Protecting your tech startup against Conti type ransomware
Blog written by Alex Jessop, Managing Security Consultant (CIRT) at NCC Group
March saw a 53% increase in ransomware attacks over February, continuing the upward trend for 2022. Conti were the second most prolific group, responsible for 27.52% of the ransomware attacks occurring worldwide. FS-ISAC, in their “Navigating Cyber 2022” report, stated that, given the trends observed over recent years, ransomware will remain a top cyber threat to financial institutions.
Conti are just another in a long line of Advanced Persistent Threat (APT) actor groups targeting organisations for monetary gain. While their arsenal may include some custom tooling, the majority of their Tactics, Techniques and Procedures (TTPs) are well known and used by multiple APT groups. A large proportion of the incidents observed by NCC Group could easily have been prevented if policies had been followed or proactive measures taken to understand weaknesses in the environment.
Taking the following three steps will drastically reduce the likelihood of a successful compromise:
- Robust patch management policy
  - The majority of initial access vectors observed in Conti attacks would be mitigated
- Enforcing the principle of least privilege
  - Restricting user permissions would reduce the likelihood of post-exploitation if initial access is gained
- Restricting internet access on servers
  - Connectivity is key to threat actors; a compromise would be substantially more difficult if the server estate could not communicate openly with the internet
In February 2022, a Twitter account using the handle ‘ContiLeaks’ started to publicly release information on the operations of the cybercrime group behind Conti ransomware. The leaked data included private conversations between members, along with source code and methods of delivery. Furthermore, even though the leaks appeared to focus on the people behind the Conti operations, the leaked data confirmed (at least in the public domain) that the Conti operators are part of the group which operates under the ‘TheTrick’ ecosystem. For the past few months there had been a common misconception that Conti was a separate entity.
Despite the public disclosure of their arsenal, it appears that Conti operators continue business as usual: compromising networks, exfiltrating data and finally deploying their ransomware. The aim of this article is to describe the methods and techniques we observed during recent incidents that took place after the data was leaked.
Our findings can be summarised as below:
- Multiple different initial access vectors have been observed.
- The operator(s) use service accounts of the victim’s Antivirus product in order to move laterally through the estate and deploy the ransomware.
- After gaining access, the operator(s) attempted to remove the installed Antivirus product.
- To achieve persistence on the compromised hosts (maintain access), multiple techniques were observed:
  - A service created for the execution of Cobalt Strike.
  - Multiple legitimate remote access software tools found, including ‘AnyDesk’, ‘Splashtop’ and ‘Atera’.
  - A local admin account ‘Crackenn’ created. (Note: this has previously been reported by Truesec as a Conti behaviour.)
- Before starting the ransomware activity, the operators are known to have exfiltrated data from the network with the legitimate software ‘Rclone’.
It should be noted that the threat actor(s) might use different tools or techniques in some stages of the compromise.
Two initial access vectors have been observed recently: phishing emails and the exploitation of Microsoft Exchange servers. The phishing email, delivered to an employee, proceeded to download and install malware which gave the threat actor direct access to the host.
The targeting of Microsoft Exchange saw the ProxyShell and ProxyLogon vulnerabilities exploited, giving threat actors direct access to the Exchange servers. When this vector was observed, the compromise of the Exchange servers often took place two to three months prior to the post-exploitation phase.
Other initial access vectors utilised by the Conti operator(s) are:
- Credential brute-force
- Use of publicly available exploits. We have observed the following being exploited:
  - FortiGate VPN
- Phishing e-mail sent from a legitimate compromised account, including email accounts of trusted partners
Discovery and Lateral Movement
Once a threat actor has gained access to a host on the network, they deploy tooling or execute Windows commands to identify hosts on the estate and potential pathways to their objectives.
Typically they begin with network scanning tools to build a picture of the estate and identify what is reachable from the host they currently control. Next they use Windows domain discovery tools to identify users on the domain, as well as user groups, which will assist in escalating their privileges.
Lateral movement is usually performed by either:
- Use of Remote Desktop Protocol (RDP) to log onto hosts remotely
- Access across open network shares to copy and execute malware
This phase often occurs within hours or days of initial access being gained.
The threat actor leveraged Windows Services to add persistence for the Cobalt Strike beacon. Cobalt Strike is a popular tool for adversary simulation and was the main command and control framework utilised by this group.
In addition, services were also installed to provide persistence for the remote access tools deployed by the threat actor.
Local accounts have also been created by the threat actor on patient zero to maintain access.
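The three persistence techniques described above (a service installed to run the Cobalt Strike beacon, services for remote access tools, and a local account created on patient zero) all leave ordinary Windows event-log records: System event 7045 for a new service and Security event 4720 for a new user. The triage script below is an added example, not code from the original post or from NCC Group; it runs over constructed sample events shaped like a flattened event export. The remote-access-tool substrings, the "unusual service binary" heuristics (user-writable paths, services that just launch a script host) and the field names are assumptions; the only indicator taken from the post is the account name ‘Crackenn’.

```python
"""Triage Windows event-log records for persistence: services installed to
run Cobalt Strike or a remote access tool, and local accounts created.

SAMPLE_EVENTS is a constructed export (System 7045 "service installed",
Security 4720 "user account created"); it is not data from a real incident.
"""
import re

# Assumed substrings identifying the remote access tools named in the post.
REMOTE_ACCESS_TOOLS = ("anydesk", "splashtop", "atera")

# Assumed heuristics: a service binary living in a user-writable location,
# or a service "binary" that is really a command line launching a script
# host (a common shape for a Cobalt Strike service persistence entry).
SUSPICIOUS_PATH = re.compile(
    r"\\users\\|\\temp\\|\\programdata\\[^\\]+\.(exe|dll)$|\\perflogs\\",
    re.IGNORECASE)
SUSPICIOUS_LAUNCH = re.compile(
    r"(cmd\.exe\s+/c|powershell[^\s]*\s.*(-enc|-e\s|-nop)|rundll32\.exe)",
    re.IGNORECASE)

# Account name reported in the post as a Conti indicator (compared lowercase).
KNOWN_ACCOUNT_IOCS = {"crackenn"}

# Constructed sample export: one dict per event. The encoded-command payload
# is a placeholder, not a real command.
SAMPLE_EVENTS = [
    {"host": "SRV-FILE01", "event_id": 7045, "service_name": "Spooler Helper",
     "image_path": r"C:\Windows\Temp\wsvc.exe", "account": "LocalSystem"},
    {"host": "WS-0421", "event_id": 7045, "service_name": "AnyDesk Service",
     "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service",
     "account": "LocalSystem"},
    {"host": "SRV-DC01", "event_id": 7045, "service_name": "Windows Update Helper",
     "image_path": r"%COMSPEC% /c powershell -nop -w hidden -enc AAAAPLACEHOLDER",
     "account": "LocalSystem"},
    {"host": "SRV-APP02", "event_id": 7045, "service_name": "Contoso Backup Agent",
     "image_path": r"C:\Program Files\Contoso Backup\agent.exe",
     "account": "LocalSystem"},
    {"host": "WS-0421", "event_id": 4720, "target_user": "Crackenn",
     "subject_user": "jsmith"},
    {"host": "SRV-FILE01", "event_id": 4720, "target_user": "svc_backup_tmp",
     "subject_user": "Administrator"},
]


def classify_service(event):
    """Return the rule names a 7045 event trips (empty list when benign)."""
    path = event["image_path"]
    hits = []
    if any(tool in path.lower() for tool in REMOTE_ACCESS_TOOLS):
        hits.append("remote-access-tool-service")
    if SUSPICIOUS_PATH.search(path):
        hits.append("service-from-user-writable-path")
    if SUSPICIOUS_LAUNCH.search(path):
        hits.append("service-launches-script-host")
    return hits


def classify_account(event):
    """Every new local account is worth a look; a known IOC name is escalated."""
    hits = ["local-account-created"]
    if event["target_user"].lower() in KNOWN_ACCOUNT_IOCS:
        hits.append("known-ioc-account-name")
    return hits


def triage(events):
    """Run both classifiers and return one finding per (host, rule) hit."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045:
            rules = classify_service(ev)
            detail = f'{ev["service_name"]} -> {ev["image_path"]}'
        elif ev["event_id"] == 4720:
            rules = classify_account(ev)
            detail = f'{ev["target_user"]} created by {ev["subject_user"]}'
        else:
            continue
        for rule in rules:
            findings.append({"host": ev["host"], "rule": rule, "detail": detail})
    return findings


def hosts_to_review(findings):
    """Hosts with findings, most distinct rules tripped first."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(per_host, key=lambda h: (-len(per_host[h]), h))


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f'{f["host"]:12} {f["rule"]:32} {f["detail"]}')
    print("review order:", hosts_to_review(results))
```

The host ordering is the useful output: a workstation that gained both a remote-access-tool service and a new local account in the same window is the one to image first, while a single service from an odd path on a server is a lower-confidence lead that still needs a look.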
Conti operator(s) managed to escalate their privileges by compromising and using different accounts found on the compromised host. In engagements undertaken by NCC Group, these credentials were found to have been obtained with tools such as Mimikatz, a well-known tool for extracting credentials from running processes.
One operator was also observed exploiting ZeroLogon to obtain credentials and move laterally.
Exfiltration and Encryption
Similar to many other threat actors, Conti operator(s) exfiltrate a large amount of data from the compromised network using the legitimate software ‘Rclone’, a file transfer tool used to manage files on cloud storage or a private file server. When cloud storage is used, Mega is the option chosen by this group.
Soon after the data exfiltration, the threat actor(s) started the data encryption. We estimate that the average time between lateral movement and encryption is five days.
As discussed previously, the average dwell time of a Conti compromise is heavily dependent on the initial access method. In those incidents that involved ProxyShell and ProxyLogon, the time between initial access and lateral movement was three to six months. However, once lateral movement is conducted, completing their objective is a matter of days.
- Monitor firewalls for traffic categorised as filesharing
- Monitor firewalls for anomalous spikes in data leaving the network
- Patch externally facing services immediately
- Monitor installed software for remote access tools
- Restrict RDP and SMB access between hosts
- Implement a robust password policy
- Provide regular security awareness training
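The first two recommendations above (monitor firewall traffic categorised as file sharing, and watch for anomalous spikes in data leaving the network) are the controls that would have surfaced the Rclone exfiltration described in the Exfiltration and Encryption section. The script below is an added example, not code from the original post or from NCC Group. It runs over a constructed CSV-shaped firewall log; the column names, the "file-sharing" category label, the destination hostnames and the spike thresholds (10× the host's own median hour, and at least 500 MB) are all assumptions rather than any vendor's format or a recommended setting.

```python
"""Detection logic for two of the recommendations: egress to file-sharing
destinations, and a per-host spike in outbound bytes against the host's own
recent baseline.

SAMPLE_LOG is a constructed firewall export in a generic CSV shape; it is
not data from a real incident.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

SPIKE_FACTOR = 10                 # assumed: hour must exceed 10x the host's median hour
SPIKE_MIN_BYTES = 500_000_000     # assumed: and move at least 500 MB
FILE_SHARING_CATEGORIES = {"file-sharing", "cloud-storage"}   # assumed labels

# Constructed sample: a file server with six quiet hours, then ~38 GB to a
# file-sharing destination; a workstation with normal browsing plus a tiny
# upload to the same destination.
SAMPLE_LOG = """\
timestamp,src_host,dst_host,category,bytes_out
2022-04-11T01:00:00,SRV-FILE01,updates.contoso-example.com,software-update,8400000
2022-04-11T02:00:00,SRV-FILE01,updates.contoso-example.com,software-update,7900000
2022-04-11T03:00:00,SRV-FILE01,updates.contoso-example.com,software-update,8100000
2022-04-11T04:00:00,SRV-FILE01,updates.contoso-example.com,software-update,8600000
2022-04-11T05:00:00,SRV-FILE01,updates.contoso-example.com,software-update,7700000
2022-04-11T06:00:00,SRV-FILE01,updates.contoso-example.com,software-update,8200000
2022-04-11T07:05:00,SRV-FILE01,files.example-share.net,file-sharing,21000000000
2022-04-11T07:40:00,SRV-FILE01,files.example-share.net,file-sharing,17000000000
2022-04-11T09:00:00,WS-0099,www.example-news.com,news,1200000
2022-04-11T10:00:00,WS-0099,www.example-news.com,news,900000
2022-04-11T11:00:00,WS-0099,files.example-share.net,file-sharing,2000000
2022-04-11T12:00:00,WS-0099,www.example-news.com,news,1500000
"""


def parse_log(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(r["timestamp"]),
                     "src": r["src_host"], "dst": r["dst_host"],
                     "category": r["category"], "bytes": int(r["bytes_out"])})
    return rows


def file_sharing_egress(rows):
    """Rule 1: total bytes per (host, destination) where the destination is
    categorised as file sharing. Any hit is worth a look, whatever the size."""
    out = defaultdict(int)
    for r in rows:
        if r["category"] in FILE_SHARING_CATEGORIES:
            out[(r["src"], r["dst"])] += r["bytes"]
    return dict(out)


def hourly_totals(rows):
    """Outbound bytes per (host, hour bucket)."""
    totals = defaultdict(int)
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(r["src"], hour)] += r["bytes"]
    return totals


def egress_spikes(rows):
    """Rule 2: hours in which a host sent far more than its own median hour.
    The median is used as the baseline so one huge hour does not drag the
    baseline up with it."""
    per_host = defaultdict(list)
    for (src, hour), b in hourly_totals(rows).items():
        per_host[src].append((hour, b))
    spikes = []
    for src, hours in per_host.items():
        if len(hours) < 3:
            continue   # too little history to form a baseline
        baseline = statistics.median(b for _, b in hours)
        for hour, b in sorted(hours):
            if b >= SPIKE_MIN_BYTES and b > SPIKE_FACTOR * baseline:
                spikes.append({"host": src, "hour": hour.isoformat(),
                               "bytes": b, "baseline": baseline})
    return spikes


def hosts_tripping_both(rows):
    """Correlate the two rules: a host that both spiked and talked to a
    file-sharing destination is the highest-priority lead."""
    fs_hosts = {src for (src, _dst) in file_sharing_egress(rows)}
    spike_hosts = {s["host"] for s in egress_spikes(rows)}
    return sorted(fs_hosts & spike_hosts)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (src, dst), b in file_sharing_egress(rows).items():
        print(f"file-sharing egress: {src} -> {dst}: {b:,} bytes")
    for s in egress_spikes(rows):
        print(f"spike: {s['host']} at {s['hour']}: {s['bytes']:,} bytes "
              f"(baseline {s['baseline']:,})")
    print("investigate first:", hosts_tripping_both(rows))
```

Run against real exports, the baseline window should be the host's own history over days rather than hours, and a server that legitimately syncs backups to cloud storage will need to be allow-listed by destination rather than by category; the point of correlating the two rules is that a file server which normally never talks to a file-sharing service, suddenly moving tens of gigabytes to one, is the pattern described in the Rclone finding.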