
Chinese Hackers used Modified Version of Log4j Exploit to Attack Academic Institution

A Chinese advanced persistent threat (APT) group has been observed using a modified version of the Log4j exploit to target a large, unnamed academic institution. The exploit was used to carry out operations such as reconnaissance and credential harvesting on the targeted systems.

The APT group has been dubbed "Aquatic Panda" and is believed to have been active since mid-2020. As Benjamin Wiley wrote in the CrowdStrike report, it is a China-based [APT] with a dual mission of intelligence collection and industrial espionage. Its attacks have mostly targeted companies in the telecommunications, technology, and government sectors.

According to CrowdStrike, researchers from its Falcon OverWatch team recently disrupted an attempt to steal industrial intelligence and military secrets from an unnamed academic institution using Log4Shell exploit tools. The researchers uncovered suspicious activity in which Aquatic Panda exploited the newly discovered Log4Shell flaw, tracked as CVE-2021-44228, to gain access to a vulnerable instance of the VMware Horizon desktop and application virtualization product.

After the discovery, OverWatch began hunting for unusual processes associated with VMware Horizon and quickly notified the organization so that it could start incident response and take preventive measures to secure its systems.

After reports in early December that many infrastructure products were vulnerable to Log4Shell attacks, VMware issued its own advisory stating that some components of its Horizon service were vulnerable to Log4j exploits.

This led the Falcon OverWatch team to add VMware's Horizon Tomcat web server service to its watch list, and on December 29 the team noticed the intrusion by the group when the threat actor began making multiple connectivity checks to a subdomain, executed under the Apache Tomcat service running on the VMware Horizon instance.

Once the attackers had gained access to the VMware Horizon Tomcat web server, they launched a series of Linux commands that were executed on a Windows host under that service, according to the researchers.

They also said the attackers attempted to discover and stop a third-party endpoint detection and response (EDR) service. Three files with VBS extensions were retrieved as well, and the researchers believe these likely constituted a reverse shell that would be loaded into memory via DLL search-order hijacking.
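The process hunt described above, as an added example that is not part of the original post or of CrowdStrike's own tooling: it scans process-creation events for children of the Horizon Tomcat service that are command interpreters or carry Unix-style utilities in their command line. The service image name ws_TomcatService.exe, the event layout and all sample events are assumptions constructed for this example.

```python
"""Added example (not from the post or CrowdStrike): hunt process-creation
events for unexpected children of the VMware Horizon Tomcat service."""
import json
from typing import List, Optional, Tuple

# Assumed image name of the Horizon Tomcat service; verify in your deployment.
HORIZON_TOMCAT = "ws_tomcatservice.exe"
# Interpreters a Java web server has no routine reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "bash.exe"}
# Unix-style utilities; their presence in a Windows command line is a tell.
LINUX_TOOLS = {"ls", "cat", "uname", "id", "wget", "ps"}

# Constructed process-creation events (JSON lines, simplified Sysmon shape).
SAMPLE_LOG = r"""
{"ts": "2021-12-29T10:01:02Z", "parent_image": "C:\\VMware\\bin\\ws_TomcatService.exe", "image": "C:\\Windows\\System32\\conhost.exe", "command_line": "conhost.exe 0x4"}
{"ts": "2021-12-29T10:05:40Z", "parent_image": "C:\\VMware\\bin\\ws_TomcatService.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c nslookup check.example.invalid"}
{"ts": "2021-12-29T10:06:11Z", "parent_image": "C:\\VMware\\bin\\ws_TomcatService.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c uname -a"}
{"ts": "2021-12-29T10:07:00Z", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ls"}
"""

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event is suspicious, else None."""
    if basename(event["parent_image"]) != HORIZON_TOMCAT:
        return None  # only children of the Horizon Tomcat service are in scope
    child = basename(event["image"])
    tokens = set(event["command_line"].lower().split())
    if tokens & LINUX_TOOLS:
        return "unix-style utility in command line: " + event["command_line"]
    if child in SHELLS:
        return child + " spawned by Horizon Tomcat service"
    return None

def hunt(log_text: str) -> List[Tuple[str, str]]:
    """Parse JSON lines and return (timestamp, reason) for each flagged event."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reason = classify(event)
        if reason is not None:
            hits.append((event["ts"], reason))
    return hits

if __name__ == "__main__":
    for ts, reason in hunt(SAMPLE_LOG):
        print(ts, reason)
```

The cmd.exe launched from explorer.exe is deliberately left unflagged: the rule keys on the Tomcat service as parent, which is what separates this activity from ordinary administrator use of a shell.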

The organization was alerted to the incident and quickly implemented its incident response protocol. It also patched the vulnerable application to prevent further attempts. The exact intent behind the attempt, however, has still not been established.

Many also speculate that the Log4j exploit may have been prepared for attackers to use over the new year.

“The discussion globally around Log4j has been intense, putting many organizations on edge,” OverWatch researchers wrote in their post on Wednesday. “No organization wants to hear about such a potentially destructive vulnerability affecting its networks.”

The flaw is believed to have created a considerable headache for many organizations, as attackers produced some 60 variants of the original exploit within 24 hours of its release. There was also an attack on December 20 in which the Russia-based Conti ransomware gang became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, creating a holistic attack chain. (Montalbano, 2021)

CrowdStrike also stated that organizations must stay aware of the latest mitigations and reports on the Log4Shell and Log4j vulnerabilities as the situation continues to evolve.


References:

Lakshmanan, R. (2021, December 30). "Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution". Hacker News. https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html

Montalbano, E. (2021, December 30). "APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools". ThreatPost. https://threatpost.com/aquatic-panda-log4shell-exploit-tools/177312/
