CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 99.7%
The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.
The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.
As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.
Stepping through that attack chain:
Within two days of the public disclosure of the vulnerability in Apache’s Log4j logging library on Dec. 10 – a bug that came under attack within hours – Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.
Apache patched the bug on Dec. 11, but its patch, Log4J2, was found to be incomplete in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.
As if two bugs aren’t enough, yet another, similar but distinct bug was discovered last week in the Log4J logging library. Apache issued a patch on Friday.
According to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.
“This is the first time this vulnerability entered the radar of a major ransomware group,” according to the writeup. The emphasis is on “major,” given that the first ransomware group to target Log4Shell was a ransomware newcomer named Khonsari. As Microsoft has reported, Khonsari was locking up Minecraft players via unofficial servers. First spotted by Bitdefender in Log4Shell attacks, the ransomware’s demand note lacked a way to contact the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.
Khonsari ransomware was just one piece of malware that’s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, attackers were scanning for vulnerable servers and unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, Mirai and other botnets, and backdoors.
Log4Shell has become a focal point for threat actors, including suspected nation-state actors who’ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of public disclosure followed fast by threat-actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the ProxyLogon family of bugs in Exchange Server in March and the subsequent attacks, they said: “if one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,” according to their writeup.
But out of all the threat actors, Conti “plays a special role in today’s threat landscape, primarily due to its scale,” they explained. It’s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti’s logs, the Russian-speaking gang made over $150 million over the past six months.
But still they continue to expand, with Conti continually looking for new attack surfaces and methods.
AdvIntel listed a number of Conti’s innovations since August, including:
The writeup shared a timeline of Conti’s search for new attack vectors, shown below.
Timeline of Conti’s search for new attack vectors. Source: AdvIntel.
AdvIntel shared these suggested recommendations and mitigations for Log4Shell:
Lou Steinberg, former chief technology officer at TD Ameritrade, said it ain’t over til it’s over, “And it’s not over.”
“We don’t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,” he said in an article shared with Threatpost on Monday. “This will happen again. Modern software and systems are built from components which aren’t always trustworthy. Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.”
122121 10:25 Added more attack chain details provided by AdvIntel.
122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.
businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing
github.com/NCSC-NL/log4shell/tree/main/software
github.com/YfryTchsGD/Log4jAttackSurface
kb.vmware.com/s/article/87081
media.kasperskycontenthub.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg
threatpost.com/apache-log4j-log4shell-mutations/176962/
threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/
threatpost.com/category/webinars/
threatpost.com/cobalt-strike-cybercrooks/167368/
threatpost.com/conti-ransomware-backups/175114/
threatpost.com/emotet-resurfaces-trickbot/176362/
threatpost.com/log4shell-attacks-origin-botnet/176977/
threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/
threatpost.com/patching-time-log4j-exploits-vaccine/177017/
threatpost.com/third-log4j-bug-dos-apache-patch/177159/
threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
unit42.paloaltonetworks.com/conti-ransomware-gang/
www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love
www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware
www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/
www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/
www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft