The security firm Advanced Intelligence (AdvIntel) has discovered that the Conti ransomware gang is the first cybercriminal group to adopt the Log4Shell vulnerability and embed it in operations targeting VMware vCenter Servers.
“A week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti,” AdvIntel reported.
According to AdvIntel’s report, published December 12, numerous Conti ransomware group members are trying to exploit the Log4j flaw as an initial attack vector.
“AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” the report read.
According to the researchers, these attacks started on December 13, with the group specifically targeting VMware vCenter servers vulnerable to Log4Shell. The group attempted to use the exploit to gain access to the vCenter server and then move laterally into enterprise networks.
VMware released a security advisory containing fixes for all forty of its products affected by the Log4Shell vulnerability, including vCenter. The advisory confirms that exploitation attempts are taking place. The company’s official statement read:
“Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j.”
The ransomware exploitation timeline according to AdvIntel’s blog post is as follows:
The Conti ransomware group is known for high-profile cyberattacks and runs a private Ransomware-as-a-Service (RaaS) operation. The group was first identified in the latter half of December 2019, using TrickBot to drop its payload.
According to cybersecurity experts, Conti operators are associated with a Russian cybercrime gang called Wizard Spider. The gang’s modus operandi involves launching attacks, stealing data, and demanding a ransom. If the ransom is not paid, the gang leaks the stolen data.
According to the gang, it has so far compromised 500 organizations globally. Reportedly, the Conti gang recently targeted a popular hotel, locking its guests out of their rooms.
When the vulnerability was discovered in the Log4j library, Microsoft researchers revealed that Chinese, Iranian, Turkish, and North Korean nation-state actors were trying to abuse it. The vulnerability (tracked as CVE-2021-44228) was reportedly exploited by the China-based Hafnium group and the Iranian threat group Phosphorus.
Microsoft also confirmed that Log4Shell exploitation helped deploy the Khonsari ransomware. Multiple access brokers started using the Log4Shell flaw to gain initial access to their targeted networks and sell that access to RaaS affiliates.
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.