Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2519" data-attributes="member: 3"><h3><span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> Public Facing Protocols Allow Exploitation of Log4j in vCenter Servers</h3><p><strong>Tags</strong></p><ol> <li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li> </ol><p><strong>Conti Ransomware Leverages Log4j Bug to Exploit VMware vCenter Servers</strong></p><p><strong>Summary:</strong></p><p>The Conti ransomware operation uses the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The group did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability.</p><p><strong>Timeline:</strong></p><ul> <li data-xf-list-type="ul">A proof-of-concept (PoC) exploit for CVE-2021-44228 - otherwise known as Log4Shell and LogJam - emerged in the public space on December 9.</li> <li data-xf-list-type="ul">A day later, mass scanning of the internet started, with multiple actors looking for vulnerable systems. Among the first to leverage the bug were cryptocurrency miners, botnets, and a new ransomware strain called Khonsari.</li> <li data-xf-list-type="ul">By December 15, the list of threat actors using Log4Shell expanded to state-backed hackers and initial access brokers that typically sell network access to ransomware gangs.</li> <li data-xf-list-type="ul">Conti, one of the largest and most prolific ransomware gangs today with tens of active full-time members, appears to have taken interest in Log4Shell early on, seeing it as a possible attack avenue on Sunday, December 12.</li> </ul><p><strong>Analyst Comments:</strong></p><p>The researchers confirmed that Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to gain access to vCenter servers. This means that Conti ransomware members relied on a different initial access vector (RDP, VPN, email phishing) to compromise a network and are currently using Log4Shell to move laterally on the network.</p><p><strong>Mitigation:</strong></p><p>It is essential that companies identify and apply security measures to systems accessible over the internet. Protocols used for connectivity to and from internal corporate assets should have as many security controls as possible. Multifactor authentication should be enabled in systems that are accessed remotely - RDP should not be used over the WAN - VPN connections are more secure. After initial access, according to the report from BleepingComputer, Log4j was used to leverage vCenter servers in attacks. VMware uses a Linux-based kernel, so it is safe to assume that VMware is vulnerable to Log4j-based attacks. Companies may want to identify servers using VMware or 'anything Linux' and apply hardening measures accordingly - whether making adjustments and network isolation/segmentation at Layer 3 of the OSI model or removing access directly at the NIC responsible for facilitating host access.</p><p><strong>Source:</strong></p><p><a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/" target="_blank">https://www.bleepingcomputer.com/ne...ses-log4j-bug-to-hack-vmware-vcenter-servers/</a></p></blockquote>