Pierluigi Paganini December 17, 2021

The Conti ransomware gang is the first ransomware operation exploiting the Log4Shell vulnerability to target VMware vCenter Servers.

Conti ransomware gang is the first professional race that leverages Log4Shell exploit to compromise VMware vCenter Server installs. The ransomware group used the exploit to target internal devices that are not protected.

Conti operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data. Conti operators claimed to have already compromised at least 500 organisations worldwide.

Recently the Conti gang hit the attack on the Australian energy CS Energy and threaten to leak the stolen files.

After the disclosure of the exploit, Microsoft researchers reported that Nation-state actors from China, Iran, North Korea, and Turkey are now abusing the Log4Shell (CVE-2021-44228) in the Log4J library in their campaigns. Some of the groups exploiting the vulnerability are China-linked Hafnium and Iran-linked Phosphorus, the former group is using the flaw to attack virtualization infrastructure, the latter to deploy ransomware.

The IT giant also confirmed that the exploitation of the Log4Shell to deploy the Khonsari ransomware, as discussed by Bitdefender recently. 

Microsoft experts also state that multiple access brokers have begun using the Log4Shell vulnerability to gain initial access to target networks and then sell it to ransomware-as-a-service affiliates.

Researchers from threat intelligence firm AdvIntel, the Conti ransomware gang started attempting to exploit the Log4Shell issue the day after the disclosure of the exploit.

“And indeed, a week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti.” reads the analysis published by AdvIntel.

The gang and its affiliates started targeting VMware vCenter servers because the virtualization giant has yet to release a fix for the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” reads the advisory published by VMware.

Below is the ransomware exploitation timeline published by AdvIntel:

On December 12, AdvIntel discovered that multiple Conti group members that were attempting to exploit the vulnerability for the initial attack vector.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit. Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.” continues AdvIntel.

Experts believe that it is only a matter of time until Conti and other threat actors will exploit the Log4j to its full capacity.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]