CISA and the FBI Publish Second Alert on the Conti Ransomware Group

  • American cybersecurity agencies warn about Conti attacks being on the rise again.
  • The most commonly exploited flaws by the group are “Zerologon” and “PrintNightmare”.
  • Patching software and following standard security practices should be enough to thwart the threat.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) were forced to publish their second alert about the Conti ransomware group in less than six months, as the activities of the particular group of actors are on the rise again. As the alert details, the agencies have observed the deployment of Conti’s file encryption malware in more than 400 attacks on U.S. and international organizations, with a significant percentage of those resulting in a success for the hackers.

Image: TechNadu

The alert explains that Conti has various ways to break into target networks, as the RaaS is used by many affiliates who follow different tactics. Here are the most common ones that have been spotted in the wild:

  • Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links – Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
  • Phone calls
  • Fake software promoted via search engine optimization
  • Other malware distribution networks (e.g., ZLoader)
  • Common vulnerabilities in external assets.

The vulnerabilities that Conti actors have been exploiting lately are mainly the “Zerologon” flaw (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems, the “PrintNightmare” flaw (CVE-2021-34527) in the Windows Print spooler service, and 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities. Patching these would shut the door to the actors, but CISA provides additional advice on top of that.

That would include using multi-factor authentication wherever possible, implementing network segmentation and filtering network traffic, scanning for flaws and applying updates as soon as possible, and removing unused user accounts and unnecessary applications. Finally, endpoint detection and response tools are considered a necessity today.

Morocco vs. Portugal Live Stream: How to Watch World Cup 2022 Quarterfinal Match Online
Eight teams remain in the hunt to win the 2022 FIFA World Cup, and the quarterfinals present fans with four exciting match-ups....
England vs. France Live Stream: How to Watch World Cup 2022 Quarterfinal Match Online
A blockbuster clash awaits us as England and France lock horns in the 2022 FIFA World Cup quarterfinals. Some of the world's...
How to Watch The Match 2022 Online: Live Stream Golf From Anywhere
Golf fans, prepare yourselves: The Match 2022 has arrived. Watching the live stream of the Match 2022 has never been easier, as...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari