The ongoing war between Russia and Ukraine has led to a wide range of impacts and outcomes globally, and across industries. In the cyber domain, one of the most recent outcomes is the leak of a massive information source associated with the Conti crime group – including internal messages and Trojan source code – over the last two weeks.
The disclosure of Conti’s internal messages has given us a glimpse into this cybercrime group’s operations across numerous breaches, through details of the internal politics and struggles, negotiations, and successful ransomware attacks that were waged against many of the breached organizations.
Following our analysis of the leaked information, coupled with our vast experience in dealing with Conti over the last few years, we would like to share some insights regarding the group’s modus operandi, and to focus on what differentiates between the group’s struggles, and their successful breaches.
an opportunist will always be an opportunist
Although there have been occasions in which the crime group focused attack efforts on certain sectors and areas around the globe, the defining characteristic of Conti’s operations is their opportunistic approach. Rather than investing extensive effort in overcoming a complex, targeted challenge, Conti exploits current situations as they occur and develop. An example of this is Conti’s leveraging of legacy systems and several well-known exploits (such as, EternalBlue, which is a well-known exploit that has been in use since 2017, and does not affect modern devices) to compromise additional endpoints, in order to move laterally within a network and achieve full domain compromise.
Other examples of Conti breaches demonstrate the opportunities that are obtained by compromising a new account; but primarily, an opportunistic approach involves attempting to find the fastest path to a domain admin account.
Our analysis reveals several situations in which Conti encountered an increasing level of difficulty when pursuing breaches. For example, attack attempts using old exploits were prevented by system patches, and harvested credentials did not create additional attack opportunities, due to correct management of privileged account passwords, for example, by implementing a PIM/PAM solution and managing local administrator accounts correctly.
The leaked internal chat messages reveal several cases in which Conti struggled to overcome the challenge presented by having MFA configured on external gateways to the network, such as a VPN or an application gateway. For instance, when attempting to compromise users and machines that must provide an MFA token to log in to the corporate environment, it appears that the group only operates when there is an active session on the compromised machine; the cost of waiting for such an opportunity adds another 1-2 weeks to the process of the breach. During that time, the group may move to other, more inviting, vulnerable targets – alternatively, they run the risk of having the attempt detected and contained by the security team of the targeted organization.
quick & dirty
The Conti breaches aim at quick monetization rather than selecting and investing a lot of effort into attacking one victim. Details extracted from the internal chats reveal several cases in which Conti attempted to use exploits or deploy a piece of malware which failed. These failures were often followed by additional attempts to execute the same exploit, or to deploy different malware on the same host until one of the attempts is successful. This haphazard approach is likely to generate critical security alerts, giving the security team of the targeted organization an indication that something is happening in their network.
In some cases, remediation efforts were initiated, but did not completely eradicate Conti’s access. This enabled Conti not only to continue their operation, but also to increase the pace of their attack, while using whatever level of access they could leverage (for instance, attempting to use compromised credentials that were not rotated), with the aim of achieving some form of monetization before losing access. This serves to highlight that the eradication process of an active compromise should be handled delicately, and with a complete monitoring effort to support the process.
We identified a number of takeaways based on the content of this leaked resource. Our primary conclusion is that by implementing basic security best practices and committing to a thorough, calculated detection and response process, opportunistic attacks such as Conti’s can, for the most part, be effectively thwarted.
- Follow well-known security recommendations in order to prevent not only successful Conti attacks, but also many of the major breaches – or at least significantly hinder and delay serious blows to an organization:
- Enable two-factor authentication on external-facing applications and sensitive
- Enhance password hygiene practices.
- Actively implement patch management for endpoints, servers, and applications.
- Apply network segmentation and separate the backup environment from the network.
- Investigate critical alerts thoroughly. Do not settle for eradicating confirmed malware: investigate its source and any potentially or actually compromised peripherals.
- Approach remediation and backdoor eradication with caution, as such mitigation activities might tip off the threat actor that someone is on to them. Ensure that the process you are undertaking is comprehensive, and support the remediation with tailored monitoring efforts in order to prevent further risk, and to detect any backdoors that might have been missed.
Contributors: Amnon Kushnir, Yoav Mazor, Noam Lifshitz, Etai Livne, Yoav Flint, Amir Becker
To learn more about Sygnia's Incident Response services click here.
If you are currently impacted by a cyber incident, or are seeking guidance, please contact us at firstname.lastname@example.org or our 24/7 hotline +1-877-686-86
This advisory and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is provided on an as-is basis, and without warranties of any kind.