Chinese Aquatic Panda Hackers Directly Abuse Log4j

Aquatic Panda, a Chinese hacking collective, has directly used the Log4j vulnerability to attack an undisclosed academic institution. The attack was discovered and countered by CrowdStrike’s OverWatch threat-hunting specialists.

According to CrowdStrike, the Chinese (state) hackers launched an attack on an unnamed academic institution by exploiting the Log4j vulnerability in a vulnerable VMware Horizon instance belonging to the affected institution.

VMware Horizon instance

CrowdStrike’s threat hunters discovered the attack after spotting suspicious traffic from a Tomcat process running under the affected Horizon instance. They monitored this traffic and determined from the telemetry that a modified version of a Log4j exploit was being used to penetrate the server. The Chinese hackers carried out the attack using a public GitHub project published on December 13.

Further monitoring of the hacking activity revealed that the Aquatic Panda hackers were using native OS binaries to understand the privilege levels and other details of the systems and domain environment. CrowdStrike’s specialists also found that the hackers were attempting to block the operations of an active third-party endpoint detection and response (EDR) solution.
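The two observations above (native OS binaries spawned for privilege and domain discovery, and attempts to stop an EDR product, both originating from the Horizon Tomcat process) translate directly into a process-tree detection. The following is an added example written for this page, not CrowdStrike’s or the article’s own logic; the telemetry records, the Horizon path and the service name are constructed, and the binary and command lists are illustrative assumptions.

```python
"""Flag discovery or service-tampering commands spawned by a VMware Horizon
Tomcat process. All telemetry below is constructed for this example."""
import re
from typing import List, Optional, Tuple

# Native OS binaries typically used for host/domain discovery (assumed list).
DISCOVERY_NAMES = {"whoami", "net", "net1", "nltest", "systeminfo",
                   "ipconfig", "tasklist", "quser"}
# Command-line fragments that try to stop a service or kill a process (assumed).
TAMPER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                   (r"\bsc(\.exe)?\s+stop\b", r"\bnet(\.exe)?\s+stop\b",
                    r"\btaskkill(\.exe)?\b")]

def is_horizon_tomcat(image_path: str) -> bool:
    """True if the parent image looks like Tomcat inside a VMware install.
    The path shape is an assumption about a typical Horizon deployment."""
    p = image_path.lower()
    return "tomcat" in p and "vmware" in p

def _basename(path: str) -> str:
    name = path.lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name

def classify(event: dict) -> Optional[str]:
    """Return 'edr_tamper', 'discovery' or None for one process-creation event."""
    if not is_horizon_tomcat(event["parent"]):
        return None  # only children of the web-facing Tomcat are in scope
    cmd = event["cmdline"]
    if any(p.search(cmd) for p in TAMPER_PATTERNS):
        return "edr_tamper"
    # Tokenise so "cmd.exe /c whoami /priv" is caught, not just a direct whoami.exe child.
    tokens = {_basename(t) for t in re.findall(r"[a-z0-9_.]+", cmd.lower())}
    if _basename(event["child"]) in DISCOVERY_NAMES or tokens & DISCOVERY_NAMES:
        return "discovery"
    return None

def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (command line, verdict) for every event that matched."""
    return [(e["cmdline"], v) for e in events if (v := classify(e))]

# Constructed sample telemetry: parent image, child image, child command line.
HORIZON_TOMCAT = r"C:\VMware\Horizon\tomcat\bin\tomcat.exe"  # hypothetical path
SAMPLE_EVENTS = [
    {"parent": HORIZON_TOMCAT, "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami /priv"},
    {"parent": HORIZON_TOMCAT, "child": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"parent": HORIZON_TOMCAT, "child": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop ExampleEdrSvc"},  # placeholder service name
    {"parent": r"C:\Windows\explorer.exe", "child": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami"},  # interactive user, not in scope
]

if __name__ == "__main__":
    for cmdline, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:11s} {cmdline}")
```

A real deployment would read these fields from the EDR’s process-creation telemetry rather than a static list, and would tune the parent match to the actual Horizon service image.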

The OverWatch specialists then continued to monitor the hackers’ activities and kept the institution in question informed of the hack’s progress, allowing the institution to act on its own behalf, take the necessary containment measures and patch the vulnerable application.

Aquatic Panda Hackers

The Chinese hacking group Aquatic Panda has been active since May 2020. The hackers focus exclusively on intelligence gathering and industrial espionage. Initially, the group mainly focused on companies in the telecom sector, the technology sector and governments.

The hackers mainly use the so-called Cobalt Strike tool sets, including the group’s unique Cobalt Strike downloader Fishmaster. The Chinese hackers also deploy njRAT payloads to hit targets.

Monitoring Log4j important

In response to this incident, CrowdStrike stated that the Log4j vulnerability is seriously dangerous and that companies and institutions would do well to check their systems for this vulnerability and patch them.