According to recent foreign media reports, one of the world’s top jewelry brands, Graff, suffered a large-scale “Internet robbery”.
— Hackers stole the private information of many of its rich and celebrity clients
— Victims are believed to include Trump, David Beckham and more
— Hackers demand millions of dollars in ransom or they will reveal the private data of billionaires and stars
— A criminal gang named Conti is behind it
— The Conti gang used the recently disclosed ProxyShell vulnerability to attack Microsoft Exchange servers
Introduction to the report on the security affairs website
The Conti ransomware gang is demanding millions of dollars in ransom from Graff or they will leak the privacy of many celebrities and billionaires.
The firm’s clients are some of the world’s richest people, including Trump, David Beckham, Tom Hanks, Samuel L. Jackson, Alec Baldwin and Sir Philip Green.
As evidence of the successful attack, the Conti gang has published documents related to the purchases of David Beckham, Trump and others on its leak site. 69,000 confidential documents have been published, including customer lists, invoices, receipts and credit notes.
The Conti gang claimed that the information released involved about 11,000 of Graff’s customers and represented only 1 percent of the stolen files.
Foreign cybersecurity insiders say the impact on customer privacy could be greater than the value of the jewelry, and if Graff refuses to pay the ransom, the gang could try to blackmail its customers.
“Unfortunately, we, like many other businesses, have recently been targeted by criminals,” a Graff spokesperson said.
At this point, thousands of people have already visited leaked sites, digging through published files for sensitive information.
(Graff jewelry. The picture comes from the Internet)
Conti ransomware gang
The Conti gang is one of the most active and aggressive ransomware gangs.
The Conti gang runs a proprietary ransomware-as-a-service (RaaS) malware that emerged in the threat landscape at the end of December 2019 and spread via a TrickBot infection. Experts speculate that these operators are members of the Russian cybercrime organization Wizard Spider. Wizard Spider is also believed to be behind another notorious hacking group, Ryuk.
Since August 2020, the Conti gang also operates a leak site called Conti News, which lists victims and publicly leaks stolen data to threaten victims.
The Conti gang belongs to the double-extortion camp: it downloads unencrypted confidential material before encrypting a system with ransomware, keeping that data as an additional bargaining chip for when victims refuse to pay the ransom in exchange for a decryption key. Conti is considered a variant of the popular Ryuk ransomware family, and more and more attackers are spreading the malware through the same methods used to spread Ryuk in the past. For example, banking Trojans such as Trickbot/Emotet and the BazarLoader malware are now being used to spread Conti. The Conti gang uses a two-pronged threat: withholding the decryption key, and selling or leaking the victim’s sensitive data. Once the malware infects the victim system, it tries to move laterally to access more sensitive content. Additionally, the Conti ransomware encrypts files quickly by using multithreading.
Some of the incidents involving the Conti gang this year
Scottish EPA under attack
In January 2021, the Scottish Environment Protection Agency (SEPA) was hit by a Conti ransomware attack in which 1.2GB of data was stolen. Nearly a month after the attack, the agency’s services remained disrupted. After the agency refused to pay the ransom, the hackers released thousands of the stolen documents, more than 4,000 documents and databases related to contracts, business services and strategies.
Florida school attacked
In February 2021, Broward County Public Schools (BCPS) in Florida was attacked by the Conti ransomware, and the gang demanded a ransom of $40 million. The school district is the sixth largest in the United States and the second largest in Florida. The Conti gang said it had encrypted the district’s servers and stolen more than a terabyte of data files, including student and employee personal information, contracts and financial documents.
Irish healthcare facility HSE under attack
In May 2021, the HSE, Ireland’s public health service, was attacked by the Conti ransomware, and the gang demanded a ransom of $20 million. The agency shut down all IT systems after discovering the attack. But the Conti gang claimed to have been on the agency’s network for two weeks, during which time it stole 700GB of unencrypted files, including patient and staff information, contracts, financial statements and payslips.
FBI issues warning over Conti
In May 2021, the FBI said Conti ransomware had hit at least 16 U.S. healthcare and emergency services organizations over the past year, and had affected more than 400 organizations globally, 290 of which were located in the U.S.
Conti gang leaks attack manual on its own
On August 5, 2021, following an internal dispute over the uneven distribution of proceeds, one of the Conti gang’s affiliates disclosed the gang’s internal information and tools. The disclosed files include tools for stealing data, detecting anti-virus software, evading anti-virus software, network scanning, remote control, etc. There is also a detailed attack tutorial, which lists the gang’s attack steps and its general attack approach. The main ideas include: after obtaining access to a device, work out which company the device belongs to and then focus on that company’s revenue; use the device access to keep moving laterally through the intranet; after obtaining access to more devices, deploy remote control software to prepare for subsequent attack operations; scan the files on intranet devices, identify potentially valuable files by file name, and use data synchronization software to exfiltrate them; and finally deploy the ransomware.
CISA, FBI and NSA issue warning over Conti
In September 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) reported an increase in the number of ransomware attacks against U.S. organizations by the Conti gang.
The warning states: “CISA and FBI observed an increase in the use of Conti ransomware in more than 400 attacks against U.S. and international organizations. In a typical Conti ransomware attack, malicious cyber attackers steal files, encrypt servers and workstations, and demand ransom payment. To protect systems from Conti ransomware, CISA, FBI, and NSA recommend implementing the mitigations described in this bulletin.”
Mitigations provided in the warning include: using multi-factor authentication; implementing network segmentation and filtering traffic; scanning for vulnerabilities and keeping software updated; removing unnecessary applications and applying controls; implementing endpoint detection and response tools; limiting access to network resources, especially by restricting RDP; securing user accounts; etc.
Conti Exploited ProxyShell Vulnerability to Attack Microsoft Exchange Servers
In September 2021, the securityaffairs website published an article saying that the Conti ransomware gang was exploiting the recently disclosed ProxyShell vulnerability to attack Microsoft Exchange servers. We have compiled the article as follows for the reader’s reference.
ProxyShell is the name of three vulnerabilities that can be chained to execute code on Microsoft Exchange servers by a remote, unauthenticated attacker.
The three vulnerabilities used in the ProxyShell attack are:
CVE-2021-34473 – Pre-authentication path confusion leads to ACL bypass (patched in April by KB5001779)
CVE-2021-34523 – Elevation of privilege on the Exchange PowerShell backend (patched in April by KB5001779)
CVE-2021-31207 – Post-authentication arbitrary file write leads to RCE (patched in May by KB5003435)
The vulnerabilities were exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.
The flaws were discovered by Devcore security researcher Orange Tsai, and the issues earned a $200,000 award at the April 2021 Pwn2Own hacking competition.
Researchers from Sophos found that attackers exploited the Microsoft Exchange ProxyShell vulnerabilities to compromise networks. The Conti gang is targeting organizations running Exchange Server that have not yet updated their installations. Once it gains network access, Conti first drops a web shell to execute commands and compromise servers, then manually deploys the ransomware to infect as many systems as possible on the network.
“In a set of ProxyShell-based attacks Sophos observed, Conti successfully gained access to the target network and set up a remote web shell within a minute. Three minutes later, they installed a second backup web shell. Within 30 minutes, they generated a complete list of network computers, domain controllers, and domain administrators. After just four hours, Conti had obtained the credentials of the domain administrator account and started executing commands,” Sophos said. “Within 48 hours of gaining initial access, the attackers had compromised approximately 1TB of data. Five days later, they deployed the Conti ransomware to every machine on the network, specifically targeting a single network share on each machine.”
Experts noted that the ransomware gang installed several backdoors, several web shells, Cobalt Strike, and commercial remote access tools from AnyDesk, Atera, Splashtop, and Remote Utilities on the target network.
Once they gain access to the target’s network, the ransomware gang uploads the stolen data to MEGA file sharing servers. Five days later, the group began encrypting devices on the network and launched attacks from unprotected servers.
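The intrusion pattern described above (the ProxyShell path-confusion request against the CAS endpoint on port 443, followed by a dropped web shell) leaves traces in the Exchange server’s IIS logs. The following Python script is an added example, not code from the article or from Sophos: it parses constructed W3C-format IIS log lines and tags the two indicators. The field order, the alert tags and the sample entries are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Assumed W3C field order for these constructed IIS log lines.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "user", "c_ip", "ua", "status"]

# Path-confusion indicator: an Autodiscover request whose query smuggles a
# second "autodiscover.json" reference (the publicly described CVE-2021-34473 shape).
CONFUSION = re.compile(r"autodiscover\.json.*autodiscover\.json", re.I)
# Directories where dropped .aspx web shells are commonly found after exploitation.
SHELL_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")


def parse_line(line):
    """Split one W3C log line into a dict, or None if the field count is off."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def classify(entry):
    """Return the list of alert tags that apply to one parsed entry."""
    tags = []
    stem = entry["uri_stem"].lower()
    query = unquote(entry["uri_query"]).lower()
    if stem.startswith("/autodiscover/") and CONFUSION.search(stem + "?" + query):
        tags.append("proxyshell-path-confusion")
    if entry["method"] == "POST" and stem.endswith(".aspx") and stem.startswith(SHELL_DIRS):
        tags.append("possible-webshell")
    return tags


def scan(log_text):
    """Return (client_ip, uri_stem, tags) for every line that raises an alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blank lines and W3C directives
            continue
        entry = parse_line(line)
        if entry is not None and (tags := classify(entry)):
            alerts.append((entry["c_ip"], entry["uri_stem"], tags))
    return alerts


# Constructed sample log: one benign OWA hit, one path-confusion probe,
# one POST to a suspicious .aspx, and one ordinary OWA login.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-01 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3f@example.com 443 - 203.0.113.7 python-requests/2.25 200
2021-09-01 10:00:04 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 203.0.113.7 python-requests/2.25 200
2021-09-01 10:00:05 10.0.0.5 POST /owa/auth.owa - 443 user1 198.51.100.9 Mozilla/5.0 302
"""

if __name__ == "__main__":
    for client_ip, uri, tags in scan(SAMPLE_LOG):
        print(client_ip, uri, ",".join(tags))
```

Correlating both tags from the same client IP within minutes mirrors the one-minute web shell timeline Sophos reported.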
Closing remarks
London-based Graff, founded by Laurence Graff, is one of the world’s top jewellery brands, renowned for its diamonds. Some cyber experts believe that blackmailers may demand payment in untraceable online currencies such as bitcoin, or even jewelry.
Some foreign media said that the “Graff raid” may be the largest “diamond robbery” in history, even though not a single diamond was touched: the private information of a large number of rich and famous Graff customers has been exposed on the dark web, and there may be more victims to come.