On August 28, 2024, the United States Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) detailing the Tactics, Techniques and Procedures (TTPs), mitigation strategies, and detection methods associated with an Iran-based adversary that targets organizations across several sectors in the US and other countries such as Israel, Azerbaijan and the United Arab Emirates.

Pioneer Kitten, also known as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, is a highly opportunistic Iranian threat actor with ties to the Iranian government that has been active since at least 2017. This adversary targets entities across multiple sectors, including government, defense, healthcare, finance, and education, focusing on sensitive information likely of intelligence interest to Iran.

Pioneer Kitten has been observed acting as an access broker, selling access to compromised networks on underground forums, and has collaborated with various ransomware affiliates, including NoEscape, RansomHouse, and ALPHV, by providing them with access to networks to extort victims in exchange for a percentage of the ransom payments. These intrusions rely mostly on the exploitation of remote external services on internet-facing assets to gain initial access.


The CSA also details that in late 2020, Pioneer Kitten was observed conducting a hack-and-leak campaign known as Pay2Key, leaking victims’ data on an .onion site. The FBI assesses that this operation aimed at undermining the security of Israel-based cyber infrastructure.

AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by Pioneer Kitten during its latest activities to help customers test their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors of an opportunistic adversary whose techniques remain an ongoing threat to various industry sectors worldwide.
  • Assess their security posture against activities focused on obtaining sensitive information.
  • Continuously validate detection and prevention pipelines against a threat that sustains worldwide espionage operations.

[CISA AA24-241A] Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

This assessment template emulates the Tactics, Techniques and Procedures (TTPs) exhibited by Pioneer Kitten during its latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by the adversary at each stage of their attacks.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Hijack Execution Flow: DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).

2. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Create Account: Local Account (T1136.001): This scenario attempts to create a new user on the system with the net user Windows command.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario attempts to create a new scheduled task for persistence using the schtasks utility.

3. Credential Access

Consists of techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping: Security Account Manager (T1003.002): This scenario attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.

4. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Network Configuration Discovery (T1016): This scenario executes the netsh firewall show all command to display the firewall rules configured on the system.

5. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario executes Invoke-WebRequest to emulate the communication with a web service to post data.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Scheduled Task/Job: Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("schtasks" AND "/CREATE" AND ("cmd" OR "powershell"))
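The rule above, run over a handful of constructed process-creation events, as an added example that is not part of the AttackIQ template or the CISA advisory. The event shape (host, image path, command line) and the sample command lines are assumptions made for illustration; the matching is case-insensitive because schtasks accepts /create as well as /CREATE, and the task name and action are pulled out of the command line so an analyst can triage a hit without re-reading the raw event.

```python
"""Added example: apply the schtasks /CREATE detection rule to process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # Minimal process-creation record (assumed shape, not a specific SIEM schema).
    host: str
    image: str          # full path of the process that was created
    command_line: str   # its command line as logged


def is_scheduled_task_creation(event: ProcessEvent) -> bool:
    """Implements the rule from the post with the parentheses balanced:
    Process Name in (cmd.exe, powershell.exe) AND command line contains
    "schtasks", "/CREATE" and either "cmd" or "powershell".
    Comparison is case-insensitive, since schtasks accepts /create too."""
    process_name = event.image.rsplit("\\", 1)[-1].lower()
    if process_name not in ("cmd.exe", "powershell.exe"):
        return False
    cl = event.command_line.lower()
    return "schtasks" in cl and "/create" in cl and ("cmd" in cl or "powershell" in cl)


def task_details(command_line: str) -> dict:
    """Extract the /TN (task name) and /TR (task action) values for triage.
    Handles both quoted and unquoted values; returns None for a missing flag."""
    def grab(flag: str):
        m = re.search(r"/" + flag + r'\s+("([^"]*)"|([^"\s]+))', command_line, re.IGNORECASE)
        if not m:
            return None
        return m.group(2) if m.group(2) is not None else m.group(3)
    return {"task_name": grab("tn"), "action": grab("tr")}


def detect(events):
    """Return (host, details) for every event the rule matches."""
    return [(e.host, task_details(e.command_line)) for e in events if is_scheduled_task_creation(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "C:\\Windows\\System32\\cmd.exe",
                 'cmd.exe /c schtasks /create /tn "Updater" '
                 '/tr "powershell.exe -File C:\\Users\\Public\\sync.ps1" /sc minute /mo 5 /f'),
    ProcessEvent("WS01", "C:\\Windows\\System32\\cmd.exe",
                 'cmd.exe /c schtasks /query /tn "Updater"'),          # query only: no hit
    ProcessEvent("SRV02", "C:\\Windows\\System32\\svchost.exe",
                 "svchost.exe -k netsvcs -p -s Schedule"),             # scheduler service itself: no hit
    ProcessEvent("WS03", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 'powershell.exe -Command "schtasks.exe /Create /SC ONLOGON /TN Backup /TR C:\\Tools\\backup.cmd"'),
]

if __name__ == "__main__":
    for host, details in detect(SAMPLE_EVENTS):
        print(host, details)
```

Note that the substring "cmd" in the rule also matches a .cmd script given to /TR (the fourth sample), which is usually what you want, but it will match any command line containing those three letters; tune the third clause to your environment's baseline of legitimate scheduled-task creation before alerting on it.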

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task:

3. Hijack Execution Flow: DLL Side-Loading (T1574.002):

Malware commonly uses side-loading to run malicious code inside a legitimate process, so that it blends in with trusted applications and appears normal on the compromised system.

3a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. Searching for newly created processes, or monitoring DLL/PE file events, specifically the creation and loading of DLLs into running processes, can help identify when a system process has been compromised.
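The image-load monitoring described above, as an added example (not AttackIQ's or CISA's code). It applies two side-loading heuristics to constructed image-load events whose shape is loosely modelled on a Sysmon Event ID 7 record (an assumption; the fields are trimmed): a DLL carrying a well-known Windows DLL name but loaded from outside the Windows directories, and a signed process loading an unsigned DLL from its own directory when that directory is user-writable. The DLL names, directory lists and sample paths are illustrative and should be replaced with a baseline from your own estate.

```python
"""Added example: flag image loads that look like DLL side-loading."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ImageLoadEvent:
    # Assumed record shape (modelled loosely on Sysmon Event ID 7, fields trimmed).
    host: str
    process_image: str   # executable that performed the load
    image_loaded: str    # full path of the DLL that was loaded
    process_signed: bool
    image_signed: bool


# Directories a DLL with a Windows system name is expected to come from (illustrative list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Directories a standard user can normally write to (illustrative list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# A few Windows DLL names that are frequently shadowed beside an executable; extend from your baseline.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptsp.dll", "profapi.dll"}


def is_under(path: str, prefixes) -> bool:
    """Case-insensitive prefix match against a tuple of directory prefixes."""
    return path.lower().startswith(prefixes)


def classify(ev: ImageLoadEvent):
    """Return a reason string when the load looks like side-loading, otherwise None."""
    loaded = PureWindowsPath(ev.image_loaded)
    dll_name = loaded.name.lower()
    dll_dir = str(loaded.parent).lower() + "\\"
    exe_dir = str(PureWindowsPath(ev.process_image).parent).lower() + "\\"

    # Heuristic 1: a system DLL name resolved from a non-system path (search-order abuse).
    if dll_name in KNOWN_SYSTEM_DLLS and not is_under(ev.image_loaded, TRUSTED_DIRS):
        return f"system DLL name {dll_name} loaded from non-system path"

    # Heuristic 2: trusted (signed) binary pulls an unsigned DLL from its own user-writable folder.
    if ev.process_signed and not ev.image_signed and dll_dir == exe_dir and is_under(ev.image_loaded, USER_WRITABLE):
        return "signed process loaded unsigned DLL from its own user-writable directory"

    return None


def detect(events):
    """Return (host, loaded image, reason) for each suspicious load."""
    return [(e.host, e.image_loaded, reason) for e in events if (reason := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_LOADS = [
    ImageLoadEvent("WS01", "C:\\Program Files\\Vendor\\viewer.exe",
                   "C:\\Windows\\System32\\version.dll", True, True),            # normal load
    ImageLoadEvent("WS01", "C:\\Users\\Public\\Updater\\viewer.exe",
                   "C:\\Users\\Public\\Updater\\version.dll", True, False),      # heuristic 1
    ImageLoadEvent("SRV02", "C:\\ProgramData\\Tool\\tool.exe",
                   "C:\\ProgramData\\Tool\\helper.dll", True, False),            # heuristic 2
    ImageLoadEvent("WS03", "C:\\Program Files\\Vendor\\app.exe",
                   "C:\\Program Files\\Vendor\\plugin.dll", True, False),        # unsigned plugin in a protected dir: no hit
]

if __name__ == "__main__":
    for host, dll, reason in detect(SAMPLE_LOADS):
        print(host, dll, "->", reason)
```

The fourth sample shows the boundary of the second heuristic: an unsigned plugin under Program Files is not flagged because that directory is not writable by a standard user, which keeps noise from legitimate third-party software down; if your environment grants broader write access there, add it to USER_WRITABLE.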

3b. Mitigation

MITRE ATT&CK recommends the following mitigations:

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against a sophisticated threat. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.