Our own way, graph: how we failed to find a good network graph and built our own


While investigating cases involving fraud, botnets, fraudulent transactions and criminal hacker groups, Group-IB experts have used graph analysis for many years to uncover links of all kinds. Each type of case has its own data sets, its own link-detection algorithms and an interface tailored to that task. All of these tools were developed in-house at Group-IB and were available only to our own staff.

Network infrastructure graph analysis (the network graph) became the first internal tool that we built into every one of the company's public products. Before building our own network graph we examined many similar developments on the market and found nothing that met our needs. In this article we describe how we built the network graph, how we use it and the difficulties we ran into along the way.

By Dmitry Volkov, CTO of Group-IB and head of cyber intelligence

What can the Group-IB network graph do?

Investigations

From the founding of Group-IB in 2003 to this day, identifying, de-anonymising and bringing cybercriminals to justice has been the top priority of our work. Not a single cyberattack investigation has been completed without analysing the attackers' network infrastructure. At the very beginning of our journey it was painstaking "manual work" to search for the relationships that could help identify the criminals: information about domain names, IP addresses, digital fingerprints of servers, and so on.

Most attackers try to act as anonymously as possible on the Internet. However, like all people, they make mistakes. The main goal of this kind of analysis is to find the attackers' "white" or "grey" historical projects that intersect with the malicious infrastructure used in the current incident under investigation. If "white projects" can be identified, finding the attacker usually becomes a trivial task. With "grey" ones the search takes more time and effort, since their owners try to anonymise or hide registration data, but the chances remain high. As a rule, at the start of their criminal activity attackers pay less attention to their own security and make more mistakes, so the deeper we can dig into the history, the better the chances of a successful investigation. That is why a network graph with a good history is an extremely important element of such an investigation. Simply put, the deeper the historical data a company holds, the better its graph. Let's say that a 5-year history can help solve, conditionally, 1-2 cases out of 10, while a 15-year history gives a chance of solving all ten.

Detecting phishing and fraud

Whenever we receive a suspicious link to a phishing, fraudulent or pirated resource, we automatically build a graph of the related network elements and check every host found for similar content. This lets us find both old phishing sites that were active but unknown, and completely new ones that have been prepared for future attacks but are not yet in use. An elementary example that comes up quite often: we find a phishing site on a server that hosts only 5 sites. Checking each of them, we find phishing content on the other sites too, which means we can block 5 instead of 1.

Searching for backends

This is needed to understand where the malicious server is actually located.
99% of card shops, hacker forums, many phishing resources and other malicious servers are hidden behind their own proxy servers and behind the proxies of legitimate services such as Cloudflare. Knowledge of the real backend is very important for an investigation: the hosting provider from which the server can be seized becomes known, and it becomes possible to build links with other malicious projects.

For example, you have a phishing site for collecting bank card data that resolves to IP address 11.11.11.11, and a card shop address that resolves to IP address 22.22.22.22. During analysis it may turn out that the phishing site and the card shop share the same backend IP address, say 33.33.33.33. This knowledge lets us establish a link between the phishing attacks and the card shop where the stolen bank card data may be sold.

Event correlation

When you have two different triggers (say, on an IDS) with different malware and different servers controlling the attack, you will treat them as two independent events. But if there is a good link between the malicious infrastructures, it becomes obvious that these are not separate attacks but stages of a single, more complex multi-stage attack. And if one of the events has already been attributed to a particular attacker group, the second can be attributed to the same group. Of course, the attribution process is far more complex, so treat this as a simple example.

Indicator enrichment

We will not dwell on this, because it is the most common use of graphs in cybersecurity: you give one indicator as input, and as output you get an array of related indicators.

Pattern detection

Identifying patterns is essential for effective hunting. Graphs let you not only find related elements but also identify the common properties characteristic of a particular group of hackers. Knowing such unique characteristics lets you recognise the attacker's infrastructure even at the preparation stage, without any evidence confirming the attack, such as phishing emails or malware.

Why did we build our own network graph?

Once again, we looked at solutions from various vendors before concluding that we needed to develop our own tool, one that could do what no existing product could. It took several years to build, during which we completely reworked it several times. But despite the long development period we have still not found a single analogue that would satisfy our requirements. Using our own product we were able to solve almost all of the problems we found in existing network graphs. Below we look at these problems in detail:

Problem. No single provider has all the different data collections: domains, passive DNS, passive SSL, DNS records, open ports, services running on the ports, files interacting with domain names and IP addresses. Explanation. Providers usually supply separate types of data, and to get the full picture you have to buy subscriptions from all of them. Even then it is not always possible to get all the data: some passive SSL providers only supply data on certificates issued by trusted CAs, and their coverage of self-signed certificates is very poor. Others do supply data on self-signed certificates, but collect it only from standard ports.
Solution. We collected all of the above data sets ourselves. For example, to collect data on SSL certificates we wrote our own service that gathers them both from trusted CAs and by scanning the entire IPv4 space. Certificates were collected not only from IPs but also from every domain and subdomain in our database: if you have the domain example.com and its subdomain www.example.com, and both resolve to IP 1.1.1.1, then requesting the SSL certificate on port 443 from the IP, from the domain and from its subdomain can give three different results. To collect data on open ports and running services we had to build our own distributed scanning system, because other services often had the IP addresses of their scanning servers on "blacklists". Our scanning servers also end up on blacklists, but our detection rate for the services we need is higher than that of providers who simply scan as many ports as possible and sell access to the data.

Problem. No access to the entire database of historical records. Explanation. Every serious provider has a good accumulated history, but for natural reasons we, as a client, could not get access to all of it. That is, you can retrieve the full history of a single record, for example by domain or IP address, but you cannot see the history of everything, and without that you cannot see the full picture.
Solution. To collect as many historical records as possible we bought various databases, parsed many open resources that held this history (fortunately there were a lot of them), and negotiated with domain name registrars. All updates to our collections are, of course, kept with a full revision history.

Problem. All existing solutions let you build a graph only manually. Explanation. Suppose you have bought many subscriptions from every possible data provider (usually called "enrichers"). When you need to build a graph, you "by hand" issue the command to build from the starting element, then pick the relevant ones from the elements that appear, issue the command to expand the links from them, and so on. In this case the responsibility for how well the graph is built lies entirely with the person.
Solution. We build graphs automatically. That is, if you need to build a graph, the links from the first element are built automatically, then from all the elements that follow. The analyst only specifies the depth to which the graph should be built. The procedure for automatically expanding graphs is simple, but other vendors do not implement it because it produces an enormous number of irrelevant results, and we had to deal with that drawback too (see below).

Problem. A large number of irrelevant results is a problem of all network element graphs. Explanation. For example, a "bad domain" (one involved in an attack) is linked to a server that has had 500 other domains linked to it over the past 10 years. When adding by hand or building the graph automatically, all 500 of those domains also end up on the graph, although they have nothing to do with the attack. Or, for example, you look up an IP indicator from a vendor's security report. Such reports are usually published with a considerable delay and often cover a year or more. Most likely, by the time you read the report the server with this IP address has already been leased to other people with other links, and building a graph will again give you irrelevant results.
Solution. We trained the system to identify irrelevant elements using the same reasoning our analysts applied by hand. For example, you are checking the malicious domain example.com, which now resolves to IP 11.11.11.11, and a month ago resolved to IP 22.22.22.22. Besides example.com, IP 11.11.11.11 is also linked to example.ru, while IP 22.22.22.22 is linked to another 25 thousand domains. The system, like a person, understands that 11.11.11.11 is most likely a dedicated server, and since the domain example.ru is similar in spelling to example.com, they are very probably linked and should be on the graph; IP 22.22.22.22, however, is shared hosting, so its domains should not all be included in the graph unless other links show that one of those 25 thousand domains also needs to be included (for example example.net). Before the system decides that a link must be broken and some elements not carried over to the graph, it takes into account many properties of the elements and of the clusters these elements are grouped into, as well as the strength of the current links. For example, if the graph contains a small cluster (50 elements) that includes the bad domain and another, large cluster (5 thousand elements), and the two clusters are connected by a link (edge) of very low strength (weight), then that link will be broken and the elements of the large cluster removed. But if there are many links between the small and the large cluster and their strength builds up gradually, then the link will not be broken and the relevant elements of both clusters remain on the graph.

Problem. Server and domain ownership periods are not taken into account. Explanation. "Bad domains" sooner or later expire and are bought again for malicious or legitimate purposes. Even bulletproof hosting servers are leased to different hackers, so it is critical to know and take into account the period during which a particular domain or server was under one owner's control. We often encounter situations where a server with IP 11.11.11.11 is now used as C&C for a banking bot, while 2 months ago it was controlled by a ransomware operator. If we build a link without taking ownership into account, it will look as though there is a link between the owners of the banking botnet and the ransomware, although there is none. In our work such an error is critical.
Solution. We trained the system to determine ownership periods. For domains this is relatively simple, because whois usually contains the registration start and expiry dates and, where a full history of whois changes is available, the periods are easy to determine. When a domain's registration has not expired but control of it has been transferred to other owners, this can be tracked too. SSL certificates have no such problem, because they are issued once and are neither renewed nor transferred. But with self-signed certificates you cannot trust the dates given in the certificate's validity period, because you can generate an SSL certificate today and set its start date to 2010. The hardest part is determining ownership periods for servers, because only the hosting providers have the lease dates and terms. To determine a server's ownership period we started using the results of port scanning and fingerprinting the services running on the ports. Using this information we can say fairly accurately when the server's owner changed.

Problem. Too few links. Explanation. Nowadays it is not even a problem to get, for free, a list of domains whose whois contains a particular email address, or to find all domains that were ever associated with a particular IP address. But when it comes to hackers who do everything they can to be hard to track, we need extra tricks to find new elements and build new links.
Solution. We spent a lot of time researching how to extract data that cannot be obtained in the usual way. For obvious reasons we cannot describe here how this works, but under certain circumstances hackers, when registering domains or leasing and setting up servers, make mistakes that allow email addresses, hacker aliases and backend addresses to be discovered. The more links you extract, the more accurate the graphs you can build.

How our graph works

To start using the network graph, enter a domain, IP address, email or SSL certificate fingerprint in the search bar. There are three parameters the analyst can control: time, step depth and cleanup.


Time

Time is the date or period when the element being searched was used for malicious purposes. If you do not specify it, the system itself determines the last ownership period of the element. For example, on July 11 ESET published a report on how Buhtrap used a 0-day exploit for cyber espionage. The report ends with 6 indicators. One of them, safe-telemetry[.]net, was re-registered on July 16. So if you build a graph after July 16, you will get irrelevant results. But if you indicate that this domain was used before that date, the graph includes 126 new domains and 69 IP addresses that are not listed in the ESET report:

  • ukrfreshnews[.]com
  • unian-search[.]com
  • vesti-world[.]info
  • runewsmeta[.]com
  • foxnewsmeta[.]biz
  • sobesednik-meta[.]info
  • rian-ua[.]net
  • and others

Besides the network indicators, we immediately get links to the malicious files that were associated with this infrastructure, along with tags telling us that Meterpreter and AZORult were used.

The main thing is that you get this result within a second and no longer need to spend days analysing the data. This approach sometimes cuts investigation time dramatically, which is often critical.


Number of steps, or the recursion depth to which the graph is built

By default the depth is 3. This means that all elements directly linked to the requested element are found first, then new links are built from each new element to further elements, and finally new elements are added from the elements discovered in the previous step.

Let's take an example that has nothing to do with APTs or 0-day exploits. An interesting cryptocurrency fraud case was recently described on Habré. The write-up mentions the domain themcx[.]co, used by the fraudsters to host a site posing as Miner Coin Exchange, and phone-lookup[.]xyz to lure people in.

It was clear from the description that the scheme needs a large infrastructure to drive traffic to the fraudulent resources. We decided to look at this infrastructure by building a graph 4 steps deep. The result was a graph with 230 domains and 39 IP addresses. We then split the domains into 2 categories: those resembling cryptocurrency services and those intended to drive traffic through phone-verification services:

Cryptocurrency-related        Phone-verification-related

coinkeeper[.]cc               caller-records[.]site
mcxwallet[.]co                phone-records[.]space
btcnoise[.]com                fone-uncover[.]xyz
cryptominer[.]watch           number-uncover[.]info


Cleanup

By default the "Graph cleanup" mode is enabled, and all irrelevant elements are removed from the graph. Incidentally, it was used in all the previous examples. I anticipate the natural question: how do we make sure that nothing important is removed? My answer: for analysts who prefer to build graphs by hand, automatic cleanup can be disabled and the number of steps set to 1. The analyst can then expand the graph from the elements they need and remove from it the elements that are irrelevant.

Right on the graph, the analyst has access to the history of whois changes, DNS, and open ports together with the services running on them.
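As an added illustration of the depth, time and cleanup controls described above, and of the dedicated-versus-shared-hosting reasoning in the "irrelevant results" and "ownership periods" problems, here is a small model of the expansion in Python. It is not Group-IB's code: the passive-DNS records, the domain and IP values, and the single "more than N domains means shared hosting" cut-off are all constructed assumptions, whereas the article's real cleanup weighs clusters and link strength.

```python
from datetime import date

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# Illustrative data only, not Group-IB's data.
RECORDS = [
    ("ransom-c2.test", "11.11.11.11", date(2019, 1, 1), date(2019, 4, 30)),  # previous tenant of the server
    ("example.com", "22.22.22.22", date(2019, 5, 1), date(2019, 5, 31)),     # a month on shared hosting
    ("example.com", "11.11.11.11", date(2019, 6, 1), date(2019, 7, 31)),     # then a dedicated server
    ("example.ru", "11.11.11.11", date(2019, 6, 10), date(2019, 7, 31)),
    ("example.net", "22.22.22.22", date(2019, 5, 1), date(2019, 7, 31)),
    ("example.net", "11.11.11.11", date(2019, 7, 1), date(2019, 7, 31)),
]
# 40 unrelated tenants make 22.22.22.22 look like shared hosting.
RECORDS += [(f"tenant{i}.test", "22.22.22.22", date(2018, 1, 1), date(2019, 12, 31))
            for i in range(40)]

# Assumed cut-off: an IP linked to more domains than this is treated as shared hosting.
SHARED_HOSTING_THRESHOLD = 20


def is_ip(node):
    return node.replace(".", "").isdigit()


def neighbours(node, at):
    """Nodes linked to `node` by a record whose observation window covers `at`.
    This is the time filter: links from other ownership periods are ignored."""
    out = set()
    for domain, ip, first, last in RECORDS:
        if first <= at <= last:
            if node == domain:
                out.add(ip)
            elif node == ip:
                out.add(domain)
    return out


def is_shared_hosting(ip, at):
    return len(neighbours(ip, at)) > SHARED_HOSTING_THRESHOLD


def build_graph(seed, at, depth=3, cleanup=True):
    """Breadth-first expansion from `seed` for `depth` steps; `at` is a date or
    an ISO date string. With cleanup on, a shared-hosting IP stays on the graph
    as a node but is not fanned out, so its unrelated tenants are not pulled in;
    a domain on that IP still appears if another link (the dedicated server) leads to it."""
    if isinstance(at, str):
        at = date.fromisoformat(at)
    nodes, edges, frontier = {seed}, set(), {seed}
    for _ in range(depth):
        next_frontier = set()
        for node in frontier:
            if cleanup and is_ip(node) and is_shared_hosting(node, at):
                continue
            for other in neighbours(node, at):
                edges.add(frozenset((node, other)))
                if other not in nodes:
                    nodes.add(other)
                    next_frontier.add(other)
        frontier = next_frontier
    return nodes, edges


if __name__ == "__main__":
    for at, cleanup in [("2019-07-15", True), ("2019-07-15", False), ("2019-05-15", True)]:
        nodes, edges = build_graph("example.com", at, depth=4, cleanup=cleanup)
        print(at, "cleanup" if cleanup else "no cleanup", len(nodes), "nodes,", len(edges), "edges")
```

Run it and compare the July graph with cleanup (five nodes, none of the 40 tenants, and no sign of the server's previous tenant) against the same query with cleanup off, which drags in every tenant of the shared host.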


Financial phishing

We investigated the activity of one APT group that for several years ran phishing attacks against the customers of various banks in different regions. A characteristic feature of this group was registering domains very similar to the names of real banks, and most of its phishing sites shared the same design, the only differences being the bank names and logos.

In this case automated graph analysis helped us a great deal. Starting from one of their domains, lloydsbnk-uk[.]com, within a few seconds we built a graph 3 steps deep that identified more than 250 domains that this group has used and continues to use. Some of these domains have since been bought by the banks, but the historical records show they had earlier been registered to the attackers.

For clarity, the figure shows a graph 2 steps deep.

It is worth noting that in 2019 the attackers somewhat changed their tactics and began registering not only bank domains for hosting web phishing, but also domains of various consulting companies for sending phishing emails. For example, the domains swift-department.com, saudconsultancy.com, vbgrigoryanpartners.com.


The Cobalt group

In December 2018 the Cobalt hacker group, which specialises in targeted attacks on banks, sent out a mailing on behalf of the National Bank of Kazakhstan.

The emails contained links to hXXps://nationalbank.bz/Doc/Prikaz.doc. The downloaded document contained a macro that launched PowerShell, which attempted to download and execute a file from hXXp://wateroilclub.com/file/dwm.exe as %Temp%\einmrmdmy.exe. The file %Temp%\einmrmdmy.exe, aka dwm.exe, is a CobInt stager configured to communicate with the server hXXp://admvmsopp.com/rilruietguadvtoefmuy.

Now imagine that you cannot obtain these phishing emails and perform a full analysis of the malicious files. The graph for the malicious domain nationalbank[.]bz immediately shows links to other malicious domains, attributes it to the group and shows which files were used in the attack.

Let's take the IP address 46.173.219[.]152 from this graph and build a graph from it with cleanup disabled. It has 40 linked domains, for example bl0ckchain[.]ug, paypal.co.uk.qlg6[.]pw, cryptoelips[.]com.

Judging by the domain names, they appear to be used in fraud schemes, but the cleanup algorithm determined that they were not related to this attack and did not put them on the graph, which greatly simplifies analysis and attribution.

If you rebuild the graph from nationalbank[.]bz with the cleanup algorithm disabled, it will contain more than 500 elements, most of which have nothing to do with the Cobalt group or its attacks. An example of what such a graph looks like is given below:


Conclusion

After several years of fine-tuning, testing in real investigations, threat research and attacker hunting, we managed not only to create a unique tool but also to change the attitude of the company's experts towards it. Initially, the technical experts wanted full control over the graph-building process. Convincing them that automatic graph building could do this better than a person with many years of experience was extremely difficult. The matter was settled by time and by many "manual" checks of the results the graph produced. Today our experts not only trust the system but also use the results it produces in their daily work. This technology works inside each of our systems and lets us identify threats of any type more effectively. The graph analysis interface is built into all Group-IB products and significantly extends cybercrime hunting capabilities, which is confirmed by feedback from our clients' analysts. We, in turn, continue to enrich the graph with data and to work on new algorithms that use artificial intelligence to build the most accurate network graph possible.

Source: www.habr.com
