Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools
Firewalls and VPNs being used to crack into networks
Firewalls and VPNs are being used as a point of entry for Iranian state-sponsored hackers, tracked as Pioneer Kitten, looking to gain access to American schools, banks, hospitals, defense sector firms, and government agencies.
The attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA).
Pioneer Kitten’s objectives are likely to be intelligence gathering operations to steal data from US defense contractors in line with the wider aims of the Iranian government, as well as fundraising by providing access to ransomware groups.
State-sponsored hackers team up with ransomware gangs
“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory says.
Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) has been observed working with ransomware groups ALPHV/BlackCat, NoEscape, and Ransomhouse to provide access to their targets.
The group has been exploiting a number of known vulnerabilities, including CVE-2024-24919 in Check Point Security Gateways and CVE-2024-3400 in unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally as it goes. The group has also been targeting organizations based in Israel, the United Arab Emirates and Azerbaijan.
Another Iranian state-sponsored group has also been acting on behalf of the Iranian Islamic Revolutionary Guards Corps to gather intelligence on US satellite communications using a custom-built malware dubbed Tickler.
“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the statement continued. “The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims.”
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.