The group has actively targeted the healthcare industry and first responder networks when COVID was at its peak. The following information is obtained from the Conti ransomware tor handle.
Based on the past activity of the group, they target the Retail and Manufacturing sector extensively, largely focusing on American entities.
Ransoms are tailored to victims based on their net worth, very recent ransom demanded by the group has gone as high as 25 million USD.
Country |
Victims |
Bahamas |
1 |
Canada |
14 |
USA |
128 |
Mexico |
1 |
UK |
11 |
Germany |
4 |
Italy |
2 |
India |
1 |
Japan |
1 |
New Zealand |
1 |
Australia |
1 |
Conti has a very distinctive style in carrying out the campaigns, profiled TTPs are listed below:
Tactics Techniques and Procedures
Following TTPs are MITRE ATT&CK mapped:
- Exploit Public-Facing Application T1190
- Exploitation for Credential Access T1212
- System Network Configuration Discovery T1016
- Remote System Discovery T1018
- Network Service Scanning T1046
- Valid Accounts: Domain Accounts T1078.002
- Remote Services: SMB/Windows Admin Shares T1021.002
- Windows Management Instrumentation T1047
- Process Injection: Dynamic-link Library Injection T1055/001
- Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002
- Data Encrypted for Impact T1486
Networking ports used by Conti
Following ports are used for sustaining remote connection 80, 443, 8080, and 8443
There are identified cases where actors have used port 53 for persistence
Analysis
The actor has shared internal infrastructure used to compromise target networks, Cobalt Strike Framework is used for Command & Control . A C2 server runs an application to send operating system commands and executes them on the compromised system, finally fetching the output of the commands to relay back to C2 thus establishing complete control over the compromised computer system/network.
The actor has exposed Cobalt Strike Team Servers which is a very critical component of attacker infrastructure.
An attack originates from Cobalt Strike Aggressor/TeamServer, thus leaking the IPs compromises operation security of the attacker as these IPs can be black listed by the corporate network firewalls and other security endpoint systems. Nevertheless, most of the attackers use IP redirectors or proxies in the middle of the target corporate network and their team servers for operation security and to protect their internal assets.
Ransomware Groups and Active Directory
Ransomware groups are financially motivated cybercriminals that target enterprises to extort money. Large organisations in the world are consumers of Microsoft Active Directory to manage their users and network resources. Active Directory is a directory service that maps users/people and network assets like printers/computers into logical network groups for efficient administration and management. It follows a hierarchical structure where a domain is a logical aggregation of resources over the network with a node called a domain controller to control the assets in the specific domain. User who is in charge of the domain controller is called a Domain admin. An enterprise can have multiple domains along with corresponding domain administrators.
Ransomware operators compromise the domain controller server and covertly gain control over domain administrator account to carry out malicious activities in the domain. Following are few tactics employed by adversary in a campaign:
– Initial Access
- RDP brute forcing
- Cobalt Strike beacon deployment
- ZeroLogon Vulnerability
- Social Engineering via Weaponized Office documents.
– Privilege Escalation & Lateral Movement
- Compromise LSASS via Mimikatz tool
- Kerberoasting Technique
– Privilege Escalation
- Golden Ticket Attacks
– Locking and data exfiltration
- Deployment of locker program after disabling AV
- Archive Programs
- Rclone
Manuals and Offensive Tools
The actor has shared a repository of tools and manuals, used by the group, on a file-sharing platform. Based on our analysis, tools shared are not of any exclusive nature but standard Active Directory Enumeration tools.
Summary of Tools
- Basic Cobalt Strike manuals covering usage and payload deployment
- Cobalt Strike related artifacts for evasion and lateral movement.
- RMM client application used for remote management.
- Manual for dumping windows secrets via LSASS using MIMIKATZ tool.
- Windows domain System/User enumeration commands at domain level to plan and carry out attacks.
- Volume shadow copy enumeration; Volume Shadow Copy is a backup mechanism in Windows.
- PowerUPSQL powershell script to target enterprise SQL servers.
Various network scanners and proxies - Tunnel to RDP using NGORK
- Rclone tool for file transfer.
- Kerberoasting techniques; It’s a specific technique used to crack kerberos hash using brute force. Once the hash is compromised associate user account will be compromised
- Router Scan tool used for doing recon against routers and employing bruteforce techniques to gain unauthorized access.
- Zerologon CVE-2020-1472 Cobalt Strike Beacon Object File that can abuse systems vulnerable to Zerologon.
- Script files to obtain Armitage tool and further deployment on target infrastructure.
- Script to install various linux tools like tmux [terminal multiplexer for multitasking] and standard Kali linux system set up scripts.
- List of various Telegram channels for security related discussions.
- Instructions on AD lockout policy enforced on user accounts.
- Instructions to enhance operation security by using Whonix gateways.
- Instructions on how to abuse Shadow Protect SPX installed on target systems to compromise back ups and other data stores
- Manuals for standard privilege escalation vectors.
- Shared AD exploitation cheat sheet
- Manual for disabling Windows defender via command line
- Manual for launching the locker on Linux versions with launch parameters.
- Manual for making new firewall rules via command line on Windows.
- Powershell cheat sheets for performing various system-level tasks.
- Manual for various use cases for Windows Management Interface Command tool for orchestrating attacks on Windows machines.
- Instructions on using PuTTy and FileZilla for file aggregation and tunnelling.
- Instructions on using the AnyDesk application for remoting purposes.
Common Passwords used that conforms to AD password policy:
- Password1
- Hello123
- password
- Welcome1
- banco@1
- training
- Password123
- job12345
- spring
- food1234
- June2020
- July2020
- August20
- August2020
- Summer20
- Summer2020
- June2020!
- July2020!
- August20!
- August2020!
- Summer20!
- Summer2020!
Recommendations
Adversary’s Team Server IPs can be black listed:
IP |
Country |
ISP |
ASN |
162.244.80.235 |
USA |
Data Room Inc |
19624 |
86.93.88.165 |
Netherlands |
KPN BV |
1136 |
185.141.63.120
|
Bulgaria |
RedCluster Ltd |
44901 |
82.118.21.1 |
Poland |
ITL LLC |
204957 |
Prevent initial access at any costs. Following are basic mitigations:
- Update and patch Internet facing assets on the network.
- Aware of social engineering tactics employed by threat actors via mail.
- Proper segregation and isolation of internal networks.
- Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activities.
- Proper system monitoring pipeline for better logging capability that includes Powershell, JScript etc.
- An efficient and effective Threat Intelligence pipeline to stay updated about adversarial TTPs
- Effective and redundant fail proof back up plans.
- Use multi factor authentication whenever possible.
- Disable unused ports and services.
- Enforce effective password policy which addresses password complexity and password rotation