Fox Kitten APT Continues to Exploit U.S. and Foreign Organizations, New Infrastructure Revealed
Censys conducted an independent investigation of the IOC profiles mentioned in the FBI/CISA report. Their research identified new patterns in the threat group’s infrastructure that could indicate previously undetected hosts linked to Fox Kitten
Introduction
On August 28, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory (CSA). The advisory warned that as of August 2024, Iran-based threat group “Fox Kitten” continues to target U.S. and foreign organizations using known vulnerabilities to gain access to sensitive networks.
The report included 17 Indicators of Compromise (IOCs) with detailed information on affected hosts and domains but advised defenders to investigate these indicators before taking action, cautioning that automatic blocking may not always be effective.
Report Overview
Leveraging their global internet scanning capabilities, Censys conducted an independent investigation of the IOC profiles mentioned in the FBI/CISA report. Their research identified new patterns in the threat group’s infrastructure that could indicate previously undetected hosts linked to Fox Kitten. This analysis also revealed new active hosts that share characteristics with those outlined in the advisory, including matching domains and Autonomous Systems (AS).
Among their findings, Censys reported two active hosts that appear to match domain IOCs and AS patterns from Hosts D, E, and G in the advisory. These hosts show unusual patterns of behaviour and open services/ports, which may signify involvement in future attacks. Additionally, Censys identified timeframes outside the official report that reveal potential activity from Fox Kitten that predates the listed dates.
Insights and Analysis
Censys’ investigation focused on unique host patterns connected to the IOCs in the advisory, which included analyzing certificates and IPs linked to the reported domains. A common characteristic among these hosts is a high number of open HTTP ports, many of which are associated with software such as Ivanti Connect Secure, F5 BIG-IP, and JetBrains Team City. These findings suggest the hosts may have been configured to lure threat hunters or internet scanners.
Several IOCs in the advisory were found to have been active for periods longer than initially reported, indicating that some attacks might have started earlier than August 2024. For example, Host C was observed as early as May 2024, although the CSA lists its first appearance in July.
The Censys report also uncovered three domain IOCs active on current infrastructure that were not mentioned in the official advisory. This includes one domain, githubapp[.]net, which remains active on several hosts that share ASNs with the hosts listed in the FBI/CISA report.
The ability of Fox Kitten to continually adapt and build new infrastructure poses ongoing challenges for defenders. The reuse of certain Autonomous Systems, geolocations, and certificates across multiple hosts suggests that the group has been able to evade detection by modifying their attack infrastructure incrementally.
Organizations that could be affected by these attacks include those in critical infrastructure sectors, financial institutions, and government networks. The discovery of new IOCs connected to Fox Kitten highlights the persistent risk posed by advanced persistent threat (APT) groups and the need for vigilant network monitoring.
Censys emphasized that while the active hosts they discovered may not yet have been used in attacks, their unusual characteristics and proximity to known Fox Kitten infrastructure make them worthy of inclusion in defenders’ watchlists. The research highlighted the importance of looking beyond the specific IOCs mentioned in advisories and taking a more holistic approach to monitoring potential threat vectors.
- Investigate Hosts: Organizations should investigate the hosts and domains identified in the advisory, including those newly discovered by Censys, to determine if they are part of Fox Kitten’s infrastructure.
- Monitor for Activity: Security teams should closely monitor for any activity involving IOCs from the CSA as well as the additional hosts identified by Censys. This includes monitoring certificates and open ports commonly associated with Fox Kitten attacks.
- Use Dynamic Threat Detection: Leveraging dynamic threat detection methods that analyze host profiles over time can help defenders detect infrastructure changes used by APT groups like Fox Kitten.
Conclusion
Fox Kitten remains an active and evolving threat to both U.S. and foreign organizations. By analyzing patterns in IPs, domains, and certificates, Censys has uncovered new hosts that appear to be linked to the group, offering defenders the chance to stay one step ahead. Ongoing monitoring and investigation of these indicators will be key to mitigating the risks posed by Fox Kitten’s infrastructure.
The Censys report underscores the importance of continuous threat hunting and highlights the evolving tactics used by APT groups to evade detection. Organizations are encouraged to use this information to update their security policies and threat detection strategies.
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
| api.gupdate[.]net | Domain | Observed in forward DNS records of Host C, possibly related to Fox Kitten infrastructure. |
| githubapp[.]net | Domain | Active on Host G and others, coincides with Fox Kitten activity. |
| login.forticloud[.]online | Domain | No current observation but linked to Fox Kitten IOCs through certificate names. |
| fortigate.forticloud[.]online | Domain | Not observed historically, linked through matching certificate patterns on related hosts. |
| cloud.sophos[.]one | Domain | Seen on Host K, aligns with Fox Kitten’s identified infrastructure. |
| 64.176.165[.]17 | IP Address | Active host not mentioned in the advisory but shares AS and patterns with Fox Kitten IOCs. |
| 70.34.218[.]77 | IP Address | Active host with similar characteristics to known Fox Kitten hosts. |
| 18.130.251[.]165 | IP Address | Active host, similar infrastructure patterns identified by Censys. |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Fox Kitten is known to exploit publicly available applications. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Fox Kitten has been observed obfuscating host details and infrastructure. |
| Persistence | Valid Accounts | T1078 | Likely use of valid accounts to maintain access once compromised. |
References
Rachel Hannenberg
Comments ()