09.23.21

Customer Advisory for Awareness | CISA, FBI, and NSA Issue Joint Advisory Regarding Increased Conti Ransomware Attacks

By Deepwatch

Key Points:

  • Significant increase in ransomware activity, specifically the Conti variant
  • Highly recommended to review best security practices (multi-factor authentication, patch management, understanding of Internet-exposed technologies, especially Remote Desktop and Exchange)
  • All customers should operate under the assumption that ransomware could target them

Summary

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory (PDF) yesterday regarding increased Conti ransomware activity and detailing observed tactics, techniques, and procedures (TTPs). According to the advisory, Conti ransomware has been used in over 400 attacks on US and international businesses.

Deepwatch’s Threat Intel Team has been tracking this activity to provide information as soon as possible. Please review our recent Significant Cyber Event Customer Advisory regarding Microsoft Exchange exploitation and the following headlines from our weekly Cyber Intelligence Brief (CIB):

  • August 16 – “A Look Inside the Operations and Tradecraft of the Conti Ransomware Gang.”
  • August 27 – “FBI Issues Alert Releasing IOCs for “OnePercent Group” Ransomware Affiliate.”
  • September 7 – “CISA Issues Alert for Ransomware Awareness for Holidays and Weekends.”
  • September 13 – “The Ideal Ransomware Victim: What Threat Actors Are Looking For.” 

Conti is classified as ransomware-as-a-service (RaaS); however, its structure differs from a traditional affiliate model. Conti developers are believed to pay affiliates a wage rather than a share of the proceeds from a successful attack.

According to the advisory, Conti affiliates used the following techniques to carry out their attacks:

  • Spearphishing attacks.
  • Remote monitoring and management software.
  • Exploitation of the “PrintNightmare” and “Zerologon” vulnerabilities; affiliates have also been known to use “ProxyShell” in attacks.
    • Deepwatch encourages customers to reach out to their squad manager about our vulnerability management services.

While the techniques above are commonly utilized, other techniques have also been seen, and a defense-in-depth strategy coupled with best security practices is the strongest way to reduce risk.

Additionally, details from a previously released Conti “playbook” identify four IP addresses used in previous attacks as Cobalt Strike C2 servers (see Appendix A).

Mitigations:

CISA, the FBI, and the NSA recommend organizations employ the following mitigation strategies.

  • Use multi-factor authentication.
  • Implement network segmentation and filter traffic.
  • Scan for vulnerabilities and keep software updated.
  • Remove unnecessary applications and apply controls.
  • Implement endpoint detection and response tools.
  • Limit access to resources over the network, especially by restricting RDP.
  • Secure user accounts.

In addition to these recommendations, Deepwatch recommends customers implement the following measures:

  • Evaluate your company’s technologies that are exposed to the Internet.
    • Specifically on-premises Exchange, Remote Desktop, and VPN technologies.
  • Work with your security teams to closely monitor any single-factor authentication technologies exposed to the Internet.
    • Especially VPN technologies.
    • Implement multi-factor authentication as soon as possible.

[Image: Common vulnerabilities exploited by ransomware threat actors. Source: Allan Liska via Twitter]

Deepwatch Threat Intelligence Outlook

Deepwatch assesses with high confidence that ransomware attacks (including Conti) will continue due to insufficient prioritization of security hygiene for organizations’ Internet-facing systems coupled with the influx of recent vulnerabilities that affect externally facing systems. 

Additionally, a recent discovery that REvil ransomware operators have been taking over ransom negotiations without their affiliates’ knowledge and pocketing the entire ransom payment themselves will likely cause potential affiliates to seek out other RaaS operators like Conti to facilitate their attacks.

Appendix A

IOCs

IP Addresses

  • 162.244.80[.]235
  • 85.93.88[.]165
  • 185.141.63[.]120
  • 82.118.21[.]1

These IP addresses were identified as Cobalt Strike servers previously used and leaked in Conti ransomware playbooks.
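As an added example (not part of Deepwatch's advisory or the joint advisory), the following Python check refangs the Appendix A indicators and matches them against firewall log lines; the log lines and their key=value format are constructed for illustration. Matching is done on the parsed address rather than by substring, so a neighbouring address such as 82.118.21.10 does not trigger on the 82.118.21.1 indicator.

```python
"""Match the Appendix A Cobalt Strike C2 indicators against firewall log lines."""
import ipaddress
import re

# Indicators exactly as published in Appendix A of the advisory (defanged with [.]).
CONTI_C2_INDICATORS = [
    "162.244.80[.]235",
    "85.93.88[.]165",
    "185.141.63[.]120",
    "82.118.21[.]1",
]

def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 1.2.3[.]4 back to a plain address string."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".")

def build_watchlist(indicators):
    """Refang and validate each indicator; anything that is not a valid IPv4 is skipped."""
    watch = set()
    for ind in indicators:
        try:
            watch.add(ipaddress.IPv4Address(refang(ind)))
        except ipaddress.AddressValueError:
            continue
    return watch

# Constructed sample firewall log lines (assumed key=value format, not from any real device).
SAMPLE_LOGS = [
    "2021-09-22T14:03:11Z action=allow src=10.20.30.41 dst=162.244.80.235 dport=443 proto=tcp",
    "2021-09-22T14:03:12Z action=allow src=10.20.30.41 dst=142.250.72.14 dport=443 proto=tcp",
    "2021-09-22T14:05:40Z action=allow src=10.20.30.77 dst=85.93.88.165 dport=8080 proto=tcp",
    "2021-09-22T14:06:02Z action=deny src=10.20.30.77 dst=82.118.21.10 dport=443 proto=tcp",
]

# Greedy dotted-quad match so 82.118.21.10 is captured whole, never truncated to 82.118.21.1.
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_c2_hits(log_lines, watchlist):
    """Return (line, matched_ip) for every line whose parsed dst address is on the watchlist."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # malformed octet (e.g. 999) is not a real address
        if dst in watchlist:
            hits.append((line, str(dst)))
    return hits

if __name__ == "__main__":
    for line, ip in find_c2_hits(SAMPLE_LOGS, build_watchlist(CONTI_C2_INDICATORS)):
        print(f"ALERT: connection to known Conti Cobalt Strike C2 {ip}: {line}")
```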
