While organizations and security admins worldwide are still busy mitigating the effects of the Log4j vulnerability, new exploits are being weaponized, stoking further fear. Recently, security experts from AdvIntel revealed that Conti ransomware operators abused the Log4j flaw (CVE-2021-44228) to gain access to the internal VMware vCenter Server and encrypt vulnerable devices.
Weaponizing the Log4j Vulnerability
The researchers stated that Conti became the first sophisticated ransomware group to weaponize the Log4j vulnerability. The threat actors targeted specific vulnerable VMware vCenter servers for lateral movement directly from already-compromised networks, gaining vCenter access and affecting victims in U.S. and European networks. AdvIntel has recommended that users and organizations patch their systems immediately to avoid further exploitation of the Log4j flaw.
“AdvIntel discovered that multiple Conti group members expressed interest in exploiting the vulnerability for the initial attack vector resulting in the scanning activity leveraging the publicly available Log4j2 exploit. The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4j2 exploit. This is the first time this vulnerability has entered the radar of a major ransomware group,” the researchers said.
Several reports also stressed that threat actors exploited the Log4Shell flaw to deploy a new ransomware variant, Khonsari, and a remote access Trojan, Orcus, and used botnets such as Mirai and Muhstik to spread malware to vulnerable systems.
Apache Issues Patches
Security concerns around Log4j continued to grow. After a third critical vulnerability was discovered, the Apache Software Foundation (ASF) released one more patch. Tracked as CVE-2021-45105 (CVSS score: 7.5), the flaw stems from the incomplete fix for the Log4Shell vulnerability, CVE-2021-44228. It reportedly affects all versions from 2.0-beta9 to 2.16.0, allowing attackers to launch a DDoS attack.
“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process,” ASF said in an advisory.
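The advisory's point is that the risk lives in the logging configuration itself: a PatternLayout that embeds a Context Lookup such as $${ctx:loginId} will run the lookup engine on MDC data an attacker may control. The script below is an added example (not code from the article, AdvIntel, or the ASF); it audits a constructed log4j2.xml fragment for such lookups and rewrites them to the %X{key} Thread Context Map pattern, which prints the MDC value without substitution and is the configuration change ASF recommended for CVE-2021-45105. The sample configuration and the appender names are assumptions for illustration.

```python
"""Audit a Log4j 2 XML configuration for Context Lookups inside PatternLayout.

Added example, not from the article or the ASF advisory. Flags ${ctx:key} and
$${ctx:key} in PatternLayout patterns and rewrites them to %X{key}, the
Thread Context Map pattern that prints MDC values without running lookups.
"""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and $${ctx:key} (the $$ form defers the lookup to log time).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([A-Za-z0-9_.-]+)\}")

# Constructed sample configuration (assumed); loginId is the key quoted in the advisory.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""


def find_context_lookups(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, pattern) pairs whose PatternLayout uses a ctx lookup."""
    root = ET.fromstring(config_xml)
    hits = []
    for appender in root.iter():
        for layout in appender.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            if CTX_LOOKUP.search(pattern):
                hits.append((appender.get("name", appender.tag), pattern))
    return hits


def harden_pattern(pattern: str) -> str:
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}, which does no recursive substitution."""
    return CTX_LOOKUP.sub(r"%X{\1}", pattern)


def harden_config(config_xml: str) -> str:
    """Return the configuration text with every PatternLayout ctx lookup rewritten."""
    return re.sub(
        r'(<PatternLayout\b[^>]*\bpattern=")([^"]*)(")',
        lambda m: m.group(1) + harden_pattern(m.group(2)) + m.group(3),
        config_xml,
    )
```

Running find_context_lookups over a deployed log4j2.xml is a quick way to confirm whether 2.16.0 hosts are exposed to this issue before the upgrade lands.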