How I accidentally researched Conti for 4 years…

Intro…

Okay so the title is not entirely true but let me explain. For the last 4 years I have been researching how to exploit different container orchestration and implementation programs (docker and Kubernetes being the main staples). This all started as a ‘Final Project’ of sorts for my college career. I had seen the rise of containers as a way to have a testing environment that was slim and consistent across all developers working on a project. At the time we were using things like Vagrant to create a VM with our application running to do development on. I saw the benefit of containerizing our app for development, but something was odd to me. This ‘development’ tool was being used in prod. I had seen people just throw up their development folders from their machine onto a hosting server and…well…dork this…FOR RESEARCH PURPOSES AND CONTEXT ONLY!

`filetype:env intext:DB_PASSWORD`

Yeah…so…I have very little faith at this point in my career as to how ‘secure’ a developer deploying an application can be. Adding another toolset or a magic box doesn’t fix this. And docker and Kubernetes are no strangers to this. I explain this in more detail in my other blog posts on docker. I’ve also documented a cheat sheet of sorts here: https://redteam.wiki/en/misc/software/Docker (Thanks mubix for letting me in on that project)

Digging in…

So where is Conti in this?

Conti is now leveraging container cryptojacking practices. Or they ‘hired’ the guy to use their code. That guy is TeamTNT. Or, as they like to go by, Hilde.

Here’s the funny thing…I have been following that guy for years. Publicly showing when his stuff was out there and archiving his code along with all of the other botnets that I have found over the years. The interesting thing though is that this doesn’t surprise me.

In a talk I did first detailing how I had my ‘first encounter’ with a docker botnet, I had this quote from my paper that can be summed up as ‘nation-state and criminal actors will use this technology’s configuration deficiencies and features to create botnets to assist in operations’. That rang true a few times when I discovered multiple lone-wolf actors and a few that I suspect to be nation-state. But none of them were really in a ‘criminal group’, that is, until the Conti Leak happened. I was quickly going over an article to see whether or not I would really dig into it. I just randomly scrolled and saw “TeamTNT”. My first thought was that I was just having a bad eye-sight moment. But no…it was there.

I quickly went to the sourced link to go and analyze it for myself. My main questions were:

  1. Did Hilde join Conti?
  2. Did Conti just rip the code?
  3. Is there anything else that is different in the codebase from other botnets? Or similar?

Figure: Monero wallet address discovered in the Conti Leaks TeamTNT toolset.

It was pretty quick to discover the answer to the first question.

Figure: The same Monero address from the Conti Leaks found in a historical archive from October 2021.

Yeah so to answer that question of if Hilde has joined Conti, the answer is yes. This also lines up with the fact that, and I can’t stress this enough, on their personal website Hilde stated that they were ‘leaving the scene’ and had ‘made the right connections’ to move onto the next thing. That was posted in about mid-October/November of last year (2021). My thought on this at the time was shoot he’s going to go underground and get into deep web comms and is trying to kill out his public presence before joining. Man was I right.

So we’ve already been able to answer the first two questions. Now let’s look at the whole thing to see if there is anything different that I can find in the TeamTNT toolset.

Going through it, it looks to be an updated version of two of the ‘best’ that I’ve seen come out of the TeamTNT flavors of botnets: the ‘chimera’ and what I call ‘TeamTNT_SugarDaddy’.

TeamTNT_Chimera: https://github.com/Caprico1/Docker-Botnets/tree/master/TEAMTNT_MASTER_LIST/chimaera/45_9_148_35/45.9.148.35/chimaera

TeamTNT_SugarDaddy: https://github.com/Caprico1/Docker-Botnets/tree/master/TeamTNT_Sugar_daddy

However, ample upgrades seem to have been made since Hilde went ‘dark’ and joined Conti. What’s interesting, though, is the sudden addition of an Ethereum address.

Figure: Ethereum address discovered in the TeamTNT toolset.

This is odd to me since Hilde never strayed away from Monero (XMR), due to the fact that it doesn’t track every single transaction ever like Bitcoin or Ethereum do. This is new and can be further analyzed here: https://www.blockchain.com/eth/address/0xc098b2a3aa256d2140208c3de6543aaef5cd3a94

I have a feeling that this address is being actively used by the Conti group. One of the addresses that has been seen sending money to the account looks to be a mixer service.

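The cross-check described above (a Monero address pulled from the leaked toolset matched against the October 2021 archive, and an Ethereum address with no earlier match) can be automated. This is an added Python example, not code from the post or from any TeamTNT/Conti toolset; every address, file name and archive entry in it is a constructed placeholder, and the only real input it expects is a mapping of script names to their contents.

```python
import re
from typing import Dict, Set, Tuple

# Address formats seen in the toolset discussed above: Monero standard addresses
# are 95 base58 characters starting with 4 or 8; Ethereum addresses are 0x + 40 hex.
ADDRESS_PATTERNS = {
    "xmr": re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
AddrMap = Dict[str, Set[str]]


def extract_addresses(text: str) -> AddrMap:
    """Return every wallet address in one script body, keyed by coin."""
    return {coin: set(pat.findall(text)) for coin, pat in ADDRESS_PATTERNS.items()}


def scan_toolset(files: Dict[str, str]) -> AddrMap:
    """Merge the addresses found across a filename -> contents mapping."""
    found: AddrMap = {coin: set() for coin in ADDRESS_PATTERNS}
    for body in files.values():
        for coin, addrs in extract_addresses(body).items():
            found[coin] |= addrs
    return found


def compare_with_archive(found: AddrMap, archive: AddrMap) -> Tuple[AddrMap, AddrMap]:
    """Split into addresses already in the archive (ties the new sample to the
    old actor) and addresses never seen before (new payout infrastructure)."""
    known = {coin: found[coin] & archive.get(coin, set()) for coin in found}
    new = {coin: found[coin] - archive.get(coin, set()) for coin in found}
    return known, new


# Constructed placeholders, not real wallets: a Monero address present in the
# "old" archive and an Ethereum address that appears only in the newer sample.
OLD_XMR = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]
NEW_ETH = "0x" + "ab" * 20

# Constructed stand-ins for the leaked toolset scripts and the October 2021 archive.
LEAKED_TOOLSET = {
    "init.sh": f"./xmrig -o pool.example:3333 -u {OLD_XMR} -k --tls\n",
    "wallet.cfg": f"ETH_WALLET={NEW_ETH}\n",
}
ARCHIVE_2021: AddrMap = {"xmr": {OLD_XMR}, "eth": set()}


def analyze() -> Tuple[AddrMap, AddrMap]:
    """Known addresses link the leak to the archived actor; new ones are leads."""
    return compare_with_archive(scan_toolset(LEAKED_TOOLSET), ARCHIVE_2021)
```

Pointing `LEAKED_TOOLSET` at real script contents and `ARCHIVE_2021` at addresses from your own archive reproduces the comparison; a new coin type only needs one more regex in `ADDRESS_PATTERNS`.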

So, honestly speaking here, I only find it humorous that I’ve written on this for years and now am seeing every prediction I’ve made show up in the real world.

However, I’m a bit more concerned now about seeing this in a ‘Legion of Doom’ style grouping of characters.

Conclusion

I’ve been following docker botnets for years. Every day I’d watch as millions of dollars’ worth of Monero were being gained illegally. Yeah, there’s something to be said about the people that were hosting vulnerable container toolsets in the cloud without proper hardening, but I’ve ranted on that enough. What you can do with the toolset that container technology gives you is honestly nuts. And I think we have only seen the surface of what is actually possible with attacks like this.

Imagine this. There are devices all over the world that have vulnerabilities that you can gain access to. But building up the infrastructure to have secure(ish) operational security is time-consuming and expensive. Even for ransomware actors that are regularly getting payments from their victims (unreported or otherwise) and selling off data that they have exfiltrated in mass data-dump marketplaces, that’s a lot of work and money expended on just infrastructure.

Now think of this. I as an actor find multiple vulnerable endpoints via OSINT for BlueKeep. Something like millions of devices are still vulnerable to this and are open to the internet. And I have all these container instances that are open to the internet that I can put any image onto and then attack the host or the BlueKeep-vulnerable devices. I could automate my attack to go from me to the docker instances, launch the attack against multiple devices, run internal network discovery and exploitation tools (automated of course; see the rest of Conti’s toolset, it’s wild), and then infect all of those networks from a flurry of infrastructure from all over the world.

That’s the scary scenario that I have rolling in my mind. Just an all out chain of attacks happening across all container infrastructure to attack more things along the way.

As always, there has to be a push for educating developers and IT professionals on how to properly secure their production environments in an increasingly cloud/off-prem focused world. As well as a push for developers of the tools to be held somewhat responsible for having this functionality that is abused. Putting the proper protections and/or warnings in place would be a good start.

I feel that the clock is ticking…and at some point…WannaCry was at the start of my career, but there is something larger brewing that could give not just groups like Conti a way to conduct themselves but nation states as well.
