
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help


Private messages between Conti members uncover invaluable information about how the infamous ransomware group hijacks victims’ systems.

Leaked internal chats between Conti ransomware group members offer a unique glimpse into its inner workings and provide valuable insights, including details on over 30 vulnerabilities used by the group and its affiliates, as well as specifics about its processes after infiltrating a network, like how it targets Active Directory.

In this blog post, we’ll offer background into Conti – one of the more prolific ransomware groups in operation today – dig into the leaked information, and offer concrete advice on how to protect your organization against Conti’s attacks.

Background

The ContiLeaks began on February 27 – the work of an alleged member of the Conti ransomware group. This individual leaked a series of internal chats between members of the group to the general public. This isn’t the first time confidential information about the group has been leaked. In August 2021, an affiliate of Conti published a playbook of training materials given to affiliates, which provided our first insight into the ransomware group’s operation.

These leaks have allowed researchers to analyze more of the group’s tactics, techniques and procedures (TTPs) and to develop indicators of compromise associated with it. Researchers at BreachQuest published an article on March 9 analyzing the ContiLeaks, which included a list of vulnerabilities the group appears to have been using to target organizations.

What is Conti?

First discovered in 2020 by researchers at Carbon Black, Conti is a ransomware group that operates a ransomware-as-a-service model to deploy the Conti ransomware.

Ransomware-as-a-Service (RaaS) is offered by ransomware groups and gives affiliates — cybercriminals looking to partner with RaaS groups — access to ransomware that is ready to be deployed, as well as a playbook to help guide their attacks. RaaS groups take a small cut of paid ransoms, providing the bulk of the profits to affiliates.

Conti has risen to prominence over the last two years, earning a reported $180 million in profits from its attacks, according to Chainalysis. It’s also gained notoriety for attacks against the healthcare sector, including at least 16 U.S. health and emergency networks. Most notable was Conti’s attack on the Ireland Health Service Executive (HSE) in May 2021 in which the group demanded a $20 million ransom, which the HSE refused to pay.

Conti’s focus on the healthcare sector isn’t surprising. In our 2021 Threat Landscape Retrospective report, we found that 24.7% of healthcare data breaches were the result of ransomware attacks, and ransomware itself was responsible for 38% of all breaches publicly disclosed last year.

Which vulnerabilities are Conti and its affiliates using?

Ransomware groups like Conti use a variety of tactics to breach the networks of prospective targets. These include phishing, malware and brute-force attacks against Remote Desktop Protocol (RDP).

Conti has also been linked to EXOTIC LILY, an initial access broker (IAB) group. IABs focus on obtaining malicious access to organizations for the purpose of selling that access to ransomware groups and affiliates. However, exploiting pre- and post-authentication vulnerabilities also plays an important role in ransomware attacks.

From the leaked affiliate playbook, there were already reports that Conti and its affiliates had been using the PrintNightmare and Zerologon vulnerabilities against targets. The ContiLeaks, however, revealed an additional 29 vulnerabilities used by the group.

Additionally, there are reports that Conti and its affiliates have targeted vulnerabilities in the Fortinet FortiOS found in Fortinet’s SSL VPN devices to gain initial access to target environments.

The following is a breakdown of the types of vulnerabilities used by Conti and its affiliates:

Initial access vulnerabilities

CVE | Description | CVSS Score | VPR
CVE-2018-13379 | Fortinet FortiOS Path Traversal/Arbitrary File Read Vulnerability | 9.8 | 9.8
CVE-2018-13374 | Fortinet FortiOS Improper Access Control Vulnerability | 8.8 | 8.4
CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability (“SMBGhost”) | 10 | 10.0
CVE-2020-0609 | Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability | 9.8 | 8.4
CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability | 8.8 | 9.9
CVE-2021-21972 | VMware vSphere Client Remote Code Execution Vulnerability | 9.8 | 9.5
CVE-2021-21985 | VMware vSphere Client Remote Code Execution Vulnerability | 9.8 | 9.4
CVE-2021-22005 | VMware vCenter Server Remote Code Execution Vulnerability | 9.8 | 9.6
CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (“ProxyLogon”) | 9.8 | 9.9

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 24 and reflects VPR at that time.

Elevation of privilege vulnerabilities

CVE | Description | CVSS Score | VPR
CVE-2015-2546 | Win32k Memory Corruption Elevation of Privilege Vulnerability | 6.9 | 9.6
CVE-2016-3309 | Windows Win32k Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2017-0101 | Windows Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2018-8120 | Windows Win32k Elevation of Privilege Vulnerability | 7 | 9.8
CVE-2019-0543 | Microsoft Windows Elevation of Privilege Vulnerability | 7.8 | 9.0
CVE-2019-0841 | Windows Elevation of Privilege Vulnerability | 7.8 | 9.8
CVE-2019-1064 | Windows Elevation of Privilege Vulnerability | 7.8 | 9.2
CVE-2019-1069 | Windows Task Scheduler Elevation of Privilege Vulnerability | 7.8 | 9.0
CVE-2019-1129 | Windows Elevation of Privilege Vulnerability | 7.8 | 8.9
CVE-2019-1130 | Windows Elevation of Privilege Vulnerability | 7.8 | 6.7
CVE-2019-1215 | Windows Elevation of Privilege Vulnerability | 7.8 | 9.5
CVE-2019-1253 | Windows Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2019-1315 | Windows Error Reporting Manager Elevation of Privilege Vulnerability | 7.8 | 9.0
CVE-2019-1322 | Microsoft Windows Elevation of Privilege Vulnerability | 7.8 | 9.0
CVE-2019-1385 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | 7.8 | 5.9
CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability | 7.8 | 8.4
CVE-2019-1405 | Windows UPnP Service Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2020-0638 | Update Notification Manager Elevation of Privilege Vulnerability | 7.8 | 5.9
CVE-2020-0787 | Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | 7.8 | 9.7
CVE-2020-1472 | Windows Netlogon Elevation of Privilege Vulnerability (“Zerologon”) | 10 | 10.0
CVE-2021-1675 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.8
CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability | 7.8 | 9.8
CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”) | 8.8 | 9.8

We’re also aware that Conti and its affiliates have used CVE-2021-44228, also known as Log4Shell, as part of attacks beginning in late 2021.

Leveraging elevation of privilege vulnerabilities

When looking at the impact of the various vulnerabilities disclosed specifically within the ContiLeaks communications, an interesting pattern emerges: nearly three quarters of the vulnerabilities on the list are elevation of privilege flaws, which signifies that the group is largely using vulnerabilities that support post-exploitation activities.

Given that the group and its affiliates can find different entry points into an organization outside of vulnerabilities, but need to elevate privileges in order to wreak havoc, it is not surprising that most of their vulnerability toolkit is focused on elevation of privileges.

Conti and Active Directory

Through the ContiLeaks, we learned that Conti follows a set of processes once inside a network. To target Active Directory (AD), the group will seek out domain administrator privileges, as is common amongst ransomware. For ransomware groups, AD is a valuable tool to help achieve their intended goal of encrypting systems across an organization’s network.

Conti and its affiliates will try to leverage Zerologon to obtain domain admin privileges, or, according to BreachQuest, they will seek out “potentially interesting people” within an organization’s AD.

The group and its affiliates target AD through a variety of means including:

ADFind
BloodHound
Steal or Forge Kerberos Tickets (“Kerberoasting”)
OS Credential Dumping: NTDS

Solution

The majority of vulnerabilities used by the Conti ransomware group and its affiliates have been patched over the last few years. The oldest flaw on this list was patched six years ago in 2015.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

To enable our customers to identify all of the known vulnerabilities leveraged by the Conti ransomware group and its affiliates, we will be releasing scan templates soon, while dashboards for Tenable.io, Tenable.sc and Nessus Professional are available now.

ContiLeaks Scan Template

ContiLeaks Dashboard for Tenable.io

ContiLeaks Dashboard for Tenable.sc

ContiLeaks Report from Tenable.sc

For more information on the dashboards and reports, please refer to the following articles:

ContiLeaks Tenable.io Dashboard
ContiLeaks SC Dashboard
ContiLeaks SC Report Template

Indicators of Exposure view in Tenable.ad

For Tenable.ad customers, we have detection and prevention solutions in the form of Indicators of Exposure (IoE) and Indicators of Attack (IoA). IoEs are a preemptive way to find and address gaps within your AD infrastructure to eliminate attack paths for ransomware groups and other cybercriminals, while IoAs detect attacks in real time.

Example IoA alert for password spraying

The following is a list of IoEs and IoAs derived from the findings within the ContiLeaks:

Tactics | MITRE ATT&CK | Solutions | Type
Discovery (e.g. BloodHound) | T1087.001, T1087.002, T1106, T1069.001, T1069.002 | Enumeration of local administrators; Massive computers reconnaissance | IoA
Privilege Escalation (Golden Ticket) | T1558.001 | GoldenTicket | IoA
Privilege Escalation (Zerologon) | T1068 | Unsecured configuration of Netlogon protocol | IoE
Credential Access (Bruteforce, Password Spraying) | T1110.001, T1110.002, T1110.003, T1110.004 | Password Guessing; Password Spraying | IoA
Credential Access (Collection and decryption of GPP Passwords) | T1552.006 | Reversible passwords in GPO | IoE
Credential Access (ntds.dit) | T1003.003 | NTDS Extraction | IoA
Credential Access (Encrypted Passwords) | T1003.003 | Reversible passwords | IoE
Credential Access (Kerberoasting) | T1558.003 | Kerberoasting | IoA
Credential Access (Mimikatz) | T1003.001 | OS Credential Dumping: LSASS Memory | IoA
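As an added illustration of two of the IoAs in the table above (Password Spraying and Kerberoasting, both also named among the AD techniques in the “Conti and Active Directory” section), the following is example detection logic written for this post, not Tenable.ad’s own IoA implementation. It runs over constructed Windows Security event records; the field names, the 5-minute correlation window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror the Windows
# Security log: 4625 = failed logon; 4769 = Kerberos service ticket request,
# where etype 0x17 is RC4-HMAC and 0x12 is AES256.
SAMPLE_EVENTS = [
    {"id": 4625, "ts": "2022-03-24T10:00:01", "src_ip": "10.0.0.5", "user": "alice"},
    {"id": 4625, "ts": "2022-03-24T10:00:02", "src_ip": "10.0.0.5", "user": "bob"},
    {"id": 4625, "ts": "2022-03-24T10:00:03", "src_ip": "10.0.0.5", "user": "carol"},
    {"id": 4625, "ts": "2022-03-24T10:00:04", "src_ip": "10.0.0.5", "user": "dave"},
    {"id": 4625, "ts": "2022-03-24T10:00:05", "src_ip": "10.0.0.5", "user": "erin"},
    {"id": 4625, "ts": "2022-03-24T10:00:09", "src_ip": "10.0.0.9", "user": "alice"},  # benign typo
    {"id": 4769, "ts": "2022-03-24T11:00:00", "user": "frank", "service": "mssql_svc", "etype": "0x12"},
    {"id": 4769, "ts": "2022-03-24T11:00:01", "user": "mallory", "service": "mssql_svc", "etype": "0x17"},
    {"id": 4769, "ts": "2022-03-24T11:00:02", "user": "mallory", "service": "http_svc", "etype": "0x17"},
    {"id": 4769, "ts": "2022-03-24T11:00:03", "user": "mallory", "service": "backup_svc", "etype": "0x17"},
    {"id": 4769, "ts": "2022-03-24T11:00:04", "user": "mallory", "service": "krbtgt", "etype": "0x17"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _distinct_in_window(pairs, min_distinct, window):
    """pairs: [(timestamp, value)]. Sorted values seen within `window` of some anchor event once they reach min_distinct, else None."""
    pairs = sorted(pairs)
    for i, (t0, _) in enumerate(pairs):
        values = {v for t, v in pairs[i:] if t - t0 <= window}
        if len(values) >= min_distinct:
            return sorted(values)
    return None


def detect_password_spraying(events, min_accounts=5, window=WINDOW):
    """Spraying signature: one source failing logons against many distinct accounts
    in a short time (few passwords tried across the directory). Returns {src_ip: [accounts]}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, attempts in by_src.items():
        users = _distinct_in_window(attempts, min_accounts, window)
        if users:
            hits[src] = users
    return hits


def detect_kerberoasting(events, min_spns=3, window=WINDOW):
    """Kerberoasting signature: one account requesting RC4 service tickets for many
    distinct user-account SPNs in a short time. Machine accounts ('$') and krbtgt are
    skipped because the technique targets service accounts with possibly weak passwords."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"].lower() != "0x17":
            continue
        if e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    hits = {}
    for user, requests in by_user.items():
        spns = _distinct_in_window(requests, min_spns, window)
        if spns:
            hits[user] = spns
    return hits


if __name__ == "__main__":
    print(detect_password_spraying(SAMPLE_EVENTS), detect_kerberoasting(SAMPLE_EVENTS))
```

On the sample data the spraying detector flags 10.0.0.5 but not 10.0.0.9 (one user, repeated), and the Kerberoasting detector flags mallory while ignoring frank’s AES request and the krbtgt ticket.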

Get more information

Conti ransomware gang chats leaked by pro-Ukraine member
The Conti Leaks | Insight into a Ransomware Unicorn

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Why I’m Proud to Protect


At McAfee, we’re proud to protect. It’s part of our DNA.

We’re all dedicated to keeping the world safe from cyber threats. As a team, we’re driven by our mission to protect all that matters. Individually, we’re motivated by our own unique reasons – whether that’s family, friends, or our communities.

As part of our commitment to online safety, we asked our McAfee team to share what motivates them every day to make life online safe and enjoyable. Here are just a few incredible reasons shared by some of our team:

“I’m really proud to protect my father in the digital life as he did with me in the real life.”- Francisco

“I’m proud to protect my family. I want to ensure they are safe now that everything is online.” – Cagla

“I’m proud to be part of a community that helps millions of people stay safe online.” – Karan

“I’m proud to protect my kids with the gift of digital safety so that they can freely enjoy their screen time.” – Loretta

“I am proud to protect my McAfee family because I love this company so much! I’m also proud to protect my grandson’s online activity thanks to McAfee!” – Melody

“I’m proud to protect family, friends, and our society as a whole. It is important for me to lead the change for a safer environment and future for the one close to me.”  – Benni

Watch the video below to see McAfee team members worldwide share their commitment to protecting all that matters to them.

Interested in building your career at a company that’s proud to protect? Search our openings!

The post Why I’m Proud to Protect appeared first on McAfee Blog.


ExtraHop adds heat map to its AWS cloud-native security solution


A cloud-native security provider announced Wednesday that it has added heat-mapping capabilities to its Amazon Web Service (AWS) flagship product. The new tier of service for ExtraHop Reveal(x) 360 uses artificial intelligence (AI) and machine learning to give security teams a visual means for identifying, investigating, and mitigating hotspots of malicious activity in their cloud environments without interfering with developer activity.

“We’re able to passively analyze network traffic data within a virtual private cloud and provide broad visibility and core detection capabilities across all AWS environments,” Bryan Lares, vice president of product management at ExtraHop, tells CSO.



A lasting trend: As a Service


With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cyber as a service providers have become an optimal solution for many companies. Knowing they can count on their partners to focus on specific vectors, internal security teams can concentrate on their core missions. This could be high priority or critical items within security or something totally outside of security. The flexibility of Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer’s business needs are being met.

The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) has become transformational: the CISO leads cross-functional teams to match the speed and boldness of digital transformation with agile, forward-thinking security and privacy strategies, investments, and plans. Tech-savvy and business-savvy CISOs are the operational leaders and master tacticians who can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem, amid constant and changing threats.

Skills gap and the burnout of security teams

The cyber security talent shortage impacts a growing number of organizations, including an increasing workload for the existing cyber security team, unfilled open job requisitions, and high burnout among staff. Only pandemic-related issues outrank talent shortages as the most significant worry companies face. With the never-ending surge of cyber-attacks and potential threats in this digital era, enterprises have started identifying the significance of a robust cybersecurity plan to protect themselves.

While many companies enjoy the privilege of a dedicated in-house cybersecurity lead, namely a CISO, the position is in most cases rather expensive for SMEs. On the other hand, the ongoing pandemic has induced a total shift in working patterns and data-sharing mediums.

The change has forced enterprises to understand the importance of complete cybersecurity protection to tackle incoming threats. While a full-time CISO position might not be feasible considering the affordability factor for Subject Matter Experts (SME), virtual CISO (vCISO) services offer a more flexible and affordable model.

CISO and security strategy: an essential must-have

It’s a critical juncture for cybersecurity and CISOs. A business-driven cyber strategy is the essential first step for business and security leaders amid sweeping, rapid business digitization. This reset defines the expanding role of the CISO. It affects how the organization sets cyber budgets, invests in security solutions, plans for resilience, and enhances its security. It determines whether CISOs may grow to become stewards of digital trust and securely lead their organizations into the new era with strategies to protect and create business value.

Time for a flexible delivery model

CISOaaS is a flexible CISO service that gives you the ability to flex your resourcing with your security needs without employing more staff. Form a strategy, embed best practices, and validate IT project architectural designs.

Contrary to a traditional CISO role, CISOaaS is based on a multidisciplinary team of experienced cybersecurity professionals. Required experience includes regulatory compliance and consulting on identity & access management, security testing, network & physical security, risk management, data protection, disaster recovery/business continuity, delivering customized services based on your needs, and achieving significant cost reduction. The caliber of security professionals required to mitigate the myriad of potential cyber threats and ever-growing legislative compliance requirements can often be beyond the reach of many businesses.

CISO as a Service brings affordability and flexibility to this critically strategic role.

Where to get started in 2022 with a vCISOaaS

Start by analyzing and building inventories of your organization’s systems and understanding your business objectives.
Develop a comprehensive and practical security program that fits the needs of the business and strengthens the company’s information security posture, focusing not just on acquiring more tools but on a more integrated view of risk.
A vCISO team can function as an extension of your team and deliver expert security strategy, leadership, and support.
Putting an effective cybersecurity strategy in place can seem overwhelming because of tight budgets and the difficulty of prioritizing efforts when investing in a cyber risk management solution.

Milestones to achieve

1. Establish Your Security Program

Learn the environment and understand the business goals so that the security program is aligned with the business.

2. Prioritize and categorize the security needs 

The unique design of the security program will provide strategic direction to help you achieve your business goals. Determine and prioritize security initiatives to reduce risk quickly, economically, and efficiently.

3. Security Improvements for Risk Mitigation

Learn and understand the risk posture for the business and then create a complete risk treatment plan to achieve the accepted level of risk posture.

A lasting trend

The ongoing pandemic has brought many twists and turns to our working style, model, and pattern. Change is inevitable, and at the same time organizations need to ensure compliance with, and protection of, their security standards and policies.

The vCISO service can provide an expert solution with an affordable and reliable model for enterprises, ensuring security. Large enterprises benefit from expert advisory, strategic guidance, and much-needed continuity. On the other hand, small-scale companies can use vCISO as a service to help manage security standards, compliance, staff, and the deployment of a security roadmap. The flexibility and cost-effectiveness of vCISOaaS is a stand-out feature that makes it the right choice for many.


How WiCyS is taking on security’s image problem


The way Janell Straach sees it, the cybersecurity profession has an image problem, and it’s keeping women out of the field at a time when the industry needs all the workers it can get.

Straach says female students, when asked to describe cybersecurity work, continue to think of a guy in a hoodie alone at a keyboard. They see disproportionately few women on the job, particularly in the senior ranks. And some still get harassed at conferences, despite codes of conduct meant to discourage inappropriate behavior.

Granted, the first image isn’t accurate and hostile experiences aren’t the norm, Straach says. Yet both perceptions persist.

And the sense of too few women in the field? That, Straach says, is actually true.

