On August 28, 2024, the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) issued a joint Cybersecurity Advisory (CSA) to alert U.S. organizations about Iranian-sponsored cyber actors exploiting vulnerabilities to gain network access, which they sell to ransomware affiliates. The FBI warned that the group’s primary objective is to gain full domain control, including administrative credentials, which are sold on cyber marketplaces to ransomware affiliates. The FBI has observed these actors collaborating with ransomware groups to lock down victim networks and devise strategies for extorting victims, often receiving a portion of the ransom payments.
Contact one of our Cybersecurity Fraud Attorneys today to navigate you through the process and help you with your case.
Understanding the Threat Actors
Since 2017, these cyber actors have conducted numerous intrusion and exploitation attacks, targeting U.S. and international schools, municipal governments, financial institutions, and healthcare facilities. One of their primary objectives is to steal sensitive information from countries and organizations aligned with Iran’s state interests, including targets in Israel, Azerbaijan, the UAE, and the U.S. defense sector. This activity has led the FBI to conclude that the group is likely linked to the Iranian government, though the FBI does not believe Iran officially sanctions their ransomware activities.
The group is known by various names in the private sector, including “Pioneer Kitten,” “Fox Kitten,” and “Lemon Sandstorm.” It refers to itself as “Br0k3r” and “xplfinder” in online channels. It also uses the name of the Iranian company Danesh Novin Sahand as a front for its malicious cyber activities.
Understanding the Group’s Tactics, Techniques, and Procedures (TTPs)
These cyber actors begin by conducting reconnaissance on potential victim networks, similar to reconnaissance missions in warfare. In cyberspace, they gather critical information by probing internet-facing assets such as firewalls, intrusion detection systems, and network configurations to assess defenses and identify vulnerabilities for future exploitation.
The FBI has observed the group using tools like Shodan to scan IP addresses hosting Check Point Security Gateways in search of vulnerabilities like CVE-2024-24919. They also perform mass scans of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices, looking for vulnerabilities like CVE-2024-3400. Historically, they have exploited vulnerabilities like CVE-2019-19781 and CVE-2023-3519 in Citrix Netscaler devices, and CVE-2022-1388 in BIG-IP F5 devices. Once they discover vulnerable assets, they attempt to exploit them to gain initial network access.
After gaining access, the attackers use webshells on compromised Netscaler devices to capture login credentials. If the victim patches the vulnerability, the attackers quickly deploy additional webshells to maintain access. Once persistent access is established, the group creates new local accounts with names like “sqladmin$,” “adfsservice,” “IIS_Admin,” and “John McCain.” They then request exemptions from zero-trust security policies for their tools. To ensure ongoing access, the attackers install backdoors and schedule malicious tasks, including malware deployment. They also escalate privileges, disable security software, and attempt to white-list their tools using compromised administrator credentials.
Collaborating with Ransomware Affiliates
Once the network is fully infiltrated, the group works with ransomware affiliates, such as NoEscape, Ransomhouse, and ALPHV (BlackCat), to execute ransomware attacks. In addition to collaborating on ransomware strategies, the group steals sensitive data from the victim’s network, likely in support of Iran’s state agenda.
Mitigation Actions
The FBI and CISA have recommended that all organizations implement the following mitigations:
- Review audit logs for the IP addresses provided in the advisory to detect potential traffic within the organization’s network.
- Check for historical activity or incidents related to the indicators provided in the alert.
- Apply patches for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519, though patching alone may not fully mitigate existing compromises.
- Look for unique identifiers and TTPs used by these actors on compromised networks.
- Monitor for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io.
If your organization suspects a compromise, it can (and should!) report the incident to the FBI’s Internet Crime Complaint Center (IC3) or your local FBI Field Office.
Additionally, report suspicious or malicious cyber activity to CISA via its Incident Reporting Form, 24/7 Operations Center (report@cisa.gov), or by calling 1-844-Say-CISA (1-844-729-2472). When reporting, include the date, time, and location of the incident, type of activity, number of affected individuals, equipment used, and a designated point of contact.
Using the FCA to Report an Organization’s Failure to Protect Government and Personal Data
What if your organization does not even have audit logs to review, has no one monitoring for intrusions, and has failed to implement basic cybersecurity provisions—despite your warnings and warnings like these from the FBI and CISA?
The Department of Justice’s Civil Cyber Fraud initiative exists to leverage the False Claims Act and whistleblowers to root out companies who do not properly protect customer’s Personal Health Information (PHI), government IP, Controlled Unclassified Information (CUI), or other sensitive data despite its obligation to do so. If you have been fighting this battle at your organization, knowing that threat actors like these are active and malicious is probably keeping you awake at night. Let us help.
Contact us for a free consultation that focuses on whether the violations you are seeing are actionable, what you can do to report it, what protections exist, and how to navigate the process. We are here and ready to help you sleep well again!