Pioneer Kitten APT Sells Corporate Network Access

The Iran-based APT has infiltrated multiple VPNs using open-source tools and known exploits.

An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.

Pioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a blog post Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.

Pioneer Kitten’s work is related to other groups either sponsored or run by the Iranian government, which were previously seen hacking VPNs and planting backdoors in companies around the world.

Indeed, the credential sales on hacker forums seem to suggest “a potential attempt at revenue stream diversification” to complement “its targeted intrusions in support of the Iranian government,” Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.

Pioneer Kitten’s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate “with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)” to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.

CrowdStrike observed the group leveraging several critical exploits in particular — CVE-2019-11510, CVE-2019-19781, and most recently, CVE-2020-5902. All three are exploits affect VPNs and networking equipment, including Pulse Secure “Connect” enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.

Pioneer Kitten’s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.

While not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.

Of these, Charming Kitten—which also goes by the names APT35, Ajax or Phosphorus—appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike’s report actually comes on the heels of news that Charming Kitten also has resurfaced recently. A new campaign is using LinkedIn and WhatsApp to convince targets — including Israeli university scholars and U.S. government employees — to click on a malicious link that can steal credentials.

Operating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been email accounts tied to the Trump 2020 re-election campaign and public figures and human-rights activists, among others.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

 

 

 

 

Suggested articles