informa
Quick Hits

CISA, FBI, NSA Warn of Increase in Conti Ransomware Attacks

A new alert provides the technical details of ongoing attacks and guidance for organizations to secure systems against Conti.

The FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency today issued a joint alert warning of increased use of Conti ransomware, which has been seen in more than 400 attacks on US and international organizations, officials report.

Conti is considered a ransomware-as-a-service model; however, variation in its structure differentiates it from a typical affiliate model, the alert states. It's likely that Conti's developers pay the attackers who deploy the ransomware a wage rather than a percentage of the proceeds, officials say.

They list multiple means that Conti actors often use to gain initial network access. These include spear-phishing campaigns that use emails containing malicious attachments or links; stolen or weak Remote Desktop Protocol credentials; phone calls; fake software promoted via search engine optimization; common flaws in external assets; or other malware distribution networks.

"CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces," the alert states. Attackers will exploit legitimate remote monitoring and management software, as well as remote desktop software, to persist on target networks.

A recently leaked "playbook" from Conti attackers revealed that they exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim's environment.

Read the full alert for more details.

Recommended Reading: