China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.
Tracked as CVE-2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.
As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.
In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13.
The attackers performed connectivity checks via DNS lookups for a subdomain running on the VMware Horizon instance, under the Apache Tomcat service (other threat actors have also been observed using public DNS logging services to identify vulnerable servers).
Next, Aquatic Panda executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, including some aimed at deploying attacker tools hosted on remote infrastructure.
The attackers performed reconnaissance from the host, seeking to better understand privilege levels and domain details, and also attempted to stop a third-party endpoint detection and response solution.
After deploying additional scripts, the hackers attempted to execute PowerShell commands to retrieve malware and three VBS files believed to constitute a reverse shell.
Aquatic Panda also made several attempts at credential harvesting by performing memory dumps and preparing them for exfiltration by compressing them.
The target organization was alerted to the suspicious activity immediately after detection and was able to quickly implement its incident response protocol, patch the vulnerable software, and prevent further malicious activity.
Active since at least May 2020 and engaging in intelligence collection and industrial espionage, Aquatic Panda has been observed targeting organizations in the government, telecommunications, and technology sectors. The group’s toolset includes Cobalt Strike, the FishMaster downloader, and njRAT, among others.