UPDATED 21:16 EDT / JANUARY 12 2022


Iranian state-sponsored hacking group exploiting Apache Log4j vulnerabilities

An Iranian state-sponsored hacking group has been found to be actively exploiting vulnerabilities in Apache Log4j to distribute a new modular PowerShell toolkit for nefarious purposes.

Detailed Tuesday by researchers at Check Point Software Technologies Ltd., the APT35 hacking group, also known as Phosphorous and Charming Kitten, was first detected exploiting Log4j only four days after the first vulnerability was disclosed. The attack setup is described as being rushed, since the group used only a basic open-source JNDI exploit kit.

Having gained access to a vulnerable service, the Iranian hackers then included a new modular PowerShell-based framework that has been dubbed “CharmPower.” The script is used to establish persistence, gather information and execute commands.

CharmPower has four main initial modules. The first validates a network connection and the second gathers basic system information such as Windows version, computer name and the content of various system files. The third module decodes the command and control domain retrieved from a hardcoded URL stored on an Amazon Web Services Inc. S3 bucket, while the final module receives, decrypts and executes follow-up modules.

Depending on the information gathered by the initial deployment, APT35 then deploys additional custom modules to facilitate data theft and hide its presence on the infected machine.

APT35 is a well-known hacking group that most famously was linked to attacks in 2020 targeting the Trump campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran. The group also targeted the Munich Security Conference later the same year.

“The research tying Log4Shell exploitation to Iranian APT Charming Kitten coincides, and somewhat conflicts, with a statement made by the US Cybersecurity Infrastructure and Security Agency on Jan. 10 which suggested there had been no significant intrusions tied to the bug at that time,” Chris Morgan, senior cyber threat Intelligence analyst at digital risk solutions provider Digital Shadows Ltd., told SiliconANGLE. “This likely emphasizes ongoing issues with incident disclosure and transparency, and the lag that can exist between threat actor activity and discovery.

John Bambenek, principal threat hunter at information technology service management company Netenrich Inc., said it’s not surprising that second-tier nation-state actors would leverage the opportunity presented by the log4j vulnerability in a rushed fashion.

“Any exploit of this severity would be latched upon by anyone looking to get a quick foothold and sometimes tactical windows open like this which means that you have to act quickly,” Bambenek said. “The bigger question is which intelligence agency was using this before the vulnerability was made public?”

The news that Iranian hackers were exploiting the Log4j vulnerabilities came as U.S. Cyber Command’s Cyber National Mission Force disclosed that it had identified multiple open-source tools that Iranian intelligence actors are using in networks around the world.

The disclosure related to an Iranian state-sponsored hacking group dubbed “MuddyWater.” The group has been linked to Iran’s Ministry of Intelligence and Security and primarily targets other nations in the Middle East and, on occasion, countries in Europe and North America.

Photo: Blondinrikard Fröberg/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy