CrowdStrike reported on Wednesday that it detected a Chinese-affiliated espionage group it tracks as Aquatic Panda attempting to leverage the Log4j vulnerability in VMware's Horizon Tomcat webserver service.
The company's Falcon OverWatch threat hunting service claims it detected and denied an attempted Log4j breach at an unnamed academic institution.
"While we cannot directly state that we are seeing broader use of this particular vulnerability by espionage actors, its viability as an access method is already proven," said Param Singh, CrowdStrike's vice president of Falcon OverWatch, in an email.
VMware first issued guidance and workarounds for different Horizon components on December 14, which led OverWatch to investigate client usage of the products. VMware has continued to update its Log4j guidance website, most recently on December 23.
During the attack, Aquatic Panda used a modified version of the Log4j exploit. The espionage group drew CrowdStrike's attention by attempting to use Linux Bash commands on the Windows host machine to launch an interactive shell. From there, the group attempted to download what CrowdStrike believes was a reverse shell encoded as three files with the VBS extension. Finally, the group tried several times to harvest credentials by dumping the memory of the Windows Local Security Authority Subsystem Service (LSASS).
Singh noted that the same reasons that make Log4j attractive for use by malicious hackers may ultimately make it less attractive for widespread use by espionage groups.
"Many security vendors have developed detection and alerting mechanisms for when this exploitation occurs which make use of this vulnerability less attractive to advanced threat actors," he said.