The Iranian Cyber Contractor Collaborating with Ransomware Gangs


Redazione RHC : 26 June 2025 09:46

We continue our series of articles on IABs by writing about an Iranian cyber contractor that not only works as an initial access broker but also provides support to ransomware gangs, filling both its partners' pockets and its own.

In a CISA report published in August 2024, CISA, the FBI and the DoD Cyber Crimes Division say that an Iranian group known as “Pioneer Kitten”, “Fox Kitten”, “UNC757”, “Parisite”, “RUBIDIUM” or “Lemon Sandstorm” has profited from cybercrime by selling access to compromised corporate networks. The group has also operated under other names such as “Br0k3r” and “xplfinder” and has been observed selling access to affiliates of RaaS operations such as AlphV/BlackCat, NoEscape, and RansomHouse.

The CISA report also indicates that in cases where RaaS affiliates had difficulty encrypting devices on the victim’s network, members of the Iranian APT (the group is also known as APT33) also provided assistance in exchange for a percentage of the ransom.

Attack Vectors

The research highlights how “Br0k3r” gains access to networks by exploiting older vulnerabilities (CVEs from before 2024) in

  • Citrix Netscaler gateways (CVE-2019-19781, CVE-2023-3519) and
  • F5 BIG-IP load balancers (CVE-2022-1388),

but also more recent ones (CVEs from 2024)

  • for Check Point secure gateways (CVE-2024-24919) and
  • for Palo Alto Networks PAN-OS and GlobalProtect VPN devices (CVE-2024-3400).

The report identifies the group as being made up of employees of an Iranian company called Danesh Novin Sahand, which gives some of its victims hope that an official indictment against this organisation could be brought in the near future, perhaps in an international court.

Technical Details Overview

Fox Kitten uses the Shodan search engine to identify IP addresses hosting devices vulnerable to specific exploits, such as Citrix Netscaler, F5 BIG-IP, Pulse Secure/Ivanti VPN, or PAN-OS firewalls. Once the vulnerabilities are exploited, the actor installs a webshell and captures login credentials before carrying out further malicious activity to add backdoor malware and continue compromising systems. New accounts are also created with administrator-like names, and EDR/antivirus systems are disabled. More detail is given later in the article, in the section “Tactics, Techniques, and Procedures (TTP)”, which cites the TTPs from the CISA report.

Br0k3r Onion Sites

Br0k3r has taken a novel approach to the IAB business model, using a site hosted by a single Tor provider to advertise its access across multiple forums. This Tor site includes instructions for requesting and purchasing access. According to Br0k3r, each access sale includes Windows Domain Administrator (DA) credentials, Active Directory (AD) user credentials and password hashes, DNS zones and objects, and Windows domain trusts.

The site and system developed by Br0k3r are said to be operated by Br0k3r itself and are not connected to any other threat actors. This allows Br0k3r to build trust with its cybercriminal clientele. It is a one-to-many service, not a marketplace.

Br0k3r’s onion site until July 2023

APT33 is reportedly an Iranian state-sponsored group active since at least 2013 (some sources, however, say it has been active since 2017). It has targeted organisations in the United States, Saudi Arabia and South Korea, with a strong focus on the aviation and energy sectors. Given its attack capabilities, its overlap with the activities of other Iranian persistent threats and its shared victimology, it is assumed to be a group linked to the Islamic Revolutionary Guard Corps (IRGC).

APT33, like other IRGC-subordinate groups, operates under the guise of a private company that wins IT contracts (for this APT the company name is “Danesh Novin Sahand”), which makes its activities harder to trace and attribute.

Historically, APT33 has been associated with hacking and leaking campaigns, such as Operation Pay2Key (https://research.checkpoint.com/2020/ransomware-alert-pay2key/) in late 2020, a cyber warfare operation aimed at undermining the cybersecurity of Israeli infrastructure. In the case of the APT33 group’s activities, it appears they are primarily focused on stealing credentials and sensitive information.

Br0k3r now states on their website that “numerous active ransomware gangs work with me at a fair percentage [sic].” Br0k3r thus exemplifies how the relationship between ransomware operators and Initial Access Brokers (IABs) is mutually beneficial.

The Br0k3r Shop allows ransomware operators to focus on lateral movement, data theft, ransomware payload deployment, and extortion, rather than on the time-consuming work of gaining network access. Ransomware operators in turn provide a steady revenue stream to Br0k3r. The cost of access is negligible compared to the ransom demanded from victims, which has led to an explosion in offers to sell access to compromised organisations.

Br0k3r’s onion site as of August 2023: The Br0k3r Shop

According to SANS, those who decide to purchase logins from Br0k3r also receive a preview of the network for which they are purchasing logins. This includes the victim’s domains and a summary of the victim’s organisation from ZoomInfo. To prove that the login is legitimate, Br0k3r also provides proof of domain administrator privileges, company access level, network size, and the antivirus or endpoint detection and response (EDR) system in use. Once the potential buyer confirms that they have a wallet with available funds, the deal is done.

Implications

These access-selling activities broaden the scope of cyber threats from Iran-based actors, the report says. In early 2024, the FBI, CISA, and the Department of Health and Human Services updated their cybersecurity alert on ALPHV (a ransomware gang that is a client of the IAB Br0k3r) to highlight new indicators of compromise specifically targeting the healthcare sector. Despite the FBI’s attempts to disrupt the operations of ransomware groups like ALPHV, these groups continue to pose a significant threat.

IAB Motivation

Espionage, Sabotage, Money.

Target Countries/Industries

USA, Israel, Azerbaijan, Saudi Arabia, South Korea

Industries: Financial Institutions, Aviation, Energy, Education, Government, Healthcare

Attack Vectors

Use of Proxies, Spearphishing, Public-Facing Applications, Social Media Messaging, Malicious Packages (NPM, Pip), Watering Hole, Supply Chain Attacks

Tools & Malware

  • Wiper: Shamoon
  • Custom backdoor: Tickler, FalseFont
  • Remote Access Trojan: QuasarRAT

TOX IDs used by Br0k3r (TOX ID and TOX public key):

  • xplfinder: ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f 7c7c69
  • Br0k3r: B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49ADB059 C3DCCAA30C

Jabber/XMPP ID: br0k3r[@]xmpp[.]jp

Main scenarios in which the actor operated

Pay2Key (October 2024)

Two dozen Israeli companies were targeted in October 2024, and forensic evidence links the campaign to Fox Kitten. JNS reports that one of them is linked to Israel’s air defence system known as Iron Dome: “Fox Kitten, in the Pay2Key campaign, claimed to have breached the computer system of Elta Systems, a subsidiary of Israel Aerospace Industries (IAI), which developed the radar used in the Iron Dome missile defense system; Fox Kitten/Br0k3r allegedly leaked sensitive data on the dark web.”

“Knock Knock! Tonight is longer than longest night for @ILAerospaceIAI”

was tweeted after the 2024 attack.

Tactics, Techniques, and Procedures (TTP)

What follows is an overview of the tactics, techniques, and procedures observed according to the CISA report. Initial intrusions by this Iranian actor rely on the exploitation of remote external services on Internet-exposed resources to gain initial access to victim networks.

As of July 2024, this actor has been observed scanning IP addresses hosting Check Point security gateways for devices potentially vulnerable to CVE-2024-24919. Since April 2024, it has been conducting mass scans of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect systems, most likely as reconnaissance and discovery of devices vulnerable to CVE-2024-3400. Historically, this group has breached enterprises by exploiting CVE-2019-19781 and CVE-2023-3519 in Citrix Netscaler, and CVE-2022-1388 in F5 BIG-IP devices.

Reconnaissance, Initial Login, Persistence, and Credential Access

The actor was observed using the Shodan search engine to identify and enumerate IP addresses hosting devices vulnerable to a particular CVE. The actors’ initial access is typically gained by leveraging a publicly exposed network device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPN (CVE-2024-21887), and most recently PanOS (CVE-2024-3400).

After breaching the vulnerable devices, the following techniques are used:

  • Capturing login credentials via a webshell on compromised Netscaler devices and appending them to a file named netscaler.1 in the same directory as the webshell.
  • Creating the /var/vpn/themes/imgs/ directory on Citrix Netscaler devices to deploy a webshell. Malicious files were distributed from this directory.
  • On Netscaler devices specifically, placing additional webshells immediately after the system owners patched the exploited vulnerability. The following path and file name were observed on the devices:
    • /netscaler/logon/LogonPoint/uiareas/ui_style.php
  • Creating accounts on victim networks; observed names include “sqladmin$”, “adfsservice”, “IIS_Admin”, “iis-admin”, and “John McCain”.
  • Requesting exemptions from security policies and zero-trust enforcement for the tools they intend to deploy on the victim’s network.
  • Creating a malicious scheduled task in the Windows/SpacePort folder of the Task Scheduler. This task uses DLL side-loading against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file was observed being executed from the Windows “Downloads” directory.
  • Creating a malicious backdoor “version.dll” in the directory C:\Windows\ADFS.
  • Creating a scheduled task to load the malware through the installed backdoors.
  • Deploying “MeshCentral” to connect to the compromised servers for remote access.
  • Creating a daily Windows service task whose name consists of eight characters and which executes a DLL. For example, a service named “test” was observed attempting to load a file whose full path was C:WINDOWSsystem32drivers-drivers...
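As an added, defender-side example (not part of the original article or the CISA report), the script below turns the TTPs listed above into a small triage check run over constructed log lines. The key=value log format and all sample lines are assumptions made for this example; the event IDs follow the Windows Security (4720 account created, 4698 scheduled task created) and Sysmon (7 image loaded) conventions, while the account names, the Windows/SpacePort task folder, the version.dll side-loading path and the Netscaler webshell paths are the ones cited on this page.

```python
import re

# Account names, task folder, DLL path and Netscaler paths come from the TTP list above; the key=value log format and every sample line are constructed for this example.
SUSPICIOUS_ACCOUNTS = {"sqladmin$", "adfsservice", "iis_admin", "iis-admin", "john mccain"}
NETSCALER_PATHS = ("/var/vpn/themes/imgs/", "/netscaler/logon/logonpoint/uiareas/ui_style.php", "netscaler.1")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Parse one key=value log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def check_line(line):
    """Return the reasons (possibly none) a single log line matches one of the TTPs."""
    ev = parse(line)
    reasons = []
    user = ev.get("TargetUserName", "").lower()
    if ev.get("EventID") == "4720" and user in SUSPICIOUS_ACCOUNTS:  # Windows: account created
        reasons.append(f"account created with actor-associated name: {user}")
    task = ev.get("TaskName", "").lower()
    if ev.get("EventID") == "4698" and task.startswith("\\windows\\spaceport\\"):  # task created
        reasons.append("scheduled task created under \\Windows\\SpacePort")
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()  # Sysmon event 7: DLL loaded by a process
    if loaded.endswith("\\version.dll"):
        if loaded.startswith("c:\\windows\\adfs\\"):
            reasons.append("version.dll loaded from C:\\Windows\\ADFS")
        if image.rsplit("\\", 1)[-1] in ("contig.exe", "dllhost.exe") and "\\downloads\\" in image:
            reasons.append("contig.exe/dllhost.exe side-loading version.dll from Downloads")
    path = ev.get("path", "").lower()
    if any(p in path for p in NETSCALER_PATHS):  # Netscaler webshell / credential-file locations
        reasons.append(f"file in known webshell location: {ev.get('path')}")
    return reasons

def scan(lines):
    """Run check_line over a whole log and return (line number, reason) pairs."""
    return [(n, r) for n, line in enumerate(lines, 1) for r in check_line(line)]

SAMPLE_LOG = [  # constructed, not real telemetry
    'ts=2024-03-01T10:00:00Z host=DC01 EventID=4720 TargetUserName=sqladmin$ SubjectUserName=svc_backup',
    'ts=2024-03-01T10:01:00Z host=DC01 EventID=4720 TargetUserName=jdoe SubjectUserName=helpdesk',
    'ts=2024-03-01T10:05:00Z host=DC01 EventID=4698 TaskName="\\Windows\\SpacePort\\Updater" SubjectUserName=sqladmin$',
    'ts=2024-03-01T10:06:00Z host=WS07 EventID=7 Image="C:\\Users\\bob\\Downloads\\dllhost.exe" ImageLoaded="C:\\Users\\bob\\Downloads\\version.dll"',
    'ts=2024-03-01T10:07:00Z host=ADFS1 EventID=7 Image="C:\\Windows\\ADFS\\Microsoft.IdentityServer.ServiceHost.exe" ImageLoaded="C:\\Windows\\ADFS\\version.dll"',
    'ts=2024-03-01T10:08:00Z host=NS01 event=file_created path=/var/vpn/themes/imgs/ns.php',
    'ts=2024-03-01T10:09:00Z host=NS01 event=file_created path=/var/log/ns.log',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Five of the seven constructed lines are flagged; the ordinary account creation and the normal Netscaler log file produce no finding.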

IoC

The CISA report lists indicators of compromise (IP addresses and domains) together with their first and last observation dates as of August 2024.

Conclusion

FBI and CISA recommend that all organisations implement mitigation measures to improve their cybersecurity posture in light of the Iranian cyber group’s activities. The FBI believes that the group’s primary objective is to identify devices vulnerable to the cited CVEs; every organisation should therefore defend against exploitation of known vulnerabilities with patching policies and the replacement of deprecated or obsolete devices and software, especially those exposed on public IPs.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
