Iran-Based Cyber Actors Enabling Ransomware Attacks on US Organizations

Iran-based cyber actors believed to be affiliated with the Government of Iran (GOI) have been conducting cyber intrusions against US organizations and selling the resulting network access to ransomware affiliates.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)

Introduction

On August 28, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued a joint Cybersecurity Advisory (CSA) warning about ongoing malicious activities by Iran-based cyber actors. These actors, believed to be affiliated with the Government of Iran (GOI), have been conducting cyber intrusions targeting US organizations across multiple sectors, including education, finance, healthcare, and defence. Their activities are primarily aimed at obtaining and maintaining access to networks, which are then leveraged by ransomware affiliates to deploy encryption attacks.

Report Overview

The Iran-based cyber actors, known by names such as Pioneer Kitten, Fox Kitten, and UNC757, have been active since 2017. Their operations have consistently targeted organizations in the United States and other countries like Israel, Azerbaijan, and the United Arab Emirates. The FBI’s analysis indicates that a significant portion of these operations is focused on providing network access to ransomware affiliates, facilitating encryption operations in exchange for a share of ransom payments.

The actors employ a variety of tactics, techniques, and procedures (TTPs) to gain initial access, persist, and evade detection on victim networks. They frequently exploit vulnerabilities in internet-facing devices, such as Citrix Netscaler, F5 BIG-IP, and Palo Alto Networks GlobalProtect VPN devices. Once inside, they deploy webshells, capture credentials, and create malicious accounts to establish long-term access.

The group’s recent activity has included mass scanning for vulnerabilities in Check Point Security Gateways and Palo Alto Networks devices. They have been observed using the Shodan search engine to identify targets and deploying NGROK and Ligolo to tunnel traffic and maintain command and control (C2) over compromised systems. The FBI has also reported the group’s use of legitimate remote-access software, the open-source MeshCentral and the commercial AnyDesk, to keep a foothold that blends in with normal administrative traffic.

The consequences of these intrusions are severe. Victim organizations face the threat of ransomware attacks, data theft, and prolonged unauthorized access to their networks. The ransomware affiliates, including groups like NoEscape, Ransomhouse, and ALPHV (aka BlackCat), collaborate closely with the Iranian actors to execute encryption operations, lock networks, and extort victims for payments. These activities pose a significant risk to the affected sectors, potentially disrupting critical services and exposing sensitive data.

Insights and Analysis

The advisory assesses that the group’s ransomware activity is likely not sanctioned by the GOI. Its targeting nevertheless aligns with Iranian state interests, particularly against defence organizations and entities in the Middle East. The affiliation with the GOI shows most clearly in the group’s non-ransomware activity, which focuses on stealing sensitive technical data from victim networks.

Organizations are urged to apply patches for the known vulnerabilities the advisory names: CVE-2019-19781 and CVE-2023-3519 (Citrix Netscaler), CVE-2022-1388 (F5 BIG-IP), CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect) and CVE-2024-24919 (Check Point Security Gateways). Network defenders should also search their logs for the indicators of compromise (IOCs) listed in the advisory, treat a hit on one of the IP addresses or domains as the start of a wider hunt for the webshells, unauthorized accounts and remote-access tools described above rather than as a complete finding, and validate their security controls against the TTPs outlined by the FBI and CISA.

The joint advisory from the FBI, CISA, and DC3 highlights the ongoing threat posed by Iran-based cyber actors who collaborate with ransomware affiliates to target US organizations. By following the recommended mitigations and remaining vigilant, organizations can better defend against these malicious activities and protect their critical assets.

Indicators of Compromise (IOCs)

Indicator | Type | Description
--- | --- | ---
138.68.90[.]19 | IP address | Observed in use by the actors from January 2024 to August 2024.
167.99.202[.]130 | IP address | Observed in use by the actors from January 2024 to August 2024.
78.141.238[.]182 | IP address | Observed in use by the actors from July 2024 to August 2024.
51.16.51[.]81 | IP address | Observed in use by the actors from January 2024 to August 2024.
api.gupdate[.]net | Domain | Observed in use by the actors from September 2022 to August 2024.
githubapp[.]net | Domain | Observed in use by the actors from February 2024 to August 2024.
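The indicators above are published defanged (`[.]` instead of `.`), so they have to be refanged before they can be matched against logs, and an IP match must be token-exact so that 138.68.90[.]19 does not fire on an unrelated address that merely starts with the same digits. The following script is an added example, not code from the advisory or the article: it refangs the six indicators in the table, matches them against a handful of constructed log lines (a reverse-proxy access log and a BIND-style resolver log, invented for illustration) and reports each hit with the line it came from. Subdomains of a listed domain are treated as hits; the sample log lines and the log formats are assumptions.

```python
"""Hunt for the AA24-241A network indicators in local logs.

Added example, not code from the advisory or the article. The log lines
below are constructed for illustration; the IOC values are the ones listed
in the advisory's table.
"""
import ipaddress
import re

# Indicators as published (defanged with [.] so they are not clickable).
ADVISORY_IOCS = [
    "138.68.90[.]19",
    "167.99.202[.]130",
    "78.141.238[.]182",
    "51.16.51[.]81",
    "api.gupdate[.]net",
    "githubapp[.]net",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Host names: one or more labels followed by an alphabetic TLD, so dotted
# IPv4 addresses are never picked up here (the last label is numeric).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value.

    Handles the common [.] / (.) / {.} dot replacements, hxxp(s):// and [:].
    """
    value = indicator.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return value.replace("[:]", ":")


def classify(indicator: str) -> str:
    """Return 'ip' for an IPv4/IPv6 literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_matchers(iocs):
    """Split a defanged IOC list into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        (ips if classify(value) == "ip" else domains).add(value)
    return ips, domains


def hunt(log_lines, iocs=ADVISORY_IOCS):
    """Return (line_number, matched_indicator, kind) for every hit.

    IPs are matched as whole tokens, so 138.68.90.19 does not fire on
    138.68.90.190; a domain matches itself and any of its subdomains.
    """
    ips, domains = build_matchers(iocs)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        low = line.lower()
        for ip in IP_RE.findall(low):
            if ip in ips:
                hits.append((lineno, ip, "ip"))
        for host in HOST_RE.findall(low):
            for dom in sorted(domains):
                if host == dom or host.endswith("." + dom):
                    hits.append((lineno, dom, "domain"))
    return hits


# Constructed sample lines (not real telemetry): two reverse-proxy access
# log entries, two resolver log entries and a near-miss IP that must not match.
SAMPLE_LOGS = [
    '138.68.90.19 - - [12/Mar/2024:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '10.0.4.22 - - [12/Mar/2024:03:14:09 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    "Mar 12 03:15:41 resolver named[812]: client 10.0.4.22#51234: query: api.gupdate.net IN A +",
    "Mar 12 03:16:02 resolver named[812]: client 10.0.4.22#51235: query: updates.githubapp.net IN A +",
    '138.68.90.190 - - [12/Mar/2024:03:17:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
]

if __name__ == "__main__":
    for lineno, ioc, kind in hunt(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} {ioc}")
```

Run against the sample, the script flags line 1 (the first IP), line 3 (api.gupdate.net) and line 4 (a subdomain of githubapp.net) and stays silent on line 5, whose address only shares a prefix with a listed IP. In production the same `hunt()` can be fed from a log file or a SIEM export; the subdomain rule matters because the advisory's domains are apex names and the actors can point any host under them at their infrastructure.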

MITRE ATT&CK Tactics and Techniques

Tactic | Technique | ID | Description
--- | --- | --- | ---
Reconnaissance | Search Open Technical Databases | T1596 | The actors used Shodan to identify vulnerable internet-facing infrastructure.
Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of Citrix Netscaler, F5 BIG-IP, and other devices.
Persistence | Server Software Component: Web Shell | T1505.003 | Webshells deployed on compromised Netscaler devices.
Credential Access | Input Capture | T1056 | Capturing login credentials using webshells on compromised devices.
Command and Control | Remote Access Software | T1219 | Deployment of MeshCentral and AnyDesk for remote access.
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Disabling antivirus and security software using admin credentials.
Discovery | Query Registry | T1012 | Exporting registry hives and network firewall configurations.
Impact | Data Encrypted for Impact | T1486 | Collaboration with ransomware affiliates to lock victim networks.

References

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations (AA24-241A) | CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://www.ic3.gov/Media/News/2024/240828.pdf