CrowdStrike has found Log4Shell exploitation tools in the possession of Aquatic Panda, a Chinese government-operated threat group. The researchers explain, "AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets." The affected organization was able to address the issue, patch the vulnerability, and disrupt the attempt.
On December 28th, Checkmarx reported, and Apache fixed, a new arbitrary code execution vulnerability in Log4j. The newly released Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) all address CVE-2021-44832. BleepingComputer, keeping score, counts this as the fifth Log4j CVE to be addressed in less than a month.
And Microsoft last week released new capabilities designed to help protect its users against exploitation of the Log4j vulnerabilities. "New capabilities in threat and vulnerability management including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution," the company blogged on December 27th.