Details of new Conti ransomware affiliate emerge

Report by eSentire gives domains and email addresses used by the gang

Details of an affiliate of the Conti ransomware gang has been released, and organisations are urged to watch out for Indicators of Compromise (IoCs) by the threat actor, which so far has used similar techniques to the more well-known cyber crime group.

The affiliate was tracked independently by security firm's eSentire and BreakPoint Labs, who decided to join forces and share information about the threat actor, details of which are published in a report by eSentire's Threat response Unit (TRU) on the company's blog.

eSentire's TRU says it has been tracking the unnamed affiliate group since August 2021, and that the group has used Cobalt Strike infrastructure to attack seven different US companies. The victims include companies in the financial, environmental, legal and charitable sectors, with the most recent being two attempted ransomware attacks on 14th February 2022.

"The speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors," eSentire says in its blog.

Ransomware gangs often operate a system of affiliations, swapping tools and know-how with other groups and combining efforts to identify, attack and extort victims. For example, the Conti gang is known to have forged close links with Trickbot authors, Wizard Spider.

Leaked chat records of the Conti gang have recent led to more understanding of how the group operates. Among the groups high-profile victimes are the Irish Health Service, FatFace, Scottish Environment Protection Agency and KP Snacks.

In its blog post, eSentire provides new accounts, specific IP addresses, domain names and Protonmail email accounts linked to the Conti affiliate, and also details of the vulnerabilities it uses to attack its victims. These include methods often used by the Conti group, including:

• SonicWall Exploits
• Cobalt Strike
• Forty North's C2Concealer
• Bring Your Own Virtual Machine (BYOVM)
• The use of VPS servers for C2

Common SonicWall exploits include SMA and SRA products running unpatched and end-of-life 8.x firmware.

Meanwhile, Cobalt Strike is a legitimate tool for penetration testing Windows systems, sold by HelpSystems. Cracked versions of the software began circulating in 2020 and became widely used by cyber criminals, giving the access to a multimodal attack framework and up-to-date exploits. Source code of the latest version was reportedly leaked in January, just 10 days after its official release.

Forty North's C2Concealer is another pen-testing tool, deployed with Cobalt Strike to hide the attacker's command and control (C2) servers. eSentire's report gives an example of its use called 'Cobalt Strike ShadowBeacon' in which the C2 appeared to be an internal device on the victim's network. The threat actor was able to install its own VMs on the victim's network which were used to communicate with the real external C2 servers.

Dr Keegan Keplinger, threat intelligence research and reporting lead at eSentire, said organisations should block the domains identified as belonging to the new Conti affiliate, and otherwise follow identified best practice when defending against that ransomware group.

"The attacks launched by this Conti ransomware affiliate follow a typical ransomware playbook, so many of the best security practices, such as endpoint monitoring for the following hacker techniques or tactics are effective," he said.

"Some of the key techniques or tactics which organisations need to look for include guarding against the abuse of 'living-off-the-land' binaries, discovery, lateral movement, and privilege escalation. These are very effective in defending an organisation's data and applications from this ransomware threat actor group and others."

In terms of defending against living off the land (the abuse of processes built into Windows), Keplinger recommended organisations look at the work of the LOLBAS project. Meanwhile, for the discovery phase they should guard against the misuse of admin tools such as ltest.exe, net.exe, quser.exe; lateral movement in Windows frequently uses PsExec, PowerShell and named pipes; and attackers often make use of internal exploits, such as Zerologon for privilege escalation, or use Mimikatz to collect credentials for credential theft.

"Endpoint detections can be written for all of these tactics and techniques outlined above. Of course, alongside these detections, it's about really educating one's employees/users around security awareness of malicious spam and phishing emails, and ensuring that your organisation has a robust vulnerability management program in place, whereby you are identifying critical vulnerabilities which are being exploited by the threat actors and patching those promptly," Keplinger said.