Security News > 2021 > December > Conti Ransomware Gang Has Full Log4Shell Attack Chain

The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.

As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel's Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> -> Kerberoast -> brute -> vCenter ESXi with log4shell scan for vCenter.

Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking.

Within two days of the public disclosure of the vulnerability in Apache's Log4j logging library on Dec. 10 - a bug that came under attack within hours - Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.

According to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector.

Still they continue to expand, with Conti continually looking for new attack surfaces and methods.

News URL

https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/