The notorious Iran-based cybercriminal organisation Pioneer Kitten works with other ransomware operations to attack and extort various organisations. Reports confirm that the industries this group targets most often are the defence, education, banking, and healthcare sectors in the United States.
This malicious organisation, which is also known by different names, such as Fox Kitten and UNC757, has been operating since at least 2017 and is alleged to have connections to the Iranian government.
This prompted US law enforcement agencies to issue a joint advisory earlier this week warning that the attackers are monetising their access to compromised organisations’ networks by selling domain admin credentials and full domain control privileges on various underground marketplaces under the ‘Br0k3r’ and ‘xplfinder’ handles.
The Pioneer Kitten threat group has been willing to accept a smaller share of the proceeds from its attacks in order to carry out its activities more efficiently.
According to investigations, the Pioneer Kitten threat group worked directly with ransomware groups to allow encryption activities in exchange for a portion of the ransom payments. The FBI confirmed that these criminals have coordinated with notorious ransomware organisations like BlackCat, NoEscape, and Ransomhouse.
Iranian cybercriminals’ role in these attacks extends beyond providing access. They collaborate closely with ransomware affiliates to lock victim networks and execute extortion tactics.
Pioneer Kitten works closely with ransomware operators in these attacks but keeps a low profile with those partners: the threat actors do not disclose their nationality or origin to the ransomware operators.
This group’s most recent activity occurred last month, when it started looking for Check Point Security Gateways that could be vulnerable to CVE-2024-24919. Since April, it has also acquired bulk scans for Palo Alto Networks PAN-OS and GlobalProtect VPN devices, which researchers believe the actors used to look for equipment vulnerable to a maximum-severity command injection flaw.
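The bulk scanning described above leaves a recognisable footprint on the defender's side: a single source touching many distinct internet-facing gateway or VPN hosts in a short window, most of them answering with errors. The following script is an added example written for this article, not code from the advisory or from any of the vendors named; it reads constructed access-log lines in an assumed `<timestamp> <src_ip> <target_host> <method> <path> <status>` format (hostnames, addresses and paths are placeholders) and flags sources whose behaviour matches that pattern, so that exposed Check Point or Palo Alto devices can be triaged before a vulnerability is confirmed.

```python
"""Added example (not from the advisory or the article): flag sources that
look like bulk scanners of internet-facing gateway/VPN appliances by
reading constructed access-log lines.  The log format, hostnames and
addresses below are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format:
# <ISO timestamp> <src_ip> <target_host> <method> <path> <status>
# 198.51.100.7 sweeps six appliances in a few seconds and mostly gets 404s;
# 203.0.113.9 is an ordinary user of a single VPN portal.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z 198.51.100.7 vpn1.example.test GET /login 200
2024-08-01T10:00:02Z 198.51.100.7 vpn2.example.test GET /login 404
2024-08-01T10:00:02Z 198.51.100.7 gw1.example.test GET /login 404
2024-08-01T10:00:03Z 198.51.100.7 gw2.example.test GET /login 404
2024-08-01T10:00:03Z 198.51.100.7 gw3.example.test GET /login 404
2024-08-01T10:00:04Z 198.51.100.7 gw4.example.test GET /login 404
2024-08-01T10:05:00Z 203.0.113.9 vpn1.example.test POST /login 200
2024-08-01T10:06:00Z 203.0.113.9 vpn1.example.test GET /portal 200
2024-08-01T10:07:00Z 203.0.113.9 vpn1.example.test GET /portal 200
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of typed fields."""
    ts, src, host, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "host": host,
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_scanners(log_text, window=timedelta(minutes=5),
                  min_hosts=5, min_error_ratio=0.5):
    """Return {src_ip: summary} for every source that, inside some
    `window`-long sliding window, touched at least `min_hosts` distinct
    target hosts and whose requests in that window were mostly errors
    (HTTP status >= 400).  The summary keeps the widest qualifying window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events[event["src"]].append(event)

    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits the limit.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            hosts = {e["host"] for e in current}
            errors = sum(1 for e in current if e["status"] >= 400)
            if (len(hosts) >= min_hosts
                    and errors / len(current) >= min_error_ratio):
                summary = {"hosts": len(hosts),
                           "requests": len(current),
                           "errors": errors}
                if src not in flagged or summary["hosts"] > flagged[src]["hosts"]:
                    flagged[src] = summary
    return flagged


if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {summary['hosts']} hosts, "
              f"{summary['errors']}/{summary['requests']} error responses")
```

The thresholds (`min_hosts`, `min_error_ratio`, `window`) are deliberately parameters: a legitimate monitoring system may also touch many hosts, so tune them against a baseline of your own traffic and feed the flagged sources into an allow-list review rather than an automatic block.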
Pioneer Kitten was also detected attempting to sell access to infiltrated networks on underground forums in July 2020, showing that the group has been working to diversify its sources of revenue.
US-based organisations, especially those in the most targeted sectors, should be vigilant about their digital presence. This threat poses a significant danger because of the group’s collaboration with other cybercriminal groups.