APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools

  • Researchers from CrowdStrike disrupted an attempt by the threat group to steal industrial intelligence and military secrets from an academic institution.

    Cyber criminals, under the moniker Aquatic Panda, are the latest advanced persistent threat group (APT) to exploit the Log4Shell vulnerability.

    Researchers from CrowdStrike Falcon OverWatch recently disrupted the threat actors using Log4Shell exploit tools on a vulnerable VMware installation during an attack that involved of a large undisclosed academic institution, according to research released Wednesday.

    “Aquatic Panda is a China-based [APT] with a dual mission of intelligence collection and industrial espionage,” wrote Benjamin Wiley, the author of the CrowdStrike report.

    Wiley said researchers uncovered the suspicious activity tied to the target’s infrastructure. “This led OverWatch to hunt for unusual child processes associated with the VMware Horizon Tomcat web server service during routine operations,” he wrote.

    OverWatch quickly notified the organization of the activity so the target could “begin their incident response protocol,” researchers said.

    CrowdStrike, among other security firms, has been monitoring for suspicious activity around a vulnerability tracked as CVE-2021-44228 and colloquially known as Log4Shell that was found in the Apache Log4j logging library in early December and immediately set upon by attackers.

    Ever-Widening Attack Surface

    Due to its ubiquitous use, many common infrastructure products from Microsoft, Apple, Twitter, CloudFlare and others are vulnerable to Log4Shell attacks. Recently, VMware also issued guidance that some components of its Horizon service are vulnerable to Log4j exploits, leading OverWatch to add the VMware Horizon Tomcat web server service to their processes-to-watch list, researchers said.

    The Falcon OverWatch team noticed the Aquatic Panda intrusion when the threat actor performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance, they wrote in the post.

    “The threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat-actor tooling hosted on remote infrastructure,” researchers wrote.

    The commands were executed on a Windows host under the Apache Tomcat service, researchers said. They triaged the initial activity and immediately sent a critical detection to the victim organization, later sharing additional details directly with their security team, they said.

    Eventually, researchers assessed that a modified version of the Log4j exploit was likely used during the course of the threat actor’s operations, and that the infrastructure used in the attack is linked to Aquatic Panda, they said.

    Tracking the Attack

    OverWatch researchers tracked the threat actor’s activity closely during the intrusion to provide continuous updates to academic institution as its security administrators scrambled to mitigate the attack, they said.

    Aquatic Panda engaged in reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. Researchers also observed the group attempt discover and stop a third-party endpoint detection and response (EDR) service, they said.

    The threat actors downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. They also retrieved three files with VBS file extensions from remote infrastructure, which they then decoded.

    “Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking,” researchers wrote.

    Aquatic Panda eventually made multiple attempts to harvest credentials by dumping the memory of the LSASS process using living-off-the-land binaries rdrleakdiag.exe and cdump.exe, a renamed copy of createdump.exe.

    “The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windowstemp directories,” researchers wrote.

    The victim organization eventually patched the vulnerable application, which prevented further action from Aquatic Panda on the host and stopped the attack, researchers said.

    New Year, Same Exploit

    As 2021 comes to a close, it’s likely Log4Shell and exploits developed so attackers can use it for nefarious activity will carry their disruption into the new year.

    “The discussion globally around Log4j has been intense, putting many organizations on edge,” OverWatch researchers wrote. “No organization wants to hear about such a potentially destructive vulnerability affecting its networks.”

    Indeed, the flaw already has created considerable headache for organizations and security researchers alike since its discovery earlier this month. Attackers immediately jumped on Log4Shell, spawning 60 variants of the original exploit created for the flaw in a 24-hour period when it was first revealed. Though Apache moved quickly to patch it, the fix also turned problematic, creating a vulnerability of its own.

    Moreover, Aquatic Panda also is not the first organized cybercrime group to recognize the opportunity to exploit Log4Shell, and likely not be the last. On Dec. 20, the Russia-based Conti ransomware gang—known for its sophistication and ruthlessness–became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability with the creation of a holistic attack chain.

    CrowdStrike urged organizations to remain abreast of the latest mitigations available for Log4Shell and overall Log4j vulnerabilities as the situation evolves.

    Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.