Firewalls and VPNs are being used as entry points for Iranian state-sponsored hackers, identified as Pioneer Kitten, seeking to gain access to US schools, banks, hospitals, defense companies, and government agencies.
Attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cybercrime Center (DC3), and the Cybersecurity and Infrastructure Security Agency (CISA).
Pioneer Kitten is likely conducting intelligence-gathering operations to steal data from U.S. defense contractors in line with the Iranian government’s broader goals, while also raising funds by selling access to ransomware groups.
“The FBI assesses that a significant percentage of these threat actors’ operations against U.S. organizations are aimed at obtaining and developing network access and then collaborating with ransomware-affiliated actors to deploy ransomware,” the advisory said.
Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm) has been observed working with the ALPHV/BlackCat, NoEscape, and RansomHouse ransomware groups, providing them with access to its victims’ networks.
The group has been exploiting a number of known vulnerabilities, including CVE-2024-24919, which affects Check Point Security Gateways, and CVE-2024-3400, which affects unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally once inside. The group has also been targeting organizations based in Israel, the United Arab Emirates, and Azerbaijan.
Another Iranian state-sponsored group has also been acting on behalf of Iran's Islamic Revolutionary Guard Corps to gather intelligence on US satellite communications using custom-built malware dubbed Tickler.
“The FBI believes that a significant percentage of these threat actors’ operations against U.S. organizations are aimed at gaining and developing network access and then collaborating with affiliated ransomware actors to deploy ransomware,” the statement continued. “The FBI observed this technique being used against the U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud service accounts to conduct malicious cyber activities and attack other victims.”