Insider threats have always been a severe concern for organizations across the globe. Malicious actions by rogue employees put critical corporate data at risk. Surprisingly, a recent event has shown that even cybercriminal groups suffer from insider threats. According to a report from Naked Security, an anonymous hacker belonging to the infamous Conti ransomware group has leaked the group’s files on a darknet forum.
The files reportedly belong to the Russian-speaking ransomware group Conti. The threat actor who leaked the data has been an active affiliate of the group. He claimed that “the boys are fed up” with how the extortion money is divided. The exposed information included instruction manuals and guidelines, written in Russian, on identifying victims to attack using Cobalt Strike. The leaked files instruct members on using Google to search for potential targets. Members are further required to find employee accounts with administrative privileges and leverage this data to install ransomware that encrypts the victims’ network systems.
Files exposed in the breach contained advice on various topics, including:
- Dumping password hashes
- Turning a defender off, manually
- Installing and using Metasploit
- Scanning networks for backup devices
- Opening backdoors into a compromised network
- Using popular exploits
- Elevating privilege
- Listing users
Weaponizing Cobalt Strike
Cobalt Strike is threat simulation software used by security experts and penetration testers to identify the potential risk of a data breach or cyberattack. Several security experts have stated that threat actors also leverage the Cobalt Strike tool for cybercriminal activities.
“Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families. Access to this powerful and highly flexible tool has been limited by the product’s developers, but leaked versions have long spread across the internet. Additionally, there are tons of tutorials, education videos, and other public documents that can help newcomers understand how to effectively use it, lowering the bar for entry in the cybercrime world,” a report from Intel 471 stated.