The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.
The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.
As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> brute -> vCenter ESXi with log4shell scan for vCenter.
Stepping through that attack chain:
Within two days of the public disclosure of the vulnerability in Apache’s Log4j logging library on Dec. 10 – a bug that came under attack within hours – Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.
Apache patched the bug on Dec. 11, but its patch, Log4J2, was found to be incomplete in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.
As if two bugs aren’t enough, yet another, similar but distinct bug was discovered last week in the Log4J logging library. Apache issued a patch on Friday.
Conti Winds Up Its Exploit Machine
According to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.
“This is the first time this vulnerability entered the radar of a major ransomware group,” according to the writeup. The emphasis is on “major,” given that the first ransomware group to target Log4Shell was a ransomware newcomer named Khonsari. As Microsoft has reported, Khonsari was locking up Minecraft players via unofficial servers. First spotted by Bitdefender in Log4Shell attacks, the ransomware’s demand note lacked a way to contact the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.
Khonsari ransomware was just one malware that’s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, attackers were scanning for vulnerable servers and unleashing quickly evolving attacks to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT). reverse bash shells for future attacks, Mirai and other botnets, and backdoors.
A Perfect Storm
Log4Shell has become a focal point for threat actors, including suspected nation state actors who’ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the ProxLogon family of bugs in Exchange Server in March and the subsequent attacks, they said: “if one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,” according to their writeup.
But out of all the threat actors, Conti “plays a special role in today’s threat landscape, primarily due to its scale,” they explained. It’s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti’s logs, the Russian-speaking gang made over $150 million over the past six months.
But still they continue to expand, with Conti continually looking for new attack surfaces and methods.
AdvIntel listed a number of Conti’s innovations since August, including:
The writeup shared a timeline of Conti’s search for new attack vectors, shown below.
Keeping Your Head Above the Logjam’s Water
AdvIntel shared these suggested recommendations and mitigations for Log4Shell:
When Will It All End?
Lou Steinberg, former chief technology officer at TD Ameritrade, said it ain’t over til it’s over, “And it’s not over.”
“We don’t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,” he said in an article shared with Threatpost on Monday. “This will happen again. Modern software and systems are built from components which aren’t always trustworthy. Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
This content was originally published here.