Security News > 2021 > December > Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution
A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.
Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed "Large academic institution." The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors.
The attempted intrusion exploited the newly discovered Log4Shell flaw to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.
"A modified version of the Log4j exploit was likely used during the course of the threat actor's operations," the researchers noted, adding it involved the use of an exploit that was published in GitHub on December 13, 2021.
Aquatic Panda's malicious behavior went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.
After the victim organization was alerted to the incident, the entity "Was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host." In light of the attack's successful disruption, the exact intent remains unknown.
News URL
https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html
Related news
- Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Hackers exploit Four-Faith router flaw to open reverse shells (source)
- Chinese hackers targeted sanctions office in Treasury attack (source)
- US sanctions Chinese company linked to Flax Typhoon hackers (source)
- Chinese hackers also breached Charter and Windstream networks (source)
- Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens (source)
- US Treasury hack linked to Silk Typhoon Chinese state hackers (source)
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)