Discover and read the best of Twitter Threads about #ContiLeaks
Most recents (6)
Lo que está sucediendo en Costa Rica gracias a #ContiLeaks es algo que se esperaba. Un país que no invierte en tecnología en pleno 2022, un país que no tiene sistemas integrados y lo que tiene son pedazos por todos lados, donde la mayoría de colaboradores no son capaces
O no los permiten ser, donde quedamos rezagados en tener las mejores prácticas y en donde todo es pura vida y aquí no pasa nada. Eso es común no solo en el gobierno si no en empresa nacional. Espero que con esto aprendan y entiendan que se debe invertir en tecnología y
Y en sus colaboradores. Se pueden hacer muchísimas cosas y podrían empezar haciendo una evaluación a todos sus colaboradores, en donde los mejores estén en un solo edificio desarrollando una verdadera herramienta para el gobierno. #CostaRica @micittcr @presidenciacr
Thread on #APT grps, #hacktivists, #Ransomware gangs with their ‘likely’ associations (as per TTPs and reports) that are playing a significant role in impending #Ukraine #Russian conflict. Correct me if i am wrong or missing any one. 1/
Firstly on Russian 🇷🇺side there are #GhostWriter (#Belarus Govt Backed) #CozyBear (Russian Foreign Intel aka #SVR) #UNC1151 (Minsk based) #FancyBears & #SandWorm (Russian Military Intel aka #GRU) #Turla and #Gamaredon (Russian Internal Intel #FSB Former KGB) 2/
Other hacking groups incl #Lazarus (Russia & North Korea backed) #RedBanditsRU #Coomingproject #Freecivilian #DigitalCobraGang #Stormous #XakNet #Killnet #Zatoichi #Conti 3/
1/4 Combination of sanctions and Western businesses exodus from Russia may soon result in an uptick of cyber attacks from the country even if the conflict in Ukraine deescalates. Among many other things, the recent leak of internal chat logs and sensitive data tied to Russian
2/4 cybercrime group Conti illustrate that Russian ransomware groups are seeking “employees” on local job-hunting websites. The current pace of Western businesses exodus including technology companies
3/4 will leave many IT talents in Russia without a legitimate income. Also the growing isolation of the Russian economy might in the worst case lead to the North Korean scenario and we can see
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:
1/x
This allows us to connect certain #Trickbot activcity with the #Conti group:
1/x
The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210
2/x
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210
2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:
3/x
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:
3/x
Another #ContiLeaks 🧵This one should be smaller 😂 In the rocketchat logs, a channel "manuals_team_c" contained 16 procedures from reconnaissance to exfiltration. I translated (with the help of @sys6x) them, here they are: github.com/Res260/conti_2…
INITIAL ACTIONS
This one details the general ideas and the steps most cases will require. Reconnaissance using AD, enum shares, privesc, creds dumping using known techniques, etc. I found interesting that they inject a TLS listener. I wonder if it yields good results.
This one details the general ideas and the steps most cases will require. Reconnaissance using AD, enum shares, privesc, creds dumping using known techniques, etc. I found interesting that they inject a TLS listener. I wonder if it yields good results.
USEFUL COMMANDS
This one details how to take control of a host, presumably from the trickbot/bazar botnet console, and a lot of frequent commands. Those are small cmds, but we'll see that they have some longer cmds as well. Also mention the need to find the NAS to delete backups
This one details how to take control of a host, presumably from the trickbot/bazar botnet console, and a lot of frequent commands. Those are small cmds, but we'll see that they have some longer cmds as well. Also mention the need to find the NAS to delete backups
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.
If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue, and tracking work to be done. #ContiLeaks
