Aquatic Panda Exploit Targets American Universities

Aquatic Panda, an advanced persistent threat group, uses Log4Shell exploit tools to attack colleges and universities in the United States.  CrowdStrike researchers recently disrupted one of the attacks launched to steal military secrets and other sensitive information from an academic institution.
 

What, Exactly, is Aquatic Panda?

Aquatic Panda is a group of hackers based in China.  This group is focused on stealing intelligence information and conducting espionage on valuable industrial targets.  The author of the recent CrowdStrike report detailing the latest Aquatic Panda attack reveals that attack attempted to steal industrial intelligence from an American university.

How was the Attack Identified and Disrupted?

CrowdStrike Falcon OverWatch researchers disrupted the Aquatic Panda attack by focusing on the use of Log4Shell tools to exploit the vulnerable target.  The attack attempted to install VMware on an academic institution network.  The CrowdStrike team discovered the shady activity within the target university’s infrastructure.  To be more specific, OverWatch found the Aquatic Panda attack when the threat actor conducted connectivity checks through a DNS lookup for a subdomain executed through the Apache Tomcat service operating on VMware Horizon.  
 
The attackers used several Linux commands, including an attempt to perform a bash-based interactive shell containing IP addresses.  These digital miscreants also employed wget and curl commands to obtain the attacker’s tooling within the remote infrastructure.  The commands were performed on Windows hosts within the Apache Tomcat service.  
 
OverWatch then searched for potentially nefarious child processes linked to the VMware Horizon Tomcat server amidst routine operations.  OverWatch successfully triaged the initial component of the cyber attack.  The targeted institution was quickly provided with a critical detection notice so it could launch the appropriate incident response protocol.  Additional information was transmitted to the institution’s digital security team following the identification of the attack.  The digital security sleuths analyzing the attack also determined a modified form of the Log4j exploit was used throughout the attack.  
 

Why was CrowdStrike so Quick to Respond? 
 

CrowdStrike and several other digital security specialists have been actively monitoring networks for suspicious digital actions related to the vulnerability known as CVE-2021-44428, also known as Log4Shell within the Apache Log4j logging dataset.  These digital sleuths have been looking for the shady activity since the first week of December.  
 

Why are Log4Shell Attacks Such a Significant Threat? 
 

Log4Shell is widely used throughout the tech industry, meaning the top tech companies’ infrastructure products are susceptible to attack.  Examples of the companies most likely to suffer setbacks include Apple, Microsoft, CloudFlare, and Twitter.  VMware recently stated parts of its Horizon service are susceptible to Log4j exploits, prompting OverWatch to add VMware Horizon Tomcat support to its list of processes to watch.
 

Will Log4Shell Continue to be a Problem in ’22 and Beyond?
 

Indeed, it appears as though the Log4Shell attacks have no end in sight.  This digital security flaw has proven quite problematic for businesses and other organizations of all sizes and types throughout December.  
 
Digital criminals will continue to use Log4Shell for exploits as the new year unfolds.  There is a worldwide discussion centering the best approach to stop the Log4j attacks.  All in all, 60+ variants of the Log4Shell attack exist as of the year’s final day.