Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Conti Leak Indicators – What to block, in your SOC….

Security expert provided leak indicators for Conti ransomware operations that were recently disclosed by a disgruntled affiliate. An affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators. The Conti Ransomware operators offer their services to their […]

Reynolds ransomware uses BYOVD to disable security before encryption ransomware

Security expert provided leak indicators for Conti ransomware operations that were recently disclosed by a disgruntled affiliate.

An affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators.

The Conti Ransomware operators offer their services to their affiliates and maintain 20-30% of each ransom payment.

The angry affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.

Threat intelligence expert Niels Groeneveld provided leak Conti ransomware operations

Individual IP addresses used by Conti, according to the leaked documentation:

  • 162.244.80.235
  • 85.93.88.165
  • 185.141.63.120
  • 82.118.21.1

Probably the threat actors will already have changed these individual indicators; to threaten them as individual IOC’s might be 100% pointless. However, the threat actors might continue, to use the same infrastructure.

162.244.80.0/22 – Data Room

85.93.80.0/20 – Heg Mass

185.141.61.0/24 – RedCluster LTD

185.141.62.0/23 – RedCluster LTD

82.118.20.0/22 – GreenFloid NOC

For most organizations, the chance of false positives, when blocking these subnets, will be very low to non-existent. If you are in doubt, check the subnets on https://bgp.he.net and look at known DNS entries to get an idea.

If you want to extend your blocking further, look at the BGP AS associated to these subnets; and subsequently, check the prefixes listed for associated subnets.

Data Room https://bgp.he.net/AS19624#_prefixes

PlusServer https://bgp.he.net/AS61157#_prefixes

BelCloud https://bgp.he.net/AS44901#_prefixes

ITL Bulgaria https://bgp.he.net/AS204957#_prefixes

Blocking individual IP addresses does not make much sense when fighting against professional ransomware or APT actors. Looking at their infrastructures, other story?

About the author Niels Groeneveld

A threat researcher of the Digital Protection Unit, at Tesorion Cybersecurity Solutions, he worked for RedSocks/Bitdefender as senior threat intelligence analyst from 2014-2020, analyzing malicious malware infrastructure, used by ransomware groups, APT groups and other threat actors.’

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]