An Iranian APT hacking group called "Fox Kitten" has been linked to Pay2Key ransomware, which has recently started targeting organizations in Israel and Brazil, according to the threat intelligence company "ClearSky".
According to the report published on December 17, this campaign is part of the ongoing rivalry between Israel and Iran, with the latest wave of attacks causing significant damage to some of the affected companies.
The Iran-backed "Fox Kitten" hacking group (codenamed Parisite by ICS cyber security company "Dragos") has been active since at least 2017 and is known for orchestrating and participating in cyber espionage and data theft campaigns.
Fox Kitten also provides access to breached corporate networks to another Iranian hacking group called "APT33", also known as Elfin and Magnallium.
Pay2Key is a relatively new ransomware operation that has targeted Israeli and Brazilian organizations in the last month. Starting in October 2020, Fox Kitten has used Pay2Key ransomware in its attacks to steal sensitive and confidential data from industrial companies, as well as security and logistics companies. The group has exploited vulnerabilities in Pulse Secure, Fortinet, F5 and GlobalProtect VPN products, or publicly exposed Remote Desktop Protocol (RDP) services, to access target networks and deploy malware payloads.
According to Check Point, the ability of Pay2Key operators to spread ransomware across an entire target network within an hour suggests that the hacking group is likely a state-sponsored actor with APT-grade skills and resources.
In addition, the group set up a pivot device to serve as an outbound proxy between infected hosts and its command-and-control servers, which helps it avoid or reduce the risk of detection before it has encrypted all the network systems it can reach.
Another piece of evidence that Fox Kitten is focusing on information theft with Pay2Key is that, on recent victims' networks, the group did not even deploy the ransomware payload, but instead used only the stolen data to blackmail the victims.
Israeli media reported that the hackers broke into the Israeli company Amital earlier this month and then, in a supply chain attack, breached 40 of the company's customers.
In addition, according to BleepingComputer, the hacking group known as "BlackShadow" is behind a cyber attack on the Israeli insurance company "Shirbit" and demanded $1 million to prevent the stolen data from being leaked.
While the attack in which Shirbit systems were breached is similar to the Pay2Key attacks, it is not yet known if they are linked, ClearSky researcher Ohad Zaidenberg told BleepingComputer.
Israeli cyber security researchers estimate that these attacks have escalated due to the recent assassination of an Iranian nuclear scientist.