Your move, graph: how we failed to find a good network graph and built our own


While investigating cases involving phishing, botnets, fraud and criminal hacker groups, Group-IB analysts have for many years used graph analysis to uncover connections of various kinds. Each type of case had its own datasets, its own algorithms for finding connections, and interfaces tailored to specific tasks. All of these tools were developed by Group-IB and were available only to our own staff.

Graph analysis of network infrastructure (the network graph) became the first internal tool that we built into all of the company's public products. Before creating our network graph we analyzed many similar solutions on the market and did not find a single product that met our needs. In this article we describe how we built the network graph, how we use it, and the difficulties we ran into.

Dmitry Volkov, CTO of Group-IB and head of cyber intelligence

What can the Group-IB network graph do?

Investigations

Since Group-IB was founded in 2003, identifying, deanonymizing and bringing cybercriminals to justice has been a top priority of our work. Not a single cyberattack investigation was completed without an analysis of the attackers' network infrastructure. At the start of our journey, searching for the connections that could help identify the criminals was painstaking "manual labour": information about domain names, IP addresses, digital fingerprints of servers, and so on.

Most attackers try to act as anonymously as possible on the network. Like everyone else, however, they make mistakes. The main goal of this kind of analysis is to find the attackers' historical "white" or "grey" projects that intersect with the malicious infrastructure used in the incident currently under investigation. If "white projects" can be found, identifying the attacker usually becomes a trivial task. With "grey" ones the search takes more time and effort, because their owners try to anonymize or hide registration data, but the chances of success remain high. As a rule, at the start of their criminal career attackers pay less attention to their own security and make more mistakes, so the deeper we can dig into the history, the higher the chances of a successful investigation. That is why a network graph with good history is an extremely important element of such an investigation. Put simply, the deeper the historical data a company has, the better its graph. Say a 5-year history can help solve, roughly, 1-2 crimes out of 10, while a 15-year history gives a chance to solve all ten.

Phishing and fraud detection

Every time we receive a suspicious link to a phishing, fraudulent or pirated resource, we automatically build a graph of the related network resources and check all hosts found for similar content. This lets us find both old phishing sites that were active but unknown, and brand-new ones that have been prepared for future attacks but not yet used. An elementary example that comes up often: we find a phishing site on a server hosting only 5 sites. Checking each of them, we find phishing content on the other sites as well, so we can block 5 instead of 1.
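The content check described above, as an added illustration (this is not Group-IB's code; the pages, hostnames, the 3-token shingling and the 0.5 threshold are assumptions made for the example). Two co-hosted pages are built from the same phishing-kit template with only the bank name and logo changed, one is an unrelated page, and one is empty; the shingle-Jaccard similarity flags only the kit clone:

```python
import re

# Constructed phishing-kit template (assumption for this example). Real kits
# differ between targets only in branding, which is exactly what this models.
PHISH_TEMPLATE = """<html><head><title>{bank} Online Banking - Security Check</title>
<link rel="stylesheet" href="/css/style.css"></head>
<body><div class="header"><img src="/img/{logo}" alt="{bank}"></div>
<form action="/verify.php" method="post">
<p>We detected unusual activity. Please confirm your card details to restore access.</p>
<input name="cardnumber" placeholder="Card number">
<input name="expiry" placeholder="MM/YY">
<input name="cvv" placeholder="CVV">
<input name="pin" type="password" placeholder="Online PIN">
<button type="submit">Confirm</button></form>
<div class="footer">&copy; {bank} 2019. All rights reserved.</div></body></html>"""

# The page that was reported to us (constructed).
KNOWN_PHISH = PHISH_TEMPLATE.format(bank="Alphabank", logo="alphabank.png")

# Pages fetched from the other hosts on the same server (constructed).
COHOSTED = {
    "betabank-secure.example": PHISH_TEMPLATE.format(bank="Betabank", logo="betabank.png"),
    "garden-blog.example": "<html><head><title>Tomato growing notes</title></head>"
                           "<body><h1>Tomato growing</h1><p>This week we look at soil "
                           "acidity and watering schedules for container plants.</p></body></html>",
    "parked.example": "",   # empty response: must not divide by zero or match
}


def shingles(html, k=3):
    """k-grams over lowercase alphanumeric tokens of the raw HTML, so tag names,
    attribute names, form field names and visible text all feed the fingerprint."""
    tokens = re.findall(r"[a-z0-9]+", html.lower())
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(html_a, html_b):
    """Jaccard similarity of the two shingle sets; 0.0 when either page is empty."""
    a, b = shingles(html_a), shingles(html_b)
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_lookalikes(known_phish_html, pages, threshold=0.5):
    """Hosts whose page is a near-copy of the known phishing page (same kit,
    different branding); the rest of the server's tenants are left alone."""
    return sorted(host for host, html in pages.items()
                  if similarity(known_phish_html, html) >= threshold)


if __name__ == "__main__":
    for host, html in COHOSTED.items():
        print(f"{host:28s} similarity={similarity(KNOWN_PHISH, html):.2f}")
    print("block:", find_lookalikes(KNOWN_PHISH, COHOSTED))
```

Token-level shingling over the raw markup, rather than over visible text only, is what makes this robust to rebranding: the form field names, action URL and layout of the kit survive a change of bank name and logo, while an unrelated page shares almost none of them.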

Backend discovery

This process is needed to determine where a malicious server really lives. 99% of card shops, hacker forums, phishing resources and other malicious servers are hidden both behind their own proxy servers and behind the proxies of legitimate services such as Cloudflare. Knowledge of the real backend is very important for investigations: the hosting provider from which the server can be seized becomes known, and it becomes possible to build connections with other malicious projects.

For example, you have a phishing site collecting bank card data that resolves to IP address 11.11.11.11, and a card shop address that resolves to IP address 22.22.22.22. During analysis it may turn out that both the phishing site and the card shop share a common backend IP address, say 33.33.33.33. This knowledge lets us build a connection between the phishing attack and the card shop where the stolen card data may be sold.

Event correlation

When you have two different alerts (say, from an IDS) with different malware and different servers controlling the attack, you would treat them as two independent events. But if there is a strong connection between the malicious infrastructures, it becomes obvious that these are not separate attacks but stages of a single, more complex one. And if one of the events has already been attributed to a group of attackers, the second can be attributed to the same group. Of course, the attribution process is much more complex than this, so treat it as a simplified example.

Indicator enrichment

We will not dwell on this, because it is the most common scenario for using graphs in cybersecurity: you give one indicator as input and receive an array of related indicators as output.

Pattern detection

Pattern detection is essential for effective hunting. Graphs let you not only find related elements, but also spot common properties characteristic of a particular group of hackers. Knowing such unique characteristics lets you recognize the attacker's infrastructure while it is still being prepared, without any evidence of an attack such as phishing emails or malware.

Why did we build our own network graph?

Once again, we looked at solutions from various vendors before concluding that we needed to develop our own tool that could do what no existing product could. Building it took several years, during which we completely reworked it several times. But despite the long development period we still have not found an analogue that satisfies our requirements. With our own product we were eventually able to solve nearly all the problems we had found in existing network graphs. Below we consider these problems in detail:

Problems and solutions

Problem. No single provider has all the different data collections: domains, passive DNS, passive SSL, DNS records, open ports, services running on the ports, files that interact with domain names and IP addresses. Explanation. Providers usually offer separate data types, and to get the full picture you have to buy subscriptions from each of them. Even then you cannot get all the data: some passive SSL providers only supply data about certificates issued by trusted CAs, and their coverage of self-signed certificates is extremely poor. Others do collect self-signed certificates, but only from standard ports.
Solution. We collected all of the above ourselves. For example, to collect SSL certificate data we wrote our own service that gathers certificates both from trusted CAs and by scanning the entire IPv4 address space. Certificates were collected not only from IPs, but also from all domains and subdomains in our database: if you have the domain example.com and its subdomain www.example.com, and both resolve to IP 1.1.1.1, then requesting the SSL certificate on port 443 from the IP, from the domain and from its subdomain can give you three different results. To collect data on open ports and running services we had to build our own distributed scanning system, because the scanning servers of other services frequently end up on "blacklists". Our scanning servers end up on blacklists too, but the detection rate for the services we need is higher than that of providers who simply scan as many ports as possible and sell access to the data.

Problem. No access to the whole database of historical records. Explanation. Every decent provider has a well-accumulated history, but for natural reasons we, as a client, could not get access to all of that historical data. That is, you can retrieve the whole history for a single record, for example a domain or an IP address, but you cannot see the history of everything, and without that you cannot see the full picture.
Solution. To collect as many historical records as possible, we bought various databases, parsed many open resources that had this history (fortunately there were a lot of them), and negotiated with domain name registrars. Every update to our own collections is, of course, kept with its full revision history.

Problem. All existing solutions only let you build a graph by hand. Explanation. Say you have bought plenty of subscriptions from every possible data provider (often called "enrichers"). When you need to build a graph, you "manually" issue the command to expand from the element of interest, then pick the relevant items out of what appears, issue the command to expand the connections from those, and so on. In this approach the quality of the resulting graph depends entirely on the person.
Solution. We made graph building automatic. That is, when a graph needs to be built, the connections from the first element are expanded, then from all subsequent elements too, automatically. The analyst only specifies the depth to which the graph should be built. Automatically filling a graph is a simple process, but other vendors do not implement it because it produces a huge number of irrelevant results, and we had to deal with that drawback as well (see below).

Problem. A large number of irrelevant results is a problem of every graph of network elements. Explanation. For example, a "bad domain" (one involved in an attack) is linked to a server to which 500 other domains have been linked over the past 10 years. Whether the graph is expanded by hand or automatically, all 500 of those domains should appear on it, even though they have nothing to do with the attack. Or, say, you check an IP indicator from a vendor's security report. Such reports are usually released with a considerable delay, often a year or more. Most likely, by the time you read the report the server with that IP address has already been leased to other people with other connections, and building a graph will again give you irrelevant results.
Solution. We trained the system to spot irrelevant elements using the same logic our analysts apply by hand. For example, you are checking the bad domain example.com, which currently resolves to IP 11.11.11.11 and a month ago resolved to IP 22.22.22.22. Besides example.com, IP 11.11.11.11 is also linked to example.ru, while IP 22.22.22.22 is linked to 25 thousand other domains. The system, like a human, understands that 11.11.11.11 is most likely a dedicated server, and since example.ru is spelled similarly to example.com, they are related with high probability and belong on the graph; IP 22.22.22.22, on the other hand, is shared hosting, so its domains should not all be added to the graph unless other connections show that one of those 25 thousand domains (say, example.net) needs to be included as well. Before the system decides which connections to break and which elements to leave off the graph, it considers many properties of the elements and of the clusters they form, as well as the strength of the current connections. For example, if the graph contains a small cluster (50 elements) that includes the bad domain and another, large cluster (5 thousand elements), and the two clusters are joined by a single connection (edge) of very low strength (weight), that connection is broken and the elements of the large cluster are removed. But if there are many connections between the small and the large cluster and their strength is high enough, the connection is kept and the relevant elements of both clusters stay on the graph.
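An added illustration of the automatic expansion and cleanup logic described above (this is not Group-IB's code; the resolution data, the 1/n edge weighting, the 0.1 support threshold and the name-similarity test are assumptions made for the example). The seed example.com sits on a dedicated server with two look-alike domains and on a shared host with thousands of unrelated tenants; expansion to depth 3 pulls everything in, and the cleanup pass keeps only nodes that are held in by enough edge weight or by a name resembling the seed:

```python
from collections import deque
from difflib import SequenceMatcher

# Constructed sample data: which IP addresses each domain has resolved to.
# 11.11.11.11 is a dedicated server carrying three look-alike domains;
# 22.22.22.22 is shared hosting with thousands of unrelated tenants.
RESOLUTIONS = {
    "example.com": ["11.11.11.11", "22.22.22.22"],
    "example.ru": ["11.11.11.11"],
    "example.net": ["11.11.11.11", "22.22.22.22"],  # reachable through both IPs
    "examp1e.com": ["22.22.22.22"],                 # typosquat seen only on the shared host
}
for i in range(3000):                               # padding: unrelated tenants
    RESOLUTIONS[f"customer{i}.info"] = ["22.22.22.22"]

# Undirected weighted adjacency. A domain<->IP edge is weighted by how
# "dedicated" the IP is: 1 / (number of domains ever seen on that IP), so an
# edge to shared hosting is worth almost nothing on its own.
IP_DOMAINS = {}
for domain, ips in RESOLUTIONS.items():
    for ip in ips:
        IP_DOMAINS.setdefault(ip, set()).add(domain)
ADJ = {}
for domain, ips in RESOLUTIONS.items():
    for ip in ips:
        w = 1.0 / len(IP_DOMAINS[ip])
        ADJ.setdefault(domain, {})[ip] = w
        ADJ.setdefault(ip, {})[domain] = w


def expand(seed, depth):
    """Automatic graph building: breadth-first, `depth` steps out from the seed."""
    nodes = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        node, d = frontier.popleft()
        if d == depth:
            continue
        for neighbour in ADJ.get(node, {}):
            if neighbour not in nodes:
                nodes.add(neighbour)
                frontier.append((neighbour, d + 1))
    return nodes


def name_similar(a, b, threshold=0.8):
    """Compare the labels with the TLD stripped, so example.com ~ example.ru."""
    la, lb = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]
    return SequenceMatcher(None, la, lb).ratio() >= threshold


def cleanup(nodes, seed, min_support=0.1):
    """Drop domains whose only ties to the graph are weak shared-hosting edges,
    unless their name resembles the seed. Iterate until stable, so a domain
    that was only held in by other dropped tenants falls out as well."""
    kept = set(nodes)
    changed = True
    while changed:
        changed = False
        for node in list(kept):
            if node == seed or node in IP_DOMAINS:   # the seed and its IPs always stay
                continue
            support = sum(w for nb, w in ADJ[node].items() if nb in kept)
            if support < min_support and not name_similar(node, seed):
                kept.discard(node)
                changed = True
    return kept


def build_graph(seed, depth=3, clean=True):
    """Depth-limited automatic expansion, optionally followed by cleanup."""
    nodes = expand(seed, depth)
    return cleanup(nodes, seed) if clean else nodes


if __name__ == "__main__":
    print("raw nodes:   ", len(build_graph("example.com", clean=False)))
    print("after cleanup:", sorted(build_graph("example.com")))
```

example.net survives because it is also tied to the dedicated IP (support 1/3), examp1e.com survives on name similarity alone, and the three thousand tenants of the shared host disappear; with cleanup disabled the graph holds all 3006 nodes, which is the "500 unrelated domains" problem from the table.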

Problem. Server ownership intervals are not taken into account. Explanation. "Good domains" expire quickly and are bought again for malicious or legitimate purposes. Bulletproof hosting servers are likewise leased to different hackers in turn, so it is critical to know, and to take into account, the interval during which a given domain or server was under the control of a single owner. We often encounter a situation where a server with IP 11.11.11.11 is currently used as C&C for a banking bot, while 2 months ago it was controlled by a ransomware operator. If we build a connection without considering the control intervals, it will look as though the owners of the banking botnet and the ransomware are connected, when in fact there is no connection at all. In our work such an error is critical.
Solution. We taught the system to determine ownership intervals. For domains this is relatively simple, because whois often contains the registration and expiry dates and, when a full history of whois changes is available, the intervals are easy to determine. When a domain's registration has not expired but its control has been transferred to other owners, this can be tracked too. SSL certificates pose no such problem, because they are issued once and are neither renewed nor transferred. With self-signed certificates, however, you cannot trust the dates in the certificate's validity period, because you can generate an SSL certificate today and set its start date to 2010. The hardest thing is determining ownership intervals for servers, because only the hosting providers know the lease dates and periods. To determine the server ownership period we began using the results of port scanning and fingerprints of the services running on the ports. With this information we can say fairly precisely when the owner of a server changed.

Problem. Too few connections. Explanation. Nowadays it is no problem to get a free list of domains whose whois contains a given email address, or to find all domains linked to a given IP address. But when dealing with hackers who do their best to be hard to track, we need additional tricks to find new properties and build new connections.
Solution. We spent a lot of time researching how to extract data that is not available in the usual way. For obvious reasons we cannot describe here how it works, but under certain circumstances hackers, when registering domains or leasing and configuring servers, make mistakes that allow us to find out email addresses, hacker aliases and backend addresses. The more connections you can extract, the more accurate the graphs you can build.

How our graph works

To start using the network graph, you enter a domain, IP address, email or SSL certificate fingerprint into the search box. There are three parameters the analyst can control: time, step depth and cleanup.


Time is the date or interval during which the searched element was used for malicious purposes. If you do not specify this parameter, the system itself determines the last ownership interval of the resource. For example, on July 11 Eset published a report on how Buhtrap used a 0-day exploit for cyberespionage. The report lists 6 indicators. One of them, secure-telemetry[.]net, was re-registered on July 16. So if you build the graph after July 16, you will get irrelevant results. But if you indicate that the domain was used before that date, the graph contains 126 new domains and 69 IP addresses that are not listed in the Eset report:

  • ukrfreshnews[.]com
  • unian-search[.]com
  • vesti-world[.]info
  • runewsmeta[.]com
  • foxnewsmeta[.]biz
  • sobesednik-meta[.]info
  • rian-ua[.]net
  • and others.

Besides network indicators, we immediately find connections to malicious files that were linked to this infrastructure, along with tags telling us that Meterpreter and AZORult were used.

The great thing is that you get this result within a second and no longer need to spend days analyzing the data. Naturally, this approach sometimes cuts investigation time dramatically, which is often critical.
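An added illustration of the ownership-interval logic from the table above and of the Time parameter in this section (this is not Group-IB's code; the scan snapshots, whois history, dates and the 0.5 Jaccard cut-off are assumptions made for the example). A server's timeline is split into ownership intervals wherever its service fingerprint changes almost entirely, sightings on the same server are correlated only within one interval, and a domain's registrant is looked up at the time the indicator was actually malicious rather than at query time:

```python
from datetime import date

# --- Constructed sample data (assumptions for this example) ---------------

# Port-scan snapshots of one server: (scan date, {port: service fingerprint}).
# Between 2019-03-20 and 2019-05-02 every service on the box changes, i.e. a
# new tenant took the server over. On 2019-06-01 only one service is added,
# which is ordinary drift by the same owner and must not split the interval.
SCANS = {
    "11.11.11.11": [
        (date(2019, 3, 1),  {22: "OpenSSH_7.4", 443: "nginx/1.14 cert:aa11"}),
        (date(2019, 3, 20), {22: "OpenSSH_7.4", 443: "nginx/1.14 cert:aa11"}),
        (date(2019, 5, 2),  {22: "OpenSSH_7.9", 8443: "Apache/2.4 cert:bb22"}),
        (date(2019, 6, 1),  {22: "OpenSSH_7.9", 8443: "Apache/2.4 cert:bb22", 80: "Apache/2.4"}),
    ],
}

# Whois change history of a domain: (date of change, registrant handle).
WHOIS = {
    "secure-telemetry.net": [
        (date(2018, 11, 5), "registrant-a"),
        (date(2019, 7, 16), "registrant-b"),   # re-registered after the report
    ],
}
REPORT_DATE = date(2019, 7, 11)      # when the domain was reported as malicious
GRAPH_BUILT_ON = date(2019, 7, 20)   # a later analyst query with no Time set

# Malicious sightings on the server: (indicator, what it hosted, date seen).
SIGHTINGS = [
    ("11.11.11.11", "ransomware C&C", date(2019, 3, 10)),
    ("11.11.11.11", "banking-bot C&C", date(2019, 5, 15)),
    ("11.11.11.11", "banking-bot admin panel", date(2019, 6, 10)),
]


def fingerprint_intervals(scans, min_jaccard=0.5):
    """Ownership intervals [(start, end), ...] for a server; a new interval
    starts at the first scan whose service set barely overlaps the previous one.
    The last interval is open-ended (end is None)."""
    intervals, start = [], scans[0][0]
    prev = set(scans[0][1].items())
    for day, services in scans[1:]:
        cur = set(services.items())
        if len(prev & cur) / len(prev | cur) < min_jaccard:
            intervals.append((start, day))
            start = day
        prev = cur
    intervals.append((start, None))
    return intervals


def whois_intervals(history):
    """[(start, end, registrant), ...] from an ordered whois change history."""
    out = []
    for i, (day, registrant) in enumerate(history):
        end = history[i + 1][0] if i + 1 < len(history) else None
        out.append((day, end, registrant))
    return out


def interval_at(intervals, when):
    """The interval containing `when` (start inclusive, end exclusive), or None."""
    for iv in intervals:
        if iv[0] <= when and (iv[1] is None or when < iv[1]):
            return iv
    return None


def same_owner(ip, t1, t2):
    """True only if both moments fall inside one ownership interval of the server."""
    ivs = fingerprint_intervals(SCANS[ip])
    a, b = interval_at(ivs, t1), interval_at(ivs, t2)
    return a is not None and a == b


def domain_owner_at(domain, when):
    iv = interval_at(whois_intervals(WHOIS[domain]), when)
    return iv[2] if iv else None


def correlate_sightings(sightings):
    """Link two sightings through a shared server only when the server had the
    same owner at both times; otherwise they are different tenants' activity."""
    links = []
    for i, a in enumerate(sightings):
        for b in sightings[i + 1:]:
            if a[0] == b[0] and same_owner(a[0], a[2], b[2]):
                links.append((a[1], b[1]))
    return links


if __name__ == "__main__":
    print(fingerprint_intervals(SCANS["11.11.11.11"]))
    print(correlate_sightings(SIGHTINGS))
    print(domain_owner_at("secure-telemetry.net", REPORT_DATE),
          domain_owner_at("secure-telemetry.net", GRAPH_BUILT_ON))
```

The ransomware sighting and the banking-bot sighting land in different ownership intervals and are not linked, while the bot's C&C and admin panel are; and whatever secure-telemetry.net resolves to or is registered to after July 16 belongs to registrant-b and is noise for the Eset indicators.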


Number of steps, or the recursion depth to which the graph is built

By default the depth is 3. This means all directly related elements are found from the element of interest, then new connections are expanded from each new element to further elements, and then new elements are added from the elements found in the previous step.

Let's take an example unrelated to APTs and 0-day exploits. Recently an interesting cryptocurrency fraud case was described on Habr. The write-up mentions the domain themcx[.]co, used by the scammers to host a site posing as the Miner Coin Exchange, and phone-lookup[.]xyz, used to attract traffic.

It was clear from the description that the scheme required a fairly large infrastructure to drive traffic to the fraudulent resources. We decided to look at this infrastructure by building a graph to a depth of 4 steps. The result was a graph with 230 domains and 39 IP addresses. We then split the domains into 2 categories: those resembling cryptocurrency services and those intended to drive traffic through phone-lookup services:

Cryptocurrency-related:
  • mea mālama kālā[.]cc
  • mcxwallet[.]co
  • btcnoise[.]com
  • cryptominer[.]kiaʻi

Phone-lookup-related:
  • kahua hoʻopaʻa kelepona[.]kahi
  • phone-records[.]space
  • fone-wehe[.]xyz
  • helu-wehe[.]ʻike


Cleanup

By default the "graph cleanup" option is enabled, and all irrelevant elements are removed from the graph. It was used in all the examples above, by the way. I anticipate the natural question: how do we make sure nothing important is deleted? The answer: analysts who prefer to build graphs by hand can disable automatic cleanup and set the number of steps to 1. The analyst can then expand the graph from the elements they need and remove the elements unrelated to the task.

Right on the graph, the analyst has access to the history of changes in whois and DNS, as well as open ports and the services running on them.


Financial phishing

We investigated the activity of one APT group that for several years ran phishing attacks against the clients of various banks in different regions. A characteristic feature of this group was the registration of domains very similar to the names of real banks; most of the phishing sites had the same design, differing only in the bank names and logos.

Automated graph analysis helped us a great deal here. Taking one of their domains, lloydsbnk-uk[.]com, within a few seconds we built a graph to a depth of 3 steps, which revealed more than 250 malicious domains that this group has used since 2015 and continues to use. Some of these domains have since been bought by the banks, but the historical records show that they were first registered by the attackers.

For clarity, the figure shows a graph with a depth of 2 steps.

It is noteworthy that in 2019 the attackers changed their tactics somewhat and began registering not only bank-like domains for hosting phishing sites, but also domains of various consulting companies for sending phishing emails, for example swift-department.com, saudconsultancy.com and vbgrigoryanpartners.com.


The Cobalt gang

In December 2018 the hacker group Cobalt, which specializes in targeted attacks on banks, sent out a mailing on behalf of the National Bank of Kazakhstan.

The emails contained links to hXXps://nationalbank.bz/Doc/Prikaz.doc. The downloaded document contained a macro that launched PowerShell, which tried to download and execute the file from hXXp://wateroilclub.com/file/dwm.exe as %Temp%\einmrmdmy.exe. The file %Temp%\einmrmdmy.exe, aka dwm.exe, is a CobInt stager configured to communicate with the server hXXp://admvmsopp.com/rilruietguadvtoefmuy.

Imagine that you cannot obtain these phishing emails and perform a full analysis of the malicious files. The graph for the malicious domain nationalbank[.]bz immediately shows its connections to other malicious domains, attributes it to the group, and shows which files were used in the attack.

Let's take the IP address 46.173.219[.]152 from this graph and build a graph from it to a depth of one step with cleanup disabled. There are 40 domains linked to it, for example bl0ckchain[.]ug, paypal.co.uk.qlg6[.]pw and cryptoelips[.]com.

Judging by the domain names, they were apparently used in fraud schemes, but the cleanup algorithm recognized that they were unrelated to this attack and left them off the graph, which greatly simplifies analysis and attribution.

If you rebuild the graph from nationalbank[.]bz with the graph cleanup algorithm disabled, it will contain more than 500 elements, most of which have nothing to do with the Cobalt group or its attacks. Below is an example of what such a graph looks like.


Conclusion

After several years of fine-tuning, testing in real investigations, threat research and hunting for attackers, we managed not only to create a unique tool but also to change the attitude of the experts inside the company toward it. At first, technical experts want full control over the graph-building process. Convincing them that automatic graph building can do the job better than a person with many years of experience was extremely difficult. Time settled the question, along with many "manual" checks of what the graph produced. Now our experts not only trust the system but also use its results in their daily work. This technology works inside each of our systems and lets us better identify threats of any type. The interface for manual graph analysis is built into all Group-IB products and significantly expands the possibilities for hunting cybercrime, which is confirmed by feedback from our customers' analysts. And we continue to enrich the graph with data and to work on new algorithms using artificial intelligence to make the network graph as accurate as possible.

Source: www.habr.com
