Protecting your tech startup against Conti type ransomware

Blog written by Alex Jessop, Managing Security Consultant (CIRT) at NCC Group


Background

March 2022 saw a 53% increase in ransomware attacks compared with February, continuing the upward trend for 2022. Conti were the second most prolific group, responsible for 27.52% of the ransomware attacks occurring worldwide[1]. FS-ISAC, in their “Navigating Cyber 2022” report, stated that, given the trends observed over recent years, ransomware will remain a top cyber threat to financial institutions[2].

Conti is just another in a long line of Advanced Persistent Threat (APT) actor groups targeting organisations for monetary gain. While their arsenal may include some custom tooling, the majority of their Tactics, Techniques and Procedures (TTPs) are well known and used by multiple groups. A large proportion of the incidents observed by NCC Group could have been prevented if policies had been followed or proactive measures taken to understand weaknesses in the environment.

Taking the following three steps will drastically reduce the likelihood of a successful compromise:

  • Robust patch management policy
    • The majority of initial access vectors observed in Conti attacks would be mitigated
  • Enforcing principle of least privilege[3]
    • Restricting user permissions would reduce the likelihood of post-exploitation if initial access is gained
  • Restricting internet access on servers
    • Connectivity is key to threat actors and would make a compromise substantially more difficult if the server estate could not communicate openly with the internet

 

Executive Summary

In February 2022, a Twitter account using the handle ‘ContiLeaks’ started to publicly release information on the operations of the cybercrime group behind Conti ransomware. The leaked data included private conversations between members, along with source code and methods of delivery. Furthermore, even though the leaks appeared to focus on the people behind the Conti operations, the leaked data confirmed (at least in the public domain) that the Conti operators are part of the group which operates under the ‘TheTrick’ ecosystem. For the past few months there had been a common misconception that Conti was a different entity.

Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware. The aim of this article is to describe the methods and techniques we observed during recent incidents that took place after the leaked data.

Our findings can be summarised as below:

  • Multiple different initial access vectors have been observed.
  • The operator(s) use service accounts of the victim’s antivirus product in order to move laterally through the estate and deploy the ransomware.
  • After gaining access, the operator(s) attempted to remove the installed antivirus product.
  • To maintain access to compromised hosts, multiple persistence techniques were observed:
    • A service created for the execution of Cobalt Strike.
    • Multiple legitimate remote access software tools found, including ‘AnyDesk’, ‘Splashtop’ and ‘Atera’.
    • A local admin account ‘Crackenn’ created. (Note: this has previously been reported by Truesec as a Conti behaviour[4].)
  • Before starting the ransomware activity, the operators are known to have exfiltrated data from the network with the legitimate software ‘Rclone’[5].

It should be noted that the threat actor(s) might use different tools or techniques in some stages of the compromise.

 

Initial Access

Multiple initial access vectors have been observed recently, including phishing emails and the exploitation of Microsoft Exchange servers. In one case, a phishing email delivered to an employee led to the download and installation of malware which gave the threat actor direct access to the host.

The targeting of Microsoft Exchange saw ProxyShell and ProxyLogon vulnerabilities exploited. This gave threat actors direct access to the Exchange servers. When this vector was observed, the compromise of the Exchange servers often took place two to three months prior to the post exploitation phase.

Other initial access vectors utilised by the Conti operator(s) are:

  • Credential brute-force
  • Use of publicly available exploits. We have observed the following exploits being used:
    • FortiGate VPN
    • Log4Shell
  • Phishing e-mail sent by a legitimate compromised account, including email accounts of trusted partners

 

Discovery and Lateral Movement

Once a threat actor has gained access to a host on the network, the threat actor deploys tooling or executes Windows commands to identify hosts on the estate and potential pathways to their objectives.

Typically they begin with network scanning tools to build a picture of the estate and identify what is accessible from the host they currently control. Next they use Windows domain discovery tools to identify users on the domain, as well as the groups those users belong to, which assists in escalating their privileges.

Lateral movement is usually performed by either:

  • Use of Remote Desktop Protocol (RDP) to log onto hosts remotely
  • Access across open network shares to copy and execute malware

This phase often occurs within hours or days of initial access being gained.

Persistence

The threat actor leveraged Windows Services to add persistence for the Cobalt Strike beacon. Cobalt Strike is a popular tool for adversary simulation and was the main command and control framework utilised by this group.

In addition, services were also installed to provide persistence for the remote access tools deployed by the threat actor:

  • AnyDesk
  • Splashtop
  • Atera

Local accounts have also been created by the threat actor on patient zero to maintain access.

 

Privilege Escalation

Conti operator(s) managed to escalate their privileges by compromising and using different accounts found on the compromised host. In engagements undertaken by NCC Group, the credentials were compromised through tools such as Mimikatz, a well-known tool for extracting credentials from the memory of running processes, principally LSASS.

One operator was also observed exploiting ZeroLogon to obtain credentials and move laterally.

 

Exfiltration and Encryption

Similar to many other threat actors, Conti operator(s) exfiltrate a large amount of data from the compromised network using the legitimate software ‘Rclone’. ‘Rclone’ is a legitimate file transfer tool used to manage files on cloud storage or a private file server. When cloud storage is used, Mega is the option chosen by this group.

Soon after the data exfiltration, the threat actor(s) started the data encryption. In addition, we estimate that the average time between the lateral movement and encryption is five days.

As discussed previously, the average dwell time of a Conti compromise is heavily dependent on the initial access method. In those incidents that involved ProxyShell and ProxyLogon, the time between initial access and lateral movement has been three to six months. However, once lateral movement is conducted, the time to completing their objective is a matter of days.
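As an added example (not NCC Group code), the following Python picks Rclone out of process-creation telemetry in the style of Sysmon Event ID 1. It identifies the binary even when it has been renamed, because Sysmon records the PE OriginalFileName, and parses the command line to separate an upload from a local path to a cloud remote such as Mega from other Rclone use. The records and the set of value-taking flags are constructed for the example.

```python
"""Detect Rclone exfiltration from process-creation telemetry (Sysmon Event ID 1
style records).  Added example, not NCC Group code; the records below are
constructed.  The binary is recognised even when renamed, via the PE
OriginalFileName that Sysmon logs, and the command line is read to tell an
upload to a cloud remote (e.g. Mega) from other Rclone use."""
import re

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags that take a separate value token, so the value is not mistaken for a path
# (a subset chosen for the example; Rclone has many more).
VALUE_FLAGS = {"--config", "--transfers", "--checkers", "--bwlimit",
               "--log-file", "--buffer-size", "--multi-thread-streams"}
TOKEN = re.compile(r'"[^"]*"|\S+')
# 'name:path' or an on-the-fly ':backend:path' remote; a Windows drive letter is a
# single character before the colon and so does not match.
REMOTE = re.compile(r"^:?[A-Za-z0-9_-]{2,}:")


def is_rclone(rec):
    """Rclone by image name, or by OriginalFileName when the exe was renamed."""
    image = rec.get("Image", "").lower()
    return (image.endswith("\\rclone.exe")
            or rec.get("OriginalFileName", "").lower() == "rclone.exe")


def parse_transfer(cmdline):
    """Return (verb, source, destination) for a transfer command, else None."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    verb, positional, i = None, [], 1          # toks[0] is the executable
    while i < len(toks):
        t = toks[i]
        if t in VALUE_FLAGS:                   # skip flag and its value
            i += 2
            continue
        if t.startswith("-"):                  # boolean flag
            i += 1
            continue
        if verb is None and t in TRANSFER_VERBS:
            verb = t
        else:
            positional.append(t)
        i += 1
    if verb is None or len(positional) < 2:
        return None
    return verb, positional[-2], positional[-1]


def classify(rec):
    """One finding per Rclone execution, or None for unrelated processes."""
    if not is_rclone(rec):
        return None
    finding = {"host": rec.get("Computer", "?"),
               "renamed": not rec.get("Image", "").lower().endswith("\\rclone.exe"),
               "exfil": False,
               "detail": rec.get("CommandLine", "")}
    parsed = parse_transfer(finding["detail"])
    if parsed:
        verb, src, dst = parsed
        # Local source pushed to a remote: the exfiltration shape.
        finding["exfil"] = bool(REMOTE.match(dst)) and not REMOTE.match(src)
        finding["detail"] = f"{verb} {src} -> {dst}"
    return finding


def detect(records):
    return [f for f in map(classify, records) if f]


SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"Computer": "SRV02.corp.local", "Image": "C:\\Tools\\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "\"C:\\Tools\\rclone.exe\" copy \"C:\\Shares\\Finance\" mega:finance "
                    "--config C:\\Users\\Public\\rclone.conf --transfers 8 -q"},
    {"Computer": "SRV02.corp.local", "Image": "C:\\ProgramData\\svchost.exe",
     "OriginalFileName": "rclone.exe",           # renamed binary
     "CommandLine": "C:\\ProgramData\\svchost.exe sync D:\\Backups :mega:dump --bwlimit 10M"},
    {"Computer": "WS042.corp.local", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe",          # the real svchost
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"Computer": "WS042.corp.local", "Image": "C:\\Tools\\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "\"C:\\Tools\\rclone.exe\" copy mega:share C:\\restore"},   # download
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed records the two uploads (one from a renamed binary) are marked as exfiltration, the download from the remote is reported as Rclone activity but not as exfiltration, and the genuine svchost is ignored. Any Rclone execution on a server is worth an alert on its own; the exfil flag is there to prioritise.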

 

Recommendations

  • Monitor firewalls for traffic categorised as filesharing
  • Monitor firewalls for anomalous spikes in data leaving the network
  • Patch externally facing services immediately
  • Monitor installed software for remote access tools
  • Restrict RDP and SMB access between hosts
  • Implement a Robust Password Policy[6]
  • Provide regular security awareness training
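For the first two recommendations, the following Python is an added example (not NCC Group code) of the analytics a SIEM or a script over exported firewall logs can run: it lists outbound sessions the firewall classified as file sharing, and flags a host whose daily egress is many times its own baseline median and above an absolute floor, so that a near-idle server does not alert on trivial growth. The log rows, the field names and the category labels are constructed for the example; real vendors differ.

```python
"""Firewall-log analytics for the monitoring recommendations above: traffic in
a file-sharing category, and anomalous spikes in data leaving the network.
Added example, not NCC Group code.  The rows are constructed; the field names
and category labels are assumptions, as firewall vendors differ."""
import statistics
from collections import defaultdict

FILESHARING_CATEGORIES = {"file-sharing", "cloud-storage", "peer-to-peer"}


def filesharing_sessions(rows):
    """Every outbound session the firewall classified as file sharing."""
    return [{"type": "filesharing", "host": r["host"], "ts": r["ts"], "dst": r["dst"],
             "category": r["category"], "bytes_out": r["bytes_out"]}
            for r in rows if r["category"] in FILESHARING_CATEGORIES]


def daily_egress(rows):
    """Bytes sent per host per calendar day (timestamps are ISO 8601)."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        totals[r["host"]][r["ts"][:10]] += r["bytes_out"]
    return totals


def egress_spikes(rows, baseline_days, factor=5.0, floor_bytes=500_000_000, min_history=3):
    """Flag a (host, day) whose egress exceeds `factor` x that host's baseline
    median and is also above `floor_bytes`.  The median is robust to a single
    earlier spike polluting the baseline window."""
    alerts = []
    for host, days in daily_egress(rows).items():
        history = [b for d, b in days.items() if d in baseline_days]
        if len(history) < min_history:     # not enough history to judge
            continue
        median = statistics.median(history)
        for day in sorted(d for d in days if d not in baseline_days):
            sent = days[day]
            if sent > max(factor * median, floor_bytes):
                alerts.append({"type": "egress_spike", "host": host, "day": day,
                               "bytes_out": sent, "baseline_median": median,
                               "ratio": round(sent / median, 1) if median else None})
    return alerts


def sample_rows():
    """Constructed: seven quiet days for a server and a workstation, then a day
    on which the server pushes 40 GB to a cloud-storage destination."""
    rows = []
    for day in range(1, 8):
        rows.append({"ts": f"2022-04-{day:02d}T10:00:00", "host": "SRV01",
                     "dst": "203.0.113.10", "category": "business",
                     "bytes_out": 200_000_000 + day * 1_000_000})
        rows.append({"ts": f"2022-04-{day:02d}T11:00:00", "host": "WS07",
                     "dst": "203.0.113.20", "category": "web-browsing",
                     "bytes_out": 1_000_000_000 + day * 50_000_000})
    rows.append({"ts": "2022-04-08T02:13:00", "host": "SRV01", "dst": "203.0.113.45",
                 "category": "cloud-storage", "bytes_out": 40_000_000_000})
    rows.append({"ts": "2022-04-08T11:00:00", "host": "WS07", "dst": "203.0.113.20",
                 "category": "web-browsing", "bytes_out": 1_200_000_000})
    return rows


BASELINE_DAYS = {f"2022-04-{d:02d}" for d in range(1, 8)}

if __name__ == "__main__":
    rows = sample_rows()
    for alert in filesharing_sessions(rows) + egress_spikes(rows, BASELINE_DAYS):
        print(alert)
```

With the constructed data the server's 40 GB day is reported both as a cloud-storage session and as an egress spike of roughly 196 times its baseline, while the workstation's modest growth is not. The 02:13 timestamp is the other signal worth adding: exfiltration of this kind tends to run outside business hours.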

References

  1. https://www.mynewsdesk.com/nccgroup/news/ncc-group-monthly-threat-pulse-march-2022-446743
  2. https://www.fsisac.com/navigatingcyber2022-report?utm_campaign=2022-GIOReport&utm_source=media&utm_medium=PressRelease
  3. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
  4. https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
  5. https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
  6. https://www.ncsc.gov.uk/collection/passwords/updating-your-approach


AG Elevate launches accelerator programme

Addleshaw Goddard has just launched its 5th AG Elevate programme, an accelerator for those looking to become the next tech unicorn.

This fast-track 10-month programme is designed to accelerate the growth of tech businesses in all sectors of the economy helping them with legal challenges that can arise as they grow.

Previous AG Elevate cohorts have included Scottish fintechs Amiqus, Trace and OBR.

The programme is designed, developed and delivered by AG‘s expert lawyers, who will provide access to legal advice, legal and business mentors and networks across the globe.

 

Elvan Hussein, Partner and co-programme lead at Addleshaw Goddard, said:

“We have emerged from the pandemic into a different environment, with tech integrated in all aspects of our lives and this continues to both offer opportunities for high growth and the chance for tech businesses to play a huge part in rebuilding and growing our economies wherever they are based.”

“AG Elevate is tried and tested and we understand what matters most to these businesses, and what challenges they will inevitably face. Our mentors have the specialist sector knowledge to bring tangible added value to the relationships with their Elevate members, beyond their undoubted legal expertise and we can’t wait to meet our new cohort.”

 

To qualify for consideration for a place on the programme, businesses need to have existing plans for high growth and have received external funding.

Interested parties can apply at www.addleshawgoddard.com/en/agelevate/ until the end of May 2022.

The Startup Race announces 9 events in Scotland

The Startup Race has just announced that it will host nine events in Scotland. All of these events will be headlined by bestselling entrepreneurship author Ash Maurya, well known for his book Running Lean, which has become a real entrepreneurship movement.

The events will take place in Edinburgh, Glasgow and Dundee, and will aim to connect angels, investors and startup founders. They will offer the opportunity to discuss how to identify risk in a business model. The events are supported by The Startup Race through a partnership grant with the Scottish Government’s Technology Ecosystem Initiative.

Ash Maurya said:

“As I always say, building a scalable and successful business starts with knowing what to measure and how. Being able to bring this mission to Scotland with the support of both The Startup Race and the Scottish Government’s Technology Ecosystem Initiative, in order to meet with like-minded individuals, is a true honour.”

Here is a breakdown of the programme of events:

Dundee, 3rd May
  • Angel Investor Lunch with Ash Maurya, 12:00-14:00
  • Scaling Lean Workshop for Scaleups & Investors with Ash Maurya, 14:00-18:00
  • Fireside Chat for Scaleups, Startups & Investors with Ash Maurya, 19:00-21:00

Glasgow, 4th May
  • Angel Investor Lunch with Ash Maurya, 12:00-14:00
  • Scaling Lean Workshop for Scaleups & Investors with Ash Maurya, 14:00-18:00
  • Fireside Chat for Scaleups, Startups & Investors with Ash Maurya, 19:00-21:00

Edinburgh, 5th May
  • Angel Investor Lunch with Ash Maurya, 12:00-14:00
  • Scaling Lean Workshop for Scaleups & Investors with Ash Maurya, 14:00-18:00
  • Fireside Chat for Scaleups, Startups & Investors with Ash Maurya, 19:00-21:00

Mr. Maurya’s objective is to meet Scottish Angel investors and Scaleup Entrepreneurs to discuss how funded Scaleups need to exploit the “Lean Startup principles” to achieve revenue and profit growth.

Michael Clouser, co-founder of The Startup Race, said:

“Introducing Ash Maurya to the Scottish startup community has been a goal for quite some time, and we are thrilled to be able to launch this partnership. We hope Scottish based startup founders, angels and investors find value in these events for future growth in all of their entrepreneurship endeavours.”

For more information on The £10,000 Startup Race, please visit:
https://thestartuprace.com/the-10000-startup-race/

Why should tech companies care about double fetch vulnerabilities?

Fintech companies are facing an increasing need to focus on cybersecurity. Whilst cyber-attacks are on the rise and necessitate the constant evolution of cyber-security solutions, very often the issues arise from known vulnerabilities within existing systems.

In this blog we’re exploring double fetch vulnerabilities.

The phrase ‘double fetch bug’ was first used by Fermin J. Serna in a post on the Microsoft Security and Defense Blog in October 2008, although the bug type had been known about for some time before this.

Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes.

As much of this information is spread across various sources, the whitepaper draws the knowledge together into a single place in order to better describe the different types of the vulnerability, how each type occurs, and the appropriate fixes.

There are two broad general types of double fetch vulnerability: those resulting from coding practices and those introduced by compiler optimization, referred to as a ‘compiler introduced double fetch’ below and in the whitepaper.

Both types of double fetch bug have the same result: an invariant exists involving two or more variables, and one or more of these variables is modified without the invariant being enforced.

Since double fetch bugs can have varying causes, we must consider different solutions for the two different subtypes of double fetch.

  • Double fetch bugs caused from accessing shared memory may be fixed by adding a check against the second fetch, eliminating the second fetch (where practical), or performing the check in a different manner.
  • For compiler-introduced double fetches, the use of volatile variables is one possible solution to the double fetch problem.
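The shared-memory (coding-practice) case and its two fixes, modelled in Python as an added example that is not code from the NCC Group whitepaper. The shared page is a bytearray that both the handler and another party can write; the `race` hook stands in for the concurrent thread and runs in the window between check and use; and `copy_in` refuses, rather than overflowing, when asked to copy more than the kernel-side buffer holds. The compiler-introduced variant cannot be shown this way, since Python does not re-materialise loads.

```python
"""The coding-practice kind of double fetch (a length read once for the bounds
check and again for the copy), modelled in Python so the check/use split is
visible without undefined behaviour.  Added example, not code from the NCC
Group whitepaper.  The 'race' hook stands in for a concurrent writer."""

KBUF_SIZE = 16     # size of the kernel-side buffer the payload is copied into


class SharedPage:
    """Byte 0 holds the length, bytes 1.. the payload.  Reading .length is a
    fresh fetch from shared memory every time, like dereferencing a user pointer."""

    def __init__(self, length, payload=b"A" * 255):
        self.mem = bytearray(256)
        self.mem[0] = length
        self.mem[1:1 + len(payload)] = payload

    @property
    def length(self):
        return self.mem[0]

    @length.setter
    def length(self, value):
        self.mem[0] = value


def copy_in(dst, page, n):
    """Stand-in for copy_from_user: returns False rather than writing past dst."""
    if n > len(dst):
        return False
    dst[:n] = page.mem[1:1 + n]
    return True


def handler_double_fetch(page, race=None):
    """Vulnerable: the length is fetched once for the check and again for the copy."""
    if page.length > KBUF_SIZE:            # first fetch, validated
        return "rejected"
    if race:
        race(page)                         # the other thread runs here
    kbuf = bytearray(KBUF_SIZE)
    # second fetch, never validated: the invariant 'length <= KBUF_SIZE' is lost
    return "ok" if copy_in(kbuf, page, page.length) else "overflow"


def handler_recheck(page, race=None):
    """Fix 1 from the list above: keep the second fetch but check it before use."""
    if page.length > KBUF_SIZE:
        return "rejected"
    if race:
        race(page)
    n = page.length                        # second fetch ...
    if n > KBUF_SIZE:                      # ... validated again
        return "rejected"
    kbuf = bytearray(KBUF_SIZE)
    return "ok" if copy_in(kbuf, page, n) else "overflow"


def handler_single_fetch(page, race=None):
    """Fix 2 from the list above: eliminate the second fetch; check and use one copy."""
    n = page.length                        # the only fetch
    if n > KBUF_SIZE:
        return "rejected"
    if race:
        race(page)                         # can no longer influence n
    kbuf = bytearray(KBUF_SIZE)
    return "ok" if copy_in(kbuf, page, n) else "overflow"


def attacker_write(page):
    """The racing write: enlarge the length after the check has passed."""
    page.length = 200


if __name__ == "__main__":
    for handler in (handler_double_fetch, handler_recheck, handler_single_fetch):
        print(handler.__name__, "without race:", handler(SharedPage(8)),
              "with race:", handler(SharedPage(8), attacker_write))
```

Without the racing write all three handlers behave identically, which is why this bug class survives testing; with it, only the vulnerable handler reaches the copy with a length it never checked. In C the same `copy_in` would write 200 bytes into a 16-byte buffer.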

In conclusion, double fetch bugs can result in privilege escalation vulnerabilities that can allow an attacker with a low privilege account to execute code with elevated privileges, although the exploitable vulnerabilities are a relatively small subset of these bugs.

The full whitepaper from NCC Group describes how best to protect yourself against these vulnerabilities.

Combatting CEOs’ cyber security concerns

By Fraser Wilson, Head of Financial Services at PwC Scotland and Colin Slater, Cyber Security Partner and Scotland Risk Leader.


For businesses with digital adoption high on their agenda, the arrival of the pandemic was undoubtedly a catalyst moment. Customers moved online in their droves, benefitting subscription services from Spotify to Peloton. Retailers moved rapidly to refocus their operations on the web, and customer service channels and ‘face to face’ services via video consultations, from high street banks to doctors’ surgeries, suddenly became normalised.

Scotland has a world leading FinTech ecosystem which has a key role in driving the innovations that allow businesses to transform customer experiences and adapt to a changing environment. However, the rapid pace of change has left many businesses feeling exposed to new risks.

Nearly two thirds (64%) of respondents to PwC’s 25th Annual CEO Survey said that they have significant concerns about cyber threats. In the UK, this outranked health risks, macroeconomic volatility and climate change as the threat to their business that CEOs are most concerned about, further cementing its elevation in the business consciousness.

And CEOs are right to worry. It is an accepted fact that it is not if but when a cyber attack will occur. CEOs’ main concern is a catastrophic incident stunting business growth. As shown by the myriad ransomware cases, a successful cyber attack delivers more complex, existential problems to solve. Associated issues we see, such as not being able to pay salaries, deal with supply chains, place orders or give regulators the information they need, suddenly become pressing if you are in the midst of recovering your whole business.

Risk is a fundamental part of business. Companies are well practised at both mitigating risks and using them to take calculated business steps. Fintechs, in particular, have a role in both the defensive and the proactive use of risk management. Being a good cyber citizen can be a huge market differentiator, and demonstrating a good cyber posture and structure can also be hugely beneficial in any investment or deal situation. Being cyber aware and building a secure business are the foundational aspects for any fintech and will ultimately protect the valuable IP assets they are creating. While CEOs are right to be concerned, having an organisational approach to ‘think cyber’ across all strategic and tactical decisions is key to success. Putting the right structures in place now will ultimately pay dividends in the market later.

Our recent announcement that we’re strengthening our financial services team in Scotland is part of our commitment to helping businesses embrace technology and improve resilience and agility. With our cyber security hub in Scotland we are expanding and delivering services around the world as well as on our doorstep. Our Managed Operations Centre of Excellence is located in Edinburgh, alongside our Threat Intelligence team, so our local footprint is something we are rightly proud of. We’re determined to help CEOs tackle their cyber concerns head on and drive the Fintech agenda in Scotland.

Being a woman entrepreneur in the fintech industry

To celebrate International Women’s Day 2022, we met with Lynne Darcey Quigley, founder and CEO at Scottish fintech Know-it.


Lynne, when did you decide to become an entrepreneur and why?

From a young age I knew I wanted to run my own business.

I’ve always been hardworking and was a skilled credit management consultant so understood that I could build something great by helping businesses in need of recovering unpaid invoices and increasing their cashflow.

I founded Darcey Quigley & Co in 2007 offering commercial debt recovery and sales ledger management that has grown to be one of the UK’s leading commercial debt recovery specialists.

 

What led you to launch Know-it?

Working in the credit industry for over 25 years and running one of the UK’s leading commercial debt recovery specialists for 15 years, I have seen businesses make the same credit management mistakes time and time again.

The businesses I help day to day could avoid the need to use a debt recovery partner if they had implemented a robust credit control process. However, there’s a perceived barrier to this, mainly time and cost.

But the problem of late payments is massive, SMEs in the UK are currently chasing £61 billion in late payments, an increase of 22% since 2020!

Realising the size of the issue with late payments I founded Know-it to give business owners a complete automated end-to-end credit management process that is cost effective. Our automation will save businesses valuable time and help them get paid quicker and boost their cashflow.

 

How will Know-it help businesses avoid problems associated with late payments and improve their cashflow?

Know-it provides businesses with all the tools and intelligence needed for a watertight credit control process, all in one easy to use platform. Know-it brings together the 3 key elements of the credit control process, which we like to call the 3 C’s: Check-it, Chase-it, Collect-it.

Check-it gives businesses the facility to credit check and automatically monitor companies from across the UK with real-time data from independent and reliable sources in just one click. This intelligence will allow businesses to make more informed credit decisions and mitigate credit risk.

Chase-it automatically chases unpaid invoices when they’re due through email, letter and SMS. Our smart integration with leading accountancy packages means Chase-it knows which invoices are due when and how much is owed.

Collect-it offers a much needed safety net by providing the services of leading commercial debt recovery specialists Darcey Quigley & Co to Know-it users with problematic late payers.

 

What is it like to be a woman entrepreneur in the fintech industry?

It’s been fantastic so far! The Scottish fintech community is so vibrant I feel women are very well represented.

I feel very supported in the Scottish fintech space. Schemes such as AccelerateHER and Business Women Scotland are helping female entrepreneurs thrive.

 

Do you feel like investors, potential clients or other stakeholders approach female entrepreneurs differently?

No, it’s never been something I’ve experienced during my fintech journey so far, certainly not with potential clients, partners or other stakeholders.

We’re just getting started with our big push for investment, but so far I haven’t experienced any feelings of being treated differently.

 

According to you, what should be done to ensure more gender diversity in tech?

I believe there’s a lack of awareness of the variety of careers available to women within the IT industry.

It’s not just about coding. There are so many other exciting jobs in the tech sector such as Project Management, Business Analysis, Solutions Architects, as well as a myriad of roles in supporting business functions. We are in tech and big advocates for our industry, so we need to educate girls and women to the variety of careers now available to them.

 

What does the future look like for Know-it? Any exciting developments you can share with us?

Having launched our beta late last year we have aggressive growth plans for 2022.

We’re actively seeking investment now to help us fund these plans.

Our goal is to make Know-it the best credit management platform possible so we’re taking feedback from our users onboard and are always developing our product to meet the needs of our users.

 

Scottish Edge round 19, just over 1 week to apply

Applications are open for Scottish EDGE Round 19 and firms have another week to get involved, with the deadline at 2pm on Tuesday 15th February 2022. Firms will compete to win awards, some of which could be worth up to £100,000.

Interested firms can apply via www.scottishedge.com and will need to complete the online application form which includes a 3-minute video pitch presentation.

Key Support for Round 19:

  • R19 Workshop: an online workshop providing important information for businesses planning to apply is available on replay at https://youtu.be/skeiGHkgA1k

 

  • Impact Section Workshop: a virtual workshop that focuses on the Impact section of the application process. It will take place on Wednesday 9th February, 3pm-4.30pm (registration required).

 

  • R19 Support: there is also lots of support available on the Scottish EDGE website, including the Competition Brochure, a blank application template and an example 3-minute pitch video.

UK-wide Investment Series announced by FinTech Alliance

FinTech Alliance, the Government-backed digital ecosystem for UK FinTech, has launched its third annual Investment Series, announcing FinTech Scotland as a key partner.

The series aims to bring FinTechs from around the UK together to learn about all aspects of a successful funding round and meet high-profile investors. 

FinTechs can: 

– Use the FinTech alliance platform for the duration, including the regulated Investment Hub. 

– Build their pitch deck with advice from FinTech leaders. 

– Network with high profile investors. 

– Learn from a series of hybrid workshops on pitching, negotiating deals and more. 

Signups are now open for the series, and the process will see a number of regional events across the UK to find the most innovative Seed and Series A FinTechs – including an event in Scotland. 

The signup deadline is 30 March, after which there will be a launch party during UK FinTech Week, with workshops running through May and a pitch day in June. 

Not ready to raise funds just yet? No problem! You can still take part in all workshops and build your network. 

We’re delighted to partner with FinTech Alliance on the series. 


For more information, email info@fintech-alliance.com 

Lessons as the latest IPO window starts to close

In recent weeks, there has been a flurry of news articles about the bumper run of IPOs, observed as economies globally look to plot a post-COVID recovery. Ongoing and ultra-lax monetary policies buoy this, though that may be coming to an end. Floats are being postponed or prices slashed by prospective issuers, suggesting that it is inevitable that the window is starting to close, for now anyway.

However, is this such a bad thing? Increasingly IPOs have been looking somewhat disorganised. Whilst fervent day one ‘pops’ in the share prices of newly issued stock may be headline-grabbing, ultimately they suggest that the advisers have miscalled the market. Founders and early-stage investors could have got a far better price had a more considered approach been taken. Indeed, academic thinking from a little over twenty years ago always suggested that involvement in IPOs was a risky proposition, with savings in transaction costs and taxes offset by the fact that the previous investor ought to be selling at the top of the market, and by the opportunity cost of having capital tied up during the pre-IPO period.

It is also worth bearing in mind that even if IPO deal flow does become somewhat more constrained, the option is not being removed indefinitely. This market has always been cyclical, so that it will return. Given that, what takeaways are there from the frantic levels of activity seen over the last twelve months?

Arguably the most important for many will be ensuring that your cap table reflects the needs of the business at the time of float. What will an IPO mean for key staff and early-stage investors who have likely played an instrumental role in getting you this far? And how can these valuable participants be convinced to stick around for the next phase of the journey?

Secondly, there’s that opportunity to ensure your business is IPO-ready. Regardless of the time horizon here, there’s a raft of best practices that you can deploy to make sure your company is in the right shape to facilitate a listing. After all, you may find that time is of the essence at a future date, and such preparedness has longevity: investments now will yield results in the future. That combines to create a situation where you’re getting closer to having liquidity within your privately held business, something that CrowdX is assisting with already, helping bolster the company’s reputation, its brand perception, and the early stages of institutional engagement.

This all means that it should be easier for prospective professional advisers to make more accurate assessments of your company’s value. Those ‘day-one-pops’ in share prices can largely be a simple transfer of wealth from your company to the institutions that can participate at the very outset. Don’t give away wealth unnecessarily.

Looking forward to a month of events

Welcome to September! I’m excited to write this month’s blog post where we highlight the 2021 FinTech Scotland Festival.

September is always a month the FinTech Scotland team look forward to! It’s a time to celebrate fintech, learn about developments, meet new people, and reconnect with old friends who are driving forward fintech innovation across Scotland and across the world.

This year we’re especially grateful to be able to welcome back more in person, and face to face events as we continue to emerge from the necessary restrictions over the last 18 months.

The festival kicks off on the 16th of September with the DIGIT FinTech Summit and concludes with the Times Scotland and Canongate Publishing event on actions and initiatives to drive global fintech leadership on the 14th of October.

For the first time in a long time, we’ll get to see people in person! We’ll experience the atmosphere and energy that comes from fintech innovation and specifically through the people that make fintech.

Fintech entrepreneurs and leaders will share their experiences and talk about the innovations shaping financial services and the future digital economy. We’ll hear from Nucleus, Sustainably and LendingCrowd on their thoughts about the opportunity fintech continues to present and about the fintech Cluster in Scotland. Soar, MoneyMatix and Exizent will give views on the opportunities for fintech to contribute to building back better post COVID. Fintechs such as Pour, Striver, Women’s Coin, Amiqus, Modulr and Gigged.ai also plan to share their experiences and ambitions for the future.

We’ll be hearing directly from fintech entrepreneurs on topics such as fast-tracking innovation, the future of crypto, how blockchain is transforming society, avoiding team burnout in fintech and how to scale a fintech! YES and YES!

The diverse mix of events and topics covered during the festival continues to demonstrate the breadth of opportunity and the significant range of contribution that makes fintech unique, inclusive and collaborative. It’s this support from a wide range of committed participants that allows fintech innovation in Scotland to thrive.

Like every year, our partners are also very much involved and we’re looking forward to attending events from RBS, Pinsent Masons, BT, PwC, Deloitte, The University of Edinburgh, The University of Strathclyde, IBM, Merkle, Checkpoint, SDI and no less than 6 events from the FCA.

We’re particularly excited to welcome colleagues from across the UK and the world as we continue to build national and international collaboration, share knowledge, and learn about fintech developments across regions and geographies.

We’re privileged and inspired to see the leadership, experience and expertise that plan to contribute across all the events, and I’d like to extend my thanks to everyone involved.

I’ll look forward to hearing your experiences and updates across the duration of the festival and I’m very much looking forward to seeing many of you in the coming weeks.

All the best

Nicola