CrowdStrike, a cybersecurity firm, identified an attempt by a China-based group to break into an academic institution using the Log4j vulnerability. The group is called “Aquatic Panda,” and it is described as an “intrusion adversary with a dual mission of intelligence collection and industrial espionage.” It has been active since at least May 2020.
The group’s actual objectives in this case are unknown because the intrusion was stopped. According to CrowdStrike, Aquatic Panda is known to maintain persistence in victim environments in order to obtain access to intellectual property and other industrial trade secrets.
“Aquatic Panda operations have primarily focused on entities in the telecommunications, technology, and government sectors,” CrowdStrike explained in a report.
CrowdStrike further stated that its platform uncovered “suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion.”
After observing the activity and analysing the available telemetry, CrowdStrike assesses that a modified version of the public Log4j exploit was likely used during the threat actor’s operations. According to the CrowdStrike team, Aquatic Panda recently used a public GitHub project to gain access to the vulnerable VMware Horizon instance.
The company explained that Aquatic Panda then continued reconnaissance from the compromised host, using native OS binaries to enumerate its current privilege level as well as system and domain information. OverWatch threat hunters also observed the actor discovering a third-party Endpoint Detection and Response (EDR) service and shutting it down.
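The behaviour described above (native OS discovery binaries and a service stop launched from the Tomcat/JVM process that hosts Horizon) is exactly what endpoint telemetry can flag. The following detection logic is an added example, not CrowdStrike's or this article's code; the event format, the Horizon install path and the service name are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed process-creation events (not real telemetry). Each line holds:
# parent image | parent command line | child image | child command line.
# The Horizon install path and "ExampleEdrSvc" are assumptions for this example.
SAMPLE_EVENTS = """\
C:\\Horizon\\tomcat\\bin\\java.exe|java -Dcatalina.home=C:\\Horizon\\tomcat|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
C:\\Horizon\\tomcat\\bin\\java.exe|java -Dcatalina.home=C:\\Horizon\\tomcat|C:\\Windows\\System32\\net.exe|net user /domain
C:\\Horizon\\tomcat\\bin\\java.exe|java -Dcatalina.home=C:\\Horizon\\tomcat|C:\\Windows\\System32\\sc.exe|sc stop ExampleEdrSvc
C:\\Windows\\explorer.exe|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
C:\\Horizon\\tomcat\\bin\\java.exe|java -Dcatalina.home=C:\\Horizon\\tomcat|C:\\Horizon\\tomcat\\bin\\java.exe|java -version
"""

# Native binaries typically used for privilege, host and domain discovery.
DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe",
                      "nltest.exe", "ipconfig.exe", "hostname.exe", "cmd.exe",
                      "powershell.exe"}
# Command lines that stop or kill a service (tampering with security tooling).
TAMPER_PATTERN = re.compile(
    r"\b(sc(?:\.exe)?\s+stop|net1?(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.I)
# The Tomcat/JVM process serving Horizon should not normally spawn OS utilities.
WEB_PARENT = re.compile(r"(tomcat|horizon)", re.I)


def detect(events: str) -> List[Dict[str, str]]:
    """Return one alert per child process of the Horizon web tier that is a
    discovery binary or a service stop/kill command."""
    alerts: List[Dict[str, str]] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        parent_img, parent_cmd, child_img, child_cmd = line.split("|", 3)
        if not (WEB_PARENT.search(parent_img) or WEB_PARENT.search(parent_cmd)):
            continue  # only children of the web/JVM process are of interest
        child = PureWindowsPath(child_img).name.lower()
        reasons = []
        if child in DISCOVERY_BINARIES:
            reasons.append("discovery binary spawned by web/JVM process")
        if TAMPER_PATTERN.search(child_cmd):
            reasons.append("service stop/kill from web/JVM process")
        if reasons:
            alerts.append({"child": child, "cmdline": child_cmd,
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT {alert['child']}: {alert['reason']} -> {alert['cmdline']}")
```

The benign explorer.exe event and the JVM spawning itself produce no alert; the three events that match the Aquatic Panda pattern do.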
Officials from CrowdStrike noted that the Log4j vulnerability is being used by various threat actors both inside and outside of China, ranging from sophisticated state-backed actors to eCrime players.
In response to “active, worldwide exploitation by multiple threat actors, including malicious cyber threat actors,” the US, UK, Australia, and other governments issued a Log4j advisory last week. Several groups from North Korea, Iran, Turkey, and China, as well as numerous ransomware and cybercriminal organizations, have been observed exploiting the flaw. According to CISA Director Jen Easterly, the Log4j vulnerabilities pose a severe and ongoing risk to enterprises and governments around the world.