Cybersecurity company CrowdStrike identified a China-based threat group exploiting a Log4j vulnerability to infiltrate an academic institution. CrowdStrike dubbed the group “Aquatic Panda” and believe the group’s goal was to collect intelligence and conduct industrial espionage although the attack was disrupted. The team at CrowdStrike discovered that Aquatic Panda used a public GitHub project from Dec. 13th, 2021 to gain access to the vulnerable instance of VMWare Horizon. Threat actors of every skill level continue to exploit Log4j vulnerabilities, especially on servers that answer connections from the public Internet. Threat researchers have seen APT groups from North Korea, Iran, Turkey, China as well as ransomware operators and cybercriminals exploiting the vulnerability.
Analyst Notes
Log4Shell is an extremely severe vulnerability. It is recommended for organizations to determine the applications that are impacted, especially any externally facing ones, and patch them as soon as possible. Exploitation of Log4Shell began on or around December 1, 2021, and increased significantly on December 9th when a proof-of-concept exploit became publicly available for this vulnerability. The FBI has observed attempted exploitation and widespread scanning of the Log4j vulnerability to gain access to networks to deploy crypto mining and botnet malware. The FBI assesses this vulnerability may be exploited by sophisticated cyber threat actors and incorporated into existing cybercriminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques. Binary Defense has published a comprehensive blog detailing recommendations on managing the log4j vulnerability:
https://www.binarydefense.com/advice-for-defenders-responding-to-the-log4j-vulnerability-cve-2021-44228/
