Cyberthreats

Min read

Tracking APT35 (Charming Kitten) Activities in Albania

Published on

Nov 4, 2024

Introduction

From October 25 to October 27, we observed malicious activities from a Threat Actor targeting Albania through our Threat Intelligence Platform, Sphere. Our investigation extended to other regions to check for similar indicators but found no related activity in other countries, confirmed through various intelligence tools.

‍Activity Overview

Sphere is a comprehensive threat intelligence platform with modules dedicated to Threat Intelligence and Identity Management. The following graph highlights the activities detected from this Threat Actor in 2024, pinpointing that this actor was especially active between October 25 and 27. The actor was found exploiting multiple vulnerabilities, demonstrating a relatively noisy operational style during this timeframe.

‍

Exploited Vulnerabilities

During this period, the threat actor exploited a range of known vulnerabilities, including:

CVE-2024-1561 - Local File Inclusion in Gradio (open-source Python package for building ML web apps)
CVE-2024-5975 - SQL Injection in CZ Loan Management WordPress plugin
CVE-2024-4577 - OS Command Injection in PHP-CGI
CVE-2014-2383 - Information Disclosure in DomPDF (HTML to PDF converter)
CVE-2017-5638 - Remote Code Execution in Apache Struts
CVE-2018-3238 - Unauthorized Access to Oracle WebCenter Sites
CVE-2021-26084 - OGNL Injection in Confluence Server and Data Center
CVE-2020-9483 - SQL Injection in Apache Skywalking
CVE-2017-9841 - Code Injection in PHPunit
CVE-2021-34473 - Proxy Shell, Remote Code Execution in Microsoft Exchange Server
CVE-2022-1388 - Missing Authentication in F5 BIG-IP

Command & Control (C2) Server

Further investigation on our platform revealed that the IP address used by the attacker was linked to a Command & Control (C2) server traced back to August 2024. The actor employed the Mythic C2 framework, a red-teaming platform built in Golang and equipped for post-exploitation tasks, aligning with several of the vulnerabilities exploited.

Other Activities

Our continued monitoring identified additional suspicious activities, including:

1. A phishing/spear-phishing campaign themed around discounted travel, aiming to lure users into downloading a malicious archive file. While no password was included on the website, it’s likely this would be distributed via email.

2. A campaign likely designed to harvest credentials from Cisco ASA WebVPN users.

Attribution

Initially, the observed tactics, techniques, and procedures (TTPs) did not strongly align with known threat actors. However, extensive reconnaissance, including domain registration checks associated with the attacker’s IP, linked this activity to APT35 (Charming Kitten). This group, recognized for its opportunistic yet persistent attacks, has been involved in cyber operations largely associated with Iranian interests.

Background on APT35 (Charming Kitten)

APT35, also known as Charming Kitten or Phosphorus, is an Iranian government-sponsored group recognized for cyber-warfare operations. Although their tactics may appear unsophisticated, APT35 is known for persistence, especially in targeting government entities and critical infrastructure in regions such as the Middle East and Europe. Albania has previously been a target of similar attacks, indicating strategic intentions that go beyond simple data theft.

Iranian-linked cyber operations, including those by APT35, often combine espionage with influence tactics. These operations typically focus on:

- Disrupting governmental and infrastructure sectors to create instability.
- Conducting information operations, leveraging compromised sites to spread disinformation.
- Exploiting common CMS vulnerabilities to gain initial access.

These tactics underscore the need for enhanced cyber defense mechanisms to counteract persistent threats from nation-state actors. Albania, in particular, remains a key focus for such Iranian cyber-warfare activities.

‍

IoC

85[.]114[.]138[.]96

168[.]100[.]8[.]190

168[.]100[.]10[.]216

proxy[.]0pzmon0zog[.]xyz

de6f366c120d2aabeacfb66e01e7eba68a5b094672a4412dbe9fd5259c093b83

Other Articles

Exploring Leading Vendors’ Hardened OS in Firewalls

Research

Where Firewalls Run

Firewalls are essential security devices that protect networks from unauthorized access and malicious activities. These critical components operate on specialized operating systems (OS) designed to provide robust protection and optimize performance. In this article, we will delve into the world of firewalls and examine the hardened OS employed by some of the industry’s leading vendors. From well-established companies to innovative newcomers, let’s explore where firewalls run and the key characteristics of these operating systems.

What is sandboxing in cybersecurity?

A sandbox is a malware detection system that runs a suspected item in a virtual machine (VM) with a full-featured operating system and analyzes the object’s behavior to detect harmful activity.

Sphere's Proactive Detection Shields Against CVE-2023-20198 Exploitation

Sphere's proprietary threat intelligence tool has detected active exploitation of CVE-2023-20198, highlighting its critical role in cybersecurity vigilance. This detection, alongside advisories from Cisco Talos, underscores the urgent need for users to apply recommended patches and enhance network monitoring to protect against sophisticated cyber threats.

Cybersecurity Awareness

Supply Chain Attacks And Their Importance

Supply chain attacks are a type of cyber attack where an attacker targets a company’s supply chain in order to gain unauthorized access to their systems or data. This involves compromising a third-party vendor or supplier that has access to the target company’s systems or data.