Iranian State-Sponsored Hackers Have Become Access Brokers for Ransomware Gangs
2024-9-5 19:31:22 Author: cyble.com(查看原文) 阅读量:12 收藏

Iranian state-backed actors operating under aliases like “Pioneer Kitten” are increasingly targeting critical infrastructure – and expanding their activities into brokering access for ransomware affiliates.

Key Takeaways

  • A group of Iranian state-sponsored hackers has evolved into access brokers for ransomware gangs, targeting critical U.S. and allies’ sectors like education, finance, healthcare, and defense.
  • The FBI, CISA, and DC3 have issued a joint advisory highlighting the dual nature of these threat actors’ activities, which include both monetizing network access and conducting espionage aligned with Iranian government interests.
  • The hackers, known by names like “Pioneer Kitten” and “Lemon Sandstorm,” are highly adaptive, continuously evolving their methods to exploit vulnerabilities in widely used network devices and selling domain control to ransomware groups like ALPHV (BlackCat) and NoEscape.
  • Beyond ransomware, the group has engaged in hack-and-leak operations aimed at causing reputational damage rather than securing a ransom, signaling a shift towards information warfare.
  • The advisory urges organizations to patch known vulnerabilities immediately, stay vigilant, and monitor for indicators of compromise, including unauthorized installs and outbound traffic to suspicious domains.

Overview

They move silently across networks, leveraging every vulnerability left unpatched, exploiting gaps with surgical precision. The group of Iran-based threat actors—active since at least 2017—has become a persistent and formidable threat, targeting U.S. organizations across vital sectors such as education, finance, healthcare, and defense. These cybercriminals aren’t just isolated hackers; they operate with a level of sophistication that suggests state sponsorship, and their ultimate goals are far-reaching and deeply concerning.

The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have issued a joint advisory warning about these Iran-based actors. Their operations reveal a dual purpose: monetizing network access by collaborating with ransomware affiliates and engaging in espionage activities aligned with Iranian government interests. U.S. organizations, particularly those in critical infrastructure, are urged to take action and bolster their defenses.

Technical Details

The threat group, known by various names like “Pioneer Kitten,” “Fox Kitten,” “Lemon Sandstorm,” and more recently, “xplfinder,” has demonstrated adaptability in its tactics. From exploiting vulnerabilities in widely used network devices to selling domain control privileges on dark web marketplaces, they have continuously evolved their methods to stay ahead of defensive measures.

Their modus operandi involves not just gaining access but maintaining it—often for future ransomware attacks. They offer full domain control to ransomware groups like ALPHV (also known as BlackCat) and NoEscape, receiving a cut from the ransom payments. These actors are not only gatekeepers to compromised networks but active participants in planning and executing ransomware campaigns.

The group’s tactics extend beyond traditional cybercrime. In some instances, they’ve conducted hack-and-leak operations, where they publicly expose sensitive information to destabilize and pressure their targets. The Pay2Key campaign in 2020, which targeted Israeli organizations, is one such example. By leaking stolen data on the dark web and tagging media outlets, they aimed to cause reputational damage rather than secure a ransom, signaling a strategic shift towards information warfare.

In addition to Israel, Azerbaijan and the UAE have also been targets.

The threat actors’ methods are mapped meticulously to the MITRE ATT&CK framework—a widely recognized matrix that categorizes cyberattack tactics and techniques. Initial intrusions often occur through internet-facing assets like firewalls and VPNs, with the group exploiting known vulnerabilities such as CVE-2024-3400 in Palo Alto Networks’ PAN-OS. Once inside, they use tools like Shodan to identify vulnerable devices and deploy webshells to capture credentials, laying the groundwork for deeper infiltration.

The TAs have also mastered persistence by deploying backdoors and creating new user accounts, often masquerading as legitimate services. Their ability to evade detection and maintain long-term access makes them particularly dangerous, as they can strike at any time, often when least expected.

The FBI and CISA advisory provides a detailed list of indicators of compromise (IOCs) and recommendations for mitigating the threat posed by these actors. Organizations are urged to apply patches for known vulnerabilities immediately and review their logs for signs of compromise, particularly looking for outbound traffic to suspicious domains. The use of tools like NGROK for tunneling and Ligolo for maintaining remote access requires constant network scrutiny to detect unauthorized activities.

Conclusion

The evolving tactics of these Iran-based cyber actors highlight the growing complexity and danger of cyber threats today. Organizations in the U.S. and allied countries must not only defend against ransomware but also be prepared for state-sponsored espionage and information warfare. As the line between criminal and nation-state activities blurs, the stakes for cybersecurity have never been higher.

For those in critical sectors, the time to act is now.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 9 for all referenced threat actor tactics and techniques.

1. Reconnaissance
Technique TitleIDUse or Assessed Use
Search Open Technical DatabasesT1596Iranian cyber actors use Shodan (Shodan[.]io) to identify internet infrastructure hosting devices vulnerable to particular CVEs.
2. Initial Access
Technique TitleIDUse or Assessed Use
Exploit Public-Facing ApplicationT1190Iranian cyber actors scan and exploit public-facing networking devices, including the following devices and associated CVEs: Citrix Netscaler (CVEs-2019-19781 and CVE-2023-3519) F5 BIG-IP (CVE-2022-1388) Pulse Secure/Ivanti VPNs (CVE-2024-21887) PanOS firewalls (CVE-2024-3400) Check Point Security Gateways (CVE-2024-24919)
External Remote ServicesT1133Iranian cyber actors create /xui/common/images/ directory on targeted IP addresses.
3. Persistence
Technique TitleIDUse or Assessed Use
Server Software Component: Web ShellT1505.003Iranian cyber actors capture login credentials on compromised Netscaler devices via deployed webshell; create a directory on Netscaler devices for webshell deployment; deploy webshells on compromised Netscaler devices in two directories (observed closely after system owning patching); and place the malicious backdoor version.dll.
Create Account (Local Account)T1136.001Iranian cyber actors create local accounts on victim networks.
Account ManipulationT1098Iranian cyber actors request exemptions to zero-trust application for tools they intend to deploy.
Scheduled Task/JobT1053Iranian cyber actors implement a scheduled task that uses a DLL side-loading technique and a scheduled task that loads malware through back doors.
Server Software ComponentT1505Iranian cyber actors implement the daily creation of a Windows service task for persistence as detection and mitigation occur.
4. Privilege Escalation
Technique TitleIDUse or Assessed Use
Valid Accounts: Local AccountsT1078.003Iranian cyber actors repurpose compromised credentials (e.g., from a Netscaler device) to log into other applications.
Valid Accounts: Domain AccountsT1078.002Iranian cyber actors repurpose administrative credentials of network admins to log into domain controllers and other infrastructure.
5. Defense Evasion
Technique TitleIDUse or Assessed Use
Impair Defenses: Disable or Modify ToolsT1562.001Iranian cyber actors use administrator credentials to disable antivirus and security software.
Impair Defenses: Disable or Modify ToolsT1562.001Iranian cyber actors attempt to enter security exemption tickets to the network security device or contractor to get their tools allowlisted.
Impair Defenses: Downgrade AttackT1562.010Iranian cyber actors lower PowerShell policies to a less secure level.
6. Credential Access
Technique TitleIDUse or Assessed Use
Input CaptureT1056 Iranian cyber actors capture login credentials on compromised Netscaler devices via a deployed webshell.
7. Execution
Technique TitleIDUse or Assessed Use
Command and ScriptingT1059.001Iranian cyber actors use an admin account to initiate a remote desktop session to start Microsoft Windows PowerShell ISE.
Command and Scripting InterpreterT1059.001Iranian cyber actors enable servers to use Windows PowerShell Web Access.
8. Discovery
Technique TitleIDUse or Assessed Use
Query RegistryT1012Iranian cyber actors export registry hives and network firewall configurations.
Domain Trust DiscoveryT1482Iranian cyber actors exfiltrate account usernames from the domain controller and access configuration files and logs.
 9. Command and Control
Technique TitleIDUse or Assessed Use
Remote Access SoftwareT1219Iranian cyber actors install “AnyDesk” remote access program. Iranian cyber actors deploy Meshcentral to connect with compromised servers for remote access.
Protocol TunnelingT1572Iranian cyber actors use ligolo / ligolo-ng for open source tunneling and ngrok[.]io NGROK to create outbound connections to a random subdomain.

Indicators of Compromise (IOCs)

List of public-facing networking devices exploited and associated CVEs:

  • Citrix Netscaler (CVEs-2019-19781 and CVE-2023-3519)
  • F5 BIG-IP (CVE-2022-1388)
  • Pulse Secure/Ivanti VPNs (CVE-2024-21887)
  • PanOS firewalls (CVE-2024-3400)
  • Check Point Security Gateways (CVE-2024-24919)

Check for unauthorized install of:

  •  “AnyDesk” remote access program
  •  Meshcentral
  • Open source tunneling tool Ligolo (ligolo/ligolo-ng)
  • ngrok[.]io NGROK to create outbound connections to a random subdomain

IP Address and Domain Identifiers

The IP addresses and domains listed below were observed in use by the threat actors in the specified timeframes in 2024.

Recent IOCs
IndicatorFirst SeenMost Recently Observed Date
138.68.90[.]19January 2024August 2024
167.99.202[.]130January 2024August 2024
78.141.238[.]182July 2024August 2024
51.16.51[.]81January 2024August 2024
51.20.138[.]134February 2024August 2024
134.209.30[.]220March 2024August 2024
13.53.124[.]246February 2024August 2024
api.gupdate[.]netSeptember 2022August 2024
githubapp[.]netFebruary 2024August 2024

The table below reflects historical IP addresses and domains associated with these actors.

Historical IOCs
IndicatorFirst SeenMost Recently Observed Date
18.134.0[.]66September 2023November 2023
193.149.190[.]248September 2023January 2024
45.76.65[.]42September 2023December 2023
206.71.148[.]78October 2023January 2024
193.149.187[.]41October 2023November 2023
login.forticloud[.]onlineOctober 2023November 2023
fortigate.forticloud[.]onlineOctober 2023November 2023
cloud.sophos[.]oneOctober 2023November 2023

The FBI also listed the bitcoin addresses linked to the Iranian threat actors:

  • bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0
  • bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs
  • bc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh
  • bc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky
  • bc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp
  • bc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc
  • bc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr
  • bc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne
  • bc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq
  • bc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm
  • bc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8
  • bc1q6w2an66vrje747scecrgzucw9ksha66x9zt980
  • bc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9
  • bc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489

Related


文章来源: https://cyble.com/blog/iranian-state-sponsored-hackers-have-become-access-brokers-for-ransomware-gangs/
如有侵权请联系:admin#unsafe.sh