Blog | Cyber Threat Intel
Lessons Learned from #ContiLeaks
- Conti's operations were run much like those of a mature small-business start-up.
- The hacking techniques employed by its affiliates, or "pentesters", are not novel.
- Conti followed sound software development practices and adopted current development tooling and processes. Conti's intellectual property is its software.
Contrary to the common belief that RaaS gangs are just a bunch of hackers in hoodies, Conti shows that to participate in this space and stay on top, you must have good business operations. The #ContiLeaks have shown that Conti had a typical business structure: roughly 70 people organized into groups including human resources, leadership and management, research and development, reverse engineers, third-party contractors, and penetration testers. It might surprise some to learn that Conti had proposal requests, a procurement process, and budgetary requirements. When a penetration tester needed a licensed piece of software, they submitted a request to a technical lead; management then approved it and specified where the money (cryptocurrency) should be transferred to make the purchase. The same process applied when research and development wanted to buy enterprise security software and hardware in order to test whether their own software could evade or bypass those security tools.
Conti Hacking Techniques
A lot was already known about Conti's tactics, techniques, and procedures (TTPs); however, the #ContiLeaks added details that confirmed initial suspicions and information already highlighted by researchers such as The DFIR Report. This includes how Conti conducted reconnaissance, gained initial access, moved laterally within networks, persisted, and ultimately reached its goal of exfiltrating data and encrypting the target's workstations and servers. Much of Conti's arsenal came from free and open-source software (FOSS), legitimate licensed copies of Cobalt Strike, proof-of-concept (PoC) code for known vulnerabilities found on GitHub, and other community-driven penetration testing projects and scripts, many of which are used by ethical penetration testing practices today. The group's custom tooling consisted mostly of automation scripts (batch files, obfuscated PowerShell), custom dynamic link libraries (DLLs), and other portable executables (PEs), including the ransomware itself.
For further details and more in-depth technical information on this topic, please contact us at firstname.lastname@example.org.