Written by: Joseph Salazar, Technical Marketing Engineer
In mid-May 2021, the FBI released a security report identifying at least 16 Conti ransomware attacks over the past year on healthcare and first-responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. These victims are among more than 400 organizations impacted globally, 290 of which are within the United States.
Like other current ransomware variants, the Conti group steals victim files before encrypting systems to force a ransom payment. If the victim does not pay, the Conti operators publish the stolen data on a leak site they control. Recent demands have been as high as $25 million.
The DFIR Report's analysis maps the MITRE ATT&CK tactics the Conti attackers used to breach an organization. The Attivo Networks ThreatDefend platform detects or derails many of these tactics while misdirecting the attack to a decoy that stalls the ransomware infection by feeding it fake data. The following analysis highlights where and how the ThreatDefend platform can defend against Conti ransomware early in the attack, as the attackers attempt to discover systems and move laterally.
The Conti ransomware actors conducted discovery activities by querying the system and Active Directory to gather data. Among the commands were:
- nltest /domain_trusts
- nltest /domain_trusts /all_trusts
- net group "Domain Admins" /domain
Commands run through Cobalt Strike Beacons (which execute shell commands via cmd.exe /C):
- cmd.exe /C nltest /domain_trusts
- cmd.exe /C nltest /dclist:
- cmd.exe /C net group "Enterprise admins" /domain
- cmd.exe /C net group "Domain admins" /domain
The attackers sought domain controllers to move laterally to over Windows Remote Desktop Protocol (RDP). Once on a domain controller, they enumerated the networks present in the environment using dsquery:
- cmd.exe /C dsquery subnet -limit 0
They then conducted port scans from the domain controller looking for common service ports (SSH, SMB, MSSQL, WinRM, RDP, and others) on systems residing in the same subnet.
They leveraged pass-the-hash techniques to obtain a valid Kerberos ticket for the administrator user (using an NTLM hash to request a Kerberos ticket is also known as overpass-the-hash), allowing them to move laterally with elevated privileges. They also used a Cobalt Strike Beacon to create a new account named "nuuser" on the domain controller and added it to the built-in Administrators group, granting it administrative privileges in the AD domain.
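The discovery commands and the account creation above all leave traces in Windows process-creation and account-management events, which is where a defender without a deception platform would catch them. The Python script below is an added example, not code from this post or from Attivo; it runs a small rule set over constructed event records (a simplified dictionary form of Security events 4688, 4720 and 4728/4732/4756; the field names are this example's own simplification, and the hostnames and user names are made up). It flags the nltest, net group and dsquery patterns, notes the cmd.exe /C wrapper that Cobalt Strike's shell command uses, raises a burst alert when one host runs several distinct discovery commands, and alerts on new accounts and on additions to privileged groups.

```python
"""Detect Conti-style AD discovery and privileged-account creation.

Added example, not Attivo code. Event records below are constructed and
use a simplified dict form of Security events 4688 (process creation),
4720 (account created) and 4728/4732/4756 (member added to a group);
the field names are this example's assumption, not a product schema.
"""
import re
from collections import defaultdict

# Command-line patterns matching the discovery commands from the intrusion.
DISCOVERY_PATTERNS = {
    "nltest_trusts": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b", re.I),
    "nltest_dclist": re.compile(r"\bnltest(?:\.exe)?\s+/dclist:", re.I),
    "net_group_privileged": re.compile(
        r'\bnet1?(?:\.exe)?\s+group\s+"?(?:domain admins|enterprise admins)"?\s+/domain\b',
        re.I),
    "dsquery_subnet": re.compile(r"\bdsquery(?:\.exe)?\s+subnet\b", re.I),
}
# Cobalt Strike's "shell" command runs its argument through cmd.exe /C.
CMD_WRAPPER = re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I)

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group


def classify_command(cmdline):
    """Return the names of discovery patterns found in a command line."""
    hits = [name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)]
    if hits and CMD_WRAPPER.search(cmdline):
        hits.append("cmd_wrapper")
    return hits


def detect(events, burst_threshold=2):
    """Run the rules over an event list and return a list of alert dicts."""
    alerts = []
    per_host = defaultdict(set)  # host -> distinct discovery patterns seen
    for ev in events:
        eid, host, user = ev["EventID"], ev["Computer"], ev["SubjectUserName"]
        if eid == 4688:
            hits = classify_command(ev.get("CommandLine", ""))
            if hits:
                alerts.append({"rule": "ad_discovery", "host": host, "user": user,
                               "matched": hits, "cmdline": ev["CommandLine"]})
                per_host[host].update(h for h in hits if h != "cmd_wrapper")
        elif eid == 4720:
            alerts.append({"rule": "account_created", "host": host, "user": user,
                           "target": ev["TargetUserName"]})
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            # In 4728/4732/4756, TargetUserName is the group and MemberName the new member.
            alerts.append({"rule": "privileged_group_add", "host": host, "user": user,
                           "group": ev["TargetUserName"], "member": ev["MemberName"]})
    # Several distinct discovery commands from one host is the stronger signal.
    for host, names in per_host.items():
        if len(names) >= burst_threshold:
            alerts.append({"rule": "discovery_burst", "host": host, "matched": sorted(names)})
    return alerts


# Constructed sample events mirroring the Conti activity described above.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "CommandLine": "cmd.exe /C nltest /domain_trusts"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "CommandLine": 'cmd.exe /C net group "Domain admins" /domain'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "administrator",
     "CommandLine": "cmd.exe /C dsquery subnet -limit 0"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign noise
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "administrator",
     "TargetUserName": "nuuser"},
    {"EventID": 4732, "Computer": "DC01", "SubjectUserName": "administrator",
     "TargetUserName": "Administrators",
     "MemberName": "CN=nuuser,CN=Users,DC=example,DC=local"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints six alerts for the sample: three discovery hits, a burst for WS01 (two distinct discovery commands), the nuuser creation, and the addition to Administrators; the svchost line produces nothing. On a real estate the same rules would run over 4688 events with command-line auditing enabled (or Sysmon Event ID 1), and the burst threshold would be tuned against the volume of legitimate admin tooling.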
How the ThreatDefend Platform Defends against Conti
The Attivo ThreatDefend platform includes three layers of defense: identity compromise, privilege escalation, and lateral movement protection. Starting from the endpoint, each plays a valuable role in detecting and misdirecting Conti and other ransomware attack activities.
The first line of defense for derailing Conti ransomware is to remove credential exposures and attack paths from endpoints to critical assets. The ThreatPath functionality provides topographical and table views of exposed credentials, local admin accounts, shadow admins, delegated accounts, and misconfigured SMB shares. It can also monitor and alert on changes to AD privileged groups and risky ACLs.
The ThreatStrike function loads decoy credentials into endpoint memory so that credential theft tools harvest fake hash values for pass-the-hash attacks instead of real ones, preventing further credential compromise. Any attempted use of these lures breadcrumbs the attacker into a sandbox where the organization can safely study them and gather threat intelligence. This function is a solid addition to any endpoint solution, since endpoint solutions generally do not detect credential theft and misuse.
The next line of defense is against privilege escalation, which the Active Directory portfolio of products provides. The ADAssessor solution provides proactive prevention by removing user, device, and domain-level exposures that create risk. Often referred to as a continuous pen test for Active Directory, the solution discovers exposures, misconfigurations, and vulnerabilities and presents them in an actionable dashboard. This process happens quickly and completes in less time than it would take to make a cup of coffee. Defenders gain the advantage against Conti attacks by removing the attackers' ability to escalate privileges through Active Directory risks. The ADAssessor solution also alerts on live attack activity, such as password spraying, suspicious or mass account changes, DCShadow attacks, and more.
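To make concrete what finding shadow admins and risky ACLs, and monitoring privileged group membership, involves (the exposure checks described for ThreatPath and ADAssessor above), here is an added Python example. It is not ThreatPath or ADAssessor code and makes no claim about how those products work internally. It operates on a constructed snapshot of group memberships and ACL entries (every name is invented); the right labels follow BloodHound-style conventions (GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword), which is this example's assumption rather than anything the post specifies. It expands nested group membership, reports trustees that hold control rights over privileged groups, their nested groups, AdminSDHolder or privileged accounts without themselves being privileged, and diffs two snapshots to surface a member added to the built-in Administrators group, as happened with nuuser.

```python
"""Find shadow admins and privileged-group changes in an AD snapshot.

Added example, not ThreatPath or ADAssessor code. The snapshot data is
constructed; names and right labels are assumptions of this example.
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Rights that give control of an object (BloodHound-style labels, assumed here).
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                  "ForceChangePassword"}


def expand(group, groups):
    """Transitively expand a group. Returns (users, groups) reached from it.

    `groups` maps group name -> list of direct members; a member that is
    itself a key of `groups` is a nested group, anything else is a user.
    The `seen` set guards against circular nesting, which AD permits.
    """
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:
                stack.append(m)
            else:
                users.add(m)
    return users, seen


def effective_members(group, groups):
    """Users who are members of `group` directly or through nesting."""
    return expand(group, groups)[0]


def shadow_admins(groups, acls):
    """ACEs that give a non-privileged trustee control over a privileged object.

    `acls` is a list of (object, trustee, right) tuples. Privileged objects
    are the privileged groups, every group nested inside them, AdminSDHolder,
    and every effective member account.
    """
    priv_users, targets = set(), {"AdminSDHolder"}
    for g in PRIVILEGED_GROUPS:
        users, nested = expand(g, groups)
        priv_users |= users
        targets |= users | nested
    findings = [{"trustee": t, "object": o, "right": r}
                for o, t, r in acls
                if o in targets and r in CONTROL_RIGHTS and t not in priv_users]
    return sorted(findings, key=lambda f: (f["trustee"], f["object"]))


def privileged_group_changes(baseline, current):
    """Accounts that newly became effective members of a privileged group."""
    changes = {}
    for g in PRIVILEGED_GROUPS:
        added = effective_members(g, current) - effective_members(g, baseline)
        if added:
            changes[g] = added
    return changes


# Constructed snapshot: direct memberships before the intrusion.
BASELINE = {
    "Domain Admins": ["Administrator", "Tier0-Ops"],
    "Tier0-Ops": ["alice", "Helpdesk-Escalation"],   # nested two levels deep
    "Helpdesk-Escalation": ["bob"],
    "Enterprise Admins": ["Administrator"],
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
}
# Same snapshot after an attacker adds "nuuser" to the built-in Administrators group.
CURRENT = {g: list(m) for g, m in BASELINE.items()}
CURRENT["Administrators"] = CURRENT["Administrators"] + ["nuuser"]

# Constructed ACL entries: (object, trustee, right).
ACLS = [
    ("Domain Admins", "svc-backup", "GenericAll"),        # service account owns DA
    ("AdminSDHolder", "carol", "WriteDacl"),              # can rewrite protected ACLs
    ("alice", "helpdesk1", "ForceChangePassword"),        # reset a tier-0 user's password
    ("Tier0-Ops", "erin", "GenericWrite"),                # control of a group nested in DA
    ("Tier0-Ops", "alice", "GenericWrite"),               # alice is already privileged
    ("WS01", "dave", "GenericAll"),                       # not a privileged object
]

if __name__ == "__main__":
    for f in shadow_admins(BASELINE, ACLS):
        print("shadow admin:", f)
    print("privileged group changes:", privileged_group_changes(BASELINE, CURRENT))
```

Run directly, the script reports svc-backup, carol, helpdesk1 and erin as shadow admins, ignores alice and dave, and reports nuuser as a new effective member of Administrators. In production the memberships would come from LDAP and the ACEs from each object's nTSecurityDescriptor, and the diff would run on every collection cycle, which is the mechanism behind alerting on privileged group changes.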
An additional proactive and highly recommended measure for protecting Active Directory is the ADSecure solution, which would have warned about the unauthorized AD queries. Had the attackers then targeted the fake domain admin accounts that ADSecure returned in response to their initial queries, they would have received decoy hashes. The ADAssessor solution would also have identified, for remediation, exposures on the domain controller that leave it vulnerable to stolen Kerberos ticket attacks.
Additionally, the ADSecure solution could return fake data pointing to decoy systems to further slow and disrupt the attack, while the DataCloak function hid the sensitive results, showing decoy domain controllers and decoy Enterprise Admins and Domain Admins group members. Denying the attackers access to AD takes away their ability to change security policies, conduct mass malware downloads, and install hidden backdoors.
Lateral movement is the next attack activity that Conti and other ransomware attackers use. The Deflect function disrupts this activity by redirecting port scans that touch closed ports on production systems to decoys for engagement, generating alerts for the scanning activity while still answering the queries. For example, if the ransomware probes a system on port 22 for an SSH server that does not exist, the system forwards the traffic to a decoy SSH server that responds to the attackers, drawing them into engaging with it.
The ThreatDefend platform also creates full OS decoys, including AD domain controllers. Here, the attackers unknowingly engage with a decoy asset or AD server as they move laterally via RDP. Note that if the attacker had instead connected to the production domain controller, the ADAssessor solution would have identified the new account in the built-in Administrators group on its next assessment.
Like many recent ransomware attacks, Conti relies heavily on discovery activities to mine AD for sensitive or critical objects, accounts, and targets. The ThreatDefend platform's solutions can effectively disrupt, misdirect, and deny the attackers the data they seek, affecting their downstream attacks while alerting defenders that an attack is underway. These capabilities are not present in traditional security solutions. Adding them to the security stack has become a necessity for mounting an effective defense against ransomware attacks.
For more information, please visit www.attivonetworks.com.