A new joint cybersecurity advisory from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense Cyber Crimes Center has exposed new information about the infamous Iran-based threat actor known as Fox Kitten.
The group sells corporate access it gains on underground cybercriminal forums and actively collaborates with ransomware affiliates to help victims demand ransoms. The threat actor has set its sights on infiltrating the United States and other foreign organizations in recent weeks.
Who is Fox Kitten?
Fox Kitten, also known as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, is a threat actor that has been actively committing cyber espionage since at least 2017.
The FBI said the group is associated with the Iranian government and supports the theft of sensitive technical data against various organizations, according to the advisory. The threat actor has targeted companies in the Middle East, including Israel and Azerbaijan, but also companies in Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the United States, and possibly more.
According to the advisory, Fox Kitten has carried out a high volume of computer network intrusion attempts against US organizations since 2017. Its targets have included US-based schools, municipal governments, financial institutions, and healthcare facilities, with incidents as recent as August 2024.
Cybersecurity firm OT Dragos said the threat actor also targeted ICS-related entities by exploiting vulnerabilities in virtual private network devices.
The advisory also revealed that the group uses “the name of the Iranian company Danesh Novin Sahand (identification number 14007585836), likely as a covert IT entity for the group’s malicious cyber activities.”
More than cyber espionage
In 2020, the “Pay2Key” operation led by Fox Kitten demonstrated that the threat actor could pursue objectives other than facilitating cyber espionage.
According to Israeli company ClearSky Cyber Security, the ransomware attacks targeted Israeli organizations with previously unreported ransomware, but the attack campaign was likely propaganda to cause fear and create panic in Israel. The data stolen during the attacks was publicly exposed on a leak site that mentioned “Pay2Key – the nightmare of Israel’s cyberspace!”, as shown in the report.
Another report, published by cybersecurity firm CrowdStrike in 2020, revealed that the threat actor was also advertising the sale of access to compromised networks on an underground forum. Researchers consider this activity to be a possible attempt to diversify revenue streams, alongside targeted intrusions in support of the Iranian government.
Collaboration with ransomware affiliates
Once Fox Kitten gains access to victims’ networks, the group collaborates with some NoEscape ransomware affiliates, RansomHouse, and ALPHV/BlackCat. The threat actor provides full access to the ransomware affiliates in exchange for a percentage of the ransom payments.
According to the FBI, Fox Kitten does not just provide access to compromised networks. The group works closely with ransomware affiliates to lock down victims' networks and devise strategies to extort them. However, the group does not reveal its location in Iran to its ransomware affiliates' contacts and does not disclose its origin.
The joint notice reveals that the group refers to itself by the nickname “Br0k3r” and has used “xplfinder” on its channels in 2024.
Technical details
Fox Kitten uses the Shodan search engine to identify IP addresses hosting devices vulnerable to specific exploits, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPN, or PanOS firewalls.
Once the vulnerabilities are exploited, the threat actor:
- It plants webshells and captures login credentials before creating malicious tasks to add backdoor malware and further compromise the system.
- It uses compromised credentials to create new accounts on victims’ networks using discreet names such as “IIS_Admin” or “sqladmin$”.
- Gains control of administrator credentials to log on to domain controllers and other parts of the infrastructure. Existing security and antivirus software are also disabled.
'Br0k3r' has been active for over a year
The joint advisory provides several risk indicators, but also lists TOX identifiers for the nickname “Br0k3r.” TOX is a peer-to-peer instant messaging software designed to provide secure communications and uses unique keys to identify users.
The unique TOX identifier for “Br0k3r” was previously exposed in 2023 by the SANS Institute as an initial access broker selling access to corporate networks in different countries including the US, Canada, China, UK, France, Italy, Norway, Spain, India, Taiwan, and Switzerland.
It is no surprise to see the threat actor targeting the US, as it is the country most affected by ransomware according to cybersecurity firm MalwareBytes.
Taking advantage of cybercriminal forums
The threat actor provided a unique Tor-hosted website to advertise its access on various cybercriminal forums.
An early version of Br0k3r's website indicates that each sale contains full control of the domain, including domain administrator credentials, Active Directory user credentials, DNS zones and objects, and Windows domain trusts.
A second version of the website launched around August 2023 states that “there are numerous active ransomware groups working with me in a considerable percentage.”
How to protect your business from this threat
The initial attack method employed by Fox Kitten involves exploiting known vulnerabilities in various internet-connected devices, in particular corporate VPNs or firewall devices. To protect themselves from this cyberthreat, businesses should:
- Update and patch your VPN and firewall devices to avoid falling prey to such vulnerabilities.
- Update and patch all operating systems, and software should be updated and patched.
- Control who has access to VPNs to detect suspicious connections or connection attempts. A filter should also be used on VPN devices, so that employees can only connect from their regular internet connection when necessary.
- Review and analyze log files. Any discovery of an indicator of compromise provided in the joint report should result in immediate investigation.
- Deploy security solutions on every endpoint and server to detect suspicious activity.
Finally, the FBI and CISA do not recommend paying the ransom, as there is no guarantee that victims will recover their encrypted files and such payments could also fund other criminal activities.
Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.