A recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3) warns of increased collaboration between Pioneer Kitten, an Iranian state-backed threat actor, and various ransomware groups.
The advisory highlights how Iranian threat actors are leveraging relationships with affiliates of NoEscape, Ransomhouse and the defunct ALPHV/ BlackCat to launch attacks more efficiently. The threat actors obtain and develop network access in support of the Government of Iran, then work with ransomware affiliates to deploy ransomware in exchange for a portion of proceeds gained from the attacks.
By exploiting vulnerabilities in widely used software, the threat actors gain initial access to networks, exfiltrate data, and then deploy ransomware. Common entry points include internet-facing assets such as unpatched VPNs and firewalls. These threat actors have recently exploited Citrix Netscaler vulnerabilities, Ivanti VPNs, Palo Alto Networks firewalls, and cloud computing resources.
The collaboration between these hacking groups and ransomware gangs underscores the growing sophistication of cyber threats. CISA’s advisory recommends that organizations patch all known vulnerabilities and regularly monitor and log suspicious network activities. The advisory also includes specific information organizations should watch out for including:
- A list of IP addresses and domain identifiers recently used by the threat actors;
- A list of tactics, techniques, and procedures used by the actors when operating on compromised networks;
- Known CVE vulnerabilities that have been exploited; and
- A list of bitcoin address values observed to be associated with the threat actors.