Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware

Description

FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration.


Why is this Significant?

This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible.


What is CVE-2021-21972?

CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. The vulnerability is due to improper handling of request parameters in the vulnerable application. A remote attacker could exploit it by uploading a specially crafted file to the targeted server, and successful exploitation could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:


vCenter Server 7.0 prior to 7.0 U1c

vCenter Server 6.7 prior to 6.7 U3l

vCenter Server 6.5 prior to 6.5 U3n

For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002".
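As an added example (not part of the FortiGuard report), the following Python script scans web access-log lines for requests to the vROps plugin upload endpoint that the advisory patches. It assumes the endpoint path /ui/vropspluginui/rest/services/uploadova, which this page does not spell out, and uses constructed log lines in the common log format; a 2xx response is rated high because the server accepted the upload.

```python
import re
from typing import Dict, Iterator, List

# Assumed path of the vROps plugin upload endpoint addressed by VMSA-2021-0002.
# Not stated in the report above; adjust to match your vCenter logs.
VROPS_UPLOAD_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Common log format: client, identd, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two benign requests and two upload attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2021:08:14:01 +0000] "GET /ui/ HTTP/1.1" 200 1534
198.51.100.23 - - [12/Apr/2021:08:14:09 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 89
10.0.0.9 - - [12/Apr/2021:08:15:22 +0000] "GET /ui/login HTTP/1.1" 200 240
203.0.113.7 - - [13/Apr/2021:02:41:10 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 0
"""


def parse_lines(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log line that matches the common log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_upload_attempts(text: str) -> List[Dict[str, str]]:
    """Return every request to the plugin upload endpoint with a severity.

    A 2xx status means the server accepted the upload, so the host should be
    treated as potentially compromised and the source investigated; any other
    status still shows the endpoint was probed and is worth a medium alert.
    """
    hits = []
    for rec in parse_lines(text):
        if rec["path"].split("?")[0] == VROPS_UPLOAD_PATH:
            accepted = rec["status"].startswith("2")
            hits.append({
                "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                "status": rec["status"], "severity": "high" if accepted else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(hit)
```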


Has the Vendor Released a Patch for CVE-2021-21972?

Yes, VMware released a patch for CVE-2021-21972 in February 2021.


What Are the Details of the Attack Carried Out by the Memento Group?

According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database.


The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to spread further within the network. In late October, after staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. The attacker then deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them.


What is Memento Ransomware?

Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not involve file encryption; it collects files from the compromised machine and puts them into password-protected archive files.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for the available samples used in the attack:


W32/KeyLogger.EH!tr.spy

PossibleThreat.PALLASNET.H

Riskware/Miner

Riskware/Impacket

Riskware/Mimikatz

Riskware/Secretdmp


FortiGuard Labs provides the following IPS coverage for CVE-2021-21972:


VMware.vCenter.vROps.Directory.Traversal


Are There Other Workarounds?

VMware has provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)".