Conti ransomware is exploiting the Log4Shell vulnerability to the tune of millions

2 years ago 339

Log4Shell is simply a unsafe information interest — and present Conti, a salient ransomware group, is exploiting it to onslaught susceptible servers to extort millions of dollars.

shutterstock-1712588752.jpg

Image: Shutterstock/Khakimullin Aleksandr

Log4Shell is the astir terrible vulnerability hitting systems successful the extremity of 2021. Since its nationalist vulnerability connected the December 9, the information manufacture has worked hard to effort to spot and support against it. But definite enough, cybercriminals person started utilizing it, and it was lone a substance of clip earlier 1 of the astir progressive ransomware groups began to exploit it too.

What is the Log4Shell vulnerability?

The Log4Shell vulnerability (CVE-2021-44228) impacts the log4j Java library, which is utilized by a batch of software. Millions of systems worldwide usage a susceptible mentation of this room and are astatine risk.

Security supplier Cloudflare says successful a blog post that it's seeing the exploitation signifier successful log files up to 1,000 times per second.

What makes it truthful terrible is that it allows an attacker to easy motorboat distant codification connected the instrumentality moving the susceptible library. It does not instrumentality a batch of method skills to exploit it, truthful it is accessible to truly immoderate benignant of attacker, technically bully oregon not.

SEE: NIST Cybersecurity Framework: A cheat expanse for professionals (free PDF) (TechRepublic)

Conti ransomware

AdvIntel reported that a week aft the vulnerability became public, it started being utilized by 1 of the astir prolific organized Russian-speaking ransomware groups: Conti.

The enactment down Conti ransomware is good structured. Its concern exemplary is to supply the Conti ransomware-as-a-service (RaaS). In this model, the cybercriminals operating Conti alteration affiliates to usage it arsenic desired, provided that a percent of the ransom outgo is shared with them.

Between July and November 2021, the radical is estimated to person received $25.5 cardinal from ransom payments, according to cryptocurrency transactions investigations from Swiss institution PRODAFT, portion AdvIntel estimates that Conti made implicit $150 cardinal successful the past six months.

Conti uses the "double extortion" scheme: If companies bash not wage the ransom, not lone is their information lost, but it's besides exposed publically connected the net oregon sold to competitors, since the radical took attraction of exfiltrating each the encrypted information connected its infrastructure.

Knowledge connected the Conti radical grew abruptly erstwhile 1 disgruntled affiliate of the operation abruptly leaked worldly from Conti. The leak contained documents mostly written successful Cyrillic and exposed a afloat playbook to compromise companies and infect them with ransomware, making it uncomfortably casual for immoderate hacker speaking the language, adjacent with debased information and web skills.

The Conti radical seems to beryllium keen connected ever uncovering caller ways to infect companies and dispersed their ransomware, arsenic they often person leveraged exploits arsenic archetypal compromise vectors.

advintel.jpg

The Conti group's timeline for searching caller exploit vectors 

Image: AdvIntel

Using the Log4Shell vulnerability, the radical specifically targeted VMware vCenter servers. The exploit was utilized to get entree to the server and past beryllium capable to determination laterally crossed the targeted company's network. This is simply a notable quality compared to different exploits they mightiness use: This 1 is dedicated to moving laterally wrong the compromised network; the attackers person already successfully obtained archetypal entree to the firm network.

This is by acold the biggest and astir lucrative usage of the Log4Shell vulnerability, since the consequences of its usage mightiness beryllium much companies having their concern being disrupted. Some of them volition astir apt take to wage the ransom to instrumentality to mean and not person their information exposed connected the internet.

The cybercriminals mightiness besides deliberation of different ways to exploit the Log4Shell vulnerability, arsenic bundle different than vCenter is vulnerable, adjacent for the archetypal compromise signifier of their attacks.

SEE: Patch absorption policy (TechRepublic Premium)

How to support yourself from the Log4Shell attacks

VMware already provided instructions to code the vulnerability successful vCenter servers and vCenter Cloud Gateways.

A batch much bundle is vulnerable. It is advised to cheque regularly for updates connected susceptible products and spot oregon deploy workarounds arsenic soon arsenic possible. A comprehensive list of impacted bundle is provided by US CISA.

Log4Shell-specific investigating software is provided by respective information companies for IT unit who privation to cheque whether their systems are impacted and tin beryllium utilized to observe susceptible systems.

Cybereason offers a "vaccine" to forestall the vulnerability from being triggered, but it should beryllium seen lone arsenic a impermanent measurement until each systems are patched.

How to support yourself from ransomware

  • Keep each systems and bundle up to date.
  • Conduct information audits and hole immoderate information occupation appears.
  • Perform regular backups, but support them offline arsenic overmuch arsenic possible, arsenic ransomware is often looking for backup systems and destroying it.
  • Reduce the onslaught aboveground by cautiously disabling immoderate protocol oregon strategy that is not needed. As an example, if FTP is not needed somewhere, disable it.
  • Enable treble origin authentication (2FA) whenever possible, particularly for distant entree connections.
  • Restrict privileges of users to lone the contented they request to work.
  • Use intrusion prevention systems (IPS) / intrusion detection systems (IDS).
  • Run information consciousness programs for each employees.

Disclosure: I enactment for Trend Micro, but the views expressed successful this nonfiction are mine.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article