Lessons from the Conti Leaks
If you want to learn how an organized cybercriminal operation works, look no further than the threat group known as Conti. The recent leaks of the group's chat logs have uncovered an unprecedented wealth of information and insight into how these veteran cybercriminals organize themselves.
Cyber Threat Intelligence (CTI) vendors and independent researchers have spent weeks poring over the Conti leaked chat logs and have uncovered dozens of very significant findings.
In this blog, I didn't want to duplicate (too much of) what is already known. Instead, I wanted to share the findings that I found most interesting. To rapidly get up to speed on the Conti Leaks, I highly recommend that other researchers read the following blogs:
I also recommend reading what other researchers have tweeted about their findings from the Conti Leaks:
- Observable Tactics, Techniques, and Procedures (TTPs) https://twitter.com/TheDFIRReport/status/1498642505646149634
- Cobalt Strike commands from RocketChat logs https://twitter.com/c3rb3ru5d3d53c/status/1499130574321197058
- All CVEs discussed in the Conti chat server https://twitter.com/c3rb3ru5d3d53c/status/1499570311460753408
- Proof Conti members are active on Twitter https://twitter.com/VK_Intel/status/1498761290709409792
- Conti member interviewed by local police https://twitter.com/VK_Intel/status/1498400616615395328
- Conti members acquire CarbonBlack and Sophos https://twitter.com/albertzsigovits/status/1498237945685422087
- Conti's Exploit[.]in account https://twitter.com/pancak3lullz/status/1499108972258906123
- Conti's Bitcoin wallets https://twitter.com/pancak3lullz/status/1498347648637624326
With those out of the way, we can get to the meat of this blog. I cannot emphasize enough that these leaks are gargantuan and span years of the group's operations. I seem to find something new every time I take another look at them but now have enough for a blog of my own.
One major discovery in the Conti leaks, which multiple vendors have covered, is the existence of an "OSINT Team" that gathers details on Conti's targets. This team uses multiple techniques, as well as commercial tools, to find every piece of information about a target that will support the end goal of domain-wide Conti ransomware deployment. The OSINT Team may also engage directly with the targets (HUMINT), posing as marketing or sales people, to gather details about managers, executives, and how the company operates for exploitation later.
Command and Control (C2)
Tradecraft, Exploits, and 0days
A Cybercrime Empire
- locker.exe e1b147aa2efa6849743f570a3aca8390faf4b90aed490a5682816dd9ef10e473
- locker_x86.dll fb737da1b74e8c84e6d8bd7f2d879603c27790e290c04a21e00fbde5ed86eee3
- cryptor.exe 5f3ae6e0d2e118ed31e7c38b652f4e59f5d5745398596c8b31248eda059778af