Iran-linked APT group Pioneer Kitten, also known as Fox Kitten or Parisite, is now trying to monetize its efforts by selling access to some of the networks it has hacked to other hackers.
Over the past months the Iranian group has been attacking corporate VPNs, compromising VPN servers to plant backdoors in companies around the world; its targets have included Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs.
According to a report published by Crowdstrike, the group is now trying to sell access to some of the compromised companies on a cybercrime forum.
“PIONEER KITTEN tradecraft is characterized by a pronounced reliance on exploits of remote external services on internet-facing assets to achieve initial access to victims, as well as an almost total reliance on open-source tooling during operations.” reads the report published by Crowdstrike.
“The adversary is particularly interested in exploits related to VPNs and network appliances, including CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902; reliance on exploits such as these lends to an opportunistic operational model.”
PIONEER KITTEN operations rely on SSH tunneling through open-source tools such as Ngrok; the group has also used a custom tool, SSHMinion, to communicate with malware deployed in the target networks.
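The tradecraft above (outbound SSH tunnels and Ngrok-based relays from compromised internet-facing hosts) leaves traces in ordinary network telemetry. The script below is an added illustration written for this article, not code from the Crowdstrike report or from the Pioneer Kitten tooling: it flags long-lived outbound SSH sessions from internal hosts and DNS lookups of tunneling-service domains, then correlates the two. The log lines are constructed, the internal CIDR list, the duration threshold and the Ngrok domain suffixes are assumptions that a defender would replace with their own environment's values.

```python
"""Flag network telemetry consistent with reverse tunnelling over SSH or Ngrok.

Added example for this article; the log formats and domain list are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed suffixes for the Ngrok tunneling service; keep this list current
# from the vendor's own documentation rather than trusting it as given here.
NGROK_DOMAIN_SUFFIXES = ("ngrok.io", "ngrok.com", "ngrok-agent.com")

# Assumed internal address space (RFC 1918); replace with the real inventory.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample DNS log: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2020-08-01T10:01:10Z 10.0.7.40 tunnel.ngrok.com
2020-08-01T10:01:11Z 10.0.7.41 updates.example.com
"""

# Constructed sample flow log: "<timestamp> <src> <dst> <dport> <proto> <duration_s>"
SAMPLE_FLOW_LOG = """\
2020-08-01T10:00:01Z 10.0.5.20 10.0.5.21 443 tcp 3
2020-08-01T10:00:09Z 10.0.5.20 203.0.113.7 22 tcp 7200
2020-08-01T10:01:13Z 10.0.7.40 198.51.100.9 443 tcp 9000
2020-08-01T10:02:00Z 10.0.5.22 203.0.113.8 22 tcp 12
"""


def is_ngrok_name(name):
    """True if a DNS name is the tunneling service's domain or a subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in NGROK_DOMAIN_SUFFIXES)


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETWORKS)


def parse_dns(lines):
    """Map each client IP to the set of names it queried."""
    queries = defaultdict(set)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) == 3:
            queries[parts[1]].add(parts[2])
    return queries


def parse_flows(lines):
    """Parse flow records into dicts; malformed lines are skipped."""
    flows = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, duration = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "duration": int(duration)})
    return flows


def find_tunnel_indicators(flow_log, dns_log, min_duration=3600):
    """Return findings for hosts whose traffic resembles a reverse tunnel.

    Three signals: (1) a host resolved a tunneling-service name; (2) a host held
    an outbound SSH (tcp/22) session to an external peer for at least
    min_duration seconds; (3) a host from (1) held any long outbound flow.
    """
    findings = []
    ngrok_hosts = {client for client, names in parse_dns(dns_log).items()
                   if any(is_ngrok_name(n) for n in names)}
    for host in sorted(ngrok_hosts):
        findings.append({"host": host, "reason": "dns-ngrok"})
    for f in parse_flows(flow_log):
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue  # only outbound flows matter for a reverse tunnel
        if f["proto"] == "tcp" and f["dport"] == 22 and f["duration"] >= min_duration:
            findings.append({"host": f["src"], "reason": "long-outbound-ssh", "peer": f["dst"]})
        elif f["src"] in ngrok_hosts and f["duration"] >= min_duration:
            findings.append({"host": f["src"], "reason": "long-flow-from-ngrok-host", "peer": f["dst"]})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_indicators(SAMPLE_FLOW_LOG, SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed sample the 12-second SSH session is ignored as an ordinary administrative login, while the two-hour outbound SSH session and the long HTTPS flow from the host that resolved an Ngrok name are both reported. Short-lived legitimate SSH still needs an allow-list of known jump hosts before this logic is turned into an alert.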
In the last couple of years, the group attempted to breach corporate networks by exploiting multiple vulnerabilities in VPNs and networking equipment, including:
- CVE-2018-13379 – Fortinet VPN servers running FortiOS
- CVE-2019-1579 – Palo Alto Networks “Global Protect” VPN servers
- CVE-2019-11510 – Pulse Secure “Connect” enterprise VPNs
- CVE-2019-19781 – Citrix “ADC” servers and Citrix network gateways
- CVE-2020-5902 – F5 Networks BIG-IP load balancers
In late July 2020, Crowdstrike spotted a threat actor associated with PIONEER KITTEN attempting to sell access to compromised networks on an underground forum. According to the experts, the threat actors are simply monetizing their efforts by selling access that has no intelligence value for the Iranian Government.
“In late July 2020, an actor assessed to be associated with PIONEER KITTEN was identified as advertising to sell access to compromised networks on an underground forum.” continues the report. “That activity is suggestive of a potential attempt at revenue stream diversification on the part of PIONEER KITTEN, alongside its targeted intrusions in support of the Iranian government.”
PIONEER KITTEN hackers have to date focused their attacks on entities in North America and Israel; the targeted sectors include technology, government, defense, healthcare, aviation, media, academia, engineering, consulting and professional services, chemicals, manufacturing, financial services, insurance, and retail.