Joint cybersecurity advisory warns of Iran-based attacks

The FBI and CISA say a significant percentage of foreign threat actors associated with the government of Iran are targeting several U.S. sectors, including healthcare and local governments, to obtain network access and deploy ransomware.
By Andrea Fox
02:08 PM

A specific group of Iranian cyber actors has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017, and as recently as August, according to a new advisory from the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and the Department of Defense Cyber Crime Center.

The group – known as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm – partners with ransomware gangs such as ALPHV, also known as BlackCat, a group responsible for numerous healthcare cybersecurity attacks.

WHY IT MATTERS

This group of Iranian threat actors refers to themselves by the monikers "Br0k3r" and, as of 2024, "xplfinder," according to the agencies' joint advisory.

While the FBI has historically observed Iran-based threats associated with hack-and-leak campaigns, the bureau recently identified this group as collaborating directly with ransomware affiliates of ALPHV, NoEscape and RansomHouse.

Beyond selling full domain-control privileges on compromised networks, the Iranian cyber actors work closely with ransomware affiliates to lock victim networks and strategize their extortion. Their goals include enabling encryption operations in exchange for a percentage of the ransom payments, the agencies said.

According to the alert, the threat actors do not disclose their location to ransomware affiliate contacts and are intentionally vague about their nationality and origin.

As of July, these actors have been observed "scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919," the agencies said.

Since April, the threat actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices, "likely conducting reconnaissance" and probing for devices vulnerable to remote code execution.
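The two scanning campaigns above share a defender-visible signature: one external address touching many of an organization's internet-facing VPN or gateway endpoints in a short span. The following is an added example, not code from the advisory, the agencies or the article, that flags such a sweep in constructed gateway access-log lines. The log format, the ports, the GlobalProtect URI prefixes and the thresholds are assumptions to adapt to your own edge devices; it does not probe for CVE-2024-24919 or any other specific flaw.

```python
"""Flag external sources sweeping a perimeter for VPN gateways.

Added example (not from the advisory or the article). Operates on
constructed access-log lines; format, ports, paths and thresholds are
assumptions to be tuned for the organisation's own edge devices.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format (one event per line):
#   <ISO timestamp> <src_ip> <dst_ip>:<dst_port> <method> <path> <status>
# 203.0.113.7 walks six perimeter addresses in five seconds; 192.0.2.44 is
# an ordinary user logging in to a single portal.
SAMPLE_LOG = """\
2024-07-01T10:00:00 203.0.113.7 198.51.100.10:443 GET /global-protect/login.esp 200
2024-07-01T10:00:01 203.0.113.7 198.51.100.11:443 GET /global-protect/login.esp 404
2024-07-01T10:00:02 203.0.113.7 198.51.100.12:443 GET /ssl-vpn/hipreport.esp 404
2024-07-01T10:00:03 203.0.113.7 198.51.100.13:443 GET /global-protect/login.esp 404
2024-07-01T10:00:04 203.0.113.7 198.51.100.14:443 GET /global-protect/login.esp 404
2024-07-01T10:00:05 203.0.113.7 198.51.100.15:443 GET /global-protect/login.esp 404
2024-07-01T10:00:30 192.0.2.44 198.51.100.10:443 POST /global-protect/login.esp 200
2024-07-01T10:05:00 192.0.2.44 198.51.100.10:443 GET /global-protect/portal/portal.esp 200
2024-07-01T12:00:00 203.0.113.7 198.51.100.10:443 GET /global-protect/login.esp 200
"""

VPN_PORTS = {443, 4443}                                # assumption: where the portals listen
VPN_PATH_PREFIXES = ("/global-protect/", "/ssl-vpn/")  # GlobalProtect portal/gateway URIs
WINDOW = timedelta(seconds=60)                         # sliding window per source address
MIN_DISTINCT_HOSTS = 5                                 # distinct perimeter hosts within WINDOW


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, src, dst_port, method, path, status = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "method": method, "path": path, "status": int(status)}


def is_vpn_probe(ev):
    """True when the request targets a VPN port and a portal/gateway URI."""
    return ev["port"] in VPN_PORTS and ev["path"].startswith(VPN_PATH_PREFIXES)


def find_sweeps(lines, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {src_ip: max distinct VPN hosts touched inside any window}
    for every source that reached min_hosts or more. Sources whose
    probes are spread thinly over time (below min_hosts per window)
    are not reported, which keeps normal multi-site users out."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for ev in events:
        if is_vpn_probe(ev):
            per_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in per_src.items():
        best, left = 0, 0
        for right, ev in enumerate(evs):
            # advance the left edge until the window fits
            while ev["ts"] - evs[left]["ts"] > window:
                left += 1
            best = max(best, len({e["dst"] for e in evs[left:right + 1]}))
        if best >= min_hosts:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible VPN sweep from {src}: {n} distinct gateways inside {WINDOW}")
```

Run against the constructed sample, only 203.0.113.7 is reported (six distinct hosts in one window); its later single request at 12:00 falls outside the window and does not change the result. In production the same logic fits a SIEM aggregation (count distinct destination per source over a short window, filtered to VPN ports and URIs), and the output is a lead for blocking or rate-limiting the source and for checking whether the gateways it touched are patched.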

The technical details add to and update a previous advisory on Iran-based exploitation of VPN vulnerabilities that the FBI and CISA first published in 2020.

The agencies recommend organizations follow suggested mitigations to defend against the Iranian cyber actors' attempts to gain a foothold in their networks.

"These mitigations align with the Cross-Sector Cybersecurity Performance Goals developed by CISA and the National Institute of Standards and Technology," they noted.

THE LARGER TREND

Earlier this year, the FBI, CISA and the Department of Health and Human Services revised their joint ALPHV/BlackCat cybersecurity alert to address new indicators of compromise targeting the healthcare sector.

"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," they said.

Although the FBI said it had seized Russia-based ALPHV's darknet website and infrastructure late last year, the ransomware group later claimed it had exfiltrated 6 TB of Change Healthcare data after the monumental attack and subsequent outage of the claims payment processing giant in February.

ON THE RECORD

"The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks," said FBI and CISA officials in the advisory.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
