Fox Kitten’s Hidden Infrastructure & New IOCs Uncovered


Fox Kitten (aka Pioneer Kitten or Parisite) is an Iranian cyber threat group that has been active since at least 2017. This group primarily targets both U.S. and international organizations.

Matt Lembright, the Global Lead of Censys Data/Search, recently uncovered Fox Kitten’s hidden infrastructure and new IOCs.

Fox Kitten’s Hidden Infrastructure

The FBI, CISA, and DC3 issued a joint Cybersecurity Advisory in August 2024 in which they warned of ongoing cyberattacks by “Fox Kitten.”

The advisory listed 17 Indicators of Compromise, comprising 12 IP addresses and 5 domain names. Censys analyzed these IOCs using its global internet perspective.

Consolidated list of IOCs (Source – Censys)

They uncovered distinctive patterns among the hosts, such as shared geolocations (predominantly London, UK), common ASNs (AS14061 and AS16509), and characteristic configurations such as numerous open HTTP ports running specific software (Mirth Connect, Ivanti Connect Secure, Ray Dashboard).

Censys also found strange self-signed “certificates” with seemingly random names like “futureenergy.us” and “next-finance.mil.”

Their analysis revealed potential additional malicious infrastructure that is not mentioned in the original advisory, including 38,862 hosts globally that exhibit similar patterns.

It was also observed that the domain IOCs appeared on some hosts outside the reported timeframes, which clearly suggests previously unknown attack durations. They also identified 64 currently valid certificates containing these domain IOCs.

In addition, analysis of the host and certificate profiles before, during, and after the reported attacks identified several commonalities in Autonomous Systems, geolocations, hosting providers, software, port distributions, and certificate characteristics.

This approach is similar to how World War II soldiers identified Morse code operators’ unique “fists,” allowing defenders to anticipate threat actors’ moves.

Here, Censys utilized parsed fields in their scan dataset to search for IOCs, trends, and patterns mentioned in the CISA Advisory.

To confirm the IOCs with specified timeframes and identify previously unobserved staging or malicious activity periods, they employed historical host profiles.

Link analysis diagram of Indicators of Compromise (IOCs) (Source – Censys)

The link diagram analysis was used to discover similarities across IOCs, hosts, certificates, and various parsed fields.

This methodology enables cybersecurity researchers to leverage public scan datasets to observe how threats establish new infrastructure using previously identified techniques, despite attempts at obfuscation and randomization by the threat actors.
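As an added illustration of the pivot described above (this is not Censys's tooling or code from the article), the following script builds a feature profile from a set of known-bad hosts and ranks other scanned hosts by how many of those attributes they share. The host records are constructed sample data using TEST-NET addresses and a documentation ASN (64496); the ASNs, city, software and certificate names echo the attributes the article reports, and the `Host`, `build_profile`, `score` and `hunt` names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    asn: int
    city: str
    services: frozenset   # (port, software) pairs observed by the scanner
    cert_names: frozenset  # names on the certificate the host presents

def features(host):
    """Flatten a host record into comparable pivot tokens."""
    feats = {f"asn:{host.asn}", f"city:{host.city}"}
    feats |= {f"svc:{port}/{sw}" for port, sw in host.services}
    feats |= {f"cert:{name}" for name in host.cert_names}
    return feats

def build_profile(iocs):
    """Weight each feature by the fraction of known-bad hosts sharing it; a
    certificate name seen on a known-bad host is itself an indicator, so it
    gets full weight regardless of how many hosts presented it."""
    counts = Counter(f for h in iocs for f in features(h))
    return {f: 1.0 if f.startswith("cert:") else n / len(iocs) for f, n in counts.items()}

def score(host, profile):
    """Return (total weight of shared features, sorted list of shared features)."""
    matched = features(host) & set(profile)
    return round(sum(profile[f] for f in matched), 3), sorted(matched)

def hunt(candidates, profile, min_score=1.0):
    """Rank candidate hosts whose overlap with the profile reaches min_score."""
    hits = [(h.ip, *score(h, profile)) for h in candidates]
    return sorted((t for t in hits if t[1] >= min_score), key=lambda t: -t[1])

# Constructed sample data: TEST-NET addresses and ASN 64496, not real indicators.
KNOWN_IOCS = [
    Host("192.0.2.10", 14061, "London", frozenset({(443, "Ivanti Connect Secure"), (8443, "Mirth Connect")}), frozenset({"futureenergy.us"})),
    Host("192.0.2.11", 16509, "London", frozenset({(443, "Ivanti Connect Secure"), (8265, "Ray Dashboard")}), frozenset({"next-finance.mil"})),
    Host("192.0.2.12", 14061, "London", frozenset({(8443, "Mirth Connect")}), frozenset()),
]
CANDIDATES = [
    Host("198.51.100.5", 14061, "London", frozenset({(443, "Ivanti Connect Secure"), (8443, "Mirth Connect")}), frozenset()),
    Host("198.51.100.6", 64496, "Frankfurt", frozenset({(443, "nginx")}), frozenset({"next-finance.mil"})),
    Host("198.51.100.7", 16509, "London", frozenset({(8265, "Ray Dashboard")}), frozenset()),
    Host("198.51.100.8", 64496, "Tokyo", frozenset({(80, "Apache httpd")}), frozenset({"example-corp.test"})),
]

if __name__ == "__main__":
    for ip, total, shared in hunt(CANDIDATES, build_profile(KNOWN_IOCS)):
        print(f"{ip}  score={total}  shared={shared}")
```

The Frankfurt host shares nothing but a certificate name with the known-bad set, yet still surfaces, because a reused certificate is treated as a direct indicator rather than a circumstantial overlap.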
