Specialists of information security company CrowdStrike warn: the Chinese cyber-espionage hack group Aquatic Panda uses the Log4Shell vulnerabilities, with the help of which a large educational institution was compromised.
Let me remind you that the CVE-2021-44228 vulnerability, also called Log4Shell and LogJam, was discovered in the popular Log4j logging library in early December.
The researchers report that Aquatic Panda uses a modified version of the exploit for a bug in Log4j to gain initial access to the target system, and then performs various post-exploitation activities, including exploration and credential collection.
In an attempt to compromise an unnamed educational institution, the hackers targeted VMware Horizon, which used the vulnerable Log4j library. The exploit used in this attack was published on GitHub on December 13, 2021.
The attackers also conducted reconnaissance efforts to better understand privilege levels and learn more about the domain, and also attempted to interrupt a third-party endpoint threat detection and response solution.
After deploying additional scripts, the hackers tried to run PowerShell commands to extract the malware and three VBS files, which appeared to be reverse shells. In addition, Aquatic Panda made several attempts to collect credentials by performing memory dumps and preparing them for theft.
Experts write that the attacked organization was timely warned of suspicious activity and was able to quickly use the incident response protocol, fixing vulnerable software and preventing further development of malicious activity.
The Aquatic Panda group has been active since at least May 2020 and typically engages in intelligence gathering and industrial espionage, targeting organizations in the government, telecommunications and technology sectors. The group’s toolbox includes Cobalt Strike, FishMaster downloader, and njRAT.
Let me also remind you that I wrote that Log4j vulnerability threatens 35,000 Java packages, as well as that Another vulnerability found in Log4j, this time it is a denial of service.