Critical Advisory: Conti Ransomware Group Seen Using Log4Shell to Hack vCenter Servers
Situation
The Conti ransomware group has been observed using the critical Log4Shell exploit to gain access to internal VMware vCenter Server instances and then encrypt the virtual machines they manage.
Problem
Conti has been observed exploiting versions of vCenter that are affected by the Log4Shell vulnerability and have not yet been patched. While VMware has provided mitigation techniques and workarounds, a patch remains unavailable, leaving those who have not implemented these mitigations susceptible to this type of attack.
Implication
VMware states that “a malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack”.
Need
Users and administrators are advised to apply the workarounds and mitigations VMware has proposed to help defend against these types of attacks, and to update all affected systems as soon as a patch becomes available. Information on the VMware workarounds and mitigations and on the activity observed from the Conti ransomware group can be found in the links below.
VMware workarounds and mitigations:
https://kb.vmware.com/s/article/87081
For more info on Conti activity: