Iranian State Actors Aid Ransomware Gangs in Campaigns Against Israel



The Federal Bureau of Investigation (FBI) has issued warnings regarding Iranian state-sponsored hackers who trade access to compromised organizations for financial gain, including organizations in education, finance, healthcare, and defense in Israel, the US, Azerbaijan, and the UAE.

Operating under various aliases such as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, or Lemon Sandstorm, these Iranian cyber actors are also known as Br0k3r or “xplfinder” in their communication channels. While their primary role is to conduct state-sponsored computer network exploitation (CNE) operations against Iran’s enemies, such as Israel, their activities extend to selling unauthorized access to companies globally.

A recent cybersecurity advisory by the FBI, CISA, and DC3 reveals that these Iranian actors are collaborating with ransomware affiliates to facilitate encryption attacks in exchange for a share of the ransom payments. The advisory highlights their involvement with ransomware groups such as NoEscape, Ransomhouse, and ALPHV (also known as BlackCat). Beyond selling initial access, these hackers actively assist ransomware affiliates by teaching them tactics such as locking computer networks and devising extortion strategies. The FBI also notes that these actors might deliberately obscure their Iranian location and nationality when interacting with ransomware affiliates.

The tactics employed by these actors have evolved from those used in the Pay2Key operation, a significant cyber campaign against Israeli companies in 2020. This operation, likely aimed at destabilizing Israeli cyber infrastructure, involved running a leak site on the dark web and publicizing stolen data to undermine security.

As of August 2024, the FBI warns that these Iranian threat actors are targeting a range of foreign entities, including schools, municipal governments, financial institutions, and healthcare facilities. Their activities align with Iranian state interests, often targeting nations such as Israel, Azerbaijan, and the United Arab Emirates. The FBI assesses that these ransomware activities are likely not directly authorized by the Iranian government, as the actors have expressed concerns about government monitoring of cryptocurrency transactions linked to their operations.

Iranian cyber actors typically initiate attacks by exploiting vulnerabilities in remote external services. Recent tactics include scanning IP addresses for vulnerabilities such as CVE-2024-24919 affecting Check Point Security Gateways. Previously, they have targeted devices with vulnerabilities in Palo Alto Networks PAN-OS and GlobalProtect VPN.

To infiltrate systems, they use open-source tools such as the Shodan search engine to identify vulnerable systems, then capture login credentials through web shells. Once inside, they establish persistence by creating accounts, requesting security policy exemptions, deploying backdoors, and installing malicious payloads.

For command and control, these actors utilize tools such as AnyDesk, PowerShell Web Access, Ligolo, and NGROK. The FBI and CISA have identified numerous IP addresses and bitcoin wallets associated with their activities. They recommend that organizations implement specific mitigations, including monitoring for suspicious IP addresses, applying patches, and checking for unique identifiers related to these cyber actors.
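The mitigations above (watching for the published IP addresses, checking for the actors' tooling, and noticing new accounts created for persistence) can be turned into a simple log sweep. The following is an added example written for this article, not code from the FBI, CISA, or the advisory: it scans a constructed batch of VPN-gateway, endpoint, and Windows Security log lines for the indicator addresses, the remote-access and tunnelling tools the article names, and account-creation events. The indicator IPs are placeholders from the TEST-NET-1 documentation range, the log format is invented, and the regular expressions are assumptions about how those tools show up in process-start telemetry; a real deployment would substitute the advisory's published addresses and the organization's actual log schema.

```python
"""Sweep log lines for advisory-style indicators (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Placeholder indicators only: 192.0.2.0/24 is reserved for documentation.
# Replace with the addresses published in the FBI/CISA advisory.
INDICATOR_IPS = {"192.0.2.10", "192.0.2.77"}

# Remote-access / tunnelling tools the article lists for command and control.
# Patterns are assumptions about how their binaries appear in process logs.
TOOL_PATTERNS = {
    "anydesk": re.compile(r"anydesk", re.I),
    "ngrok": re.compile(r"\bngrok\b", re.I),
    "ligolo": re.compile(r"ligolo", re.I),
    "powershell web access": re.compile(r"PowerShellWebAccess|\bpswa\b", re.I),
}

# Windows Security event 4720: "A user account was created" (persistence step).
ACCOUNT_CREATED_RE = re.compile(r"EventID=4720\b")

# Dotted-quad candidates; validated with ipaddress before use.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Finding:
    line_no: int   # 1-based position in the input
    reason: str    # short tag for triage
    line: str      # the raw log line


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (line, reason) hit, in input order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for candidate in IP_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
            if ip in INDICATOR_IPS:
                findings.append(Finding(n, f"indicator ip {ip}", line))
        for name, pattern in TOOL_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(n, f"tool {name}", line))
        if ACCOUNT_CREATED_RE.search(line):
            findings.append(Finding(n, "account created", line))
    return findings


def lines_with_findings(findings: List[Finding]) -> List[int]:
    """Distinct line numbers that need a look, for a quick summary."""
    return sorted({f.line_no for f in findings})


# Constructed sample: a VPN gateway, an EDR process feed, and a domain
# controller's Security log, interleaved as a SIEM would present them.
SAMPLE_LOG = [
    "2024-08-28T03:14:07Z vpn-gw sslvpn: login user=svc_backup src=192.0.2.10 result=success",
    "2024-08-28T03:15:22Z edr host=FS01 proc_start image=C:\\Users\\Public\\ngrok.exe cmd=\"ngrok tcp 3389\"",
    "2024-08-28T03:16:40Z winsec host=DC01 EventID=4720 msg=\"A user account was created\" target=helpdesk2",
    "2024-08-28T03:18:01Z vpn-gw sslvpn: login user=jdoe src=198.51.100.23 result=success",
    "2024-08-28T03:20:15Z edr host=WS22 proc_start image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
    print("lines to review:", lines_with_findings(scan_log(SAMPLE_LOG)))
```

The IP match is exact on purpose: indicator lists from advisories are point addresses, and a loose substring match would turn 192.0.2.1 into a hit for 192.0.2.10. Tool-name hits are low-cost to check but noisy where AnyDesk or ngrok is sanctioned, so the tag is kept separate from the indicator-IP tag to let the two be triaged with different priorities.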

Authorities advise against paying ransoms, as it does not guarantee file recovery and only encourages further malicious activities.