These attacks started on December 13th, with the Conti gang focusing on VMware vCenter servers vulnerable to Log4Shell attacks.
Security firm Advanced Intelligence (AdvIntel) has discovered that the Conti ransomware gang is the first cybercriminal group to adopt and embed the Log4Shell vulnerability in their operations targeting VMware vCenter Servers.
“A week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti,” AdvIntel reported.
According to AdvIntel’s report published December 12, numerous Conti ransomware group members are trying to exploit the Log4j flaw as an initial attack vector.
“AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” the report read.
Conti targeting VMware vCenter servers
According to researchers, these attacks started on December 13, and the group specifically focused on targeting VMware vCenter servers vulnerable to Log4Shell attacks. The group attempted to use the exploit to gain access to the server and move laterally into enterprise networks.
VMware released a security advisory containing fixes for all forty impacted products vulnerable to Log4Shell, including vCenter. The advisory confirms that exploitation attempts are happening. The company’s official statement read:
“Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j.”
The ransomware exploitation timeline according to AdvIntel’s blog post is as follows:
About Conti ransomware group
The Conti ransomware group is known for high-profile cyberattacks and runs a private Ransomware-as-a-Service (RaaS). The group was first identified in the latter half of December 2019 using TrickBot to drop its payload.
According to cybersecurity experts, Conti operators are associated with a Russian cybercrime gang called Wizard Spider. The gang’s modus operandi involves launching attacks, stealing data, and demanding ransom. If the ransom is not paid, the gang leaks the stolen data.
According to the gang, they have so far compromised 500 organizations globally. Reportedly, the Conti gang recently targeted a popular hotel that locked its guests out of their rooms.
Log4Shell – One of the most widely exploited vulnerabilities
When the vulnerability was discovered in the Log4J library, Microsoft researchers revealed that Chinese, Iranian, Turkish, and North Korean nation-state actors were trying to abuse it. The vulnerability (tracked as CVE-2021-44228) was reportedly exploited by the China-based Hafnium group and Iranian threat group Phosphorus.
Microsoft also confirmed that Log4Shell exploitation helped deploy the Khonsari ransomware. Multiple access brokers started using the Log4Shell flaw to get initial access to their targeted networks and sell it to RaaS affiliates.