A new joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) has revealed updated details about the Iran-based cyber threat group known as Fox Kitten.

Fox Kitten, known for selling compromised corporate access on underground cybercriminal forums, collaborates with ransomware affiliates to further exploit their victims. Recently, the group has targeted organizations in the U.S. and abroad.

Also referred to as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, Fox Kitten has been engaged in cyberespionage since at least 2017. According to the FBI, this group is linked to the Iranian government and is involved in stealing sensitive technical data from various organizations. Their targets have included entities in Israel, Azerbaijan, Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the U.S., and potentially more.

Fox Kitten has conducted numerous network intrusion attempts against U.S. entities since 2017, focusing on schools, municipal governments, financial institutions, and healthcare facilities, with incidents reported as recently as August 2024. Dragos, an OT cybersecurity firm, noted that the group has also attacked industrial control system (ICS) entities by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.

The advisory noted that Fox Kitten operates under the guise of an Iranian company, Danesh Novin Sahand, which likely serves as a front for their malicious activities.

In 2020, Fox Kitten led "Pay2Key," an operation that demonstrated the group's capabilities beyond cyberespionage. Israeli-based ClearSky Cyber Security reported that ransomware attacks during this campaign targeted Israeli organizations with a previously unknown ransomware, likely as a propaganda effort to incite fear and panic. Stolen data was leaked online with messages such as "Pay2Key, Israel cyberspace nightmare!"

A 2020 report by CrowdStrike revealed that Fox Kitten also advertised access to compromised networks on underground forums, suggesting a diversification of their revenue streams alongside their government-backed intrusions.

Fox Kitten collaborates with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing them with full network access in exchange for a share of the ransom. Beyond just access, Fox Kitten assists ransomware affiliates in locking victim networks and devising extortion strategies. However, the group remains vague about their Iran-based origin to their ransomware partners.

The joint advisory notes that the group often uses the aliases “Br0k3r” and “xplfinder” in their operations throughout 2024.

Fox Kitten uses the Shodan search engine to locate devices with vulnerabilities in specific technologies, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPNs, or PanOS firewalls. Once these vulnerabilities are exploited, they:

Fox Kitten promotes its access sales through a Tor-hosted website on various cybercriminal forums. The group's first website version highlighted sales that included full-domain control, domain admin credentials, Active Directory user credentials, DNS zones, and Windows Domain trusts.

To protect against Fox Kitten, organizations should: