Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Sophos X-Ops Profile picture
@SophosXOps
Mar 3, 2022 • 23 tweets • 9 min read • Read on X
Scrolly
NEW 🧵on Conti...

We published some news this week about Conti. In brief, a #Conti affiliate infiltrated the network of a healthcare provider that a different #ransomware threat actor had already penetrated.

The technical debt in healthcare is dangerous.

1/23
But Conti, in particular, attracts a particularly aggressive group of affiliates. And we have another, previously untold, Conti-adjacent story about one of their ransomware affiliates.

It serves as a cautionary tale that not all attackers are necessarily after a ransom. 2/23
This past January we were contacted by a customer in the Middle East to investigate a malware incident that began in mid-December, 2021. The target, in the financial services industry, discovered lateral movement and backdoors in their network the week before new year's day. 3/23
As this is a story told through logs, which are ordered in the reverse chronology, read the logs from the bottom to the top to get a chronological sense of what’s happening.

We’ve removed the dates so as not to reveal to the attacker who our customer is. 4/23
The initial point of access was a server running Windows Server 2008 R2 Service Pack 1. That machine was the source of several failed login attempts to a number of other servers, and 15 minutes, attackers had logged in to a 2nd machine, and four minutes later, a 3rd server. 5/23
Control of the third server gave the attackers admin privileges. They abused a remote management utility called RemoteExec (named CI.exe) and, 18 minutes in to the attack, copied it to six other machines. 6/23
The next minute, the attackers had copied batch scripts to three of the six compromised servers, and those scripts were running, performing a variety of tasks at high speed. They also installed a backdoor service onto one of the other compromised machines. 7/23
By minute 26 of the attack, the intruders had downloaded and installed a second commercial remote access utility, called ScreenConnect, and set up temporary access to a specific, external IP address. 8/23
Methodically over the following hour, attackers moved from compromised server to compromised server, downloading and executing a set of batch scripts. Some of the machines downloaded a payload from an IP address belonging to notorious ISP Green Floid. money.cnn.com/2017/10/25/med… 9/23
And then…nothing happened for three days. The attackers made no attempt to reconnect to the network until almost 72 hours after the initial break-in. But then the gloves came off…and those servers started reporting detections of malware. 10/23
Behavioral detections based on the malicious use of PowerShell; Multiple attempts to deploy Cobalt Strike beacons; Placement of malware executables on network shares. The @Sophos endpoint was blocking all of that. 11/23
All day, the attackers tried and tried and tried again to deploy malware across a wide range of machines, and failed. For more than 15 hours, they repeatedly tried to push malicious executables onto devices or filelessly load them into memory.

They failed. 12/23
After taking a three hour break – all that attempted crime had to be hard work – the attackers then resumed, and continued failing to infect machines, blocked by behavioral and memory detection of the payloads, most of which were Cobalt Strike. 13/23
Finally the attackers’ gloves came off. They used PowerShell to try to disable Windows Defender. They also leveraged those administrator tools they had used earlier in the attack to bundle up internal documents and send them to Mega, a cloud storage provider. 14/23
It took almost a full day for them to download the installers for Chrome and WinRAR, to bundle up the sensitive data into archive files, and then upload them to Mega. At the end, they cleaned up after themselves, deleting host logs and records. 15/23
The attackers took a break for three more days, then came back. We detected them deploying a list of text files on an internal server in preparation for the final phase of the attack, the deployment of ransomware. 16/23
We also detected (and blocked) more attempts to deploy both Cobalt Strike beacons, Metasploit Meterpreters, and BazarBackdoor malware onto various systems they controlled. Once again, they were prevented from doing so. 17/23
Finally, at about 1:34am in the target’s time zone, the attackers started trying to deploy ransomware executables. They were prevented from encrypting dozens of servers and workstations, repeatedly, over the next eight hours. Emotet and BazarBackdoor were also blocked. 18/23
Logs showed that, while the attackers were trying to deploy the ransomware, they used some of their other tools to log in to machines and see what was going on. They probably weren’t happy with what they found. 19/23
The following day, they tried using every tool they could think of to try to disable Sophos. They used PsKill and PsExec and GMER. They tried using the Windows version of a tool called FixGo. They tried to use RemCom, “the open source psexec”
github.com/kavika13/RemCom 20/23
In the end, they were unsuccessful at encrypting the machines. After three days of trying, the threat actors decided to give up but they would salt the earth in their wake.

They just wiped every machine they could reach. 21/23
Perhaps they thought they could get away with just extorting the target, or perhaps the encryption was only a ruse, and they got what they were after in the exfiltrated data. 22/23
Thank you to @threatresearch for their contributions to this thread.

Check out our recent article "Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits" from @thepacketrat ⬇️

news.sophos.com/en-us/2022/02/…

23/23

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sophos X-Ops

Sophos X-Ops Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosXOps

Sophos X-Ops Profile picture
Mar 13
Every year, Sophos X-Ops releases its annual threat report. This year, however, we took a slightly different approach. Rather than looking at the landscape as a whole, we zoned in on the biggest cybercrime threats to SMBs.
A look at SophosLabs telemetry showed that the number one challenge for SMBs is data protection—which isn’t too surprising. Data and credential theft have become increasingly common, with attackers using the data for ransomware or unauthorized remote access.
Nearly 50% of all malware detections for SMBs were keyloggers/spyware/stealers. We also found multiple advertisements on the dark web from IABs specifically targeting SMBs or selling access to SMB networks. Image
Read 10 tweets
Sophos X-Ops Profile picture
Mar 4
Threat actors often use Bring Your Own Vulnerable Driver (BYOVD) attacks – where they abuse vulnerable drivers to gain privileges on a compromised machine – to terminate EDR solutions.
Lots of drivers exist that can be abused in this way, and several threat actor groups (we've previously reported on Robbinhood, BlackByte, and other ransomware actors) routinely use this technique.
One BYOVD tool that got some attention in 2023 was Terminator. A threat actor was selling this tool to other criminals on underground forums. Researchers found that Terminator used a legitimate signed driver (called Zemana Anti Malware, or ZAM).
Read 18 tweets
Sophos X-Ops Profile picture
Mar 1
We’ve seen three more incidents of attackers attempting to move deeper into customer networks after exploiting a vulnerability in ConnectWise' ScreenConnect server. Two appeared to be from the same threat actor. /1
In one, the attacker attempted to execute some commands for reconnaissance on the ScreenConnect server, using PowerShell to try to run getlocaluser (to obtain a list of local user accounts on the server) and ipconfig (to get the local network interface information). /2
The actor behind the other incidents was much more persistent. In the second incident, they first attempted to disable Sophos endpoint protection. Then they attempted to install a Cloudflare Tunnel client to be used as a backdoor, downloading it from Cloudflare’s GitHub page. /3
Read 8 tweets
Sophos X-Ops Profile picture
Feb 21
While the world digests what, precisely, the LockBit takedown this week entails and how much it’s likely to kneecap the ransomware gang, we’d just like to point out how prevalent the family is – literally, what Conti was to 2021, LockBit was to 2023. 1/11
Here’s a graphic from our upcoming Active Adversary Report , showing precisely how, as seen by the Sophos X-Ops Incident Response team, Conti in 2021 and LockBit in 2023 represented literally double the volume of infections of the nearest “competitors .” 2/11 Image
Back then, Conti was so widespread that even with its shutdown in early 2022, it *still* accounted for nearly 5% of the ransomware cases the IR team tackled. 3/11
Read 11 tweets
Sophos X-Ops Profile picture
Sep 18, 2023
Last year, Sophos X-Ops uncovered a growing number of "liquidity mining" scams—a type of cryptofraud that takes advantage of mobile crypto wallets and decentralized finance (DeFI) apps. While we saw dozens of these last year, we're now seeing 100s of more sophisticated scams. /1
While the scams we first encountered were fairly simple in their attempts to convince targets to join their fraudulent “mining pools”, we have seen liquidity mining scams adopt Sha Zhu Pan (pig butchering) tactics to siphon funds from their victims. /2 Image
Real liquidity pools involve creating a pool of different types of cryptocurrencies for trades, and participants receive a percentage of every fee paid for a trade. Fake pools pretend to operate in the same way—until the scammers pull all the funds from the victims’ wallets./3 Image
Read 9 tweets
Sophos X-Ops Profile picture
Aug 25, 2023
Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched Citrix NetScaler systems exposed to the internet. Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs.
In the mid-August attack, once the target system was infected, the attackers used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack.
nvd.nist.gov/vuln/detail/CV…
Later stages of that attack included behaviors such as:
- Payload injection into wuauclt.exe or wmiprvse.exe
- Use of BlueVPS ASN 62005 for malware staging and a C2 IP address (45.66.248[.]189)
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(