Slide 3

- Who is Conti?
- Why are the Conti Leaks valuable information?
- Practical Python for Threat Intelligence
- Exploring the Jabber Logs of the Conti Leaks
- Extracting and analyzing relevant information using MSTICpy

Slide 4

"The information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battlespace awareness" - Edward Waltz

Slide 5

- Easy to use and to learn
- Versatile
- Powerful for both big and small apps
- Works well with large amounts of data (pandas)
- Can be used to create workflows with Jupyter
- Can be used to automate boring stuff
- Whatever you need, Python will cover your ass!

Slide 6

- Ransomware-as-a-Service model and double extortion
- A State Department official says: "They have been involved in malicious cyberactivity against our critical infrastructure. We view them as a national security threat."
- Started in December 2019
- Believed to be based in Russia, ~$50 Million

Slide 8

- Jabber is used as the internal chat tool of the Conti organisation
- The logs span 2020 to 2022 and are written in Russian
- Multiple affiliate groups and criminal elements are connected to it to discuss operations and coordination

Slide 9

- I don't read or understand Russian
- The size is about 35 MB
- I want a quick way to analyze them and find relevant information
- Challenge accepted!

Slide 11

- https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b
- https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA

Slide 14

Organisation chart labels: Stern, Defender, Bentley, Mango, Buza, Target

https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

Slide 15

- Querying log data from multiple sources
- Extracting Indicators of Activity (IoA) from logs and unpacking encoded data
- Performing analysis such as anomalous session detection and time series decomposition
- Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts
- Enriching the data with TI, geolocations and Azure resource data
- Machine learning analysis
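As an added example (not the talk's notebook and not MSTICpy code), a first pass over the chat dump that addresses the challenge from slide 9 and the first two capabilities listed here, reading the log and extracting indicators, using only the standard library. The JSON-lines layout (ts/from/to/body), the account handles, the server name and every value in the sample are assumptions or constructed data, not taken from the leak.

```python
import json
import re
from collections import Counter

# Constructed sample; the ts/from/to/body JSON-lines layout is an assumed dump format.
SAMPLE_LOG = """\
{"ts": "2021-07-12T10:15:02", "from": "stern@jabber.example", "to": "defender@jabber.example", "body": "проверь 203.0.113.7 и http://loader.example.net/x.php"}
{"ts": "2021-07-12T10:16:40", "from": "defender@jabber.example", "to": "stern@jabber.example", "body": "ок, hash d41d8cd98f00b204e9800998ecf8427e"}
{broken line as it might appear in a partially corrupted dump
{"ts": "2021-07-12T10:20:11", "from": "mango@jabber.example", "to": "stern@jabber.example", "body": "нужен доступ к panel.example.org"}
{"ts": "2021-07-13T09:01:00", "from": "stern@jabber.example", "to": "mango@jabber.example", "body": "203.0.113.7 снова"}
"""

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:onion|net|org|com|ru|io)\b", re.I),
}


def parse_jabber_log(text):
    """Return one dict per well-formed message; skip blank or broken lines."""
    msgs = []
    for line in text.splitlines():
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # keep going: one corrupt line must not stop the analysis
        if isinstance(msg, dict) and {"ts", "from", "to", "body"}.issubset(msg):
            msgs.append(msg)
    return msgs


def handle(jid):
    """'stern@server' -> 'stern', so counts are per persona, not per server."""
    return jid.split("@", 1)[0].lower()


def extract_iocs(msgs):
    """Map IoC type -> Counter of value -> number of messages mentioning it."""
    found = {kind: Counter() for kind in IOC_PATTERNS}
    for m in msgs:
        for kind, pat in IOC_PATTERNS.items():
            for value in set(pat.findall(m["body"])):  # count each value once per message
                found[kind][value.lower()] += 1
    return found


def conversation_counts(msgs):
    """Messages per (sender, recipient) pair: who talks to whom, and how often."""
    return Counter((handle(m["from"]), handle(m["to"])) for m in msgs)
```

Indicator extraction works on the untranslated bodies, so the who-talks-to-whom counts and the IoC table give a first map of the dump before any translation effort.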

Slide 20

- Well organised and structured like a company 🤯
- Multiple services (HR, Coders, RE, Testers...)
- Main accounts: Defender, Stern, Mango, Bentley, Veron...
- Interconnection with multiple cybercriminal groups that operate as affiliates
- Conti deployment via CobaltStrike
- Trickbot, BazaLoader, Emotet...
- The chats represent a communication platform for coordination between multiple criminal elements that are in some cases distinct

Slide 22

- The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets.
- Threat intelligence can be used to proactively get details about a threat actor.
- Leaked data are valuable information.
- Python is the perfect companion for threat intelligence analysts.
- MSTICpy can bolster the process you have in place for investigation.

Slide 23

Observation → Investigation & Analysis → Understanding

Slide 25

- https://www.microsoft.com/security/blog/2022/06/01/using-python-to-unearth-a-goldmine-of-threat-intelligence-from-leaked-chat-logs/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://jupyter.securitybreak.io/Conti_Leaks_Analysis/Conti_Leaks_Notebook_TR.html
- https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
- https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html
- https://www.trellix.com/en-au/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
- https://twitter.com/seadev3/status/1498783071969099777?s=20&t=Z2KJgYrjiUMCQ5Phif3ZbA
- https://msticpy.readthedocs.io/en/latest/getting_started/Introduction.html
- https://twitter.com/fbi/status/1522939345711288320
- https://www.vx-underground.org/