RELATED IOCs, MITIGATION STEPS AND REFERENCE LINKS
Common Vulnerabilities and Exposures: firewall vulnerabilities CVE-2018-13379 and CVE-2018-13374 were used to gain the initial foothold, with Cobalt Strike used from that point on.
IOCs (indicators of compromise), given as hostnames or as address|port pairs
- BazarLoader: 64.227.69.92|443, 161.35.155.92|443, 161.35.147.110|443, 64.227.65.60|443
- Loader download: millscruelg.com, 45.95.11.133|80
- Cobalt Strike: volga.azureedge.net, five.azureedge.net, checkauj.com, 82.117.252.143|443, 82.117.252.143|8
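An added example, not part of the report above, showing how a defender would operationalise this IOC list: the indicators are parsed from the report's own address|port and hostname notation into lookup sets and then matched against proxy/DNS log lines. The log format and the sample log lines are constructed for the demo; the only real values are the indicators copied from the report.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the report above. Network endpoints are written
# "address|port"; bare entries are hostnames.
IOC_SOURCE = {
    "BazarLoader": ["64.227.69.92|443", "161.35.155.92|443",
                    "161.35.147.110|443", "64.227.65.60|443"],
    "Loader download": ["millscruelg.com", "45.95.11.133|80"],
    "Cobalt Strike": ["volga.azureedge.net", "five.azureedge.net", "checkauj.com",
                      "82.117.252.143|443", "82.117.252.143|8"],
}


@dataclass(frozen=True)
class Match:
    family: str      # which IOC group the hit belongs to
    indicator: str   # the indicator that matched
    line: str        # the raw log line


def parse_iocs(source):
    """Split the report's IOC strings into hostname -> family and (ip, port) -> family maps."""
    domains = {}
    endpoints = {}
    for family, items in source.items():
        for item in items:
            if "|" in item:
                host, port = item.split("|", 1)
                ipaddress.ip_address(host)  # raises ValueError on a malformed address
                endpoints[(host, int(port))] = family
            else:
                domains[item.lower()] = family
    return domains, endpoints


# Constructed log format for this demo: "<timestamp> <src> <dst host or ip> <dst port> <action>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>\S+)$")


def scan_logs(lines, domains, endpoints):
    """Return a Match for every log line whose destination hits a listed hostname or ip|port pair."""
    matches = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        dst = m["dst"].lower()
        port = int(m["port"])
        # Hostname hit: exact match or a subdomain of a listed name.
        for dom, family in domains.items():
            if dst == dom or dst.endswith("." + dom):
                matches.append(Match(family, dom, line))
        # Endpoint hit: address and port must both match, because shared
        # hosting and CDN addresses also carry legitimate traffic.
        key = (dst, port)
        if key in endpoints:
            matches.append(Match(endpoints[key], f"{dst}|{port}", line))
    return matches


# Constructed sample log lines (not from any real environment).
SAMPLE_LOGS = [
    "2021-11-29T10:01:02Z 10.0.0.5 update.microsoft.com 443 ALLOW",
    "2021-11-29T10:02:10Z 10.0.0.5 millscruelg.com 80 ALLOW",
    "2021-11-29T10:02:11Z 10.0.0.5 45.95.11.133 80 ALLOW",
    "2021-11-29T10:05:40Z 10.0.0.7 64.227.69.92 443 ALLOW",
    "2021-11-29T10:05:41Z 10.0.0.7 64.227.69.92 8080 ALLOW",  # listed address, unlisted port: no hit
    "2021-11-29T10:07:00Z 10.0.0.9 cdn.volga.azureedge.net 443 ALLOW",
    "malformed line",
]

if __name__ == "__main__":
    doms, eps = parse_iocs(IOC_SOURCE)
    for hit in scan_logs(SAMPLE_LOGS, doms, eps):
        print(f"[{hit.family}] {hit.indicator}: {hit.line}")
```

Two design points worth noting. The azureedge.net names are a shared CDN namespace and the IP addresses are cloud-hosted, so these indicators age quickly and can collide with legitimate traffic; matching on the full address|port pair rather than the bare address, and treating hits as triage leads rather than verdicts, keeps the false-positive rate manageable.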
Mitigation steps
- Ensure multi-factor authentication (MFA) is enabled across the organization.
- Ensure network segmentation via the usage of demilitarized zones (DMZs) and network traffic management controls are in...
- Ensure assets and software are routinely patched and updated.
- Use application allowlisting, preventing employees from installing illegitimate applications or unauthorized software.
- Implement endpoint detection and response (EDR) tools. EDR tools such as ReaQta-Hive provide visibility into the security status of endpoints and help proactively secure organisations against malicious cyber actors.
- Control access to resources over the network, e.g. by restricting RDP.
References
- https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide
- https://blog.cyble.com/2021/07/14/ransomware-threat-report-quarter-two-2021/
- https://heimdalsecurity.com/blog/what-is-conti-ransomware/
- https://www.provendatarecovery.com/conti-ransomware-recovery/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/