Kamfanonin rigakafin ƙwayoyin cuta, ƙwararrun tsaro na bayanai da masu sha'awar kawai suna sanya tsarin saƙar zuma a kan Intanet don "kama" wani sabon nau'in ƙwayar cuta ko gano sabbin dabarun ɗanɗano. Tushen zuma ya zama ruwan dare cewa masu aikata laifuka ta yanar gizo sun haɓaka wani nau'in rigakafi: da sauri suna gane cewa suna gaban tarko kuma kawai suyi watsi da shi. Don bincika dabarun hackers na zamani, mun samar da wata tukunyar zuma ta gaskiya wacce ta rayu a Intanet tsawon watanni bakwai, yana jawo hare-hare iri-iri. Mun yi magana game da yadda hakan ya faru a cikin bincikenmu "" Wasu bayanai daga binciken suna cikin wannan sakon.
Ci gaban Honeypot: jerin abubuwan dubawa
Babban aikin samar da babban tarkon mu shi ne hana mu daga fallasa mu ta hanyar hackers da suka nuna sha'awar shi. Wannan yana buƙatar aiki mai yawa:
- Ƙirƙirar labari na gaskiya game da kamfani, gami da cikakkun sunaye da hotunan ma'aikata, lambobin waya da imel.
- Don fito da aiwatar da samfurin kayan aikin masana'antu wanda ya dace da almara game da ayyukan kamfaninmu.
- Yanke shawarar waɗanne sabis na cibiyar sadarwa za su iya samun dama daga waje, amma kar a ɗauke su tare da buɗe tashoshin jiragen ruwa masu rauni don kada ya yi kama da tarko ga masu tsotsa.
- Tsara ganuwa na leken asiri game da tsarin da ba shi da rauni kuma rarraba wannan bayanin tsakanin masu kai hari.
- Aiwatar da hankali kan ayyukan hacker a cikin kayan aikin gidan zuma.
Kuma yanzu abubuwa na farko.
Ƙirƙirar labari
An riga an yi amfani da masu aikata laifuka ta hanyar yanar gizo don cin karo da tukwane mai yawa, don haka mafi ci gaba daga cikinsu suna gudanar da bincike mai zurfi na kowane tsarin da ke da rauni don tabbatar da cewa ba tarko ba ne. A saboda wannan dalili, mun nemi tabbatar da cewa tukunyar zuma ba kawai ta dace ba ta fuskar ƙira da fasaha, amma har ma don ƙirƙirar kamannin kamfani na gaske.
Sanya kanmu a cikin takalman ɗan gwanin gwanin ban sha'awa, mun haɓaka algorithm na tabbatarwa wanda zai bambanta ainihin tsarin daga tarko. Ya haɗa da neman adiresoshin IP na kamfani a cikin tsarin suna, mayar da bincike kan tarihin adiresoshin IP, neman sunaye da kalmomin da suka shafi kamfanin, da kuma abokan hulɗarsa, da dai sauransu. Sakamakon haka, almara ya zama mai gamsarwa da ban sha'awa.
Mun yanke shawarar sanya masana'antar lalata a matsayin ƙaramin kantin sayar da samfuran masana'antu da ke aiki ga manyan abokan cinikin da ba a san su ba a cikin sashin soja da jirgin sama. Wannan ya 'yantar da mu daga matsalolin shari'a da ke da alaƙa da amfani da alamar data kasance.
Daga nan sai mu fito da manufa, manufa da suna ga kungiyar. Mun yanke shawarar cewa kamfaninmu zai zama farawa tare da ƙananan ma'aikata, kowannensu shine wanda ya kafa. Wannan ƙarin tabbaci ga labarin yanayin ƙwararrun kasuwancinmu, wanda ke ba shi damar gudanar da ayyuka masu mahimmanci ga manyan abokan ciniki masu mahimmanci. Muna son kamfaninmu ya bayyana rauni daga yanayin tsaro na yanar gizo, amma a lokaci guda ya bayyana a fili cewa muna aiki tare da mahimman kadarori akan tsarin da aka yi niyya.
Hoton hoton gidan yanar gizon MeTech honeypot. Source: Trend Micro
Mun zaɓi kalmar MeTech azaman sunan kamfani. An yi rukunin yanar gizon akan samfuri kyauta. An dauki hotunan ne daga bankunan daukar hoto, inda aka yi amfani da wadanda ba su da farin jini da kuma gyara su don kada a gane su.
Muna son kamfanin ya yi kama da gaske, don haka muna buƙatar ƙara ma'aikata tare da ƙwarewar ƙwararru waɗanda suka dace da bayanin martabar aikin. Mun fito da sunayensu da sunayensu sannan muka yi kokarin zabar hotuna daga bankunan hotuna bisa ga kabilanci.
Hoton hoton gidan yanar gizon MeTech honeypot. Source: Trend Micro
Don guje wa ganowa, mun nemi kyawawan hotuna na rukuni waɗanda za mu iya zaɓar fuskokin da muke buƙata. Koyaya, sai muka watsar da wannan zaɓi, tunda mai yuwuwar hacker zai iya amfani da binciken hoto baya kuma gano cewa "ma'aikatanmu" suna rayuwa ne a bankunan hoto kawai. A ƙarshe, mun yi amfani da hotunan mutanen da ba su wanzu waɗanda aka ƙirƙira ta amfani da hanyoyin sadarwa na jijiyoyi.
Bayanan martabar ma'aikata da aka buga akan rukunin yanar gizon sun ƙunshi mahimman bayanai game da ƙwarewar fasahar su, amma mun guji gano takamaiman makarantu ko birane.
Don ƙirƙirar akwatunan wasiku, mun yi amfani da uwar garken mai ba da sabis, sannan muka yi hayar lambobin tarho da yawa a cikin Amurka kuma muka haɗa su zuwa PBX mai kama-da-wane tare da menu na murya da injin amsawa.
Honeypot kayayyakin more rayuwa
Don guje wa fallasa, mun yanke shawarar yin amfani da haɗin haɗin kayan aikin masana'antu na gaske, kwamfutoci na zahiri da amintattun injuna. Idan muka duba gaba, za mu ce mun bincika sakamakon ƙoƙarinmu ta amfani da injin bincike na Shodan, kuma ya nuna cewa tukunyar zuma tana kama da tsarin masana'antu na gaske.
Sakamakon duba tukunyar zuma ta amfani da Shodan. Source: Trend Micro
Mun yi amfani da PLC guda huɗu azaman kayan aiki don tarkon mu:
- Siemens S7-1200
- biyu AllenBradley MicroLogix 1100,
- Farashin CP1L.
An zaɓi waɗannan PLCs don shahararsu a cikin kasuwar tsarin sarrafawa ta duniya. Kuma kowane ɗayan waɗannan masu sarrafa yana amfani da nasa ƙa'idar, wanda ya ba mu damar bincika ko wanene daga cikin PLCs za a kai hari da kuma ko za su sha'awar kowa.
Kayan aikin mu "masana'anta" - tarkon. Source: Trend Micro
Ba mu kawai shigar da kayan aiki da haɗa shi da Intanet ba. Mun tsara kowane mai sarrafawa don yin ayyuka, gami da
- hadawa,
- sarrafa bel da mai konewa,
- palletizing ta amfani da manipulator.
Kuma don tabbatar da aikin samarwa ya zama mai gaskiya, mun tsara dabaru don canza sigogin amsa ba da gangan, kwaikwayi injin farawa da tsayawa, da kunnawa da kashewa.
Masana'antarmu tana da kwamfutoci masu kama-da-wane guda uku da na zahiri daya. An yi amfani da kwamfutoci masu kama-da-wane don sarrafa shuka, robobin palletizer, da kuma matsayin wurin aiki na injiniyan software na PLC. Kwamfuta ta zahiri ta yi aiki azaman uwar garken fayil.
Baya ga saka idanu kan hare-haren da ake kaiwa PLC, muna son sanya ido kan matsayin shirye-shiryen da aka ɗora akan na'urorinmu. Don yin wannan, mun ƙirƙiri hanyar sadarwa wacce ta ba mu damar tantance saurin yadda aka gyaggyara jahohin masu aikin mu da kayan aiki. Tuni a matakin tsarawa, mun gano cewa yana da sauƙin aiwatar da wannan ta amfani da shirin sarrafawa fiye da tsara shirye-shiryen kai tsaye na dabarun sarrafawa. Mun bude hanyar yin amfani da na'urar sarrafa na'ura ta gidan zuma ta hanyar VNC ba tare da kalmar sirri ba.
Mutum-mutumin masana'antu muhimmin sashi ne na kera wayo na zamani. Dangane da wannan, mun yanke shawarar ƙara mutum-mutumi da wurin aiki mai sarrafa kansa don sarrafa shi zuwa kayan aikin masana'antar tarkon mu. Don sanya “masana’antar” ta zama mai haƙiƙa, mun shigar da software na gaske akan wurin sarrafa kayan aiki, waɗanda injiniyoyi ke amfani da su don tsara dabaru na robot. Da kyau, tunda mutummutumi na masana'antu galibi suna cikin keɓantaccen hanyar sadarwa na ciki, mun yanke shawarar barin hanyar da ba ta da kariya ta hanyar VNC kawai zuwa wurin sarrafa kayan aiki.
Yanayin RobotStudio tare da samfurin 3D na robot ɗin mu. Source: Trend Micro
Mun shigar da yanayin shirye-shiryen RobotStudio daga ABB Robotics akan na'ura mai kama da na'urar sarrafa robot. Bayan mun daidaita RobotStudio, mun buɗe fayil ɗin simulation tare da robot ɗinmu a ciki don ganin hotonsa na 3D akan allon. Sakamakon haka, Shodan da sauran injunan bincike, bayan gano wata uwar garken VNC mara tsaro, za su ɗauki wannan hoton allo kuma su nuna wa waɗanda ke neman robots na masana'antu tare da buɗe damar sarrafawa.
Manufar wannan kulawa ga daki-daki shine ƙirƙirar manufa mai ban sha'awa kuma ta gaske ga maharan waɗanda, da zarar sun same shi, za su sake komawa cikinsa akai-akai.
Wurin aikin injiniya
Don tsara dabaru na PLC, mun ƙara kwamfutar injiniya zuwa abubuwan more rayuwa. An shigar da software na masana'antu don shirye-shiryen PLC akanta:
- TIA Portal na Siemens,
- MicroLogix don mai sarrafa Allen-Bradley,
- CX-Daya don Omron.
Mun yanke shawarar cewa ba za a iya samun damar aikin injiniya a waje da hanyar sadarwa ba. Madadin haka, mun saita kalmar sirri iri ɗaya don asusun mai gudanarwa kamar na wurin sarrafa mutum-mutumi da wurin sarrafa masana'anta da ke samun dama daga Intanet. Wannan tsari ya zama ruwan dare gama gari a kamfanoni da yawa.
Abin takaici, duk da ƙoƙarin da muka yi, babu wani maharin da ya isa wurin aikin injiniyan.
Sabar fayil
Muna buƙatar shi a matsayin koto ga maharan kuma a matsayin hanyar tallafa wa namu "aiki" a cikin masana'antar lalata. Wannan ya ba mu damar raba fayiloli tare da tukunyar zumarmu ta amfani da na'urorin USB ba tare da barin wata alama a cibiyar sadarwar saƙar zuma ba. Mun shigar da Windows 7 Pro a matsayin OS don uwar garken fayil, wanda a ciki muka ƙirƙiri babban fayil ɗin da kowa zai iya karantawa da rubutawa.
Da farko ba mu ƙirƙiri kowane matsayi na manyan fayiloli da takardu a uwar garken fayil ba. Koyaya, daga baya mun gano cewa maharan suna nazarin wannan babban fayil ɗin sosai, don haka muka yanke shawarar cika ta da fayiloli daban-daban. Don yin wannan, mun rubuta rubutun python wanda ya ƙirƙiri fayil mai girman bazuwar tare da ɗayan kari da aka bayar, yana samar da suna bisa ƙamus.
Rubutun don ƙirƙirar sunayen fayil masu ban sha'awa. Source: Trend Micro
Bayan gudanar da rubutun, mun sami sakamakon da ake so a cikin nau'i na babban fayil cike da fayiloli tare da sunaye masu ban sha'awa.
Sakamakon rubutun. Source: Trend Micro
Yanayin kulawa
Bayan da muka yi ƙoƙari sosai don ƙirƙirar kamfani na gaske, ba za mu iya yin kasa a gwiwa ba kan yanayin don sa ido kan “maziyartan” mu. Muna buƙatar samun duk bayanan a ainihin lokacin ba tare da maharan sun fahimci ana kallon su ba.
Mun aiwatar da wannan ta amfani da USB guda huɗu zuwa adaftar Ethernet, famfo na SharkTap Ethernet guda huɗu, Rasberi Pi 3, da babban tuƙi na waje. Tsarin hanyar sadarwar mu yayi kama da haka:
Hoton cibiyar sadarwa na Honeypot tare da kayan sa ido. Source: Trend Micro
Mun sanya famfo SharkTap guda uku don saka idanu akan duk zirga-zirgar waje zuwa PLC, ana samun dama daga cibiyar sadarwa ta ciki kawai. SharkTap na huɗu ya kula da zirga-zirgar baƙi na injin kama-da-wane mai rauni.
SharkTap Ethernet Tap da Saliyo Wireless AirLink RV50 Router. Source: Trend Micro
Raspberry Pi yayi kama zirga-zirga yau da kullun. Mun haɗa da Intanet ta amfani da na'ura mai ba da hanya tsakanin hanyoyin sadarwa na Saliyo mara waya ta AirLink RV50, galibi ana amfani da ita a masana'antar masana'antu.
Abin baƙin ciki, wannan na'ura mai ba da hanya tsakanin hanyoyin sadarwa bai ƙyale mu mu zaɓi toshe hare-haren da ba su dace da tsare-tsarenmu ba, don haka mun ƙara Cisco ASA 5505 Tacewar zaɓi zuwa cibiyar sadarwar a cikin yanayin gaskiya don yin toshewa tare da ƙaramin tasiri akan hanyar sadarwar.
Binciken zirga-zirga
Tshark da tcpdump sun dace don magance matsalolin yau da kullun, amma a cikin yanayinmu ikonsu bai isa ba, tunda muna da gigabytes na zirga-zirgar ababen hawa, waɗanda mutane da yawa suka bincika. Mun yi amfani da buɗaɗɗen tushen Moloch analyzer wanda AOL ya haɓaka. Yana da kwatankwacinsa a cikin ayyuka zuwa Wireshark, amma yana da ƙarin damar yin haɗin gwiwa, kwatantawa da sawa fakiti, fitarwa da sauran ayyuka.
Tun da ba mu son aiwatar da bayanan da aka tattara a kan kwamfutoci na honeypot, PCAP ana fitar dasu kowace rana zuwa ma'ajiyar AWS, daga inda muka riga muka shigo da su a kan injin Moloch.
Rikodin allo
Don rubuta ayyukan masu satar bayanai a cikin kwandon zumarmu, mun rubuta rubutun da ya ɗauki hotunan na'urar kama-da-wane a wani ɗan lokaci kuma, kwatanta shi da hoton da ya gabata, mun ƙaddara ko wani abu yana faruwa a can ko a'a. Lokacin da aka gano aiki, rubutun ya haɗa da rikodin allo. Wannan hanya ta zama mafi inganci. Mun kuma yi ƙoƙarin yin nazarin zirga-zirgar VNC daga juji na PCAP don fahimtar sauye-sauyen da suka faru a cikin tsarin, amma a ƙarshe rikodin allo da muka aiwatar ya zama mafi sauƙi kuma mafi gani.
Kula da zaman VNC
Don wannan mun yi amfani da Chaosreader da VNCLogger. Dukansu utilities suna fitar da maɓalli daga juji na PCAP, amma VNCLogger yana sarrafa maɓallai kamar Backspace, Shigar, Ctrl daidai.
VNCLogger yana da rashin amfani guda biyu. Na farko: yana iya cire maɓallai ne kawai ta hanyar “sauraron” zirga-zirgar zirga-zirgar ababen hawa, don haka dole ne mu kwaikwayi zaman VNC don shi ta amfani da tcpreplay. Rashin lahani na biyu na VNCLogger ya zama ruwan dare tare da Chaosreader: dukansu ba sa nuna abubuwan da ke cikin allo. Don yin wannan, dole ne in yi amfani da Wireshark.
Muna yaudarar hackers
Mun kirkiro tukunyar zuma don a kai hari. Don cimma wannan, mun shirya fitar da bayanai don jawo hankalin masu kai hari. An buɗe tashoshin jiragen ruwa masu zuwa akan tukunyar zuma:
Dole ne a rufe tashar jiragen ruwa na RDP jim kadan bayan mun ci gaba da rayuwa saboda yawan yawan zirga-zirgar ababen hawa a kan hanyar sadarwar mu yana haifar da matsalolin aiki.
Tashoshin VNC sun fara aiki ne a yanayin gani-kawai ba tare da kalmar sirri ba, sannan mu “da kuskure” mun canza su zuwa yanayin isa ga cikakken.
Don jawo hankalin maharan, mun buga posts guda biyu tare da bayanan leken asiri game da tsarin masana'antu da ke akwai akan PasteBin.
Ɗaya daga cikin abubuwan da aka buga akan PasteBin don jawo hankalin hare-hare. Source: Trend Micro
Hare-hare
Honeypot ya rayu a kan layi kusan watanni bakwai. Harin na farko ya faru ne wata guda bayan shigar zuman a intanet.
Masu duba
An sami cunkoson ababen hawa da yawa daga na'urar daukar hoto na sanannun kamfanoni - ip-ip, Rapid, Shadow Server, Shodan, ZoomEye da sauransu. Akwai da yawa daga cikinsu wanda dole ne mu ware adiresoshin IP ɗin su daga bincike: 610 daga cikin 9452 ko 6,45% na duk adiresoshin IP na musamman na na'urar daukar hotan takardu ne.
Masu zamba
Ɗaya daga cikin manyan haɗarin da muka fuskanta shine amfani da tsarin mu don dalilai na laifi: don siyan wayoyin hannu ta hanyar asusun biyan kuɗi, fitar da mil na jirgin sama ta amfani da katunan kyauta da sauran nau'ikan zamba.
Masu hakar ma'adinai
Ɗaya daga cikin farkon baƙi zuwa tsarin mu ya zama mai hakar ma'adinai. Ya zazzage software na ma'adinai na Monero akan ta. Da ba zai iya samun kuɗi da yawa akan tsarinmu na musamman ba saboda ƙarancin aiki. Koyaya, idan muka haɗu da ƙoƙarin dozin da yawa ko ma ɗaruruwan irin waɗannan tsarin, zai iya fitowa sosai.
Fansa
A lokacin aikin saƙar zuma, mun ci karo da ƙwayoyin cuta na ransomware na gaske sau biyu. A cikin akwati na farko shi ne Crysis. Masu aiki da shi sun shiga cikin tsarin ta hanyar VNC, amma sai suka shigar da TeamViewer kuma suka yi amfani da shi don yin ƙarin ayyuka. Bayan mun jira sakon karbar kudin fansa na dala 10 a BTC, sai muka shiga wasiku tare da masu laifin, muna neman su cire mana daya daga cikin fayilolin. Sun bi wannan bukata kuma sun maimaita bukatar fansa. Mun sami damar yin shawarwari har zuwa dala dubu 6, bayan haka kawai mun sake shigar da tsarin zuwa na'ura mai mahimmanci, tunda mun sami duk mahimman bayanai.
Ransomware na biyu ya zama Phobos. Hacker da ya shigar da shi ya shafe sa’a guda yana binciken tsarin fayil din honeypot tare da duba hanyar sadarwar, sannan a karshe ya shigar da kayan fansho.
Harin ransomware na uku ya zama na bogi. Wani “hacker” da ba a san shi ba ne ya saukar da fayil ɗin haha.bat a kan tsarin mu, bayan an gama kallo na ɗan lokaci yana ƙoƙarin sa shi aiki. Ɗayan ƙoƙarin shine a sake sunan haha.bat zuwa haha.rnsmwr.
“Hacker” yana ƙara lahani na fayil ɗin jemage ta hanyar canza tsawo zuwa .rnsmwr. Source: Trend Micro
Lokacin da fayil ɗin batch ya fara aiki a ƙarshe, “hacker” ya gyara shi, yana ƙara kudin fansa daga $200 zuwa $750. Bayan haka, sai ya “rufe” duk fayilolin, ya bar saƙon ɓarna a kan tebur kuma ya ɓace, yana canza kalmomin shiga a kan VNC ɗin mu.
Bayan kwanaki biyu, dan gwanin kwamfuta ya dawo kuma, don tunatar da kansa, ya kaddamar da fayil ɗin batch wanda ya buɗe windows da yawa tare da shafin batsa. A fili, ta wannan hanya ya yi ƙoƙari ya jawo hankali ga bukatarsa.
Sakamakon
A yayin binciken, ya bayyana cewa, da zarar an buga bayanai game da raunin da ya faru, saƙar zuma ta ja hankalin jama'a, tare da karuwa a kowace rana. Domin tarkon ya sami hankali, kamfaninmu na al'ada ya sha wahala da yawa ta hanyar tsaro. Abin takaici, wannan halin da ake ciki ba shi da kyau a tsakanin yawancin kamfanoni na gaske waɗanda ba su da cikakken lokaci na IT da ma'aikatan tsaro na bayanai.
Gabaɗaya, ya kamata ƙungiyoyi su yi amfani da ƙa'idar mafi ƙarancin gata, yayin da muka aiwatar da ainihin akasin sa don jawo hankalin maharan. Kuma idan muka daɗe muna kallon hare-haren, ƙara haɓakar su idan aka kwatanta da daidaitattun hanyoyin gwajin shiga.
Kuma mafi mahimmanci, duk waɗannan hare-hare sun gaza idan an aiwatar da isassun matakan tsaro lokacin kafa hanyar sadarwar. Dole ne ƙungiyoyi su tabbatar da cewa kayan aikinsu da kayan aikin masana'antu ba sa samun damar Intanet daga Intanet, kamar yadda muka yi musamman a cikin tarkonmu.
Ko da yake ba mu yi rikodin hari ɗaya ba a kan wurin aikin injiniya, duk da yin amfani da kalmar sirrin mai gudanarwa na gida ɗaya akan duk kwamfutoci, ya kamata a guji wannan al'ada don rage yuwuwar kutsawa. Bayan haka, raunin tsaro yana zama ƙarin gayyata don kai hari ga tsarin masana'antu, waɗanda suka daɗe suna sha'awar masu aikata laifuka ta yanar gizo.
source: www.habr.com