CISA, in collaboration with the FBI and the Department of Defense Cyber Crime Center (DC3), issued a joint advisory Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations. This advisory alerts organizations to cyber actors, also known as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, who are targeting and exploiting entities across various sectors in the U.S. and abroad. Targeted organizations include healthcare, education, finance, defense firms, and local governments.
FBI investigations, as of August 2024, indicate that groups like Pioneer Kitten are linked to the Government of Iran (GOI) and an Iranian IT company. These cyber actors are conducting malicious operations to deploy ransomware and gain network access, facilitating further collaboration with affiliate actors to continue ransomware attacks.
The advisory is similar to an earlier advisory published on September 15, 2020, Iran-Based Threat Actor Exploits VPN Vulnerabilities, which includes known indicators of compromise (IOCs) and outlines tactics, techniques, and procedures (TTPs).
CISA and its partners urge critical infrastructure organizations and other targeted organizations to review and implement the recommended mitigations in this advisory to minimize the risk and impact of ransomware incidents. For more details on Iranian state-sponsored cyber threats, visit CISA’s Iran Cyber Threat Overview and Advisories page.
For additional guidance on ransomware protection, detection, and response, refer to #StopRansomware and the updated #StopRansomware Guide. More information on the Cross-Sector Cybersecurity Performance Goals (CPGs) and recommended baseline protections can be found on CISA’s website.
Here are some steps organizations can take to protect themselves from ransomware attacks:
- Keep Software Updated: Regularly update all software, including operating systems and applications, to fix vulnerabilities that ransomware can exploit.
- Use Two-Factor Authentication (2FA): Implement 2FA to add an extra layer of security, making it more difficult for attackers to gain access.
- Enhance Email Security: Secure email systems to prevent phishing attacks, which are a common method for delivering ransomware.
- Deploy Endpoint Security: Use comprehensive endpoint security solutions to detect and block ransomware before it can execute.
- Regular Data Backups: Back up important data regularly and store backups offline or in a secure cloud environment to ensure data can be restored if an attack occurs.
- Adopt a Zero Trust Model: Implement a Zero Trust security model, which assumes that threats could be both inside and outside the network and verifies every request as though it originates from an open network.
- Conduct Security Awareness Training: Educate employees about the risks of ransomware and how to recognize potential threats, such as suspicious emails and links.
- Implement Network Segmentation: Segment networks to limit the spread of ransomware if an infection occurs.
- Enforce Access Controls: Use strict access controls to limit user permissions and reduce the potential impact of ransomware.
- Develop an Incident Response Plan: Create and regularly update an incident response plan to ensure a quick and effective response to ransomware attacks.
By following these steps, organizations can significantly reduce their risk of falling victim to ransomware attacks.