Discover and read the best of Twitter Threads about #ContiLeaks

Most recent (6)

What is happening in Costa Rica because of #ContiLeaks is something that was to be expected. A country that does not invest in technology in the year 2022, a country that has no integrated systems and instead has pieces scattered everywhere, where most employees are not capable
Or are not allowed to be, where we lag behind in adopting best practices and where everything is "pura vida" and nothing ever happens here. This is common not only in government but in national business. I hope that with this they learn and understand that they must invest in technology and
And in their employees. Many things can be done, and they could start by evaluating all their employees, so that the best ones are in a single building developing a real tool for the government. #CostaRica @micittcr @presidenciacr
Thread on #APT groups, #hacktivists and #Ransomware gangs with their 'likely' associations (as per TTPs and reports) that are playing a significant role in the impending #Ukraine #Russian conflict. Correct me if I am wrong or missing anyone. 1/
Firstly, on the Russian 🇷🇺 side there are #GhostWriter (#Belarus Govt-backed), #CozyBear (Russian Foreign Intel aka #SVR), #UNC1151 (Minsk-based), #FancyBears & #SandWorm (Russian Military Intel aka #GRU), #Turla and #Gamaredon (Russian Internal Intel #FSB, former KGB) 2/
1/4 The combination of sanctions and the Western business exodus from Russia may soon result in an uptick of cyber attacks from the country even if the conflict in Ukraine de-escalates. Among many other things, the recent leak of internal chat logs and sensitive data tied to the Russian
2/4 cybercrime group Conti illustrates that Russian ransomware groups are seeking "employees" on local job-hunting websites. The current pace of the Western business exodus, including technology companies,
3/4 will leave many IT talents in Russia without a legitimate income. Also, the growing isolation of the Russian economy might in the worst case lead to the North Korean scenario and we can see
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activity with the #Conti group:

1/x
The IPs in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x
Using @MaltegoHQ together with OTX/AlienVault and
@virustotal integration, we are able to connect several of these IPs to #Trickbot activity:

3/x
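As an added example (not code from the thread, from the Conti leak, or from any Conti tooling), the script below shows the first step of the pivot the thread describes: pulling IP:Username:pass records out of leaked chat text, refanging and validating the addresses, grouping them by /24 to spot sibling hosts, and defanging them again for hand-off to OTX/VirusTotal/Maltego. The chat lines are constructed for the example; the ten addresses are the ones listed above, and every username and password is an invented placeholder, not a leaked value. The actual enrichment lookups are left to the tools named in the thread.

```python
"""Extract IP:user:password records from leaked chat text and prepare the
IPs for enrichment. Added example; the chat lines below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in the "IP:Username:pass" shape the thread describes.
# The ten addresses are the ones listed in the thread; every username and
# password is a placeholder invented for this example, not a leaked value.
SAMPLE_CHAT_LINES = """\
[2021-07-02 13:05] user1: new servers, creds below
117.252.69[.]134:root:Placeholder1!
117.252.68.15:admin:Placeholder2!
116.206.153[.]212:root:Placeholder3!
103.78.13[.]150:root:Placeholder4!
103.47.170[.]131:root:Placeholder5!
103.47.170[.]130:user:Placeholder6!
118.91.190[.]42:root:Placeholder7!
117.197.41[.]36:root:Placeholder8!
117.222.63[.]77:root:Placeholder9!
117.252.69[.]210:root:Placeholder10!
117.252.69[.]134:root:Placeholder1!
999.1.1.1:bogus:NotAnAddress
"""

# Matches "<ip>:<user>:<password>" on a line of its own; the password keeps any
# colons because the last group is greedy over non-whitespace.
CRED_LINE = re.compile(r"^([^:\s]+):([^:\s]+):(\S+)$")


def refang(ioc: str) -> str:
    """Undo common defanging ([.], (.), {.}) so the value can be validated."""
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", ioc.strip())


def defang(ip: str) -> str:
    """Defang an address for reports so it is not accidentally clickable."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def parse_cred_lines(text: str) -> list[dict]:
    """Return unique, validated {ip, user, password} records in file order."""
    records, seen = [], set()
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if not m:
            continue
        raw_ip, user, password = m.groups()
        try:
            ip = str(ipaddress.ip_address(refang(raw_ip)))
        except ValueError:
            continue  # not an address (e.g. an octet > 255); skip it
        if (ip, user) in seen:
            continue  # leaks repeat entries; keep the first occurrence
        seen.add((ip, user))
        records.append({"ip": ip, "user": user, "password": password})
    return records


def group_by_prefix(ips: list[str], prefixlen: int = 24) -> dict[str, list[str]]:
    """Bucket addresses by /prefixlen. Neighbours in one block are a pivot
    hint (same hosting allotment), not proof of a shared operator."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(v, key=ipaddress.ip_address) for net, v in groups.items()}


def enrichment_queue(records: list[dict]) -> list[str]:
    """Defanged, de-duplicated IP list ready to paste into OTX/VirusTotal/Maltego."""
    return [defang(ip) for ip in dict.fromkeys(r["ip"] for r in records)]


if __name__ == "__main__":
    recs = parse_cred_lines(SAMPLE_CHAT_LINES)
    for rec in recs:
        print(f"{defang(rec['ip']):<22} user={rec['user']}")
    for net, members in group_by_prefix([r["ip"] for r in recs]).items():
        if len(members) > 1:
            print(f"{net}: {len(members)} hosts -> {members}")
    print("enrichment queue:", enrichment_queue(recs))
```

The /24 grouping surfaces the two sibling pairs in the list (117.252.69.x and 103.47.170.x); treat that as a reason to look harder at those blocks in OTX or VirusTotal, not as attribution on its own. Passwords are retained in the records only so they can be cross-referenced against other leaked messages; strip them before sharing the IOC list.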
Another #ContiLeaks 🧵 This one should be smaller 😂 In the RocketChat logs, a channel "manuals_team_c" contained 16 procedures from reconnaissance to exfiltration. I translated them (with the help of @sys6x); here they are: github.com/Res260/conti_2…
INITIAL ACTIONS
This one details the general ideas and the steps most cases will require: reconnaissance using AD, share enumeration, privesc, credential dumping using known techniques, etc. I found it interesting that they inject a TLS listener. I wonder if it yields good results.
USEFUL COMMANDS
This one details how to take control of a host, presumably from the Trickbot/Bazar botnet console, and a lot of frequent commands. Those are small commands, but we'll see that they have some longer commands as well. It also mentions the need to find the NAS to delete backups.
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from 26 Feb to 28 Feb were released. They included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as "trump"). "Pumba" ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue and tracking of work to be done. #ContiLeaks
