Conti Group - Tooling, Leaks and Russian FSB Ties

Will
March 11, 2022

The Conti group have been featured across many news outlets lately, both inside and outside the cyber security community. It is well known that this specific threat actor is mainly operated from within Russia, and with the recent events involving Russia and Ukraine we thought it would be a good idea to do a recap on this threat actor group. In this post we’ll aim to cover some of the tooling utilized by the threat actor, as well as their involvement in the recent Russia and Ukraine conflict.

We encounter this group on a regular basis through our Managed Detection and Response service, and our incident response engagements. This threat actor behaves much like a business with a broad range of internal resources and departments to leverage as part of their ransomware service.

While there is a broad range of publicly available Indicators of Compromise (IOCs) for this threat actor, we will cover some of the tooling we have seen them use recently, which will typically fly under the radar of common security controls.

Conti Group and Critical Infrastructure

As a group, Conti makes their money through their ransomware service. Once they have gained access to an environment with elevated privileges, they will rapidly look to destroy backups before deploying their ransomware to as many machines as possible. Besides operating more as a business than a typical hacker group, they also attempt to ensure their attacks do not impact critical infrastructure. While critical infrastructure typically includes power grids and utilities, Conti are mainly referring to health care infrastructure such as hospitals.

However, with the recent conflict in Ukraine, Conti have thrown their support behind Russia by publicly stating they will proactively target the critical infrastructure of any country that gets involved in the conflict by launching cyber-attacks against Russia.

Conti's public announcement around critical infrastructure.

With this specific threat actor being so successful against targets around the world, especially in Australia, it is important to understand the TTPs associated with this threat actor to better defend against them. This is especially important if your business or environment is considered critical infrastructure.

Russian Federal Security Service (FSB) Ties

It has long been suspected that certain crime groups operating out of Russia have had various levels of support from their government. While there isn’t a lot of publicly available concrete evidence to suggest this is the case, documents leaked by a Ukrainian member of the Conti group suggest that Conti have ties to the Russian Federal Security Service.

The screenshots below are from a Conti Jabber conversation in which they discuss having gained access to information detailing correspondence between the victim and the journalism organisation Bellingcat.

Translated conversation within the Conti group discussing FSB ties.
Translated conversation within the Conti group discussing Navalny.

Of particular interest is the mention of Navalny and the FSB within the same chat log. This does seem to suggest that, to an extent, Conti has a connection or contact at the FSB; how far this relationship goes is yet to be seen.

Tools, Techniques and Processes

The Conti group utilize a broad range of Tools, Techniques and Processes. We are going to take this opportunity to briefly recap some of the most common TTPs utilized by the group. As part of this we are also going to touch on some ‘greyware’: legitimate applications utilized by the crew to achieve persistence without raising the suspicion of security controls.

Trickbot

Trickbot has been around since 2016, originally only observed being utilized by APT group Wizard Spider. This piece of malware is a feature rich application that provides the threat actor with a huge range of capabilities to facilitate persistence, lateral movement, and enumeration activities.

Emotet

Emotet has been operating since 2014 and was typically classified as a banking trojan and spread through broad phishing campaigns. This malware is typically used by groups as a deployment mechanism. Once the malware has successfully executed on an endpoint, the operator can distribute other malware such as Trickbot and Cobalt Strike.

Cobalt Strike

Cobalt Strike is an Adversary Simulation and Red Team Operations tool built for security teams and penetration testers to easily simulate an advanced threat. Think of this tool as a commercial command and control application. Unfortunately, even though Cobalt Strike perform diligent background checks on all of their customers, the application has been leaked multiple times and is now a staple tool for the Conti group.

Cobalt Strike console screenshot.

Greyware

In recent attacks we have noticed a significant shift in Conti’s tradecraft where they have adopted the use of legitimate tooling for both persistence and command and control. This includes utilizing applications that have legitimate real-world purposes such as applications commonly utilized by developers and Managed Service Providers (MSPs).

These applications will typically go unnoticed by most security controls purely because they are legitimate applications used by a huge number of legitimate businesses globally. While controls such as Endpoint Detection and Response (EDR) products will likely generate an alert that this is a potential risk, they typically do not prevent the application from executing.

Atera

Atera is a remote management tool developed for MSPs to allow them to easily support their customers through the remote management capabilities of the Atera application. While the technique of using remote access tools for persistence or command and control is not new, the licensing model of Atera resonates with Conti’s processes like no other. Typically, once the group has administrative access within an environment they will register for an Atera instance utilizing a public email address aligned to the internal domain name of the compromised environment. While it is not clear whether the group utilises a free trial for their entire engagement, Atera is licensed per consultant. This means they can essentially deploy the tool across an entire environment without running into any ‘per machine’ licensing issues.

Atera remote management tool screenshot.

NGROK

Ngrok is a tool that, once installed on a machine, can be configured to expose a service on the host to the internet. This is done by tunneling the network traffic over HTTPS to the Ngrok service, where Ngrok then provides a URL and port that the user can hit to access the desired service.

Conti typically utilize this service to expose remote access protocols such as Remote Desktop Protocol (RDP). This allows them to gain an RDP session on a host that typically is not directly exposed to the internet, and makes it easier for them to perform lateral movement.

The process that allows users to tunnel traffic utilising NGROK.

Crosstec Remote Control

CrossTec is a tool that is very similar to Atera in that it is typically utilized by an MSP to provide remote support to their customers. CrossTec is not as feature rich as Atera however it does provide the same level of remote access and persistence to the threat actor.

CrossTec Remote Control screenshot.
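Because these tools are legitimate, the practical detection question is "is a remote-management or tunnelling binary running where it should not be, and is it being used to expose RDP?". The following is an added example, not code from the original post or from any of the vendors mentioned. It scans constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records for the greyware discussed above (Atera, Ngrok, CrossTec). The image names, install paths, domains and the sample events are assumptions chosen for the example rather than indicators taken from the post; tune them to your own telemetry.

```python
"""Flag remote-management and tunnelling 'greyware' in endpoint telemetry.

Added example (not from the original post). Scans Sysmon-style events for
the tools discussed above. Image names, domains and sample events are
assumptions constructed for this example, not indicators from the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed indicators per tool: process image names and service domains.
GREYWARE = {
    "Atera":    {"images": {"ateraagent.exe", "agentpackage.exe"}, "domains": ("atera.com",)},
    "ngrok":    {"images": {"ngrok.exe", "ngrok"},                 "domains": ("ngrok.com", "ngrok.io")},
    "CrossTec": {"images": {"crosstec.exe"},                      "domains": ()},
}

# An ngrok tcp/tls tunnel whose target port is 3389 exposes RDP to the internet.
TUNNEL_RDP = re.compile(r"\bngrok(?:\.exe)?\s+(?:tcp|tls)\s+\S*3389\b", re.I)

SEV_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    severity: str
    reason: str


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def _tool_for_domain(fqdn: str) -> Optional[str]:
    """Match a queried name against each tool's service domains (exact or subdomain)."""
    fqdn = fqdn.lower().rstrip(".")
    for tool, ind in GREYWARE.items():
        if any(fqdn == d or fqdn.endswith("." + d) for d in ind["domains"]):
            return tool
    return None


def classify(evt: dict) -> Optional[Finding]:
    """Turn one event into a Finding, or None if it is not of interest."""
    host = evt["Computer"]
    if evt["EventID"] == 1:  # process creation
        name = _image_name(evt["Image"])
        for tool, ind in GREYWARE.items():
            if name in ind["images"]:
                cmd = evt.get("CommandLine", "")
                if TUNNEL_RDP.search(cmd):
                    return Finding(host, tool, "high", f"RDP exposed through tunnel: {cmd}")
                return Finding(host, tool, "medium", f"greyware binary started: {evt['Image']}")
    elif evt["EventID"] == 22:  # DNS query
        tool = _tool_for_domain(evt["QueryName"])
        if tool:
            return Finding(host, tool, "low", f"DNS query to {tool} service: {evt['QueryName']}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


def max_severity_per_host(findings: List[Finding]) -> Dict[str, str]:
    """Collapse findings to the worst severity seen on each host, for triage ordering."""
    worst: Dict[str, str] = {}
    for f in findings:
        if f.host not in worst or SEV_RANK[f.severity] > SEV_RANK[worst[f.host]]:
            worst[f.host] = f.severity
    return worst


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    {"EventID": 22, "Computer": "WS01", "QueryName": "tunnel.ngrok.com"},
    {"EventID": 1, "Computer": "SRV02", "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "CommandLine": "AteraAgent.exe"},
    {"EventID": 22, "Computer": "SRV02", "QueryName": "agent-api.atera.com"},
    {"EventID": 22, "Computer": "WS03", "QueryName": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host}: {f.tool} - {f.reason}")
    print(max_severity_per_host(scan(SAMPLE_EVENTS)))
```

The DNS matches are deliberately low severity on their own, because an MSP-managed environment may legitimately talk to Atera; what lifts a host to high is the command line that tunnels port 3389, which is the pattern the post describes. In production the image and domain lists would be reconciled against the applications your change process has actually approved, so that an unexpected Atera registration under your own domain name stands out.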

Defending Against Conti

Conti are opportunistic, with most of their successful attacks beginning with a phishing email, a password-based attack, or exploitation of a 0-Day vulnerability such as Log4j. If an environment looks to be too mature, they will simply move on to the next target to increase the likelihood of a successful attack.

Mitigating most threat actors, including Conti, can be achieved using fairly common security controls.

  • Patch Management – Ensure that both applications and operating systems are patched on a regular basis. This should also include an out of band patching process for 0-Day vulnerabilities.
  • Multi-Factor Authentication – This single control will make it significantly harder for any threat actor to abuse password based attacks when deployed properly.
  • Endpoint Detection and Response – An industry-leading EDR product will detect many of the behaviours exhibited by threat actors. This includes the use of ‘greyware’ and living-off-the-land tooling utilized by groups such as Conti. This also provides your business with a platform to react to incidents at a granular level across all endpoints.
  • Application Whitelisting – This control is extremely effective at reducing the range of tools available for a threat actor to utilize during an incident. Application Control is one of the best ways of ensuring software such as the remote access greyware tools we referred to earlier is not deployed without approval. When configured properly, this control can cripple an attack from even the most advanced threat actors.
  • Application Level Firewalls – The vast majority of application firewall vendors, such as Palo Alto and Check Point, provide a categorization for domains and IP addresses. This can be utilized to block an entire application category; for example, on a Palo Alto you could block ‘Proxy Avoidance and Anonymizers’ to prevent the use of tools such as NGROK.
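To make the Application Whitelisting and Application Level Firewall points concrete, here is an added example (not code from the original post, and not any vendor's policy format) that models the two preventive decisions as small policy functions and runs them over constructed inputs: a default-deny application-control rule that allows executables only by approved publisher or from the operating system directory, and an egress rule that blocks an entire URL category. The publisher names, paths and the domain-to-category table are assumptions for the example; the category label ‘Proxy Avoidance and Anonymizers’ is the one the list above mentions.

```python
"""Model default-deny application control and category-based egress blocking.

Added example (not from the original post or any vendor product). Publisher
names, paths and the category table are assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Publishers whose signed binaries the business has approved (assumed).
ALLOWED_PUBLISHERS: Set[str] = {"Microsoft Corporation", "Example Corp IT"}
# Paths standard users cannot write to, so unsigned binaries here are trusted.
OS_PATHS = ("c:\\windows\\",)
# Paths any user (or a malicious admin session) can drop binaries into.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


@dataclass(frozen=True)
class Exe:
    path: str
    publisher: Optional[str]  # subject of a verified code signature, or None if unsigned


def app_control_decision(exe: Exe, allowed: Set[str] = ALLOWED_PUBLISHERS) -> Tuple[str, str]:
    """Default deny: allow only approved publishers or the OS directory.

    Note that Program Files is *not* an allowed path on its own: a remote
    management agent installed there by an attacker with admin rights is still
    denied until its publisher goes through the approval process.
    """
    p = exe.path.lower()
    if p.startswith(USER_WRITABLE):
        return "deny", "user-writable path"
    if exe.publisher in allowed:
        return "allow", f"approved publisher: {exe.publisher}"
    if p.startswith(OS_PATHS):
        return "allow", "operating system path"
    return "deny", "publisher not approved"


# Assumed categorisation table, keyed by registrable domain.
URL_CATEGORIES = {
    "ngrok.com": "Proxy Avoidance and Anonymizers",
    "ngrok.io": "Proxy Avoidance and Anonymizers",
    "atera.com": "Remote Access",
    "microsoftonline.com": "Business and Economy",
}
BLOCKED_CATEGORIES: Set[str] = {"Proxy Avoidance and Anonymizers"}


def egress_decision(fqdn: str, blocked: Set[str] = BLOCKED_CATEGORIES) -> Tuple[str, str]:
    """Block a whole category; uncategorised names are allowed here for simplicity."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable domain (e.g. tunnel.ngrok.com -> ngrok.com).
    for i in range(len(labels) - 1):
        cat = URL_CATEGORIES.get(".".join(labels[i:]))
        if cat is not None:
            return ("block" if cat in blocked else "allow"), cat
    return "allow", "uncategorised"


# Constructed sample inputs.
SAMPLES = [
    Exe(r"C:\Windows\System32\svchost.exe", "Microsoft Corporation"),
    Exe(r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe", None),
    Exe(r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "Atera Networks Ltd."),
]

if __name__ == "__main__":
    for exe in SAMPLES:
        print(exe.path, "->", app_control_decision(exe))
    for name in ("tunnel.ngrok.com", "agent-api.atera.com", "example.org"):
        print(name, "->", egress_decision(name))
```

The application-control function is written so that approval is a data change, not a code change: adding the agent's publisher to the allowed set is the "with approval" path, and until that happens the same binary is denied wherever an attacker installs it. The egress rule shows why category blocking is attractive against tunnelling tools: one category entry covers every subdomain the service hands out, which a per-domain blocklist would have to chase.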

