eSentire Conti Leaks Analysis
Industry: N/A | Level: Tactical | Source: eSentire
eSentire’s Threat Response Unit (TRU) dove into Conti intrusion procedures, sharing detection tactics derived from the group’s 2021 and 2022 data leaks, which contain operation manuals and chat logs. The chat logs from the February 2022 leak often reference manuals that guide Conti operators through their operations. The ransomware gang operates with a clear structure: a management chain, personnel with defined roles and responsibilities, and training programs. The reference materials help ensure Conti operators carry out their activity consistently and efficiently. Analysis of the tooling identified a reliance on many well-known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7-Zip, AnyDesk, Rubeus, Rclone and native living-off-the-land binaries (LOLBins).
FBI’s Internet Crime Report for 2021
Industry: Critical Infrastructure | Level: Strategic | Source: IC3
The FBI’s Internet Crime Complaint Center (IC3) has released its report for 2021, tracking a variety of internet crimes; the top crime types involved extortion, identity theft, personal data breach, non-payment/non-delivery, and phishing/vishing/smishing/
Conti Source Code Leak
Industry: N/A | Level: Strategic | Source: BleepingComputer
Conti leaks continue from a Ukrainian security researcher under the Twitter handle @ContiLeaks. The latest leak, posted to VirusTotal on March 20th, 2022, contains the source code for “conti v3.” BleepingComputer reviewed the uploaded files and identified the code as dated January 25th, 2021, newer than the previously leaked code. BleepingComputer assessed the code to be authentic and was able to compile it without issue.
Intel471 Ransomware Review in 2021 Q4
Industry: Consumer, Energy, Financial, Health Care, Life Science, Manufacturing, Non-Profit, Professional Services, Real Estate, Technology | Level: Strategic | Source: Intel471
Intel471 shares ransomware findings tracked from October 2021 to December 2021. The intelligence team identified 722 attacks by 34 ransomware variants. The most active month was November 2021, with 283 organizations targeted, followed by October 2021 with 234 and December 2021 with 205. Attack volume increased by 110 attacks compared to the third quarter of 2021. The most active variants (by share of attacks) were LockBit 2.0 (29.7%), Conti (19%), PYSA (10.5%) and Hive (10.1%). Many sectors were targeted, with the most impacted identified by Intel471 as “consumer and industrial products; manufacturing; professional services and consulting; real estate; life sciences and health care; technology, media and telecommunications; energy, resources and agriculture; public sector; financial services; and nonprofit.” Less active ransomware groups included FiveHands, Haron, Payload[.]bin and Thanos.
EXOTIC LILY – Initial Access Brokers
Industry: Healthcare, Information Technology: Cybersecurity | Level: Tactical | Source: Google TAG
Google’s Threat Analysis Group (TAG) reports on EXOTIC LILY, a threat actor group identified as an Initial Access Broker (IAB). The group is financially motivated, with ties to Wizard Spider/FIN12 and to the Conti and Diavol ransomware operations. Initial target sectors tracked in November 2021 included healthcare and information technology, specifically cybersecurity; the group has since widened its targeting. At peak activity TAG observed EXOTIC LILY “sending more than 5,000 emails a day, to as many as 650 targeted organizations globally.” Tactics observed include targeted phishing campaigns (typically using spoofed domains and fake personas), the use of “legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload”, payload delivery via “ISO files with hidden BazarLoader DLLs and LNK shortcuts”, and exploitation of the MSHTML vulnerability CVE-2021-40444.
- Anvilogic Use Case: Malicious Document Execution
CISA Update on Conti Ransomware
Industry: N/A | Level: Tactical | Source: CISA
The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, which tracks Conti ransomware, with new indicators of compromise (IOCs) associated with the group. The agency warns that Conti’s most prevalent attack vectors include Trickbot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. Initial access is typically obtained through phishing emails or stolen credentials. CISA lists a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services and deleting shadow copies.
- Anvilogic Use Cases:
- RDP Brute-force Detection
- Kerberos RC4 Encrypted Tickets
- Common Reconnaissance Commands
- Windows Share Multiple File Access
- Service Stop Commands
- Inhibit System Recovery Commands
BazarLoader Malware Leverages Contact Forms
Industry: N/A | Level: Tactical | Source: AbnormalSecurity
Abnormal Security has observed BazarLoader incorporating online contact forms into its communication and distribution tactics. The campaign ran from December 2021 to January 2022; the threat actors posed as prospective customers looking to obtain a product supply quote. Because the communication appeared genuine, the targeted company would typically follow up the inquiry by initiating an email, to which the attacker would respond with a link to download a malicious file hosted on file-sharing services such as TransferNow and WeTransfer. The download is an .iso file that contains a .lnk shortcut file and a .log file; the .log file is actually the malicious BazarLoader DLL. If the shortcut is executed, it calls regsvr32.exe to run the disguised DLL, which then injects into svchost.exe. Further analysis of the campaign could not be completed because the command and control (C2) infrastructure was down. The threat actor’s objective is likely to use BazarLoader to deploy Conti ransomware or Cobalt Strike.
- Anvilogic Use Cases:
- Symbolic OR Hard File Link Created
- regsvr32 Execution
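The ISO/LNK/regsvr32 chain described above (and the matching EXOTIC LILY delivery of “ISO files with hidden BazarLoader DLLs and LNK shortcuts”) can be caught with process telemetry alone, because regsvr32 is asked to load a module whose extension is not a DLL, from a freshly mounted drive, and then starts a thread in svchost.exe. The detector below is an added example, not code from Abnormal Security, Google TAG or Anvilogic. It assumes Sysmon-style process-creation (EID 1) and CreateRemoteThread (EID 8) events already parsed into dicts; the events, drive letter E: and file names are constructed for the example, and treating any non-C: drive as a “mounted image” is a labelled heuristic.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real logs): a benign installer registering a
# real DLL, then the BazarLoader chain: the user mounts the downloaded ISO (it gets
# drive letter E:), double-clicks the .lnk, which runs regsvr32 against a DLL that
# is named like a .log file; the loaded DLL then injects into svchost.exe.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "{G-1}", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"EventID": 1, "ProcessGuid": "{G-2}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s E:\quote_request.log"},
    {"EventID": 8, "SourceProcessGuid": "{G-2}",
     "SourceImage": r"C:\Windows\System32\regsvr32.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

# Extensions regsvr32 is legitimately asked to register.
DLL_LIKE_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}


def regsvr32_target(cmdline: str) -> str:
    """Return the module path passed to regsvr32: the first argument that is not a
    /switch, honouring double-quoted paths with spaces."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    for arg in tokens[1:]:  # tokens[0] is the image name itself
        if not arg.startswith(("/", "-")):
            return arg
    return ""


def detect_disguised_regsvr32(events: List[Dict]) -> List[Dict]:
    """Flag regsvr32 loading a non-DLL extension or a module on a non-system drive,
    and raise severity when that same process then injects into svchost.exe."""
    findings: List[Dict] = []
    flagged: Dict[str, Dict] = {}  # ProcessGuid -> finding, for EID 8 correlation
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("regsvr32.exe"):
            continue
        target = regsvr32_target(ev.get("CommandLine", ""))
        ext = "." + target.rsplit(".", 1)[-1].lower() if "." in target else ""
        reasons = []
        if ext and ext not in DLL_LIKE_EXTENSIONS:
            reasons.append(f"non-DLL extension {ext}")
        if re.fullmatch(r"[D-Z]:", target[:2].upper()):
            # Heuristic (assumption): Windows mounts an ISO on the next free drive
            # letter, so a module outside the system drive deserves a look.
            reasons.append(f"module on non-system drive {target[:2].upper()}")
        if reasons:
            if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
                reasons.append("launched from explorer.exe (user double-click / LNK)")
            finding = {"guid": ev["ProcessGuid"], "target": target,
                       "reasons": reasons, "severity": "medium"}
            flagged[ev["ProcessGuid"]] = finding
            findings.append(finding)
    # Second pass: CreateRemoteThread from a flagged regsvr32 into svchost.exe.
    for ev in events:
        if (ev.get("EventID") == 8 and ev.get("SourceProcessGuid") in flagged
                and ev.get("TargetImage", "").lower().endswith("svchost.exe")):
            finding = flagged[ev["SourceProcessGuid"]]
            finding["reasons"].append("CreateRemoteThread into svchost.exe")
            finding["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in detect_disguised_regsvr32(EVENTS):
        print(f["severity"], f["target"], "; ".join(f["reasons"]))
```

The first pass deliberately does not fire on the explorer.exe parent by itself (users do double-click legitimate things); it only adds that context once a strong indicator is present, and the svchost.exe injection is what lifts the alert to high. In a real deployment the EID 8 correlation should be keyed on the Sysmon ProcessGuid as shown, not on the PID, which is reused.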
Conti chats from a Jabber communication system were leaked by a Ukrainian security researcher, as reported by BleepingComputer.
Dragos 2021 Industrial Control System (ICS)/Operational Technology (OT)
Industry: Critical Infrastructure | Level: Tactical | Source: Dragos
Dragos provides insight on cybersecurity incidents affecting Industrial Control System (ICS)/Operational Technology (OT) environments during 2021. Within the ICS sector, the report identified manufacturing as the most targeted, with 211 ransomware compromises, followed by food and beverage with 35 and transportation with 27. The most heavily impacted manufacturing subsectors were metal products, automotive and plastics technology. Overall, attacks were largely attributed to LockBit 2.0 and Conti, which accounted for 51% of all attacks and 70% of those targeting manufacturing. Dragos attributes the targeting of manufacturing to weak information security practices, citing poor perimeter security, external connectivity and use of shared credentials. A Dragos engagement with an electric operator identified a compromise made easier by poor network controls: “Because of a weak security posture and no network segmentation, the adversary gained access to the domain controller and other key systems at the plant.” The attacker’s initial tactic was a smash and grab, exfiltrating data of interest, then lying low for a week. After that week of silence the attackers prepared for ransomware deployment: they “deployed scripts and tools to weaken the company’s defenses, such as Microsoft Defender, and deployed ransomware through the Group Policy, WinRM, and PSExec-as-a-service to most systems on the network,” and attempted to hinder forensic analysis by clearing Windows logs and disabling logging.
- Anvilogic Use Cases:
- Modify Group Policy
- WinRM Tools
- Remote Admin Tools
- Clear Windows Event Logs
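The CISA post-compromise techniques above (Kerberos attacks, discovery commands, service stops, shadow-copy deletion) and the Dragos engagement’s defense weakening, WinRM/PsExec deployment and log clearing all leave well-known fingerprints in Windows telemetry. The following is an added example, not CISA, Dragos or Anvilogic code, that runs the corresponding checks over Windows events already normalized into dicts (Security 4769 for Kerberos TGS requests, System 7045 for service installs, Sysmon EID 1 for process creation). The event records, host names and service names are constructed for the example; the use-case names in the rule table mirror the list above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real logs), one per technique plus two benign records.
EVENTS: List[Dict] = [
    # TGS request for a user service account with RC4 (0x17): Kerberoasting indicator
    {"Channel": "Security", "EventID": 4769, "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    # AES TGS request for a machine account: expected, must not fire
    {"Channel": "Security", "EventID": 4769, "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    # PsExec drops and installs its service on the target before running the payload
    {"Channel": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Process creations; a child of wsmprovhost.exe means the command came in over WinRM
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net stop "SQL Server (MSSQLSERVER)" /y'},
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:corp.local"},
    # benign admin activity that must not fire
    {"Channel": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net start Spooler"},
]

# Command-line rules: (use-case name, case-insensitive pattern)
CMDLINE_RULES: List[Tuple[str, re.Pattern]] = [
    ("Common Reconnaissance Commands",
     re.compile(r"\b(nltest(\.exe)?\s+/dclist|net(\.exe)?\s+group\s+\"?domain admins|adfind(\.exe)?\b|whoami\s+/all)", re.I)),
    ("Service Stop Commands",
     re.compile(r"\b(net(\.exe)?\s+stop\b|sc(\.exe)?\s+stop\b)", re.I)),
    ("Inhibit System Recovery Commands",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|bcdedit(\.exe)?.*recoveryenabled\s+no)", re.I)),
    ("Clear Windows Event Logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("Disable Defender / Audit Logging",
     re.compile(r"(Set-MpPreference\s+-Disable|auditpol(\.exe)?\s+/clear|auditpol(\.exe)?\s+/set\s+.*disable)", re.I)),
]


def check_event(ev: Dict) -> List[str]:
    """Return the names of every use case the event matches (empty list if none)."""
    hits: List[str] = []
    eid, channel = ev.get("EventID"), ev.get("Channel")
    if channel == "Security" and eid == 4769:
        svc = ev.get("ServiceName", "")
        # RC4 ticket for a user SPN: machine accounts ($) and krbtgt are excluded
        if (ev.get("TicketEncryptionType", "").lower() == "0x17"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            hits.append("Kerberos RC4 Encrypted Tickets")
    elif channel == "System" and eid == 7045:
        if (ev.get("ServiceName", "").upper() == "PSEXESVC"
                or "psexesvc" in ev.get("ImagePath", "").lower()):
            hits.append("Remote Admin Tools (PsExec service install)")
    elif eid == 1:  # process creation
        cmd = ev.get("CommandLine", "")
        hits.extend(name for name, rx in CMDLINE_RULES if rx.search(cmd))
        if ev.get("ParentImage", "").lower().endswith("wsmprovhost.exe"):
            hits.append("WinRM Tools (child of wsmprovhost.exe)")
    return hits


def run_detections(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Pair each matching use case with the event that triggered it."""
    return [(name, ev) for ev in events for name in check_event(ev)]


if __name__ == "__main__":
    for name, ev in run_detections(EVENTS):
        print(f"{name}: {ev.get('CommandLine') or ev.get('ServiceName')}")
```

Two caveats a practitioner will hit immediately: RC4 (0x17) TGS tickets are normal in domains that still have legacy clients or service accounts without AES keys, so the Kerberos rule needs a baseline of which accounts legitimately request them; and the command-line rules match the attacker’s tooling by name, which is exactly what CISA and Dragos describe but is trivially evaded by renamed binaries, so pair them with the Sysmon OriginalFileName field rather than the image path alone.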
Trickbot, the notorious malware, appears to be losing relevance: it is no longer as stealthy as it once was, and Conti is absorbing its key developers.