Several U.S. government agencies are warning of recent attacks by UNC757, an Iran-based group that has been linked to ransomware activity and separately associated with the government of Iran.
UNC757 (also known as Pioneer Kitten) has been around since 2017 and is known for targeting U.S.-based schools, municipal governments, financial institutions and healthcare facilities. A significant percentage of the operations by UNC757 against U.S. firms aim to obtain initial network access, and then collaborate with ransomware affiliates, including BlackCat, RansomHouse and NoEscape, to deploy ransomware or enable encryption operations in exchange for a percentage of the ransom payments.
However, in the Wednesday cybersecurity advisory for network defenders, the FBI, CISA and Department of Defense Cyber Crime Center warned that the group has also been targeting organizations like U.S. defense sector networks in separate campaigns that are “consistent with Iranian state interests,” rather than the interests of its ransomware affiliate contacts. This link to the Iranian government has previously been reported by threat intelligence teams.
“The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan),” according to the advisory.
The advisory disclosed several recent Indicators of Compromise linked to UNC757 activity. Many of UNC757’s techniques are similar to those described in an advisory released four years ago by CISA. The group still gains initial access primarily through vulnerabilities in devices like Citrix Netscaler, Ivanti Pulse Secure and F5 BIG-IP. As of July, CISA said the group has scanned for IP addresses hosting Check Point Security Gateways (likely in an attempt to exploit CVE-2024-24919, which was disclosed in May). Attackers also appear to be targeting a vulnerability in Palo Alto Networks’ PAN-OS firewall software (CVE-2024-3400).
After initial exploitation, the group sets up persistence in various ways, including creating local accounts on victim networks, capturing login credentials for compromised (primarily Netscaler) devices, and setting up a Windows service task that runs daily. The actor also uses administrator credentials to disable security software and lower the PowerShell execution policy to a less secure level.
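The persistence steps described above map onto a small set of standard Windows event IDs that defenders already collect: 4720 (a user account was created), 4698 (a scheduled task was created), 7045 (a service was installed) and 4104 (PowerShell script block text). The following hunting script is an added example written for this article, not code from the advisory or from CISA; it correlates those events per host and flags the account-plus-task-plus-service chain and any `Set-ExecutionPolicy` call to a weak policy. The flat JSON-like event shape, the 30-minute correlation window and all sample events are constructed assumptions, so field names would need adapting to a real SIEM export.

```python
"""Hunt for the persistence pattern in the UNC757 advisory (added example).

Event IDs are the standard Windows ones: 4720 (account created) and 4698
(scheduled task created) from the Security log, 7045 (service installed)
from the System log, 4104 (script block logging) from the PowerShell
Operational log. The record layout and sample data are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: one dict per forwarded log record).
# FS01 shows the full chain plus an execution-policy downgrade; WS22 shows
# benign-looking activity spread over a day that should not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T02:10:00", "host": "FS01", "event_id": 4720, "detail": "svc_backup2"},
    {"ts": "2024-07-01T02:12:30", "host": "FS01", "event_id": 4698, "detail": "\\Microsoft\\Windows\\SystemUpdate"},
    {"ts": "2024-07-01T02:13:05", "host": "FS01", "event_id": 7045, "detail": "WinUpdateSvc"},
    {"ts": "2024-07-01T02:14:00", "host": "FS01", "event_id": 4104, "detail": "Set-ExecutionPolicy Unrestricted -Scope LocalMachine"},
    {"ts": "2024-07-01T09:00:00", "host": "WS22", "event_id": 4720, "detail": "jdoe"},
    {"ts": "2024-07-02T09:30:00", "host": "WS22", "event_id": 7045, "detail": "PrintSpoolerHelper"},
]

PERSISTENCE_CHAIN = {4720, 4698, 7045}   # account -> scheduled task -> service
WEAK_POLICIES = ("unrestricted", "bypass")


def parse_ts(value):
    """Timestamps are ISO-8601 strings in the constructed export format."""
    return datetime.fromisoformat(value)


def find_persistence_chains(events, window=timedelta(minutes=30)):
    """Return one alert per host where all three chain events land within
    `window` of each other. The window length is a tuning assumption."""
    alerts = []
    by_host = defaultdict(list)
    for event in events:
        if event["event_id"] in PERSISTENCE_CHAIN:
            by_host[event["host"]].append(event)

    for host, items in by_host.items():
        items.sort(key=lambda e: parse_ts(e["ts"]))
        i = 0
        while i < len(items):
            start = parse_ts(items[i]["ts"])
            seen = {}          # event_id -> first matching event in window
            j = i
            while j < len(items) and parse_ts(items[j]["ts"]) - start <= window:
                seen.setdefault(items[j]["event_id"], items[j])
                j += 1
            if set(seen) == PERSISTENCE_CHAIN:
                alerts.append({
                    "rule": "persistence-chain",
                    "host": host,
                    "start": items[i]["ts"],
                    "end": items[j - 1]["ts"],
                    "details": [e["detail"] for e in seen.values()],
                })
                i = j          # do not re-report events already in this chain
            else:
                i += 1
    return alerts


def find_policy_downgrades(events):
    """Flag script blocks that set the execution policy to Unrestricted/Bypass."""
    alerts = []
    for event in events:
        if event["event_id"] != 4104:
            continue
        text = event["detail"].lower()
        if "set-executionpolicy" in text and any(p in text for p in WEAK_POLICIES):
            alerts.append({
                "rule": "execution-policy-downgrade",
                "host": event["host"],
                "ts": event["ts"],
                "detail": event["detail"],
            })
    return alerts


def hunt(events, window=timedelta(minutes=30)):
    """Run both rules and return the combined alert list."""
    return find_persistence_chains(events, window) + find_policy_downgrades(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample data this produces two alerts, both for FS01; WS22's account creation and service install are a day apart and fall outside the window. In production the chain rule is worth pairing with an allow-list of known provisioning tools, since legitimate software installers also create services, and the window should be tuned to how quickly your own deployment pipeline completes.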
While the group provides ransomware affiliates with initial access to victim networks, CISA said its involvement goes beyond this purpose, and the actor works closely with affiliates to lock networks and develop extortion strategies for the victims. The actor has also historically conducted hack-and-leak campaigns, including the 2020 Pay2Key campaign.
“While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments,” according to CISA’s advisory. “Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.”
UNC757 also steals sensitive information from victim networks, suggesting its association with the government of Iran, “however, the group’s ransomware activities are likely not sanctioned by the [government of Iran], as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity,” according to CISA. This is one of several dual-purpose groups that have emerged over the years, supporting both ransomware and espionage activities, including North Korea’s Moonstone Sleet.
Organizations can protect themselves by patching the CVEs targeted by the group, including CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519, as well as validating their security controls against the techniques in the advisory, said CISA.