Iran’s state-sponsored Fox Kitten threat group has been identified by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) as actively aiding ransomware actors in their attacks on organizations in the US and beyond. According to a recent joint cybersecurity advisory released by the two agencies, the threat group is exploiting its access to victim networks in sectors such as finance, defense, healthcare, and education in an attempt to monetize its activities.
The ongoing efforts by Fox Kitten to support ransomware attacks are distinct from its previous campaigns targeting sensitive technical data from organizations in the US, Israel, and Azerbaijan. The FBI and CISA warn that a significant portion of the group’s cyber activities in the US involve obtaining and maintaining technical access to victim networks to facilitate future ransomware attacks. The threat actors have been observed offering full domain control privileges and domain admin credentials to networks globally.
Fox Kitten, also known as Pioneer Kitten, UNC757, Parisite, Lemon Sandstorm, and Rubidium, is a well-known threat actor believed to have started operations in 2017 and potentially acting as a contractor for the Iranian government. The group is suspected of using an Iranian company, Danesh Novin Sahand, as a front for its cyber-espionage and intelligence-gathering operations on behalf of Tehran.
In recent years, Fox Kitten has been observed attempting to sell access to compromised networks on underground forums and has targeted vulnerabilities in organizations’ Internet-facing assets to gain unauthorized access. Microsoft, which tracks Fox Kitten as Rubidium, has identified the group as one of six Iranian state-backed groups engaging in various cyber-enabled activities against US entities. Security experts have also listed the threat actor among those actively targeting VPN vulnerabilities.
The latest CISA-FBI advisory highlights Fox Kitten’s involvement in providing initial access to ransomware operators such as ALPHV, Ransomhouse, and NoEscape in exchange for a percentage of the ransom payments collected. The group has collaborated with ransomware affiliates to encrypt victim networks and negotiate ransom payments. In the course of these collaborations, the threat actors have not disclosed their location in Iran or their ties to the country.
Fox Kitten’s modus operandi involves exploiting vulnerabilities in VPN devices and other externally exposed services on enterprise networks. Recent attacks have targeted zero-day bugs in Check Point VPNs, Palo Alto Networks’ PAN-OS, Citrix NetScaler, and F5 BIG-IP devices. Once inside a network, the threat actors aim to capture login credentials, deploy web shells, create rogue accounts, load malware, move laterally, and escalate privileges.
The success of Fox Kitten’s attacks is partly attributed to the failure of many organizations to mitigate the vulnerabilities the group targets. An analysis by Tenable found that a significant number of assets affected by the vulnerabilities exploited by Fox Kitten remain unpatched. This prevalence of potentially vulnerable devices gives threat actors ample opportunity to gain initial access to networks.
In light of these findings, organizations are urged to prioritize patching and securing their systems to mitigate the risk posed by threat actors like Fox Kitten. The collaboration between law enforcement agencies and cybersecurity experts remains crucial in combating these sophisticated cyber threats.
