
Iranian-linked APT35 leverages PowerShell on attempted Log4j exploits

The Iranian flag is seen in front of the building of the International Atomic Energy Agency (IAEA) Headquarters on May 24, 2021, in Vienna, Austria. (Photo by Michael Gruber/Getty Images)

Check Point researchers on Monday offered details on how APT35, a suspected Iranian nation-state threat actor, used a PowerShell-based framework dubbed “CharmPower” in attempted exploits of the Log4j vulnerability.

In a Jan. 11 blog post, the researchers said APT35, also known as “Charming Kitten,” “TA453,” and “Phosphorus,” made its first attempts to exploit Log4j just four days after the vulnerability was disclosed.

The researchers said APT35’s attack setup was “obviously rushed”: the group used a basic open-source tool for the exploitation and reused previous infrastructure for its operations, which made the attack easier for Check Point to detect and attribute. Check Point said the attackers chose one of the publicly available open-source JNDI exploit kits, which has since been removed from GitHub following the Log4j disclosure.

Check Point’s new Log4j research on APT35’s attempted exploitations was released one day after the Cybersecurity and Infrastructure Security Agency (CISA) made a clear public statement that Log4j has not yet resulted in any “significant intrusions.”

As for ongoing threat research by vendors, Eric Goldstein, executive director of CISA, explained during Monday’s press conference in Washington how CISA viewed the work of the security researchers:

“We work extremely closely with the cybersecurity community, including through the Joint Cyber Defense Collaborative, to understand the analysis that they are putting forth,” Goldstein said. “Certainly as we gain more information suggesting possible nation-state attribution of any intrusion, we will work through that and share it at the appropriate time.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, added that the research identified that Charming Kitten used a publicly available JNDI exploit kit that had been published on GitHub but has since been removed. Morgan said this may add fuel to the debate over GitHub’s policy on proof-of-concept (PoC) exploit kits and malware samples hosted on its service. GitHub changed its policy in June 2021 to permit the removal of such items to reduce the risk of the exploits being used in live attacks.

“This decision originally was related to the removal of a PoC raised by a security researcher for the ProxyLogon Microsoft Exchange vulnerabilities, and was widely criticized by many in the security community,” Morgan explained. “With Charming Kitten serving as a live example of how a public exploit can fall into the wrong hands quickly, the research’s findings may prove to be a justification of why the change in policy by GitHub was a correct decision.”
