Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement

By Vitali Kremez & Yelisey Boguslavskiy

This redacted report is based on our actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment) identified via unique high-value Conti ransomware collections at AdvIntel via our product “Andariel.”

This is a redacted TLP:WHITE version of the larger AdvIntel findings.

Conti Ransomware Log4Shell Operation

Background: Log4Shell Vulnerability

On December 11, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an urgent announcement on possibly the most important vulnerability of recent years:

“To be clear, this (Log4j2) vulnerability poses a severe risk. We urge all organizations to join us in this essential effort and take action. By bringing together key government and private sector partners via the JCDC, including our partners at the FBI and NSA, we will ensure that our country’s strongest capabilities are brought to bear in an integrated manner against this risk.”

CISA’s concerning tone is understandable: the new vulnerability is not another hidden path for a malicious attack. Embedded deeply in the stack level it offers the attackers an entire new dimension of offensive patterns. The depth is transferred to scale as this vulnerability affects core library components supporting thousands of networks, companies, and machines across the world.

Recorded in the vulnerability database on Friday, November 26, 2021, the Apache Log4j2 Java-based logging library vulnerability CVE-2021-44228 has the highest possible severity score of Base Score: 10.0 CRITICAL allowing direct remote code execution on the vulnerable machines. Due to its core component impact, this vulnerability in some way can be compared to the Apache Struts vulnerability CVE-2019-0230: Apache Struts OGNL Remote Code Execution that led to the breach of Equifax.

Multiple technologies and products run Log4j2 library including popular vCenter, Kafka, Elastic, and Minecraft presenting an attack surface for the attackers.

The current activity surrounding the vulnerability resulted in massive world scanning with the payloads running from miners, unix DDoS malware, and framework stagers pushed to the compromised hosts.

Conti: A Quest For Ultimate Ransomware Exploitation

Naturally, this new attack domain became the focal point of hackers’ interests. Hacker teams suspected to work for foreign governments and US adversaries were quickly spotted to investigate Log4j2. And as the new adversarial pattern seen with ProxyLogon in March 2021 suggests, if one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware.

And indeed, a week after the Log4j2 vulnerability became public, AdvIntel discovered the most concerning trend - the exploitation of the new CVE by one of the most prolific organized ransomware groups - Conti.

Conti plays a special role in today’s threat landscape, primarily due to its scale. Divided on several teams and involving tenths of full-time members, the Russian-speaking Conti made over $150 million USD in the last six months, according to AdvIntel research into the ransomware logs. And they continue to expand. It is this expansion that has set Conti on a long quest of searching for new attack surfaces and methods. Since August, they have employed many new means: hidden RMM backdoors, new backup removal solutions, and, most recently, even an entire operation to revive Emotet.

Moreover, Conti already had a history of leveraging exploits as an initial attack vector and for lateral movement. For instance, the group leverages Fortinet VPN vulnerability CVE-2018-13379 to target unpatched devices for the initial attack vector. Conti favors PrintNightmare privilege elevation CVE-2021-34527/CVE-2021-1675, Zerologon (CVE-2020-1472), and ms17-010 for local privilege elevation and lateral movement on the compromised hosts.

As such, Log4j2 vulnerability appears at a time for Conti: at the moment when the syndicate has both the strategic intention and the capability to weaponize it for its ransomware goals.