Two cyber security firms have jointly unveiled details about an unnamed affiliate of the Conti ransomware gang, which they claim has used Cobalt Strike infrastructure to attack seven US-based companies.
eSentire’s Threat Response Unit (TRU) said it had been tracking the affiliate since August 2021, and began sharing findings with BreakPoint Lab after discovering that the firm was independently investigating the same group.
Their joint investigation has provided new information about the Conti affiliate, including specific IP addresses, domain names and Protonmail email accounts that it uses, as well as details of the vulnerabilities used to conduct its attacks.
This includes SonicWall Exploits, Cobalt Strike, the use of VPS servers for command and control (C2), Forty North’s C2Concealer, and Bring Your Own Virtual Machine (BYOVM).
The earliest attack carried out by the affiliate appears to have been in July 2021, when the threat actor launched a Cobalt Strike operation that compromised four financial organisations via their shared technology provider, which had deployed SonicWall as a VPN to help manage their IT environments.
Although the threat actors were able to delete cloud-stored backups before deploying ransomware, the financial companies were able to restore from other, more recent backups. Other victims of the affiliate have included companies in the environmental, legal and charitable sectors.
According to the cyber security firms, the most recent attack took place on Valentine’s Day 2022, when the TRU intercepted an attack leveraging Cobalt Strike infrastructure in an attempt to breach a children’s charity and then, hours later, a legal firm.
“The speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customised Cobalt Strike configurations and its associated initial access vectors,” said eSentire in a blogpost. “Customisation choices include legitimate certificates, non-standard CS ports, and malleable command and control.”
Although Cobalt Strike is a legitimate threat emulation software used for adversary simulations and penetration-testing Windows systems, cracked versions of the HelpSystems-developed tool have begun to be used by ransomware gangs and other cyber criminals in the past 18 months.
eSentire said in its blog post that Cobalt Strike was becoming increasingly popular among ransomware gangs because of the “full-scale organisational intrusions” that it enables, and the ability it gives to evade network and endpoint security, essentially pooling most of the features expected in other malware into one place.
“Threat actors need only deliver Cobalt Strike’s Beacon – a highly configurable backdoor that allows attackers to quietly and remotely control endpoints and inject other attacker tools – as a payload of their chosen initial access vector, and Beacon will point back to an attacker – controlled Team Server, where attackers can log on and intrusions can be orchestrated,” it said.
“Due to Cobalt Strike’s relative simplicity, it enables lower-tiered threat actors to act in supporting roles to ransomware operations, allowing ransomware gangs to scale out their operations and increase efficiencies.”
eSentire’s TRU previously released a report on Conti on 7 March 2022, warning both customers and critical infrastructure organisations that the gang was continuing to launch attacks against oil terminals, pharmaceutical companies, food manufacturers, IT services providers, and others.
That predated a Cybersecurity and Infrastructure Security Agency (CISA) alert about Conti on 9 March, which warned organisations to review their advisory and apply the recommended mitigations.
The CISA alert said: “Conti cyber threat actors remain active and Conti ransomware attacks against US and international organisations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike.”
Conti declared its allegiance to the Russian state immediately after Vladimir Putin’s illegal invasion of Ukraine.