This site may contain samples of code from malware for educational purposes only. The author does not condone usage of this code for malicious means.

Hack the Box Machine: Trick

Opensource

Initial Recon

nmap

As is my go-to for these, I ran nmap to see what was there, as well as adding trick.htb to my hosts file. I used my normal script NmapAutomator (available here: NmapAutomator) to run a battery of tests against it, including nmap (all types of scans), nikto, smtp user enum, and others. From the results, I saw that it was running an OpenSSH 7.9 Debian ssh server on port 22 TCP, a postfix smtp server on port 25 TCP, a BIND9 dns server on port 53 TCP and UDP, and an nginx 1.14.2 HTTP server on port 80. It also flagged a CVE in the ssh version, SSHtranger Things, but that seemed completely irrelevant as it only applies to the SCP client.

ExploitCon 2022

Running a successful criminal enterprise

Ransomware summary

  • Ransomware start ups are running like businesses in foreign countries
  • On Feb 27, Contileaks posted 60,000 chat messages from Conti Ransomware gang
  • Security Researchers have read the messages to build an idea of how the gangs operate
  • Ransomware is more about manipulating people than anything else
  • 1 out of 14 organizations are impacted by ransomware every month
  • BitCoin is used for payment

Modern hackers

  • Mainly from Eastern Europe
  • Work as tech startups
  • Organized crime groups

Ransomware - Evolving tactics

  • Classic 2013 - Downloads from site
  • 2017 WannaCry and NotPetya were first global
  • 2019 Double Extortion - You pay, or we make your data public
  • 2021 Triple Extortion - You pay, and the clients pay
  • Ransom payments are increasing exponentially

Recent Cyber Attacks

Ransomware on Health Care system of Ireland

  • #100 million in damages
  • Took months to recover

JBS

Conti ransomware group threatens to oust Costa Rica’s government

  • US Department of State offering $15 million for apprehension of conti members

Ransomware groups

Conti group (AKA Wizard Spider)

  • 100 employees
  • Develops ransomware
  • Russian
  • 2.7 billion USD over 5 years
  • 1000 victims

Ransomware as a service

  • Develops the software and manages payment; other people distribute it.
  • Broker breaks in and sells access, Affiliate distributes the ransomware, and CONTI manages R&D, Victim Messaging, and payment processing
  • Stern is in charge, conti manages it. They developed IcedID for botnet, EMOTET for malware, and TRICKBOT for malware
  • Netwalker - Ransomware
  • Lockbit - Ransomware
  • Ryuk - Ransomware (predecessor of conti)
  • Maze - Ransomware
  • Karakut - Data extortion
  • Stern is CEO
  • Mango is R&D.
  • Salamandra is leading HRP
  • Revers interview, Twin trains
  • Bently is IT Support/System Admin
Recruitment practices

  • Employee Referral Program
  • Job Websites
    • hh.ru provided discounts to CONTI
  • Chat room interviews, no video
  • New hire onboarding - They don’t always know what they signed up for

Revers: Did the recruiter tell you what to do?
New Hire: Well, I got it roughly yes...
Revers: Have you heard of ransomware?
New Hire: No

Work life balance

  • 5 day work week.
  • Rotating on call
  • Performance review
  • Paid vacations
  • Employee of the month
  • Salary paid on 1st and 15th
  • Negotiators paid by commission
  • Performance based Bonus

Ransomware negotiation

Conti News

Pillars of successful negotiation

  • Victim’s ability to pay
  • Quality of exfiltrated data
  • Conti’s reputation
  • Cyber Insurance - Charge more if they know they have it
  • Victim’s negotiators

Ransomware Negotiation Process

  • Discounts for fast payments
  • Victims trying to buy time
  • Last chance to pay
  • File publication suspended
  • Agreement or data dump
  • CONTI and associates will never victimize you again

Hack The Box Machine: OpenSource

Initial Recon

nmap

As is common with these, I began with an nmap scan to see what ports are open. I use a script called nmapAutomator to help automate some of the basic vulnerability scans. It returned that port 22 (SSH) and port 80 (HTTP) were open. It also ran a service and vulnerability scanner, as well as recommending initial recon commands to run. According to the outputs, the website is running in Python, which can be identified by the nmap script scan server string of Werkzeug/2.1.2 Python/3.10.3. Werkzeug is a WSGI implementation, which is part of Django.
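Both recon sections above (Trick and OpenSource) start from nmap output and a service banner. The script below is an added example, not part of the original write-up or of nmapAutomator: it parses nmap's grepable (-oG) output into open-port records and splits a Server header such as Werkzeug/2.1.2 Python/3.10.3 into product/version pairs, then lists which services disclose a version string (the banners a hardening pass would suppress). The sample scan text, the RFC 5737 address 192.0.2.10, and the version strings are constructed for the example and are not captured from the real machines.

```python
"""Parse nmap grepable output and HTTP Server headers (added example; all sample
data below is constructed, not taken from the HTB boxes)."""
import re
from dataclasses import dataclass

# Inside the "Ports:" field each entry is
#   port/state/protocol/owner/service/rpc-info/version/
# and entries are comma-separated.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed sample modelled on the four services the Trick write-up lists.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (trick.htb)\tStatus: Up\n"
    "Host: 192.0.2.10 (trick.htb)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.9 Debian (protocol 2.0)/, "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "53/open/tcp//domain//ISC BIND 9 (Debian Linux)/, "
    "80/open/tcp//http//nginx 1.14.2/, "
    "443/closed/tcp//https///\tIgnored State: closed (995)\n"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Return {host: [OpenPort, ...]} for every *open* port in grepable output."""
    hosts = {}
    for line in text.splitlines():
        # Comment lines and the "Status: Up" line carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything after "Ports:" up to the next tab is the port list.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state != "open":
                continue
            hosts.setdefault(host, []).append(
                OpenPort(int(port), proto, service, version.strip()))
    return hosts


def parse_server_header(value):
    """Split 'Werkzeug/2.1.2 Python/3.10.3' into [('Werkzeug', '2.1.2'), ('Python', '3.10.3')].
    A token without a slash (e.g. a bare 'nginx') yields an empty version."""
    pairs = []
    for token in value.split():
        product, _, version = token.partition("/")
        pairs.append((product, version))
    return pairs


def version_disclosures(hosts):
    """(host, port, version) for each open service whose banner leaks a version."""
    return [(host, p.port, p.version)
            for host, ports in hosts.items()
            for p in ports if p.version]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in scan.items():
        for p in ports:
            print(f"{host} {p.port}/{p.proto} {p.service}: {p.version or '(no version)'}")
    print(parse_server_header("Werkzeug/2.1.2 Python/3.10.3"))
    print(version_disclosures(scan))
```

The closed 443 entry in the sample is deliberately present to show that only `open` entries are kept; a real -oG file also contains `filtered` ports, which the same check drops. The disclosure list is the defender's view of the same data: each banner with a version is one the server could be configured not to send.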