Leak of customer data from re:Store, Samsung, Sony Center, Nike, LEGO and Street Beat stores

Last week Kommersant reported that "the customer databases of Street Beat and Sony Center were in the public domain", but in reality everything is much worse than what was written in that article.


I have already done a full technical analysis of this leak in the Telegram channel, so here we will go over only the main points.

Disclaimer: all the information below is published solely for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

An Elasticsearch server with the following indices was freely accessible:

  • graylog2_0
  • Fayil
  • unauth_text
  • http:
  • graylog2_1

graylog2_0 contains logs from 16.11.2018 to March 2019, and graylog2_1 contains logs from March 2019 to 04.06.2019. Until access to the Elasticsearch server was closed, the volume of data in graylog2_1 kept growing.

According to the Shodan search engine, this Elasticsearch server had been freely accessible since 12.11.2018 (as noted above, the first entries in the logs are dated 16.11.2018).

In the logs, the gl2_remote_ip field holds the IP addresses 185.156.178.58 and 185.156.178.62, whose DNS names are srv2.inventive.ru and srv3.inventive.ru:


I notified Inventive Retail Group (www.inventive.ru) about the problem on 04.06.2019 at 18:25 (Moscow time), and at 22:30 the server "quietly" disappeared from public access.

The records contained (all figures are estimates; duplicates were not removed from the lists, so the actual number of leaked records is most likely lower):

  • more than 3 million email addresses of customers of re:Store, Samsung, Street Beat and LEGO stores
  • more than 7 million phone numbers of customers of re:Store, Sony, Nike, Street Beat and LEGO stores
  • more than 21 thousand login/password pairs from the personal accounts of buyers at Sony and Street Beat stores
  • most of the records with phone numbers and emails also contain full names (often in Latin script) and loyalty card numbers.

An example from the log relating to a Nike customer (all data replaced with the character "X"):

"message": "{"MESSAGE":"[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact[ДАННЫЕ POST] Arrayn(n    [contact[phone]] => +7985026XXXXn    [contact[email]] => [email protected]    [contact[channel]] => n    [contact[subscription]] => 0n)n[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 27008290n    [brand] => NIKEn)n[ОТВЕТ СЕРВЕРА] Код ответа - 200[ОТВЕТ СЕРВЕРА] stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7985026XXXXn            [email] => [email protected]            [channel] => 0n            [subscription] => 0n        )nn)n","DATE":"31.03.2019 12:52:51"}",

And here is an example of how logins and passwords for buyer accounts on the sites sc-store.ru and street-beat.ru were stored:

"message":"{"MESSAGE":"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[МЕТОД ЗАПРОСА] personal[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 26725117n    [brand]=> SONYn)n[ОТВЕТ СЕРВЕРА] Код ответа - [ОТВЕТ СЕРВЕРА] ","DATE":"22.04.2019 21:29:09"}"

IRG's official statement on this incident can be read here; an excerpt from it:

We could not ignore this issue and changed the passwords to customer accounts to temporary ones, in order to rule out the possible use of data from personal accounts for fraudulent purposes. The company does not confirm a leak of the personal data of street-beat.ru customers. All Inventive Retail Group services have also been checked. No threat to customers' personal data was found.

It is sad that IRG cannot work out what leaked and what did not. Here is an example from the log relating to a Street Beat store customer:

"message": "{"MESSAGE":"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'МЕТОД ЗАПРОСА' = contact,'ДАННЫЕ POST' = Arrayn(n    [contact[phone]] => 7915545XXXXn)n,'ДАННЫЕ  GET' =nttArrayn(n    [digital_id] => 27016686n    [brand] => STREETBEATn)n,'ОТВЕТ СЕРВЕРА' = 'Код ответа - '200,'RESPONCE' = stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7915545XXXXn            [email] => [email protected]","Дата":"01.04.2019 08:33:48"}",
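The three log fragments above share one root cause: full request URIs (including login and password query parameters) and request/response bodies with phone numbers and emails were written to the log pipeline verbatim. The following script is an added example, not code from the article or from IRG, showing a defender-side check that scans Graylog-style JSON records for such fields and redacts them before they reach an index; the sample records, the parameter list and the `ransom_markers` helper (which looks for the `unauth_text` marker index from the index list above) are my own constructions.

```python
import json
import re

# Constructed sample records modelled on the shape of the leaked Graylog
# "message" fields quoted in the article; every value here is made up.
SAMPLE_LOGS = [
    '{"MESSAGE":"[URI]/action.php?a=login&sessid=93164e26&login=user%40example.com'
    '&password=Secret1&remember=Y[МЕТОД ЗАПРОСА] personal","DATE":"22.04.2019 21:29:09"}',
    '{"MESSAGE":"[URI] /personal/profile/[ДАННЫЕ POST] Array( [contact[phone]] => '
    '+79850260000 [contact[email]] => user@example.com )","DATE":"31.03.2019 12:52:51"}',
    '{"MESSAGE":"[URI] /catalog/list?page=2","DATE":"01.04.2019 08:33:48"}',
]

# Query-string parameters that must never reach a log store in clear text (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "sessid", "token"}
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|%40)[\w-]+\.[\w.-]+", re.I)
PHONE_RE = re.compile(r"\+?7\d{10}\b")      # Russian mobile numbers, as seen in the dumps
RANSOM_MARKER_INDICES = {"unauth_text"}     # marker index named in the article


def scan_record(raw):
    """Return (findings, redacted_json) for one Graylog-style JSON record."""
    rec = json.loads(raw)
    msg = rec["MESSAGE"]
    findings = []

    def redact_param(m):
        name = m.group(1)
        if name.lower() in SENSITIVE_PARAMS:
            findings.append("param:" + name)
            return name + "=<redacted>"
        return m.group(0)

    # 1. credentials and session ids logged verbatim inside the request URI
    msg = re.sub(r"(?<=[?&])(\w+)=([^&\[\s]*)", redact_param, msg)
    # 2. PII inside the dumped request/response bodies
    if EMAIL_RE.search(msg):
        findings.append("email")
        msg = EMAIL_RE.sub("<email>", msg)
    if PHONE_RE.search(msg):
        findings.append("phone")
        msg = PHONE_RE.sub("<phone>", msg)
    rec["MESSAGE"] = msg
    return findings, json.dumps(rec, ensure_ascii=False)


def ransom_markers(index_names):
    """Index names that match the ransom-note markers left by the script."""
    return sorted(RANSOM_MARKER_INDICES & set(index_names))
```

Run `scan_record` over each line before it is shipped to Elasticsearch; a non-empty findings list means the application is logging data that should never have left the request handler.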

Still, let us move on to the really bad news and explain why this turned into a leak of the personal data of IRG's customers.

If you look at the indices of this freely accessible Elasticsearch server, you will notice two names among them: Fayil and unauth_text. This is the mark of one of the many ransomware scripts; it has affected more than 4 thousand Elasticsearch servers worldwide. The contents of Fayil look like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

While the server with IRG's logs was in open access, the ransomware script undoubtedly gained access to the customer data and, judging by the message it left behind, the data was downloaded.

Moreover, I have no doubt that this database was found before me and had already been downloaded. I would even say I am certain of it. It is no secret that such open databases are deliberately hunted for and dumped.

News about data leaks and insiders can always be found on the Telegram channel "Information leaks": https://t.me/dataleak.

source: www.habr.com
