
Processing Conti Leaks thru Carver Analysis

BSides Charlotte · 2023 · 51:01 · 69 views · Published 2023-09 · Watch on YouTube ↗
About this talk
Will Baggett, a former intelligence officer and cyber threat analyst, applies the CARVER vulnerability assessment model to analyze the 2022 Conti ransomware group's leaked inner communications. The talk demonstrates how this World War II-era military methodology can rapidly evaluate enterprise risk from real-world breach data, covering insider threats, credential exposure, malware source code, and CVE vulnerabilities. Baggett shares lessons learned processing Conti, Clop/MoveIT, and MGM breach datasets to enhance organizational defenses.
Original YouTube description
In 2022, the Conti ransomware group's inner chat room discussions were leaked by a dissenting member of the group due to the Russian invasion of Ukraine. As a former intelligence officer of 20 years, I applied the CARVER vulnerability assessment model to the leaked data to rapidly assess the potential risk posed to my large financial firm's enterprise model. This talk will share the methodology applied and the steps taken to maximize the intelligence value of this rare event. While preparing for the upcoming talk at BSides Charlotte, my team used this methodology to process the Clop/MoveIT and MGM data breaches.
Transcript [en]

All right, hello everyone. This is Will Baggett. We're going to discuss the compromised Conti chats and the methodology used to process those as a cyber threat intelligence analyst. Thank you for tuning in to BSides Charlotte; it's greatly appreciated. It's a fantastic local hacker convention they put on in Charlotte, and it's an honor to be part of it. So, I'm Will Baggett, Certified Combat Collection Engineer (that's an older certification I got when I was teaching NATO Special Forces), Certified Fraud Examiner, other certs too, but for this course, this class, it's relevant. A very short career path, so you know the filter that I'm coming through for the approach for this talk: I was in financial tech, I worked for

SunTrust pre-wik UK. From there we got recruited; I went to the intelligence community, did a lot of stuff and things in the cyber world, human collection. From that I decided to resign and stay in the Charlotte area instead of moving back to DC. I worked for a couple of years in Belgium as a NATO Special Forces cyber instructor teaching drone forensics, phone forensics, desktop OSINT training. The drone forensics is a lot of fun, a good way to get in trouble. A thing called COVID hit; I ended up getting a job as an insider threat consultant to a large pharmaceutical firm during COVID. After that ended I went to a cyber threat intelligence role,

where I am now. It's a fantastic company, but we're not going to mention their name because I'd have to get company concurrence, legal would have to approve the conversation, and that just takes things way too long, so we won't mention who I'm working for. This talk is going to cover four main topics: the Conti ransomware group; the Russian-Ukrainian cyber warfare efforts that have been ongoing since '14; what is insider threat, what does that mean, because it's such a compartmented, stovepiped, esoteric, Byzantine (there's some three-dollar words for you) discipline, a part of cyber some people may or may not know what it does, so we'll touch on that; and the last, the

core of the presentation, is the CARVER analysis method and how that applied to what was leaked out. So for the audience, because this is a 15-minute talk, 40 minutes-ish with time for questions in real-person time, real space: the red slides in the background are where we would have stopped if we had a week and pivoted to an open exercise. I leave that there just as a thought, if you want to play after the talk, or pause and go try whatever I'm suggesting. The yellow slides are things that were found from the leak that happened months or years after the leak, well, a year and a half after the leak. That way you can

differentiate what the slides mean. Ransomware: if you've been watching the news, and if this is the talk back in Vegas, definitely it's a topic of concern. Ransomware, and the variant of wiperware: a gang of criminals, usually, sometimes funded by nation states, will send malware, find an exploited vulnerability, do reconnaissance, exfiltrate key data, and then once they have the key data they have a team of experts, of consultants, that will go through and determine how big the payout can be from a company. Once that's executed they'll have a name-and-shame to try and gauge how deep we want to go for this: a name-and-shame for "Caesars has been breached, here's some of the

data, they refuse to pay the ransom to get their data back, so we're going to start publicly embarrassing." A variant that came out of the Russia-Ukraine effort has been wiperware: same thing, but instead of holding the data hostage for money they'll just completely wipe the data. From a pure academic point of view it's better than kinetic strikes, loss of life, or ransomware where the data could be gone. The data's gone, the hardware is recoverable, no one's generally dead, unless you hit the power supply, water supply, food supply, but generally it's a less destructive method of cyber warfare. So Conti is a Russian-based ransomware group that came out in mid-2020: data extraction, the name-and-shame, just like

Alpha, just like the other big ransomware groups, Clop using MOVEit. And it came out later, not to get ahead of myself, but this is a fundraising element of the Russian government: they'll take the ransom, millions of dollars, and send it back to the Russian government to use in the Russian illegal invasion of Ukraine. So in 2021 Conti far outperformed the rest of the ransomware groups, not completely combined, but very close: 180 million dollars per year in revenue. They'll attack usually the same method, excuse me: they'll either send a phishing link, spray the passwords, or use a CVE that's not been patched to gain access. Once they have access to the data they'll exfiltrate it to their command

site and then they'll send the ransom email. You know, we can even step through here. Also, don't connect to these C2 sites from your corporate laptop. That gives the imprint to the ransomware operator that you have an interest in them; that puts you on the radar; that gives nights, weekends, overtime hours. That's a paperwork-generating event; we don't want those in cyber. So to tie all this together: May 2021, Colonial Pipeline, and those of us here on the East Coast were definitely impacted by that. Colonial Pipeline had, not to editorialize as the first talk for the conference, and we don't need Will editorializing this early in the morning, Colonial Pipeline had quite a few cyber

vacancies open, unfulfilled. They weren't taking the cyber security role for this infrastructure quite as seriously as they should, and DarkSide sent a phishing email to one of the administrators at Colonial Pipeline that locked up the billing system, and then we had gasoline shortages on the East Coast for at least a solid week if not longer, and disrupted the East Coast economy, just from one ransomware attack. So that's where cyber security began to pivot a little bit more to paying attention to what ransomware was doing; we're now more in tune with it, seeing the damage that can be done. Transitioning from that to the Russia-Ukraine cyber warfare effort, a couple of things to get in here:

there's a lot of new techniques that have happened. The one we were talking about in NATO, it's sort of a wall of text, but it was a brilliant combined effort. When Ukrainian troops land near the Russian border, activate their phones (you bring your personal phone to battle, right), the Ukrainian soldiers would get a text saying "you are surrounded, you're abandoned, you're going to die on the battlefield." Concurrently, the soldiers' families get a text message saying "your son has been killed in action." The parents then call or text the family member in the war zone, which is doing quite a few things: it's triangulating their location, it's validating their OSINT, it's generating telemetry for SIGINT collection. So this is a fairly

complex effort by Russia to demoralize the Ukrainian troops, and if they can find your cell phone on the network, they can easily locate them with mortar shells, artillery, which is pretty devastating in combat. So this is something we were training the NATO coalition troops: when you go into combat you don't need to have your electronic devices with you. Because it's everything from U.S. Special Forces down to, one of my students was a cherry farmer in one of the former Soviet states, doesn't understand cyber, truly outstanding sniper, which is what you need on the battlefield, but he needs to understand the bumps on camera: you can't bring these things with you because it is going to give away your

location. Ukraine also had some fantastic psychological operations during the conflict. They released a list of all the Russian spies they claimed were operating in Europe: names, addresses, SIM card numbers, MZs, a list of all the foreign service workers for the Russian Federation. Whether or not all 620 were truly Russian intelligence operatives doesn't matter, because now they have the label of being one. So even though they may have had the most benign job working for the embassy, gathering contacts for grain export, I don't know, but now that they've been tainted as being a possible Russian foreign service worker, I can't talk today, possible Russian spy, they've now been isolated and their ability to operate in Europe has been

severely degraded. If we were in the classroom we'd pivot over to Bellingcat and we'd look at some of the work Bellingcat has done, where they can take the Russians as they change identities, go overseas, conduct assassination operations, like the famous one where two operatives claimed they went to London, or went to Britain, to look at a mosque or look at a church and then flew home the day after the Russian dissident was murdered. Bellingcat has gone through, sifted the OSINT details, and been able to identify each FSB officer. So this would be something we would stop and spend 30, 45 minutes on, to determine what you can find as a new student of

OSINT on the Russian intelligence operations. Of course the intelligence services react to this, and in Cyrillic our friend is saying "I'm telling you right now that Russian foreign service officer is not real." So that's a pretty good psychological trick. Another one NATO talked about: both sides, Russians and NATO allies, both created fake Tinder profiles to catfish and elicit information from each side. Again, you're in Warsaw looking for love on Tinder, it's probably a bad idea, but here we are. So Russia invades Ukraine, February 2022. The cyber threat intelligence team where I am, we were directed to monitor for new threats from the Russian invasion, because they promised to take down the U.S. economy for anyone who

assists the resistance to Russia. So we mentioned the Colonial Pipeline exploit; that was still fresh in our minds. Less than a year later Russia invades Ukraine, Conti puts out a statement saying "we thoroughly support Russia; if anyone attacks Russia we'll use our resources to go against you." That goes up as a spot report, goes up to leadership. Two hours later Conti says "well, maybe not, we're not taking sides"; they're trying to backpedal. I don't need to read the wall of text to you. Something happened where they're trying to backpedal and dissemble from being closely tied to Russia. Most of us on the team found that a little bit odd; most of the threat intelligence

community and cyber community, as well as the intelligence community, gave a thumbs up to that. We said, who was Conti? Because that was the moment where Conti, as they would say back in the '70s, jumped the shark. Things go south. The first emails start going out that Conti is leaking all the data. There's a very specific file name, hyphen x v, was it, geez, I can't see today, "xzvf 1.tgz": that's a very special file name that wouldn't be hard to find at all. Splunk it on your network. They said "we're going to delete everything internally," so he's got recurring access, things have been staged, and this starts to grow just like any other viral event on the internet.

Headlines start coming out. The security researcher, we can't say that he is part of the, the sole Ukrainian working for Conti, he leaked 60,000 messages belonging to the ransomware gang; he released everything. So the first thing that goes up, and again the red student exercise: we can see by the date joined, February 2022, this wasn't something he had ready to leak. This is a spur-of-the-moment decision. There's one Russian ransomware that hit a mortgage provider that never really made the U.S. news, but the leak came from an account dedicated to discussion of this months before the actual ransomware hit. So right here, realizing we're not live and I can't

point, you can't see me: who are they following, who are their followers, who's retweeting this, who's quoting? If I was a foreign service adversary I would say this is of interest: who's looking at this? Journalists, intelligence analysts, sock puppets for more seasoned threat intelligence analysts who are not using their true name and not using their true location, they're using a VPN. There's a lot of intelligence you can gather from this in and of itself. Also, you don't have to go in and follow them; you can just remember twitter.com/contileaks and not burn yourself, because your corporate Twitter account is now following the Conti leaks and you have interest in this. So again, if this is a class we'd

probably take 30 minutes to discuss this, go through, do some analysis. There are some where you can see the Facebook links of official army units and see all the people who like and thumbs-up or whatever (I'm not on Facebook), everyone who's congratulating the colonel on his recent award. Okay, now we can go through and see everyone who's interested in this one action. Same thing here: why are you following this? And then we're going to talk about Conti, but getting to the data takes a little bit of operational security. What I would do is go to teamfolique.com, twitterinfolique.com, and then I would plug in Conti leaks and my email address and I'd get a free report to my email.

I've been using this site for a few years; it's not spammy. I get names, GPS, I'd get a report, I can see what's coming in from this account. This may or may not work still. Another opsec exercise we would do, to say, you know, for the damage, for things that can be leaked: I would have the students go open Twitter and just do a simple search for "my new debit card," and this blossomed out from a 20-minute exercise to a four-hour exercise, because of just the things people find. You wouldn't believe it; whether they were in cyber, or getting started, or experienced, it doesn't matter, but this is still mind-numbing, just

you have to shut the lid and worry about the state of humanity, that people are still advertising and sharing their new debit cards, their new passport, their new airplane tickets. So you can see that, yeah, leaks happen. Not only do they happen, they happen at a very personal level, they happen at a nation-state level, but it's out there. Getting back into this, I like to give the idea of not just a talk but here's something you can work with to help learn the concept a little bit more. The leaker went through and separated these out, this is great; they're all in Cyrillic, and you can see when the leaks are starting to come out someone translates into English.

Now things truly take off: 393 messages, 60,694 total, everything. And I mean everything: source code, plans, intents, software quality assurance testing, onboarding, daily chit-chat that we see in Teams, not the, was it the 38 terabytes of Teams AI data that was leaked from Microsoft, oops, this is dedicated just to Conti only. So the yellow background is current stuff: right before I gave this presentation at BSides Las Vegas they found, a year and three months later, that yes, there is a connection between Conti leaders and Russian government contacts. This is a nation-state operated endeavor from the Russian intelligence service. This is something that wasn't determined until months after analysis, so you've got

your triage, and that's where we're going to get to: the triage of the immediate impact to my company versus the deep CIA, DIA, NSA, FBI-ish level of analysis. So we've seen what the insider threat can do, we've seen what the one actor did. What is an insider threat? Usually when we're dealing with a data breach we're discussing an external actor who's discovered a misconfigured S3 bucket on Amazon, the SolarWinds massive breach like we dealt with in 2021, the more recent MGM and Caesars breach brought on by ransomware. But it's usually there's a hole in the dam and water is pouring through, as opposed to someone working in the dam who actually opens the lever to let water

out, whether it's Edward Snowden with his NSA leaks, Robert Hanssen disclosing the key data of very protected identities of people working against the Russians inside Russia, or Nebula betraying the Avengers team because they had 2014 Nebula with the 2023 Avengers team for the Battle of New York. People use science fiction and adventure movies because we have so many NDAs that we have things that happen we can't discuss; we can go to the commonalities of science fiction movies, that's why people do this. It only takes one unexpected action to breach your organization. No one's expecting this; no one thought the one Ukrainian researcher on the team would leak this out. No one thought, I'm pointing at the screen like y'all can

see me, no one thought the one shield ring over Scarif would be the weak point. Even though it is very strongly shielding physical incursion, it's shielding transmissions out, if you physically damage it with another spaceship, just like we saw here with a Hammerhead corvette, and take out that literal firewall, then the data is going to be able to escape. Just like Clop with MOVEit: we're still logging hundreds of breached organizations from this combination. So, the traditional motivations for espionage. I don't know if it was a CIA training class or a Tom Clancy novel where it came from; Tom Clancy novels were so close to accuracy that we began using a lot of his writings for training, so I'm not

sure if it's a chicken-and-egg thing, but the ideology is MICE: money, ideology, conscience or compromise, ego or excitement. So we definitely have ideology: this leaker's country has been invaded by Russia. We have conscience, and then we have probably more, I don't know if it's the ego or excitement: he said I can stand up, I can do something about this. Getting into the deeper motivations for espionage, RASCLS: reciprocity, authority, scarcity, commitment, liking, social proof. Those are more in-depth behavioral analysis of an asset, rather than just ascribing motivation to one internal leaker. However, these are also the very same effective elements of phishing emails, which is what we just had that took down MGM and Caesars Palace, where some of the slot

machines are showing BIOS screens and they're doing paper receipts right now, at the time of this talk. So this insider threat, it was a one-time event, because after he's leaked everything out he's not coming back, he's not reapplying to rejoin Conti, he's lost his access. He should have been offboarded at this point. Directly attributable to one individual, and the damage is unquantifiable: they are no longer a threat. They've tried to resurface and use the same C2, but it's not there, it's not happening. The data was compartmentalized by Conti, but not effectively. You had people who thought that Conti was operating as a pen testing firm; they thought they were like a

Bishop Fox or a Mandiant instead of a ransomware group. But the data was showing they were organized; they were showing the exact things that we look for as insider threat analysts: they're staging the data, they're looking for exfiltration, they're conducting reconnaissance, they're harvesting the data. So this would be another discussion for insider threat, not the venue, but to get the idea going: how would you detect this behavior? Would it be a leadership issue, would it be sensors through EDR software, would it be a Splunk dashboard, how would you do this? Does he have a personal Conti laptop for this data? If you're harvesting 100 million dollars, 180 per year, for a small team

you should probably have your own laptops. So how is this individual leaking the data out? Did he copy the data and email it from a secondary site, i.e., did he use USBs to get the data, just like UNC was 58 out of China, and now North Korea is using USBs (this just broke right before my talk)? So how are they getting the data? These are the things I would look at a little bit after the fact, but how is he getting the data, how can we change this in our organization so we don't have massive breaches again, if we can survive this leak. So pivoting back to the CTI chair, giving this talk exactly from where I

processed the first leak: we have raw intelligence from a source with alleged first-hand access. Is this propaganda? Usually when you have a battlefield data find, talking about drone forensics, if a drone crashes on the compound of whatever site, here in Charlotte we'll go with the two nuclear sites that Duke Energy has on Lake Wylie: if a drone crashes here, the Catawba River site, it's going to be a small incident. Probably security is going to get involved. You know, I don't work for Duke. Why is the drone here? Was it just someone who landed their DJI because they lost signal? Is it an active red team exercise, or is it a hostile actor trying to get

in? But it's a small team that's handling this, so we would process the two SD cards: the SD card from the drone that has the video, the audio, not the audio, excuse me, the video and the pictures of where this drone has been, because the first time people send a drone up they spin it around and they usually look at themselves as the first photo. So we can get a lot of contact solutions to who owns a drone, because that second SD chip underneath the motherboard, people don't think to wipe that. But it's tightly held; it's only a small team processing this, it's not put online for everyone to see. So the mass days, I can't talk today, the

mass distribution of data from this conflict: now they've uploaded it, all the intelligence analysts have access to this raw data from the Russia-Ukraine war. Here in South Carolina I'm processing this data, the same data that could be in a war zone, but now I've got it right here, released the same. It's a different paradigm we're dealing with. So the key thing is: all the data is out there from the ransomware operator. What do we need to know? How do we handle this? Because most people haven't been in war zones or processed this; they've been through SANS training or cyber security classes. It's a different ball game. Going back to the "who was Conti" slide, there you see the NATO

fellow bonking the invaders. Conti's pretty much dead after this leak. The methodology we used, CARVER, was developed in World War II by the OSS, precursor to the CIA, for the indigenous resistance, the French, to be able to rapidly analyze the key components of the German war effort: this one train track leaving this one facility that produces ball bearings, if we take this out then they can't produce ball bearings, they can't produce ammunition, and you see the supply chain crumble because this one key intersection on a rail line was destroyed. There's a mathematical formula; it's not software. The CARVER site now will give you software you can download, you can pay for it, of course you can get

certified, and it's just like anything with cyber: you can plug in the values to identify it. But of course in World War II you didn't have computers, you didn't have software to download, you couldn't like and subscribe. It was a very simple methodology that was taught so that people could see here's what we need to reinforce, or here's where we can attack most effectively. So to read the slide to you: criticality, accessibility, recoverability, vulnerability, effect and recognizability. These are key components, and I thought, preparing for this: the insider threat knows the key weakness of a system. At the bank I worked at, oh well, SunTrust, I said that earlier, on the new teller system, it's now 25

years ago, it's not sensitive, geez, 25 years: if you clicked this box and processed a payment and clicked this box too, it would go into an endless loop cycle and it would crash the entire banking network. We taught people in training: don't do these two combined, because you'll take the system down until the software is rewritten. Excuse me, only because I'm being recorded. Well, you've seen the meme that says, you know, the entire banking system rests on that one Windows Office 95 file running Excel. What's that one spreadsheet that can control everything for your company? For most situations, grading by criticality and effect is enough: what's the most important, and what's going to be the biggest bang for the buck?

So employing the CARVER matrix we can more easily identify the vulnerable targets (I need to change that slide, I'm sorry): I want to see the highest risk the most, and it may not be what you think it's going to be. So here's the actual spreadsheet; this is from the CARVER website. Five is the most important, one is least. So the lowest value you could have, one times six, would be a six. So if we sum it up, ones all the way across versus fives: thirty would be the most important, whereas a six would be the least important. So talking through the criticality of Conti, I'm not going to discuss the full chart here, that'd be filler, right?

The most important thing, their crown jewels, is their source code. How can we mitigate this? What are their IOCs, what are their TTPs? Their infrastructure, to rebuild that, it can be done, but it's going to be some effort. The source code though, the actual ransomware source code, that's again the crown jewels; if they lose that they're going to have to rebuild everything. And the other twin to that are the core designers. You have staff: the people running the ransomware, the people doing recon, the people who think they're part of just a red team; they can be replaced, they can get new people. I'll say that as today Citibank in Charlotte is announcing

reorgs and layoffs, so that's not a good thing to bring up. Credentials, I don't want to say a dime a dozen, it's more like a dollar per cred maybe, but you can always get more creds on the dark market; if creds don't work there's always phishing. But if Conti were to lose their crown jewels, we can see there's a score of 27; it's the most important thing they have. Core designers, going through vulnerability: we don't really think the core designers of the Conti ransomware package are going to flip and betray their own company, so we can see that was the delta between making the core designers the most vulnerable, the most important part of Conti, versus

credentials. We need to protect credentials, but if you lose the person who understands what to do once you're in the door with those leaked creds, there's no ransomware gang going through the company. Where I am, the crown jewels are the PII. If we were to lose our core business function, a lot of the U.S. economy would not do well. We recognize that; that's why we've got that the most protected. For recoverability, if we were to lose the crown jewels for what we do, that would disable, again, a lot of the economy. Credentials, yes, those can be detected, those can be reset, those can be changed once we know the leak is there. But down here, our reputation: if we

no longer have the U.S. economy's faith that we can process what we do, like the Federal Reserve, we're gone. People are going to find an alternate method of doing what we do; our company is going to go out of business, with trillions of dollars of impact to the economy. The staff isn't so much vulnerable; it's our reputation and the loss of that core business methodology. So now that we know what my company's most vulnerable part is, we can pivot and invest in securing those. What's the one question from CISSP courses, the one takeaway? You don't spend a hundred dollars on a fence to protect a ten-dollar cow. It's the same thing here:

if we lose our reputation at this company (I see their logo all the way around me here), then we're out of business, that's it. So the next slide, if you want to get ready and get a screenshot: there's a blank Conti template. In the actual class, in the actual course this morning at BSides Las Vegas, I need more coffee, of course it's BSides Charlotte, we would step through and pick a company at random, and we discussed the pros, cons, strengths and weaknesses for the different steps and actually stepped through the scoring on this. Excuse me. So Conti defines their crown jewels as the network file shares, other data that other companies had that can be

exfiltrated: the email address list, contact information for phishing, their databases, what they have of interest, obviously the source code, the accounting information for their consultants to see what money they have, what insurance policy they have for ransom, what's the maximum we can reasonably get paid from this organization. Design documents: is there another segment of the network we're unaware of? That's a big thing, because as we've seen, not casting blame, but with the Caesars Palace and MGM breaches it doesn't appear the networks are segmented, so the elevators and the slot machines shouldn't both go down at the same time, but here we are. I'm not putting a lot of screenshots out there from the leak; one of them, you

can see they go through for the financial records of a named company, and you can see what they're going for: the balance sheets, to see what assets are truly held. So pivoting from that, how does the U.S. community define intelligence? We had an acronym, FINCA. It's not classified, obviously, it's just used here: it's foreign, of interest, it's new information (it's not historical), clandestinely acquired, and it's authoritative. So you have that fine line of, yeah, it's OSINT, they didn't mean to put it out there, but we got it; there's a little bit of a gray area now for some of this. And the joke we have for FINCA, for intelligence in the financial industry:

it's of interest, it's new, and the joke is it's copied and pasted from BleepingComputer and is authoritative, because there's so much copying and pasting in threat intelligence. So we know this is good, we know he had access, we know it was released, we understand why it's released. Putting the lens on what we'd have is a "mad minute" when we'd meet a foreign asset, or meet another operational security meeting, excuse me, security: how much time do you have, did you have any trouble getting here, do you know of any imminent threats, when can we have our next meeting, what's our cover for meeting? Well, in this context I'm not worried about the next meeting.

I'm not worried about cover; I'm in cyber threat intel, I can't talk today, cyber threat intelligence for this company. I'm not worried about cover, this is my full job, it's what I do. But the imminent threat: are we under attack, are we on the radar, when's the next attack coming, and what intent do they have toward this segment of the U.S. financial industry, what are their overall plans and intents? So I am definitely applying that. I don't want to do like some, watching the words of other people, where you would see "is your credit card number in a hacker's database?" and people, oh, I wouldn't do this, right? You wouldn't; obviously to us this is a joke,

it shouldn't really work. But on the dark web, we've had to train, there are sites on the dark web: "we have all the CIA's records for the past 10 years, enter your assets, enter your operation name, enter your tool name to see if there's leaked data on it." Pro tip: there's nothing going to be there. They're harvesting the intelligence from the searches to then pivot to see what's out there on those; you're just giving them data they don't know. So we want to get this data offline, and what we want to look for, going to our CARVER chart, we want to look for these core things. Are we targeted, first and foremost? Is there an imminent threat

to this company? Yes or no. Been doing the same search across this. What friends do we have linked? What's the velocity of an African swallow, you know. Is company X listed in this for both targeting and leaked credentials? As soon as I parsed that and saw, okay, we're not on the X, we don't have any leaked credentials, spot report went up to leadership that we parsed the data so far, this core program's name isn't there, we don't have credentials, we're not on the X. However, our third-party partners that we work with, are they targeted? Well, that's a separate team, we can offload that to other people depending on the size of your team. That's a secondary target, that's

important, but first you have, like the airplane, you have to take care of your own mask first. Then going through and pivoting for the IOCs, CVEs and TTPs that are in play. So these are all equal, some are more equal than others. July 30th, 2023, CISA said that roughly 87 percent of all attacks are due to compromised accounts. So going back a slide, if we can see that we don't have leaked credentials from this, they don't have phishing email templates ready to hit my organization, and I can say that, okay, 87-ish, 88-ish percent of successful attacks, did they compromise, now we're only worried about 12 percent. And pivoting back here to what CVEs are in play,

so using CARVER we're going after, like, we're going after the direct threats, the leaked credentials. That might be more of a credential management team, an IAM team, depends on how your company does it. That's what we're looking for. The malware, I've got the source code, that's cool, we'll let someone else with a different machine, not online, not connected to the main corporate network, do your reverse engineering. You can see the testing revisions, you can see: on this laptop with this browser Conti doesn't work, but it works here. You can see them step through and start to get their quality assurance in place. The insider threat: you can see the rules, how this happened, you can see the

compartmentalization kind of work, but it kind of didn't. For credentials, there's a lot of credentials in this data dump, but because we have to use operational security and respect the other people's data, it would look like this: username, gom.com.gov, whatever, password, be redacted. There you go. A lot of breached password managers. If I shared that, that would lead to hiring attorneys and posting "I'm open for work" on LinkedIn, because I violated some NDAs for these other companies. We don't need that. There you go, you can see a lot of the creds that are there, they're blacked out. A lot of strong passwords here, but they're still leaked, because, I forget the name, but a lot of these bots will go after the

password managers. That's shared in clear text, leaked in clear text. So don't go back and just add a number to the end and say, well, they updated it, that's not a good thing either. So the Conti operator, from the link, they're using phishing to go after vulnerabilities and credentials, and then that they'll create a spear phishing for the target organization. It's a diamond model. I really wanted to use that asset, everyone drew one in elementary school and junior high at least once in my career, so there you go, it's a diamond model, both, yes. So again it's kind of getting granular: you download it on an air-gapped machine off the corporate network, you don't assume this is good data, it could still be a

honeypot operation. Once I have the data I can copy, secondary, third, copy paste. Primary, alternate, contingency, emergency is always a good backup plan. Searching for the corporate names, there, I want to say a billion, there's a lot of ways to parse data, whether you're using Ctrl-F in Notepad, whether you bring it into something like Analyst's Notebook, Nuix, excuse me,

but as long as you use the methodology you don't need an expensive thirty thousand dollar per year piece of software to search for it, or you don't need to wait for your third-party threat intelligence provider to tell you you're on the X. You can search for this yourself. Ask, can I use AI? I wouldn't use AI. I wouldn't trust my job, my company, my reputation personally to AI to catch the nuances of searching. Yeah, I know eventually I'll get to that point. Right now I don't feel comfortable with it, that's me.

Also, there's some spicy stuff in the chats, and do you want to trust the Russian ransomware operators at their things they're discussing? I'm being very polite, aren't going to get you fired. There's things in some of the chats that, yeah, yeah, there's a lot that's just glazed over there. So listening is one thing people can put this on you. You can again read the chart: once we saw we weren't on the X, we wrote up a report saying we're not targeted, we have, our core software model is not here, we're now rolling through our third-party partnerships to see who's there as well. Their unique phishing templates for Conti, provided to our IR and intrusion detection team, so we can create some ER

rules. The IOCs, those are easy to import, those, to your threat detection platform, that's an easy upload, those are easy wins. Sharing this with other partners, depending on the size of your organization, whether you want to put that in an FS-ISAC chat or one of the information sharing groups, may or may not take legal oversight and approval. So again we hit the 87-ish percent, pivot to look at the CVEs in use going all the way back to 2015. Here are the CVEs, now we can talk to our vulnerability management team to say these are the ones in use by Conti, are we 100% sure we patched all of these? You don't want to assume,

because unlike a large corporation, not only does Conti use, patches, used the vulnerabilities, they had YouTube tutorials on how to execute the vuln, plus step-by-step directions on how to do this. So it's: here's Acme Corporation, they sell anvils to coyotes, they're vulnerable to CVE-2019-1385 and 1405, so if we don't have creds we can pivot and use these because they are vulnerable for this, and it's not a week-long process to wait, they immediately pivot and go after the vulnerability.

The long-term analysis of this ransomware software is fascinating. I'm still finding some gems in here for myself, just, I'd rather do this than watch television. But that's nothing, this is a year-and-a-half-old event, roughly. There are things you can glean from it, but it's not key like a CID, FBI role where you're going through and looking for the chain of command, you're looking for the personality quirks. This one guy says he likes to go on dates with people he meets in Bangkok. Oh, he's got funding, he can leave the country, he's an international criminal. Can we work with Thai liaison to render this person the next time they leave the country, because they are a cyber criminal for

millions of dollars of theft? It's not what we're doing in the private sector, so not as important. These are things that we would break up into teams and have the different students go for to parse the data: this insider threat team, this is the malware analysis team, and let them look at each bin and see how putting on the different lenses gives you a different perspective. For the sleep data, there's still data. This came out the past couple of weeks, that Conti gives advice for the ransomware operators, which is also great advice for red teams. So there's still data that can be used. We talked that Conti is going for insurance policies, right, there's a screenshot

how they handle this, GDPR versus U.S. data, the insurance policy in full, so they can understand how to best negotiate with the targeted company. You'll say, but yeah, I will, but vx-underground releases, yes they do, but you can look at the date: the last time this was modified is 6/30/2023, and the breach happened in February 2022. There's a lot that can happen in those 14, 15 months that I need to address for my corporation before vx-underground, it's the great work they do, before they release this. A little bit of humor: they even have to avoid the appearance of NSFW, not safe for work, because there's a fantastic large fan manufacturing company and they even had to notate

it's nothing spicy, it's a fan company. So getting to the end of this, um, secure your own mask first, help others, document as you process data, just like anything else in cyber. Don't rely on your memory, because you're going to forget the source, trust me. Using this CARVER methodology doesn't require proprietary software, it's simple math in a spreadsheet, something you can take with you corporation to corporation, agency to agency. You don't have to pay thirty thousand dollars a year. Discussion questions we'd have in class: do you remove the insider threat? Knowing, if you're Russia, knowing you're going to invade Ukraine, do you remove the one Ukrainian before this happens? You cut his access, that might tip their hand. I'm not sure.

We don't need to pontificate, these are opening questions. On the other hand, you're the bad guy, you're running ransomware operations, you're going to invade another sovereign country, doing the right thing probably is the most important thing on your radar. So is tipping your hand to the one Russian, the one Ukrainian who's opposing the Russian invasion here, move him before the invasion, or do you put him on a special project, compartmentalize him away from all the other data so you don't tip your hand? I don't know.

Is it better to leak all the data, the one and done, or to work covertly, working for U.S. government intelligence agencies or Interpol, whoever, report on plans and intents and report covertly, put tracking software to allow for a bigger takedown? Which one's the greater effect? What the person did was fantastic, the cyber security community has been able to mitigate the risk from Conti, but what data are we missing? So again that's the deeper seventh floor question of why are they doing it. Two more things. One, Conti's even got it right, no one, you can't see, any point in the screen, no one will restore your health and no one will take care of you, but you take a vacation.

If you don't take care of yourself, who will? In wrapping this up, uh, I gave this talk right before I spoke on voting machines at DEF CON. I had the thought, I've not been through this to see if Conti was targeting the U.S. elections. I hadn't seen anything online, so I searched, didn't find anything where they're targeting this, but until you search yourself, don't assume someone else has done the work. You might be the first one to have that unique thought. Last is a little bit of a bonus: if you have a Mac, you have this tool built in, mdls, and we're going to try it. I don't usually do this. mdls is metadata list, it's built into

most modern Macs. So what you'll do is, I'm going to govinfo to search for a PDF, very simple, govinfo, over you, 2009 or 1019 PDF, had that stored here, and I go to Unix and terminal, here we go, it's gonna work, there we go. So download the file, I had the file saved, mdls, I'm going to just simply drag and drop, and it was, you can do Unix, but drag and drop, and right here you can see this PDF was created by, the author's name, what they used to create it, the file name, PDF library version number, which is wonderful if you're going to do red team or spear phishing, because now you know this one person is vulnerable

to maybe a CVE for that exploit. It's fantastic, you can see that this document was actually created by the Swiss using, you know, Office 95, but it's going to give you that metadata for that, came from, to, from. So can you share your personal data? You share a picture with someone from your iPhone, your GPS may or may not be on there depending on your settings, but this is a great way to extract a little bit more data from a PDF to see if the source is truly authentic, with who they claimed it was from, or if it was just stolen from the web and shared as authentic from Bob Jones when it's really from

Victor Yoroshinko. But that's it, it works on a Mac. It's also going to show you there's a beacon in a PDF, going back to show the progress as you read, the beacon, but that's another talk for the other day. Thank you for coming and I appreciate your time.
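The triage order the talk walks through (are we on the X, leaked credentials, CVEs in play, then CARVER math in a spreadsheet to rank the findings), as an added Python example that is not part of the talk or its slides. The chat lines, organisation names and CVE identifiers are constructed placeholders, and the 1-to-10 CARVER scale is an assumption.

```python
"""Added example: the talk's triage order over a constructed chat dump.
Order matters: first 'are we on the X', then leaked credentials (redacted
before anything is written down), then CVEs, then a CARVER sum for ranking."""
import re
from collections import defaultdict

# Constructed sample lines standing in for a leaked chat; not real content.
SAMPLE_CHAT = """\
2021-07-14 op1: target list: Acme Corporation, Globex Bank, Initech
2021-07-15 op2: creds from acme: jdoe@acme.example / Summer2021!
2021-07-15 op2: acme vpn is unpatched, use CVE-2019-1234 then cve-2020-5678
2021-07-16 op1: globex cyber insurance covers 5m, push for that number
"""

CRED_RE = re.compile(r"(\S+@\S+)\s*[/:]\s*(\S+)")        # user@host / password
CVE_RE = re.compile(r"cve-\d{4}-\d{4,}", re.IGNORECASE)  # placeholder IDs above

def triage(chat, watchlist):
    """Return (hits per org, redacted creds, CVEs); passwords never leave here."""
    hits = defaultdict(list)
    creds, cves = [], set()
    for line in chat.splitlines():
        low = line.lower()
        for org in watchlist:
            if org.lower() in low:
                hits[org].append(line)
        m = CRED_RE.search(line)
        if m:  # keep the account name for the IAM team, drop the secret
            creds.append((m.group(1), "[REDACTED]"))
        cves.update(c.upper() for c in CVE_RE.findall(line))
    return dict(hits), creds, sorted(cves)

def carver_score(criticality, accessibility, recuperability,
                 vulnerability, effect, recognizability):
    """CARVER total: six factors, assumed 1..10 each; higher = higher priority."""
    factors = (criticality, accessibility, recuperability,
               vulnerability, effect, recognizability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each CARVER factor must be in 1..10")
    return sum(factors)

def spot_report(chat, our_org, watchlist, scores):
    """The answers leadership wants first, plus findings ranked by CARVER total."""
    hits, creds, cves = triage(chat, watchlist)
    ranked = sorted(((carver_score(*s), name) for name, s in scores.items()), reverse=True)
    return {"on_the_x": our_org in hits,
            "leaked_accounts": [u for u, _ in creds],
            "cves_in_play": cves,
            "priorities": [name for _, name in ranked]}
```

The `scores` mapping is where the spreadsheet judgement goes: each finding gets its six CARVER factors, and the report orders them by the plain sum.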