China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.
Tracked as CVE 2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.
As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.
In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13.
[ READ: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw ]
The attackers performed connectivity checks via DNS lookups for a subdomain running on the VMware Horizon instance, under the Apache Tomcat service (other threat actors too have been observed using public DNS logging services to identify vulnerable servers).
Next, Aquatic Panda executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, including some aimed at deploying attacker tools hosted on remote infrastructure.
The attackers performed reconnaissance from the host, seeking to better understand privilege levels and domain details, and also attempted to stop a third-party endpoint detection and response solution.
After deploying additional scripts, the hackers attempted to execute PowerShell commands to retrieve malware and three VBS files believed to constitute a reverse shell.
Aquatic Panda also made several attempts at credential harvesting by performing memory dumps and preparing them for exfiltration by compressing them.
The target organization was alerted to the suspicious activity immediately after detection and was able to quickly implement their incident response protocol, to patch the vulnerable software and prevent further malicious activity.
Active since at least May 2020 and engaging in intelligence collection and industrial espionage, Aquatic Panda has been observed targeting organizations in the government, telecommunications, and technology sectors. The group’s toolset includes Cobalt Strike, the FishMaster downloader, and njRAT, among others.
Related: NVIDIA, HPE Products Affected by Log4j Vulnerabilities
Related: Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report