The news broke that recently Iranian state-sponsored hacker group detected which are actively exploiting the vulnerabilities in apachelog4j to distribute a new modular PowerShell toolset.
Detailed by researchers at Check Point Software Technologies, The APT35 hacker group, also known as Phosphorous and Charming Kitten, was first detected exploiting Log4j just four days after the first vulnerability was disclosed.
The attack setup described as rushed since the group used only a basic open source JNDI exploit kit.
Having gained access to a vulnerable service, users Iranian hackers included a new modular framework based on PowerShelwhich was called "Charm Power". The script is used to establish persistence, collect information, and execute commands.
CharmPower has four main initial modules:
- The first validates a network connection
- The second collects basic system information, such as the version of Windows, the name of the computer, and the content of various system files.
- The third module decodes the command and control domain retrieved from an encoded URL stored in an Amazon Web Services Inc S3 bucket.
- While the trailing module receives, decrypts and executes the tracking modules.
According to the information collected by initial implementation, APT35 then implement additional custom modules to facilitate data theft and hide their presence on the infected machine.
APT35 is a well-known hacker group that was linked to attacks in 2020 against the Trump campaign, current and former US government officials, journalists covering world politics, and prominent Iranians living outside Iran. The group also targeted the Munich Security Conference that same year.
“The investigation linking the Log4Shell exploit to the Iranian Charming Kitten APT coincides with, and somewhat conflicts with, a statement made by the US Cybersecurity Infrastructure and Security Agency on January 10 that suggested that there had been no significant intrusions related to the bug at that time.”
“This likely underscores the current issues with incident disclosure and transparency, and the lag that can exist between threat actor activity and discovery.
John Bambenek, chief threat hunter at information technology services management company Netenrich Inc., said it's not surprising that second-tier nation-state actors seize the opportunity presented by the log4j vulnerability in a rush.
“Any feat of this severity would be exploited by anyone looking for a quick foothold, and sometimes tactical windows like this open up, which means you have to act fast,” Bambenek said. "The bigger question is which intelligence agency was using this before the vulnerability was made public."
The Log4j flaw, which is also known as Log4Shell and is tracked as CVE-2021-44228, is a major threat due to the wide enterprise use of Log4j and the plethora of servers and cloud-based services that could be exposed zeroday type vulnerabilities. Log4j, a free and widely distributed open source tool from the Apache Software Foundation, is a logging tool and the flaw affects version 2.0 through 2.14.1.
security professionals have said that the threat posed by Log4Shell is so high not only because of the scope of the use of the tool, but also because of the ease with which it can be exploited the vulnerability. Threat actors only need to submit a string containing the malicious code, which Log4j parses and logs and uploads to a server. Hackers can then gain control of the
News that Iranian hackers were exploiting Log4j vulnerabilities came as the U.S. Cyber Command's National Cyber Mission Force revealed that it had identified several open source tools that Iranian intelligence agents are using on hacking networks. everyone.
The disclosure relates to an Iranian state-sponsored hacker group dubbed “MuddyWater.”
The group has been linked to Iran's Ministry of Intelligence and Security and primarily targets other nations in the Middle East and occasionally countries in Europe and North America.
If you want to know more about it, you can check the details In the following link.