An Iranian hacking group known as Pioneer Kitten (also tracked as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm) has been working with ransomware groups to compromise and extort organizations across sectors including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is assessed to operate under the auspices of the Iranian government.
The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) recently published a joint cybersecurity advisory warning organizations about the group. The advisory describes the tactics, techniques, and procedures (TTPs) used by Pioneer Kitten, lists indicators of compromise (IoCs), and recommends steps for strengthening defenses against its attacks.
Pioneer Kitten has carried out network intrusions against organizations in the United States, with activity observed as recently as August 2024. The group breaches perimeter defenses to gain a foothold in networks, then monetizes that access by selling domain administrator credentials and full domain control on cybercriminal marketplaces. It has also begun collaborating with affiliates of ransomware-as-a-service (RaaS) operations such as NoEscape, ALPHV/BlackCat, and RansomHouse.
More recently, Pioneer Kitten has moved beyond simply selling compromised network access. It now partners with RaaS affiliates to infiltrate networks, steal data, encrypt files, and extort victims, taking a percentage of the ransom payments in return. Members of Pioneer Kitten use aliases such as Br0k3r and xplfinder when communicating with their criminal partners, concealing their Iranian origins from them. The group also operates under the cover of an Iranian IT firm called Danesh Novin Sahand to disguise its malicious activity.
Pioneer Kitten has a history of hack-and-leak operations and ransom demands, but the FBI assesses that its attacks are not always financially motivated. One example is the 2020 hack-and-leak campaign known as Pay2Key, which was assessed to be an operation aimed at undermining the security of Israel-based cyber infrastructure. Even when an intrusion ends in file encryption, the group is believed to be primarily interested in espionage, collecting sensitive data for the Iranian government. The FBI assesses, however, that the group's ransomware collaborations themselves are likely not sanctioned by the Iranian government.
Pioneer Kitten is known to use the Shodan search engine to find the IP addresses of Internet-facing devices running software with known vulnerabilities, and then to exploit those flaws for initial access. The group has previously targeted Palo Alto Networks PAN-OS and GlobalProtect VPN (CVE-2024-3400), Pulse Secure/Ivanti Connect Secure VPN (CVE-2024-21887), F5 BIG-IP (CVE-2022-1388), and Citrix NetScaler (CVE-2019-19781 and CVE-2023-3519). After gaining access, the group installs remote access tools such as AnyDesk, enables Windows PowerShell Web Access, and uses open-source tunneling tools such as NGROK and Ligolo to create outbound connections to a random subdomain.
The advisory from CISA, the FBI, and DC3 includes IP addresses associated with Pioneer Kitten and urges all organizations to examine their logs for any sign of them. Organizations are advised to promptly patch the vulnerabilities the group is known to exploit and to check their systems for the indicators and TTPs attributed to Pioneer Kitten. Monitoring outbound web requests to suspicious domains, such as *.ngrok[.]io and files.catbox[.]moe, is also recommended. Organizations should further test and validate their security controls against the threat behaviors described in the advisory, which are mapped to the MITRE ATT&CK framework. For healthcare organizations, these actions should form part of the HIPAA compliance effort.
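As an added illustration (not code from the advisory, the agencies, or this article), the following Python script shows the two log checks the advisory recommends: matching egress traffic against a list of indicator IP addresses, and flagging outbound requests to any ngrok.io subdomain or to files.catbox.moe. The proxy log format, the sample log lines, and the indicator IPs are constructed for the example; the IPs are placeholders from the RFC 5737 documentation range, not the advisory's real indicators, and must be replaced with the list published in the advisory.

```python
"""Scan egress/proxy log lines for Pioneer Kitten-related indicators (added example)."""
import re
from dataclasses import dataclass, field

# Placeholder indicator IPs (RFC 5737 documentation range). These are NOT the
# advisory's IOCs; load the advisory's IP list here in real use.
IOC_IPS = frozenset({"192.0.2.10", "198.51.100.77"})

# Outbound destinations the advisory recommends watching: any ngrok.io
# subdomain (random-subdomain tunnels) and files.catbox.moe.
SUSPICIOUS_DOMAINS = (
    re.compile(r"(?:^|\.)ngrok\.io$", re.IGNORECASE),
    re.compile(r"^files\.catbox\.moe$", re.IGNORECASE),
)

# Assumed proxy log layout (constructed for this example):
#   timestamp src_ip dst_ip method host[:port] status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; the malformed last line checks that parsing is robust.
SAMPLE_LOG = """\
2024-08-12T09:14:02Z 10.0.5.21 203.0.113.9 CONNECT 3f2a-bc91.ngrok.io:443 200
2024-08-12T09:14:03Z 10.0.5.21 203.0.113.9 GET www.example.com 200
2024-08-12T09:15:10Z 10.0.7.3 198.51.100.77 POST upload.internal.example:8443 200
2024-08-12T09:16:44Z 10.0.5.21 203.0.113.41 GET files.catbox.moe 200
2024-08-12T09:17:00Z 10.0.9.8 203.0.113.41 GET notngrok.io 200
malformed line here
"""


@dataclass
class Finding:
    line_no: int
    src_ip: str
    dst_ip: str
    host: str
    reasons: list[str] = field(default_factory=list)


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and an explicit port: 'a.ngrok.io:443' -> 'a.ngrok.io'."""
    host = host.lower().rstrip(".")
    if host.startswith("["):  # bracketed IPv6 literal such as [2001:db8::1]:443
        return host.split("]")[0] + "]"
    return host.split(":", 1)[0]


def check_event(src_ip: str, dst_ip: str, host: str) -> list[str]:
    """Return the reasons an event is suspicious (empty list if it is clean)."""
    reasons = []
    if dst_ip in IOC_IPS:
        reasons.append(f"destination {dst_ip} is in the indicator IP list")
    if src_ip in IOC_IPS:
        reasons.append(f"source {src_ip} is in the indicator IP list")
    h = normalize_host(host)
    # The anchored patterns match ngrok.io and its subdomains but not look-alikes
    # such as notngrok.io.
    if any(p.search(h) for p in SUSPICIOUS_DOMAINS):
        reasons.append(f"outbound request to monitored domain {h}")
    return reasons


def scan_log(text: str) -> list[Finding]:
    """Parse each log line and collect the ones that match an indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        reasons = check_event(m["src"], m["dst"], m["host"])
        if reasons:
            findings.append(Finding(n, m["src"], m["dst"], normalize_host(m["host"]), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} -> {f.host} ({f.dst_ip}): " + "; ".join(f.reasons))
```

Run against the constructed sample, the scan flags lines 1 (an ngrok.io tunnel subdomain over CONNECT), 3 (a destination in the placeholder indicator list) and 4 (files.catbox.moe), and ignores the look-alike host on line 5. In production the same matching logic would be run over the organization's real proxy, DNS, and firewall logs with the advisory's indicator list loaded into IOC_IPS.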