Security News > 2021 > December > Conti Ransomware Gang Has Full Log4Shell Attack Chain
The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.
As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel's Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> -> Kerberoast -> brute -> vCenter ESXi with log4shell scan for vCenter.
Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking.
Within two days of the public disclosure of the vulnerability in Apache's Log4j logging library on Dec. 10 - a bug that came under attack within hours - Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.
According to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector.
Still they continue to expand, with Conti continually looking for new attack surfaces and methods.
News URL
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Related news
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)