After the Log4Shell vulnerability was disclosed, attackers began scanning the internet for exploitable instances of the flaw on enterprise networks. A huge number of technologies and products use the Log4j2 library, including vCenter, Kafka, Elastic, and Minecraft, which presents a wide attack surface.
We have already reported that hackers are exploiting the Log4Shell vulnerability to deploy Khonsari ransomware on vulnerable networks. The same activity has also been observed by BitDefender and confirmed by Microsoft.
Today, security firm Advanced Intelligence (AdvIntel) reported the exploitation of CVE-2021-44228 by one of the most prolific organized ransomware groups, "Conti".
Conti is now the second ransomware strain, after Khonsari, to be delivered by exploiting Log4Shell. Conti is a Russian-speaking professional hacking group organized into multiple teams with tens of full-time members.
Conti already has a history of leveraging exploits both as an initial attack vector and for lateral movement. For instance, the group uses the Fortinet VPN vulnerability CVE-2018-13379 against unpatched devices for initial access. For local privilege elevation and lateral movement on compromised hosts, Conti favors the PrintNightmare privilege elevation flaws CVE-2021-34527 and CVE-2021-1675, Zerologon (CVE-2020-1472), and MS17-010.
Ransomware Exploitation Timeline: Conti Searches for Newer Attack Vectors
AdvIntel discovered that multiple Conti group members began exploiting the vulnerability as an initial attack vector, which showed up as scanning activity that leveraged the publicly available Log4j2 exploit. This is the first time Conti members have expressed interest in exploiting this vulnerability.
The Conti group is still exploiting the Log4j2 flaws, but the most important observation AdvIntel made is that the criminals specifically targeted vulnerable Log4j2-based VMware vCenter servers for lateral movement from inside already compromised networks: using pre-existing Cobalt Strike sessions, they gained vCenter access on US and European victim networks.
Last Chance to Patch Log4Shell Flaws
We strongly recommend that everyone update the Apache Log4j2 library as soon as possible. Initially we did not see much exploitation of CVE-2021-44228 and CVE-2021-45046, but the vulnerabilities are now being abused by ransomware gangs. This may be the last chance to get your systems patched before they strike your network.
The vulnerability CVE-2021-44228 in the Java-based Apache Log4j2 logging library carries the highest possible severity rating, a CVSS base score of 10.0 (CRITICAL), and allows direct remote code execution on vulnerable machines. Because it affects a core component, this vulnerability can in some ways be compared to the Apache Struts vulnerability CVE-2019-0230 (Apache Struts OGNL Remote Code Execution). Afterwards another flaw, CVE-2021-45046, was revealed; it initially received a CVSS score of 3 because it was thought to be only a DoS vulnerability in version 2.15.0, but the Apache team has since raised the severity of the CVE to 9, with the impact upgraded to remote code execution. Updating to v2.15.0 therefore does not keep your systems secure, so we recommend updating to v2.16.0.
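As an added defender-side example, not code from the original post or from AdvIntel, the following script inventories log4j-core jars on a host, including copies nested inside war/ear bundles such as those shipped in appliances, and flags anything below the v2.16.0 the article recommends. It assumes the version is recorded in the jar's Maven pom.properties at the path shown; the archives it builds for demonstration are constructed samples, not the real library.

```python
import io
import re
import zipfile

FIXED = (2, 16, 0)  # the version this article recommends updating to
# Assumed path where Maven records the artifact version inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J_CORE = re.compile(r"(^|/)log4j-core-[\d.]+\.jar$")
NESTED = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.15.0' -> (2, 15, 0); None if the text is not x.y.z."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(data):
    """Return the version recorded in a jar's pom.properties, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for line in z.read(POM_PROPS).decode(errors="replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, KeyError):
        return None

def assess(version):
    """Map a log4j-core version to the exposure the article describes."""
    if version is None:
        return "unknown"
    if version < (2, 15, 0):
        return "CVE-2021-44228"  # original Log4Shell RCE
    if version < FIXED:
        return "CVE-2021-45046"  # 2.15.0 alone is not enough
    return "patched"

def scan_archive(data, path, depth=0):
    """Yield (path, assessment) for each log4j-core jar, recursing into nested archives."""
    if LOG4J_CORE.search(path):
        yield path, assess(jar_version(data))
        return
    if depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith(NESTED):
                yield from scan_archive(z.read(name), f"{path}!/{name}", depth + 1)

def make_sample(entries):
    """Constructed sample archive from {name: bytes-or-str}; not the real library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()
```

On a real host, walk the filesystem and call scan_archive on each file's bytes; any result other than "patched" is a system to update.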
For recommendations, mitigations and an advisory, check this post.