to deploy ransomware,” the advisory said.
Pioneer Kitten (also known as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm) has been observed working with ransomware groups ALPHV/BlackCat, NoEscape, and Ransomhouse to gain access to their targets.
A number of known vulnerabilities are being exploited, such as CVE-2024-24919 to exploit devices using Check Point Security Gateways, and CVE-2024-3400 to take advantage of unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally as they go. The group has also targeted organizations in Israel, the United Arab Emirates and Azerbaijan.
Another Iranian state-sponsored group is gathering intelligence on U.S. satellite communications on behalf of Iran’s Islamic Revolutionary Guard Corps, using specially developed malware called Tickler.
“The FBI estimates that a significant percentage of these threat actors’ operations against U.S. organizations are designed to gain and develop network access and then work with ransomware partners to deploy ransomware,” the statement continued. “The FBI has observed this craft being used against the U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromise your organization, they may abuse your cloud services accounts to conduct malicious cyber activity and target other victims.”