US agencies warn of ongoing ransomware attacks by Iranian hacking group

U.S. cybersecurity and intelligence agencies have exposed an Iranian hacking group that allegedly hacked multiple organizations across the country and coordinated with affiliates to spread ransomware.

The activity has been linked to a threat actor dubbed Pioneer Kitten, also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it describes as being connected to the Iranian government and using an Iranian information technology (IT) company, Danesh Novin Sahand, as a likely front.

“Their malicious cyber operations are aimed at deploying ransomware attacks to gain and expand network access,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber ​​Crime Center (DC3) said. “These operations help malicious cyber actors further collaborate with affiliated actors to continue deploying ransomware.”

Targets of the attacks include the education, financial, healthcare, and defense sectors, as well as local government entities in the United States. Intrusions have also been reported in Israel, Azerbaijan, and the United Arab Emirates (UAE) to steal sensitive data.

The goal, the agencies said, is to first gain a foothold in victim networks and then collaborate with ransomware affiliates associated with NoEscape, RansomHouse, and BlackCat (aka ALPHV) to deploy file-encrypting malware in exchange for a share of the illicit proceeds, while keeping their nationality and origin “intentionally vague.”

The attack attempts reportedly began as early as 2017 and are continuing this month. The threat actors, also known by the online aliases Br0k3r and xplfinder, are monetizing their access to victim organizations on underground marketplaces, underscoring their attempts to diversify their revenue streams.

“A significant portion of the group’s cyber activities in the United States are aimed at gaining and maintaining technical access to victims’ networks to enable future ransomware attacks,” the agencies noted. “The actors are providing full domain control privileges, as well as domain administrator credentials, to multiple networks around the world.”

“Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they are working closely with ransomware affiliates to lock down victim networks and develop strategies to extort victims.”

Initial access is achieved by leveraging remote external services on internet-facing assets that are vulnerable to previously disclosed vulnerabilities (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a series of steps to persist, escalate privileges, and configure remote access via tools like AnyDesk or the open-source tunneling tool Ligolo.

Iranian state-sponsored ransomware operations are not a new phenomenon. In December 2020, cybersecurity firms Check Point and ClearSky detailed a hacking and data leak campaign by Pioneer Kitten called Pay2Key that specifically targeted dozens of Israeli companies by exploiting known security vulnerabilities.

“The ransom itself ranged from seven to nine bitcoins (with a few cases where the attacker reduced it to three bitcoins),” the company said at the time. “To pressure victims into paying, the Pay2Key leak site displays sensitive information stolen from targeted organizations and threatens further leaks if victims continue to delay payments.”

Some of the ransomware attacks were also allegedly carried out through an Iranian subcontractor company named Emennet Pasargad, according to documents leaked by Lab Dookhtegan in early 2021.

The revelation paints a picture of a flexible group that operates with both ransomware and cyber espionage motivations, joining other dual-use hacking groups like ChamelGang and Moonstone Sleet.

Peach Sandstorm Spreads Tickler Malware in Long-Running Campaign

The development comes as Microsoft said it has observed Iranian state-sponsored threat actor Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) deploying a new multi-stage custom backdoor called Tickler in attacks against targets in the satellite, communications equipment, oil and gas, and federal and state government sectors in the United States and the United Arab Emirates between April and July 2024.

“Peach Sandstorm also continued to conduct password spraying attacks against the education sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence gathering,” the Microsoft Threat Intelligence team said, adding that it had detected intelligence gathering and possible social engineering targeting the higher education, satellite, and defense sectors via LinkedIn.

These efforts on the professional networking platform, which date back to at least November 2021 and continued through mid-2024, materialized in the form of fake profiles posing as students, developers, and talent acquisition managers supposedly based in the United States and Western Europe.

Password spray attacks serve as a conduit for the custom multi-stage Tickler backdoor, which has the capabilities to download additional payloads from adversary-controlled Microsoft Azure infrastructure, perform file operations, and collect system information.

Some attacks are known to exploit Active Directory (AD) snapshots for malicious administrative actions, Server Message Block (SMB) for lateral movement, and AnyDesk remote monitoring and management (RMM) software for persistent remote access.

“The convenience and usefulness of a tool like AnyDesk is amplified by the fact that it can be authorized by application controls in environments where it is used legitimately by IT support staff or system administrators,” Microsoft said.

Peach Sandstorm is believed to operate on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). It is known to have been active for over a decade, conducting espionage attacks against a wide range of public and private sector targets around the world. Recent intrusions targeting the defense sector also deployed another backdoor called FalseFont.

Iranian counterintelligence operation uses HR decoys to gather information

In evidence of Iran's ever-expanding cyber operations, Google-owned Mandiant said it had uncovered an alleged Iran-linked counterintelligence effort aimed at collecting data on Iranians and domestic threats that may be collaborating with its perceived adversaries, including Israel.

“The data collected could be used to uncover human intelligence (HUMINT) operations against Iran and to persecute any Iranians suspected of involvement in these operations,” said Mandiant researchers Ofir Rozmann, Asli Koksal and Sarah Bock. “These could include Iranian dissidents, activists, human rights defenders and Farsi speakers living in Iran and abroad.”

According to the company, this activity has “low overlap” with APT42 and aligns with the IRGC’s history of surveillance operations against internal threats and individuals of interest to the Iranian government. The campaign has been active since 2022.

The backbone of the attack lifecycle is a network of over 40 fake recruitment websites that impersonate Israeli human resources companies and are then distributed via social media platforms such as X and Virasty to trick potential victims into sharing their personal information (i.e. name, date of birth, email, home address, education and work experience).

These decoy websites, posing as Optima HR and Kandovan HR, state that their alleged goal is to “recruit employees and officers of Iranian intelligence and security organizations” and have Telegram handles that reference Israel (IL) in their identifiers (e.g., PhantomIL13 and getDmIL).

Mandian added that further analysis of Optima HR websites led to the discovery of an earlier group of fake recruitment websites targeting Farsi and Arabic speakers affiliated with Syria and Lebanon (Hezbollah) under another HR company named VIP Human Solutions between 2018 and 2022.

“The campaign casts a wide net, operating across multiple social media platforms to spread its network of fake human resources websites in an effort to expose Farsi-speaking individuals who may be working with intelligence and security agencies and are therefore perceived as a threat to the Iranian regime,” Mandiant said.

Did you find this article interesting? Follow us on Twitter  and LinkedIn to read more of the exclusive content we publish.

What Are The Main Benefits Of Comparing Car Insurance Quotes Online

LOS ANGELES, CA / ACCESSWIRE / June 24, 2020, / Compare-autoinsurance.Org has launched a new blog post that presents the main benefits of comparing multiple car insurance quotes. For more info and free online quotes, please visit https://compare-autoinsurance.Org/the-advantages-of-comparing-prices-with-car-insurance-quotes-online/ The modern society has numerous technological advantages. One important advantage is the speed at which information is sent and received. With the help of the internet, the shopping habits of many persons have drastically changed. The car insurance industry hasn't remained untouched by these changes. On the internet, drivers can compare insurance prices and find out which sellers have the best offers. View photos The advantages of comparing online car insurance quotes are the following: Online quotes can be obtained from anywhere and at any time. Unlike physical insurance agencies, websites don't have a specific schedule and they are available at any time. Drivers that have busy working schedules, can compare quotes from anywhere and at any time, even at midnight. Multiple choices. Almost all insurance providers, no matter if they are well-known brands or just local insurers, have an online presence. Online quotes will allow policyholders the chance to discover multiple insurance companies and check their prices. Drivers are no longer required to get quotes from just a few known insurance companies. Also, local and regional insurers can provide lower insurance rates for the same services. Accurate insurance estimates. Online quotes can only be accurate if the customers provide accurate and real info about their car models and driving history. Lying about past driving incidents can make the price estimates to be lower, but when dealing with an insurance company lying to them is useless. Usually, insurance companies will do research about a potential customer before granting him coverage. Online quotes can be sorted easily. Although drivers are recommended to not choose a policy just based on its price, drivers can easily sort quotes by insurance price. Using brokerage websites will allow drivers to get quotes from multiple insurers, thus making the comparison faster and easier. For additional info, money-saving tips, and free car insurance quotes, visit https://compare-autoinsurance.Org/ Compare-autoinsurance.Org is an online provider of life, home, health, and auto insurance quotes. This website is unique because it does not simply stick to one kind of insurance provider, but brings the clients the best deals from many different online insurance carriers. In this way, clients have access to offers from multiple carriers all in one place: this website. On this site, customers have access to quotes for insurance plans from various agencies, such as local or nationwide agencies, brand names insurance companies, etc. "Online quotes can easily help drivers obtain better car insurance deals. All they have to do is to complete an online form with accurate and real info, then compare prices", said Russell Rabichev, Marketing Director of Internet Marketing Company. CONTACT: Company Name: Internet Marketing CompanyPerson for contact Name: Gurgu CPhone Number: (818) 359-3898Email: [email protected]: https://compare-autoinsurance.Org/ SOURCE: Compare-autoinsurance.Org View source version on accesswire.Com:https://www.Accesswire.Com/595055/What-Are-The-Main-Benefits-Of-Comparing-Car-Insurance-Quotes-Online View photos