A new joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) has revealed updated details about the Iran-based cyber threat group known as Fox Kitten.
Fox Kitten, known for selling compromised corporate access on underground cybercriminal forums, collaborates with ransomware affiliates to further exploit their victims. Recently, the group has targeted organizations in the U.S. and abroad.
Also referred to as Pioneer Kitten, UNC757, Parasite, Rubidium, and Lemon Sandworm, Fox Kitten has been engaged in cyberespionage since at least 2017. According to the FBI, this group is linked to the Iranian government and is involved in stealing sensitive technical data from various organizations. Their targets have included entities in Israel, Azerbaijan, Australia, Finland, Ireland, France, Germany, Algeria, Turkey, the U.S., and potentially more.
Fox Kitten has conducted numerous network intrusion attempts against U.S. entities since 2017, focusing on schools, municipal governments, financial institutions, and healthcare facilities, with incidents reported as recently as August 2024. Dragos, an OT cybersecurity firm, noted that the group has also attacked industrial control system (ICS) entities by exploiting vulnerabilities in Virtual Private Network (VPN) appliances.
The advisory noted that Fox Kitten operates under the guise of an Iranian company, Danesh Novin Sahand, which likely serves as a front for their malicious activities.
In 2020, Fox Kitten led "Pay2Key," an operation that demonstrated the group's capabilities beyond cyberespionage. Israeli-based ClearSky Cyber Security reported that ransomware attacks during this campaign targeted Israeli organizations with a previously unknown ransomware, likely as a propaganda effort to incite fear and panic. Stolen data was leaked online with messages such as "Pay2Key, Israel cyberspace nightmare!"
A 2020 report by CrowdStrike revealed that Fox Kitten also advertised access to compromised networks on underground forums, suggesting a diversification of their revenue streams alongside their government-backed intrusions.
Collaboration with Ransomware Affiliates
Fox Kitten collaborates with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing them with full network access in exchange for a share of the ransom. Beyond just access, Fox Kitten assists ransomware affiliates in locking victim networks and devising extortion strategies. However, the group remains vague about their Iran-based origin to their ransomware partners.
The joint advisory notes that the group often uses the aliases “Br0k3r” and “xplfinder” in their operations throughout 2024.
Technical Details
Fox Kitten uses the Shodan search engine to locate devices with vulnerabilities in specific technologies, such as Citrix Netscaler, F5 Big-IP, Pulse Secure/Ivanti VPNs, or PanOS firewalls. Once these vulnerabilities are exploited, they:
- Install web shells and capture login credentials, adding backdoor malware to maintain access.
- Create new accounts with discreet names like “IIS_Admin” or “sqladmin$” on the compromised networks.
- Gain control of administrative credentials to infiltrate domain controllers and other critical infrastructure components, often disabling existing security measures.
- The advisory also lists several indicators of compromise, including the TOX identifiers for “Br0k3r,” which the SANS Institute previously exposed in 2023 as an Initial Access Broker selling access to networks in multiple countries, including the U.S., Canada, China, the U.K., France, Italy, Norway, Spain, India, Taiwan, and Switzerland. The U.S. remains a primary target, being the most ransomware-affected country as per MalwareBytes.
Fox Kitten promotes its access sales through a Tor-hosted website on various cybercriminal forums. The group's first website version highlighted sales that included full-domain control, domain admin credentials, Active Directory user credentials, DNS zones, and Windows Domain trusts.
How to Protect Your Business from Fox Kitten
To protect against Fox Kitten, organizations should:
- Regularly update and patch VPNs, firewalls, operating systems, and software.
- Monitor access to VPNs for unusual connections or attempts and use filtering to restrict access.
- Analyze log files for any indicators of compromise mentioned in the advisory and investigate immediately.
- Deploy security solutions across all endpoints and servers to detect suspicious activity.
- The FBI and CISA advise against paying ransoms, as there's no guarantee of file recovery and payments could fund further criminal activities.
