Cyber Warfare Escalation: Iran’s Fox Kitten Group Behind US Ransomware Attacks

This week, the FBI and CISA sounded the alarm about a troubling development: Iran’s state-sponsored Fox Kitten group is stepping up its cyber activities by collaborating with ransomware gangs to target organizations both in the US and around the world. The advanced threat group, also known as Pioneer Kitten and Rubidium, has changed its strategy and is now looking to take advantage of the network access it holds by facilitating ransomware attacks.

Fox Kitten, which began operations in 2017 and is believed to be backed by the Iranian government, provided early access to ransomware operations such as ALPHV and the Ransomhouse Group by exploiting vulnerabilities in VPN devices and other network services to gain unauthorized access to victims' networks. For example, zero-day vulnerabilities such as CVE-2024-24919 in Check Point VPNs and CVE-2024-3400 in Palo Alto Networks’ PAN-OS have recently been discovered.

Once inside, Fox Kitten’s strategy includes obtaining credentials, deploying malware, and escalating privileges to facilitate ransomware attacks. The group’s access methods exploit unpatched vulnerabilities, highlighting a fundamental issue: many organizations fail to address these security flaws. According to Tenable, a vast number of affected devices remain unpatched, making them prime targets.

This advisory serves as a wake-up call about the importance of proactive security measures and robust patch management. The troubling trend of state-sponsored cyber groups collaborating with ransomware operations, using their early access to amplify their influence and revenue, underscores the urgency of this need. It is not a matter of if but when the next attack will occur. The time to act is now.

StratosAlly
