CSO Online

Iranian threat actors targeting businesses and governments, CISA, Microsoft warn


Warnings went out this week to infosec leaders about two groups of Iranian threat actors attacking American and other organizations.

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Defense Department’s Cyber Crime Center said a group of Iranian hackers is working with ransomware gangs on attacks.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access,” said the joint report. “They work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims.” 

This gang calls itself Br0k3r or xplfinder, but is known by researchers by a number of other names, including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.

Interestingly, after getting network access and stealing data, it doesn’t tell the ransomware gangs it is associated with the government of Iran.

In fact, the report said, the contact with ransomware gangs likely isn’t sanctioned by the Iranian government. This conclusion comes because Pioneer Kitten members have been caught worrying about government monitoring of their cryptocurrency movements.

Separately, Microsoft warned that an Iranian state-sponsored threat actor has been deploying a new custom multi-stage backdoor to hack into government and private sector organizations in the US and the United Arab Emirates.

Both reports include indicators of compromise that defenders should watch for.

Pioneer Kitten attack

The CISA/FBI report said Pioneer Kitten is going after organizations across several sectors in the US, including government, education, finance, healthcare, and defense. It’s also targeting other countries, including Israel, Azerbaijan, and the United Arab Emirates.

It looks for holes in VPNs that could lead to lateral movement on corporate networks. For example, as of July it has been scanning for IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. That vulnerability, disclosed by Check Point in May, affects all of its Security Gateways that have IPsec VPN enabled in the Remote Access VPN community, as well as the Mobile Access software blade.

As of April, Pioneer Kitten members have also been scanning IP addresses hosting Palo Alto Networks’ PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. This group has also exploited unpatched Citrix NetScaler and F5 BIG-IP devices.

After exploiting vulnerable devices, the gang captures login credentials using web shells, then plants a backdoor. The stolen credentials are then used to get admin passwords to log into domain controllers and other infrastructure. Eventually they create local accounts, request exemptions from zero-trust applications for tools they want to deploy, and steal data.

Then the actors strike deals with ransomware gangs (including NoEscape, Ransomhouse, and AlphV/BlackCat). In exchange for a percentage of the ransom payments, the ransomware gangs or affiliates get access to victim networks.

The FBI and CISA warn that Pioneer Kitten is known to leverage information obtained through intrusions into cloud-computing resources associated with victim organizations. “The actors have used this cloud infrastructure to conduct further cyber operations targeting other organizations … The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims. The FBI has observed instances of the actors using compromised cloud service accounts to transmit data stolen from other compromised organizations.”

Recommendations

The FBI and CISA recommend that all organizations:

  • review available logs for IP addresses listed in the report for indications of attacker traffic within their IT network;
  • apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519. Patching may be insufficient to mitigate malicious activity if a network has already been compromised by these actors while the network device was vulnerable. Additional investigation into the use of stolen credentials (e.g., via the web shell on NetScaler devices) is strongly encouraged to identify threat actor attempts to establish footholds on other parts of the network;
  • check IT systems for the unique identifiers and techniques used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of web shells in specific directories;
  • check IT systems for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io.
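The last two recommendations above are the kind of check a SOC would script rather than eyeball. The following is an added example, not code from the CISA/FBI advisory or from CSO Online: it scans web-proxy log lines for outbound requests to the two defanged indicators quoted above (files.catbox[.]moe and any ngrok[.]io subdomain) and for traffic to or from listed IP addresses. The advisory's IP list is not reproduced on this page, so the two addresses in SUSPECT_IPS are constructed placeholders, and the log format and sample lines are constructed as well.

```python
import re
from typing import Iterable
from urllib.parse import urlparse

# Indicators exactly as quoted from the CISA/FBI recommendations (defanged).
DEFANGED_DOMAINS = ["files.catbox[.]moe", "*.ngrok[.]io"]

# PLACEHOLDER: the advisory's real IP list is not on this page; these two
# documentation-range addresses stand in for it.
SUSPECT_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed proxy log format: "<timestamp> <src_ip> <dst_ip> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'files.catbox[.]moe' into a real hostname."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, patterns: Iterable[str]) -> bool:
    """True if host equals a pattern, or is a subdomain of a '*.' pattern."""
    host = host.lower()
    for pat in patterns:
        pat = refang(pat).lower()
        if pat.startswith("*."):
            # '*.ngrok.io' matches 'abc.ngrok.io' but not the bare apex 'ngrok.io'
            if host.endswith(pat[1:]) and host != pat[2:]:
                return True
        elif host == pat:
            return True
    return False


def find_ioc_hits(log_lines, domains=DEFANGED_DOMAINS, ips=SUSPECT_IPS):
    """Return (timestamp, src_ip, host, reason) for every line that matches an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        ts, src_ip, dst_ip, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        reasons = []
        if host_matches(host, domains):
            reasons.append(f"outbound request to {host}")
        for ip in (src_ip, dst_ip):
            if ip in ips:
                reasons.append(f"listed IP {ip}")
        if reasons:
            hits.append((ts, src_ip, host, "; ".join(reasons)))
    return hits


# Constructed sample log: two indicator hits, one listed-IP hit, one apex
# domain that must NOT match, and one malformed line.
SAMPLE_LOG = [
    "2024-08-01T10:00:01Z 10.0.0.5 203.0.113.40 https://updates.example.com/patch.msi 200",
    "2024-08-01T10:02:13Z 10.0.0.5 203.0.113.41 https://files.catbox.moe/abcd12.zip 200",
    "2024-08-01T10:03:44Z 10.0.0.9 203.0.113.42 https://a1b2c3.ngrok.io/ 200",
    "2024-08-01T10:04:00Z 10.0.0.9 203.0.113.43 https://ngrok.io/ 200",
    "2024-08-01T10:05:30Z 192.0.2.10 10.0.0.12 https://vpn.example.com/remote/login 200",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Matching on the parsed hostname rather than substring-searching the raw URL avoids false positives from query strings, and the apex check matters because the advisory's wildcard refers to ngrok tunnel subdomains, not the vendor's own site.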

Peach Sandstorm attack

In its report, Microsoft said an Iranian gang it believes operates on behalf of the Iranian Islamic Revolutionary Guard Corps is going after American federal and state departments, oil and gas producers, satellite service providers, communications equipment makers, and educational institutions.

It dubbed this gang Peach Sandstorm. Under Microsoft’s naming convention, all groups associated with Iran have the suffix “Sandstorm.”

Its activity “is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operation,” the report said.

Among the gang’s main tactics are password spray attacks. These are attacks that try to authenticate to accounts using a single password or a list of commonly used passwords.

As far back as 2021, targeted individuals were discovered on LinkedIn and possibly then tricked by social engineering lures on the site.

What’s new, Microsoft said, is that, between April and July, Peach Sandstorm has used new tactics. They include leveraging fraudulent Microsoft Azure subscriptions for command and control — Microsoft has alerted affected organizations and disrupted this abuse of Azure — and deploying a new custom multi-stage backdoor Microsoft calls Tickler.

Defenders should watch for an archive file named Network Security.zip, which includes an .exe with the Tickler malware, and for a Trojan dropper named sold.dll.

Here’s another example of Peach Sandstorm tactics detailed by Microsoft: After hacking into a European defense organization, the gang moved laterally using the Windows SMB (Server Message Block) protocol. This protocol, which is used for sharing files, printers, and other resources on a network, has been misused by many threat actors. Microsoft offers this advice to network admins for preventing SMB from being used as an attack tool.

In another attack, against a Middle East-based satellite operator, Peach Sandstorm compromised a user using a malicious ZIP file delivered via a Microsoft Teams message, followed by dropping Active Directory (AD) Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat actors for malicious purposes.

Recommendations

To harden networks against Peach Sandstorm, the report offers a number of recommendations. These include:

  • resetting account passwords and revoking session cookies for any accounts targeted with a password spray attack. Make sure any multifactor authentication setting changes made by an attacker on an account are also revoked;
  • for those using Azure, implement the Azure Security Benchmark;
  • give employees only the access privileges they need for their roles;
  • secure remote access applications such as Windows RDP or Virtual Desktop with MFA.
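The password-spray definition above and the first recommendation (reset passwords and revoke sessions for every account a spray targeted) are two halves of one workflow: spot the spray, then enumerate the accounts it touched. The following is an added example, not code from Microsoft's report or from CSO Online. It reads a constructed sign-in log, flags any source address that produced failed logins against at least five distinct accounts within a sliding window, and reports which of those accounts were targeted and which the same source subsequently signed into. The log format, field names, thresholds and sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in log format:
#   "<ISO-8601 timestamp> user=<name> src=<ip> result=<success|failure>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_auth_line(line: str):
    """Parse one log line into (timestamp, user, src_ip, result); None if malformed."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    return ts, m["user"].lower(), m["src"], m["result"]


def detect_password_spray(lines, window=timedelta(minutes=60), min_users=5):
    """Flag sources whose failures hit >= min_users distinct accounts inside `window`.

    A spray looks like few attempts per account across many accounts from one
    source, which is the opposite shape of a brute force against a single account.
    Returns {src_ip: {"targeted": [...], "succeeded": [...]}}.
    """
    failures = defaultdict(list)  # src -> [(ts, user)]
    successes = defaultdict(set)  # src -> {user}
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, user, src, result = rec
        if result == "failure":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    alerts = {}
    for src, events in failures.items():
        events.sort()
        recent = deque()
        best = set()  # largest set of distinct users seen in any one window
        for ts, user in events:
            recent.append((ts, user))
            while recent[0][0] < ts - window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts[src] = {
                "targeted": sorted(best),            # reset these passwords
                "succeeded": sorted(successes[src]),  # revoke these sessions too
            }
    return alerts


# Constructed sample: one spraying source (five accounts in 20 seconds, then a
# success on a sixth), one ordinary user mistyping their own password a few
# times, and a lone failure from the spray source hours later, outside the window.
SAMPLE_AUTH_LOG = [
    "2024-08-01T09:00:00+00:00 user=alice src=203.0.113.77 result=failure",
    "2024-08-01T09:00:05+00:00 user=bob src=203.0.113.77 result=failure",
    "2024-08-01T09:00:10+00:00 user=carol src=203.0.113.77 result=failure",
    "2024-08-01T09:00:15+00:00 user=dave src=203.0.113.77 result=failure",
    "2024-08-01T09:00:20+00:00 user=erin src=203.0.113.77 result=failure",
    "2024-08-01T09:00:25+00:00 user=frank src=203.0.113.77 result=success",
    "2024-08-01T09:01:00+00:00 user=bob src=10.0.0.4 result=failure",
    "2024-08-01T09:01:10+00:00 user=bob src=10.0.0.4 result=failure",
    "2024-08-01T09:01:20+00:00 user=bob src=10.0.0.4 result=failure",
    "2024-08-01T09:01:30+00:00 user=bob src=10.0.0.4 result=success",
    "2024-08-01T14:00:00+00:00 user=grace src=203.0.113.77 result=failure",
]

if __name__ == "__main__":
    for src, detail in detect_password_spray(SAMPLE_AUTH_LOG).items():
        print(src, detail)
```

The distinct-user count per source is what separates a spray from a brute force: 10.0.0.4 fails four times but against one account, so it never trips the threshold, while 203.0.113.77 is flagged and the "succeeded" list (frank) points to the session that the recommendation says to revoke along with any MFA changes made on it.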
