Threat Watch

Iranian Hackers Seen Selling Corporate Network Access on Criminal Forums

Iran(Fox Kitten/Parasite/Pioneer Kitten): At least one member of an Iran’s state-sponsored hacking group has been seen on a criminal forum selling access to corporate networks. The seller was identified as a member of Pioneer Kitten, also commonly referred to as Fox Kitten or Parasite. The group is well known for utilizing several different vulnerabilities to exploit VPNs and standard corporate networking devices. The sale of a number of corporate networks began in July of this year and the user behind the sale has since been linked to Pioneer Kitten. It is currently believed that the sale of these accounts is simply a means of expanding the group’s financial gain from their activities. The systems being sold are targets which would typically be out of the scope of the Iranian regime’s scope of interest.

ANALYST NOTES

Pioneer Kitten has always been believed to act as more of a contractor for the Iranian government rather than an actual asset of the Iranian government. Because of this, it is not surprising that the group would be willing to publicly sell access to entities that they have compromised and which the Iranian government has little to no interest in. Pioneer Kitten specializes in gaining initial access and installing backdoor access into systems. This access is typically passed off to other Iranian threat actors, but the access would also be of great interest to ransomware operators now that the group is willing to sell access publicly. Pioneer Kitten is well known for targeting several vulnerabilities and it is important to ensure that network devices and VPNs are updated promptly to defend against the exploitation of any of the below vulnerabilities.
• Pulse Secure “Connect” VPN – CVE2019-11510
• Fortinet VPN Servers running FortiOS – CVE-2018-13379
• Palo Alto Networks “Global Protect” VPN – CVE-2019-1579
• Citrix “ADC” servers and Citrix network gateways – CVE2019-19781
• F5 Networks BIG-IP load balancers – CVE-2020-5902
More information on this topic can be found at: https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/