CrowdStrike researchers report the detection of a hacking group operating from China that managed to infiltrate an academic institution by exploiting one of the flaws found in the Log4j logging library. The group was identified as Aquatic Panda and described as an advanced intelligence and espionage operation, active for at least a year and a half.
For now the exact goal of this group is unknown, since the attack was interrupted; however, Aquatic Panda was found to establish persistence in the affected systems in order to gain access to intellectual property and other confidential information, mainly compromising organizations in the telecommunications, government and technology sectors.
As mentioned above, one of the main intrusions by this group was identified in the networks of an unnamed academic institution, where a vulnerable installation of VMware Horizon was running. From the telemetry obtained, the experts concluded that the group used a modified version of the exploit for the remote code execution flaw in Log4j.
In addition, the attackers used a public GitHub project to gain access to the vulnerable VMware Horizon instance, then continued reconnaissance from the host, using native operating system binaries to check their current privilege levels.
CrowdStrike adds that, over the past couple of weeks, multiple threat actors have been detected exploiting vulnerabilities in Log4j, ranging from groups dedicated to data theft to actors considered advanced persistent threats (APTs): “We will continue to see threat actors making use of this vulnerability until all relevant mitigations are implemented,” the researchers conclude.
In recent days, the governments of the United States, United Kingdom, Australia and Canada issued a joint alert regarding the massive exploitation of the flaws in Log4j. According to this report, hacking groups in North Korea, Iran, Turkey and China are primarily responsible for the malicious exploitation of these flaws.
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), believes that the exploitation of these flaws poses a serious and constant threat to vulnerable organizations: “We call on all entities to take the necessary steps to keep their networks protected; these are critical vulnerabilities and it is vital that we work together in the fight against cybercrime.”
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator. He has also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has a deep level of knowledge in enterprise security implementation.