Conti is the victim of a shameful data breach

Security researchers have publicly released data about the server on which Conti negotiates with its victims.

The Conti ransomware group fell victim to a data breach after security researchers managed to establish the real IP address of one of its most important servers and maintain console access to the system for more than a month.

The compromised server (known as the payment portal or recovery site) is where Conti negotiates ransom payments with its victims.

"Our team discovered a vulnerability in Conti's recovery servers and used it to determine the real IP addresses of a hidden service hosted on the recovery site," according to a 37-page report from Swiss information security firm Prodaft.

The server in question has the IP address 217.12.204.135, which belongs to the Ukrainian hosting company ITL LLC. For over a month, Prodaft specialists had access to this server, which allowed them to monitor its network traffic.

While most of the connections to the server came from Conti's victims, SSH connections were also recorded, apparently from Conti itself. Here, however, luck was not on the researchers' side: the source IP addresses of the SSH connections belonged to Tor exit nodes, so they could not be used to identify the Conti operators.

Other valuable information in the report includes details of the Conti server's operating system and its htpasswd file, which holds the hashed password used to access the server.

Upon publication, the report immediately caught the group's attention. Conti was particularly concerned about the disclosure of the server's IP address and the password hash used to access it, since rival ransomware groups could have taken advantage of this information. The group ended up having to shut down its payment portal in order to find new hosting, which prevented victims around the world from contacting the ransomware operators and caused prolonged downtime.

The researchers handed all their findings over to law enforcement agencies. Publishing such findings openly, however, is rare: as a rule, details like these are withheld from the public so that law enforcement has time to take appropriate action, which can take many months. The researchers' actions were also criticized by other information security experts, because the disclosure prompted Conti to tighten its security.