The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw.
On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw.
By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell.
Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12.
The group began seeking fresh victims the next day, with the intention of lateral migration to VMware vCenter networks, as per Advanced Intelligence (AdvIntel), a cybercrime and hostile disruption firm.
Log4Shell has impacted dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one among them, with 40 products listed as vulnerable.
While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released.
Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – Vmware
Log4Shell to move laterally
"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer.
“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel
While most defenders are aimed at stopping Log4Shell attacks on Internet-connected devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged to attack internal systems that aren't as well-protected.
Conti ransomware affiliates had already invaded the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers.
This indicates that Conti ransomware members used a different initial access vector to infect a network (RDP, VPN, email phishing) and are now utilising Log4Shell to move laterally on the network.
Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. Hundreds of attacks have been carried out by the group, with its data leak site alone reporting over 600 victim firms who did not pay a ransom. Other firms who paid the actor to have their data decrypted are also included. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.