Redazione RHC : 26 June 2025 09:46
We continue our series of articles on IABs with an Iranian cyber contractor that not only works as an initial access broker but also provides support to ransomware gangs, filling both the gangs' pockets and its own.
In a CISA report published in August 2024, CISA, the FBI and the DoD Cyber Crimes Division say that an Iranian group known as “Pioneer Kitten”, “Fox Kitten”, “UNC757”, “Parisite”, “RUBIDIUM” or “Lemon Sandstorm” has been successful in cyber crime by selling access to hackable corporate networks. The group has also operated under other names such as “Br0k3r” and “xplfinder” and has been observed selling access to affiliates of RaaS operations such as AlphV/BlackCat, NoEscape, and RansomHouse.
The CISA report also indicates that in cases where RaaS affiliates had difficulty encrypting devices on the victim’s network, members of the Iranian APT (the group is also known as APT33) also provided assistance in exchange for a percentage of the ransom.
The research highlighted how “Br0K3r” gains access to networks by exploiting both older vulnerabilities (CVEs from before 2024) and more recent ones (CVEs from 2024).
The report identifies the group as being made up of employees of an Iranian company called Danesh Novin Sahand, which gives some of its victims hope that an official indictment could be brought against this organisation in the near future, perhaps in an international court.
Fox Kitten uses the Shodan search engine to identify IP addresses hosting devices vulnerable to specific exploits, such as Citrix Netscaler, F5 BIG-IP, Pulse Secure/Ivanti VPN or PAN-OS firewalls. Once a vulnerability is exploited, the actor installs a webshell and captures login credentials before carrying out further malicious activity to plant backdoor malware and continue compromising systems. New accounts are also created with names suggestive of administrators, and EDR/antivirus systems are disabled. More detail is given later in the article, citing the TTPs from the CISA report, in the paragraph “Tactics, Techniques, and Procedures (TTPs)”.
Br0k3r has taken a novel approach to the IAB business model, using a site hosted by a single Tor provider to advertise its access across multiple forums. This Tor site includes instructions for requesting and purchasing access. According to Br0k3r, each access sale includes Windows Domain Administrator (DA) credentials, Active Directory (AD) user credentials and password hashes, DNS zones and objects, and Windows domain trusts.
The site and system developed by Br0k3r are said to be operated by Br0k3r itself and are not connected to any other threat actors. In this way Br0k3r can build trust with its cybercriminal clientele. This is a one-to-many service, not a marketplace.
APT33 is reportedly an Iranian state-sponsored group active since at least 2013 (some sources, however, cite 2017 as the start of its activity). It has targeted organizations in the United States, Saudi Arabia and South Korea, with a strong focus on the aviation and energy sectors. Given its attack capabilities, its overlapping activity with other Iranian persistent threats and its shared victimology, it is assumed to be a group linked to the Islamic Revolutionary Guard Corps (IRGC).
APT33, like other IRGC-subordinate groups, wins IT contracts in order to operate under the guise of a private company (for this APT the company name is “Danesh Novin Sahand”), which makes its activities harder to trace and attribute.
Historically, APT33 has been associated with hacking and leaking campaigns, such as Operation Pay2Key (https://research.checkpoint.com/2020/ransomware-alert-pay2key/) in late 2020, a cyber warfare operation aimed at undermining the cybersecurity of Israeli infrastructure. In the case of the APT33 group’s activities, it appears they are primarily focused on stealing credentials and sensitive information.
Br0k3r now states on their website that “numerous active ransomware gangs work with me at a fair percentage [sic].” This highlights how Br0k3r exemplifies that the relationship between ransomware operators and Initial Access Brokers (IABs) is mutually beneficial.
The Br0k3r Shop allows ransomware operators to focus on lateral movement, data theft, ransomware payload deployment, and extortion, rather than spending their time on the time-consuming work of gaining network access. Ransomware operators also provide a steady revenue stream to Br0k3r. The cost of access is negligible compared to the ransom demanded from victims, which has led to an explosion in offers to sell access to compromised organizations.
According to SANS, those who decide to purchase logins from Br0k3r also receive a preview of the network for which they are purchasing logins. This includes the victim’s domains and a summary of the victim’s organization from ZoomInfo. To prove that the login is legitimate, Br0k3r also provides proof of domain administrator privileges, company access level, network size, and the antivirus or endpoint detection and response (EDR) system in use. Once the potential buyer confirms that they have a wallet with available funds, the deal is done.
These access-selling activities broaden the scope of cyber threats from Iran-based actors, the report says. In early 2024, the FBI, CISA, and the Department of Health and Human Services updated their cybersecurity alert on ALPHV (a ransomware gang that is a client of the IAB Br0k3r) to highlight new indicators of compromise specifically targeting the healthcare sector. Despite the FBI’s attempts to disrupt the operations of ransomware groups like ALPHV, these groups continue to pose a significant threat.
IAB Motivation
Espionage, Sabotage, Money.
Target Countries/Industries
USA, Israel, Azerbaijan, Saudi Arabia, South Korea
Industries: Financial Institutions, Aviation, Energy, Education, Government, Healthcare
Attack Vectors
Use of Proxies, Spearphishing, Public-Facing Applications, Social Media Messaging, Malicious Packages (NPM, Pip), Watering Hole, Supply Chain Attacks
Tools & Malware
TOX IDs used by Br0k3r
TOX Id | TOX Public Key |
xplfinder | ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f7c7c69 |
Br0k3r | B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49ADB059C3DCCAA30C |
Jabber/XMPP ID br0k3r[@]xmpp[.]jp
Pay2Key (October 2024)
Two dozen Israeli companies targeted in October 2024: Forensic evidence links the campaign to Fox Kitten. JNS reports that one of them is linked to Israel’s air defense system known as Iron Dome: “Fox Kitten, in the Pay2Key campaign, claimed to have breached the computer system of Elta Systems, a subsidiary of Israel Aerospace Industries (IAI), which developed the radar used in the Iron Dome missile defense system; Fox Kitten/Br0k3r allegedly leaked sensitive data on the dark web.”
“Knock Knock! Tonight is longer than longest night for @ILAerospaceIAI” was tweeted after the 2024 attack.
Tactics, Techniques, and Procedures (TTPs)
Overview of the tactics, techniques, and procedures observed according to the CISA report. Initial intrusions by this Iranian actor rely on the exploitation of external remote services on Internet-exposed resources to gain initial access to victim networks.
As of July 2024, this actor has been observed scanning IP addresses hosting Check Point security gateways for devices potentially vulnerable to CVE-2024-24919. Since April 2024, it has been mass-scanning IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect systems, most likely conducting reconnaissance and discovery of devices vulnerable to CVE-2024-3400. Historically, this group has breached enterprises by exploiting CVE-2019-19781 and CVE-2023-3519, affecting Citrix Netscaler, and CVE-2022-1388, affecting F5 BIG-IP devices.
Reconnaissance, Initial Login, Persistence, and Credential Access
The actor was observed using the Shodan search engine to identify and enumerate IP addresses hosting devices vulnerable to a particular CVE. The actors’ initial access is typically gained by leveraging a publicly exposed network device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPN (CVE-2024-21887), and most recently PanOS (CVE-2024-3400).
After breaching the vulnerable devices, the following techniques are used:
Indicator of Compromise | First observed | Last observed as of August 2024 |
138.68.90[.]19 | January 2024 | August 2024 |
167.99.202[.]130 | January 2024 | August 2024 |
78.141.238[.]182 | July 2024 | August 2024 |
51.16.51[.]81 | January 2024 | August 2024 |
51.20.138[.]134 | February 2024 | August 2024 |
134.209.30[.]220 | March 2024 | August 2024 |
13.53.124[.]246 | February 2024 | August 2024 |
api.gupdate[.]net | September 2022 | August 2024 |
githubapp[.]net | February 2024 | August 2024 |
18.134.0[.]66 | September 2023 | November 2023 |
193.149.190[.]248 | September 2023 | January 2024 |
45.76.65[.]42 | September 2023 | December 2023 |
206.71.148[.]78 | October 2023 | January 2024 |
193.149.187[.]41 | October 2023 | November 2023 |
login.forticloud[.]online | October 2023 | November 2023 |
fortigate.forticloud[.]online | October 2023 | November 2023 |
cloud.sophos[.]one | October 2023 | November 2023 |
FBI and CISA recommend that all organisations implement mitigation measures to improve their cybersecurity posture in light of the activities of this Iranian cyber group. The FBI believes that the group’s objective is primarily to identify devices vulnerable to the cited CVEs; therefore, every organisation should defend against the exploitation of known vulnerabilities through patching policies and the replacement of deprecated or obsolete devices and software, especially those exposed on public IPs.