Iranian Hackers Collaborate with Ransomware Gangs for Extortion
August 28, 2024
Pioneer Kitten, an Iran-based hacking group, is reportedly infiltrating organizations across multiple sectors in the United States, including defense, education, finance, and healthcare. The group is believed to be affiliated with the Iranian government and has been operational since 2017.
The group is suspected of collaborating with various ransomware operations to extort their victims. The FBI, CISA, and the Defense Department's Cyber Crime Center issued a joint advisory warning about the group's activities. The threat actors are reportedly selling domain admin credentials and full domain control privileges on cyber marketplaces under the aliases 'Br0k3r' and 'xplfinder'.
The advisory also noted that the hackers were working directly with ransomware affiliates to enable encryption operations, receiving a share of the ransom payments. The threat actors have reportedly collaborated with ransomware affiliates including NoEscape, RansomHouse, and ALPHV (aka BlackCat). The agencies stated, "The Iranian cyber actors' involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims."
The report further indicates that Pioneer Kitten does not disclose its nationality or origin to its ransomware partners. Since July 2024, the group has been scanning for potentially vulnerable Check Point Security Gateways (CVE-2024-24919), and since April 2024 it has been conducting mass scans for Palo Alto Networks PAN-OS and GlobalProtect VPN devices, likely in search of devices vulnerable to a high-severity command injection vulnerability (CVE-2024-3400).
Historically, the group has targeted organizations using exploits for Citrix NetScaler (CVE-2019-19781 and CVE-2023-3519) and F5 BIG-IP devices (CVE-2022-1388). Pioneer Kitten has also attempted to sell access to compromised networks on underground forums, suggesting a diversification of its revenue streams.
In September 2020, a joint advisory from CISA and the FBI warned that Pioneer Kitten had the capability, and likely the intent, to deploy ransomware on victim networks, and that the group had been spotted selling access to compromised network infrastructure online.
The FBI's analysis suggests that the hackers are associated with the Government of Iran (GOI) and use the 'Danesh Novin Sahand' Iranian company name as a cover. They have also been linked to data theft attacks targeting organizations in Israel and Azerbaijan in support of the GOI's interests.