CrowdStrike, a cybersecurity firm reported that , infiltration was aimed at an unnamed “large academic institution.” The state-sponsored group is thought to have been active since mid-2020, primarily targeting companies in the telecommunications, technology and government sectors in the pursuit of intelligence and industrial espionage.
Aquatic Panda, a never-before-seen China-based targeted intrusion adversary has been observed using critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations on targeted systems, including reconnaissance and credential harvesting.
The attempted intrusion took advantage of a newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, then executed a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.
“The threat actor then ran a series of Linux commands, including attempting to run a bash-based interactive shell with a hardcoded IP address, as well as curl and wget commands to retrieve threat actor tooling hosted on remote infrastructure. Our CrowdStrike Intelligence team later linked the infrastructure to AQUATIC PANDA, a threat actor.”
Aquatic Panda’s malicious behaviour extended beyond special operations of the compromised host, first attempting to disable a third-party endpoint detection and response (EDR) service before retrieving next-stage payloads designed to obtain a reverse shell and harvest credentials.
Finally the Researchers Concluded that ,”However, after being notified of the incident, the victim organisation was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host. The precise intent of the attack remains unknown in light of its successful disruption.
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin
CyberWorkx 