Tuesday, March 19, 2024

Chinese Hackers Using Log4Shell Exploit Tools to Perform Post-Exploitation Attacks

The cybersecurity firm, CrowdStrike has warned that Chinese hackers are using the Log4Shell exploit tools to perform various post-exploitation operations. 

The hacker group behind these malicious operations, Aquatic Panda was seen using the Log4Shell vulnerability, with the help of a large academic institution.

In early December the Log4Shell and LogJam vulnerability, which were tracked as CVE-2021-44228 was discovered in the popular Log4j logging library.

Aquatic Panda

Aquatic Panda is a Chinese hacking group that is operating since May 2020 and it has two primary goals:-

  • Intelligence collection.
  • Industrial espionage.

This hacking group mainly targets all its users from the following sectors:-

  • Telecommunications sectors
  • Technology sectors
  • Government sectors

Apart from this, the AQUATIC PANDA counts on the following tools for the execution of all its operations:-

  • Cobalt Strike
  • FishMaster (Unique Cobalt Strike downloader.)
  • njRAT

Technical Analysis

To gain initial access to the target system, the Aquatic Panda uses a modified version of the exploit for a bug in Log4j, and then it performs several post-exploitation activities like:- 

  • Exploration
  • Credential collection

The hackers targeted VMware Horizon that used the vulnerable Log4j library to compromise a large academic institution, and on December 13, 2021, the exploit used in this attack was published on GitHub.

Using the DNS lookups for a subdomain running on VMware Horizon as part of Apache Tomcat, the threat actors performed a connection check.

On the Windows host where the Apache Tomcat service was running, the team ran a series of Linux commands, and not only that even they also performed the same on those aimed at deploying malicious tools that are hosted on remote infrastructure.

Here at this point to better understand privilege levels and learn more about the domain, the threat actors have also conducted surveillance efforts. While they also tried to interrupt a response solution and third-party endpoint threat detection solution.

The malware and three VBS files were extracted by the hackers through PowerShell commands, and to accomplish this, additional scripts were deployed by the hackers. 

At this stage, by performing memory dumps and preparing them for theft, the threat actors of Aquatic Panda attempted several trials to collect credentials.

Moreover, the attacked academic institution was timely warned of suspicious activities to be able to quickly use the incident response protocol, fixing vulnerable software and deterring further development of the malicious activity.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Hackers Exploiting Microsoft Office Templates to Execute Malicious Code

In a cyberattack campaign dubbed "PhantomBlu," hundreds of employees across various US-based organizations were...

How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup?

The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within...

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hacked AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles