CISA and FBI observe the increased use of Conti ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

Technical Details

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.

Conti actors often gain initial access to networks through:

- Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
- Stolen or weak Remote Desktop Protocol (RDP) credentials
- Phone calls;
- Fake software promoted via search engine optimization;
- Common vulnerabilities in external assets.

In the execution phase, actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.

Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network.

NSA, CISA, and FBI detail Chinese State-Sponsored Actions, Mitigations

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory, Chinese State-Sponsored Cyber Operations: Observed TTPs. This advisory describes over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, and details mitigations.
Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives.
One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. This advisory provides specific mitigations for detailed tactics and techniques aligned to the recently released, NSA-funded MITRE D3FEND framework.
General mitigations outlined include: prompt patching; enhanced monitoring of network traffic, email, and endpoint systems; and the use of protection capabilities, such as an antivirus and strong authentication, to stop malicious activity.