Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware
Description
FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have used a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group exploited the vulnerability in April, stayed in the victim's network for months, and deployed the ransomware only after completing their data exfiltration.
Why is this Significant?
This is significant because the attacker was able to remain in the victim's network for more than 5 months after gaining initial access by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 urging admins to apply the patch as soon as possible.
What is CVE-2021-21972?
CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. The vulnerability is due to improper handling of request parameters in the vulnerable application. A remote attacker could exploit it by uploading a specially crafted file to the targeted server; successful exploitation could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:
vCenter Server 7.0 prior to 7.0 U1c
vCenter Server 6.7 prior to 6.7 U3l
vCenter Server 6.5 prior to 6.5 U3n
For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002".
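To turn the affected-product list above into something an administrator can run against an inventory, the following added example (not part of this report or of any VMware tooling) encodes the three "prior to" boundaries from the advisory and compares a vCenter release string against them. It assumes versions are written in the advisory's own notation ("7.0 U1b", "6.7 U3k", "7.0d"), not as raw build numbers, and it generalises the page's three fixed releases into a small ordered comparison of (update number, letter suffix) within a product line.

```python
import re
from typing import Optional, Tuple

# Fixed releases per product line as listed in VMSA-2021-0002 (from the report):
# every release "prior to" the fixed one in the same line is affected.
FIXED_RELEASES = {
    "7.0": "7.0 U1c",
    "6.7": "6.7 U3l",
    "6.5": "6.5 U3n",
}

# Accepts "X.Y", "X.Yc", "X.Y Un" and "X.Y Unc" (assumed notation, see lead-in).
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s*U(\d+))?([A-Za-z])?$")


def parse_vcenter_version(text: str) -> Tuple[str, int, str]:
    """Split a release string into (product line, update number, letter suffix).

    A release without "Un" is treated as update 0 (GA, 7.0a, 7.0b ...), and a
    missing letter sorts before "a", so (0, "") < (0, "d") < (1, "") < (1, "c").
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, update, letter = m.group(1), m.group(2), (m.group(3) or "").lower()
    return line, int(update) if update else 0, letter


def is_affected_by_cve_2021_21972(version: str) -> Optional[bool]:
    """True if the release predates the fixed release of its product line,
    False if it is the fixed release or later, None if the product line is
    not one of the three the advisory lists (e.g. a newer major version)."""
    line, update, letter = parse_vcenter_version(version)
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return None
    _, fixed_update, fixed_letter = parse_vcenter_version(fixed)
    return (update, letter) < (fixed_update, fixed_letter)


if __name__ == "__main__":
    # Constructed inventory of release strings, not real hosts.
    inventory = {"vc-prod-01": "7.0 U1b", "vc-prod-02": "7.0 U1c",
                 "vc-lab-01": "6.7 U3k", "vc-dr-01": "6.5 U3n", "vc-new": "8.0"}
    for host, release in inventory.items():
        state = is_affected_by_cve_2021_21972(release)
        label = {True: "AFFECTED - patch", False: "fixed", None: "line not in advisory"}[state]
        print(f"{host:12} {release:10} {label}")
```

A None result is deliberately distinct from False: a product line the advisory does not mention is not thereby known to be safe, so the caller should check the current VMware advisory rather than treating it as patched.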
Has the Vendor Released a Patch for CVE-2021-21972?
Yes, VMware released a patch for CVE-2021-21972 in February 2021.
What Are the Details of the Attack Carried Out by the Memento Group?
According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec allows the attacker to execute commands remotely through WMI (Windows Management Instrumentation). Secretsdump allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to spread further within the network. In late October, after lying low for 5 months, the attacker collected files from the compromised machines and put them into an archive file using WinRAR for data exfiltration. The attacker then deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them.
What is Memento Ransomware?
Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not encrypt files at all: it collects files from the compromised machine and puts them into password-protected archives.
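The attack chain described above (wmiexec for remote command execution, RDP tunnelled over SSH for lateral movement, and command-line WinRAR for staging exfiltration) and the second Memento variant's use of password-protected archives all leave process-creation artefacts that a defender can hunt for. The following added example is not part of the Sophos or FortiGuard material; it runs three heuristic rules over constructed process-creation records (Sysmon event 1 / Windows 4688 style). The wmiexec rule relies on that tool's documented behaviour of spawning cmd.exe under WmiPrvSE.exe with output redirected to a temp file on the ADMIN$ share; the archive rule keys on WinRAR's documented -p/-hp password switches; the tunnel rule is a generic check for an SSH client forwarding port 3389. Field names, hostnames, paths and the placeholder password are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; field names are assumed, not a vendor schema."""
    host: str
    parent_image: str
    image: str
    command_line: str


# wmiexec artefact: cmd.exe under WmiPrvSE.exe with "1> \\127.0.0.1\ADMIN$\__<timestamp>".
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
# WinRAR: "a" adds files to an archive; -p<pw> sets a password, -hp<pw> also encrypts headers.
RAR_ADD_COMMAND = re.compile(r"(?:^|\s)a\s")
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S*", re.IGNORECASE)
# SSH client with a local/remote forward whose spec contains the RDP port.
SSH_RDP_FORWARD = re.compile(r"\s-[LR]\s*\S*3389")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list = no finding)."""
    img, parent, cmd = basename(event.image), basename(event.parent_image), event.command_line
    hits: List[str] = []
    if parent == "wmiprvse.exe" and img == "cmd.exe" and WMIEXEC_REDIRECT.search(cmd):
        hits.append("wmiexec-style remote command execution via WMI")
    if img in {"rar.exe", "winrar.exe"} and RAR_ADD_COMMAND.search(cmd) and RAR_PASSWORD_SWITCH.search(cmd):
        hits.append("password-protected archive creation with command-line WinRAR")
    if img in {"ssh.exe", "plink.exe"} and SSH_RDP_FORWARD.search(cmd):
        hits.append("SSH tunnel forwarding RDP (3389)")
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Run detect() over a batch and keep only events with at least one finding."""
    return [(e.host, basename(e.image), hits) for e in events if (hits := detect(e))]


# Constructed sample records (not captured from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent("srv01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1620000000.12 2>&1"),
    ProcessEvent("srv01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\rar.exe",
                 r"rar.exe a -hp<PLACEHOLDER_PASSWORD> -r C:\Users\Public\out.rar D:\Finance"),
    ProcessEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
                 r"ssh.exe -N -L 3389:10.20.0.15:3389 user@203.0.113.10"),
    # Benign: interactive WinRAR use without a password switch should not fire.
    ProcessEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Program Files\WinRAR\WinRAR.exe",
                 r'"C:\Program Files\WinRAR\WinRAR.exe" a photos.rar C:\Users\alice\Pictures'),
]


if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {'; '.join(hits)}")
```

None of these rules is a conviction on its own: password-protected archives and SSH forwards have legitimate uses, so treat a hit as a triage signal and enrich it with the account, the host's role, the time of day and the volume of data involved before escalating. The wmiexec rule is the strongest of the three, since ordinary administration rarely produces that exact redirect.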
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage for the available samples used in the attack:
W32/KeyLogger.EH!tr.spy
PossibleThreat.PALLASNET.H
Riskware/Miner
Riskware/Impacket
Riskware/Mimikatz
Riskware/Secretdmp
FortiGuard Labs provides the following IPS coverage for CVE-2021-21972:
VMware.vCenter.vROps.Directory.Traversal
Other Workaround?
VMware provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)".
Appendix
VMware Releases Multiple Security Updates (CISA)
VMSA-2021-0002 (VMware)
Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374) (VMware)
New ransomware actor uses password-protected archives to bypass encryption protection (Sophos)