Connect with us

Cyber Security

The Conti Enterprise: Ransomware Gang that Published Data Belonging to 850 Companies

Published

on

Group-IB has today presented its findings of ARMattack, one of the shortest yet most successful campaigns by the Russian-speaking ransomware gang Conti. In slightly more than a month, the notorious ransomware collective compromised more than 40 companies worldwide. The fastest attack took only three days according to Group-IB’s report “CONTI ARMADA: ARMATTACK CAMPAIGN”. In two years, the ransomware operators attacked more than 850 victims including corporations, government agencies, and even a whole country. The research dives deep into the history and major milestones of one of the most aggressive and organized ransomware operations.

Conti is considered one of the most successful ransomware groups. The gang’s existence first came to light in February 2020, when malicious files with the extension “.сonti” appeared on the radar of Group-IB researchers. However, the initial test versions of the malware date back to November 2019. Since 2020, Conti has been dominating the ransomware scene alongside Maze and Egregor in terms of the number of companies whose data has been encrypted.

In 2020, Conti published data belonging to 173 victims on their dedicated leak site (DLS). By the end of 2021, Conti came out on top as one of the largest and most aggressive groups, having published data belonging to 530 companies on its DLS. In just four months in 2022, the group posted information belonging to 156 companies, making for a total of 859 DLS victims in two years, including 46 in April 2022. The actual number of victims is believed to be significantly higher.

Conti and their affiliates attack often and quickly. Group-IB experts analyzed one of the group’s lightning-fast and most productive campaigns, codenamed “ARMattack”. The campaign lasted only about a month (from November 17 to December 20, 2021), but it turned out to be extremely effective. The attackers compromised more than 40 organizations worldwide. Most attacks were carried out in the US (37%), but the campaign also surged through Europe, with victims in Germany (3%), Switzerland (2%), the Netherlands, Spain, France, the Czech Republic, Sweden, and Denmark (1% each). The group also attacked organizations in the UAE (2%) and India (1%).

Historically, the top five industries most frequently targeted by Conti are manufacturing (14%), real estate (11.1%), logistics (8.2%), professional services (7.1%), and trade (5.5%). After gaining access to a company’s infrastructure, the threat actors exfiltrate specific documents (most often to determine what organization they are dealing with) and look for files containing passwords (both plaintext and encrypted). Lastly, after acquiring all the necessary privileges and gaining access to all the devices they are interested in, the hackers deploy ransomware to all the devices and run it.

According to the Group-IB Threat Intelligence team, the gang’s fastest attack was carried out in exactly three days, from initial access to data encryption. Group-IB for the first time analyzed Conti’s “working hours”. Most likely, the group members are located in different time zones; however, the schedule shows their high efficiency: on average, Conti “works” 14 hours a day without holidays (except for “New Year holidays”) and weekends. The group starts working closer to noon (GMT+3) and its activity declines only after 9:00 PM.

The geography of Conti’s attacks is vast but does not include Russia. The group clearly adheres to the unspoken rule among Russian-speaking cybercriminals: do not attack Russian companies. Most attacks occur in the United States (58.4%), followed by Canada (7%), the United Kingdom (6.6%), Germany (5.8%), France (3.9%), and Italy (3.1%).

Another reason behind not targeting Russian companies is that key Conti members refer to themselves as “patriots”. This fact was the cause of an “internal conflict” in the group in February 2022, which resulted in some of Conti’s valuable information being leaked online. The published data included private chat logs, the servers they use, a list of victims, and details of Bitcoin wallets, which stored over 65,000 BTC in total. The leaked chats revealed that the group had faced serious financial difficulties and that their boss had gone off the radar. Yet its members were fully prepared to restart the project after 2 to 3 months.

Despite the “stab in the back” and increased attention from law enforcement, Conti’s appetites continued to increase. They attacked not only large companies, but entire countries as well. Conti’s “cyber war” against Costa Rica in April 2022 led to a state of emergency being declared. Conti has worked closely with other ransomware operators such as Ryuk, Netwalker, LockBit, and Maze. They even tested Maze’s ransomware, reverse-engineered it, and thereby significantly improved their own. An analysis of the ARMattack campaign revealed that the group’s arsenal included not only previously described Windows tools, but also Linux ransomware: Conti and Hive.

That said, the group tends to create unique tools without reusing code snippets. This way, when compared, the code for their tools will not help identify common patterns. Before the chat logs were leaked, cybersecurity researchers could only assume that some RaaS (Ransomware-as-a-service) affiliate programs were in fact Conti divisions. At the same time, the interaction was extensive. Sometimes Conti used network access from other initial access brokers, other times the gang shared their own access for a modest 20% of the revenue.

Just like a legitimate IT business, Conti has its own HR, R&D, and OSINT departments. There are team leads, regular salary payments, and an incentive program. One of Conti’s distinctive features is using new vulnerabilities, which helps the group gain initial access. For instance, Conti was seen exploiting the recent CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 vulnerabilities in the log4j module.

Less than a week later, Conti exploited these vulnerabilities to attack vCenter servers. The leaked chat logs also showed that the group monitors fresh vulnerabilities carefully. One of the tasks from Conti’s CEO to the technical team was to monitor Windows updates and analyze changes made with new patches — which once again highlights the need to install updates as soon as possible. In addition, the Conti crew includes specialists with experience in discovering zero-days.

“Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” says Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence department. “In this industry, Conti is a notorious player that has in fact created an “IT company” whose goal is to extort large sums. It is difficult to predict what will happen to Conti in the future: whether it will continue working after a large-scale rebranding or be divided into smaller sub-projects. It is clear, however, that the group will continue its operations, either on its own or with the help of its “subsidiary” projects.”

Cyber Security

CrowdStrike Announces New Features for the CrowdStrike Falcon Platform

Published

on

CrowdStrike has introduced the industry’s first AI-powered Indicators of Attack (IoAs), new innovations for fileless attack prevention at scale and enhanced visibility for stealthy cloud intrusions. Delivered on the CrowdStrike Falcon platform and powered by the CrowdStrike Security Cloud, these new detection and response capabilities stop emerging attack techniques and enable organizations to optimize the threat detection and response lifecycle with speed, scale and accuracy.

More than a decade ago, CrowdStrike invented IoAs, which brought a fundamentally new approach to stopping breaches based on real adversary behaviour, irrespective of the malware or exploit used in an attack. CrowdStrike has also pushed the boundaries of applying AI in cybersecurity to identify and stop the most advanced, emerging attacks. Now, CrowdStrike is leveraging powerful AI techniques to create new IoAs at machine speed and scale.

“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading Indicators of Attack capability, which revolutionized how security teams prevent threats based on adversary behaviour, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Now, we are changing the game again with the addition of AI-powered Indicators of Attack, which enable organizations to harness the power of the CrowdStrike Security Cloud to examine adversary behaviour at machine speed and scale to stop breaches in the most effective way possible.”

The Falcon platform’s new capabilities include:

Industry’s first AI-powered IoAs
Organizations today are under pressure to defend expanding attack surfaces against emerging threats and adversary tradecraft. With the Falcon platform, organizations can:

  • Detect new classes of attacks, faster than ever: Find emerging attack techniques with new IoAs created by continuously learning AI models trained on real-world adversary behaviour and the world’s richest threat intelligence.
  • Drive automated prevention with high-fidelity detections: Shutdown attacks based on a chain of behaviours, irrespective of the specific malware or tools used, with cloud-native AI models constantly delivered to the Falcon agent with newly-found IoAs.
  • Activate IoAs at cloud scale, trained on human-led expertise: Synthesize insights with AI-powered IoAs from CrowdStrike’s world-renowned threat hunting team to minimize false positives, maximize analyst productivity and deploy threat hunting at scale.

Of note, AI-powered IoAs have identified over 20 never-before-seen adversary patterns, which have been validated by experts and enforced on the Falcon platform for automated detection and prevention.

New innovations for fileless attack prevention at scale
According to the 2022 CrowdStrike Global Threat Report, 62% of all attacks are malware-free. These fileless attacks can be carried out entirely in memory, creating a blindspot for threat actors to exploit. With the Falcon platform, organizations can:

  • Prevent the most advanced fileless attacks: Stop advanced persistent threats (APT) and prevalent tools, like Cobalt Strike, with advanced memory scanning techniques that augment best-of-breed AI/ML and IoA detections with lightning-fast scanning of all memory at an unprecedented scale.
  • Leave bloated memory scanning behind: Shed the heavy resource constraints of legacy approaches that made memory scanning a non-starter with high-performance memory scanning techniques, optimized for Intel CPU/GPUs.
  • Initiate memory scans on behaviour, not a fixed schedule: Automate scans with behaviour-based triggers to find and stop fileless attack patterns in real-time, not after a potential breach.

Enhanced visibility for stealthy cloud intrusions
As Linux environments, data and applications have moved to the cloud, adversaries have also moved to the cloud to open backdoors, steal sensitive data and conceal their movement. With the Falcon platform, organizations can:

  • Hunt stealthy rootkits and reduce dwell time: Identify malicious activity early in the kill chain with deep Linux kernel visibility to fuel threat hunting and investigation of hidden, emerging Linux attacks.
  • Bolster managed cloud threat hunting: Disrupt the most sophisticated threats in cloud environments with new kernel telemetry events for Falcon OverWatch experts, building on CrowdStrike’s recently announced Fallon OverWatch Cloud Threat Hunting service.

“Using CrowdStrike sets Cundall apart as one of the more advanced organizations in an industry that typically lags behind other sectors in IT and cybersecurity adoption,” said Lou Lwin, CIO at Cundall. “Today, attacks are becoming more sophisticated and if they are machine-based attacks, there is no way an operator can keep up. The threat landscape is ever-changing. So, you need machine-based defences and a partner that understands security is not ‘one and done.’ It is evolving all the time.”

According to Forrester, “No security tool can detect every attack. Cybersecurity pits adversaries against defenders. Defensive technologies rely on rules, heuristics, and outliers to find evil. Those technologies lack one essential component that threat hunting introduces: the creativity of the practitioners defending enterprise environments.”

These capabilities are generally available for Falcon Prevent (NGAV) and Falcon Insight (EDR) customers.

Continue Reading

Cloud

Preparing a Secure Cloud Environment in the Digital New Norm

Published

on

Written by Daniel Jiang, General Manager of the Middle East and Africa, Alibaba Cloud Intelligence

As hybrid or remote working is being adopted by many companies globally and becoming the ‘new norm’ for millions of workers, cyberattacks meanwhile continue unabated. Building a secure and reliable IT environment has therefore become an increasingly important priority for many businesses who are exploring opportunities in the global digital economy. While moving to the cloud and using cloud-based security features is a good way to challenge cyber risks, it’s important to delve deeper into how best to construct a secure and reliable cloud environment that can fend off even the most determined attacker.

In today’s digital environment, discussions about cyber security’s best practices have never been more important. The UAE in particular established the Cybersecurity Council to develop a cybersecurity strategy and build a secure cyber infrastructure by creating related regulations. Following this move, the nation ranked 5th place on the International Telecommunications Union’s Global Cybersecurity Index 2020, jumping 33 places and it continues to prioritize cyber security and awareness. Creating a secure cloud environment – from building the architecture to adopting cutting-edge security technologies and putting in place important security management practices – will inspire more thorough conversations on this subject.

A resilient and robust security architecture is essential for creating a cloud environment capable of assuring an organisation about the availability, confidentiality and integrity of its systems and data. From the bottom up, the architecture should include security modules of different layers, so that companies can build trustworthy data security solutions on the cloud layer by layer – from the infrastructure security, data security, and application security to business security layers.

In addition to the security modules of all of the layers, there are a variety of automated data protection tools that enable companies to perform data encryption, visualisation, leakage prevention, operation log management and access control in a secure computing environment. Enterprises can also leverage cloud-based IT governance solutions for custom designs of cloud security systems to meet compliance requirements from network security and data security to operation auditing and configuration auditing. This ensures full-lifecycle data security on the cloud, with controllable and compliant data security solutions in place.

Another consideration is to build a multi-tenant environment, abiding by the principle of least privilege and adopting consistent management and control standards to protect user data from unauthorised access. In addition, establishing strict rules for data ownership and operations on data, such as data access, retention and deletion, is also pivotal in creating a safe environment.

Moreover, enterprises can embrace the zero-trust security architecture and build a zero-trust practice by design to protect the most sensitive systems. The architecture requires everything (including users, devices and nodes) requesting access to internal systems to be authenticated and authorised using identity access protocols. As such, the zero-trust security architecture cuts down on automatic trust, or trust without continuous verification, addressing modern challenges in securing remote working environments, hybrid cloud settings and increasingly aggressive cyber threats.

Cutting-edge security technologies such as comprehensive data encryption, confidential computing and many more emerging tech solutions, can be leveraged to ensure we stay on top of the trends in cybersecurity. Comprehensive data encryption provides advanced data encryption capabilities on transmission links (such as data-in-motion), compute nodes (such as data-in-use), and storage nodes (such as data-at-rest). Key Management Service and Data Encryption Service help users securely manage their keys and use a variety of encryption algorithms to perform encryption operations.

Another emerging technology to safeguard the cloud environment is confidential computing. Confidential computing is dedicated to securing data in use while it is being processed, protecting users’ most sensitive workloads. Confidential computing based on trusted execution environments (TEEs), ensures data security, integrity and confidentiality while simplifying the development and delivery of trusted or confidential applications at lower costs.

It is equally important to adopt proper security management practices and mechanisms to maximise the security protection of one’s critical system and important data. One essential mechanism to protect the cloud environment is to develop a comprehensive disaster recovery system, which enables businesses to configure emergency plans for data centres based on factors such as power, temperature and disasters, and establish redundant systems for basic services such as cloud computing, network and storage. It helps companies to deploy their business across regions and zones and build disaster recovery systems that support multiple recovery models.

Setting the effective reviewing and response mechanism for your cloud security issues is imperative. First, having vulnerability scanning and testing in place is important to assess the security status of systems; second, it is vital to use cloud-native monitoring tools to detect any anomalous behaviour or insider threats; furthermore, establishing proper procedures and responsibility models to quickly and accurately assess where vulnerabilities exist and their severity, will help ensure that quick remedy actions can be taken when security problems emerge.

In the future, developing the security architecture, technologies, management and response mechanism will no longer be perceived as a cost-centre burden for companies, but rather, as critical capabilities to safeguard the performance and security of daily business operations. Crafting a comprehensive cloud security plan, adopting the best industrial practices, and choosing a professional cloud service provider with strong security credentials to work with, should be an imperative subjects in a CXO’s agenda.

Continue Reading

Cyber Security

Hive, LockBit and BlackCat Ransomware Gangs Consecutively Attack the Same Network: Sophos

Published

on

Sophos, a global leader in next-generation cybersecurity, today announced in the Sophos X-Ops Active Adversary whitepaper, “Multiple Attackers: A Clear and Present Danger,” that Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

“It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cybersecurity that includes prevention, detection and response are critical for organizations of any size and type—no business is immune.”

The whitepaper further outlines additional cases of overlapping cyberattacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity but also deleted the activity of LockBit and Hive. In another case, a system was infected by LockBit ransomware. Then, about three months later, members of the Karakurt Team, a group with reported ties to Conti, were able to leverage the backdoor LockBit created to steal data and hold it for ransom.

“On the whole, ransomware groups don’t appear openly antagonistic towards one another. In fact, LockBit explicitly doesn’t forbid affiliates from working with competitors, as indicated in Sophos’ whitepaper,” said Shier. “We don’t have evidence of collaboration, but it’s possible this is due to attackers recognizing that there are a finite number of ‘resources’ in an increasingly competitive market. Or, perhaps they believe the more pressure placed on a target—i.e. multiple attacks—the more likely the victims are to pay. Perhaps they’re having discussions at a high level, agreeing to mutually beneficial agreements, for example, where one group encrypts the data and the other exfiltrates. At some point, these groups will have to decide how they feel about cooperation—whether to further embrace it or become more competitive—but, for now, the playing field is open for multiple attacks by different groups.”

Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured unsecured Remote Desktop Protocol (RDP) servers. In most cases involving multiple attackers, the victims failed to remediate the initial attack effectively, leaving the door open for future cybercriminal activity. In those instances, the same RDP misconfigurations, as well as applications like RDWeb or AnyDesk, became an easily exploitable pathway for follow-up attacks. In fact, exposed RDP and VPN servers are some of the most popular listings sold on the dark web.

“As noted in the latest Active Adversary Playbook, in 2021 Sophos began seeing organizations falling victim to multiple attacks simultaneously and indicated that this may be a growing trend,” said Shier. “While the rise in multiple attackers is still based on anecdotal evidence, the availability of exploitable systems gives cybercriminals ample opportunity to continue heading in this direction.”

Continue Reading
Advertisement


Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.