Advisory warns of Iran ransomware threat


The FBI, CISA, and the Department of Defense Cyber Crime Center have issued a joint advisory warning about a group of Iranian cyber actors conducting a high volume of computer network intrusion attempts against U.S. organizations since 2017. The group, known by various names including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, has been collaborating with ransomware gangs such as ALPHV, also known as BlackCat, which is responsible for numerous healthcare cybersecurity attacks. According to the alert, these Iranian cyber actors work closely with ransomware affiliates to lock victim networks and strategize their extortion, offering full domain-control privileges in exchange for a percentage of the ransom payments.

The threat actors do not disclose their location to ransomware affiliate contacts and are intentionally vague about their nationality and origin. Recent observations include these actors scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. They have also conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices, likely as reconnaissance to identify devices vulnerable to remote code execution.

Iranian ransomware threat warning issued

The agencies recommend organizations follow the suggested mitigations to defend against the Iranian cyber actors’ attempts to gain a foothold in their networks. These mitigations align with the Cross-Sector Cybersecurity Performance Goals developed by CISA and the National Institute of Standards and Technology.

Earlier this year, the FBI, CISA, and the Department of Health and Human Services addressed new indicators of compromise targeting the healthcare sector. Since mid-December 2023, nearly 70 leaked victims have been reported, with the healthcare sector being the most commonly victimized. “The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks,” said FBI and CISA officials in the advisory.

For more updates on cybersecurity threats and defenses in the healthcare sector, stay tuned for developments from the upcoming HIMSS Healthcare Cybersecurity Forum scheduled to take place October 31-November 1 in Washington, D.C.