
Chinese spy organization exploits Log4j vulnerability in VMware


US President Joe Biden participated in a virtual meeting with Chinese President Xi Jinping on November 15, 2021. CrowdStrike said today that it detected a Chinese-affiliated spy organization trying to exploit a Log4j vulnerability in VMware’s Horizon Tomcat web server service. (Photo by Alex Huang/Getty Images)

CrowdStrike reported on Wednesday that it found an espionage group linked to China, which it tracks as Aquatic Panda, attempting to use the Log4j vulnerability against VMware's Horizon Tomcat web server service.

The company's Falcon OverWatch threat hunting service says it detected and blocked attempts to exploit Log4j at an unnamed academic institution.

Param Singh, vice president of Falcon OverWatch at CrowdStrike, said in an email: “Although we cannot directly state that we see espionage, the feasibility of the method has been confirmed.”

VMware first released guidance and workarounds for the different Horizon components on December 14, which led OverWatch to investigate how customers were using the product. VMware has continued to update its Log4j guidance page, most recently on December 23.

During the attack, Aquatic Panda used a modified version of the Log4j exploit. The group's attempt to run Linux Bash commands on a Windows host to launch an interactive shell is what drew CrowdStrike's attention. From there, the group tried to download what CrowdStrike believes was a reverse shell, encoded as three files with a VBS extension. Finally, the group made several attempts to harvest credentials by dumping the memory of the Windows Local Security Authority Subsystem Service (LSASS).
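As an added illustration (not from CrowdStrike's report or this article), the following heuristic flags the three stages of the chain described above in process-creation telemetry: a web-server process starting a shell, a script host running a .vbs file, and a process naming LSASS on its command line. Field names, process names and the sample events are assumptions constructed for this example.

```python
import json

# Heuristic process-creation detector for the behaviours described above.
# Process names and field names are assumptions for this example; tune them
# to the telemetry you actually collect.
SHELLS = {"bash.exe", "cmd.exe", "powershell.exe", "sh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEB_SERVER_HINTS = ("tomcat", "java")  # substrings expected in the parent image name


def classify(event):
    """Return the alert labels that one process-creation event triggers."""
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("command_line", "").lower()
    alerts = []
    # Stage 1: a Tomcat/Java web-server process should never start an interactive shell.
    if any(hint in parent for hint in WEB_SERVER_HINTS) and image in SHELLS:
        alerts.append("web-server-spawned-shell")
    # Stage 2: a script host executing a .vbs file.
    if image in SCRIPT_HOSTS and ".vbs" in cmdline:
        alerts.append("vbs-execution")
    # Stage 3: any process other than lsass.exe itself naming lsass on its command line.
    if "lsass" in cmdline and image != "lsass.exe":
        alerts.append("lsass-access-attempt")
    return alerts


def scan(jsonl_text):
    """Run classify over JSON-lines telemetry; return (hits, malformed_line_count)."""
    hits, malformed = [], 0
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # count unparseable lines instead of silently dropping them
            continue
        for label in classify(event):
            hits.append((event.get("host", "?"), label, event.get("image")))
    return hits, malformed


# Constructed sample telemetry (not real logs from the incident); one malformed line included.
SAMPLE = """
{"host": "hz-cs01", "parent_image": "tomcat.exe", "image": "java.exe", "command_line": "java -jar horizon.war"}
{"host": "hz-cs01", "parent_image": "java.exe", "image": "bash.exe", "command_line": "bash -i"}
{"host": "hz-cs01", "parent_image": "bash.exe", "image": "wscript.exe", "command_line": "wscript.exe C:/Users/Public/1.vbs"}
{"host": "hz-cs01", "parent_image": "cmd.exe", "image": "memdump.exe", "command_line": "memdump.exe --process lsass.exe out.dmp"}
{"host": "hz-cs01", "parent_image": "services.exe", "image": "lsass.exe", "command_line": "C:/Windows/System32/lsass.exe"}
this line is not json
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE)
    for host, label, image in found:
        print(f"{host}: {label} ({image})")
    print(f"malformed lines: {bad}")
```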

Singh noted that the same qualities that make Log4j attractive to criminal hackers may ultimately make it less attractive for widespread use by espionage groups.

“Many security vendors have developed detection and alerting mechanisms so that when such exploitation occurs, the use of this vulnerability is less attractive to advanced threat actors,” he said.
