Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Benedict Collins

Iranian hackers work with ransomware gangs to break into companies via VPN and firewall tools

Technology background with national flag of Iran. 3D rendering.

Firewalls and VPNs are being used as a point of entry for Iranian state-sponsored hackers, tracked as Pioneer Kitten, looking to gain access to American schools, banks, hospitals, defense sector firms, and government agencies.

The attackers are gaining access through vulnerable devices from Check Point, Citrix, and Palo Alto Networks, according to a joint statement released by the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3) and the Cybersecurity and Infrastructure Security Agency (CISA).

Pioneer Kitten’s objectives are likely to be intelligence gathering operations to steal data from US defense contractors in line with the wider aims of the Iranian government, as well as fundraising by providing access to ransomware groups.

State-sponsored hackers team up with ransomware gangs

“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory says.

Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) has been observed working with ransomware groups ALPHV/BlackCat, NoEscape, and Ransomhouse to provide access to their targets.

The has been exploiting a number of known vulnerabilities, such as CVE-2024-24919 to exploit devices using Check Point Security Gateways, as well as CVE-2024-3400 to take advantage of unpatched Palo Alto Networks PAN-OS and GlobalProtect VPNs, disabling antivirus and moving laterally as they go. The group has also been targeting organizations based in Israel, the United Arab Emirates and Azerbaijan.

Another Iranian state-sponsored group has also been acting on behalf of the Iranian Islamic Revolutionary Guards Corps to gather intelligence on US satellite communications using a custom built malware dubbed Tickler.

“The FBI assesses a significant percentage of these threat actors' operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the statement continued. “The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims.”

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.