Experts from Cisco Talos translated the leaked internal materials from the Conti gang into English. The details of the gang’s attack methods and the instructions show that they were designed to allow even low-skilled actors to carry out successful attacks against valuable targets.
After a disgruntled Conti member leaked the ransomware gang’s attack playbook, researchers from Cisco Talos studied the documents and released an English translation that clarifies the exact steps and tools involved in launching a Conti attack.
The documents analyzed by researchers revealed detailed attack scenarios that could be performed by amateur hackers, yet could be very destructive.
The instructions teach Conti’s affiliates how to obtain administrator access to a network after using the provided commands and tools to enumerate users, particularly those with Active Directory access.
The leaked materials detail how to perform simple reconnaissance like checking LinkedIn and other social media platforms to identify employees who may have privileged network access.
The most popular tool in the instructions was the Cobalt Strike red-teaming framework, specifically a cracked version 4.3.
There are also instructions on how to exploit the ZeroLogon vulnerability (CVE-2020-1472) and other critical bugs, including PrintNightmare (CVE-2021-1675, CVE-2021-34527) and EternalBlue (CVE-2017-0143/0148).
Some of the tools described by the adversary are not what researchers typically see during an incident response engagement. Among them are Armitage, a Java-based GUI front-end for the Metasploit penetration testing platform; SharpView, a .NET port of the PowerView tool from the PowerShell-based PowerSploit offensive toolkit; and SharpChrome, a tool for decrypting logins and cookies saved in Chrome.
Command-line utilities mentioned in the leaked documents include ADFind, an Active Directory query tool; GMER, a tool used for disabling Windows Defender; AnyDesk, a remote desktop application used for persistence; and SMBAutoBrute, a tool for brute-forcing accounts on the current domain.
The leak also includes video tutorials on using PowerShell for various tasks, such as pen-testing and attacking Active Directory. Many of these video tutorials come from readily available online resources.
The leaked Conti documentation will help other researchers improve their understanding of this particular actor and its operations.
“This is an opportunity for defenders to make sure they have logic in place to detect these types of behaviors or compensating controls to help mitigate the risk. This translation should be viewed as an opportunity for defenders to get a better handle on how these groups operate and the tools they tend to leverage in these attacks,” Cisco Talos said in the report.
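As an added illustration of the detection logic Talos recommends (this is example code written for this page, not from Cisco Talos or the leaked documents), the script below scans a handful of constructed process-creation events, shaped like Sysmon Event ID 1 records, for the tools named in the translated playbook: ADFind, GMER, AnyDesk, SMBAutoBrute, Armitage, SharpView and SharpChrome. The event fields, host names, file paths and the severity levels assigned to each tool are assumptions made for the example.

```python
import os
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Each record keeps only the
# fields the rules need: host, user, image path and full command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "ws01", "user": "corp\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=person"},
    {"host": "srv02", "user": "corp\\svc-backup",
     "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    # Renamed binary: only the command line still carries the tool name,
    # which is why the rules look at both the image name and the arguments.
    {"host": "srv02", "user": "corp\\svc-backup",
     "image": "C:\\Windows\\Temp\\svchost.exe",
     "cmdline": "svchost.exe SharpView.exe Get-DomainUser"},
    {"host": "dc01", "user": "corp\\admin",
     "image": "C:\\Tools\\gmer.exe",
     "cmdline": "gmer.exe"},
    {"host": "ws03", "user": "corp\\asmith",
     "image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "cmdline": "git.exe pull"},
]

# Tools named in the translated Conti playbook, keyed by the lowercase token
# to look for. Severities are assumptions chosen for this example.
TOOL_SIGNATURES = {
    "adfind": ("ADFind: Active Directory query tool", "medium"),
    "sharpview": ("SharpView: .NET port of PowerView", "high"),
    "sharpchrome": ("SharpChrome: Chrome login/cookie decryption", "high"),
    "armitage": ("Armitage: Metasploit GUI front-end", "high"),
    "gmer": ("GMER: used to disable Windows Defender", "high"),
    "anydesk": ("AnyDesk: remote desktop used for persistence", "medium"),
    "smbautobrute": ("SMBAutoBrute: domain account brute-forcing", "high"),
}

# Match whole tokens only, so "adfind" hits "adfind.exe" but a token is not
# matched inside an unrelated longer word.
_TOKEN_RE = {
    token: re.compile(r"(?<![a-z0-9])" + re.escape(token) + r"(?![a-z0-9])")
    for token in TOOL_SIGNATURES
}


def scan_events(events):
    """Return one finding per (event, tool) pair whose image name or
    command line contains a playbook tool token."""
    findings = []
    for ev in events:
        basename = os.path.basename(ev["image"].replace("\\", "/")).lower()
        haystack = basename + " " + ev["cmdline"].lower()
        for token, (description, severity) in TOOL_SIGNATURES.items():
            if _TOKEN_RE[token].search(haystack):
                findings.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "tool": token,
                    "description": description,
                    "severity": severity,
                    "cmdline": ev["cmdline"],
                })
    return findings


def summarize_by_host(findings):
    """Count findings per host and severity, so a responder can see which
    machines need attention first."""
    counts = defaultdict(lambda: {"high": 0, "medium": 0})
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['host']} {h['user']}: "
              f"{h['description']} <- {h['cmdline']}")
    print(summarize_by_host(hits))
```

Name-based matching is deliberately simple and is only a starting point: a renamed binary with a scrubbed command line evades it, which is why the summary is meant to be combined with behavioural signals (new services created by remote-access software, LDAP enumeration volume, Defender tamper events) rather than used on its own.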