Cobalt Strike servers associated with ex-Conti Gang members have been attacked

The Cobalt Strike servers, operated by former members of the Conti ransomware gang, were the target of a DDoS attack by an unknown group. Pictured: ‘Glory to Ukraine’ is written on a burnt Russian military vehicle in Kyiv, Ukraine, on August 24, 2022. (Photo by Alexey Furman/Getty Images)

A report Wednesday in BleepingComputer that an unknown group has launched DDoS attacks on Cobalt Strike servers run by former members of the Conti ransomware gang, the attacks laced with anti-Russian rhetoric, prompted security researchers to warn practitioners to button up every Cobalt Strike server they use for red team operations.

Security researchers reportedly said whoever carried out these attacks targeted at least four Cobalt Strike servers allegedly controlled by former members of the Conti gang. The Conti gang ceased operations in May, but former gang members have joined other groups and continue to use the same Cobalt Strike infrastructure to launch other ransomware attacks.

“Red Teamers operating the Cobalt Strike infrastructure to help organizations identify gaps must ensure they are adequately protecting their infrastructure,” said Jerrod Piker, competitive intelligence analyst at Deep Instinct. “DoS/DDoS protection is necessary, as the recent attacks by the Conti Group have shown, as well as advanced malware prevention, identity protection and access control. Attackers will always be looking for low-hanging fruit and will eventually spot them, so we need to make sure we make their discovery process as difficult as possible.”

John Bambenek, principal threat hunter at Netenrich, said while we don’t know for sure, this could be a pure Conti issue due to the ongoing conflict in Ukraine.

“Whenever there is a connection to a major geopolitical event, DDoS and other attacks start happening in earnest,” Bambenek said. “DDoS is the ‘simplest’ form of attack. However, anyone legitimately running Cobalt Strike should not allow the open internet to see their install.”
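The practical form of that advice is to keep the team server off the open internet: operators reach it only from known source addresses, and beacon traffic reaches it only through a redirector. The script below is an added example, not code from the article, from the quoted analysts or from Cobalt Strike itself. It assumes the team server's default operator port 50050 and uses hypothetical operator ranges (203.0.113.0/24, 198.51.100.7) and a hypothetical redirector address (192.0.2.10); it emits an nftables ruleset that enforces the policy, shows the wide-open ruleset it replaces, and audits either one for a 50050 rule that is not restricted by source address.

```shell
#!/bin/sh
# Added example: lock a Cobalt Strike team server down with nftables.
# Hypothetical values; override via the environment before applying.
OPERATOR_CIDRS="${OPERATOR_CIDRS:-203.0.113.0/24, 198.51.100.7}"   # hypothetical operator ranges
REDIRECTOR_IP="${REDIRECTOR_IP:-192.0.2.10}"                       # hypothetical redirector
TEAMSERVER_PORT=50050                                              # Cobalt Strike default
C2_PORTS="80, 443"                                                 # listener ports behind the redirector

# The hardened ruleset: default drop on input, operators from known ranges only,
# beacon traffic only from the redirector. Internet scans of 50050 are dropped.
teamserver_ruleset() {
    cat <<EOF
flush ruleset
table inet teamserver {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr { $OPERATOR_CIDRS } tcp dport 22 accept
        ip saddr { $OPERATOR_CIDRS } tcp dport $TEAMSERVER_PORT accept
        ip saddr $REDIRECTOR_IP tcp dport { $C2_PORTS } accept
    }
}
EOF
}

# The weak ruleset this replaces: accept-by-default and 50050 open to everyone.
# Included only so the audit below has something to flag.
exposed_ruleset() {
    cat <<EOF
table inet teamserver {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $TEAMSERVER_PORT accept
    }
}
EOF
}

# Audit a ruleset read from stdin. Returns 0 when the team server port is only
# accepted with a source-address restriction and the input policy is drop,
# 1 otherwise.
audit_ruleset() {
    rs="$(cat)"
    printf '%s\n' "$rs" | grep -q 'policy accept' && return 1
    # Any accept rule for the operator port that lacks 'ip saddr' is a finding.
    printf '%s\n' "$rs" | grep "dport $TEAMSERVER_PORT" | grep -qv 'ip saddr' && return 1
    return 0
}

# Apply with:   teamserver_ruleset | sudo nft -f -
# Then, from a host outside OPERATOR_CIDRS, `nmap -p 50050 <teamserver>` should
# report the port as filtered rather than open.
```

The audit is a string check on the generated text, not a substitute for testing from outside: after loading the rules, confirm from an address that is not in the operator ranges that 50050 does not answer, and that the listener ports only answer for the redirector.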

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, said this recent activity reflects a larger trend of hacktivism that has been consistently active and productive since the Russian invasion of Ukraine. Hoffman said the conflict has sparked a resurgence in hacktivism that is likely to last through the end of the year.

“Many groups like Killnet and Anonymous use social media to amplify their messages and recruit new members,” Hoffman said. “The increase in hacktivist activity should motivate organizations to put in place defenses to mitigate or prevent a DDoS attack.”

Deep Instinct’s Piker added that since the beginning of the war between Russia and Ukraine, we’ve seen the role cyberwarfare plays on the modern battlefield. Piker said that while it is not known whether these recent DoS/DDoS attacks on former Conti Cobalt Strike servers are related to the Russia-Ukraine conflict, it would make sense.

So what does the recent cyberwar spotlight mean for cybersecurity in general?

Piker said this points to the fact that information technology resources have become the most important asset of any organization, be it in the public or private sector, in legitimate or illegal businesses.

“Nation-states are now recruiting world-class hacking talent to create complex APT toolkits that are sold on the black market, and they find their way into the hands of everyday cybercriminals,” Piker said. “So today’s advanced cyberespionage against major national governments and major cybercrime organizations is tomorrow’s WannaCry campaign against private commerce around the world. What the cybersecurity community needs to do is rise to the challenge, continue to study and learn from modern APT campaigns and improve our toolsets to prevent the next major global attack of today and tomorrow.”

In other Conti-related news today, Google’s Threat Analysis Group reported that as the war in Ukraine continues, it has been tracking a growing number of financially motivated threat actors targeting Ukraine whose activities appear closely linked to those of Russian government-backed attackers.

TAG’s blog post provides details on five different campaigns conducted from April to August 2022 by a group of threat actors that may overlap with a group CERT-UA tracks as UAC-0098. TAG believes some of the threat actors are former members of the Conti gang.

