Fox Kitten
Summary of Actor: Fox Kitten is an Iranian state-sponsored cyber espionage group known for its advanced persistent threat (APT) activities. The group primarily targets critical infrastructure sectors across various countries. Its operations often involve exploiting known vulnerabilities and strategic web compromises.
General Features: Fox Kitten is known for sophisticated attack methods, including spear-phishing, custom malware, and exploitation of known vulnerabilities in enterprise VPNs and RDP servers. The group focuses on long-term persistence and data exfiltration from high-value targets.
Related Other Groups: APT33, APT34, MuddyWater
Indicators of Attack (IoA):
- Unauthorized RDP access
- Unusual outbound traffic
- Phishing emails targeting specific sectors
- Use of VPN access for network infiltration
Recent Activities and Trends:
- Latest Campaigns: The most recent campaigns have involved exploiting vulnerabilities in enterprise VPNs to infiltrate the networks of targeted organizations.
- Emerging Trends: There has been a noticeable increase in the group's use of strategic web compromises and a growing focus on supply chain attacks, indicating a shift towards more complex and indirect methods of network infiltration.
Aliases:
- Cobalt Foxglove
- Parisite
- Fox Kitten
- Pioneer Kitten
- Rubidium
Target Countries:
- Kuwait
- Malaysia
- France
- Germany
- Lebanon
Target Sectors:
- Air Transportation
- Manufacturing
- Public Administration
- Energy & Utilities
- Chemical & Pharmaceutical Manufacturing
Related CVEs:
ATT&CK IDs:
- T1190 - Exploit Public-Facing Application
- T1572 - Protocol Tunneling
- T1219 - Remote Access Software
- T1133 - External Remote Services
- T1562 - Impair Defenses
Tactic | Id | Technique
---|---|---
Collection | T1056 | Input Capture
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1572 | Protocol Tunneling
Command And Control | T1219 | Remote Access Software
Credential Access | T1056 | Input Capture
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1078 | Valid Accounts
Execution | T1053 | Scheduled Task/Job
Execution | T1059 | Command and Scripting Interpreter
Initial Access | T1133 | External Remote Services
Initial Access | T1078 | Valid Accounts
Initial Access | T1190 | Exploit Public-Facing Application
Lateral Movement | T1021 | Remote Services
Lateral Movement | T1210 | Exploitation of Remote Services
Persistence | T1053 | Scheduled Task/Job
Persistence | T1133 | External Remote Services
Persistence | T1078 | Valid Accounts
Persistence | T1136 | Create Account
Persistence | T1505 | Server Software Component
Persistence | T1098 | Account Manipulation
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1098 | Account Manipulation
Reconnaissance | T1596 | Search Open Technical Databases

Total Count (unique techniques): 16
Sources:
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
- https://youtu.be/pBDu8EGWRC4?t=2492
- https://attack.mitre.org/groups/G0117/
- https://www.crowdstrike.com/blog/who-is-pioneer-kitten/
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
- https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices
- https://us-cert.cisa.gov/ncas/alerts/aa20-259a
- https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf
- https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/
- https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
- https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d13d133-e25a-4de0-8952-6b0cbdb92899
- https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/
- https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf
- https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum
- https://www.dragos.com/threat/parisite