Threat hunters from CrowdStrike have discovered the Aquatic Panda cyber gang using Log4Shell exploit tools in recent intrusion attempts against a customer.
Aquatic Panda is the latest advanced persistent threat (APT) actor to exploit Log4Shell, a remote code execution (RCE) vulnerability (CVE-2021-44228) in the Apache Log4j logging utility.
OverWatch security researchers described the intrusion against vulnerable VMware Horizon instances in a recent blog post:
“OverWatch threat hunters observed the threat actor performing multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance. OverWatch has observed multiple threat actors utilizing publicly accessible DNS logging services like dns[.]1433[.]eu[.]org during exploit attempts in order to identify vulnerable servers when they connect back to the attacker-controlled DNS service.”
Previously, VMware issued guidance on December 14, 2021 regarding two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) that impacted VMware Horizon via the Apache Log4j open-source component.
Subsequently, the OverWatch researchers discovered “suspicious activity” related to the Tomcat process of a vulnerable VMware Horizon system at a large academic institution.
Some of those activities included the execution of a bash-based interactive shell with hardcoded IP addresses linked to remote infrastructure managed by the Aquatic Panda threat actors.
In addition, the actors performed reconnaissance operations from the compromised host to obtain current privilege levels as well as system and domain details before downloading scripts and then retrieving malware from their toolkit.
The OverWatch team also spotted the actors making multiple attempts at credential harvesting by dumping the memory of the LSASS process using built-in diagnostic utilities rdrleakdiag.exe and cdump.exe.
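As a defender-side illustration of the behaviours described above (added here, not code from CrowdStrike or the article), the following Python hunts constructed EDR-style DNS and process-start events for the three stages: the Tomcat service resolving names under the DNS-logging service quoted in the post, Tomcat spawning an interactive shell, and execution of the LSASS-dump utilities named above. The Horizon Tomcat process names, the event field layout and the sample telemetry are assumptions.

```python
"""Hunt for the Log4Shell post-exploitation chain described in the article over
constructed, EDR-style telemetry (dicts standing in for DNS and process-start events)."""

# Indicator quoted in the article (written de-fanged there as dns[.]1433[.]eu[.]org).
CALLBACK_DNS_SUFFIXES = ("dns.1433.eu.org",)
# Process names for the Horizon Tomcat service are assumptions, not from the article.
TOMCAT_PROCESSES = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe", "java"}
SHELLS = {"bash", "bash.exe", "sh", "cmd.exe", "powershell.exe"}
# Built-in diagnostic utilities the article names as being used to dump LSASS memory.
LSASS_DUMPERS = {"rdrleakdiag.exe", "cdump.exe"}
RULES = {"dns_callback_from_tomcat", "shell_spawned_by_tomcat", "lsass_dump_utility"}


def _under_callback_domain(query):
    q = query.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in CALLBACK_DNS_SUFFIXES)


def hunt(events):
    """Return (rule, host, event) findings for the three behaviours in the report."""
    findings = []
    for ev in events:
        proc = ev.get("process", "").lower()
        parent = ev.get("parent", "").lower()
        if ev["type"] == "dns":
            # Connectivity check: Tomcat itself resolving a name under a DNS-logging service.
            if proc in TOMCAT_PROCESSES and _under_callback_domain(ev["query"]):
                findings.append(("dns_callback_from_tomcat", ev["host"], ev))
        elif ev["type"] == "process":
            # A web server spawning an interactive shell is not normal for Horizon.
            if parent in TOMCAT_PROCESSES and proc in SHELLS:
                findings.append(("shell_spawned_by_tomcat", ev["host"], ev))
            # Legitimate diagnostic tools, but rare outside maintenance: triage every run.
            if proc in LSASS_DUMPERS:
                findings.append(("lsass_dump_utility", ev["host"], ev))
    return findings


def chained_hosts(findings):
    """Hosts where all three stages fired, i.e. the full sequence the article describes."""
    stages = {}
    for rule, host, _ in findings:
        stages.setdefault(host, set()).add(rule)
    return sorted(h for h, s in stages.items() if s == RULES)


SAMPLE_EVENTS = [  # constructed telemetry, not from the report
    {"type": "dns", "host": "horizon-cs01", "process": "ws_TomcatService.exe",
     "query": "a1b2c3.dns.1433.eu.org"},
    {"type": "process", "host": "horizon-cs01", "parent": "ws_TomcatService.exe",
     "process": "bash.exe", "cmdline": "bash"},
    {"type": "process", "host": "horizon-cs01", "parent": "cmd.exe",
     "process": "rdrleakdiag.exe", "cmdline": "rdrleakdiag.exe"},
    {"type": "dns", "host": "fileserver02", "process": "chrome.exe", "query": "www.example.org"},
    {"type": "process", "host": "fileserver02", "parent": "explorer.exe",
     "process": "powershell.exe", "cmdline": "powershell.exe"},
]
```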
“Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host,” CrowdStrike concluded in the post.