Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2584" data-attributes="member: 3">
<h3><span style="color: rgb(251, 160, 38)">Severity: Medium</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> <a href="https://forum.comptiaisao.org/resources/aquatic-panda-infiltrated-academic-institution-through-log4j-vulnerability-says-crowdstrike.1254/" target="_blank">Aquatic Panda Infiltrated Academic Institution Through Log4j Vulnerability, Says CrowdStrike</a></h3>
<p><strong>Summary</strong>:</p>
<p>“Cybersecurity company CrowdStrike has discovered an attempt by a China-based group to infiltrate an academic institution through the Log4j vulnerability. CrowdStrike called the group "Aquatic Panda" and said it is an "intrusion adversary with a dual mission of intelligence collection and industrial espionage" that has operated since at least May 2020” (<a href="https://www.zdnet.com/article/apt-group-seen-attacking-academic-institution-through-log4j-vulnerability-crowdstrike/" target="_blank">ZDNet, 2022</a>).</p>
<p>The group's attack was disrupted by the institution, so their motives are still unclear. The group is known to maintain persistence in networks to steal intellectual property and other industrial trade secrets. They typically focus on entities in telecommunications, technology, and the government sector.</p>
<p><strong>Analyst Comments:</strong></p>
<p>CrowdStrike saw suspicious activity coming from Tomcat processes running under a vulnerable VMware Horizon instance at a large academic institution. They believe the group was using a modified version of the Log4j exploit. Aquatic Panda used a public GitHub project from December 13th to gain access to the vulnerable VMware Horizon instance.</p>
<p>Using native OS binaries, the group attempted to elevate privileges and tried to stop a third-party endpoint detection and response device. The victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.</p>
<p>“CrowdStrike officials told ZDNet that they are seeing various threat actors both inside and outside of China leveraging the Log4J vulnerability, with adversaries ranging from advanced threat actors to eCrime actors. In the end, the viability of this exploit is well-proven with a substantial attack surface still present. We will continue to see threat actors making use of this vulnerability until all recommended mitigations are put into place” (<a href="https://www.zdnet.com/article/apt-group-seen-attacking-academic-institution-through-log4j-vulnerability-crowdstrike/" target="_blank">ZDNet, 2022</a>).</p>
<p><strong>Mitigation:</strong></p>
<p>Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organizations. CISA Director Jen Easterly said Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world.</p>
<p><strong>Log4Shell Scanning Software:</strong></p>
<p><a href="https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md" target="_blank">https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md</a></p>
<p><strong>Known Vulnerable Software:</strong></p>
<p><a href="https://github.com/NCSC-NL/log4shell/blob/main/software/software_list_c.md" target="_blank">https://github.com/NCSC-NL/log4shell/blob/main/software/software_list_c.md</a></p>
<p><strong>Source</strong>:</p>
<p><a href="https://www.zdnet.com/article/apt-group-seen-attacking-academic-institution-through-log4j-vulnerability-crowdstrike/" target="_blank">https://www.zdnet.com/article/apt-g...tion-through-log4j-vulnerability-crowdstrike/</a></p>
</blockquote>
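<p>As an added illustration for readers of this thread (it is not part of MJ Shoer's post and not CrowdStrike's detection logic), the script below turns the two behaviours the analyst comments describe into a simple defender-side check over process-creation telemetry: a Tomcat/Horizon web-server process spawning native OS binaries, and a service-stop or process-kill command issued from that process tree. Everything in it is assumed or constructed: the pipe-delimited log layout and the sample lines are made up for the example, <code>ws_TomcatService.exe</code> is assumed to be the Tomcat service under a VMware Horizon Connection Server, <code>ExampleEdrService</code> is a placeholder service name, and the list of native binaries is a general choice rather than anything the post names.</p>

```python
"""
Detection sketch (added example): flag process-creation events where a
Tomcat/VMware Horizon web-server process spawns native OS binaries, and where
such a child tries to stop a service or kill a process.

All telemetry below is CONSTRUCTED for this example.  The field layout
(ts | host | parent_image | image | command_line | user) is an assumption,
not any vendor's real schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parent processes treated as the web tier.  Assumption: ws_TomcatService.exe is
# the Tomcat service that VMware Horizon Connection Server runs; tomcat*.exe
# covers a generic Tomcat install.
WEB_PARENT_RE = re.compile(r"(?:^|\\)(?:ws_TomcatService|tomcat\d*)\.exe$", re.I)

# Native OS binaries a web server has no business launching (general choice).
NATIVE_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe",
    "sc.exe", "net.exe", "net1.exe", "taskkill.exe", "whoami.exe", "schtasks.exe",
    "wmic.exe", "reg.exe",
}

# Command lines that stop/disable a service or kill a process.
SERVICE_STOP_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config\b.*\bstart=\s*disabled)"
    r"|net1?(?:\.exe)?\s+stop"
    r"|taskkill(?:\.exe)?\b"
    r"|Stop-Service\b"
    r"|Set-Service\b.*-StartupType\s+Disabled)",
    re.I,
)


@dataclass
class Event:
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str
    user: str


@dataclass
class Finding:
    ts: str
    host: str
    reason: str
    command_line: str


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited event line (constructed format; a '|' inside
    the command line would break this and is out of scope here)."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"malformed event line: {line!r}")
    return Event(*parts)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: Event) -> list[Finding]:
    """Return findings for a single event; empty if the parent is not the web tier."""
    findings: list[Finding] = []
    if not WEB_PARENT_RE.search(event.parent_image):
        return findings
    child = basename(event.image)
    if child in NATIVE_BINARIES:
        findings.append(Finding(
            event.ts, event.host,
            f"web-server process {basename(event.parent_image)} spawned native binary {child}",
            event.command_line))
    if SERVICE_STOP_RE.search(event.command_line):
        findings.append(Finding(
            event.ts, event.host,
            "service-stop/kill command launched from web-server process tree",
            event.command_line))
    return findings


def scan(lines) -> list[Finding]:
    """Run analyse() over an iterable of log lines, skipping blanks and comments."""
    findings: list[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        findings.extend(analyse(parse_line(line)))
    return findings


# Constructed sample events: not real telemetry from the incident in the post.
# ExampleEdrService is a placeholder service name.
SAMPLE_LOG = """\
2021-12-14T02:11:03Z | horizon-cs01 | C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c whoami | NT AUTHORITY\\SYSTEM
2021-12-14T02:11:09Z | horizon-cs01 | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\whoami.exe | whoami | NT AUTHORITY\\SYSTEM
2021-12-14T02:12:40Z | horizon-cs01 | C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe | C:\\Windows\\System32\\sc.exe | sc stop ExampleEdrService | NT AUTHORITY\\SYSTEM
2021-12-14T02:13:00Z | horizon-cs01 | C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe | C:\\Program Files\\Java\\jre\\bin\\java.exe | java.exe -jar helper.jar | NT AUTHORITY\\SYSTEM
2021-12-14T02:15:22Z | fileserver01 | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir | CORP\\alice
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.host}: {f.reason} :: {f.command_line}")
```

<p>Run as-is it reports three findings on the constructed log: the Tomcat service launching <code>cmd.exe</code>, the same service launching <code>sc.exe</code>, and the <code>sc stop</code> command itself; the Java child and the unrelated file-server event are left alone. The point of the design is that a Horizon Tomcat service normally spawns only Java, so any native-binary child from that parent is worth triage on its own, and a service-stop from the same tree is the EDR-tampering step the post describes. Against real telemetry (Sysmon event ID 1 or EDR process-creation data) the parser would be replaced by the product's field mapping, and ancestry beyond the direct parent would be tracked so the grandchild <code>whoami.exe</code> in the sample is attributed to the web tier as well.</p>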