
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

Published 28/08/2024 14:08 · Modified 28/08/2024 14:37


Essential information

Published
28/08/2024 14:08
Modified
28/08/2024 14:37
Tags
2024-08-28 CVE-2019-19781 CVE-2022-1388 CVE-2023-3519 CVE-2024-21887 CVE-2024-24919 alphv blackcat credential-theft cve-2024-3400 iran noberus noescape ransomhouse ransomware state-sponsored webshells
Related entities
33 observables, 1 intrusion sets (apt), 13 techniques (mitre), 5 malware, 5 others

Description

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques such as credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates (this record tags NoEscape, RansomHouse, and ALPHV/BlackCat) to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, and procedures, indicators of compromise, and recommended mitigations.

External references