A recent joint cybersecurity advisory from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense Cyber Crime Center exposed new information about the infamous Iran-based threat actor known as Fox Kitten. The group sells corporate access obtained through cyber attacks on underground forums and collaborates with ransomware affiliates to extort victims.
Fox Kitten, also known as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, has been actively engaged in cyberespionage since at least 2017. The FBI associates the group with the Iranian government, for which it supports the theft of sensitive technical data from various organizations. The group has targeted companies in several countries, including the US, Australia, Finland, Ireland, France, and Germany.
Fox Kitten uses the Shodan search engine to identify vulnerabilities in internet-facing appliances. The group exploits these vulnerabilities to plant webshells, capture login credentials, and create malicious tasks that compromise the system. It also uses compromised credentials to create new accounts on victims’ networks and to take control of admin credentials.
To protect against Fox Kitten’s cyber threat, companies should:
The FBI and CISA advise against paying the ransom, as there is no guarantee that encrypted files will be recovered, and payments may fund further criminal activity.
Fox Kitten is an Iranian threat actor associated with the Iranian government that supports cyberespionage activities against various organizations. The group is also involved in ransomware attacks, collaborating with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat. In this type of collaboration, it exchanges hacked network access for a share of the ransom payment.
The group has targeted the U.S. and many other countries by exploiting vulnerabilities, particularly in Virtual Private Network (VPN) appliances. To identify vulnerable devices, it uses the Shodan search engine. It plants webshells and captures login credentials to gain control over the systems, then uses that access to create malicious tasks and introduce malware.
To reduce their systems’ exposure to such attacks, organizations should take the following precautions:
Overall, this cyber threat shows how Iranian threat actors have turned to more destructive means to gain access to, and control over, a growing number of corporate networks.