Researchers have disclosed details of a ransomware attack that exploited the well-known Log4j flaw to deploy AvosLocker.
This lengthy campaign, which affected an unnamed company, targeted instances of the VMware Horizon Unified Access Gateway that were vulnerable to the Log4j flaw.
- The attacker first exploited the series of Apache vulnerabilities related to Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) that can potentially allow for remote code execution on vulnerable Unified Access Gateways via a low-privilege non-root user.
- Threat actors used a newer variant of AvosLocker, discovered earlier this year, which targets Linux environments in addition to Windows machines; this attack, coupled with those recent changes, demonstrates how AvosLocker is likely to proliferate in the future.
AvosLocker was initially spotted in late June 2021 by researchers who called it “a solid, yet not too fancy new ransomware family.” Researchers with Sophos later noted that ransomware attacks using AvosLocker started to increase in November and December. Some ransomware affiliates have used Microsoft Exchange Server vulnerabilities as an intrusion vector, including the ProxyShell vulnerabilities (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473), in addition to CVE-2021-26855, a server-side request forgery flaw in Exchange.
AvosLocker has also been spread through spam email campaigns and malvertising; however, because the ransomware operates on an affiliate model, the TTPs used to carry out attacks vary.
- The incident was first reported on March 7, but activity related to the attack was traced back as early as Feb. 7.
- After gaining initial access, the actor went silent for a few weeks before suddenly starting to deploy several different tools a month later, including a Cobalt Strike beacon, the Sliver red-team tool and commercial network scanners.
- The AvosLocker payload was finally delivered, with the attackers using a legitimate software deployment tool called PDQ Deploy to push the ransomware and other tools across the target network.
- The victim’s files were then encrypted with a ransom note giving instructions for a payment.
Researchers also uncovered evidence that multiple threat actors had compromised the same victim network, which is not uncommon, particularly as attackers close in on environments that still have not patched against known, popular vulnerabilities like Log4j. In this incident, a RuntimeBrokerService.exe executable in “C:\Windows\System32\temp” had created a file (“watcher.exe”) that appeared to be related to a cryptocurrency miner.
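As an added example (not from the original report), the following Python triage check flags the two traits of that finding that endpoint telemetry can expose: an executable launched from a writable subfolder of System32 such as System32\temp, and a process name that imitates the legitimate RuntimeBroker.exe. The record fields and the Sysmon-style event shape are assumptions, and the sample events are constructed.

```python
"""Triage process- and file-creation records for the post-exploitation traits
described above. Added example; record layout is an assumption modelled on
Sysmon Event ID 1 (process create) and 11 (file create)."""
import ntpath
import re

# System32 itself is where Windows binaries live; a writable subfolder of it
# such as System32\temp is not a normal launch location for any service.
SUSPICIOUS_DIRS = (r"c:\windows\system32\temp",)
# Legitimate RuntimeBroker.exe is named exactly that; anything that starts
# with "runtimebroker" but adds characters before ".exe" is a look-alike.
LOOKALIKE = re.compile(r"^runtimebroker(?!\.exe$).*\.exe$")


def _norm(path):
    return path.replace("/", "\\").lower()


def _in_suspicious_dir(path):
    d = ntpath.dirname(_norm(path))
    return any(d == s or d.startswith(s + "\\") for s in SUSPICIOUS_DIRS)


def find_suspicious(events):
    """Return (event_index, reason) tuples for records that merit triage."""
    findings = []
    for i, ev in enumerate(events):
        image = _norm(ev["image"])
        name = ntpath.basename(image)
        if _in_suspicious_dir(image):
            findings.append((i, f"process launched from unexpected directory: {ev['image']}"))
        if LOOKALIKE.match(name):
            findings.append((i, f"system-binary look-alike name: {name}"))
        if (ev["type"] == "file_create" and _in_suspicious_dir(image)
                and ev["target"].lower().endswith(".exe")):
            findings.append((i, f"executable dropped by process in unexpected directory: {ev['target']}"))
    return findings


# Constructed sample telemetry (not taken from the incident report).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\RuntimeBroker.exe"},  # benign
    {"type": "process_create", "image": r"C:\Windows\System32\temp\RuntimeBrokerService.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\temp\RuntimeBrokerService.exe",
     "target": r"C:\Windows\System32\temp\watcher.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\cab_1234.tmp"},  # benign
]

if __name__ == "__main__":
    for idx, reason in find_suspicious(SAMPLE_EVENTS):
        print(idx, reason)
```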
A layered defense model is critical for businesses to be able to detect and protect against the post-exploitation activity seen in this campaign. Once the threat actor gained initial access in this attack, the internal-transit firewalls that could have controlled or limited access to the internal infrastructure were not configured; hence the attackers used the compromised gateway to establish a foothold on the customer’s network, granting them access to its internal servers.
Patches for the Log4j vulnerability in VMware Horizon servers have already been released; it is highly recommended to install them wherever required.
Indicators of Compromise
- Cobalt Strike artifacts
- IIS Temporary Compressed Files.zip