Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools

[Image: Technology background with national flag of Iran. Image credit: Shutterstock / HTGanzo]

Firewalls and VPNs are being used as a point of entry for Iranian state-sponsored hackers, tracked as Pioneer Kitten, looking to gain access to American schools, banks, hospitals, defense sector firms, and government agencies.

The attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA).

Pioneer Kitten’s objectives are likely to be intelligence gathering operations to steal data from US defense contractors in line with the wider aims of the Iranian government, as well as fundraising by providing access to ransomware groups.

State-sponsored hackers team up with ransomware gangs

“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory says.

Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) has been observed working with ransomware groups ALPHV/BlackCat, NoEscape, and Ransomhouse to provide access to their targets.

The group has been exploiting a number of known vulnerabilities, such as CVE-2024-24919 to compromise devices running Check Point Security Gateways, and CVE-2024-3400 to take advantage of unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally as they go. The group has also been targeting organizations based in Israel, the United Arab Emirates and Azerbaijan.

Another Iranian state-sponsored group has also been acting on behalf of the Iranian Islamic Revolutionary Guards Corps to gather intelligence on US satellite communications using a custom-built malware dubbed Tickler.

The statement continued: “The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims.”


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
