According to researchers, the playbook of Conti, a group that offers ransomware as a service (RaaS), has just been exposed. Alongside the Cobalt Strike manual that was used in drafting the playbook, the leak provides a wealth of information about the threat actors.
A disgruntled Conti partner is alleged to have leaked the confidential playbook documents.
- Researchers note that the level of detail in the documentation could be used by other cybercriminals to carry out attacks.
- Beyond tools such as AdFind to enumerate users with Active Directory access, the attackers also use OSINT and LinkedIn to identify people with privileged access.
- Cobalt Strike, a threat emulation tool, is one of the most important instruments in the playbook. Armitage, SharpChrome, SharpView and Seatbelt are among the other tools employed.
- The attackers also documented exploitation of the CVE-2020-1472 (Zerologon) vulnerability using Cobalt Strike.
Source of the leak:
- m1Geelka is the accused leaker, possibly a low-level Conti partner.
- So far it appears that no money changed hands, and that the release was motivated by revenge.
- The partner later clarified that the records were shared to help people better understand Conti, not as retribution.
- Only components already detectable by anti-virus software were exposed; no private code was leaked.
To the security community, Conti’s playbook offers a glimpse into the behaviors of these groups and the technologies they prefer to rely on when conducting their attacks. As a result, security analysts and researchers have an opportunity to put in place the necessary logic to detect and neutralize such risks.
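As an added example of the kind of detection logic the closing paragraph has in mind (this is not code from the original article or from any vendor), the script below scans process-creation events for the Active Directory reconnaissance tooling the playbook names (AdFind, SharpView, Seatbelt, SharpChrome). The log format is a constructed key=value rendering of Sysmon Event ID 1 / Windows 4688 style records, and the AdFind command-line fragments it looks for are illustrative assumptions; it flags both a known tool image name and LDAP enumeration patterns in the command line, so a renamed AdFind binary is still caught by the second signal.

```python
"""Toy detection rule for AD-reconnaissance tooling named in the Conti playbook.

Assumptions (not from the article): the log lines below are a constructed
key=value rendering of process-creation events; the AdFind flags and
LDAP filter fragments are illustrative and should be tuned to a real baseline.
"""
import re

# Executable names of the reconnaissance tools listed in the article,
# matched case-insensitively on the image basename.
RECON_TOOLS = {"adfind.exe", "sharpview.exe", "seatbelt.exe", "sharpchrome.exe"}

# Command-line fragments typical of LDAP enumeration, checked regardless of
# the binary name so a renamed tool still trips the rule (constructed patterns).
LDAP_ENUM_PATTERNS = [
    re.compile(r"objectcategory=(person|computer|group)", re.IGNORECASE),
    re.compile(r"\b(trustdmp|dclist|domainlist)\b", re.IGNORECASE),
]

# Constructed sample events: one benign, three suspicious
# (a plain AdFind run, a renamed AdFind, and Seatbelt).
SAMPLE_EVENTS = [
    'EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe notes.txt"',
    'EventID=1 User=CORP\\bob Image=C:\\Users\\bob\\AppData\\Local\\Temp\\adfind.exe '
    'CommandLine="adfind.exe -f (objectcategory=person) -sl samaccountname"',
    'EventID=1 User=CORP\\bob Image=C:\\Temp\\af.exe '
    'CommandLine="af.exe -sc trustdmp"',
    'EventID=1 User=CORP\\carol Image=C:\\Tools\\Seatbelt.exe '
    'CommandLine="Seatbelt.exe -group=all"',
]

# key=value pairs; values are either double-quoted (may contain spaces)
# or a single non-whitespace token such as a Windows path.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict of field name -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    image = basename(event.get("Image", ""))
    if image in RECON_TOOLS:
        reasons.append(f"known recon tool image: {image}")
    cmd = event.get("CommandLine", "")
    for pattern in LDAP_ENUM_PATTERNS:
        match = pattern.search(cmd)
        if match:
            reasons.append(f"LDAP enumeration pattern: {match.group(0)}")
            break
    return reasons


def scan(lines):
    """Run the rule over raw log lines and collect alerts for matching events."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append({"user": event.get("User"), "image": event.get("Image"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['image']} -> {'; '.join(alert['reasons'])}")
```

In a real deployment the two signals would be weighted differently: an image-name match is cheap but trivially evaded by renaming, while the command-line patterns generate more false positives on administrative hosts and need an allowlist of known admin accounts and jump servers.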