Iran's 'Fox Kitten' Group Aids Ransomware Attacks on US Targets

Iran's state-sponsored Fox Kitten threat group is actively abetting ransomware actors in attacks against organizations in the US and other countries, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) warned this week.

The ongoing activity appears to be an effort by the threat actor to monetize its access to victim networks across multiple sectors, including finance, defense, healthcare, and education. It is separate from Fox Kitten's continued campaigns to steal sensitive technical data from organizations in the US, Israel, and Azerbaijan, the two government agencies said in a joint cybersecurity advisory this week.

Initial Access Broker

 "A significant percentage of the group's US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks," the FBI and CISA warned. "The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide."

Fox Kitten is a relatively well-known threat actor that different security vendors variously track as Pioneer Kitten, UC757, Parisite, Lemon Sandstorm, and Rubidium. CrowdStrike believes the group first began operations in 2017 and is likely a contractor for the Iranian government. The FBI and CISA think the group is using an Iranian company, Danesh Novin Sahand, as cover for its cyber-espionage and other intelligence gathering operations for Tehran.

Starting as far back as 2020, CrowdStrike observed the group attempting to sell access on underground forums to networks it had compromised. Fox Kitten actors were likely doing this without any approval from their Iranian-government sponsors. In many instances where Fox Kitten gained access to a victim network, they did so via exploits that targeted vulnerabilities in an organization's Internet-facing assets.

In 2021, Microsoft, which tracks Fox Kitten as Rubidum, identified the threat actor as one of six Iranian state-backed groups engaged in a wide range of cyber-enabled information theft, disruption, and destructive activities against US entities. Earlier this year, Securin listed Fox Kitten among a group of threat actors it described as most actively targeting VPN vulnerabilities and other remote access products from multiple vendors.

This week's CISA-FBI advisory identified Fox Kitten as providing the operators of ransomware strains such as ALPHV (or BlackCat), Ransomhouse, and NoEscape with initial access to compromised networks in return for a percentage of any ransom they might collect. In many instances, the Iranian threat group has worked with ransomware affiliates to encrypt victim networks and strategized with them on how to extort ransoms. The FBI said that Fox Kitten actors are engaging with ransomware actors without disclosing their location in Iran or their ties to the country.

Old Tactics, New Vulns

The group's initial access methods in recent attacks have been the same as always: exploiting vulnerabilities in VPN devices and other externally exposed services on enterprise networks. Most recently, Fox Kitten actors have targeted CVE-2024-24919, a now-patched zero-day bug in Check Point VPNs to try and break into a victim network. The threat actor has also been spotted going after CVE-2024-3400, a zero-day bug in Palo Alto Networks' PAN-OS; CVE-2019-19781 and CVE-2023-3519 in Citrix Netscaler; and CVE-2022-1388 in BIG-IP F5 devices, CISA and the FBI said.

Once Fox Kitten gains access to a network, its game plan — depending on the type of system it has compromised — is to capture login credentials, deploy Web shells, create rogue accounts, load malware, move laterally, and escalate privileges.

The fact that many organizations have not mitigated some of the vulnerabilities that Fox Kitten is targeting may be helping the threat actor in its attacks. An analysis that Tenable performed, for instance, found that barely half of all assets affected by CVE-2019-19781 and CVE-2022-1388, two flaws that Fox Kitten is targeting, are remediated. "It's not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io," a search engine for discovering Internet-connected devices, Tenable said in a blog post this week.