Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Conti Ransomware. Show all posts

Conti's Legacy: Ransomware's Evolution and Future Threats

Ransomware has been a persistent and highly lucrative threat in the cybersecurity landscape, and one group that has garnered significant attention is Conti. Known for their sophisticated tactics and high-profile attacks, Conti has left a lasting impact on the cybersecurity community. However, recent developments indicate that Conti's legacy is undergoing a transformation, with spinoffs refining their attack strategies and raising concerns about the future of ransomware.

Conti first emerged in 2020 and quickly gained notoriety for its highly effective and profitable ransomware operations. The group targeted a wide range of industries, including healthcare, manufacturing, and finance, leveraging advanced techniques to breach networks and encrypt valuable data. Their success was attributed to their ability to exploit vulnerabilities in organizations' security infrastructure and their aggressive extortion tactics.

However, recent reports suggest that Conti's original group may have disbanded or rebranded, leading to the emergence of spinoffs carrying on their legacy. These new entities, operating under different names, have refined their attack strategies and continue to pose a significant threat to organizations worldwide.

One notable aspect of these spinoffs is their focus on data exfiltration alongside encryption. Instead of merely encrypting files and demanding a ransom, they now steal sensitive data before encryption, increasing their leverage by threatening to expose confidential information if the ransom is not paid. This approach not only amplifies the financial pressure on victims but also raises concerns about potential data breaches and regulatory implications.

To make matters worse, these spinoffs have also adopted a more targeted approach, carefully selecting victims based on their perceived ability to pay a significant ransom. By focusing on organizations with deep pockets or critical infrastructure, they maximize their chances of success and potential profit. Additionally, they have become more adept at evading detection by using sophisticated obfuscation techniques and employing anonymous communication channels.

The evolution of Conti's legacy highlights the need for organizations to remain vigilant and proactive in their cybersecurity measures. This includes implementing robust security controls, conducting regular vulnerability assessments, and educating employees about the risks and best practices for preventing ransomware attacks. It is also crucial for organizations to establish and regularly test incident response plans to minimize the impact and downtime in the event of an attack.

Furthermore, collaboration among law enforcement agencies, cybersecurity firms, and the private sector is essential to disrupt the operations of ransomware groups and bring their members to justice. By sharing threat intelligence and coordinating efforts, the global community can work towards dismantling these criminal networks and mitigating the widespread damage caused by ransomware attacks.

Ransomware Threats in 2023: Increasing and Evolving

Cybersecurity threats are increasing every year, and 2023 is no exception. In February 2023, there was a surge in ransomware attacks, with NCC Group reporting a 67% increase in such attacks compared to January. The attacks targeted businesses of all sizes and industries, emphasizing the need for organizations to invest in robust cybersecurity measures.

The majority of these attacks were carried out by the Conti and LockBit 2.0 groups, with the emergence of new tactics such as social engineering and fileless malware to evade traditional security measures. This emphasizes the need for organizations to address persistent social engineering vulnerabilities through employee training and education.

A proactive approach to cybersecurity is vital for organizations, with the need for leaders to prioritize and invest in robust incident response plans. It's essential to have a culture of security where employees are trained to recognize and report suspicious activity.

According to a Security Intelligence article, the increasing frequency of global cyber attacks is due to several reasons, including the rise of state-sponsored attacks, the increasing use of AI and machine learning by hackers, and the growing threat of ransomware.

The threat of ransomware attacks is expected to continue in 2023, and companies need to have a strategy in place to mitigate the risk. It includes implementing robust security measures, training employees to identify and avoid social engineering tactics, and regularly backing up critical data. As cybersecurity expert Steve Durbin suggests, "Ransomware is not going away anytime soon, and companies need to have a strategy in place to mitigate the risk."

To safeguard themselves against the risk of ransomware attacks, organizations must be proactive. Companies need to focus and invest in strong incident response plans, employee education and training, and regular data backups in light of the rise in assaults. By adopting these actions, businesses can lessen the effects of ransomware attacks and safeguard their most important assets.


FBI: To Install Malware, Hackers are Buying Ad Services

 

The FBI has recommended the citizens to download an ad blocker in order to safeguard themselves from internet security dangers, as cybercriminals use ads to spread ransomware and steal information.  

Trend Micro claims that Royal is the beta version version of the Zeon ransomware that first appeared this year and was linked in August to Conti Team One, one of the organizations responsible for the propagation of the Conti ransomware.

There were three groups of cybercriminals operating behind Conti, one of which switched to Quantum ransomware, another operating the Black Basta, Karakurt, and Blackbyte ransomware families, as well as Royal, and the third being shut down in early 2022, as per a chart that a security expert Vitali Kremez shared in August.

Royal ransomware has been employed in assaults mostly aimed at targets in the US and Brazil, according to Trend Micro. It is typically delivered via callback phishing, tricking victims into downloading remote access software.

The FBI highlighted that these adverts were also used to spoof financial websites, notably exchange platforms for cryptocurrencies.

Businesses employ search engine advertising services to make sure their ads show up at the top of search results with the smallest possible difference between an advertisement and a real internet search result. However, the warning noted that online criminals are also using domains that are similar to legitimate businesses or services to purchase these services for illicit reasons.

How to spot fake advertisements:
  • Prior to clicking an advertisement, check the URL. Look out for typos or unusual suffixes on a link because it will reveal the true URL.
  • If you want to look up businesses, enter the address in the browser's address bar rather than using a search engine like Google. 
  • Try using an ad blocker. These block all advertisements, so you can simply avoid being targeted by fraudulent ads but also fail to see any legitimate ones.
Ad blockers can help consumers avoid misleading adverts, but they can also severely damage their online experience. Many websites depend on advertising, thus some won't let you visit if you are using an ad blocker. When using an ad blocker, be sure to put your preferred websites to the list of the program. This will allow you to see advertising on this site but prevent you from seeing them elsewhere.

To assure the development of strong, safe passwords and keep away of malicious practices, the FBI also advises utilizing a password manager. Another effective strategy for protecting against online attacks is antivirus software.



Conti Gang Doppelganger Adopts Recycled Code 

A ransomware attack from a brand-new gang dubbed 'Monti,' which primarily exploits Conti code has come to the surface. 

The Monti ransomware was found and revealed by MalwareHunterTeam on Twitter on June 30, but Intel471 and BlackBerry independently announced their study into Monti on September 7th.

The malware's developers constitute a well-known ransomware group that has launched numerous attacks. They operate under "Wizard Spider" and could be linked with the global Trickbot cybercrime ring. 

Reportedly, the cybercrime group that has a base in Russia, supports the Russian government's goals, particularly the Ukraine conflict. 

In return for a portion of the ransom money collected, the Conti gang offers 'its members' access to its software. The group's ability to scale operations is a direct result of the aforementioned. The group resorts to the ransomware as a service (RaaS) approach to disseminate the infection.

According to Intel471, "Monti might be a rebranded version of Conti or even a new ransomware version that has been developed utilizing the disclosed source code," it was published on February. It really doesn't appear like Monti has been involved in enough activities for the security company to establish a connection to Conti." 

Since the Conti disclosures in February effectively handed Monti malicious actors a step-by-step roadmap to mimicking Conti's notoriously successful actions, BlackBerry appears to be more certain that Monti is a copycat than a legitimate successor to its namesake.

Apart from one, Monti threat actors used the Action1 Remote Monitoring and Maintenance (RMM) agent, and the majority of Indicators of Compromise (IOCs) discovered by the BlackBerry IR team in the Monti attack were also detected in prior Conti ransomware attacks. 

Experts want to highlight a useful technique that was made feasible by our awareness of the code repetition before  Monti's reuse of Conti's encryptor code. 

The BlackBerry IR team was aware that Conti encryptor payloads do not always completely encrypt each file because we were familiar with Conti v2 and v3 encryptor payloads. Source code research reveals that Conti payloads combine a file's location, type, and size to decide which encryption techniques to employ. 

The BlackBerry IR team was able to recover completely, unencrypted strings from encrypted log files because of this information.

Conti's activities have slowed down recently, some experts have proposed that Conti's reduced activity is the consequence of a rebranding effort similar to those undertaken by various ransomware strains in the past, perhaps involving several members of the Conti gang. Other sources claim that other RaaS firms, like Karakurt and BlackByte, have engaged former Conti operators.

Whether Conti is being dubbed Monti to spoof the earlier strain or it is simply another new ransomware variety remains unclear, we will probably continue to see this new version have an impact on organizations all around the world. However, utilizing publicly accessible binaries to develop fresh ransomware or relaunch an old one would potentially offer defenders a head start as Monti develops.





Networks Breached via Bumblebee Loader


The Bumblebee loader is increasingly being used by hackers linked to the IcedID, TrickBot, and BazarLoader malware to infiltrate target networks and carry out additional post-exploitation operations.

When Google's Threat Analysis Group (TAG) exposed the actions of an initial access broker named Exotic Lily with connections to the TrickBot and the bigger Conti collectives in March 2022, Bumblebee initially came to light.

What is Bumblebee?

Researchers discovered that Bumblebee is a successor for the malware known as BazarLoader, which previously distributed the Conti ransomware.

Spam emails are where the Bumblebee virus first appears. The malicious Dynamic Link Library (DLL) file is finally dropped by the ISO file that can be downloaded using the link in this email. On the victim's computer, the DLL file continues to load Bumblebee's ultimate payload.

An identical replica of the data found on an optical disc, such as a CD or DVD, is stored in an archive file called an ISO file. They are primarily employed to distribute huge file sets intended for burning onto optical discs or backup optical discs.

Analysis by experts 

According to Cybereason, most Bumblebee infections were initiated by end users executing LNK files, which load the malware via a system binary.

As per experts from Cybereason Meroujan Antonyan and Alon Laufer, "the virus is distributed by phishing emails with an attachment or a link to the malicious archive containing Bumblebee."

Bumblebee operators apparently did extensive surveillance after system compromise and diverted command execution output to files for exfiltration.

The loader is launched using the command found in the LNK file, which serves as a conduit for subsequent steps including persistence, privilege escalation, reconnaissance, and data theft.

After attaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally throughout the network. By deploying AnyDesk remote desktop software, persistence is achieved.

The technical report stated that the hackers 'disrupted Active Directory and used confidential data such as users' logins and passwords for lateral movement. Less than two days passed between the initial access and the compromising of Active Directory.

Cybereason asserts that Bumblebee needs to be handled as a serious threat due to the attack's proactivity.


Experts Warn Against Ransomware Hitting Government Organizations

Cyble Research Labs noticed an increase in ransomware incidents in the second quarter of 2022, few of these led a deep impact on the victims, like attack against the Costa Rican government which led to the countrywide crisis. 

Experts warn of ransomware operations targeting government organizations, finding 48 government organizations across 21 countries that suffered 13 ransomware attacks this year. Researchers at Cyble say that hacking groups have modified their strategies, going from enterprises to small states threatening to destabilize government operations. 

Small states become easy targets because of the low levels of critical infrastructure security due to low finances to protect them. 

The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. "A similar attack was seen in May 2021, when the gang targeted Ireland’s publicly funded health care system and demanded a ransom of USD20 million. 

The timing could be a pure coincidence; however, Conti was seemingly trying the same tactics with Costa Rica, but this time on a larger scale, shortly after a change in government in the country," reads a Cyble post. 

After the Costa Rica incident, the Conti ransomware gang also attacked Peru. Other incidents of ransomware attacks were reported in Latin America, which includes Brazil and Peru governmental organizations. 

"Cyble Research Labs conducted research over vulnerable instances of the Peruvian government’s cyberinfrastructure and identified 21 instances from 11 ministerial websites with the most exploited CVEs from 2021," says Cyble. Experts also report sales on underground cybercrime platforms of data extraction from the server of government organizations. 

It includes the Federal Court of Malaysia, the Ministry of Energy and Natural Resources, the Department of Management Services under the Malaysian Ministry of Personnel and Organizational Development, the Civil Service Commission of the Republic of Philippines, and the National Bank of Angola. Experts have highlighted the need for smaller states to strengthen their threat-finding capabilities and to implement quick response mechanisms to cyberattacks. 

Cyble says the importance to spend in capacity building to promote skilled manpower, promote awareness among users, and lessen the technology gap to mitigate their risk impact.

IBM X-Force Finds New Ransomware Group Black Basta

IBM Security X-Force has been keeping an eye on Black Basta, the latest ransomware gang that first surfaced in April 2022. Until now, Black Basta has claimed to attack over 29 different targets in various industries via double extortion techniques. In double extortion, the threat actors execute ransomware along with stealing data and blackmail to post it publicly unless their ransom demands are not met. 

The data discourse points of these ransomware attacks take place on a data leak website called Tor network. To make the victim pay the ransom, the Black Basta group progressively publishes the stolen data on the leak site. The group is still in the early phase of its organization, X-Force has not found any pieces of evidence of distributing the malware or hiring threat actors on underground platforms or the dark web. 

Due to similarities in operations and no affiliation attempts, experts believe that the Black Basta group is a new version of Conti gan, infamous ransomware groups already having various affiliates. But Conti group recently announced that it has no links with the Black Basta ransomware group. X-Force is currently finding the relationship between these two. 

Black Basta ransomware gang works at a very high pace, it hardly alerts the cybersecurity defenders and by the time they realize, the damage has already been done. Experts say it doesn't seem that Black Basta is attacking specific industries or verticals. But for organizations that collect data in large quantities can become a victim of extortion attacks like personally identifiable information (PII), financial credentials, sensitive information, etc are easy targets for attackers.  

Concerned users can read IBM X-Force Definitive Guide to Ransomware and follow some basic guidelines:

  • Having routine backups, both online and offline, a robust backup mechanism helps in recovery from a ransomware attack. 
  • Build a plan to protect against unauthorized data theft, especially as it concerns uploading vast amounts of data to trusted cloud platforms that threat actors might exploit. 
  • Apply user behavior analytics to predict security incidents. If triggered, assume a breach happened- audit, monitor, and act quickly on the attack associated with privileged accounts and groups. 
  • Implement two-factor authentication on each remote access point into an organization network- special attention should be given to disabling or secure remote desktop protocol (RDP) access. Various ransomware attacks in the past were able to exploit weak RDP access to have early access into a network.

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

Russian Groups are Plagued by OldGremlin Ransomware Threat

 

The new cyber-crime squad, known as OldGremlin, is actively targeting banks, medical institutions, software developers, and industrial firms, among other targets. The gang differentiates from all other ransomware groups by launching a limited number of campaigns – just under five since early 2021 – which solely target Russian firms and employ proprietary backdoors developed in-house.

OldGremlin has claimed ransoms as large as $3 million from one of its victims, despite being less active, which may indicate the ransomware business is approaching moonlighting. Two phishing attacks that were conducted near the end of March 2022 constitute the most current OldGremlin activities. It might be too early to say how many organizations were attacked, but security experts say roughly one Russian mining corporation is on the list of victims. The adversary did not deviate from its previously observed strategy of exploiting trending news topics to gain initial access. 

As per cybersecurity experts at Singapore-based cybersecurity firm Group-IB, this time OldGremlin scammed a senior auditor at a Russian financial organization, advising that the Visa and Mastercard payment service systems will be suspended due to recent sanctions placed on Russia.

The email directed recipients to a malicious Dropbox document that downloads TinyFluff, a backdoor that opens the Node.js interpreter and grants the attacker remote access to the target system. The email then allowed OldGremlin remote access to the machine via a malicious file that used a backdoor known as "TinyFluff," which the gang upgraded from a prior backdoor known as "TinyNode." The target receives a ransom note once the attacker has gained access to the system and has access to system data. A mining business, according to Group-IB, is one of the possible victims. 

Another well-known ransomware group, NB65, has been trying to frustrate Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the organization exploited released source code from the Conti Ransomware gang – a Russia-linked threat actor — to create distinct ransomware for the first time. 

The researchers can study the directives for these steps of the assault using a traffic sniffer because they are provided in cleartext.
  • Gathering data on the infected system or device. 
  • Collecting information about the drives that are connected.
  • Executing a command in the cmd.exe shell and passing the output to the command and control server (C2) 
  • Receiving information about the system's installed plugins.
  • Obtaining information about files on the system drive's specified folders puts an end to the Node.js interpreter.
  • Before executing the last step of the assault, TinyCrypt/TinyCryptor, the group's proprietary ransomware payload, OldGremlin can spend months within the infiltrated network. 
The gang only ran one phishing effort in 2021, but it was enough to keep them occupied for the entire year as it gave them initial access to a network of various firms. Apart from the target Russian mining company, Group-IB believes that a higher number of OldGremlin victims will be discovered this year as a result of the group's March phishing operation. 
 
The researchers believe OldGremlin has Russian-speaking members based on the evidence they collected and after examining the quality of the phishing emails and decoy papers. They called the group's understanding of the Russian terrain "astonishing." OldGremlin defies the mold by focusing solely on Russian businesses including banks, industrial corporations, medical institutions, and software producers.

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew

 

Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In a blog post, researchers said since its first attacks in August 2021, Karakurt hacking group has targeted more than 40 organizations in a number of industries in at least eight nations.

In conducting the in-depth research Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, combined with their specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber assault described right here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”

Anonymous : 900,000 Emails From Russian State Media Were Leaked

 

Anonymous which has been trying to target Russia since the invasion of Ukraine has reported more attacks against critical infrastructure sectors, including one which used an "improved" version of Russian Conti ransomware, and has called for the targeting of companies for proceeding to do business in Russia after the slaughter of Ukrainian civilians in Bucha. 

More than 900,000 emails by the All-State Television and Radio Broadcasting Company were purportedly leaked by the NB65 or Network Battalion 65 group, which is linked to the famed hacker collective Anonymous (VGTRK). 

DDoSecrets, a non-profit whistleblower site for news leaks, has rendered the 786.2 GB cache accessible to the public as a torrent file after NB65 apparently shared the hacked emails with them on Monday. In this regard, Emma Best, a co-founder of DDoSecrets said, "An unprecedented expose of state-owned media and propaganda which the Russian government views crucial to the state security."

A hacker organization called NB65 has been infiltrating Russian entities, collecting private data, and exposing it online for the past month, claiming the attacks are related to Russia's occupation of Ukraine. The emails, according to the Everyday Dot, span more than 20 years of correspondence and include discussions about daily operations as well as sanctions put on Russia by many other countries in reaction to its invasion of Ukraine.

Tensor, the Russian space program Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster, are among the Russian organizations said to have been targeted by the hacking group. The stated theft of 786.2 GB of data, comprising 900,000 emails and 4,000 files, was released on the DDoS Secrets website following the attack on VGTRK. Since the end of March, the NB65 hackers have been using a new tactic that is attacking Russian institutions with ransomware assaults. 

Conti's source code was released after the company allied with Russia in the Ukraine invasion, and a security researcher obtained 170,000 internal chat conversations and source code for the company's operation. 

Threat analyst Tom Malka first alerted to NB65's activities but was unable to locate a ransomware sample, and the hacking gang refused to provide it. This changed when a sample of the NB65's updated Conti ransomware executable was published to VirusTotal, letting us see how it functions. 

On VirusTotal, almost all antivirus vendors identify this sample as Conti, and Intezer Analyze discovered it shares 66% of the code with other Conti ransomware samples. When encrypting files, gives NB65's malware a run for its money.

The All-Russian State Television and Radio Broadcaster (VGTRK) is Russia's largest media conglomerate, with five national television channels, two major international networks, five radio shows, and over 80 regional television and radio networks under its umbrella. The ransomware will also leave R3ADM3.txt ransom notes all over the encrypted device, with threat actors accusing President Vladimir Putin of invading Ukraine for the attacks. 

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.

Ukrainian Security Researcher  Source Code for New Conti Malware Has Been Exposed

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a ransomware gang based in Russia which uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands are in the millions of dollars, Coveware thinks the average Conti demand is just over $765,000. 

The renowned Conti ransomware organization published a statement soon after Russia launched its incursion of Ukraine, warning this was prepared to strike the key infrastructure of Russia's adversaries in revenge for any assaults on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After a period of inactivity of more than two weeks, the Twitter account resurfaced over the weekend, releasing what looks to be the source code for a newer version of Conti. Previously, some speculated that the leaker was a Ukrainian security researcher, while others speculated that he was a rogue employee of the Conti group. Messages were leaked and shared. 

The discharge of ransomware source code, particularly for advanced operations such as Conti, can have catastrophic consequences for corporate networks and consumers. This is due to the fact other threat actors frequently exploit the disclosed raw code to create their own ransomware attacks. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to begin various operations.

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has upgraded the Conti ransomware advisory to include indications of compromise (IoCs) that comprise almost 100 domain names utilized in criminal operations. 

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware assaults that attacked organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared their support for Russia in the Ukraine invasion. 

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others of them may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware assaults does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher. 

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.

Ukrainian Researcher Released  Software for Conti Ransomware

 

Conti, the notorious ransomware gang, is now the subject of cyberattacks following its proclamation early last week, it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code. 

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: speaking 400 files and tens of thousands of lines of Russian-language internal chat logs. Messages from January 2021 to February 27 of such a year can be found in the internal communication files.

Its analysis cited a cybersecurity bulletin issued jointly by the Cybercrime and Infrastructure Agency (CISA) and the FBI over the weekend, which warned Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and key infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions. 

Throughout the night, ContiLeaks began publishing more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. A password-protected folder including the source code for the Conti ransomware encryptor, decryptor, and function Object() { [native code] } was one component of the release to get people interested.While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the Conti ransomware malware files' source code. 

The code may not provide more information if you are a reverse engineer. For those who can program in C but not reverse engineer, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having this code available to the public has its pitfalls. Threat actors immediately coopt the code to establish their own operations, as we observed when the HiddenTear (for "educational purposes") and Babuk malware source code was leaked. 

In May, the FBI issued a five-page [PDF] warning to American firms about Conti ransomware assaults on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million. 

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.

AnchorDNS Loophole of a TrickBot Spyware Upgraded to AnchorMail

 

Even after the TrickBot infrastructure was shut down, the malware's operators continued to improve and retool its arsenal in preparation for attacks which ended in the distribution of the Conti ransomware. The new, improved edition of the criminal gang's AnchorDNS backdoor was called AnchorMail by IBM Security X-Force, which discovered it. 

According to IBM's malware reverse researcher Charlotte Hammond, AnchorMail "uses an email-based [command-and-control] server with which it connects using SMTP and IMAP protocols over TLS." "AnchorMail's behavior is essentially similar to vs its AnchorDNS predecessor, excluding the redesigned C2 communication method." 

The Trickbot Group, also known as ITG23 on X-Force, is a cybercriminal group best known for creating the Trickbot financial Trojan. Originally discovered in 2016, it was used to aid online banking fraud, initially. The gang adapted to the ransomware economy by gaining a footing for ransomware assaults utilizing its Trickbot and Bazarloader payloads, a tight partnership with both the Conti ransomware-as-a-service provider (RaaS). 

ITG23 is also known for creating the Anchor malware framework, which includes the AnchorDNS variant. In 2018 various high-profile targets were being infected with Trickbot or Bazarbackdoor, another ITG23 backdoor. AnchorDNS is known for using the DNS protocol to communicate with its Command and Control (C2) server. The improved backdoor, dubbed AnchorMail or Delegatz by IBM Security X-Force researchers, now communicates with an email-based C2 server through SMTP and IMAP protocols via TLS. AnchorMail's functionality is essentially similar to its AnchorDNS predecessor for most of its part, with the exception of the redesigned C2 communication mechanism. 

The uncovering of this updated Anchor variant adds an extra inconspicuous backdoor during ransomware assaults, demonstrating the group's drive to continually improve its malware. AnchorMail provides a scheduled job for persistence after execution, which is set to execute every 10 minutes. It then gathers basic system data, registers with its C2, and enters a loop of monitoring for and executing commands received. 

The command structure of the backdoor and AnchorDNS appear to be fairly similar, and both forms appear to accept the same set of control codes, which allow a variety of various possibilities for processing orders and payloads received from the C2. The commands include the ability to run binaries, DLLs, and shellcode downloaded from a remote server, as well as launch PowerShell commands and erase themselves from infected PCs. 

"The revelation of this new Anchor version adds a new covert gateway used during ransomware assaults, AnchorMail has only been seen to target Windows PCs so far. However, given the AnchorDNS has been adapted to Linux, a Linux-based version of AnchorMail appears inevitable," said Charlotte Hammond, BM's malware reverse engineer.

Conti Cyberattack Reported via Bank Indonesia

 

The Indonesian central bank was hit by ransomware, but the threat was reduced and the attack had no impact on the country's essential services. As per the bank, the situation was contained before it had a negative influence on BI's essential services, as Reuters initially reported.

"Last month, BI was informed of a ransomware attack. The bank was targeted by a cyber-attack. This is a true crime, the bank had witnessed," said Erwin Haryono, spokesman for Bank Indonesia. 

According to CNN Indonesia, the criminals allegedly took "non-critical" staff data and planted ransomware payloads on multiple computers on the bank's network during the attack on a central bank branch on the island of Sumatra. While Bank Indonesia didn't disclose who was behind the ransomware assault, security experts believe it was perpetrated by the Conti ransomware gang. 

Conti is a Russian-speaking ransomware cell that has infected over 400 companies globally, including 290 in the United States alone. Phishing emails (malicious URLs or attachments) or stolen/cracked windows remote protocol (RDP) credentials are primarily used attack vectors by Conti attackers to access victim networks. 

The group appears to target high-profile company networks, which infiltrate by using BazarLoader or TrickBot malware to gain illegal remote access to crucial devices. Threat actors strive to spread the infection by infecting additional linked devices after compromising the network. The cybercriminals then take records, encrypt servers and desktops, and demand a ransom payment. 

The Conti ransomware group claimed responsibility for the attack and listed Bank Indonesia among its victims on a Tor leaks site, claiming to have stolen about 14 GB (13.88 GB) of data.

Ransomware is used by cybercriminals to infiltrate selected network operations, infect critical data, and encrypt systems, rendering it unavailable to others. To decrypt infected systems, threat actors demand a ransom. If the victim continues to resist, hackers can threaten to expose secret information in order to put more pressure on the individual or organization.

Bank Indonesia should analyze the severity of the attack, according to Miftah Fadhli, a cybersecurity specialist at the NGO Institute of Policy Research and Advocacy (ELSAM), because it might "carry a major danger" and affect its transactions.

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers

 

The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw. 

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw. 

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12. 

The group began seeking fresh victims the next day, with the intention of lateral migration to VMware vCenter networks, as per Advanced Intelligence (AdvIntel), a cybercrime and hostile disruption firm. Log4Shell has impacted dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one among them, with 40 products listed as vulnerable. 

While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released. Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – Vmware 

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer. 

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders are aimed at stopping Log4Shell attacks on Internet-connected devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged to attack internal systems that aren't as well-protected. 

Conti ransomware affiliates had already invaded the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers. This indicates that Conti ransomware members used a different initial access vector to infect a network (RDP, VPN, email phishing) and are now utilising Log4Shell to move laterally on the network. 

Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. Hundreds of attacks have been carried out by the group, with its data leak site alone reporting over 600 victim firms who did not pay a ransom. Other firms who paid the actor to have their data decrypted are also included. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.

Graff : Victim of a Digital Heist

 

Hackers have stolen a huge amount of the personal information of various bigwigs, including global presidents, famous Hollywood stars, and rich tycoons, in a spectacular 'virtual theft' on the exclusive jewelry business 'Graff,' according to The Mail on Sunday. 

Cyber crooks have already released approximately 69,000 private papers on the 'black web.' Several files hold information about former US President Donald Trump, Sir Philip Green, David Beckham, and Oprah Winfrey, among others. 

Graff is a London-based global jeweler. Laurence Graff, a British jeweler, launched it in 1960. Graff operates as a vertically integrated corporation, designing, manufacturing, and retailing jewelry and timepieces. 

Hackers appear to be asking tens of millions of pounds in ransom money to prevent the publication of additional critical material. Conti, a well-known Russian hacker organization, is responsible for data theft. It further alleges that the material revealed, which covers around 11,000 of Graff's rich clients, represents only 1% of the data taken. 

Philip Ingram, former colonel, British military intelligence, said, "Given the profile of the customer database, this is massive." 

"This is going to bring the highest levels of international law enforcement down on the gang, and that's going to give them a whole lot of headaches in trying to get the ransom paid and then get away with it," added Ingram. 

Invoices, receipts, client lists, and credit notes are examples of documents that might have been stolen. They may be humiliating for certain individuals who may have purchased presents for hidden lovers or accepted jewelry as bribes. 

A spokesperson for Graff said: “Regrettably we, in common with several other businesses, have recently been the target of a sophisticated – though limited – cyber-attack by professional and determined criminals. We were alerted to their intrusive activity by our security systems, allowing us to react swiftly and shut down our network. We notified, and have been working with, the relevant law enforcement agencies and the ICO. We have informed those individuals whose personal data was affected and have advised them on the appropriate steps to take.”

Trickbot Uses New Distribution Mechanisms to Disseminate Malware

 

The creators of the harmful TrickBot malware have emerged with new tricks aimed at widening the malware's dissemination routes, eventually culminating to the deployment of ransomware like Conti. According to a report by IBM X-Force, the threat actor known as ITG23 and Wizard Spider has been discovered to collaborate with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are relying on to deliver proprietary malware. 

TrickBot is a well-known banking Trojan that has been operating since October 2016, and its creators have kept it updated by adding new features. The botnet is still available via a multi-purpose malware-as-a-service (MaaS) model. Threat actors use the botnet to spread malware like Conti and Ryuk, which steals personal information and encrypts it. More than a million computers have been compromised by the Trickbot botnet so far. 

"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said. 

Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division Symantec teamed forces in October to launch a concerted effort to shut down the infamous TrickBot botnet's command and control infrastructure. Despite the fact that Microsoft and its allies pulled the TrickBot infrastructure down, its operators sought to restart operations by bringing new command and control (C&C) servers online. 

In a malware campaign aimed at corporate users earlier this year, the cybercrime group used email campaigns to send Excel documents and a call center ruse known as "BazaCall." The gang formed a collaboration with two notable cybercrime affiliates in June 2021, which included the use of hijacked email threads and bogus website consumer inquiry forms.

"This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," the researchers said. 

The Hive0107 affiliate is said to have adopted a new tactic in one infection chain observed by IBM in late August 2021, which involves sending email messages to target companies informing them that their websites have been performing distributed denial-of-service (DDoS) attacks on its servers, and urging the recipients to click on a link for more evidence. When the link is clicked, a ZIP archive containing a malicious JavaScript (JS) downloader is downloaded, which then contacts a remote URL to download the BazarLoader malware, which drops Cobalt Strike and TrickBot.