Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).

This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity.

The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity.

If organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting Form (see the Reporting section of this advisory for more details and contact methods).

For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Threat Actor Details

Background on Threat Group and Prior Activity

This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.[1][2] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape[3], Ransomhouse[4], and ALPHV (aka BlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.

Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key.[5],[6] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging their prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.

Attribution Details

FBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in support of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity. This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.

The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities.

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 15.1. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview of Observed Tactics, Techniques, and Procedures

The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.

Reconnaissance, Initial Access, Persistence, and Credential Access

The actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596][T1190].

Following exploitation of vulnerable devices, the actors use the following techniques:

• Capture login credentials using webshells on compromised Netscaler devices and append to file named netscaler.1 in the same directory as the webshell [T1505.003][T1056].
• Create the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003]. Malicious files deployed to this directory include:
  • netscaler.1
  • netscaler.php
  • ctxHeaderLogon.php
• Specifically related to Netscaler, place additional webshells on compromised devices immediately after system owners patch the exploited vulnerability [T1505.003]. The following file locations and filenames have been observed on devices:
  • /netscaler/logon/LogonPoint/uiareas/ui_style.php
  • /netscaler/logon/sanpdebug.php 
• Create the directory /xui/common/images/ on targeted IP addresses [T1133].
• Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain” [T1136.001].
• Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network [T1098].
• Create malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file has been observed being executed from the Windows Downloads directory [T1053]. 
• Place a malicious backdoor version.dll in C:\Windows\ADFS\ directory [T1505.003].
• Use a scheduled task to load malware through installed backdoors [T1053].
• Deployment of Meshcentral to connect with compromised servers for remote access [T1219].
• For persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random eight characters and attempt execution of a similarly named DLL contained in the C:\Windows\system32\drivers\ directory. For example, a service named “test” was observed attempting to load a file located at C:\WINDOWS\system32\drivers\test.sys [T1505].

Execution, Privilege Escalation, and Defense Evasion

• Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop) [T1078.003].
• Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks [T1078.002].
• Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level [T1562.001][T1562.010].
• Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted [T1562.001].
• Use a compromised administrator account to initiate a remote desktop session to another server on the network. In one instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell Integrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including files.catbox[.]moe. Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism [T1059.001].

Discovery

• Export system registry hives and network firewall configurations on compromised servers [T1012].
• Exfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—presumably to gather network and user account information for use in further exploitation efforts [T1482].

Command and Control

• Install “AnyDesk” remote access program as a backup access method [T1219].
• Enable servers to use Windows PowerShell Web Access [T1059.001].
• Use the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572].
• Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572].

Exfiltration and Impact

After infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. The actors also conduct what is assessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010], likely in support of the GOI.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory.