eSentire Conti Leaks Analysis

April 05, 2022

Industry: N/A | Level: Tactical | Source: eSentire

eSentire’s Threat Response Unit (TRU) examined Conti intrusion procedures and shared detection tactics derived from the group’s 2021 and 2022 data leaks, which contain operation manuals and chat logs. The chat logs from the February 2022 leak frequently reference manuals that guide Conti operators through their operations. The ransomware gang operates with a clear structure: a management chain, personnel with defined roles and responsibilities, and training programs. The reference materials help ensure that Conti operators carry out their activity with consistency and efficiency. Analysis of the leaked materials identified reliance on many known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7zip, AnyDesk, Rubeus, Rclone and native living off the land binaries (LOLBins).

  • Anvilogic Scenario: ZeroLogon Compromise
  • Anvilogic Use Cases:
    • Adfind Commands
    • Adfind Execution
    • Common Reconnaissance Commands
    • Cobalt Strike Beacon
    • Cobalt Strike style Shell invocation
    • Create/Add Local/Domain User
    • Locate Credentials
    • Mimikatz
    • Modify Group Policy
    • Native Archive Commands
    • Potential Web Shell
    • Registry key added with reg.exe
    • Rclone Execution

FBI’s Internet Crime Report for 2021

March 29, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: IC3

The FBI’s Internet Crime Complaint Center (IC3) has released its report for 2021, tracking a variety of internet crimes; the top crime types were extortion, identity theft, personal data breach, non-payment/non-delivery, and phishing/vishing/smishing/pharming. Of particular interest are the ransomware statistics: in 2021, IC3 received 3,729 ransomware complaints. The critical infrastructure sector has been closely monitored since June 2021, with 16 sectors considered so “vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy, public health or safety, or any combination thereof.” Of the complaints received, 649 involved organizations in the critical infrastructure sector, and “of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least 1 member that fell victim to a ransomware attack in 2021.” Among the 14 impacted sectors, the top victims were Healthcare and Public Health (148 complaints), Financial Services (89), Information Technology (74), Critical Manufacturing (65) and Government Facilities (60). Three ransomware variants accounted for many of the reported complaints: Conti (87 victims), LockBit (58 victims) and REvil/Sodinokibi (51 victims).

Conti Source Code Leak

March 22, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

Conti leaks continue from a Ukrainian security researcher using the Twitter handle @ContiLeaks. The latest leak, posted to VirusTotal on March 20th, 2022, contains the source code for “conti v3.” BleepingComputer’s review of the uploaded files found the code dated January 25th, 2021, newer than the previously leaked code. The code is authentic, as BleepingComputer was able to compile it successfully without issue.

Intel471 Ransomware Review in 2021 Q4

March 22, 2022

Industry: Consumer, Energy, Financial, Health Care, Life Science, Manufacturing, Non-Profit, Professional Services, Real Estate, Technology | Level: Strategic | Source: Intel471

Intel471 shares ransomware findings tracked from October 2021 to December 2021. The intelligence team identified 722 attacks by 34 ransomware variants. The most active month was November 2021, with 283 organizations targeted, followed by October 2021 with 234 and December 2021 with 205. Attack volume rose by 110 compared with the third quarter of 2021. The most active variants, by share of attacks, were LockBit 2.0 (29.7%), Conti (19%), PYSA (10.5%) and Hive (10.1%). Many sectors were targeted, with the most impacted identified by Intel471 as “consumer and industrial products; manufacturing; professional services and consulting; real estate; life sciences and health care; technology, media and telecommunications; energy, resources and agriculture; public sector; financial services; and nonprofit.” Less active ransomware groups included FiveHands, Haron, Payload[.]bin and Thanos.

EXOTIC LILY – Initial Access Brokers

March 22, 2022

Industry: Healthcare, Information Technology: Cybersecurity | Level: Tactical | Source: Google TAG

Google’s Threat Analysis Group (TAG) reports on EXOTIC LILY, a threat actor group identified as an Initial Access Broker (IAB). The group is financially motivated, with associations to Wizard Spider/FIN12 and to the Conti and Diavol ransomware operations. Initial targeting tracked in November 2021 focused on healthcare and information technology, specifically cybersecurity; the group has since widened its targeting. At peak activity, TAG observed EXOTIC LILY “sending more than 5,000 emails a day, to as many as 650 targeted organizations globally.” Tactics observed include targeted phishing campaigns (typically using spoofed domains and fake personas), the use of “legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload”, payload delivery with “ISO files with hidden BazarLoader DLLs and LNK shortcuts”, and exploitation of the MSHTML vulnerability CVE-2021-40444.

  • Anvilogic Use Case: Malicious Document Execution

CISA Update on Conti Ransomware

March 15, 2022

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, which tracks Conti ransomware, with new indicators of compromise (IOCs) associated with the group. The agency warns that the most prevalent attack vectors for Conti involve Trickbot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques has been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. CISA lists a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands

BazarLoader Malware Leverages Contact Forms

March 15, 2022

Industry: N/A | Level: Tactical | Source: AbnormalSecurity

Abnormal Security has observed BazarLoader being distributed through online contact forms. This recent campaign ran between December 2021 and January 2022: threat actors posed as prospective customers seeking a product supply quote. Because the communication appeared genuine, the targeted company would typically follow up on the inquiry by email, and the attacker would respond with a link to download a malicious file hosted on a file-sharing service such as TransferNow or WeTransfer. If downloaded, a .iso file and a .log file are dropped on the victim’s workstation. The ISO file is actually a .lnk shortcut file, and the .log file is the malicious BazarLoader DLL. If executed, the shortcut calls regsvr32.exe to run the disguised DLL, which then performs process injection into svchost.exe. Further analysis of the campaign could not be completed because the command and control (C2) infrastructure was down. The threat actor’s objective is likely to use BazarLoader to deploy Conti ransomware or Cobalt Strike.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • regsvr32 Execution
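Added example, not taken from Abnormal Security’s report or from Anvilogic’s use-case content: a small Python detector that applies the regsvr32 signal described above to constructed Sysmon Event ID 1 style process-creation records, flagging regsvr32 loads of modules with non-DLL extensions such as .log and modules staged in user-writable paths. The field names follow Sysmon naming; the sample events, paths and drive letters are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records; paths and drive letters are invented.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s D:\quote\request.log"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\Downloads\quote.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Downloads\quote.log"},
]

NORMAL_EXTENSIONS = {".dll", ".ocx", ".ax"}   # what regsvr32 normally loads
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")  # staging paths
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted or whitespace-delimited tokens


def regsvr32_module(command_line):
    """Return the module path regsvr32 was asked to load, or None if absent."""
    for tok in TOKEN_RE.findall(command_line)[1:]:
        if tok.startswith(("/", "-")):  # /s, /i, /u, /n are switches, not modules
            continue
        return tok.strip('"')
    return None


def find_suspicious_regsvr32(events):
    """Flag regsvr32 launches whose module looks disguised or user-staged."""
    findings = []
    for ev in events:
        if PureWindowsPath(ev["Image"]).name.lower() != "regsvr32.exe":
            continue
        module = regsvr32_module(ev["CommandLine"])
        if module is None:
            continue
        reasons = []
        suffix = PureWindowsPath(module).suffix.lower()
        if suffix not in NORMAL_EXTENSIONS:
            reasons.append(f"non-DLL extension {suffix!r}")
        if any(frag in module.lower() for frag in USER_WRITABLE):
            reasons.append("module in user-writable location")
        if reasons:
            findings.append({"parent": ev["ParentImage"], "module": module,
                             "reasons": reasons})
    return findings
```

Against the constructed events, the .log module on the mounted ISO drive and the DLL under a user’s Downloads folder are flagged, while the vendor DLL registered from Program Files by the installer is not.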

Conti’s Chats Leaked

March 01, 2022

Conti chats from a Jabber communication system were leaked by a Ukrainian security researcher, as reported by BleepingComputer.

Dragos 2021 Industrial Control System (ICS)/Operational Technology (OT)

March 01, 2022

Industry: Critical Infrastructure | Level: Tactical | Source: Dragos

Dragos provides insight into the cybersecurity impact on Industrial Control System (ICS)/Operational Technology (OT) environments during 2021. The report identifies manufacturing as the most targeted ICS sector, with 211 ransomware compromises, followed by food and beverage with 35 and transportation with 27. Within manufacturing, the most heavily impacted subsectors were metal products, automotive and plastics technology. Overall, attacks were largely attributed to LockBit 2.0 and Conti, which accounted for 51% of all attacks and 70% of the attacks targeting manufacturing. Targeting of the manufacturing sector is often attributed to weak information security practices, with Dragos citing poor perimeter security, external connectivity and the use of shared credentials. A Dragos engagement with an electric operator identified a compromise made easier by poor network controls: “Because of a weak security posture and no network segmentation, the adversary gained access to the domain controller and other key systems at the plant.” The attacker’s initial tactic was a smash and grab, exfiltrating data of interest, then laying low for a week. After that week of silence, the ransomware deployment steps followed as the attackers “deployed scripts and tools to weaken the company’s defenses, such as Microsoft Defender, and deployed ransomware through the Group Policy, WinRM, and PSExec-as-a-service to most systems on the network,” while also attempting to hinder forensic analysis by clearing Windows logs and disabling logging.

  • Anvilogic Use Cases:
    • Modify Group Policy
    • WinRM Tools
    • Remote Admin Tools
    • Clear Windows Event Logs

Trickbot Fading and Conti Rises

February 22, 2022

The notorious Trickbot malware appears to be losing relevance: it is no longer as stealthy as it once was, and Conti is absorbing its key developers.