Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques like credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates like NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, procedures, indicators of compromise, and recommended mitigations.

OPENCTI LABELS:

iran,ransomware,cve-2024-21887,blackcat,alphv,noberus,state-sponsored,credential-theft,cve-2024-3400,cve-2023-3519,cve-2024-24919,cve-2022-1388,ransomhouse,cve-2019-19781,webshells,noescape