ProxyLogon in Exchange, OGNL injection in Confluence, log4shell in the log4j library: 2021 was rife with critical vulnerabilities. They were exploited by ransomware gangs and by hackers mining cryptocurrencies. But where were the professional spies, the APT groups? Did they miss such opportunities and take a vacation from cyber warfare? Surely they didn't. And we have collected evidence.
Spies dressed up as hackers
The APT fallout of vulnerabilities such as ProxyLogon in Exchange (Hafnium), OGNL injection, and log4shell
The benefactors of the scatter fire
The APT group Emissary Panda (also known as APT27, LuckyMouse) has exploited the Microsoft Exchange vulnerability "ProxyLogon", often publicly referred to as the "Hafnium" vulnerability, to carry out targeted industrial espionage. The particularly perfidious aspect of this is that they intentionally behaved like "ordinary hackers" in order not to trigger a comprehensive analysis and remediation. With great success.
We analyzed several incidents and found that some customers did not seriously follow up on a ProxyLogon compromise because at first glance it looked like an attack by an opportunistic attacker. This is how Emissary Panda (APT27) managed to run through the classic APT kill chain and steal trade secrets undetected for months.
Our report not only provides background and details on the process, the TTPs and the IOCs, but also initial evidence that the OGNL injection in Confluence was, and still is, of interest for targeted industrial espionage. The same applies to log4shell.
The PDF is written for security experts. However, the findings are also, and especially, important for decision-makers in companies and are therefore summarized on this page.
The effects of the global vulnerabilities from 2021 will only gradually come to light... or, as a German soccer manager once so aptly put it: "Only when the snow melts will you see where the poo is".
We have to assume that numerous APT and other compromises via ProxyLogon (Exchange), OGNL injection (Confluence) and log4shell (Log4j) are still undetected. Especially for log4shell, the typical detection period of 3 to 6 months has not even elapsed yet.