
SafeBreach Coverage for AA24-241A (Ransomware Attacks by Iranian Threat Group – Fox Kitten)

Aug 29, 2024


On August 28th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued an urgent advisory warning security teams about efforts by Iran-based threat actors to target and exploit U.S. and foreign organizations through ransomware attacks. Detailed information about this threat, including the associated IOCs and TTPs, is available in the advisory Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations.

This blog will share an overview of the threat and our coverage for these threat actors. As a SafeBreach customer, you will have access to all the attacks listed below and more to validate your organizational security controls against this state-sponsored APT group.

US CERT ALERT AA24-241A (Fox Kitten)

According to the advisory, a specific group of Iranian threat actors has consistently targeted U.S. and international organizations between 2017 and 2024. These organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. The authoring agencies have identified this Iranian threat group as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. The actors also refer to themselves by the moniker Br0k3r and have operated under the moniker xplfinder. According to the FBI, this threat group’s activity is consistent with being sponsored by the Iranian state. These threat actors have also targeted defense sector organizations in Israel, Azerbaijan, and the United Arab Emirates.


Most of the attacks by the threat group are conducted with the goal of obtaining and maintaining access to victim networks in order to launch ransomware attacks later. These threat actors have also collaborated with several ransomware affiliates (NoEscape, Ransomhouse, and ALPHV/BlackCat) to enable encryption operations in exchange for a percentage of the ransom payments. The actors also strategize closely with the ransomware affiliates on how to lock victim networks and how to extort victims for the maximum ransom.

They have conducted several hack-and-leak campaigns, stealing victim data and publishing it on a .onion leak site. According to the FBI, the threat actor activity is consistent with Iranian state interests, intending to steal sensitive information for the benefit of the Government of Iran (GOI).

Technical Details

Initial Access – According to the information available, these state-sponsored threat actors rely on exploiting remote external services on internet-facing assets to gain initial access to victim networks. This includes exploitation of several CVEs, such as CVE-2024-24919, CVE-2024-3400, CVE-2019-19781, CVE-2023-3519, and CVE-2022-1388.

Persistence and Credential Theft – They typically use the Shodan search engine to identify and enumerate IP addresses hosting devices vulnerable to the CVEs listed above. Once they gain access to victim networks, they typically use the following techniques to maintain persistence and steal credentials:

  • Capture login credentials using webshells on compromised Netscaler devices and append them to a file named netscaler.1 in the same directory as the webshell.
  • Create a directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell, and add several malicious files to the directory.
  • Create the directory /xui/common/images/ on targeted IP addresses.
  • Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain”.
  • Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network.
  • Create a malicious scheduled task named SpaceAgentTaskMgrSHR in the Windows/Spaceport/ task folder.
  • Place a malicious backdoor version.dll in the C:\Windows\ADFS\ directory.
  • Use a scheduled task to load malware through installed backdoors.
  • Deploy MeshCentral to connect to compromised servers for remote access.
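The persistence artefacts listed above are concrete enough to hunt for directly. The script below is an added example (not SafeBreach or CISA code) that takes a host inventory snapshot (files present, local accounts, scheduled task paths; the snapshot layout and the sample data are constructed for this illustration) and reports which of the advisory's indicators are present. Path comparison is normalised so the same check works on Netscaler appliances and Windows hosts, and account names are compared case-insensitively because Windows account names are not case-sensitive.

```python
"""
Hunt a host inventory snapshot for the Fox Kitten persistence artefacts named in
AA24-241A: webshell directories, the netscaler.1 credential file, version.dll in
C:\\Windows\\ADFS\\, the SpaceAgentTaskMgrSHR task and the observed account names.
Added example; the snapshot layout and sample data are constructed.
"""
from dataclasses import dataclass

# Indicators quoted from the advisory summary (lower-cased, forward-slash form).
WEBSHELL_DIRS = ("/var/vpn/themes/imgs/", "/xui/common/images/")
CRED_FILE_NAME = "netscaler.1"
BACKDOOR_DLL = "c:/windows/adfs/version.dll"
TASK_NAME = "spaceagenttaskmgrshr"
TASK_FOLDER = "spaceport"
ACCOUNT_NAMES = {"sqladmin$", "adfsservice", "iis_admin", "iis-admin", "john mccain"}


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


def _norm(path: str) -> str:
    """Normalise Windows and POSIX paths to one lower-case, slash-separated form."""
    return path.replace("\\", "/").lower()


def hunt(snapshot: dict) -> list[Finding]:
    """snapshot = {"files": [...], "accounts": [...], "tasks": [...]} (assumed layout)."""
    findings: list[Finding] = []

    for path in snapshot.get("files", []):
        n = _norm(path)
        if any(n.startswith(d) for d in WEBSHELL_DIRS):
            findings.append(Finding("webshell_directory", path))
        if n.rsplit("/", 1)[-1] == CRED_FILE_NAME:
            findings.append(Finding("credential_capture_file", path))
        if n == BACKDOOR_DLL:
            findings.append(Finding("adfs_backdoor_dll", path))

    for account in snapshot.get("accounts", []):
        if account.strip().lower() in ACCOUNT_NAMES:
            findings.append(Finding("suspicious_account", account))

    for task in snapshot.get("tasks", []):
        # Task paths are assumed in schtasks style: \Microsoft\Windows\Spaceport\<name>
        parts = _norm(task).strip("/").split("/")
        if parts[-1] == TASK_NAME and TASK_FOLDER in parts[:-1]:
            findings.append(Finding("scheduled_task", task))

    return findings


# Constructed sample snapshot: five true positives plus benign look-alikes.
SAMPLE_SNAPSHOT = {
    "files": [
        "/var/vpn/themes/imgs/logo.php",        # webshell directory hit
        "/var/netscaler/logon/netscaler.1",     # credential capture file hit
        r"C:\Windows\ADFS\version.dll",         # backdoor DLL hit
        r"C:\Windows\System32\version.dll",     # different location, no hit
        "/xui/common/image/benign.png",         # not the indicator directory, no hit
    ],
    "accounts": ["Administrator", "IIS_Admin", "svc_backup"],
    "tasks": [
        r"\Microsoft\Windows\Spaceport\SpaceAgentTaskMgrSHR",   # hit
        r"\Microsoft\Windows\Spaceport\SpaceAgentTask",         # different name, no hit
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_SNAPSHOT):
        print(f"{f.category:26} {f.evidence}")
```

In practice the snapshot would be produced by an EDR query or an inventory script on the endpoint; the matching logic stays the same. Prefix matching on the webshell directories is deliberate, since the advisory states the actors drop several files into those directories, not one fixed filename.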

Execution, Privilege Escalation, and Defense Evasion – The following techniques are used to execute their malicious objectives:

  • Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications.
  • Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks.
  • Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level.
  • Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted.
  • Use a compromised administrator account to initiate a remote desktop session to another server on the network.
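One concrete form of the PowerShell downgrade mentioned above is starting the legacy 2.0 engine, which lacks the script block logging and AMSI integration of the 5.x engine. The following added example (not SafeBreach or CISA code) flags that downgrade from engine-start events. The record layout is constructed to resemble the Windows PowerShell log's event 400 message, whose Details block carries an EngineVersion= field; the sample events and the minimum expected engine version are assumptions for this illustration.

```python
"""
Flag PowerShell engine downgrades from engine-start events (Windows PowerShell
log, event ID 400, "Engine state is changed from None to Available").
Added example; event layout, sample records and the baseline version are constructed.
"""
import re
from dataclasses import dataclass

ENGINE_VERSION_RE = re.compile(r"EngineVersion=(\d+)\.(\d+)")
MIN_ENGINE_MAJOR = 5  # assumption: this environment expects the 5.x engine or newer
ENGINE_START_EVENT_ID = 400


@dataclass(frozen=True)
class DowngradeAlert:
    host: str
    user: str
    engine_version: str


def engine_version(message: str):
    """Return (major, minor) parsed from the event's Details block, or None."""
    m = ENGINE_VERSION_RE.search(message)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_downgrades(events, min_major: int = MIN_ENGINE_MAJOR) -> list[DowngradeAlert]:
    """events: iterable of dicts with host, user, event_id, message (assumed layout)."""
    alerts: list[DowngradeAlert] = []
    for ev in events:
        if ev.get("event_id") != ENGINE_START_EVENT_ID:
            continue  # only engine starts tell us which engine was launched
        ver = engine_version(ev.get("message", ""))
        if ver is None:
            continue  # malformed record: no version field to judge
        if ver[0] < min_major:
            alerts.append(DowngradeAlert(ev["host"], ev["user"], f"{ver[0]}.{ver[1]}"))
    return alerts


# Constructed sample records: one downgrade, one normal start, one non-start event,
# one record without a version field.
SAMPLE_EVENTS = [
    {"host": "ADFS01", "user": "CORP\\adfsservice", "event_id": 400,
     "message": "Engine state is changed from None to Available.\nDetails:\n"
                "\tNewEngineState=Available\n\tHostName=ConsoleHost\n\tEngineVersion=2.0\n"},
    {"host": "ADFS01", "user": "CORP\\jdoe", "event_id": 400,
     "message": "Engine state is changed from None to Available.\nDetails:\n"
                "\tNewEngineState=Available\n\tHostName=ConsoleHost\n\tEngineVersion=5.1.19041.4291\n"},
    {"host": "WKS07", "user": "CORP\\jdoe", "event_id": 403,
     "message": "Engine state is changed from Available to Stopped.\nDetails:\n\tEngineVersion=2.0\n"},
    {"host": "WKS07", "user": "CORP\\jdoe", "event_id": 400,
     "message": "Engine state is changed from None to Available.\nDetails:\n\tNewEngineState=Available\n"},
]

if __name__ == "__main__":
    for a in find_downgrades(SAMPLE_EVENTS):
        print(f"downgrade: host={a.host} user={a.user} engine={a.engine_version}")
```

Pairing this with the account indicators from the advisory (the sample downgrade runs as the observed “adfsservice” name) raises confidence considerably, since a v2 engine start by a freshly created service account is rarely legitimate administration.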

Command and Control – The following tools and techniques are used to establish C&C communications:

  • Install “AnyDesk” remote access program as a backup access method.
  • Enable servers to use Windows PowerShell Web Access.
  • Use the open source tunneling tool Ligolo.
  • Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain.
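The NGROK pattern described above (outbound connections to a random subdomain of ngrok.io) is straightforward to review in proxy or DNS logs, provided the match is a proper domain-suffix match rather than a substring search. The added example below (not SafeBreach or CISA code) parses constructed outbound-connection log lines, whose format (timestamp, source IP, destination host:port, action) is an assumption, and reports which internal sources talked to a tunnelling domain or any subdomain of it, while rejecting look-alikes such as notngrok.io.

```python
"""
Review outbound connection logs for connections to ngrok.io subdomains, the
tunnelling pattern noted in AA24-241A. Added example; the log line format and
the sample lines are constructed.
"""
import re
from collections import defaultdict

# Tunnelling service domains named in the advisory summary; extend as needed.
TUNNEL_DOMAINS = ("ngrok.io",)

# Constructed line format: "<iso-timestamp> <src_ip> <dst_host>:<port> <action>"
LINE_RE = re.compile(r"^(\S+)\s+(?P<src>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+(\S+)$")


def is_tunnel_host(host: str) -> bool:
    """True if host equals a tunnelling domain or is a subdomain of one.

    Matching on a label boundary ('.' + domain) keeps 'notngrok.io' from matching.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)


def find_tunnel_connections(lines) -> dict[str, list[str]]:
    """Map each source IP to the sorted tunnel hosts it contacted; skip unparsable lines."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the review
        if is_tunnel_host(m["host"]):
            hits[m["src"]].add(m["host"].lower())
    return {src: sorted(hosts) for src, hosts in hits.items()}


# Constructed sample log: two tunnel hosts from one source, the apex from another,
# a look-alike domain and a garbage line.
SAMPLE_LOG = """
2024-08-20T10:01:02Z 10.0.5.23 login.example.test:443 ALLOW
2024-08-20T10:03:15Z 10.0.5.23 4f3a9c1e.ngrok.io:443 ALLOW
2024-08-20T10:03:16Z 10.0.5.23 tcp.eu.ngrok.io:443 ALLOW
2024-08-20T10:04:00Z 10.0.7.9 notngrok.io:443 ALLOW
2024-08-20T10:05:00Z 10.0.7.9 ngrok.io:443 ALLOW
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    for src, hosts in find_tunnel_connections(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(hosts)}")
```

Because the subdomain is random, the useful unit for triage is the source host rather than the destination name: one internal host reaching several different ngrok.io names in a short window is the pattern the advisory describes.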

Exfiltration of Stolen Data – After successfully stealing sensitive victim data, these threat actors collaborate with ransomware affiliates by providing them access to victim networks, locking victim networks, and even devising strategies to extort victims. They do so in exchange for a percentage of the ransom payments. Stolen data is also leveraged to further malicious goals of the GOI.

Important Note for SafeBreach Customers – Coverage for AA24-241A

As soon as details were made available, the SafeBreach Labs team immediately mapped existing attacks in the Hacker’s Playbook to this US-CERT alert. It is important to note that existing SafeBreach customers already had a comprehensive level of coverage against the tactics and techniques leveraged by the Fox Kitten threat group identified in the advisory. Please run or re-run the attacks listed below to ensure your environments are protected against these TTPs.

Existing IOC-Based Attacks Related to AA24-241A

  • BlackCat Ransomware
    • #8475 – Transfer of BlackCat ransomware over HTTP/S
    • #8971 – Transfer of BlackCat (8ce1) ransomware over HTTP/S
    • #8478 – Email BlackCat ransomware as a compressed attachment
    • #7328 – Execute the BlackCat (ALPHV) ransomware on user files
    • #8970 – Pre-execution phase of BlackCat ransomware (Linux)
    • #8474 – Pre-execution phase of BlackCat ransomware (Linux)
    • #8473 – Write BlackCat ransomware to disk
    • #8977 – Transfer of BlackCat (5a42) ransomware over HTTP/S
    • #8976 – Transfer of BlackCat (5a42) ransomware over HTTP/S
    • #8979 – Email BlackCat (5a42) ransomware as a compressed attachment
    • #8975 – Write BlackCat (5a42) ransomware to disk
    • #8974 – Email BlackCat (8ce1) ransomware as a compressed attachment
    • #8978 – Email BlackCat (5a42) ransomware as a compressed attachment
    • #8973 – Email BlackCat (8ce1) ransomware as a compressed attachment
    • #8477 – Email BlackCat ransomware as a compressed attachment
    • #8969 – Write BlackCat ransomware to disk
    • #8476 – Transfer of BlackCat ransomware over HTTP/S
    • #8972 – Transfer of BlackCat (8ce1) ransomware over HTTP/S
  • Ransomhouse
    • #10043 – Transfer of Ransomhouse malgent (f82f2c) trojan over HTTP/S
    • #10038 – Email Ransomhouse decxk (d53973) trojan as a compressed attachment
    • #10035 – Pre-execution phase of Ransomhouse decxk (d53973) trojan (Linux)
    • #10039 – Email Ransomhouse decxk (d53973) trojan as a compressed attachment
    • #10042 – Transfer of Ransomhouse malgent (f82f2c) trojan over HTTP/S
    • #10049 – Transfer of Ransomhouse babyk (e3005d) trojan over HTTP/S
    • #10045 – Email Ransomhouse malgent (f82f2c) trojan as a compressed attachment
    • #10044 – Email Ransomhouse malgent (f82f2c) trojan as a compressed attachment
    • #10048 – Transfer of Ransomhouse babyk (e3005d) trojan over HTTP/S
    • #10051 – Email Ransomhouse babyk (e3005d) trojan as a compressed attachment
    • #10047 – Pre-execution phase of Ransomhouse babyk (e3005d) trojan (Linux)
    • #10046 – Write Ransomhouse babyk (e3005d) trojan to disk
    • #10050 – Email Ransomhouse babyk (e3005d) trojan as a compressed attachment
    • #10041 – Pre-execution phase of Ransomhouse malgent (f82f2c) trojan (Windows)
    • #10036 – Transfer of Ransomhouse decxk (d53973) trojan over HTTP/S
    • #10037 – Transfer of Ransomhouse decxk (d53973) trojan over HTTP/S
    • #10040 – Write Ransomhouse malgent (f82f2c) trojan to disk
  • NoEscape Ransomware
    • #9272 – Pre-execution phase of NoEscape (2bc0d8) ransomware (Windows)
    • #9273 – Transfer of NoEscape (2bc0d8) ransomware over HTTP/S
    • #9281 – Email NoEscape (4a3e58) ransomware as a compressed attachment
    • #9278 – Transfer of NoEscape (4a3e58) ransomware over HTTP/S
    • #9274 – Transfer of NoEscape (2bc0d8) ransomware over HTTP/S
    • #9275 – Email NoEscape (2bc0d8) ransomware as a compressed attachment
    • #9279 – Transfer of NoEscape (4a3e58) ransomware over HTTP/S
    • #9280 – Email NoEscape (4a3e58) ransomware as a compressed attachment
    • #9276 – Email NoEscape (2bc0d8) ransomware as a compressed attachment
    • #9277 – Write NoEscape (4a3e58) ransomware to disk
    • #9271 – Write NoEscape (2bc0d8) ransomware to disk

Existing Behavioral Attacks Related to AA24-241A

  • T1482 – Domain Trust Discovery
    • #2306 – Domain Trust Discovery (host level)
    • #6800 – Domain Controller discovery using user credentials (host level)
    • #6799 – Domain Controller discovery using interactive session token (host level)
  • T1053 – Scheduled Task/Job
    • #1357 – Create Cron scheduled task (host level)
    • #1269 – Creating Windows schedule task (schtasks.exe) (host level)
    • #7638 – Scheduled Service Using Systemd Timers (host level)
    • #7639 – Scheduled tasks using At (Windows) (host level)
    • #9980 – Create Cron scheduled task executing curl command (lateral movement)
    • #214 – Scheduled task creation over SMB (lateral movement)
    • #9979 – Create Cron scheduled task executing touch file (host level)
    • #2164 – Scheduled Task (host level)
  • T1136.001 – Create Account: Local Account
    • #2189 – Account Manipulation (host level)
    • #2170 – Create Account (Windows) (host level)
    • #7170 – Add a local administrator (Windows) (host level)
  • T1190 – Exploit Public-Facing Application
    • #6993 – Remote exploitation of F5 BIG-IP vulnerability CVE-2022-1388 RCE
    • #5570 – Directory Traversal of Citrix ADC vulnerability CVE-2019-19781
    • #9992 – Remote exploitation of PAN-OS command injection CVE-2024-3400 (WAF)
    • #9482 – Remote exploitation of Ivanti Connect Secure vulnerability chain CVE-2023-46805 CVE-2024-21887 (WAF)
  • T1059.001 – Command and Scripting Interpreter: PowerShell
    • #2267 – Add an exclusion to Windows Defender using PowerShell (host level)
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    • #2389 – Modify Firewall Rules using netsh.exe (host level)
    • #7144 – Unregister anti malware scanning interface providers (host level)
    • #8024 – EDR evasion by overriding `ntdll` hooked functions (host level)
    • #8023 – EDR evasion by overriding `ntdll` .text section (host level)
    • #7835 – Disable Windows Defender From Registry (host level)
    • #5107 – Stop a service using net stop command (host level)
    • #7834 – Add Exclusions to Windows Defender (host level)
  • T1562.010 – Impair Defenses: Downgrade Attack
    • #6804 – Downgrading PowerShell version (host level)
  • T1012 – Query Registry
    • #2194 – Extract Credentials from the Registry using System Commands (host level)
  • T1505.003 – Server Software Component: Web Shell
    • #228 – R57 Run Shell Command (lateral movement)
    • #232 – WSO2 Webshell – Execute Whoami command (lateral movement)
  • T1056 – Input Capture
    • #7219 – Collection – Keylogger (Windows) (host level)
  • T1078.002 – Valid Accounts: Domain Accounts
    • #6473 – Agentless lateral movement via RDP (host level)

What You Should Do Now

SafeBreach customers can now validate their security controls against these TTPs in multiple ways.

Method 1 – Go to the “SafeBreach Scenarios” page and choose the AA24-241A scenario.

Method 2 – From the Attack Playbook, select and filter attacks related to AA24-241A. You can also refer to the list above to ensure a comprehensive level of coverage.

Method 3 – From the Known Threat Series report, select the US-CERT Alert AA24-241A report and select Run Simulations, which will run all attack methods.

Additional References

  1. Fox Kitten, UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm, Group G0117 | MITRE ATT&CK®
  2. PIONEER KITTEN: Targets & Methods [Adversary Profile] (crowdstrike.com)
  3. NoEscape – SentinelOne
  4. RansomHouse – SentinelOne
  5. Pay2Key, Software S0556 | MITRE ATT&CK®
  6. Pay2Key Ransomware Alert – Check Point Research

NOTE – FBI and CISA recommend continually validating your security program, at scale, in a production environment to ensure optimal performance against the growing threat of advanced cyber attacks. Additional recommendations can be found in the advisory linked above:

  • Review available logs for IP addresses in the advisory for indications of traffic with your organization’s network in the provided timeframes.
  • Apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519.
  • Check your systems for the unique identifiers and TTPs used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of webshells in specific directories.
  • For additional recommendations, please review the advisory in detail.



*** This is a Security Bloggers Network syndicated blog from SafeBreach authored by Kaustubh Jagtap. Read the original post at: https://www.safebreach.com/blog/fox-kitten-us-cert-alert-aa24-241a/
