Log4j: Conti ransomware attacking VMware servers and TellYouThePass ransomware hits China

Researchers in China have also seen the TellYouThePass ransomware used in Log4j attacks on Windows and Linux devices.
Written by Jonathan Greig, Contributor

Researchers with security firm Advanced Intelligence have discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities

In a report on Friday, the security company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making them the first sophisticated ransomware group spotted trying to weaponize the vulnerability. 

AdvIntel said the current exploitation "led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit." 

"Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting the US and European victim networks from the pre-existent Cobalt Strike sessions," the researchers said. 

They noted that their research of ransomware logs shows Conti made over $150 million in the last six months. AdvIntel laid out a timeline of events for Conti's interest in Log4j starting on November 1, when the group sought to find new attack vectors. Throughout November, Conti redesigned its infrastructure as it sought to expand, and by December 12, they identified Log4Shell as a possibility. 

By December 15, they began actively targeting vCenter networks for lateral movement. 

Advanced Intelligence

In a statement, VMware said it issued a security advisory containing fixes for the 40 products it sells that are vulnerable to the Log4J issue, including vCenter. In the advisory, they confirm that exploitation attempts in the wild have been confirmed. 

"Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j," VMware said.

AdvIntel added that it is only a matter of time until Conti and other groups will begin exploiting Log4j to its full capacity. 

Khonsari was the first ransomware group to begin targeting Log4j but was considered lower grade and did not even have a viable ransom note, leading some to consider it simply a wiper. Researchers in China have identified the TellYouThePass ransomware being used in attacks against Windows and Linux devices using the Log4j issue. 

Recorded Future ransomware expert Allan Liska said the most recent news about different ransomware groups exploring the exploitation of Log4j lined up with what he is seeing.

"IABs working with Conti have started scanning for Log4Shell and likely have exploited victims. BUT we have not seen any evidence of a successful ransomware attack resulting from these scans yet. Doesn't mean it hasn't happened, just we haven't seen it," Liska said. 

Editorial standards