Fox Kitten
Summary of Actor: Fox Kitten is an Iranian state-sponsored cyber espionage group known for its advanced persistent threat (APT) activity. The group primarily targets critical infrastructure sectors across a range of countries. Its operations typically involve exploiting known vulnerabilities and strategic web compromises.
General Features: Fox Kitten is known for its sophisticated attack methods, including spear-phishing, custom malware, and the exploitation of known vulnerabilities in enterprise VPN and RDP servers. The group focuses on long-term persistence and data exfiltration from high-value targets.
Related Other Groups: APT33, APT34, MuddyWater
Indicators of Attack (IoA):
- Unauthorized RDP access
- Unusual outbound traffic
- Phishing emails targeting specific sectors
- Use of VPN access for network infiltration
Recent Activities and Trends:
- Latest Campaigns: The most recent campaigns have involved exploiting vulnerabilities in enterprise VPNs to infiltrate the networks of targeted organizations.
- Emerging Trends: There has been a noticeable increase in the group's use of strategic web compromises and a growing focus on supply chain attacks, indicating a shift towards more complex and indirect methods of network infiltration.
Also Known As: Parisite, Rubidium, Pioneer Kitten, Lemon Sandstorm, Cobalt Foxglove (+2 more not shown)
Targeted Countries: Malaysia, Germany, Israel, Australia, Austria (+10 more not shown)
Targeted Sectors: Air Transportation, Manufacturing, Public Administration, Energy & Utilities, Chemical & Pharmaceutical Manufacturing (+6 more not shown)
Associated Malware / Ransomware: Noberus, ALPHV, BlackCat (S1068), NoEscape, Ransomhouse
Top Techniques: T1083 - File and Directory Discovery, T1486 - Data Encrypted for Impact, T1190 - Exploit Public-Facing Application, T1059 - Command and Scripting Interpreter, T1056 - Input Capture (+20 more not shown)
Tactics and Techniques:

Tactic | ID | Technique
---|---|---
Collection | T1056 | Input Capture
Command and Control | T1572 | Protocol Tunneling
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1105 | Ingress Tool Transfer
Command and Control | T1219 | Remote Access Tools
Credential Access | T1056 | Input Capture
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1562 | Impair Defenses
Discovery | T1082 | System Information Discovery
Discovery | T1012 | Query Registry
Discovery | T1482 | Domain Trust Discovery
Discovery | T1083 | File and Directory Discovery
Execution | T1059 | Command and Scripting Interpreter
Execution | T1053 | Scheduled Task/Job
Impact | T1486 | Data Encrypted for Impact
Initial Access | T1133 | External Remote Services
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1078 | Valid Accounts
Lateral Movement | T1210 | Exploitation of Remote Services
Lateral Movement | T1021 | Remote Services
Persistence | T1133 | External Remote Services
Persistence | T1136 | Create Account
Persistence | T1098 | Account Manipulation
Persistence | T1505 | Server Software Component
Persistence | T1078 | Valid Accounts
Persistence | T1053 | Scheduled Task/Job
Privilege Escalation | T1098 | Account Manipulation
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1053 | Scheduled Task/Job
Reconnaissance | T1596 | Search Open Technical Databases

Total Count: 18
Sources:
https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
https://attack.mitre.org/groups/G0117/
https://www.dragos.com/threat/parisite
https://www.crowdstrike.com/blog/who-is-pioneer-kitten
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/
https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf
https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d13d133-e25a-4de0-8952-6b0cbdb92899
https://youtu.be/pBDu8EGWRC4?t=2492
https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/
https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf
https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum
https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices
https://us-cert.cisa.gov/ncas/alerts/aa20-259a