Conti ransomware uses Log4j bug to hack VMware vCenter servers
The Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.
The gang did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability.
A proof-of-concept (PoC) exploit for CVE-2021-44228 — otherwise known as Log4Shell — emerged in the public space on December 9.
A day later, mass scanning of the internet started, with multiple actors looking for vulnerable systems. Among the first to leverage the bug were cryptocurrency miners, botnets, and a new ransomware strain called Khonsari.
By December 15, the list of threat actors using Log4Shell expanded to state-backed hackers and initial access brokers that typically sell network access to ransomware gangs.
Conti, one of the largest and most prolific ransomware gangs today with tens of active full-time members, appears to have taken interest in Log4Shell early on, seeing it as a possible attack avenue on Sunday, December 12.
The gang started looking for new victims the next day, their goal being lateral movement to VMware vCenter networks, cybercrime and adversarial disruption company Advanced Intelligence (AdvIntel) told BleepingComputer.
Dozens of vendors have been affected by Log4Shell and rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, listing 40 vulnerable products.
While the company has provided mitigations or fixes, a patch for the impacted vCenter versions has yet to become available.
Although vCenter servers are not normally exposed to the public internet, there are scenarios where an attacker could exploit the issue:
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – VMware
AdvIntel says that Conti ransomware gang members showed interest in leveraging Log4Shell for their operations using the public exploit.
In a report shared with BleepingComputer, the company notes that “this is the first time this vulnerability entered the radar of a major ransomware group.”
“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” – AdvIntel
While most defenders are focused on blocking Log4Shell attacks on Internet-exposed devices, the Conti ransomware operation shows how the vulnerability can be used to target internal devices that may not receive as much attention.
The researchers confirmed that Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to gain access to vCenter servers.
This means that Conti ransomware members relied on a different initial access vector (RDP, VPN, email phishing) to compromise a network and are currently using Log4Shell to move laterally on the network.
Conti is a Russian-speaking group that has been in the ransomware game for a long time, being the successor of the infamous Ryuk.
The gang is responsible for hundreds of attacks, its data leak site alone listing more than 600 victim companies that did not pay a ransom. To these are added other businesses that paid the actor to have their data decrypted.
Cybersecurity company Group-IB estimates that about 30% of ransomware victims choose to pay to restore their files using the attacker's decryption tool.
Recently, the Australian Cyber Security Centre (ACSC) published an alert about Conti ransomware targeting multiple organizations in the country. One of the victims was electricity provider CS Energy.
Frontier Software, a payroll software provider used by the Australian government, was also hit by Conti, with the breach exposing the data of tens of thousands of government employees.
More recently, BleepingComputer learned that the gang hit McMenamins, a brewery and hotel chain in Oregon (Portland) and Washington, U.S.
Conti ransomware has been operating under this name since June 2020. According to info from AdvIntel, the group has extorted more than $150 million from its victims over the past six months.