The cyber criminals didn't have summer vacations. In August, hacker groups launched attacks against several organizations. Conti operators were more proactive in hacking into the systems of SAC Wireless, a subsidiary of Nokia in the United States. They were able to upload the stolen information to their cloud server and encrypt files in compromised systems.


The FBI connected Conti to more than 400 cyberattacks against organizations demanding ransoms of up to $ 25 million.

Conti performs its ransomware operation as ransomware as a service(RaaS).The core team manages Conti malware and TOR sites, and Conti affiliates hack networks and encrypt devices. Profits are divided into 30% (for the core team) and 70% (for the affiliate). When Conti doesn't execute its part of the deal, the disgruntled affiliate even. The leak included Conti IP addresses for Cobalt Strike C2 servers and a 113 MB archive that contained hacking tools, manuals written in Russian (to use Cobalt Strike, mimikatz to reset NTLM hashes, and text files with various commands), training materials and reference documents for affiliates to perform Contiransomware attacks.


In August, more and more cyberattacks targeted Active Directory. For example, LockFile cyber criminals gained access to Active Directory by exploiting the Exchange Server ProxyShell and PetitPotam vulnerabilities to reset malware.

  • First, the attackers compromised the Exchange servers using the ProxyShellattack vector.
  • They then installed a set of tools, including an exploit forCVE-2021-36942 (also known as PetitPotam, an NTLM relay attack error that can be used by a low-privileged attacker to hijack a domain controller).
  • In addition, they have installed active_desktop_launcher.exe to download a malicious file active_desktop_render.dll.
  • After downloading and decrypting this file, a shell code was executed from the file to activate the efspotato file.exe for using PetitPotam.
  • Once the attackers gained access to the local domain controller, they copied the LockFileransomware, as well as the batch file and auxiliary executable files, to the domain controller.


In the field of ransomware, we have seen an increase in the number of HiveNightmare attacks. HiveNightmare, a.g.CVE-2021-36934,is a NTFS-centric access control list (ACL) defect that affects Windows 10 build 1809-21H1 and allows unprivileged users to execute arbitrary code, read sensitive data, and retrieve registry hive data (including hashed passwords), which in turn can be used to further elevate privileges.


And we would like to end this monthly review on a positive note. In June of this year, a gang of ransomware developers REvil carried out a massive attack on 60 managed service providers and 1500 enterprises around the world, which was one of the largest ransomware attacks in history. To gain access, the groups used a zero-day vulnerability in the remote management application Kaseya VSA. REvil demanded a ransom of $70 million from the victims to get a universal decoder to restore access to compromised files. For unknown reasons, the REvil ransomware group suddenly disappeared, and its payment sites and TOR infrastructure were blocked, leaving victims without the opportunity to get a decryptor.
It seems that before their disappearance, the participants in the threat handed over the decoder to Russian intelligence, which as a gesture of goodwill shared it with US law enforcement agencies. As a result, Kaseya received the decryption key from an unnamed "trusted third party" and quickly distributed it to its affected customers. In early August, the decryptor got to one of the hacker forums.

Have a safe day!