Researchers have disclosed details on a ransomware attack that targeted the well-known Log4j flaw to deploy AvosLocker.
This lengthy campaign has impacted an unnamed company, targeted instances of the VMware Horizon Unified Access Gateway that were vulnerable to the Log4j flaw.
- The attacker first exploited the series of Apache vulnerabilities related to Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) that can potentially allow for remote code execution on vulnerable Unified Access Gateways via a low-privilege non-root user.
- Threat actors used a newer variant of AvosLocker previously discovered earlier this year, which targets Linux environments in addition to Windows machines; the attack coupled with these recent changes demonstrate how AvosLocker is likely to proliferate in the future
Initially spotted in late June 2021 by researchers who called it “a solid, yet not too fancy new ransomware family.” Researchers with Sophos later in the year noted that ransomware attacks using AvosLocker started to increase in November and December. Some ransomware affiliates have used Microsoft Exchange server vulnerabilities as an intrusion vector, including the Proxy Shell vulnerabilities (CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473), in addition to CVE-2021-26855, a server-side request forgery flaw in Exchange.
AvosLocker has also been spread through spam email campaigns and malvertising; however, because the ransomware operates on an affiliate model, the TTPs used to carry out attacks vary.
- The incident is first notified on March 7, but the activity related to the attack was tracked as early as Feb. 7.
- After post-initial access, the actor then went silent for a few weeks, before suddenly starting to deploy several different tools a month later, including a Cobalt Strike beacon, the Sliver red-team tool and commercial network scanners
- AvosLocker payload was finally delivered, with the attackers using a legitimate software deployment tool called PDQ Deploy to deploy the ransomware and other tools across the target network.
- The victim’s files were then encrypted with a ransom note giving instructions for a payment.
Researchers also uncovered evidences that multiple threat actors had compromised the same victim network, which is not uncommon, particularly as attackers close in on environments that still have not patched against known, popular vulnerabilities like Log4j. In this incident, a RuntimeBrokerService.exe executable in “C:\Windows\System32\temp” had created a file (“watcher.exe”) that appeared to be related to a cryptocurrency miner.
A layered defense model is critical for businesses to be able to detect and protect against the post-exploitation activity seen in this campaign. Once after the threat actor gained initial access in this attack, the inner-transit firewalls that could control or limit the access to the internal infrastructure were not configured, hence, the attackers used it as the initial access to establish a foothold on the customer’s network, granting access to their internal servers.
Patches for Log4j vulnerability for VMware horizon servers already released, its highly recommended to install it wherever required.
Indicators of Compromise
AvosLocker
- ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
- cee38fd125aa3707DC77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b
Sliver
- 7f0deab21a3773295319e7a0afca1bea792943de0041e22523eb0d61a1c155e2
MimikatZ
- cac73029ad6a543b423822923967f4c240d02516fab34185c59067896ac6eb99
- 29a3ae1d32e249d01b39520cd1db27aa980e646d83694ff078424bed60df9304
- 63bdd396ff6397b3a17913badb7905c88e217d0a8cf864ab5e71cc174a4f97a1
- 63ebb998ebbbfe3863214a85c388fc23b58af4492b2e96eb53c436360344d79d
- 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9
- f2faa8a91840de16efb8194182bcfa9919b74a2c2de40d6ed4791a3308897a01
Cobalt Strike artifacts
SMB.PS1
- 48514e6bb92dd9e24a16a4ab1c7c3bd89dad76bef53cec2a671821024fadcb2b
- 61239d726c92c82f553200ecbec3ac18d251902fb9ca4d4f52263c82374a5b75
BEACON.PS1
- e4af7f048e93b159e20cc3efbacdb68e3c1fb213324daf325268ccb71f6c3189
- e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f
IIS Temporary Compressed Files.zip
- 978dffa295ac822064ff6f7a6b6bc498e854f833d36633214d35ccce70db4819
URLs
- hxxp[://]45[.]136[.]230[.]191:4000/D234R23
IPs
- 176[.]113[.]115[.]107
- 45[.]136[.]230[.]191
