
Conti Ransomware group exploiting Log4Shell

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:

The Russia-based Conti ransomware group, one of the most prolific cybercriminal groups of the last two years, has become one of the first groups to weaponise the Log4Shell vulnerability (CVE-2021-44228). Conti has recently been observed scanning for vulnerable VMware systems to gain initial access, as VMware products are among the extensive list of components affected by the Log4j vulnerability.

Conti has assembled an end-to-end attack chain that follows this process:

  1. Emotet, which has the ability to install payloads directly, has recently resurfaced on the back of Trickbot and is often spread via email phishing.
  2. Cobalt Strike, a commercially available tool that gives threat actors direct, hands-on access to targets.
  3. Human-operated exploitation.
  4. Missing ADMIN$ share. Administrative shares are hidden network shares created by Windows NT-based operating systems. If they are found to be missing, it indicates that the computer has been compromised by malware.
  5. Kerberoasting, a pervasive post-exploitation attack that exploits both weak encryption and poor service account password hygiene, extracting credential hashes from AD for offline cracking.
  6. Once credential material has been gained, brute-force attacks are launched against it, systematically checking passwords and passphrases until a match is found.
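Two of the indicators in the list above are easy to check from a defender's seat: whether a host's administrative shares are still present, and whether one account is requesting RC4-encrypted service tickets for many different service accounts in a short window (the classic Kerberoasting footprint). The following Python is an added example, not DigitalXRAID's own tooling. The `net share` output and the Event ID 4769 records are constructed samples; the 4769 field names and the RC4-HMAC encryption type value `0x17` are real Windows values, while the five-service threshold and five-minute window are assumptions to tune for your environment.

```python
"""Defender-side triage for two indicators from the Conti attack chain:
a missing ADMIN$ share and Kerberoasting-style TGS request bursts.
Added example; sample inputs below are constructed, not captured data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares Windows creates by default (C$ assumes a C: system drive).
EXPECTED_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed `net share` output from a host where ADMIN$ has been removed.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
Finance      D:\\Finance
The command completed successfully.
"""

# Constructed Event ID 4769 (Kerberos service ticket requested) records.
# 0x17 = RC4-HMAC, the encryption type Kerberoasting tools request; 0x12 = AES256.
RC4_HMAC = "0x17"
SAMPLE_4769 = [
    {"time": "2021-12-20T09:00:01", "account": "jsmith@CORP", "service": "svc_sql", "enc": "0x17"},
    {"time": "2021-12-20T09:00:02", "account": "jsmith@CORP", "service": "svc_backup", "enc": "0x17"},
    {"time": "2021-12-20T09:00:02", "account": "jsmith@CORP", "service": "svc_web", "enc": "0x17"},
    {"time": "2021-12-20T09:00:03", "account": "jsmith@CORP", "service": "svc_sccm", "enc": "0x17"},
    {"time": "2021-12-20T09:00:03", "account": "jsmith@CORP", "service": "svc_exchange", "enc": "0x17"},
    {"time": "2021-12-20T09:05:00", "account": "alee@CORP", "service": "svc_sql", "enc": "0x12"},  # AES, normal
    {"time": "2021-12-20T11:00:00", "account": "alee@CORP", "service": "svc_web", "enc": "0x17"},  # one legacy RC4 request
]


def parse_net_share(output):
    """Return the set of share names from `net share` output.

    Share names are the first whitespace-delimited token of each row after the
    dashed separator; the trailing status line is ignored.
    """
    shares = set()
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        shares.add(line.split()[0])
    return shares


def missing_admin_shares(output):
    """Administrative shares that should exist but are absent from the host."""
    return EXPECTED_ADMIN_SHARES - parse_net_share(output)


def kerberoast_suspects(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts that requested RC4 service tickets for >= `threshold` distinct
    services within `window`. Returns {account: distinct_service_count}."""
    by_account = defaultdict(list)
    for e in events:
        if e["enc"] == RC4_HMAC:
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    suspects = {}
    for account, reqs in by_account.items():
        reqs.sort()
        # Slide a window starting at each request; flag on the first burst found.
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                suspects[account] = len(services)
                break
    return suspects


if __name__ == "__main__":
    print("Missing administrative shares:", missing_admin_shares(SAMPLE_NET_SHARE))
    print("Kerberoasting suspects:", kerberoast_suspects(SAMPLE_4769))
```

In practice the 4769 records would come from a SIEM query or `Get-WinEvent` on the domain controllers, and the share check from a scheduled `net share` or WMI query across endpoints; the point of the detection logic is that a single RC4 request is ordinary legacy traffic, while a burst of them across many service accounts from one user is what warrants an incident ticket.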

Further information on this can be found here. 

Over the last few months DigitalXRAID analysts have signed up to OTX pulses for Emotet and Trickbot malware, and more recently for Log4Shell. We will continue to be on high alert for these and keep you updated on any incidents found. 

If you need any support or have suffered a breach, call us now on 0800 066 4509 or email us. Our certified experts are here to help, and we're open 24 hours a day, 7 days a week.

To learn more about how to mitigate the Log4Shell vulnerability, read our previous blog post here.
