An enraged low-paid affiliate leaked critical information about the Conti cybercrime gang's RaaS operation

Aug 11, 2021 15:29 GMT

Key details critical to the operation of the Conti Ransomware-as-a-Service scheme have been exposed online, Threatpost reports.

The leaked material includes numerous Cobalt Strike tools, training materials and an archive of Cobalt Strike C2 servers, with IP addresses that show how the group conducts its attacks. It was posted by an allegedly vindictive Conti gang member who accused the organization of cheating him out of money for his services.

The group appears not to have paid the disgruntled member as much as he expected, prompting an online rant. After receiving only $1,500 in payment for his efforts, the affiliate claimed that recruiters took advantage of "suckers" and divided the money among themselves.

Network administrators should block any Conti IP addresses

Needless to say, the leak of this material represents “the holy grail of the pen-tester operation behind the Conti ransomware ‘pen-tester’ team from A-Z,” according to ethical hacker and security researcher Vitali Kremez. Drawing on the disclosed material, Kremez advised network administrators watching for Conti activity to look for AnyDesk persistence and unwanted Atera Agent installations.

Defenders tracking Conti should add 82.118.21.1, 185.141.63.120, 85.93.88.165, and 162.244.80.235 to their IP blocklists, according to security researcher @Pancak3; the leak showed the group using those addresses for its infrastructure.
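The two pieces of defensive advice above (block the four published addresses; hunt for AnyDesk persistence and unwanted Atera Agent installs) are easy to turn into a triage script. The following is an added example written for this page, not code from the leak, from Kremez or from @Pancak3: it parses key=value firewall log lines, flags any destination that falls within the published address list (stored as networks so CIDR ranges can be added later), and scans a process snapshot for the two remote-management tools. The log lines, the process listing, the internal 10.x addresses and the 198.51.100.7 destination are constructed; the process and path names for AnyDesk and Atera are assumed, which is why the matching is a loose substring match rather than an exact name check.

```python
"""Triage helper for the Conti IoCs named in the coverage of the leak.

Added example. Sample log lines and the process snapshot below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Addresses published by @Pancak3 after the leak. Kept as networks so the same
# lookup works if a defender later adds CIDR ranges instead of single hosts.
CONTI_C2_IOCS = [ipaddress.ip_network(a) for a in (
    "82.118.21.1", "185.141.63.120", "85.93.88.165", "162.244.80.235",
)]

# Remote-management tooling Kremez flagged. Exact binary/service names are
# assumed here, so match loosely on the vendor name in the process name or path.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
    "Atera": re.compile(r"atera", re.IGNORECASE),
}

# Constructed firewall log lines (syslog-style prefix, then key=value fields).
SAMPLE_FW_LOG = """\
2021-08-10T21:14:02Z fw01 action=allow src=10.20.4.17 dst=185.141.63.120 dport=443 proto=tcp
2021-08-10T21:14:05Z fw01 action=allow src=10.20.4.17 dst=198.51.100.7 dport=443 proto=tcp
2021-08-10T21:15:40Z fw01 action=allow src=10.20.7.3 dst=82.118.21.1 dport=8080 proto=tcp
2021-08-10T21:16:01Z fw01 action=deny src=10.20.7.3 dst=162.244.80.235 dport=443 proto=tcp
garbage line without fields
"""

# Constructed process snapshot (name, image path) from one workstation.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("AnyDesk.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    ("AteraAgent.exe", r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class C2Hit:
    timestamp: str
    src: str
    dst: str
    action: str  # a denied attempt still marks the source host as suspect


def parse_kv(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def find_c2_hits(log_text, iocs=CONTI_C2_IOCS):
    """Return one C2Hit per log line whose destination is in the IoC list."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_kv(line)
        dst = fields.get("dst")
        if not dst:
            continue  # malformed line: skip it rather than abort the whole scan
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # dst field present but not an IP literal
        if any(addr in net for net in iocs):
            timestamp = line.split(" ", 1)[0]
            hits.append(C2Hit(timestamp, fields.get("src", "?"), dst,
                              fields.get("action", "?")))
    return hits


def find_rmm_tools(processes, patterns=RMM_PATTERNS):
    """Map each flagged tool label to the process names that matched it."""
    found = {}
    for name, path in processes:
        for label, pattern in patterns.items():
            if pattern.search(name) or pattern.search(path):
                found.setdefault(label, []).append(name)
    return found


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_FW_LOG):
        print(f"[C2] {hit.timestamp} {hit.src} -> {hit.dst} ({hit.action})")
    for tool, procs in find_rmm_tools(SAMPLE_PROCESSES).items():
        print(f"[RMM] {tool}: {', '.join(procs)}")
```

Two design points worth noting: a `deny` entry is still reported, because a blocked outbound connection to a C2 address is evidence that the source host is already compromised, and the remote-management check reports the tool even when the binary is legitimately installed, since the article's guidance is to review every such installation for whether it was authorized.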

More broadly, the incident shows that Ransomware-as-a-Service operations are themselves exposed to this kind of insider leak: the tooling, infrastructure details and other material amassed over the course of their attacks can be disclosed by a single disaffected affiliate.

Separately, since July 2021 the United States Department of State has been prepared to pay up to $10 million for valuable information that provides evidence of foreign hostile cyber activity against critical infrastructure on US soil.