Positive Security News - Edition 10
Hello all, another week, another roundup! Welcome back to the Positive Security News, where it's not all doom and gloom in the cyber security industry!
Since this week marks the tenth edition of Practical Infosec's Positive Security News, we felt it was only right to discuss a massive stepping stone within the cyber security industry. It's only one news article this week, but it's a good one!
Conti Ransomware Group Leaks
Here’s an extremely rare and big moment in the fight against ransomware that I hope you appreciate just as much as we do!
After the Conti ransomware group pledged its support for the Russian government, a clearly displeased pro-Ukrainian individual within the organisation took it upon themselves to leak a tremendous amount of information. The leak included a look at their communication logs, their tactics, techniques and procedures and, possibly biggest of all, the source code of the Conti ransomware, to name a few.
Now, who is this group? Well, what they aren’t is undoubtedly happy! In all seriousness, this group stands out, among dozens, as one of the most heartless gangs out there. They spent over a year attacking organisations where the consequences were life-threatening. Namely, “hospitals, 911 dispatch carriers, emergency medical services and law enforcement agencies”.
The FBI states that Conti has been connected to more than 400 cyberattacks against organisations all around the world, the majority of them in the U.S., with ransoms as steep as $25 million, making them one of the most voracious gangs out there.
It’s safe to say that these leaks are welcome and anything to combat these evildoers is appreciated, even if it’s from someone inside.
The member who leaked the internals of Conti’s operations shared the data alongside a message expressing their support for Ukraine. To help the matter, vx-underground, a web collection of malware source code, samples and papers that are considered to be a harmless commodity, shared the message through Twitter with their own download option, making it more accessible to less tech-savvy people.
Naturally, the chat logs that were leaked provided an interesting insight into their social decorum but also allowed researchers to enumerate the people within the gang. It was especially helpful as it also provided a look at the tactics, tools and techniques they use.
The techniques that were mentioned:
Active Directory Enumeration
SQL Databases Enumeration via sqlcmd
How to gain access to Shadow Protect SPX (StorageCraft) backups.
How to create NTDS dumps vs vssadmin
How to open New RDP Port 1350
The tools that were mentioned:
The leaks also contained the source code for Conti Locker v2, which is the fancy name for the ransomware they use for encryption. We were also treated to a decryptor for the respective encryptor, but our luck falls short there: unfortunately, it’s not an updated version and therefore won’t work against recent Conti attacks. Still, this is a milestone that provides significant help with reverse engineering, with the hope of even seeing a working decryptor in the near future.
Interestingly enough, they’ve also shown themselves to be a rather sophisticated, albeit extremely dislikable, gang, providing “training materials” that included online courses in Russian covering a list of TTPs:
PowerShell for Pentesters
Windows Red Teaming
WMI Attacks (and Defenses)
Now, as much as we want the Conti gang to be groveling in regret and begging for forgiveness, this is supposedly not the case, with Yelisey Boguslavskiy, head of research at intelligence firm Advanced Intelligence, stating that “none of the firm’s primary source intel demonstrates that this will affect Conti.”
The leak was from only one of the six Conti groups, and even though it may have been the biggest of them, the rest “were not impacted at all,” Boguslavskiy said. “Conti relaunched all of its infrastructural capacities and keep operating,” he continued.
Regardless of impact, we shouldn’t scoff at an opportunity as rare as this, one that provides valuable inside knowledge that will help us better defend and arm ourselves against the ever-growing problem of ransomware.