{"id":7527,"date":"2021-07-07T20:13:45","date_gmt":"2021-07-08T03:13:45","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7527"},"modified":"2023-04-05T12:39:12","modified_gmt":"2023-04-05T19:39:12","slug":"is-conti-ransomware-on-a-roll","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/is-conti-ransomware-on-a-roll\/","title":{"rendered":"Is Conti Ransomware on a Roll?"},"content":{"rendered":"<p><strong>{Update\u00a0September 2021}:\u00a0<\/strong>The Conti group that started trending early this year, is still going strong. In a newly <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nokia-subsidiary-discloses-data-breach-after-conti-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">disclosed<\/a> data breach from June 2021, SAC Wireless, a US-based Nokia subsidiary, reported 250 GB of data stolen and encrypted systems.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>{Update August 2021}: <\/strong>In a recent development in early August 2021, a disgruntled Conti RaaS affiliate <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook\/\" target=\"_blank\" rel=\"noopener\">leaked<\/a> some of the gang\u2019s core training material, as he was unsatisfied with his cut for a ransomware attack. The publicly available data includes Cobalt Strike C2 IP addresses and ransomware attack tools and training details, all the more reason for organizations to watch out for all possible attack vectors weaponized by the Conti group.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>The Conti group is associated with three vulnerabilities. If these had taken precedence in the CVE patching priority, the series of Conti attacks could have been avoided.<\/strong><\/p>\n<blockquote><p>CVE-2020-0796 and CVE-2018-13379 were warned against in CSW\u2019s <a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\">Ransomware Reports<\/a> published in February and May 2021.<\/p><\/blockquote>\n<p dir=\"ltr\">Let us take a look at the different recent incidents in which the Conti group has been involved.<\/p>\n<p><img decoding=\"async\" style=\"width: 300px; height: 500px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/contis-ransomware-attack-infographic-new.png\" alt=\"Conti Ransomware Attacks\" \/><\/p>\n<p>The Ireland HSE incident shook the health industry, closely following in the wake of the Oil industry\u2019s Colonial Pipeline attack; IT systems had to be shut down, leading to chaos in rendering regular health services. Exagrid <a href=\"https:\/\/www.computerweekly.com\/news\/252501665\/Exagrid-pays-26m-to-Conti-ransomware-attackers?amp=1\" target=\"_blank\" rel=\"noopener\">paid a $2.6M ransom<\/a> in the form of 50.75 Bitcoins for a decryption tool and to prevent data from being leaked. In more recent updates in the last week of June 2021, Conti claimed responsibility for an attack on the city of Tulsa in early May, leaking over 18,000 city files on the Dark Web. Three Canadian companies &#8211; an Internet provider and an engineering firm, both from Ontario, and a Quebec-based insurance broker &#8211; have also <a href=\"https:\/\/www.itbusiness.ca\/news\/cyber-security-today-june-28-2021-more-canadian-firms-hit-with-ransomware-nobelium-group-attempting-to-infiltrate-canadian-and-u-s-firms-dreamhost-data-fumble-and-more\/118638\" target=\"_blank\" rel=\"noopener\">fallen victim to the group<\/a>, according to Conti&#8217;s website.<\/p>\n<table border=\"1\" cellspacing=\"1\" cellpadding=\"1\">\n<tbody>\n<tr>\n<td>\n<h2 dir=\"ltr\">\u00a0 \u00a0<strong>Conti &#8211; A Cheat Sheet<\/strong><\/h2>\n<p dir=\"ltr\">\u00a0 \u00a0 \u00a0We analyzed three CVEs being exploited by the Conti group &#8211; CVE-2020-0796,<br \/>\nCVE-2018-13374, CVE-2018-13379, and here is our analysis about them &#8211;<\/p>\n<ul>\n<li role=\"presentation\">CVE-2020-0796 is a critical RCE\/PE vulnerability, with a severity score of 10. This vulnerability also goes by the names CoronaBlue and SMBGhost, and was one of the top exploited vulnerabilities of 2020.<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2018-13379 is a critical RCE vulnerability that allows for unauthenticated attacks, and has a severity score of 9.8.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2018-13374 is a high-rated vulnerability, with a severity score of 8.8 and can be exploited to compromise web applications.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CWE Weakness Categories<\/p>\n<ul>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2020-0796 is categorised under a weakness leading to improper input validation, CWE-20<\/p>\n<\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2018-13379 falls under a weakness leading to improper limitation of a pathname to a restricted directory, CWE-22<\/p>\n<\/li>\n<li aria-level=\"2\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2018-13374 belongs to CWE-732 that leads to assignment of incorrect permissions for critical resources<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2020-0796 is present in two Microsoft products &#8211; Windows 10 and Windows Server 2016, while the other two exist in Fortinet\u2019s FortiOS.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0796\" target=\"_blank\" rel=\"noopener\">patch<\/a> for CVE-2020-0796 has been available since March 2020, while vendors recommend upgrading to the latest version of FortiOS for the other two vulnerabilities.<\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" style=\"width: 759px; height: 375px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/vulnerabilities-used-by-conti-ransomware-new-1.jpg\" alt=\"Vulnerabilities used by Conti Ransomware\" \/><\/p>\n<blockquote>\n<p dir=\"ltr\">It is widely believed that Russia\u2019s Wizard Spider Advanced Persistent Threat (APT) group uses the Conti ransomware in its attacks.<\/p>\n<\/blockquote>\n<h2 dir=\"ltr\">Global Exposure<\/h2>\n<p dir=\"ltr\">A Shodan analysis of CVE-2020-0796 brings up over 75,000 deployments, mainly focused in Taiwan and Japan. Windows 10 Home is the most widely used OS susceptible to CVE-2020-0796 exploits.<\/p>\n<p dir=\"ltr\">\u00a0 \u00a0 \u00a0 \u00a0\u00a0<b id=\"docs-internal-guid-950c2a5e-7fff-956c-7620-a136311d7452\"><img decoding=\"async\" style=\"width: 602px; height: 399px;\" src=\"https:\/\/lh3.googleusercontent.com\/P-8YwjNwz2iNSadnJpOtjOVrVi4eyk4dpSBklj2zM8JXqizTXJwbK9FjUGFt4Pt086nakuWS5wW1VknpJu9fplztQwzIPHCLjywzI3oVdL8T8zXH23AFbqVarPYdlMMwpQ7OBiyl\" \/><\/b><\/p>\n<p>&nbsp;<\/p>\n<p>There are over 60,000 deployments of FortiOS worldwide, according to Shodan, with the US ranking first on the list.<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 215px; height: 300px;\" src=\"https:\/\/lh4.googleusercontent.com\/ed8JR7SQU0oZypSyvX3guqspT4U9zk0EajZmhbMcXOPQUxtjeJJcQJXaG26DW32yENbmBIDHxUjsF8odg2O983RcG_wIah-_3SNE7VbkfoIuEKrQYN0T6Dlxi_fHm6KRmcgJ8bBg\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2 dir=\"ltr\">Attack Methodology<\/h2>\n<p dir=\"ltr\">Looking at multiple attacks involving Conti ransomware, we have understood the following to be their overall attack methodology.<\/p>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Scout for weak entry points in devices and infect them with IcedID payload, followed by BazarLoader malware.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Use batch files to disable security tools through the created backdoor.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Deploy Cobalt Strike beacon to gather confidential details<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Scan to identify open ports<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Utilize a combination of Remote Desktop Protocol (RDP), PsExec and Server Message Block (SMB) to worm its way laterally within the network<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Exfiltrate data to cloud storage through command line tools like RClone<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Stealthily deploy Cobalt Strike beacon to attached devices<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Execute malicious code in memory across all active systems<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Delete shadow copy using Windows Management Instrumentation (WMI)<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">\u00a0Ransomware continues ploughing through until detected<\/p>\n<\/li>\n<\/ol>\n<p><img decoding=\"async\" style=\"width: 700px; height: 375px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/conti-ransomware-new.png\" alt=\"Attack Methodology - Conti Ransomware\" \/><\/p>\n<p>Coincidentally, on June 1, 2021, the <a href=\"https:\/\/www.nzherald.co.nz\/nz\/nz-cloud-storage-company-being-used-by-ransomware-attackers-says-fbi\/CJN7XDMIUZEY3IX2Q34SA4APAY\/\" target=\"_blank\" rel=\"noopener\">FBI sent out a warning<\/a> regarding New Zealand based Mega cloud storage being used by ransomware groups like Conti,\u00a0 for data storage.<\/p>\n<h2 dir=\"ltr\"><\/h2>\n<h2 dir=\"ltr\">MITRE ATT&amp;CK Mapping<\/h2>\n<table style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>Indicators of Compromise<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<p dir=\"ltr\"><strong>SHA 256:<\/strong><\/p>\n<p dir=\"ltr\">d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c<\/p>\n<p dir=\"ltr\">f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81<\/p>\n<p dir=\"ltr\">e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6<\/p>\n<p dir=\"ltr\">707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30<\/p>\n<p dir=\"ltr\">03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd<\/p>\n<p dir=\"ltr\">b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9<\/p>\n<p dir=\"ltr\">1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24<\/p>\n<p dir=\"ltr\">c14f8bc656284715516f26935afe487a1d584f56ffabbcb98f2974f6ca6cd3a4<\/p>\n<p dir=\"ltr\">e16fea1b8874cc6b26e7e2df9697f03f86efa82247bb3b2922f1d05052dbcbb4<\/p>\n<p dir=\"ltr\">5d8a701110d58ab7c1aa8bae6bc9d5358b8cd508115891320e6af6c68f3bbd74<\/p>\n<p dir=\"ltr\">ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124<\/p>\n<p dir=\"ltr\">D236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40<\/p>\n<p dir=\"ltr\">2579148e5f020145007ac0dc1be478190137d7915e6fbca2c787b55dbec1d370<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" style=\"width: 100%; height: 100%;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/mitre-attck-map-conti-ransomware.png\" alt=\"MITRE Att&amp;ck Map Conti Ransomware\" \/><\/p>\n<h2 dir=\"ltr\">A thorough ransomware analysis is the need of the hour<\/h2>\n<p dir=\"ltr\">The vulnerabilities CVE-2020-0796 and CVE-2018-13379 are currently trending, although they were discovered more than a year back. This is a clear indication of the importance of patching older vulnerabilities and not just the newly discovered high-severity ones. In fact, as highlighted in CSW\u2019s <a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" target=\"_blank\" rel=\"noopener\">Ransomware Report<\/a>, vulnerabilities that were discovered in 2020 and earlier accounted for 97% of the total vulnerability count (260) as of March 2021.<\/p>\n<p dir=\"ltr\">The recent series of attacks is an example of how attackers might be taking it slow, waiting for bigger opportunities leading to crippling disruption. Adopting a risk-based approach and prioritizing critical vulnerabilities based on threat context is the need of the hour.<\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\" target=\"_blank\" rel=\"noopener\">Reach out to CSW for assistance with vulnerability analysis and prioritization.<\/a><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\">\n","protected":false},"excerpt":{"rendered":"<p>The Conti group is associated with three vulnerabilities. If these had taken precedence in the CVE patching priority, the series of Conti attacks could have been avoided.<\/p>\n","protected":false},"author":1,"featured_media":7528,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,117],"tags":[386,384,385,357,91,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7527"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7527"}],"version-history":[{"count":4,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7527\/revisions"}],"predecessor-version":[{"id":17399,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7527\/revisions\/17399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7528"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}