Conti Ransomware Sources Blocked by AEGIS
According to CISA (Cybersecurity & Infrastructure Security Agency), Conti Ransomware use increased in 2021, with more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
Read full report: https://www.cisa.gov/news-events/alerts/2021/09/22/conti-ransomware
Conti actors often gain initial access [TA0001] to networks through:
- Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002];
- Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].[4]
- Phone calls;
- Fake software promoted via search engine optimization;
- Other malware distribution networks (e.g., ZLoader); and
- Common vulnerabilities in external assets.
According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network:
- 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities;
- "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service; and
- "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.
Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server.
162.244.80[.]235
85.93.88[.]165
185.141.63[.]120
82.118.21[.]1
CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims.
Aegis Defender Pro has blocked these IPs and their entire networks for years, as well as spam email servers used by these cyber-criminals. With over 2 billion IP addresses in the Aegis Defender Pro firewall lists, it is very rare these phishing schemes even get through email servers running Aegis Defender Pro.
If a phishing call is received, users will find that they can't load cited websites, and infected computers from outside media such as USB sticks won't be able to communicate with the servers they're programmed to, effectively containing them for detection and elimination.