Another suspected Iranian government-backed hacking group was seen selling stolen corporate network information on an underground hacking forum. The group, named ‘Pioneer Kitten’ and also known as Fox Kitten or Parisite, is believed to be a contractor working for Iran. The adversary is estimated to have been operating under the radar since 2017, exploiting known vulnerabilities in remote-access services such as VPNs and RDP. Cybersecurity experts became aware of this adversary in 2019, and it gained a more noticeable presence in July 2020.
Like most threat actors from Iran, they mainly target prominent entities in the US and in the Middle East region, including government organizations, health institutions, and financial services businesses. However, Pioneer Kitten acts as an ‘initial access broker’ for other Iranian cyber-criminal operatives: it works as the reconnaissance group that gathers initial intelligence and a foothold on the target network, then hands that off to another group to perform the more difficult task of exfiltration.
According to the report, Pioneer Kitten begins its intrusions by exploiting known vulnerabilities in remote network services, such as CVE-2019-11510, CVE-2019-19781, and its current favorite, CVE-2020-5902. The group then implants open-source tooling such as NGROK as a backdoor on the compromised network, which gives it command and control of the infected device and lets it collect the details it needs. Relevant intelligence gathered by the group for the Iranian government is then sold and passed on to a full government-backed Iranian APT group for more capable intrusion and exploration. Other stolen information that is not of interest to Iran is converted into quick money by auctioning it on hacking sites to other threat actors who may need it.
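The paragraph above describes the post-exploitation step that defenders can actually observe: a reverse-tunnel agent such as ngrok being dropped on a host to expose an internal service to the operator. The following is an added example, not code from the report or from any vendor, showing how a detection engineer might sweep endpoint telemetry for that pattern. The telemetry format (`event_type|host|detail`), the sample events, and the indicator heuristics (ngrok control domains, the ngrok binary name, and a `tcp <port>` command-line shape that also catches a renamed agent) are all assumptions constructed for illustration and should be tuned to your own environment.

```python
"""Flag ngrok-style reverse tunnelling in endpoint telemetry.

Added example with constructed sample data; the indicator heuristics are
assumptions to be adapted to a real environment, not vendor signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry lines: "<event_type>|<host>|<detail>".
# "proc" carries a process command line, "dns" carries a queried name.
SAMPLE_EVENTS = [
    "proc|host-01|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "proc|host-02|C:\\Users\\Public\\ngrok.exe tcp 3389",
    "dns|host-02|tunnel.ngrok.com",
    "proc|host-03|C:\\ProgramData\\update.exe tcp --region us 3389",
    "dns|host-04|contoso.example",
    "dns|host-05|abcd1234.ngrok.io",
]

# ngrok control/tunnel domains (assumed indicator list; extend as needed).
NGROK_DOMAIN_RE = re.compile(r"(^|\.)ngrok\.(com|io)$", re.IGNORECASE)
# The agent binary executed under its own name.
NGROK_BINARY_RE = re.compile(r"(^|[\\/])ngrok(\.exe)?\s", re.IGNORECASE)
# Command-line shape of an agent exposing a local service: "<bin> tcp [flags] <port>".
# This catches a renamed binary; the port list (RDP, SMB, WinRM, SSH) is an assumption.
TUNNEL_ARGS_RE = re.compile(r"\s(tcp|http)\b.*\b(3389|445|5985|22)\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding if one telemetry line matches a tunnelling indicator."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None  # malformed line; ignore rather than crash the sweep
    event_type, host, detail = parts

    if event_type == "dns" and NGROK_DOMAIN_RE.search(detail):
        return Finding(host, "DNS query to ngrok infrastructure", detail)

    if event_type == "proc":
        if NGROK_BINARY_RE.search(detail):
            return Finding(host, "ngrok agent binary executed", detail)
        if TUNNEL_ARGS_RE.search(detail):
            return Finding(host, "tunnel-style command line exposing a remote-service port", detail)

    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every telemetry line through the indicator checks."""
    return [f for f in map(analyze_event, lines) if f is not None]


def hosts_with_tunnels(lines: List[str]) -> List[str]:
    """Distinct hosts that produced at least one finding, for triage."""
    return sorted({f.host for f in scan(lines)})


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.reason} -> {finding.detail}")
    print("hosts to triage:", hosts_with_tunnels(SAMPLE_EVENTS))
```

The second process rule is the one worth keeping: an attacker who renames the agent defeats the filename check, but the agent still has to be told which local port to expose, so the argument shape survives. Pair a match with the DNS rule on the same host to raise confidence before escalating.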
Currently, most buyers of Pioneer Kitten’s surplus information are actors who deploy ransomware delivered via spear-phishing, using business email compromise (BEC) and compromised-domain redirection.
This is being scrutinized closely by most security experts and defensive vendors: since access is already established, ransomware groups can execute their malware with far less effort and proceed immediately to their objective.
This case proves that collaboration among cybercrime actors is real at the right price. It can also be seen in the fast pace at which single, more lethal malware, spyware, and ransomware strains are assembled from features built by different programs and developers. Rather than sealing off news about an attack, cybersecurity experts should proactively share intelligence, so that the wider cyber community benefits and can possibly pre-empt further damage that this collaboration of attackers may inflict on many businesses.