Are you a victim of the Conti Ransomware?

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

Conti Ransomware targets enterprises who have not patched their systems by exploiting old vulnerabilities. Conti Ransomware steals sensitive information from businesses and demands a ransom in exchange. CISA has issued a warning about the rise in Conti ransomware attacks. To avoid becoming a victim of Conti ransomware, the Hive Pro Threat Research team suggested you patch these vulnerabilities.

The techniques used by the Conti includes:

• T1078 – Valid Accounts
• T1133 – External Remote Services
• T1566.001 – Phishing: Spearphishing Attachment
• T1566.002 – Phishing: Spearphishing Link
• T1059.003 – Command and Scripting Interpreter: Windows Command Shell
• T1106 – Native API
• T1055.001 – Process Injection: Dynamic-link Library Injection
• T1027 – Obfuscated Files or Information
• T1140 – Deobfuscate/Decode Files or Information
• T1110 – Brute Force
• T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
• T1016 – System Network Configuration Discovery
• T1049 – System Network Connections Discovery
• T1057 – Process Discovery
• T1083 – File and Directory Discovery
• T1135 – Network Share Discovery
• T1021.002 – Remote Services: SMB/Windows Admin Shares
• T1080 – Taint Shared Content
• T1486 – Data Encrypted for Impact
• T1489 – Service Stop
• T1490 – Inhibit System Recovery

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Links

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472

References

https://us-cert.cisa.gov/ncas/alerts/aa21-265a