The cybersecurity company Crowdstrike has discovered an intrusion attempt against an academic institution by a China-based group exploiting the Log4J vulnerability.
Crowdstrike dubbed the group “Aquatic Panda” and said it is a “group with a dual mission of intelligence gathering and industrial espionage” that has been operating since at least May 2020.
The group's exact objective in this attack is unknown because the intrusion was stopped, but Crowdstrike said that Aquatic Panda is known to use tools that allow it to persist in environments in order to gain access to intellectual property and other industrial trade secrets.
“Aquatic Panda’s operations have been primarily focused on entities in the telecommunications, technology and government sectors. Aquatic Panda relies heavily on Cobalt Strike, and its set of tools includes a unique and well-known Cobalt Strike loader known as FishMaster. Aquatic Panda has also been observed delivering njRAT malware to targets,” the company said in a report.
According to Crowdstrike, its team discovered “suspicious activity originating from a Tomcat process running on a vulnerable VMWare Horizon instance at a large academic institution, resulting in the termination of an active intrusion.”
Log4Shell added to the toolkit
After observing the group and reviewing the telemetry data, CrowdStrike believes that a modified version of the Log4j exploit was likely used during the malicious group’s operations.
The Crowdstrike team discovered that the group used a public GitHub project dated December 13, 2021 to access the vulnerable VMWare Horizon instance.
“Aquatic Panda continued its reconnaissance from the host, using native operating system binaries to understand current privilege levels, as well as system and domain details. OverWatch analysts also observed an attempt to discover and stop a third-party Endpoint Detection and Response (EDR) service. OverWatch continued to track the threat actor’s malicious behavior as it downloaded additional scripts and then ran a Base64-encoded command through PowerShell to retrieve malware from its toolkit,” the company explains.
“During the intrusion, OverWatch closely monitored the attacker’s activity to provide continuous updates to the victim’s organization. Based on actionable intelligence provided by OverWatch, the victim’s organization was able to quickly implement its incident response protocol, which eventually led to patching the vulnerable application and prevented further activity by the attacker on the host.”
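As an added illustration (not code from the article or from CrowdStrike), the following script runs a simple triage over constructed process-creation events and flags the two behaviours described above: a shell spawned under the Horizon Tomcat process, and a Base64-encoded PowerShell command, which it decodes for the analyst. The parent process name ws_TomcatService.exe and the event format are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (parent -> child); not real telemetry.
# The Horizon Tomcat service name is assumed; adjust to your environment.
SAMPLE_EVENTS = [
    {"parent": "ws_TomcatService.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami && net group \"domain admins\" /domain"},
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " +
                base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Parents under which an interactive shell is unexpected on a Horizon server (assumed names).
TOMCAT_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; capture the Base64 argument.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-16LE text


def triage(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event["parent"].lower() in TOMCAT_PARENTS and event["image"].lower() in SHELLS:
        reasons.append("shell spawned by Tomcat/Java parent")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append(f"encoded PowerShell: {decoded!r}")
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every event that triggered at least one rule."""
    return [(e["cmdline"], triage(e)) for e in events if triage(e)]
```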
Crowdstrike officials said that they see different groups inside and outside of China taking advantage of the Log4J vulnerability, with adversaries ranging from advanced cyber espionage groups to more mainstream cybercrime groups.
“Ultimately, the viability of this exploit is well proven, with a substantial attack surface still present. We will continue to see actors use this vulnerability until all recommended mitigation measures are in place,” they said in an interview.
Vulnerabilities not to be taken lightly
Last week, the US, UK, Australia and other countries published an advisory on Log4J in response to “active and global exploitation by numerous malicious actors.”
Numerous groups in North Korea, Iran, Turkey, and China have been seen exploiting the vulnerability with a number of ransomware.
According to Jen Easterly, director of the US cybersecurity agency, vulnerabilities in Log4j pose a serious and constant threat to organizations and governments around the world.
“We urge all entities to take immediate steps to implement the latest guidelines to protect their networks,” Easterly said. “These vulnerabilities are the most serious I have seen in my career and it is imperative that we work together to keep our networks secure.”