{"id":7372,"date":"2022-02-23T10:54:14","date_gmt":"2022-02-23T17:54:14","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7372"},"modified":"2023-04-20T02:10:18","modified_gmt":"2023-04-20T09:10:18","slug":"all-about-conti-ransomware","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/all-about-conti-ransomware\/","title":{"rendered":"All About Conti Ransomware"},"content":{"rendered":"

Conti has been in the news consistently since August 2021, warranting a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The advisory alerted organizations to the threat posed by the Conti ransomware group and to the vulnerabilities it exploits.

A risk-based approach is what organizations need now if they want to stay ahead of dangerous and sophisticated ransomware groups such as Conti.

Timeline | Conti Develops Log4J Exploitation Chain | Conti's Playbook and Tools | Conti Attack Methodology | IOCs and MITRE Map | Interesting Trends | Conti Vulnerabilities

Recent Developments

Conti Shuts Down: According to threat intelligence analyst Ido Cohen, Conti's servers were shut down. Conti took down its last public-facing infrastructure, a pair of Tor servers used to leak data and negotiate with victims, closing the final chapter of this notorious cybercrime brand.

Intel Management Engine Attack: According to Conti's leaked messages, the gang has been working on a series of firmware attack techniques that could give it access to privileged code on compromised machines. This includes attacks against embedded microcontrollers such as the Intel Management Engine (ME), a privileged component in Intel chipsets that runs outside the operating system's control and can therefore bypass it entirely.

Rust Developers Targeted: On May 20, 2022, security researchers alerted the public to an attack targeting Rust developers with malware aimed at infecting GitLab Continuous Integration pipelines. The campaign, dubbed CrateDepression, combines typosquatting with impersonation of a prominent Rust developer to push a malicious 'crate' to a community Rust dependency repository.

Costa Rica Declares National Emergency: Costa Rican President Rodrigo Chaves declared a national emergency following cyberattacks by the Conti ransomware group on multiple government bodies. Conti leaked 672 GB of sensitive data belonging to Costa Rican government entities. The Conti threat actor tracked as UNC1756, along with an affiliate, has claimed sole responsibility for this attack.

ContiLeaks: A new Twitter account named ContiLeaks posted links to an archive of Conti's internal chat messages on February 27, shortly after the ransomware group declared its support for Russia in its war against Ukraine. The leaked data also included domains used in BazarBackdoor compromises; BazarBackdoor is malware used to gain access to targeted networks. In addition, DHS CISA updated its Conti ransomware advisory with Indicators of Compromise (IoCs) covering over 100 domain names used in the group's criminal operations.

The ContiLeaks account revealed over 30 vulnerabilities associated with the Conti ransomware, bringing the total of Conti-associated CVEs to 44.

The internal chats leaked from the Conti ransomware group revealed the inner workings of the group, including details on 30 vulnerabilities exploited by the group and its affiliates, and specific insights into its post-entry processes, such as how it targets Active Directory.

In this blog, Securin's data researchers and security analysts discuss the latest developments, the tools, techniques, and procedures used, and the vulnerabilities Conti exploited in 2021-22.

Who is Conti?

Conti ransomware is a Ransomware-as-a-Service (RaaS) operation believed to be controlled by the Russian cybercrime group Wizard Spider. The ransomware shares some of its code with the infamous Ryuk ransomware, which dropped out of the news in July 2020.

Conti-nuous Attacks Through January 2022

Conti's prolific track record continued into 2022, with four attacks reported within the first two months of the new year. Let us take a look at the recent incidents involving the Conti group.

| Ransomware Attack Incident | Time Period | Sector | Demand/Ransom |
| --- | --- | --- | --- |
| Costa Rica | April 22, 2022 | Finance | – |
| Panasonic Canada | April 15, 2022 | HR and accounting | – |
| Wind Turbine | March 21, 2022 | IT | – |
| TrustFord | April 8, 2022 | Manufacturing | – |
| Meyer Corporation | October 25, 2021 – February 18, 2022 | Distribution | – |
| Kenyon Produce Snacks | February 02, 2022 | Foods and Beverages | – |
| Delta Electronics | January 21, 2022 | Manufacturing | $15 million ransom |
| RR Donnelley | January 15, 2022 | Marketing Agency | 2.5 GB data stolen |
| Bank of Indonesia | December 2021 – January 2022 | Banking | 13.88 GB data stolen; ransom amount unknown |
| Finite Recruitment | December 2021 | Government | 300 GB data stolen |
| McMenamins Brewery | December 12, 2021 | Foods and Beverages | – |
| Nordic Choice Hotels | December 2, 2021 | Hospitality | – |
| Shutterfly | December 2021 | E-commerce | Few million dollars in ransom |
| CS Energy | November 27, 2021 | Energy | – |
| Australian Government | November 2021 – present | Government | – |
| Graff | October 2021 | Jewelry | 69,000 files leaked |
| JVC Kenwood | September – October 2021 | Manufacturing | 1.7 TB data stolen, $7 million ransom |
| Covisian | September 18, 2021 | Communications Industry | – |
| Microsoft Exchange Servers using ProxyShell | September 3, 2021 | Software | 1 TB data stolen |
| SAC Wireless (Nokia subsidiary) | June – August 2021 | Manufacturing | 250 GB data stolen |
| Stanadyne PurePower Technologies | June 2, 2021 – Present | Engineering and Technology | – |
| Canada | Till June 2021 | Insurance | – |
| Canada | Till June 2021 | Engineering & Technology | – |
| Canada | Till June 2021 | Internet services | – |
| New Zealand Health Department | May 21, 2021 – Present | Healthcare | – |
| Ireland Department of Health | May 18 – Present | Healthcare | Attempt unsuccessful |
| Ireland Health Service Executive (HSE) | May 17 – Present | Healthcare | $20 million |
| City of Tulsa | May 6 – Present | Government | – |
| Exagrid | May 4, 2021 | IT | $2.6 million |
| Broward County Public School, Florida | March – April 2021 | Education | $40 million |

Conti's 'Playbook' Leak

In August 2021, a disgruntled Conti affiliate released the threat actor's 'playbook', which listed its tactics, techniques, and procedures as well as the vulnerabilities it commonly exploits.

Some of the vulnerabilities mentioned in the technical manual were the 2017 Microsoft Windows SMB 1.0 server vulnerabilities, CVE-2021-34527 in the Windows Print Spooler service, and CVE-2020-1472 in Microsoft's Active Directory Domain Controller systems, better known as the ZeroLogon exploit.

The playbook also identified four Cobalt Strike server IP addresses used by Conti actors to communicate with their command and control (C2) infrastructure. The FBI and CISA also observed that Conti actors use different Cobalt Strike server IP addresses for different victims.