Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new IOCs, and actionable recommendations to protect your organization from Fox Kitten attacks.
Censys, a threat hunting and attack surface management platform has released new details regarding the infrastructure of the Iranian cyberespionage group called Fox Kitten using data from a joint Cybersecurity Advisory (CSA) by the FBI, CISA, and DC3. Censys identified a significant number of additional hosts that likely belong to the Fox Kitten infrastructure, expanding the scope of the threat.
In its report, shared with Hackread.com ahead of its publication on Wednesday, Censys illuminated the unique patterns and potentially new indicators of compromise used by Fox Kitten, which is known for targeting organizations worldwide.
Using these patterns, Censys could find previously undiscovered active hosts that boasted matching patterns and Autonomous Systems (ASs) such as Hosts D, E, and G, which could be part of the same infrastructure and may be used in future attacks. Matching domain IOCs were used to identify Host G, and matching ASs were used to identify Hosts J & C.
The data was analyzed using techniques like Host Profiling, Pattern Recognition, Link Analysis, and Historical Analysis. Host profiling involves analyzing individual hosts’ characteristics, pattern recognition identifies recurring patterns, link analysis examines relationships between infrastructure elements, and historical analysis compares current data with historical records to identify trends.
Further probing revealed that the attackers used various techniques to obfuscate their infrastructure, such as using dynamic IP addresses, distributing infrastructure across multiple Autonomous Systems (ASNs), and using misleading certificate names to disguise malicious activity.
Censys found two domain IOCs (api.gupdate.net and githubapp.net) on active IPs not listed in the CSA. Some domain IOCs were found on Fox Kitten IPs before or after the CSA timeframe. All domain IOCs were found in 64 valid certificates, requiring further monitoring.
Further research revealed commonalities such as geolocation in London, Stockholm, Frankfurt, Tel Aviv, and Los Angeles, shared Autonomous Systems (AS) numbers, unique patterns in Hosts D, E, and G, timeframe discrepancies on some hosts outside the CSA timeframe, and 38,862 additional potentially malicious hosts with similar characteristics. These findings suggest a honeypot-like design and a potential connection between the hosts.
By delving deeper into the Fox Kitten infrastructure, Censys has provided valuable insights into the group’s operations and tactics. These patterns and commonalities can be used to identify other active hosts and certificates that may be part of the same Fox Kitten infrastructure.
Defenders can use IOCs and known periods of nefarious activity to study host and certificate profiles before, during, and after reported attacks, conduct dynamic searches across public scan datasets like Censys to observe how threats may set up new infrastructure, and stay ahead of threat actors.
RELATED TOPICS
- Iranian State Hackers Partner Up for Large-Scale Attacks, Report
- Iran’s MuddyWater Hits Saudis and Israelis with BugSleep Backdoor
- Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
- Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector
- Iran’s Mint Sandstorm APT Hits Universities with Hamas-Israel Phishing