The attacker goes after every new server the group brings online.
An unknown attacker carried out a DDoS attack on Cobalt Strike servers run by former members of Conti, accompanied by anti-Russian messages to interfere with their activities.
After shutting down their internal infrastructure in May, Conti members joined other groups - Quantum, Hive and BlackCat. However, former Conti members continue to use the same Cobalt Strike infrastructure to carry out new attacks as part of other ransomware campaigns.
Cybercriminals use the TeamServer C&C server to manage Cobalt Strike Beacon payloads on compromised hosts, allowing lateral movement. When attacking the Cobalt Strike servers, the unknown attacker set the reported computer names to various anti-Russian messages.
AdvIntel CEO Vitaly Kremez said the attacker initially targeted at least 4 Cobalt Strike servers, which are allegedly controlled by former members of Conti. Kremez said the messages are flooding the servers at a rate of 2 messages per second.
As a result of such a large number of these requests, the TeamServer Java application is overloaded and its operation is interrupted, similar to a denial of service (DoS) condition.
According to Kremez, the hacker constantly targets these Conti servers, resuming attacks every time a new server is discovered.