Conti Leaks: Practical walkthrough and what can we learn from it

Thomas Roccia
December 12, 2022

This conference has been presented at Bsides Melbourne and Hack Sydney.

Conti, one of the most prolific ransomware gangs of recent years, conducted multiple targeted attacks against companies with multi-million-dollar revenues. The Conti ransomware gang is a well-organized group that runs an affiliate model based on Ransomware-as-a-Service (RaaS).

On February 28th, 2022, a major leak about the Conti group was published on Twitter. The leaked chat logs revealed private discussions between Conti members and showed the scale of their network. The data provided a unique insight into the inner workings of the group.

This presentation will provide a practical approach to exploiting the chat logs with Python for threat intelligence. We will dissect the available information and learn more about the group's process and operations. Finally, we will see how to take advantage of the available information to pivot and hunt for additional context and threat intelligence.

The talk will allow analysts to reuse the code and continue searching the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analysing chat logs, extracting indicators of compromise, and improving threat intelligence and defence processes using Python.


Transcript

  1. Who is Conti? Why are the Conti Leaks valuable information? Practical Python for Threat Intelligence: Exploring the Jabber Logs of the Conti Leaks. Extracting and analyzing relevant information using MSTICpy.
  2. "The information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battlespace awareness" - Edward Waltz
  3. Easy to use and to learn. Versatile. Powerful for both big and small apps. Works perfectly with a lot of data (pandas). Can be used to create workflows with Jupyter. Can be used to automate boring stuff. Whatever you need, Python will cover your ass!
  4. Ransomware-as-a-Service model and double extortion. Started in December 2019. Believed to be based in Russia; ~$50 million. A State Department official says: "They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat."
  5. Jabber is used as the internal chat tool of the Conti organisation. The logs are from 2020 to 2022 and written in Russian. Multiple affiliate groups and criminal elements are connected to it to discuss operations and coordination.
  6. I don't read nor understand Russian. The size is about 35 MB. I want a quick way to analyze them and find relevant information. Challenge accepted!
  7. MSTICpy capabilities: querying log data from multiple sources; extracting Indicators of Activity (IoA) from logs and unpacking encoded data; performing analysis such as anomalous session detection and time series decomposition; visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts; enriching the data with TI, geolocation and Azure resource data; machine learning analysis.
  8. Main accounts: Defender, Stern, Mango, Bentley, Veron... Multiple services (HR, coders, RE, testers...). Interconnection with multiple cybercriminal groups that operate as affiliates. Conti deployment via Cobalt Strike; Trickbot, BazaLoader, Emotet... The chats represent a communication platform for coordination between multiple criminal elements that are in some cases distinct. Well organised and structured like a company 🤯
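The workflow the abstract and slides 6 to 8 describe is: load the Jabber dump, pull indicators out of message bodies without having to read the Russian around them, unpack anything encoded, and rank accounts and their links to find the main operators. The block below is an added example written for this page, not code from the talk, from the leak or from MSTICpy. It uses only the Python standard library (the deck does the same job with pandas and MSTICpy's IoC extraction). The JSON-lines layout with "ts", "from", "to" and "body" fields, the jabber.example domain, the account names used as senders and every message are constructed for the demo and are assumptions, not leak data.

```python
"""Parse a Jabber-style chat dump, extract IoCs, decode base64 blobs and rank accounts.

Added example for this page; not code from the talk or from MSTICpy. The
JSON-lines layout and all sample messages below are constructed (assumption).
"""
import base64
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (assumed layout, not real leak data). Bodies mix
# Russian text with the kinds of artefacts an analyst wants pulled out.
SAMPLE_LOG = """\
{"ts": "2021-06-01T10:02:11", "from": "stern@jabber.example", "to": "mango@jabber.example", "body": "нужен новый сервер, 203.0.113.10 уже в блоке"}
{"ts": "2021-06-01T10:05:40", "from": "mango@jabber.example", "to": "stern@jabber.example", "body": "ок, beacon на http://cdn.example.net/update.bin"}
{"ts": "2021-06-01T11:15:02", "from": "bentley@jabber.example", "to": "defender@jabber.example", "body": "кошелек для оплаты bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"}
{"ts": "2021-06-02T09:00:13", "from": "veron@jabber.example", "to": "stern@jabber.example", "body": "хеш билда 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
{"ts": "2021-06-02T09:12:45", "from": "defender@jabber.example", "to": "stern@jabber.example", "body": "ссылка: aHR0cDovL2V4YW1wbGUub3JnL3BheWxvYWQ="}
{"ts": "2021-06-02T09:13:10", "from": "stern@jabber.example", "to": "defender@jabber.example", "body": "принял, 203.0.113.10 и 203.0.113.77 в бан"}
"""

# Patterns run in this order, and every match is blanked out before the next
# pattern runs: a URL is not also reported as an IPv4, and a hash or wallet
# address is never handed to the base64 decoder.
PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("btc", re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
# Candidate base64 blob: a run of alphabet characters not glued to other alphabet characters.
B64 = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def parse_log(text):
    """Turn JSON-lines into message dicts; the local part of the JID is the account name."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        messages.append({
            "ts": datetime.fromisoformat(raw["ts"]),
            "sender": raw["from"].split("@")[0],
            "recipient": raw["to"].split("@")[0],
            "body": raw["body"],
        })
    return messages


def extract_iocs(body):
    """Return {ioc_type: [values]}, plus base64 blobs that decode to printable UTF-8."""
    found = {}
    remaining = body
    for name, pattern in PATTERNS:
        hits = pattern.findall(remaining)
        if hits:
            found[name] = hits
            remaining = pattern.sub(" ", remaining)
    decoded = []
    for blob in B64.findall(remaining):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # bad padding/alphabet or binary payload
            continue
        if text.isprintable():
            decoded.append(text)
    if decoded:
        found["base64_decoded"] = decoded
    return found


def analyze(messages):
    """Aggregate IoCs, decoded blobs, per-account volume, account links and daily activity."""
    iocs, volume, edges, per_day, decoded = Counter(), Counter(), Counter(), Counter(), []
    for m in messages:
        volume[m["sender"]] += 1
        edges[tuple(sorted((m["sender"], m["recipient"])))] += 1  # undirected link
        per_day[m["ts"].date().isoformat()] += 1
        for kind, values in extract_iocs(m["body"]).items():
            if kind == "base64_decoded":
                decoded.extend((m["sender"], v) for v in values)
            else:
                iocs.update((kind, v) for v in values)
    return {"iocs": iocs, "decoded": decoded, "volume": volume, "edges": edges, "per_day": per_day}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    print("Most active accounts:", result["volume"].most_common(3))
    print("Strongest links:", result["edges"].most_common(3))
    print("Messages per day:", dict(result["per_day"]))
    for (kind, value), n in sorted(result["iocs"].items()):
        print(f"{kind:7} {value}  (x{n})")
    for sender, text in result["decoded"]:
        print(f"decoded from {sender}: {text}")
```

Blanking each match before the next pattern runs is what keeps the base64 scanner from reporting the SHA-256 hash or the wallet address as an encoded blob, a false positive that a single regex pass produces constantly on real chat logs. The Counters of IoCs, per-account volume and account pairs are exactly the tables the deck builds with pandas, and they drop straight into a DataFrame or a graph library once the input is the full 35 MB dump rather than six constructed lines.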
  9. The cybercriminal economy is a continuously evolving, connected ecosystem of many players with different techniques, goals, and skillsets. Threat intelligence can be used to proactively get details about a threat actor. Leaked data are valuable information. Python is the perfect companion for threat intelligence analysts. MSTICpy can bolster the investigation process you already have in place.