Iranian state-sponsored actors known as Pioneer Kitten have evolved into access brokers for ransomware gangs, monetizing network access while conducting espionage aligned with Iranian interests. A joint FBI, CISA, and DC3 advisory urges organizations to patch vulnerabilities and monitor for indicators of compromise to strengthen defenses. #PioneerKitten #LemonSandstorm #xplfinder #ALPHV #BlackCat #NoEscape #Pay2Key #FBI #CISA #DC3
Keypoints
- Iranian state-sponsored actors (e.g., Pioneer Kitten, Lemon Sandstorm) are targeting critical infrastructure in the U.S. and allies, expanding into access brokering for ransomware groups.
- The operations have a dual purpose: monetizing network access for ransomware affiliates and conducting espionage aligned with Iranian government interests.
- Targeted sectors include Education, Finance, Healthcare, and Defense, with adaptive tactics that continuously exploit vulnerabilities in widely used network devices.
- They sell domain control to ransomware groups such as ALPHV/BlackCat and NoEscape, and have engaged in hack-and-leak operations to damage reputations.
- Information warfare activities (hack-and-leak) indicate a strategic shift beyond ransom collection, aiming to pressure targets publicly.
- Authorities urge immediate patching of known CVEs, vigilant monitoring, and review of logs for outbound traffic to suspicious domains as key mitigations.
MITRE Techniques
- [T1596] Search Open Technical Databases – Use Shodan to identify vulnerable internet infrastructure. – “Iranian cyber actors use Shodan (Shodan[.]io) to identify internet infrastructure hosting devices vulnerable to particular CVEs.”
- [T1190] Exploit Public-Facing Application – Scan and exploit public-facing networking devices. – “Scan and exploit public-facing networking devices, including the following devices and associated CVEs: Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519) …”
- [T1133] External Remote Services – Create directories on targeted IP addresses. – “Create directories on targeted IP addresses.”
- [T1505.003] Web Shell – Capture credentials via deployed webshells. – “Capture credentials via deployed webshells.”
- [T1136.001] Create Local Account – Create local accounts on victim networks. – “Create local accounts on victim networks.”
- [T1098] Account Manipulation – Request exemptions to zero-trust applications. – “Request exemptions to zero-trust applications.”
- [T1053] Scheduled Task/Job – Implement scheduled tasks for persistence. – “Implement scheduled tasks for persistence.”
- [T1078.003] Valid Accounts: Local Accounts – Repurpose compromised credentials to log into applications. – “Repurpose compromised credentials to log into applications.”
- [T1078.002] Valid Accounts: Domain Accounts – Repurpose administrative credentials of network admins to log into domain controllers and other infrastructure. – “Repurpose administrative credentials of network admins to log into domain controllers and other infrastructure.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disable antivirus and security software using admin credentials. – “Disable antivirus and security software using admin credentials.”
- [T1562.010] Downgrade Defense: PowerShell Policies – Lower PowerShell policies to a less secure level. – “lower PowerShell policies to a less secure level.”
- [T1056] Input Capture – Capture login credentials via webshells. – “Capture login credentials via webshells.”
- [T1059.001] Command and Scripting – Initiate remote desktop sessions using admin accounts. – “Initiate remote desktop sessions using admin accounts.”
- [T1012] Query Registry – Export registry hives and firewall configurations. – “Export registry hives and firewall configurations.”
- [T1219] Remote Access Software – Install remote access programs like AnyDesk. – “Install remote access programs like AnyDesk.”
- [T1572] Protocol Tunneling – Use tunneling tools for outbound connections. – “Use tunneling tools for outbound connections.”
Indicators of Compromise
- [IP Address] Recent IOCs – 138.68.90[.]19, 167.99.202[.]130, and other 2024 observations (First Seen Jan 2024; Most Recently Observed Aug 2024)
- [IP Address] Recent IOCs – 78.141.238[.]182 (First Seen Jul 2024; Most Recently Observed Aug 2024)
- [Domain] Recent IOCs – api.gupdate[.]net (First Seen Sep 2022; Most Recently Observed Aug 2024), githubapp[.]net (First Seen Feb 2024; Most Recently Observed Aug 2024)
- [Bitcoin Address] Public BTC addresses linked to actors – bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0, bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs
- [IP Address] Historical IOCs – 18.134.0[.]66 (First Seen Sep 2023; Most Recently Observed Nov 2023), 193.149.190[.]248 (First Seen Sep 2023; Most Recently Observed Jan 2024)
- [Domain] Historical IOCs – login.forticloud[.]online, fortigate.forticloud[.]online, cloud.sophos[.]one (observed Oct–Nov 2023)
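The advisory's mitigation advice includes reviewing logs for outbound traffic to the listed domains and IP addresses. The script below is an added example (not part of the original advisory or summary) that shows one way to do that sweep: it refangs the indicators exactly as they appear above, parses a few constructed log lines in an assumed "timestamp source_ip kind destination" layout, and reports every line whose destination resolves to a listed IP or to a listed domain or one of its subdomains. Only the indicators present on this page are included; the log format, the source addresses and the log lines themselves are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Network indicators exactly as listed on this page (defanged with "[.]").
# Assumption: this is only the page's subset, not the advisory's full list.
DEFANGED_DOMAINS = [
    "api.gupdate[.]net",
    "githubapp[.]net",
    "login.forticloud[.]online",
    "fortigate.forticloud[.]online",
    "cloud.sophos[.]one",
]
DEFANGED_IPS = [
    "138.68.90[.]19",
    "167.99.202[.]130",
    "78.141.238[.]182",
    "18.134.0[.]66",
    "193.149.190[.]248",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http").lower()


WATCH_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
WATCH_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed sample logs (assumed layout: "<timestamp> <src_ip> <dns|proxy> <destination>").
SAMPLE_LOGS = [
    "2024-08-12T10:01:03Z 10.0.0.15 dns api.gupdate.net",
    "2024-08-12T10:01:04Z 10.0.0.15 proxy https://api.gupdate.net/check",
    "2024-08-12T10:02:11Z 10.0.0.22 proxy https://www.example.com/",
    "2024-08-12T10:03:40Z 10.0.0.22 proxy 78.141.238.182:443",
    "2024-08-12T10:04:02Z 10.0.0.31 dns githubapp.net.example.com",
    "2024-08-12T10:04:09Z 10.0.0.31 dns update.githubapp.net",
    "2024-08-12T10:05:00Z 10.0.0.40 proxy http://193.149.190.248/login",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<dst>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    kind: str
    dst: str
    indicator: str  # the refanged indicator that matched


def extract_host(dst: str) -> Optional[str]:
    """Pull the host out of a URL, a host:port pair, or a bare host name."""
    if "://" in dst:
        return urlsplit(dst).hostname  # urlsplit lower-cases the host for us
    host = dst.rsplit(":", 1)[0] if dst.count(":") == 1 else dst
    return host.lower() or None


def match_indicator(host: str) -> Optional[str]:
    """Return the indicator a host matches (IP equality or domain suffix), else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return str(addr) if addr in WATCH_IPS else None
    host = host.rstrip(".")
    for dom in WATCH_DOMAINS:
        # Match the domain itself or any subdomain, but not look-alike prefixes
        # such as "githubapp.net.example.com".
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose destination matches a listed indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        host = extract_host(m["dst"])
        if not host:
            continue
        indicator = match_indicator(host)
        if indicator:
            hits.append(Hit(m["ts"], m["src"], m["kind"], m["dst"], indicator))
    return hits


def summarize(hits: Iterable[Hit]) -> Counter:
    """Count hits per indicator, a quick view of which IOCs a network actually touched."""
    return Counter(h.indicator for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.src} {h.kind:5} -> {h.dst}  [matched {h.indicator}]")
    print("per-indicator totals:", dict(summarize(found)))
```

The suffix rule is deliberate: a DNS query for `update.githubapp.net` belongs to the listed domain, while `githubapp.net.example.com` does not, and a plain substring check would flag the second and miss the distinction. A hit is a lead for triage, not proof of compromise on its own; pair it with the source host's process and authentication records, and refresh the indicator lists from the advisory itself, since this page reproduces only part of them.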