Are you a victim of the Conti Ransomware?

2021-09-23 13:47:51
Hive Pro
www.hivepro.com

THREAT LEVEL: Red.

For the detailed advisory, download the PDF here.

Conti ransomware targets enterprises that have not patched their systems, exploiting old vulnerabilities to get in. Conti steals sensitive information from the business and demands a ransom in exchange. CISA has issued a warning about the rise in Conti ransomware attacks. To avoid becoming a victim of Conti ransomware, the Hive Pro Threat Research team recommends patching the vulnerabilities listed under Patch Links below.

The MITRE ATT&CK techniques used by Conti include:

  • T1078 - Valid Accounts
  • T1133 - External Remote Services
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1106 - Native API
  • T1055.001 - Process Injection: Dynamic-link Library Injection
  • T1027 - Obfuscated Files or Information
  • T1140 - Deobfuscate/Decode Files or Information
  • T1110 - Brute Force
  • T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • T1016 - System Network Configuration Discovery
  • T1049 - System Network Connections Discovery
  • T1057 - Process Discovery
  • T1083 - File and Directory Discovery
  • T1135 - Network Share Discovery
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1080 - Taint Shared Content
  • T1486 - Data Encrypted for Impact
  • T1489 - Service Stop
  • T1490 - Inhibit System Recovery

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Type    Value
IPv4    162.244.80[.]235
IPv4    85.93.88[.]165
IPv4    185.141.63[.]120
IPv4    82.118.21[.]1
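The addresses above are defanged with "[.]" so they cannot be clicked or resolved by accident, which also means they will never match raw log data until they are refanged. The following Python is an added example, not part of the Hive Pro advisory: it restores the four published addresses, validates them, and scans constructed sample firewall and proxy lines for contact with them. The log lines and the field names in them are made up for the demonstration. It also shows why a plain substring search is the wrong tool: "82.118.21.1" is a substring of both "182.118.21.1" and "82.118.21.10", so the scanner tokenises dotted quads with boundary guards before comparing.

```python
import ipaddress
import re

# IoC addresses exactly as the advisory publishes them (defanged with "[.]").
CONTI_IOC_IPV4_DEFANGED = [
    "162.244.80[.]235",
    "85.93.88[.]165",
    "185.141.63[.]120",
    "82.118.21[.]1",
]

# Constructed sample log lines for this demonstration; not real traffic.
# Lines 3 and 4 carry addresses that merely share a substring with an IoC
# and must NOT be reported.
SAMPLE_LOG_LINES = [
    "2021-09-23T13:47:51Z fw1 ALLOW tcp 10.0.5.17:49822 -> 162.244.80.235:443",
    "2021-09-23T13:48:02Z proxy CONNECT dst=85.93.88.165 dport=443 user=jdoe",
    "2021-09-23T13:48:15Z fw1 ALLOW tcp 10.0.5.31:51000 -> 182.118.21.1:443",
    "2021-09-23T13:48:40Z fw1 ALLOW tcp 10.0.7.2:52210 -> 82.118.21.10:8080",
    "2021-09-23T13:49:03Z fw1 DENY  tcp 10.0.7.9:60111 -> 82.118.21.1:445",
]


def refang_ipv4(value: str) -> str:
    """Restore a defanged IPv4 address and validate it, so a typo in the IoC
    list raises ValueError instead of yielding an indicator that never matches."""
    candidate = value.strip().replace("[.]", ".").replace("(.)", ".")
    ipaddress.IPv4Address(candidate)  # raises on anything that is not a valid IPv4
    return candidate


def defang_ipv4(value: str) -> str:
    """Defang an address for reports, using the advisory's last-dot style."""
    head, _, last = value.rpartition(".")
    return f"{head}[.]{last}"


# A dotted quad with boundary guards: no digit or dot may sit immediately
# before or after it, so 82.118.21.1 is not found inside 182.118.21.1
# or 82.118.21.10.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def scan_log_lines(lines, defanged_iocs):
    """Return (line_number, matched_ip) for every log line that references an IoC."""
    ioc_set = {refang_ipv4(v) for v in defanged_iocs}
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_TOKEN.findall(line):
            if token in ioc_set:
                hits.append((number, token))
    return hits


def naive_substring_hits(lines, defanged_iocs):
    """The tempting one-liner, kept only to show its false positives on lines 3 and 4."""
    iocs = [refang_ipv4(v) for v in defanged_iocs]
    return [(n, ioc) for n, line in enumerate(lines, start=1)
            for ioc in iocs if ioc in line]


if __name__ == "__main__":
    for number, ip in scan_log_lines(SAMPLE_LOG_LINES, CONTI_IOC_IPV4_DEFANGED):
        print(f"line {number}: contact with Conti IoC {defang_ipv4(ip)}")
```

Run against the sample lines, the tokenising scanner reports lines 1, 2 and 5 only, while the substring version also flags lines 3 and 4. Any hit should be treated as a trigger for the broader investigation the advisory implies (account review, lateral movement via SMB shares, Kerberoasting), not as proof of compromise on its own, since IP indicators age quickly.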

Patch Links

<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>

<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>

<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>

References

<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>