Executive Summary
SecurityScorecard has identified probable victims of Log4Shell exploitation, including a South American vaccine distributor, a UK energy company, and multiple private and state US entities.
SecurityScorecard also identified connections to various Chinese IP addresses attributed to China-based mobile networks.
Lack of technical evidence makes attribution difficult. However, non-technical, historic, and geopolitical factors suggest a Chinese APT is likely behind this activity.
Threat actors will keep exploiting the Log4Shell vulnerability for as long as vulnerable systems remain unpatched.
Background
On June 23, the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) warning network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers. CGCYBER’s analysis of an organization compromised via the Log4Shell VMware Horizon exploit revealed that after access was obtained, the threat actors uploaded a Windows loader called hmsvc.exe, which contained a remote access tool (RAT) named 658_dump_64.exe. This RAT can log keystrokes, upload and execute additional payloads, act as a C2 tunneling proxy, and provide graphical user interface (GUI) access over a target Windows system’s desktop. The RAT connects to its hard-coded C2 IP address 192.95.20[.]8 over ports 4443 and 443.
Pivoting on the information provided by CISA and CGCYBER in their advisory, SecurityScorecard got to work. We started by looking at the C2 IP, 192.95.20[.]8, to understand its role in the campaign and determine whether it was still actively communicating with victims despite being exposed. IP 192.95.20[.]8 belongs to OVH Hosting Inc., a large hosting provider with 27 data centers worldwide, and is geo-located to OVH’s data center in Montreal, Canada. At the time of publication, our data indicated that IP 192.95.20[.]8 has only one domain residing on it, ip8.ip-192-95-20[.]net, which is a standard domain assigned by OVH to each of its IPs.
Victimology
Our data reveals that over the last two months, IP 192.95.20[.]8 received hundreds of connections from four unique IP addresses via port 4443 and from dozens of IP addresses via port 443. We focused our immediate efforts on the former, given that 4443 is a non-standard port and therefore more indicative of a compromise than generic HTTPS traffic. Of the four likely victims, two are located in the US, one in Brazil, and one in China. The following table lists probable victims, identified by beacons to the C2 over port 4443.
| IP | Probable Victim Info |
| --- | --- |
| US IP Address 1 | Community College |
| US IP Address 2 | Staffing Firm |
| China IP Address 1 | Unknown (China Mobile) |
| Brazil IP Address 1 | Brazilian vaccine and antivenom manufacturer |

Table 1: Probable victims due to 4443 traffic to C2.
The last probable victim caught our attention, given the strategic importance the organization has to its country, and that it represents a juicy target for nation-state cyber actors seeking to fill intelligence gaps on vaccine development. According to its website, it’s responsible for providing the vast majority of antivenom and vaccines in Brazil.
We also observed several other frequent connections to IP 192.95.20[.]8 via port 443. Given that the IP hosts only one default domain, these connections likely indicate a 658_dump_64.exe compromise as well. The following entities are likely victims, identified by beacons to the C2 over port 443.
A UK-based oil and gas decommissioning company
A Texas-based private capital group
A Texas county government
A North Carolina-based state university
An Ohio-based community college
A US-based subsidiary of a Japanese global development, resource, and energy company
A Vermont-based law firm
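The triage logic used above, beacons to the C2 over the non-standard port 4443 as the strongest indicator and 443-only traffic as a weaker one, can be run over a defender's own flow or proxy logs. The following is an added example, not code from SecurityScorecard or from the CISA/CGCYBER advisory: the C2 address and ports (192.95.20[.]8 over 4443 and 443) are taken from the report, while the flow records, internal addresses, log format and confidence thresholds are constructed for illustration.

```python
"""Triage flow records for beacons to the Log4Shell RAT C2 described in the report.

Added example, not part of the SecurityScorecard report or the CISA/CGCYBER advisory.
The C2 address and ports (192.95.20[.]8 over 4443 and 443) come from the report; the
flow records, internal addresses and log format below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator as written in reports ("192.95.20[.]8") into a usable address."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang("192.95.20[.]8")
HIGH_CONFIDENCE_PORT = 4443  # non-standard port: beacons here are the strongest indicator
LOW_CONFIDENCE_PORT = 443    # ordinary HTTPS: weaker, but the IP serves only a default OVH domain

# Constructed flow records (not real telemetry): "timestamp src_ip dst_ip dst_port bytes_out"
SAMPLE_FLOWS = """\
2022-06-24T01:02:03Z 10.0.5.17 192.95.20.8 4443 1200
2022-06-24T01:12:03Z 10.0.5.17 192.95.20.8 4443 980
2022-06-24T01:22:03Z 10.0.5.17 192.95.20.8 4443 1010
2022-06-24T02:00:00Z 10.0.9.40 192.95.20.8 443 5400
2022-06-24T02:30:00Z 10.0.9.40 192.95.20.8 443 5500
2022-06-24T02:31:00Z 10.0.9.40 203.0.113.25 443 700
2022-06-24T03:00:00Z 10.0.1.2 192.95.20.8 80 300
"""

CONFIDENCE_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def triage(flows: list[Flow]) -> dict[str, dict]:
    """Group flows to the C2 by internal source and grade each source.

    Grading follows the report's reasoning: any beacon over 4443 is 'high'; 443-only
    traffic is 'medium' (the C2 hosts nothing legitimate, but 443 alone is less specific);
    anything else sent to the C2 is 'low' and still worth a look.
    """
    per_src: dict[str, dict] = defaultdict(lambda: {
        "count": 0, "count_4443": 0, "count_443": 0, "bytes_out": 0,
        "first_seen": None, "last_seen": None,
    })
    for f in flows:
        if f.dst != C2_IP:
            continue  # only traffic to the known C2 is of interest here
        rec = per_src[f.src]
        rec["count"] += 1
        rec["bytes_out"] += f.bytes_out  # exfiltration volume, per the report's observation
        if f.dport == HIGH_CONFIDENCE_PORT:
            rec["count_4443"] += 1
        elif f.dport == LOW_CONFIDENCE_PORT:
            rec["count_443"] += 1
        # ISO-8601 timestamps in UTC sort correctly as strings
        rec["first_seen"] = f.ts if rec["first_seen"] is None else min(rec["first_seen"], f.ts)
        rec["last_seen"] = f.ts if rec["last_seen"] is None else max(rec["last_seen"], f.ts)
    for rec in per_src.values():
        if rec["count_4443"]:
            rec["confidence"] = "high"
        elif rec["count_443"]:
            rec["confidence"] = "medium"
        else:
            rec["confidence"] = "low"
    return dict(per_src)


def ranked(results: dict[str, dict]) -> list[tuple[str, dict]]:
    """Order sources for an analyst: highest confidence first, then most beacons."""
    return sorted(results.items(),
                  key=lambda kv: (CONFIDENCE_ORDER[kv[1]["confidence"]], -kv[1]["count"]))


if __name__ == "__main__":
    for src, rec in ranked(triage(parse_flows(SAMPLE_FLOWS))):
        print(f"{rec['confidence']:6} {src:12} beacons={rec['count']} "
              f"bytes_out={rec['bytes_out']} {rec['first_seen']} .. {rec['last_seen']}")
```

The 443-only grade deliberately sits below 4443: it relies on the report's observation that the C2 IP serves nothing but OVH's default domain, so any HTTPS to it is suspect; against a shared or CDN address the same rule would produce false positives and the "medium" tier would need corroboration from host telemetry (for example the hmsvc.exe loader named in the advisory).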
SecurityScorecard also observed several connections from China/Hong Kong-based IP addresses that could only be attributable to Chinese mobile networks and not specific organizations.
Upon initial review of the victims we discovered, it would appear that the threat actor intentionally focused on targeting US- and China-based entities. However, it’s more likely that these victims were targets of opportunity, given that the US and China have the highest saturation of VMware deployments. Thus, the threat actor was likely scanning for vulnerable systems and happened upon these targets. As previously mentioned, a major vaccine distributor would represent a juicy target to nation-state and criminal hackers alike: nation-state actors would be interested in proprietary vaccine formulas and efficacy rates, while cyber criminals would assume this victim would be quick to pay a ransom to regain access to encrypted data or prevent its exposure.
Nation-state actors have a history of targeting Covid-19 vaccine manufacturers. In July 2020, the Russian state-sponsored group APT29 compromised Canada’s Medicago Inc., a Quebec-based company developing a COVID-19 vaccine using a novel process that involves plants related to tobacco, and has received financial support for the project from the provincial and federal governments. That same month, the US Department of Justice made public an indictment of two Chinese nationals accused of spying on the United States, including three unnamed U.S.-based targets involved in medical research to fight the novel coronavirus. The indictment said the Chinese hackers “conducted reconnaissance” against the computer network of Massachusetts biotech firm Moderna.
Since the pandemic began, the compromised Brazilian vaccine manufacturer has been intertwined with Chinese vaccine manufacturers. In December 2020, the victim announced that its trials with 13,000 Brazilian volunteers proved that the CoronaVac vaccine, developed by the private Chinese laboratory Sinovac Life Science, achieved the levels of efficacy against the coronavirus required by the World Health Organization (WHO). The victim began importing active ingredients from China to manufacture the vaccine in Brazil and started using it as the primary Covid-19 vaccine for Brazilian citizens. However, a year later, Brazil backpedaled on its manufacture and use of CoronaVac as concerns grew over its efficacy against the Delta variant. Brazil decided to develop its own vaccine and to rely on US-made vaccines until its own vaccine had finished trials. This would no doubt have been seen as a major blow to CoronaVac, which at the time was competing with other vaccine manufacturers for the South American market.
Attribution
Given the prevalence of devices vulnerable to Log4Shell still exposed on the internet, and the number of groups still taking advantage of this attack vector, it’s difficult to attribute this specific campaign to a particular actor. SecurityScorecard could not identify any network connections to IP 192.95.20[.]8 that appeared to be the hackers connecting to their own infrastructure. This could be because the actors’ traffic is indistinguishable from victim traffic, or because we simply didn’t have an aperture into this activity. We did observe connections to Chinese mobile IPs via 443, but could not determine whether this was victim or controller traffic. Although there is no technical evidence for attribution, there are some historical, non-technical, and geopolitical factors that indicate a nation-state actor may be behind this campaign:
1. We did not find any evidence of ransomware deployed on victim networks, nor did we detect any data extortion campaigns, despite observing exfiltration from victims. Since we didn’t see any evidence that the threat actor was trying to gain financially from its activity, it’s likely not a criminal actor.
2. The hot-then-cold relationship between the Brazil-based victim and China no doubt provides ample incentive for China’s intelligence services to covertly seek to understand Brazil’s decision-making process regarding Covid-19 vaccines.
3. Chinese APTs, such as Deep Panda and Aquatic Panda, have been observed exploiting Log4Shell since 2021, using the vulnerability to compromise academic institutions as well as the finance, travel, and cosmetic industries.
Outlook
SecurityScorecard assesses that threat actors will continue to exploit devices vulnerable to Log4Shell as long as vulnerable devices remain exposed on the internet. China-linked APTs have demonstrated that they have mastered the use of this TTP and will no doubt keep it in their toolbox as long as it continues to serve them.
Recommendations
In its CSA, CISA goes as far as advising that any VMware systems that were not promptly updated in December 2021 with updates for Log4Shell should be considered compromised. Given the amount of threat activity targeting this vulnerability, SecurityScorecard agrees with the advice and strongly recommends that organizations install fixed builds to update all VMware Horizon and UAG systems to the latest versions as soon as possible.