Aquatic Panda Used Log4Shell Exploit Tools During Hands-on Intrusion Attempt – CrowdStrike

Since the Log4j vulnerability was announced, CrowdStrike’s OverWatch threat hunters have been continuously ingesting the latest insights about it, as well as publicly disclosed exploit methods, to inform their continuous hunting operations. On Dec. 14, 2021, VMware issued guidance around elements of VMware’s Horizon service found to be vulnerable to Log4j exploits. This led OverWatch to hunt for unusual child processes associated with the VMware Horizon Tomcat web server service during routine operations.

On the back of this updated hunting lead, OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion.

OverWatch threat hunters observed the threat actor performing multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance. OverWatch has observed multiple threat actors utilizing publicly accessible DNS logging services like dns[.]1433[.]eu[.]org during exploit attempts in order to identify vulnerable servers when they connect back to the attacker-controlled DNS service.
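
The two hunting leads described above (unexpected child processes of the Horizon Tomcat service, and lookups under the DNS logging domain) as an added example, not CrowdStrike's code. The event schema, the `ws_TomcatService.exe` image name, the baseline of expected children and all sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumptions (not from the article): the Tomcat service image name and the
# baseline of expected children; derive the baseline from your own telemetry.
TOMCAT_SERVICE = "ws_tomcatservice.exe"
EXPECTED_CHILDREN = {"conhost.exe"}
# DNS logging domain named in the article, kept defanged until match time.
WATCHED_DOMAINS = ["dns[.]1433[.]eu[.]org"]

def refang(domain):
    return domain.replace("[.]", ".").lower().rstrip(".")

def is_subdomain(query, parent):
    """Match parent itself or names ending in '.parent' (label boundary)."""
    q = query.lower().rstrip(".")
    return q == parent or q.endswith("." + parent)

def hunt(events):
    watched = [refang(d) for d in WATCHED_DOMAINS]
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent = basename(ev["parent_image"]).lower()
            child = basename(ev["image"]).lower()
            if parent == TOMCAT_SERVICE and child not in EXPECTED_CHILDREN:
                findings.append(("unusual_child", ev["host"], child))
        elif ev["type"] == "dns":
            if any(is_subdomain(ev["query"], w) for w in watched):
                name = ev["query"].lower().rstrip(".")
                findings.append(("dns_logging_lookup", ev["host"], name))
    return findings

# Constructed sample telemetry (hosts, paths and names are made up).
TOMCAT = r"C:\example\horizon\ws_TomcatService.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "horizon-01", "parent_image": TOMCAT,
     "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "process", "host": "horizon-01", "parent_image": TOMCAT,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "ws-17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "dns", "host": "horizon-01", "image": TOMCAT,
     "query": "a1b2.DNS.1433.eu.org."},
    {"type": "dns", "host": "ws-17", "image": r"C:\example\app.exe",
     "query": "notdns.1433.eu.org"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The suffix match is anchored on a label boundary, so a look-alike name such as `notdns.1433.eu.org` is not reported as a hit on the watched domain.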

Source: CrowdStrike