Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs
A joint Cybersecurity Advisory (CSA) issued by the FBI, CISA, and DC3 in August 2024 warned that an Iran-based cyber actor group known as "Fox Kitten" continues to exploit organizations in the U.S. and abroad. The advisory included a list of 17 Indicators of Compromise (IOCs) but advised against blocking them solely on the basis of their inclusion in the CSA. Censys, an internet intelligence platform, analyzed these IOCs to help defenders investigate and vet them.

Censys found host patterns that recur over time and used them to identify currently active hosts and certificates that may belong to the same infrastructure Fox Kitten could use in future attacks. These patterns included an unusually high number of open services/ports, specific software fingerprints, and certificates whose names mimic legitimate organizations. Censys also found that some host profiles appeared similar or identical outside the timeframes listed in the CSA, suggesting possible unreported activity. In addition, Censys observed domain IOCs on currently active IPs not mentioned in the advisory and found 64 valid, self-signed certificates carrying domain IOCs that could be deployed on active or future hosts.

The analysis concluded that despite attempts at obfuscation, patterns emerge that can help defenders stay ahead of threat actors. Censys recommends that defenders combine IOCs with the known periods of malicious activity to study host and certificate profiles, identify linkages and patterns, and use them for dynamic threat hunting.

Malware: ANTAK, BLUEBEAM, CHINACHOP, CHUNKYTUNA, HEATGUN, JFFSHELL, KeeThief, Ligolo, PASSCAT, QUICKHOARD, REDUH, RemCom, SPACEWEB, WMIEXEC

CVEs: CVE-2024-3400, CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-24919, CVE-2024-21887

[View Article](https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/)
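The hunting approach described above (derive a profile from confirmed IOC hosts, then score currently active hosts on open-port count, software fingerprint, lookalike certificate names and reuse of domain IOCs) can be sketched as follows. This is an added illustration, not Censys' code or data: the host records, IP addresses, brand names (`contoso`, `fabrikam`) and domain IOC are all constructed placeholders, and the scoring weights are an assumption chosen for clarity.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    """One scanned host, reduced to the fields the profile uses."""
    ip: str
    ports: FrozenSet[int]
    fingerprint: str   # e.g. an HTTP server banner or product fingerprint
    cert_cn: str       # subject common name of the served TLS certificate


# Hypothetical brands and their genuine registrable domains (placeholders, not
# organisations named in the advisory). A certificate name that contains the
# brand token but is not under the genuine domain is treated as a lookalike.
LEGIT_DOMAINS: Dict[str, str] = {"contoso": "contoso.com", "fabrikam": "fabrikam.com"}


def lookalike_brand(cn: str, legit: Dict[str, str] = LEGIT_DOMAINS) -> Optional[str]:
    """Return the brand a certificate CN imitates, or None if it is genuine/unrelated."""
    name = cn.lower().lstrip("*.")  # normalise wildcard certificates
    for brand, domain in legit.items():
        if brand in name and name != domain and not name.endswith("." + domain):
            return brand
    return None


@dataclass(frozen=True)
class Profile:
    """What the confirmed IOC hosts have in common."""
    min_ports: int
    fingerprints: FrozenSet[str]
    domain_iocs: FrozenSet[str]


def build_profile(ioc_hosts: List[Host], domain_iocs: List[str]) -> Profile:
    """Derive a profile from hosts already confirmed as attacker infrastructure."""
    return Profile(
        min_ports=min(len(h.ports) for h in ioc_hosts),
        fingerprints=frozenset(h.fingerprint for h in ioc_hosts),
        domain_iocs=frozenset(d.lower() for d in domain_iocs),
    )


def score_host(host: Host, profile: Profile) -> Tuple[int, List[str]]:
    """Score one candidate host against the profile; one point per matching signal."""
    reasons: List[str] = []
    if len(host.ports) >= profile.min_ports:
        reasons.append(f"{len(host.ports)} open ports (profile minimum {profile.min_ports})")
    if host.fingerprint in profile.fingerprints:
        reasons.append(f"fingerprint seen on IOC hosts: {host.fingerprint}")
    brand = lookalike_brand(host.cert_cn)
    if brand:
        reasons.append(f"certificate CN imitates {brand}: {host.cert_cn}")
    if host.cert_cn.lower() in profile.domain_iocs:
        reasons.append(f"certificate CN is a known domain IOC: {host.cert_cn}")
    return len(reasons), reasons


def hunt(candidates: List[Host], profile: Profile, threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (ip, score, reasons) for candidates at or above the threshold, strongest first."""
    hits = []
    for h in candidates:
        score, reasons = score_host(h, profile)
        if score >= threshold:
            hits.append((h.ip, score, reasons))
    hits.sort(key=lambda t: (-t[1], t[0]))
    return hits


# Constructed sample data (documentation IP ranges, placeholder names); none of
# these values are IOCs from the advisory.
IOC_HOSTS = [
    Host("192.0.2.10", frozenset({22, 80, 443, 8080, 8443, 10443}), "nginx/1.18.0", "vpn-contoso-login.example"),
    Host("192.0.2.11", frozenset({22, 443, 3389, 8443, 10443}), "nginx/1.18.0", "fabrikam-portal.example"),
]
DOMAIN_IOCS = ["update-service.example"]

CANDIDATES = [
    Host("198.51.100.5", frozenset({22, 443, 8080, 8443, 10443}), "nginx/1.18.0", "contoso-sso.example"),  # many ports + fingerprint + lookalike
    Host("198.51.100.6", frozenset({443}), "Apache/2.4.57", "www.contoso.com"),                              # genuine brand host, no signals
    Host("198.51.100.7", frozenset({22, 443, 8443, 9000, 10443}), "Caddy", "update-service.example"),     # many ports + domain IOC reuse
    Host("198.51.100.8", frozenset({80, 443}), "nginx/1.18.0", "shop.example"),                             # fingerprint only, below threshold
]

if __name__ == "__main__":
    profile = build_profile(IOC_HOSTS, DOMAIN_IOCS)
    for ip, score, reasons in hunt(CANDIDATES, profile):
        print(ip, score, "; ".join(reasons))
```

The threshold of two independent signals is the point the advisory's "don't block on inclusion alone" caveat makes: a single match (a common nginx banner, or a port count) is weak on its own, while a lookalike certificate name combined with the same port profile or a reused domain IOC is worth an analyst's attention. In practice the candidate list would come from a scan platform query and the scoring would feed a review queue rather than a blocklist.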