An Iranian hacking group that has been attacking the VPNs of various corporations for several months has now started selling access to some of the compromised networks to other hackers.
In an attempt to monetize the compromised systems, the group has posted offers to sell that access on an underground hacking forum.
A report published by the cybersecurity firm CrowdStrike has revealed that an Iranian state-sponsored hacking group has been observed selling access to compromised corporate networks on an underground hacking forum. The group has been tracked under the codename Pioneer Kitten, but it also operates under the names Fox Kitten and Parisite.
According to the report, the group is believed to be a contractor for the Iranian government and, for the past two years, has focused on breaching corporate networks through vulnerabilities in VPNs and networking equipment.
Some of the vulnerabilities that the group has been exploiting in its attacks include:
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
- Fortinet VPN servers running FortiOS (CVE-2018-13379)
- Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
- Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
- F5 Networks BIG-IP load balancers (CVE-2020-5902)
According to a study by the cybersecurity company Dragos, the group has been compromising network devices through the weaknesses listed above. The hackers plant backdoors and then allow other Iranian hacking groups (such as APT33 (Shamoon), OilRig (APT34) or Chafer) to use them as initial access to the compromised systems.
With this initial access provided by Pioneer Kitten, the other groups can easily expand their foothold by deploying additional, more advanced malware to collect sensitive information believed to be of interest to the Iranian government.
In its report, CrowdStrike states that Pioneer Kitten has been observed selling access to some of the compromised networks on underground forums since July of this year. According to the company, the group is simply trying to diversify its income by monetizing compromised networks that are of little interest to Iran's intelligence services.
The usual targets of Iranian hacking groups have traditionally included businesses and government institutions in the US, Israel and other Middle Eastern countries. Defense, infrastructure, healthcare, technology and government are among the industries most frequently attacked. The main customers of groups like Pioneer Kitten that specialize in providing initial access to networks are typically gangs that carry out ransomware attacks.