Conti Ransomware Hitting VMware vCenter With Log4j Exploit
‘[The] Log4j2 vulnerability appears … for Conti at the moment when the syndicate has both the strategic intention and the capability to weaponize it for its ransomware goals,’ says AdvIntel in a security advisory.
Conti is pursuing lateral movement through VMware vCenter servers running vulnerable Log4j, making it the first major ransomware gang revealed to be weaponizing the massive bug.
The prolific Russian-speaking ransomware group on Wednesday began exploiting the Log4j vulnerability for initial access and lateral movement on VMware vCenter networks, according to a report from New York-based AdvIntel published Friday morning. Conti’s campaign resulted in the ransomware operator obtaining access to victims’ vCenter networks across the United States and Europe, AdvIntel said.
“A week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend – the exploitation of the new [bug] by one of the most prolific organized ransomware groups – Conti,” AdvIntel wrote in a post Friday. “[The] Log4j2 vulnerability appears … for Conti at the moment when the syndicate has both the strategic intention and the capability to weaponize it for its ransomware goals.”
VMware is one of the most susceptible vendors to Log4j exploits, with the critical bug potentially allowing for remote code execution in nearly 40 of the Palo Alto, Calif.-based virtualization giant’s tools. The company disclosed that both the Windows-based and virtual vCenter appliances have vulnerable Log4j code as does the vCenter Cloud Gateway, with patches not yet available for any of these products.
“A malicious actor with network access to an impacted VMware product may exploit these issues to gain full control of the target system,” VMware wrote in a security advisory first issued on Dec. 10.
“Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” according to a VMware statement released to CRN.
Multiple Conti group members on Sunday expressed interest in exploiting the Log4j vulnerability as an initial attack vector, according to AdvIntel. A day later, AdvIntel said, Conti initiated scanning activity in pursuit of initial access. The Conti group then tested the Log4j exploit in multiple use cases, including, on Wednesday, targeting VMware vCenter networks for lateral movement.
AdvIntel said Conti used remote desktop protocol (RDP), VPN, or email attachments as its initial vector to compromise a network, and then took advantage of the Log4j vulnerability to move laterally within the network. Conti has already compromised target networks and exploited vulnerable Log4j machines to gain access to vCenter servers, according to AdvIntel.
Specifically, AdvIntel said Conti capitalized on pre-existent Cobalt Strike sessions to access vCenter across U.S. and European victim networks. Cobalt Strike is a paid penetration testing product used by both the security community as well as a wide range of threat actors to perform intrusions with precision.
“It is only a matter of time until Conti and possibly other groups will begin exploiting Log4j2 to its full capacity,” AdvIntel CEO Vitali Kremez and Head of Research Yelisey Boguslavskiy wrote in a ransomware advisory issued Friday. “It is recommended to patch the vulnerable system immediately and view the Log4j2 as a ransomware group exploitation vector.”
VMware said it expects to fully address the critical vulnerability by updating log4j to version 2.16 in forthcoming releases of vCenter Server. For now, the virtualization giant is offering workarounds that it cautions are “meant to be a temporary solution only,” according to VMware Knowledge Base articles updated yesterday and today.
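As an added defender-side example (not VMware's or AdvIntel's tooling), the Python scanner below inventories log4j-core jars on a host, including copies nested inside other jars, wars and ears, and flags any below the 2.16 release the article says VMware is moving to; the marker class name and the 2.16.0 threshold are this example's assumptions.

```python
import io
import re
import zipfile
from pathlib import Path

# Article: VMware fixes CVE-2021-44228 by moving to log4j 2.16; the threshold is this example's assumption.
FIXED_VERSION = (2, 16, 0)
MARKER_CLASS = "org/apache/logging/log4j/core/LogEvent.class"  # shipped in log4j-core jars

def find_log4j_core(data, label):
    """Yield (label, version) for each log4j-core jar in the archive bytes, recursing into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if MARKER_CLASS in names:
            version = "unknown"  # no readable manifest: treat as unpatched
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                version = m.group(1) if m else version
            yield label, version
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield from find_log4j_core(jar.read(name), f"{label}!{name}")

def needs_patch(version):
    """True when the version is below the fixed release or could not be parsed."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return len(nums) < 2 or tuple(nums + [0] * (3 - len(nums))) < FIXED_VERSION

def scan_tree(root):
    """Walk a directory; return [(label, version, needs_patch)] for every log4j-core hit."""
    return [(label, version, needs_patch(version))
            for path in Path(root).rglob("*")
            if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear")
            for label, version in find_log4j_core(path.read_bytes(), str(path))]

def make_sample_jar(version, nested_name=None):
    """Constructed sample input (not a real log4j build), optionally nested inside an outer jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        jar.writestr(MARKER_CLASS, b"\xca\xfe\xba\xbe")
    if nested_name is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as jar:
        jar.writestr(nested_name, buf.getvalue())
    return outer.getvalue()
```

Point `scan_tree` at an application's install directory to list every bundled log4j-core copy with its version; a result marked "unknown" should be treated as unpatched until confirmed.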
Conti plays an outsized role in today’s threat landscape due primarily to its scale, with tens of full-time members divided across several teams, according to AdvIntel. The ransomware group has made more than $150 million over the past six months and has a history of both searching for new attack surfaces and methods as well as leveraging exploits as an initial vector and for lateral movement, AdvIntel said.
Specifically, AdvIntel said Conti exploits a Fortinet VPN vulnerability to go after unpatched devices as an initial attack vector and favors PrintNightmare for local privilege elevation and lateral movement on the compromised hosts. And since August, AdvIntel said Conti has employed many new attack methods: hidden RMM backdoors, new backup removal solutions, and an effort to revive the notorious Emotet.
Bitdefender reported Monday that the new Khonsari ransomware family has been attempting to exploit the Log4j vulnerability against users running Windows operating systems. And on Wednesday, Microsoft reported that Minecraft customers running their own servers with a vulnerable version of Log4j have been hit with Khonsari ransomware. But Log4j wasn’t being exploited by the heavy hitters until now.
“Hacker teams suspected to work for foreign governments and U.S. adversaries were quickly spotted to investigate Log4j2,” AdvIntel wrote in its advisory Friday. “And as the new adversarial pattern … suggests, if one day a major [vulnerability] is spotted by APTs [state-sponsored Advanced Persistent Threat groups], the next week it is weaponized by ransomware.”