Threat Intelligence, Threat Management, Vulnerability Management

Chinese espionage group leveraged Log4j bug in VMware

U.S. President Joe Biden participates in a virtual meeting with Chinese President Xi Jinping on November 15, 2021. CrowdStrike today said it detected a Chinese-affiliated espionage group attempting to leverage the Log4j vulnerability in VMware’s Horizon Tomcat webserver service. (Photo by Alex Wong/Getty Images)

CrowdStrike reported on Wednesday that it detected a Chinese-affiliated espionage group it tracks as Aquatic Panda attempting to leverage the Log4j vulnerability in VMware's Horizon Tomcat webserver service.

The company's Falcon OverWatch threat hunting service claims it detected and denied an attempted Log4j breach at an unnamed academic institution.

"While we cannot directly state that we are seeing broader use of this particular vulnerability by espionage actors, its viability as an access method is already proven," said Param Singh, CrowdStrike’s vice president of Falcon OverWatch in an email.

VMware first issued guidance and workarounds for different Horizon components on December 14, which lead OverWatch to investigate client usage of the products. VMware has continued to update the guidance website on Log4j, most recently on December 23.

During the attack, Aquatic Panda used a modified version of the Log4j exploit. The espionage group drew CrowdStrike's attention by attempting to use Linux Bash commands on the Windows host machine to launch an interactive shell. From there, the group attempted to download what CrowdStrike believes was a reverse shell encoded as three files with the VBS extension. Finally, the group tried several times to harvest credentials by dumping the memory of the Windows Local Security Authority Subsystem Service (LSASS).

Singh noted that the same reasons that make Log4j attractive for use by malicious hackers may ultimately make it less attractive for widespread use by espionage groups.

"Many security vendors have developed detection and alerting mechanisms for when this exploitation occurs which make use of this vulnerability less attractive to advanced threat actors," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.