Visible yet undetectable: how we built a honeypot that cannot be unmasked

Antivirus vendors, information-security specialists and plain enthusiasts put honeypot systems on the internet to "catch live bait": new malware variants or unusual attacker techniques. Honeypots have become so common that attackers have developed a kind of immunity: they quickly recognise a trap in front of them and simply ignore it. To study the tactics of today's attackers, we built a realistic honeypot that lived on the internet for seven months and attracted a variety of attacks. We described how it went in our study "Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats". This post covers some of the findings.

Building the honeypot: a checklist

The main goal in building our supertrap was not to be unmasked by the attackers who took an interest in it. That took a lot of work:

  1. Create a realistic legend for the company, including full names and photos of employees, phone numbers and e-mail addresses.
  2. Design and deploy a model of industrial infrastructure that matches the company legend.
  3. Decide which network services are reachable from outside, without getting carried away opening vulnerable ports, so that it does not look like a trap for suckers.
  4. Stage the appearance of leaked information about the vulnerable system and spread it among potential attackers.
  5. Implement unobtrusive monitoring of attacker activity inside the trap infrastructure.

Now about each of these in turn.

Creating the legend

Cybercriminals are used to seeing plenty of honeypots, so the more advanced among them research every vulnerable system in depth to make sure it is not a trap. For the same reason, we wanted the honeypot to be realistic not only in design and technical detail but also to present the appearance of a real company.

Putting ourselves in the shoes of a hypothetical skilled attacker, we worked out a verification procedure that would let us tell a real system from a trap. It included looking up the company's IP addresses in well-known reputation systems, researching the history of those IP addresses, searching for names and keywords connected with the company and its counterparties, and much more. As a result, the legend turned out convincing and attractive.

We decided to present the trap factory as a small industrial prototyping boutique working for large, unnamed customers in the military and aviation sectors. This also spared us the legal complications of using an existing brand.

Next we had to come up with a vision, a mission and a name for the organisation. We decided our company would be a startup with a handful of employees, each of them a founder. This added credibility to the story of our narrowly specialised business, which lets it handle sensitive projects for large and important customers. We wanted the company to look weak in terms of cyber security while making it obvious that we work with valuable assets on systems worth targeting.

Screenshot of the MeTech honeypot website. Source: Trend Micro

We chose the word MeTech as the company name. The website was built from a free template. The images came from stock-photo banks; we used the less popular ones and modified them so they would be harder to recognise.

We wanted the company to look real, so we needed employees whose skills matched the company's profile. We invented names and personalities for them and then tried to pick stock photos matching their ethnicity.

Screenshot of the MeTech honeypot website. Source: Trend Micro

To avoid being unmasked, we looked for good group photos from which we could cut out the faces we needed. We later abandoned that approach, because a would-be attacker could run a reverse image search and discover that our "employees" exist only in stock-photo banks. In the end we used photos of non-existent people generated by neural networks.

The employee profiles published on the site contained the essentials of their professional skills, but we avoided naming the universities and cities where they studied.
To create mailboxes we used a hosting provider's server, then rented several phone numbers in the United States and combined them into a virtual PBX with a voice menu and an answering machine.

Honeypot infrastructure

To avoid exposure, we decided to use real industrial equipment, physical computers and hardened virtual machines. Looking ahead, we checked the result of our efforts with the Shodan search engine, and it showed that the honeypot looked like a genuine industrial system.

Result of scanning the honeypot with Shodan. Source: Trend Micro

We used four PLCs as the hardware of our trap:

  • Siemens S7-1200,
  • two Allen-Bradley MicroLogix 1100s,
  • Omron CP1L.

These PLCs were chosen for their popularity on the global market. Each controller speaks its own protocol, which let us see which PLCs would be attacked more often and whether they would interest anyone at all.

Hardware of our trap "factory". Source: Trend Micro

We did not simply plug pieces of hardware into the internet. We programmed each controller to perform a task:

  • mixing,
  • burner and conveyor-belt control,
  • palletising with a robotic arm.

To make the production process plausible, we added logic that randomly varied the feedback parameters, simulating motors starting and stopping and the burner switching on and off.

Our factory had three virtual computers and one physical one. The virtual machines served as the plant control station, the robot palletiser station and the workstation of the PLC programming engineer. The physical computer acted as a file server.

Besides watching attacks on the PLCs, we wanted to monitor the state of the programs loaded on our devices. For this we built an interface that let us quickly see how the states of our virtual actuators and settings had been changed. At the planning stage we had already found it far easier to do this with a supervisory control program than by programming the controller logic directly. We exposed the device management interface of our honeypot over VNC without a password.

Industrial robots are a key component of modern smart manufacturing, so we decided to add a robot and an automated workstation for controlling it to the equipment of our trap factory. To make the "factory" more realistic, we installed on that workstation the real software engineers use for graphical programming of robot logic. And since industrial robots usually sit on an isolated internal network, we decided to leave password-less VNC access only to the control workstation.

RobotStudio environment with the 3D model of our robot. Source: Trend Micro

On the virtual machine hosting the control workstation we installed the RobotStudio programming environment from ABB Robotics. After setting up RobotStudio we opened a simulation file containing our robot so that its 3D image was visible on screen. As a result, Shodan and other search engines, on finding an unprotected VNC server, would grab that screenshot and show it to anyone searching for openly accessible industrial robots.

The point of this attention to detail was to create an attractive and maximally realistic target for attackers who, having found it, would keep coming back.

Engineer's workstation


To program the PLC logic, we added an engineering computer to the infrastructure. The industrial PLC programming software was installed on it:

  • TIA Portal for Siemens,
  • MicroLogix for the Allen-Bradley controller,
  • CX-One for Omron.

We decided that the engineering workstation would not be reachable from the internet. Instead, we gave its administrator account the same password as on the robot workstation and the plant control workstation, which were accessible from the internet. This configuration is very common in many companies.
Unfortunately, despite all our efforts, not a single attacker reached the engineer's workstation.

File server

We needed it both as bait for intruders and as a way to back up our own "work" in the trap factory. It let us exchange files with our honeypot over USB drives without leaving traces on the trap network. As the file server OS we installed Windows 7 Pro, on which we created a shared folder readable and writable by everyone.

Initially we did not create any hierarchy of folders and documents on the file server. Later, however, we noticed that attackers were actively studying that folder, so we decided to fill it with assorted files. For this we wrote a Python script that created files of random size with one of a given set of extensions, forming each name from a dictionary of words.
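The generator described above, as an added example written for this post rather than the Trend Micro script shown in the screenshot. The word list, the extension set and the size range are constructed; the original read its words from a dictionary file (assumed here to be one word per line). Prefixing each file with the magic bytes of its extension is an addition of this example, so that a `file` run or a hex glance by a visitor agrees with the name:

```python
import os
import random
from pathlib import Path
from typing import List, Optional, Sequence

# Constructed vocabulary and extension list (the original script read these from a dictionary file).
DEFAULT_WORDS = ["contract", "drawing", "invoice", "prototype", "spec",
                 "budget", "client", "revision", "assembly", "report"]
DEFAULT_EXTS = [".docx", ".xlsx", ".pdf", ".dwg", ".zip"]
# Magic-byte prefixes are an addition of this example: a quick `file` check matches the extension.
MAGIC = {
    ".pdf": b"%PDF-1.4\n",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".dwg": b"AC1027",       # AutoCAD 2013+ DWG version string
}


def decoy_name(rng: random.Random, words: Sequence[str], exts: Sequence[str]) -> str:
    """Build a plausible document name: one to three dictionary words, an optional year, an extension."""
    stem = "_".join(rng.sample(list(words), rng.randint(1, 3)))
    if rng.random() < 0.5:
        stem += f"_{rng.randint(2016, 2019)}"
    return stem + rng.choice(exts)


def generate_decoy_files(dest: str, count: int, words: Sequence[str] = DEFAULT_WORDS,
                         exts: Sequence[str] = DEFAULT_EXTS, min_size: int = 4096,
                         max_size: int = 512 * 1024, seed: Optional[int] = None) -> List[Path]:
    """Create `count` random-size files under `dest` and return their paths."""
    rng = random.Random(seed)
    dest_dir = Path(dest)
    dest_dir.mkdir(parents=True, exist_ok=True)
    created: List[Path] = []
    for _ in range(count):
        path = dest_dir / decoy_name(rng, words, exts)
        while path.exists():  # small vocabulary, so collisions happen; never overwrite
            path = dest_dir / decoy_name(rng, words, exts)
        size = rng.randint(min_size, max_size)
        header = MAGIC.get(path.suffix, b"")
        # Random bytes after a valid header: the listing and `file` look right; content is filler
        path.write_bytes(header + os.urandom(size - len(header)))
        created.append(path)
    return created


if __name__ == "__main__":
    for p in generate_decoy_files("./share", 50):
        print(p.name, p.stat().st_size)
```

The filler is deliberately random rather than parseable: the goal here was only a convincing directory listing for someone browsing the share. An attacker who actually opens a file will see it is garbage, so for a honeypot where documents are expected to be opened, the decoys should be real (sanitised) documents or generated with a library that produces valid ones.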

Script for generating attractive-looking files. Source: Trend Micro

After running the script we got what we wanted: a folder full of files with very enticing names.

Result of running the script. Source: Trend Micro

Environment monitoring


Having put so much effort into building a realistic company, we could not afford to fail at monitoring our "visitors". We needed to get all the data in real time without the attackers noticing that they were being watched.

We implemented this with four USB-to-Ethernet adapters, four SharkTap Ethernet taps, a Raspberry Pi 3 and a large external drive. Our network diagram looked like this:

Honeypot network diagram with the monitoring equipment. Source: Trend Micro

We placed three SharkTap taps so as to capture all external traffic towards the PLCs, which were reachable only through the internal network. The fourth SharkTap captured visitor traffic to the vulnerable virtual machines.

SharkTap Ethernet tap and Sierra Wireless AirLink RV50 router. Source: Trend Micro

The Raspberry Pi captured traffic daily. We connected to the internet through a Sierra Wireless AirLink RV50 cellular router, a model widely used in industrial enterprises.

Unfortunately, this router did not let us selectively block attacks that did not fit our plans, so we added a Cisco ASA 5505 firewall to the network in transparent mode to do the blocking with minimal impact on the network.

Traffic analysis


Tshark and tcpdump are fine for quickly answering immediate questions, but their capabilities were not enough for us, since we had many gigabytes of traffic to be analysed by several people. We used the open-source Moloch analyser developed at AOL. Functionally it is comparable to Wireshark, but it has far more support for collaboration, for describing and tagging packets, for export and for other tasks.

Since we did not want to process the collected data on the honeypot machines, the PCAP dumps were exported daily to AWS storage, from where we imported them into the Moloch machine.

Screen recording

To document what attackers did in our honeypot, we wrote a script that took screenshots of the virtual machine at a fixed interval and, by comparing each one with the previous screenshot, decided whether anything was happening. Once activity was detected, the script switched on screen recording. This approach proved the most effective. We also tried analysing the VNC traffic from the PCAP dump to understand what had changed on the system, but in the end the screen recording we had set up turned out simpler and more visual.
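The change detector behind that script, as an added example written for this post and not the Trend Micro code. Frames are assumed to be raw 8-bit grayscale buffers of equal length; the tiny 10x10 frames in the block are constructed, and in a real deployment they would come from a screen grab (for example `PIL.ImageGrab.grab()` converted with `.convert("L")`) downscaled to a few thousand pixels. The threshold and idle-frame hold are the tuning knobs the text alludes to, and the hold keeps one session from being chopped into many short clips:

```python
from dataclasses import dataclass, field
from typing import List, Optional


def changed_fraction(prev: bytes, cur: bytes, tolerance: int = 16) -> float:
    """Fraction of pixels whose grayscale value moved by more than `tolerance`.
    Both frames are raw 8-bit grayscale buffers of the same size (assumption of this example)."""
    if len(prev) != len(cur):
        raise ValueError("frame size changed between captures")
    if not prev:
        return 0.0
    changed = sum(1 for a, b in zip(prev, cur) if abs(a - b) > tolerance)
    return changed / len(prev)


@dataclass
class ActivityDetector:
    """Compare each screenshot with the previous one and decide when to record."""
    threshold: float = 0.002   # fraction of changed pixels that counts as activity
    idle_frames: int = 10      # quiet frames tolerated before recording stops
    recording: bool = False
    _prev: Optional[bytes] = None
    _quiet: int = 0
    events: List[str] = field(default_factory=list)

    def feed(self, frame: bytes) -> str:
        """Feed one capture; return 'start', 'stop' or 'none' so the caller can drive the recorder."""
        active = False
        if self._prev is not None:
            active = changed_fraction(self._prev, frame) >= self.threshold
        self._prev = frame
        if active:
            self._quiet = 0          # any change resets the idle countdown
            if not self.recording:
                self.recording = True
                self.events.append("start")
                return "start"
            return "none"
        if self.recording:
            self._quiet += 1
            if self._quiet >= self.idle_frames:
                self.recording = False
                self._quiet = 0
                self.events.append("stop")
                return "stop"
        return "none"


def replay(detector: ActivityDetector, frames: List[bytes]) -> List[str]:
    """Run a sequence of frames through the detector; useful for tuning the threshold offline."""
    return [detector.feed(f) for f in frames]


if __name__ == "__main__":
    # Constructed 10x10 frames: an idle desktop, then a "window" of 20 bright pixels appears
    idle = bytes([30] * 100)
    window = bytes([30] * 80 + [220] * 20)
    print(replay(ActivityDetector(threshold=0.01, idle_frames=3),
                 [idle, idle, window, window, window, window]))
```

Comparing against the previous frame rather than a fixed baseline is what makes this robust to a screen that simply looks different after the attacker leaves; the threshold is what filters out a ticking clock or a blinking cursor, which move only a handful of pixels per interval.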

Monitoring VNC sessions


For this we used Chaosreader and VNCLogger. Both tools extract keystrokes from a PCAP, but VNCLogger handles keys such as Backspace, Enter and Ctrl more correctly.

VNCLogger has two drawbacks. First, it can only extract keystrokes by "listening" to traffic on an interface, so we had to replay the VNC session for it with tcpreplay. The second drawback VNCLogger shares with Chaosreader: neither shows the clipboard contents. For that we had to use Wireshark.
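What those tools do under the hood is walk the client-to-server side of the RFB stream, and both gaps in the paragraph above (special keys and clipboard) are visible in its message layout. The block below is an added example for this post, not code from VNCLogger, Chaosreader or Trend Micro: it parses KeyEvent and ClientCutText messages from a reassembled, post-handshake RFB 3.x client stream, reconstructs the typed text with Backspace and Enter applied, and collects clipboard pastes. The sample stream is constructed in the block; on a real capture the bytes would come from TCP reassembly of the client side of the session (for example the "follow TCP stream" output of tshark), which this example assumes has already been done:

```python
import struct
from typing import Iterator, List, Tuple

# Standard X11 keysyms carried in RFB KeyEvent messages
XK_BACKSPACE = 0xFF08
XK_TAB = 0xFF09
XK_RETURN = 0xFF0D
XK_CONTROL_L = 0xFFE3
XK_CONTROL_R = 0xFFE4

# RFB client-to-server message types (RFB 3.x)
MSG_SET_PIXEL_FORMAT = 0
MSG_SET_ENCODINGS = 2
MSG_FB_UPDATE_REQUEST = 3
MSG_KEY_EVENT = 4
MSG_POINTER_EVENT = 5
MSG_CLIENT_CUT_TEXT = 6


def parse_client_messages(stream: bytes) -> Iterator[Tuple]:
    """Walk a reassembled client->server RFB stream (handshake already stripped; assumption of
    this example) and yield ('key', down, keysym) and ('cut', text). Other messages are skipped."""
    pos, n = 0, len(stream)
    while pos < n:
        mtype = stream[pos]
        if mtype == MSG_SET_PIXEL_FORMAT:
            pos += 20                                   # type, 3 pad, 16-byte pixel format
        elif mtype == MSG_SET_ENCODINGS:
            (count,) = struct.unpack_from(">H", stream, pos + 2)
            pos += 4 + 4 * count                        # type, pad, count, count x int32
        elif mtype == MSG_FB_UPDATE_REQUEST:
            pos += 10                                   # type, incremental, x, y, w, h
        elif mtype == MSG_KEY_EVENT:
            down, keysym = struct.unpack_from(">BxxI", stream, pos + 1)
            yield ("key", bool(down), keysym)
            pos += 8                                    # type, down, 2 pad, keysym
        elif mtype == MSG_POINTER_EVENT:
            pos += 6                                    # type, button mask, x, y
        elif mtype == MSG_CLIENT_CUT_TEXT:
            (length,) = struct.unpack_from(">I", stream, pos + 4)
            text = stream[pos + 8:pos + 8 + length].decode("latin-1")
            yield ("cut", text)                         # this is the clipboard the tools drop
            pos += 8 + length
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {pos}")


def reconstruct_session(stream: bytes) -> Tuple[str, List[str]]:
    """Return (typed_text, clipboard_pastes) with Backspace, Enter, Tab and Ctrl applied."""
    typed: List[str] = []
    clipboard: List[str] = []
    ctrl = False
    for ev in parse_client_messages(stream):
        if ev[0] == "cut":
            clipboard.append(ev[1])
            continue
        _, down, keysym = ev
        if keysym in (XK_CONTROL_L, XK_CONTROL_R):
            ctrl = down                                 # track modifier state across events
            continue
        if not down:
            continue                                    # key releases carry no text
        if keysym == XK_BACKSPACE:
            if typed:
                typed.pop()
        elif keysym == XK_RETURN:
            typed.append("\n")
        elif keysym == XK_TAB:
            typed.append("\t")
        elif 0x20 <= keysym <= 0x7E:                    # Latin-1 keysyms equal the ASCII code
            typed.append("^" + chr(keysym).upper() if ctrl else chr(keysym))
        # Shift, arrows and function keys are ignored for text reconstruction
    return "".join(typed), clipboard


def key(keysym: int, down: bool) -> bytes:
    return struct.pack(">BBxxI", MSG_KEY_EVENT, 1 if down else 0, keysym)


def press(keysym: int) -> bytes:
    return key(keysym, True) + key(keysym, False)


def cut_text(text: str) -> bytes:
    data = text.encode("latin-1")
    return struct.pack(">BxxxI", MSG_CLIENT_CUT_TEXT, len(data)) + data


def constructed_stream() -> bytes:
    """Constructed sample: a click, an update request, 'pw1' corrected to 'pw2', Enter, then a paste."""
    parts = [struct.pack(">BBHH", MSG_POINTER_EVENT, 1, 100, 200),
             struct.pack(">BBHHHH", MSG_FB_UPDATE_REQUEST, 1, 0, 0, 1024, 768)]
    parts += [press(ord(c)) for c in "pw1"]
    parts += [press(XK_BACKSPACE), press(ord("2")), press(XK_RETURN), cut_text("s3cret!")]
    return b"".join(parts)


if __name__ == "__main__":
    print(reconstruct_session(constructed_stream()))
```

Because the keysym field carries X11 codes rather than characters, a naive extractor that only maps printable keysyms sees "pw12" here and never sees the pasted "s3cret!"; handling the Backspace keysym and the ClientCutText message is exactly what distinguishes the tools discussed above.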

Luring the attackers


We built the honeypot to be attacked. To make that happen, we staged a leak of information designed to draw the attention of potential attackers. The following ports were open on the honeypot:

(Table of open ports, shown as an image in the original post.)

The RDP port had to be closed soon after launch, because the sheer volume of scanning traffic on our network caused performance problems.
The VNC terminals first ran in view-only mode without a password; later we "accidentally" switched them to full-access mode.

To attract attackers, we posted two notes on PasteBin containing "leaked" information about the accessible system.

One of the notes posted on PasteBin to attract attacks. Source: Trend Micro

Attacks


The honeypot lived on the internet for about seven months. The first attack came a month after the honeypot went online.

Scanners

There was a lot of traffic from well-known scanners: ip-ip, Rapid, Shadow Server, Shodan, ZoomEye and others. There was so much of it that we excluded their IP addresses from the analysis: 610 of 9452, or 6.45% of the unique IP addresses, belonged to legitimate scanners.

Scammers

One of the biggest risks we faced was the use of our system for criminal purposes: buying smartphones through mobile subscriber accounts, cashing out airline miles with gift cards and other kinds of fraud.

Miners

One of the first visitors to our system turned out to be a cryptocurrency miner. He installed Monero mining software on it. He could not have earned much on our system given its low performance, but combine the efforts of several dozen or hundreds of such systems and it starts to add up.

Ransomware

During the honeypot's lifetime we ran into real ransomware twice. The first time it was Crysis. Its operators logged in over VNC but then installed TeamViewer and used it for their further actions. After waiting for the extortion message demanding a $10,000 ransom in BTC, we entered into correspondence with the criminals, asking them to decrypt one of our files. They complied and repeated the ransom demand. We managed to bargain them down to $6,000, after which we simply redeployed the system on the virtual machine, since we had obtained all the information we needed.

The second ransomware was Phobos. The attacker who installed it spent an hour browsing the honeypot's file system and scanning the network, and then deployed the ransomware.
The third ransomware attack turned out to be fake. An unknown "hacker" uploaded a file named haha.bat to our system, after which we watched for a while as he tried to make it work. One of the attempts was renaming haha.bat to haha.rnsmwr.

The "hacker" makes the bat file more malicious by changing its extension to .rnsmwr. Source: Trend Micro

When the batch file finally ran, the "hacker" edited it, raising the ransom from $200 to $750. He then "encrypted" all the files, left an extortion note on the desktop and disappeared, changing the passwords on our VNC.

A few days later the hacker came back and, to remind us of himself, launched a batch file that opened many windows with porn sites. Apparently this was his way of drawing attention to his demand.

Results


The study showed that as soon as information about the vulnerability was published, the honeypot drew attention, and activity grew day by day. For the trap to attract interest, a great many security violations had to be committed on behalf of our fictitious company. Unfortunately, this situation is not unusual among real companies that lack full-time IT and information-security staff.

In general, organisations should apply the principle of least privilege, whereas we implemented its opposite to attract attackers. And the longer we observed the attacks, the more sophisticated they became compared with standard penetration-testing methods.

Most importantly, all of these attacks would have failed if adequate protective measures had been applied when the network was set up. Organisations must make sure that their equipment and industrial infrastructure components are not reachable from the internet, the opposite of what we deliberately did in our trap.

Although we did not record a single attack on the engineer's workstation, even though the same local administrator password was used on all the computers, this practice should be avoided to minimise the chances of intrusion. Weak security is an extra invitation to attack industrial systems, which have long been of interest to cybercriminals.

Source: www.habr.com
