Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools

Firewalls and VPN appliances are being used as the point of entry by Iranian state-sponsored hackers, tracked as Pioneer Kitten, looking to gain access to American schools, banks, hospitals, defense sector firms, and government agencies.

The attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA).

Pioneer Kitten’s objectives are likely twofold: intelligence-gathering operations to steal data from US defense contractors, in line with the wider aims of the Iranian government, and fundraising by selling access to ransomware groups.

State-sponsored hackers team up with ransomware gangs

“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory says.

Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) has been observed working with the ransomware groups ALPHV/BlackCat, NoEscape, and RansomHouse, providing them with access to its victims.

The group has been exploiting a number of known vulnerabilities in internet-facing devices, including CVE-2024-24919, an arbitrary file read in Check Point Security Gateways, and CVE-2024-3400, a command injection in unpatched Palo Alto Networks PAN-OS GlobalProtect VPNs, then disabling antivirus and moving laterally once inside. The group has also been targeting organizations based in Israel, the United Arab Emirates and Azerbaijan.
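Both edge-device bugs named above are publicly documented as being triggered by path-traversal sequences carried in an HTTP request component (a request body in the Check Point case, a session cookie in the PAN-OS case), so a first triage pass over the appliance's web access logs is to look for `..` segments that survive URL-decoding. The script below is an added example, not code from the article or the FBI/CISA advisory; the key=value log format, the endpoint paths and the five log lines are all constructed for illustration and must be adapted to a real appliance's export.

```python
import re
from urllib.parse import unquote

# Constructed sample of edge-device web access logs in a simple key=value
# format. The format, paths and addresses are assumptions made for this
# example; adapt parse_line() to your appliance's real log export.
SAMPLE_LOG = """\
ts=2024-08-28T10:01:02Z src=203.0.113.7 method=POST path=/vpn/crl status=200 body="../../../../../../etc/passwd"
ts=2024-08-28T10:03:15Z src=198.51.100.23 method=GET path=/portal/report status=200 cookie="SESSID=/../../../var/www/portal/css/x.txt"
ts=2024-08-28T10:04:40Z src=192.0.2.55 method=GET path=/portal/login status=200 cookie="SESSID=7f3a9c"
ts=2024-08-28T10:05:01Z src=192.0.2.9 method=GET path=/static/%252e%252e/%252e%252e/etc/hosts status=404
ts=2024-08-28T10:06:13Z src=192.0.2.77 method=POST path=/vpn/crl status=200 body="CRL-Request=1"
"""

# key=value pairs; a double-quoted value may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict of field name -> raw value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def normalise(value: str, max_rounds: int = 3) -> str:
    """Undo nested URL-encoding (%252e -> %2e -> .) and unify path separators,
    so that an encoded traversal is judged on its decoded form."""
    out = value
    for _ in range(max_rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/")

# A ".." path segment bounded by separators or by the ends of the string.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")

def traversal_fields(entry: dict) -> list:
    """Return the names of the request components that carry a traversal
    sequence after decoding: path, cookie and body are all checked because
    different appliance bugs read the attacker-controlled value from different
    places."""
    return [f for f in ("path", "cookie", "body")
            if entry.get(f) and TRAVERSAL.search(normalise(entry[f]))]

def triage(log_text: str) -> list:
    """Return (src, method, path, suspicious_fields) for every request in
    log_text that contains a traversal sequence, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        fields = traversal_fields(entry)
        if fields:
            findings.append((entry.get("src"), entry.get("method"),
                             entry.get("path"), fields))
    return findings

if __name__ == "__main__":
    for src, method, path, fields in triage(SAMPLE_LOG):
        print(f"{src} {method} {path}: traversal in {', '.join(fields)}")
```

Two caveats a responder should keep in mind: a 404 on a traversal attempt (the fourth line) is still worth recording, since it shows the source probing, and a clean log is not proof of a clean device, because the appliance may only log the request line and not the cookie or body where the traversal actually sits. Where the exploited bug was a file read, any credentials stored on the device should be treated as exposed and rotated regardless of whether the patch has since been applied.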

A separate Iranian state-sponsored group has also been acting on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) to gather intelligence on US satellite communications, using a custom-built malware dubbed Tickler.

“The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization,” the advisory continued. “The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims.”

Benedict Collins
Staff Writer (Security)
