Pioneer Kitten Attack Detection: CISA, DC3, and FBI Warn of Iranian State-Sponsored Actors Collaborating With Ransomware Gangs to Target U.S. and Middle East
Table of contents:
On August 28, 2024, a joint advisory was released by the FBI, the Department of Defense, and CISA, alerting cybersecurity professionals about a surge in operations by Iran-linked adversaries. These actors are increasingly collaborating with ransomware gangs to target education, finance, healthcare, state bodies, and defense industry sectors. Known as Pioneer Kitten, state-sponsored hacking collective is actively working to infiltrate and gain access to the networks of targeted organizations, intending to partner with ransomware operators to execute ransomware attacks. Notably, most of the instructions start with exploitation of internet-facing assets that harbor specific n-day vulnerabilities.
Detecting Pioneer Kitten Attacks
State-sponsored hacking collectives have been on the rise in recent years. This trend poses a growing menace for cyber defenders due to the increasing scope and sophistication of attackers’ toolkits. Iranian APT groups remain among the most active collectives in Q1 2024, sharing the top spot with Chinese, North Korean, and russian actors.
The latest cyber-espionage activity covered in AA24-241A CISA Advisory urges cybersecurity practitioners to enhance their defense against Pioneer Kitten (aka Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm) currently partnering with ransomware operators to deploy malicious payloads and steal sensitive data from organizations in the US and Middle East. SOC Prime Platform for collective cyber defense offers a collection of dedicated Sigma rules to identify related malicious activity paired with advanced threat detection & hunting solutions to smooth out threat investigation.
Press the Explore Detections button below and immediately drill down to a tailored detection stack addressing Pioneer Kitten TTPs described in AA24-241A CISA Advisory. All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, rules are enriched with extensive metadata, including threat intel references, attack timelines, and recommendations.
Cyber defenders seeking more rules to address TTPs linked to Pioneer Kitten APT might search Threat Detection Marketplace using custom tags based on the group identifiers: “Pioneer Kitten,” “Fox Kitten,” “UNC757,” “Parisite,” “RUBIDIUM,” “Lemon Sandstorm.”
As Pioneer Kitten hackers were observed to exploit a set of known vulnerabilities for the initial access, security practitioners can access dedicated collections of Sigma rules addressing exploitation attempts for CVEs in the limelight using the links below.
Sigma Rules to Detect CVE-2024-24919 Exploitation Attempts
Sigma Rules to Detect CVE-2024-3400 Exploitation Attempts
Sigma Rules to Detect CVE-2019-19781 Exploitation Attempts
Sigma Rules to Detect CVE-2023-3519 Exploitation Attempts
Sigma Rules to Detect CVE-2022-1388 Exploitation Attempts
Also, to streamline threat investigation, security professionals might use Uncoder AI, the industry-first AI co-pilot for Detection Engineering, to instantly hunt for indicators of compromise provided in the related advisory. Uncoder AI acts as an IOC packager, enabling cyber defenders to effortlessly interpret IOCs and generate tailored hunting queries. These queries can then be seamlessly integrated into their preferred SIEM or EDR systems for immediate execution.
Pioneer Kitten Attack Analysis
The most recent security advisory by the FBI, the Department of Defense Cyber Crime Center (DC3), and CISA notifies defenders of the increasing risks related to the massive offensive operation orchestrated by the Iranian state-sponsored actors. Specifically, AA24-241A alert details the activity of the Pioneer Kitten group focusing on U.S. organizations since 2017 and identified in the private sector by several names, such as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. The group, directly linked to the Government of Iran (GOI), frequently refers to itself under the moniker of “xplfinder” or “Br0k3r.”
According to US federal agencies, the Pioneer Kitten collaborates with multiple ransomware gangs to launch attacks against organizations in the United States, Israel, Azerbaijan, and the United Arab Emirates. Iranian hackers involved in these operations deliberately obscure their location within Iran and remain intentionally vague about their nationality and origins when interacting with their ransomware partners. Separate from their ransomware activities, thу Pioneer Kitten group is also running a broader campaign focused on stealing “sensitive technical data” from organizations in Israel and Azerbaijan.
The Pioneer Kitten group has been uncovered to directly collaborate with nefarious ransomware groups like NoEscape, Ransomhouse, and ALPHV (BlackCat), assisting in encryption operations in exchange for a share of the ransom. Their role extends beyond providing access—they actively work with other ransomware affiliates to lock down victim networks and plan extortion strategies.
The FBI has also linked this group to hack-and-leak campaigns, such as the Pay2Key operation in late 2020. In this campaign, the actors used the .onion site hosted on cloud infrastructure from a previously compromised organization. After stealing data, they publicized the breach on social media, tagging victims and media outlets, and leaked the data online. Unlike typical ransomware attacks, Pay2Key appeared to be an information operation aimed at disrupting Israel’s cyber infrastructure rather than being primarily financially motivated.
GOI-linked actors gain initial access to victim networks by weaponizing vulnerabilities in remote external services on public-facing assets. In the latest campaign, they have been observed scanning IP addresses with Check Point Security Gateways for vulnerabilities related to CVE-2024-24919. In mid-spring 2024, they were likely searching for systems vulnerable to CVE-2024-3400 as an initial access vector. In addition, they are known to have taken advantage of Citrix Netscaler flaws, including CVE-2019-19781, and the BIG-IP iControl REST vulnerability (CVE-2022-1388).
After exploiting vulnerable instances, Pioneer Kitten uses several techniques to maintain persistence and control over the compromised networks, including capturing login credentials, deploying a webshell, placing additional webshells immediately after system owners patch vulnerabilities, manipulating zero-trust applications and other security policies to evade detection, creating malicious scheduled tasks and installing backdoors.
They also apply a set of adversary techniques for execution, privilege escalation, and defense evasion, including repurposing compromised credentials from devices like Citrix Netscaler to access other apps, abusing admin credentials, disabling security protection software to bypass anti-malware analysis, and employing a compromised admin account for offensive purposes. Iranian hackers also export system registry hives and network firewall configurations on impacted devices and exfiltrate both user and network data. For command and control, they rely on the AnyDesk utility for backup remote access and take advantage of Ligolo or NGROK tunneling tools for establishing outbound connections.
To minimize the risks of the Pioneer Kitten attacks, defenders recommend applying patches for CVEs weaponized by the group, investigating for stolen credentials and footholds in the case of vulnerability exploitation, and checking for unique malicious activity, like specific usernames, the use of specific tools from the adversary toolkit, and monitoring for outbound requests. SOC Prime’s Attack Detective helps organizations risk-optimize their cybersecurity posture by gaining comprehensive threat visibility and improving detection coverage, getting access to low-noise and high-quality rules for alerting, and enabling automated threat hunting.
