Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Conti Leaks: Practical walkthrough and what can...

Thomas Roccia
December 12, 2022
Technology
0
960

Conti Leaks: Practical walkthrough and what can we learn from it

This conference has been presented at Bsides Melbourne and Hack Sydney.

Conti, one of the most prolific ransomware gangs in recent years, conducted multiple targeted attacks against companies with multi-million dollars in revenue. The Conti ransomware gang is a well-organized group, with an affiliate model using Ransomware as Service (RaaS).

On February 28th, a major leak has been published on Twitter about the Conti group. The leaked chat logs revealed private discussions between Conti members and show the size of their network. The data provided a unique insight into the inner workings of the group.

This presentation will provide a practical approach to exploit the chat logs using Python applied for threat intelligence. We will dissect the available information and learn more about their process and operation. Eventually, we will see how we can take advantage of the available information to pivot and hunt for additional context and threat intelligence.

The talk will allow analysts to reuse the code and continue to search for the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analysing chat logs, extracting indicators of compromise, and improving threat intelligence and defence process using Python.

Thomas Roccia

December 12, 2022
Tweet

More Decks by Thomas Roccia

See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.2k
Prompt Engineering for Threat Intelligence
fr0gger
1
270
State-Sponsored Financially Motivated Attacks
fr0gger
0
670
Binary Instrumentation for Malware Analysis
fr0gger
2
1.5k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
1.9k
Code Graphology
fr0gger
0
720
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
920
AISA - Practical Threat Intelligence
fr0gger
0
1.3k
Hermetic Wiper Infographic
fr0gger
1
850

Other Decks in Technology

See All in Technology
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
TypeScript、上達の瞬間
sadnessojisan
46
13k
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
4
230
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
強いチームと開発生産性
onk
PRO
35
11k
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
170
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
13k

Featured

See All Featured
Fireside Chat
paigeccino
34
3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Designing for Performance
lara
604
68k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Done Done
chrislema
181
16k
Typedesign – Prime Four
hannesfritz
40
2.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Writing Fast Ruby
sferik
627
61k
Code Review Best Practice
trishagee
64
17k
Code Reviewing Like a Champion
maltzj
520
39k
Music & Morning Musume
bryan
46
6.2k

Transcript

  1. None
  2. None

  3. Who is Conti? Why the Conti Leaks are valuable information?

    Practical Python for Threat Intelligence Exploring the Jabber Logs of the Conti Leaks Extracting and analyzing relevant information using MSTICpy

  4. " T h e i n f o r m

    a t i o n a n d k n o w l e d g e a b o u t a n a d v e r s a r y o b t a i n e d t h r o u g h o b s e r v a t i o n , i n v e s t i g a t i o n , a n a l y s i s , o r u n d e r s t a n d i n g , i s t h e p r o d u c t t h a t p r o v i d e s b a t t l e s p a c e a w a r e n e s s " - E d w a r d W a l t z -

  5. Easy to use and to learn Versatile Powerful for both

    big and small apps Work perfectly with a lot of data (pandas) Can be used to create workflow with Jupyter Can be used to automate boring stuff Whatever you need, Python will cover your ass!

  6. Ransomware as a service Model and double extortion The state

    department official says. “They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat.” Started in December 2019 Believed to be based in Russia, ~$50 Million
  7. None

  8. Jabber is used as an internal chat tool of the

    Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination

  9. Jabber is used as an internal chat tool of the

    Conti organisation The logs are from 2020 to 2022 and written in Russian Multiple affiliate groups and criminal element are connected to it to discuss operation and coordination I don't read nor understand Russian The Size is about 35 MB I want a quick way to analyze them and find relevant information ChAllenge Accepted!
  10. None

  11. https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA

  12. None
  13. None

  14. Stern Defender Bentley Mango Buza Target Target https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

  15. Querying log data from multiple sources Extracting Indicators of Activity

    (IoA) from logs and unpack encoded data Performing analysis such as anomalous session detection and time series decomposition Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts Enriching the data with TI, geolocations and Azure resource data Machine learning analysis
  16. None
  17. None
  18. None
  19. None

  20. Multiple services (HR, Coders, RE, Testers...) Defender Stern Mango Bentley

    Veron... Main Accounts: Interconnection with multiple cybercriminal groups that operates as affiliates. Conti deployment via CobaltStrike Trickbot, BazaLoader, Emotet... The chats represent a communication platform for coordination between multiple criminal elements that are in some cases distinct Well organised and Structured like a company 🤯
  21. None

  22. The cybercriminal economy is a continuously evolving connected ecosystem of

    many players with different techniques, goals, and skillsets. Threat intelligence can be used to proactively get details about a threat actor. Leaked data are valuable information. Python is the perfect companion for threat intelligence analysts MSTICpy can bolster your process in place for investigation

  23. Observation Investigation & Analysis Understand

  24. None

  25. https://www.microsoft.com/security/blog/2022/06/01/using-python-to-unearth-a-goldmine-of-threat- intelligence-from-leaked-chat-logs/ https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime- gig-economy-and-how-to-protect-yourself/ https://jupyter.securitybreak.io/Conti_Leaks_Analysis/Conti_Leaks_Notebook_TR.html https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start- up-sort-of/ https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html https://www.trellix.com/en-au/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-

    ransomware.html https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA https://msticpy.readthedocs.io/en/latest/getting_started/Introduction.html https://twitter.com/fbi/status/1522939345711288320 https://www.vx-underground.org/