Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
Aug. 28, 2024, 2:37 p.m.
Description
This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques like credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates like NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, procedures, indicators of compromise, and recommended mitigations.
Date
Published: Aug. 28, 2024, 2:08 p.m.
Created: Aug. 28, 2024, 2:08 p.m.
Modified: Aug. 28, 2024, 2:37 p.m.
Indicators
Attack Patterns
Ransomhouse
BlackCat - S1068
NoEscape
Noberus
ALPHV
Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm
T1596
T1136
T1572
T1505
T1219
T1098
T1053
T1056
T1562
T1190
T1133
T1078
T1059
Additional Information
Healthcare
Defense
Education
Finance
Government