Iran’s ‘Fox Kitten’ Group Aids Ransomware Attacks on US Targets

A joint advisory from CISA and the FBI described the behavior as likely an attempt by the group to commercialize access to networks it has already penetrated.


“A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks,” cautioned both the FBI and CISA. “The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide.”

Fox Kitten, also tracked as Pioneer Kitten, UNC757, Parisite, Lemon Sandstorm, and Rubidium, is a well-known threat actor followed by several security vendors. According to CrowdStrike, the outfit most likely works as a contractor for the Iranian government and has been operating since 2017. The FBI and CISA believe the group conducts its cyber-espionage and other intelligence-gathering activities for Tehran under the cover of the Iranian business Danesh Novin Sahand.

Microsoft, which tracks Fox Kitten as Rubidium, identified the threat actor in 2021 as one of six Iranian state-backed groups carrying out destructive, disruptive, and information-theft operations against US organizations. Earlier this year, Securin named Fox Kitten as one of the threat actors most actively exploiting vulnerabilities in VPNs and other remote-access devices from various vendors.

According to this week’s CISA-FBI advisory, Fox Kitten gives the operators of ransomware variants including ALPHV (also known as BlackCat), Ransomhouse, and NoEscape early access to infected networks in exchange for a portion of whatever ransom they manage to collect. The Iranian threat group has frequently collaborated with ransomware groups to encrypt victim networks and has developed extortion schemes with them. According to the FBI, actors from Fox Kitten are interacting with ransomware actors without revealing their whereabouts or connections to Iran.

The threat actor's attacks may be aided by the fact that numerous businesses have not addressed some of the vulnerabilities Fox Kitten is targeting. For example, a Tenable investigation found that only about half of all assets affected by two of the vulnerabilities Fox Kitten is targeting, CVE-2019-19781 and CVE-2022-1388, have been patched. Given that Shodan.io, a search engine for locating Internet-connected devices, lists tens of thousands of potentially vulnerable devices for each of the key technologies, it is not surprising that threat actors are using these vulnerabilities to gain initial access.
