Leak of customer data from re:Store, Samsung, Sony Center, Nike, LEGO and Street Beat

Last week Kommersant reported that "the customer base of Street Beat and Sony Center is in the public domain," but in reality everything is much worse than what the article described.


I did a full technical analysis of this leak on my Telegram channel, so here we will go over only the main points.

Disclaimer: all information below is published solely for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Another Elasticsearch server with freely accessible indices:

  • graylog2_0
  • readme
  • unauth_text
  • http:
  • graylog2_1

graylog2_0 held records from 16.11.2018 to March 2019, and graylog2_1 held records from March 2019 to 04.06.2019. Until access to the Elasticsearch server was closed, the number of records in graylog2_1 kept growing.

According to the Shodan search engine, this Elasticsearch server had been freely accessible since 12.11.2018 (as noted above, the first entry in the logs is dated 16.11.2018).

In the logs, the gl2_remote_ip field listed the IP addresses 185.156.178.58 and 185.156.178.62, which have the DNS names srv2.inventive.ru and srv3.inventive.ru.


I notified Inventive Retail Group (www.inventive.ru) about the problem on 04.06.2019 at 18:25 (Moscow time), and by 22:30 the server had "quietly" disappeared from public access.

The logs contained (all figures are approximate; duplicates were not removed from the sample, so the number of genuinely leaked records may be smaller):

  • more than 3 million email addresses of customers of the re:Store, Samsung, Street Beat and Lego stores
  • more than 7 million phone numbers of customers of the re:Store, Sony, Nike, Street Beat and Lego stores
  • more than 21 thousand login/password pairs from the personal accounts of Sony and Street Beat customers
  • Many records with a phone number and email also contained the full name (usually in Latin script) and a loyalty card number.

An example from the logs relating to a Nike store customer (all sensitive data has been replaced with the character "X"):

"message": "{"MESSAGE":"[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact[ДАННЫЕ POST] Arrayn(n    [contact[phone]] => +7985026XXXXn    [contact[email]] => [email protected]    [contact[channel]] => n    [contact[subscription]] => 0n)n[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 27008290n    [brand] => NIKEn)n[ОТВЕТ СЕРВЕРА] Код ответа - 200[ОТВЕТ СЕРВЕРА] stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7985026XXXXn            [email] => [email protected]            [channel] => 0n            [subscription] => 0n        )nn)n","DATE":"31.03.2019 12:52:51"}",

And here is an example of how logins and passwords from customer accounts on the websites sc-store.ru and street-beat.ru were stored:

"message":"{"MESSAGE":"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[МЕТОД ЗАПРОСА] personal[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 26725117n    [brand]=> SONYn)n[ОТВЕТ СЕРВЕРА] Код ответа - [ОТВЕТ СЕРВЕРА] ","DATE":"22.04.2019 21:29:09"}"
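Both log entries above show the root of the problem: the application wrote full request parameters, including the login URI with the password in the query string, and the customer's phone and email, straight into Graylog. A defender who inherits such a pipeline wants to know how many entries carry credentials or contact data before deciding what to purge. The following Python scrubber is an added example, not code from the post or from Inventive Retail Group: it runs over constructed log lines that mimic the shape of the "MESSAGE" field shown above (the values, session id and digital_id are invented), counts secrets in query parameters, emails and Russian-format phone numbers, and returns a redacted copy. The parameter names it treats as secret are an assumption chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample entries in the shape of the Graylog "MESSAGE" payloads
# shown in the post. All values are invented for this example.
SAMPLE_LOG_LINES = [
    '{"MESSAGE":"[URI] /personal/profile/[REQUEST METHOD] contact[POST DATA] Array\n(\n'
    '    [contact[phone]] => +79850261234\n    [contact[email]] => user@example.com\n'
    '    [contact[subscription]] => 0\n)","DATE":"31.03.2019 12:52:51"}',
    '{"MESSAGE":"[URI]/action.php?a=login&sessid=0123456789abcdef0123456789abcdef'
    '&login=user%40example.com&password=Secret123&remember=Y[REQUEST METHOD] personal",'
    '"DATE":"22.04.2019 21:29:09"}',
    '{"MESSAGE":"[URI] /catalog/list?page=2 [SERVER RESPONSE] 200","DATE":"22.04.2019 21:30:00"}',
]

# Query parameters whose values must never reach a log (assumed list for this example).
SECRET_PARAM = re.compile(r'(?i)([?&](?:password|passwd|pass|sessid|login)=)([^&\s"]+)')
# Email addresses, including the URL-encoded "%40" form seen in query strings.
EMAIL = re.compile(r'[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
# Russian mobile numbers as they appear in the post: "+7" or "7" followed by ten digits.
PHONE = re.compile(r'\+?7\d{10}\b')


def scrub(line: str) -> Tuple[str, Dict[str, int]]:
    """Return a redacted copy of one log line plus counts of what was removed."""
    findings = {"secret_params": 0, "emails": 0, "phones": 0}

    def _redact_param(match: "re.Match[str]") -> str:
        findings["secret_params"] += 1
        return match.group(1) + "[REDACTED]"

    # Query-string secrets first, so a login=<email> value counts as a secret,
    # not as a second email hit.
    line = SECRET_PARAM.sub(_redact_param, line)
    line, findings["emails"] = EMAIL.subn("[EMAIL]", line)
    line, findings["phones"] = PHONE.subn("[PHONE]", line)
    return line, findings


def audit(lines: List[str]) -> Dict[str, int]:
    """Aggregate counts over a batch of lines, as a triage figure for a log store."""
    totals = {"lines_with_sensitive_data": 0, "secret_params": 0, "emails": 0, "phones": 0}
    for raw in lines:
        _, findings = scrub(raw)
        if any(findings.values()):
            totals["lines_with_sensitive_data"] += 1
        for key, count in findings.items():
            totals[key] += count
    return totals


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        redacted, findings = scrub(raw)
        print(findings, redacted)
    print(audit(SAMPLE_LOG_LINES))
```

The scrubber only addresses entries that are already in the index; the durable fix is upstream, where the application decides what goes into a log message in the first place.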

The official IRG statement on this incident can be read here; it says:

We could not ignore this point and changed the passwords for customer accounts to temporary ones, in order to prevent data from personal accounts being used for fraudulent purposes. The company does not confirm a leak of personal data of street-beat.ru customers. All Inventive Retail Group services are undergoing additional checks. No threat to customer data has been found.

It is a pity that IRG cannot determine what leaked and what did not. Here is an example from the logs relating to a Street Beat store customer:

"message": "{"MESSAGE":"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'МЕТОД ЗАПРОСА' = contact,'ДАННЫЕ POST' = Arrayn(n    [contact[phone]] => 7915545XXXXn)n,'ДАННЫЕ  GET' =nttArrayn(n    [digital_id] => 27016686n    [brand] => STREETBEATn)n,'ОТВЕТ СЕРВЕРА' = 'Код ответа - '200,'RESPONCE' = stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7915545XXXXn            [email] => [email protected]","Дата":"01.04.2019 08:33:48"}",

However, let's get back to the really bad news and explain why this counts as a leak of the personal data of IRG customers.

If you look at the indices of this freely accessible Elasticsearch server, you will see two names among them: readme and unauth_text. This is the hallmark of one of the many ransomware scripts; it has affected more than 4 thousand Elasticsearch servers around the world. The contents of readme look like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

In other words, while the server with IRG's logs was freely accessible, the ransomware script gained access to the customer information and, judging by the message it left, downloaded the data.
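The two facts an operator could have caught early here are visible in the index list alone: marker indices such as readme and unauth_text mean an automated script has already been through the cluster, and a growing document count in a log index means the pipeline is still writing into it. The Python below is an added example, not code from the post or from the company: it parses the JSON that Elasticsearch's real GET /_cat/indices?format=json endpoint returns (the sample body and its document counts are constructed to mirror the index names listed above), flags marker indices, and compares two snapshots to show which indices are still being written. Querying your own cluster without credentials, as fetch_cat_indices does, is the quickest check that the endpoint is not open to the world.

```python
import json
import urllib.request
from typing import Dict, List

# Index names the post identifies as the signature of the mass Elasticsearch
# ransom script (extend this set from your own observations).
RANSOM_MARKER_INDICES = {"readme", "unauth_text"}

# Constructed sample in the shape of GET /_cat/indices?format=json; the index
# names mirror the post, the document counts are invented for this example.
SAMPLE_SNAPSHOT_1 = json.dumps([
    {"index": "graylog2_0", "health": "yellow", "status": "open", "docs.count": "3100000"},
    {"index": "readme", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "unauth_text", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "http:", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "graylog2_1", "health": "yellow", "status": "open", "docs.count": "7200000"},
])
# Same cluster a little later: only the active log index has grown.
SAMPLE_SNAPSHOT_2 = json.dumps([
    {"index": "graylog2_0", "health": "yellow", "status": "open", "docs.count": "3100000"},
    {"index": "readme", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "unauth_text", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "http:", "health": "yellow", "status": "open", "docs.count": "1"},
    {"index": "graylog2_1", "health": "yellow", "status": "open", "docs.count": "7200500"},
])


def parse_cat_indices(body: str) -> Dict[str, int]:
    """Map index name -> document count from a _cat/indices JSON body."""
    return {row["index"]: int(row["docs.count"]) for row in json.loads(body)}


def audit_index_names(names: List[str]) -> Dict[str, object]:
    """Flag ransom-note indices and list the log indices that hold real data."""
    markers = sorted(n for n in names if n.lower() in RANSOM_MARKER_INDICES)
    log_indices = sorted(n for n in names if n.startswith("graylog"))
    return {
        "ransom_markers": markers,
        "likely_visited_by_ransom_script": bool(markers),
        "log_indices": log_indices,
    }


def still_being_written(old_body: str, new_body: str) -> Dict[str, int]:
    """Indices whose document count rose between two snapshots, with the delta."""
    old, new = parse_cat_indices(old_body), parse_cat_indices(new_body)
    return {name: new[name] - old[name] for name in new if name in old and new[name] > old[name]}


def fetch_cat_indices(base_url: str, timeout: float = 5.0) -> str:
    """Unauthenticated GET against your own cluster; a 200 here means anyone can read it."""
    url = f"{base_url.rstrip('/')}/_cat/indices?format=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    names = list(parse_cat_indices(SAMPLE_SNAPSHOT_1))
    print(json.dumps(audit_index_names(names), indent=2))
    print(still_being_written(SAMPLE_SNAPSHOT_1, SAMPLE_SNAPSHOT_2))
```

A positive delta on a log index after the marker indices appeared tells you the exposure is ongoing, not historical, and that shutting off the ingest path is as urgent as closing the port.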

In addition, I have no doubt that this database was found before me and had already been downloaded. I would even say I am certain of it. It is no secret that open databases like this are searched for deliberately and pulled down.

News about information leaks and insiders can be found on my Telegram channel "Information Leaks": https://t.me/dataleak.

Source: www.habr.com
