In the second part of our two-part series on the Conti materials leak, we assess what the playbooks reveal about the latter stages of the Conti attack methodology.
It is in these latter stages where operators access systems, exfiltrate data and deploy ransomware.
Discovery of NAS and fileshares
The Conti manual describes a method of searching for Network Attached Storage (NAS) and backups using a publicly available tool called ‘NetScan’ where a configuration file is provided to the operators that they use to scan for machines on the network. The results of the scan can be investigated to find the operating system, disk size, open ports, shares and the role of the machine.
Operators are also provided with a tool called ‘RouterScan’, which is designed to profile and attack routers, IoT devices and NAS solutions. The tool can automatically perform discovery of a service and attack it using known exploits for the device. If this fails it can instead perform brute force attacks on a login page.
Exfiltration of data
Once the requisite access has been obtained by the attackers, they can then begin exfiltrating data. For larger amounts of data found by using the methodologies outlined above, the manual instructs the operators to use ‘rclone’. Rclone is another legitimate tool that can be used to automate backups and file transfers to cloud storage.
The attackers first create a MEGA.io account and pay for the storage plan they require based on the amount of information they want to steal, paying for the account in cryptocurrency. This account is then used to configure rclone to transfer the data to the account. Having configured rclone appropriately, the threat actors will deploy it onto a compromised device and execute, typically using Cobalt Strike.
Preparation and operational security of data
Once the stolen data has been uploaded to MEGA.io, operators will use the MEGAsync tool to copy the data to a dedicated storage location.
As an extra layer of operational security, operators are instructed to connect to MEGA.io via Tor to ensure anonymity when using their personal devices. To prepare the data for release to potential buyers and to maximise the leverage for extortion of money from victims, operators are told to search for the documents that would be the most damaging to an organisation. The leaked manual also includes a list of keywords to search for.
The most recent and sensitive files are intended to be tagged and prepared for the extortion portion of the campaign, with particular interest being paid to financial and cyber insurance documentation. This allows the threat actors maximum leverage over their victims and can help set the ransom demand to an amount that the criminals think the victim is willing and able to pay.
Deployment of ransomware
The final stage of the attack is to deploy the ransomware to as many machines as possible. Operators are advised to target the most important devices to the company’s daily operations first, in order to maximise disruption. This typically includes critical assets such as domain controllers, network attached storage devices and web servers.
The information contained in this leak gives a fantastic opportunity to test and develop detection methodologies. The Conti gang provide their operators with detailed information on lateral movement and privilege escalation, indicating this is the stage of their attack where they need to be the most flexible. The latter stages of their attack rely heavily on being able to leverage accounts with high privileges to deploy ransomware.
We also saw some of the operational security steps the Conti operators take when they exfiltrate data, using one-time burner accounts to sign up to cloud storage providers.
It is also clear that the Conti operators will scope their victim’s environment and rely on deploying legitimate tooling such as AnyDesk and rclone, as well as platform specific tooling such as MEGASync to achieve their goals and avoid detection. Other threat actors will use similar tools, giving us an opportunity to develop an application allowlist which restricts applications from running unless on a pre-approved list.
We assess with high confidence that Conti and similar ransomware operators will continue to operate with these tactics, techniques and procedures (TTPs). Once initial access is gained, they will seek to gather credentials stores in plain text and move to more overt methods, such as using Mimikatz, if this is unsuccessful.
Hardening Active Directory by reducing the number of privileged accounts, increasing password complexity by using passphrases, and auditing security groups, will hinder threat actors’ ability to move laterally and gain access to privileged accounts.
For recommendations to mitigate against Conti, read part 1
Regular threat intelligence reports are provided to customers as part of Kroll Responder, our outcome-focused Managed Detection & Response (MDR) service. It supplies the people, technology and cyberoffensive intelligence required to continuously hunt for threats across networks and endpoints and help shut them down before they cause damage and disruption.
Special thanks to Laurie Iacono, Nick Senske and the Kroll Threat Intelligence team for helping to research and collate the information in this article.