A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data.
“The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates,” said Rotem Sde-Or and Eliran Voronovitch, researchers with Fortinet’s FortiGuard Labs, in a report released this week. “The victims belong to the financial, academic, cosmetics, and travel industries.”
Deep Panda, also known by the monikers Shell Crew, KungFu Kittens, and Bronze Firestone, is said to have been active since at least 2010, with recent attacks “targeting legal firms for data exfiltration and technology providers for command-and-control infrastructure building,” according to Secureworks.
Cybersecurity firm CrowdStrike, which assigned the panda-themed name to the threat cluster all the way back in July 2014, called it “one of the most advanced Chinese nation-state cyber intrusion groups.”
The latest set of attacks documented by Fortinet shows that the infection procedure involved the exploitation of the Log4j remote code execution flaw (aka Log4Shell) in vulnerable VMware Horizon servers to spawn a chain of intermediate stages, ultimately leading to the deployment of a backdoor dubbed Milestone (“1.dll”).
images from Hacker News