SophosLabs
Mar 3 • 23 tweets • 9 min read
NEW 🧵on Conti...

We published some news this week about Conti. In brief, a #Conti affiliate infiltrated the network of a healthcare provider that a different #ransomware threat actor had already penetrated.

The technical debt in healthcare is dangerous.

1/23
But Conti, in particular, attracts a particularly aggressive group of affiliates. And we have another, previously untold, Conti-adjacent story about one of their ransomware affiliates.

It serves as a cautionary tale that not all attackers are necessarily after a ransom. 2/23
This past January we were contacted by a customer in the Middle East to investigate a malware incident that began in mid-December, 2021. The target, in the financial services industry, discovered lateral movement and backdoors in their network the week before new year's day. 3/23
As this is a story told through logs, which are ordered in reverse chronology, read the logs from the bottom to the top to get a chronological sense of what’s happening.

We’ve removed the dates so as not to reveal to the attacker who our customer is. 4/23
The initial point of access was a server running Windows Server 2008 R2 Service Pack 1. That machine was the source of several failed login attempts to a number of other servers, and 15 minutes in, attackers had logged in to a second machine, and four minutes later, a third server. 5/23
Control of the third server gave the attackers admin privileges. They abused a remote management utility called RemoteExec (named CI.exe) and, 18 minutes into the attack, copied it to six other machines. 6/23
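The thread asks the reader to work through newest-first log output and expresses every event as an offset from the initial access ("15 minutes in", "18 minutes into the attack", "by minute 26"). The script below is an added example, not part of the SophosLabs thread or of any Sophos tooling: it takes a constructed newest-first log export, restores chronological order, computes the minute offset of each event from the first one, and flags long pauses such as the three-day gaps the thread describes. The log format, hostnames and timestamps are invented for illustration; a real SIEM export would need its own parser.

```python
"""Rebuild a chronological attack timeline from a newest-first log export.

Added example for illustration; the format, hosts and times are constructed
and are not the customer's real logs (the thread withholds those dates).
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample export, newest event first, as the thread describes.
# Format per line: "<ISO timestamp> <host> <free-text message>".
REVERSE_LOG = """\
2000-01-04T02:00:00 SRV-B behavioral detection: malicious PowerShell blocked
2000-01-01T01:26:00 SRV-A second remote access tool installed
2000-01-01T01:21:00 SRV-D batch script copied and executed
2000-01-01T01:20:00 SRV-C remote management utility copied to 6 hosts
2000-01-01T01:19:00 SRV-C logon succeeded from SRV-A
2000-01-01T01:15:00 SRV-B logon succeeded from SRV-A
2000-01-01T01:05:00 SRV-A logon failed to SRV-B
2000-01-01T01:00:00 SRV-A initial access observed
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the export and return events oldest-first.

    The export is reversed before sorting so that events sharing a timestamp
    keep the order the logging system emitted them in (sort is stable).
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, message = line.split(" ", 2)
        events.append({"time": datetime.fromisoformat(ts),
                       "host": host, "message": message})
    events.reverse()
    events.sort(key=lambda e: e["time"])
    return events


def build_timeline(events: List[Dict]) -> List[Dict]:
    """Attach a 'minute' field: whole minutes since the first event."""
    if not events:
        return []
    t0 = events[0]["time"]
    return [dict(e, minute=int((e["time"] - t0).total_seconds() // 60))
            for e in events]


def find_gaps(events: List[Dict], min_hours: float) -> List[Tuple[datetime, datetime, float]]:
    """Return (pause_start, pause_end, hours) for every silence >= min_hours.

    Long pauses between bursts of activity are worth noting in a report:
    the thread observes several multi-day gaps before the attackers returned.
    """
    gaps = []
    threshold = timedelta(hours=min_hours)
    for prev, cur in zip(events, events[1:]):
        delta = cur["time"] - prev["time"]
        if delta >= threshold:
            gaps.append((prev["time"], cur["time"], delta.total_seconds() / 3600))
    return gaps


def format_timeline(timeline: List[Dict]) -> str:
    """Render one line per event: '+MMMM min  HOST  message'."""
    return "\n".join(f"+{e['minute']:5d} min  {e['host']:6s} {e['message']}"
                     for e in timeline)


if __name__ == "__main__":
    evts = parse_log(REVERSE_LOG)
    print(format_timeline(build_timeline(evts)))
    for start, end, hours in find_gaps(evts, min_hours=24):
        print(f"pause: {start} -> {end} ({hours:.1f} h of silence)")
```

Run it as a script to print the chronological timeline and any pause of a day or more; the same functions can be pointed at a real export once `parse_log` is adapted to that export's field layout.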
The next minute, the attackers had copied batch scripts to three of the six compromised servers, and those scripts were running, performing a variety of tasks at high speed. They also installed a backdoor service onto one of the other compromised machines. 7/23
By minute 26 of the attack, the intruders had downloaded and installed a second commercial remote access utility, called ScreenConnect, and set up temporary access to a specific, external IP address. 8/23
Methodically over the following hour, attackers moved from compromised server to compromised server, downloading and executing a set of batch scripts. Some of the machines downloaded a payload from an IP address belonging to notorious ISP Green Floid. money.cnn.com/2017/10/25/med… 9/23
And then…nothing happened for three days. The attackers made no attempt to reconnect to the network until almost 72 hours after the initial break-in. But then the gloves came off…and those servers started reporting detections of malware. 10/23
Behavioral detections based on the malicious use of PowerShell; Multiple attempts to deploy Cobalt Strike beacons; Placement of malware executables on network shares. The @Sophos endpoint was blocking all of that. 11/23
All day, the attackers tried and tried and tried again to deploy malware across a wide range of machines, and failed. For more than 15 hours, they repeatedly tried to push malicious executables onto devices or filelessly load them into memory.

They failed. 12/23
After taking a three-hour break – all that attempted crime had to be hard work – the attackers then resumed, and continued failing to infect machines, blocked by behavioral and memory detection of the payloads, most of which were Cobalt Strike. 13/23
Finally the attackers’ gloves came off. They used PowerShell to try to disable Windows Defender. They also leveraged those administrator tools they had used earlier in the attack to bundle up internal documents and send them to Mega, a cloud storage provider. 14/23
It took almost a full day for them to download the installers for Chrome and WinRAR, to bundle up the sensitive data into archive files, and then upload them to Mega. At the end, they cleaned up after themselves, deleting host logs and records. 15/23
The attackers took a break for three more days, then came back. We detected them deploying a list of text files on an internal server in preparation for the final phase of the attack, the deployment of ransomware. 16/23
We also detected (and blocked) more attempts to deploy both Cobalt Strike beacons, Metasploit Meterpreters, and BazarBackdoor malware onto various systems they controlled. Once again, they were prevented from doing so. 17/23
Finally, at about 1:34am in the target’s time zone, the attackers started trying to deploy ransomware executables. They were prevented from encrypting dozens of servers and workstations, repeatedly, over the next eight hours. Emotet and BazarBackdoor were also blocked. 18/23
Logs showed that, while the attackers were trying to deploy the ransomware, they used some of their other tools to log in to machines and see what was going on. They probably weren’t happy with what they found. 19/23
The following day, they tried using every tool they could think of to try to disable Sophos. They used PsKill and PsExec and GMER. They tried using the Windows version of a tool called FixGo. They tried to use RemCom, “the open source psexec”
github.com/kavika13/RemCom 20/23
In the end, they were unsuccessful at encrypting the machines. After three days of trying, the threat actors decided to give up, but they would salt the earth in their wake.

They just wiped every machine they could reach. 21/23
Perhaps they thought they could get away with just extorting the target, or perhaps the encryption was only a ruse, and they got what they were after in the exfiltrated data. 22/23
Thank you to @threatresearch for their contributions to this thread.

Check out our recent article "Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits" from @thepacketrat ⬇️

news.sophos.com/en-us/2022/02/…

23/23
