Irresistibly attractive: how we built a honeypot that cannot be exposed

Antivirus companies, information security experts and plain enthusiasts put honeypot systems on the Internet in order to "catch" a new variant of a virus or to observe unusual hacker tactics. Honeypots have become so widespread that cybercriminals have developed a kind of immunity: they quickly recognise that they are in front of a trap and simply leave it alone. To study the tactics of modern attackers, we built a realistic honeypot that lived on the Internet for seven months and attracted a wide variety of attacks. We described how this went in our study "Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats". Some facts from the study are in this post.

Honeypot development: checklist

The main task in creating our supertrap was to prevent it from being exposed by the hackers who showed interest in it. This required a lot of work:

  1. Create a realistic legend about the company, including full names and photos of employees, phone numbers and e-mail addresses.
  2. Come up with and implement a model of industrial infrastructure consistent with the legend about our company's activities.
  3. Decide which network services will be accessible from outside, but do not get carried away opening vulnerable ports so that it does not look like a trap for freebie hunters.
  4. Arrange for information about the vulnerable system to leak, and distribute that information among potential attackers.
  5. Implement discreet monitoring of hacker activity in the honeypot infrastructure.

And now, first things first.

Creating the legend

Cybercriminals are used to encountering many honeypots, so the more advanced among them carry out an in-depth investigation of each vulnerable system to make sure it is not a trap. For the same reason, we wanted the honeypot to be realistic not only in terms of design and technical implementation, but also to create the appearance of a real company.

Putting ourselves in the shoes of a hypothetical skilled hacker, we developed a verification algorithm that would distinguish a real system from a trap. It included looking up the company's IP addresses in reputation systems, researching the history of those IP addresses, searching for names and keywords associated with the company and its counterparties, and much more. As a result, the legend turned out to be quite convincing and attractive.

We decided to position the decoy factory as a small industrial prototyping boutique working for very large anonymous clients in the military and aviation segment. This freed us from the legal complications of using an existing brand.

Next we had to come up with a vision, a mission and a name for the organisation. We decided that our company would be a startup with a small number of employees, each of whom is a founder. This added credibility to the story of the specialised nature of our business, which allows it to handle sensitive projects for large and important clients. We wanted our company to look weak from a cybersecurity point of view, while making it obvious that we were working with important assets on the target systems.

[Image] Screenshot of the MeTech honeypot website. Source: Trend Micro

We chose the word MeTech as the company name. The site was built from a free template. The images were taken from stock photo banks, using the least popular ones and modifying them to make them less recognisable.

We wanted the company to look real, so we had to add employees whose professional skills matched the company's profile. We came up with names and personalities for them and tried to select images from the photo banks to match the stated ethnicity.

[Image] Screenshot of the MeTech honeypot website. Source: Trend Micro

To avoid being exposed, we looked for good-quality group photos from which we could pick the faces we needed. However, we later abandoned this option, since a potential hacker could use reverse image search and discover that our "employees" exist only in photo banks. In the end, we used photos of non-existent people generated by a neural network.

The employee profiles published on the site contained important information about their professional skills, but we avoided naming specific schools or cities.
To create mailboxes, we used a hosting provider's server, then rented several phone numbers in the United States and combined them into a virtual PBX with a voice menu and an answering machine.

Honeypot infrastructure

To avoid exposure, we decided to use a combination of real industrial hardware, physical computers and hardened virtual machines. Looking ahead, we can say that we checked the result of our efforts with the Shodan search engine, and it showed that the honeypot looks like a real industrial system.

[Image] Result of scanning the honeypot with Shodan. Source: Trend Micro

We used four PLCs as the hardware for our trap:

  • Siemens S7-1200,
  • two Allen-Bradley MicroLogix 1100,
  • Omron CP1L.

These PLCs were chosen for their popularity in the global control-system market. Each of these controllers uses its own protocol, which let us check which of the PLCs would be attacked most often and whether anyone would be interested in them at all.

[Image] Equipment of our "factory" trap. Source: Trend Micro

We did not simply install the hardware and connect it to the Internet. We programmed each controller to perform tasks, including

  • mixing,
  • burner and conveyor belt control,
  • palletising with a robotic manipulator.

And to make the production process realistic, we programmed logic to randomly change feedback parameters, simulate motors starting and stopping, and burners switching on and off.

Our factory had three virtual computers and one physical one. The virtual computers were used to control the plant and the palletiser robot, and as a workstation for the PLC software engineer. The physical computer served as the file server.

Besides monitoring attacks on the PLCs, we wanted to monitor the state of the programs loaded on our devices. To do this, we created an interface that let us quickly see how the states of our virtual actuators and settings had been modified. Already at the planning stage, we found that it is much easier to do this with a control program than by programming the controller logic directly. We opened access to the device management interface of our honeypot via VNC without a password.

Industrial robots are a key component of modern smart manufacturing. With this in mind, we decided to add a robot, and an automated workstation to control it, to the equipment of our trap factory. To make the "factory" more realistic, we installed on the control workstation the real software that engineers use to program robot logic graphically. Since industrial robots are usually located in an isolated internal network, we decided to leave unprotected VNC access only to the control workstation.

[Image] The RobotStudio environment with a 3D model of our robot. Source: Trend Micro

We installed the RobotStudio programming environment from ABB Robotics on the virtual machine hosting the robot control workstation. After setting up RobotStudio, we opened a simulation file containing our robot so that its 3D image was visible on the screen. As a result, Shodan and other search engines, on finding an unprotected VNC server, capture this screen and show it to anyone looking for industrial robots with open control access.

The point of this attention to detail was to create an attractive and realistic target for attackers who, once they found it, would come back to it again and again.

Engineer's workstation

To program the PLC logic, we added an engineering computer to the infrastructure. Industrial software for PLC programming was installed on it:

  • TIA Portal for Siemens,
  • MicroLogix for the Allen-Bradley controllers,
  • CX-One for Omron.

We decided that the engineering workstation would not be reachable from outside the network. Instead, we set the same account password on it as on the robot control workstation and the factory control workstation, which were accessible from the Internet. This configuration is quite common in many companies.
Unfortunately, despite all our efforts, not a single attacker reached the engineer's workstation.

File server

We needed it as bait for attackers and as a way to back up our own "work" at the decoy factory. It let us exchange files with our honeypot using USB devices without leaving traces on the honeypot network. We installed Windows 7 Pro as the file server's OS and created on it a shared folder that anyone could read and write to.

At first we did not create any hierarchy of folders and documents on the file server. However, we later noticed that attackers were actively studying this folder, so we decided to fill it with various files. To do this, we wrote a Python script that created files of random size with one of a given set of extensions, forming each name from a dictionary.

[Image] Script for generating attractive file names. Source: Trend Micro

After running the script, we got the desired result: a folder full of files with very interesting names.

[Image] The result of running the script. Source: Trend Micro
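The decoy-file idea from the file-server section, as an added example that is not the script from the study: dictionary-based names, a random extension and size, plus a manifest kept outside the share so that a visitor's tampering (encryption, deletion, renaming) can later be detected. The word list, extensions and the MeTech-style directory prefix are constructed.

```python
"""Added example, not the script from the study: fill a honeypot share with decoy
files (dictionary-based names, random extension and size) and record a manifest so
that later tampering by a visitor can be detected. Word list is constructed."""
import hashlib, os, random, tempfile

WORDS = ["contract", "blueprint", "invoice", "payroll", "turbine", "supplier",
         "drawing", "budget", "passwords", "tender", "prototype", "audit"]
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".dwg", ".zip"]

def decoy_name(rng, words=WORDS, extensions=EXTENSIONS, parts=(2, 3)):
    """Join two or three distinct dictionary words and add one of the extensions."""
    return "_".join(rng.sample(words, rng.randint(*parts))) + rng.choice(extensions)

def populate(share_dir, count, seed=None, min_kb=4, max_kb=512):
    """Write `count` decoys of random size; return {name: {"size", "sha256"}}.
    Keep the manifest outside the share: a visitor must not find it."""
    rng = random.Random(seed)
    os.makedirs(share_dir, exist_ok=True)
    manifest = {}
    while len(manifest) < count:
        name = decoy_name(rng)
        if name in manifest:                  # word combinations can collide
            continue
        content = os.urandom(rng.randint(min_kb, max_kb) * 1024)   # incompressible, like real docs
        with open(os.path.join(share_dir, name), "wb") as f:
            f.write(content)
        manifest[name] = {"size": len(content), "sha256": hashlib.sha256(content).hexdigest()}
    return manifest

def check_share(share_dir, manifest):
    """Return decoy names that are missing or whose content no longer matches."""
    changed = []
    for name, meta in manifest.items():
        path = os.path.join(share_dir, name)
        if not os.path.isfile(path):
            changed.append(name)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != meta["sha256"]:
                changed.append(name)
    return changed

def demo(count=12, seed=2023):
    """Populate a temporary share, then tamper with two decoys the way a visitor
    might (append to one, delete another) and return what check_share reports."""
    share = tempfile.mkdtemp(prefix="metech_share_")
    manifest = populate(share, count, seed=seed)
    victims = sorted(manifest)[:2]
    with open(os.path.join(share, victims[0]), "ab") as f:
        f.write(b"tampered")
    os.remove(os.path.join(share, victims[1]))
    return manifest, victims, check_share(share, manifest)
```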

Monitoring environment

Having spent so much effort on building a realistic company, we could not afford to fail at the environment for monitoring our "visitors". We needed to get all the data in real time without the attackers noticing that they were being watched.

We implemented this with four USB-to-Ethernet adapters, four SharkTap Ethernet taps, a Raspberry Pi 3 and a large external drive. Our network diagram looked like this:

[Image] Honeypot network diagram with the monitoring equipment. Source: Trend Micro

We placed three SharkTap taps to monitor all external traffic to the PLCs, which were reachable only from the internal network. The fourth SharkTap monitored the traffic of visitors to the vulnerable virtual machine.

[Image] SharkTap Ethernet Tap and Sierra Wireless AirLink RV50 router. Source: Trend Micro

The Raspberry Pi performed daily traffic captures. We connected to the Internet through a Sierra Wireless AirLink RV50 cellular router, which is commonly used in industrial enterprises.

Unfortunately, this router did not let us selectively block attacks that did not fit our plans, so we added a Cisco ASA 5505 firewall to the network in transparent mode to do the blocking with minimal impact on the network.

Traffic analysis

Tshark and tcpdump are fine for quickly resolving current issues, but in our case their capabilities were not enough: we had many gigabytes of traffic, analysed by several people. We used the open-source Moloch analyser developed by AOL. It is comparable in functionality to Wireshark, but has more capabilities for collaboration, describing and tagging packets, exporting, and other tasks.

Since we did not want to process the collected data on the honeypot computers, the PCAP dumps were exported daily to AWS storage, from where we imported them onto the Moloch machine.

Screen recording

To document the hackers' actions in our honeypot, we wrote a script that took screenshots of the virtual machine at a set interval and, by comparing each with the previous screenshot, determined whether something was happening there or not. When activity was detected, the script switched on screen recording. This approach turned out to be the most effective. We also tried analysing the VNC traffic from the PCAP dump to understand what changes had taken place in the system, but in the end the screen recording we implemented turned out to be simpler and more visual.
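The screenshot-comparison logic described above, as an added example that is not the study's script: a recorder that starts when enough of the screen changes and stops only after several unchanged frames, so that a cursor blink or clock tick neither triggers a recording nor splits one. The frames are constructed grayscale buffers rather than real screenshots, and the threshold and quiet-frame count are assumed values.

```python
"""Added example, not the study's script: activity-triggered screen recording as a
state machine over successive screenshots. Frames are constructed grayscale buffers."""

def changed_fraction(prev: bytes, cur: bytes) -> float:
    """Fraction of pixels whose grayscale value differs between two frames."""
    if not cur or len(prev) != len(cur):
        raise ValueError("frames must be non-empty and the same size")
    return sum(a != b for a, b in zip(prev, cur)) / len(cur)

class ActivityRecorder:
    """Start recording when more than `threshold` of the screen changes and stop only
    after `quiet_frames` unchanged screenshots, so a cursor blink or clock tick
    neither starts a recording nor cuts one short between an intruder's commands."""
    def __init__(self, threshold=0.01, quiet_frames=3):
        self.threshold, self.quiet_frames = threshold, quiet_frames
        self.prev, self.recording, self.quiet = None, False, 0
        self.events = []                      # (frame_index, "start" | "stop")

    def feed(self, index: int, frame: bytes) -> bool:
        """Consume one screenshot; return whether it belongs in the recording."""
        active = self.prev is not None and changed_fraction(self.prev, frame) > self.threshold
        self.prev = frame
        if active:
            self.quiet = 0
            if not self.recording:
                self.recording = True
                self.events.append((index, "start"))
        elif self.recording:
            self.quiet += 1
            if self.quiet >= self.quiet_frames:
                self.recording = False
                self.events.append((index, "stop"))
        return self.recording

def run_demo(width=64, height=48):
    """Constructed sequence: idle desktop, one blinking cursor pixel, a window
    opening over half the screen, typing inside it, then the screen goes still."""
    idle = bytes([30]) * (width * height)
    cursor = bytearray(idle)
    cursor[0] ^= 0xff                         # one pixel: far below the threshold
    window = bytes([200]) * (width * height // 2) + idle[width * height // 2:]
    typing = bytearray(window)
    typing[100:300] = bytes([90]) * 200       # 200 of 3072 pixels at default size: above threshold
    frames = [idle, bytes(cursor), idle, window, bytes(typing)] + [bytes(typing)] * 4
    rec = ActivityRecorder()
    recorded = [rec.feed(i, f) for i, f in enumerate(frames)]
    return recorded, rec.events
```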

Analysing VNC sessions

For this we used Chaosreader and VNCLogger. Both utilities extract keystrokes from a PCAP dump, but VNCLogger handles keys such as Backspace, Enter and Ctrl more correctly.

VNCLogger has two drawbacks. First, it can only extract keystrokes by "listening" to traffic on an interface, so we had to replay the VNC session to it with tcpreplay. The second drawback VNCLogger shares with Chaosreader: neither shows the contents of the clipboard. For that I had to use Wireshark.
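The two gaps noted above (Backspace/Enter handling and clipboard contents) as an added example, not the study's tooling or VNCLogger's code: a parser for the client-to-server half of an RFB session that rebuilds the typed text, applying Backspace and Enter, and extracts ClientCutText clipboard pastes. It assumes a decoded, unencrypted RFB stream starting after the handshake; SAMPLE is a constructed session, not a real capture.

```python
"""Added example, not the study's tooling: rebuild typed text and clipboard pastes
from the client-to-server half of a VNC (RFB) session. SAMPLE is constructed."""
import struct

# RFB client-to-server message types (RFC 6143 section 7.5) and X11 keysyms
SET_PIXEL_FORMAT, SET_ENCODINGS, FB_UPDATE_REQUEST = 0, 2, 3
KEY_EVENT, POINTER_EVENT, CLIENT_CUT_TEXT = 4, 5, 6
FIXED_LEN = {SET_PIXEL_FORMAT: 20, FB_UPDATE_REQUEST: 10, POINTER_EVENT: 6}
XK_BACKSPACE, XK_RETURN = 0xff08, 0xff0d
MODIFIERS = {0xffe1, 0xffe2, 0xffe3, 0xffe4, 0xffe9, 0xffea}   # Shift/Ctrl/Alt L+R

def parse_client_messages(data: bytes):
    """Yield ("key", keysym) per key press and ("clipboard", text) per ClientCutText."""
    i = 0
    while i < len(data):
        t = data[i]
        if t in FIXED_LEN:                        # nothing typed in these: skip
            i += FIXED_LEN[t]
        elif t == SET_ENCODINGS:                  # 4-byte header + 4 bytes per encoding
            i += 4 + 4 * struct.unpack_from(">H", data, i + 2)[0]
        elif t == KEY_EVENT:
            down, keysym = struct.unpack_from(">BxxI", data, i + 1)
            if down:                              # releases add nothing
                yield ("key", keysym)
            i += 8
        elif t == CLIENT_CUT_TEXT:
            length = struct.unpack_from(">I", data, i + 4)[0]
            yield ("clipboard", data[i + 8:i + 8 + length].decode("latin-1"))
            i += 8 + length
        else:
            raise ValueError(f"unknown client message type {t} at offset {i}")

def reconstruct_session(data: bytes):
    """Return (typed_text, pastes); Backspace deletes, Enter is a newline, modifiers
    are dropped because the client already sends the shifted keysym."""
    typed, pastes = [], []
    for kind, payload in parse_client_messages(data):
        if kind == "clipboard":
            pastes.append(payload)
        elif payload == XK_BACKSPACE:
            if typed: typed.pop()
        elif payload == XK_RETURN:
            typed.append("\n")
        elif payload not in MODIFIERS and 0x20 <= payload <= 0xff:
            typed.append(chr(payload))            # Latin-1 keysyms equal the char
    return "".join(typed), pastes

def _key(keysym):                                 # constructed press + release pair
    return struct.pack(">BBxxI", KEY_EVENT, 1, keysym) + struct.pack(">BBxxI", KEY_EVENT, 0, keysym)
# Constructed session: update request, click, "passwrd" fixed with two Backspaces, Shift, Enter, paste
SAMPLE = (struct.pack(">BBHHHH", FB_UPDATE_REQUEST, 1, 0, 0, 800, 600)
          + struct.pack(">BBHH", POINTER_EVENT, 1, 120, 80)
          + b"".join(_key(ord(c)) for c in "passwrd") + _key(XK_BACKSPACE) * 2
          + b"".join(_key(ord(c)) for c in "ord") + _key(0xffe1) + _key(XK_RETURN)
          + struct.pack(">BxxxI", CLIENT_CUT_TEXT, 10) + b"192.0.2.10")
```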

Luring the hackers

We built the honeypot to be attacked. To that end, we staged a leak of information to draw the attention of potential attackers. The following ports were open on the honeypot:

[Image] The ports open on the honeypot.

The RDP port had to be closed shortly after going live, because the huge volume of scanning traffic on our network was causing performance problems.
The VNC terminals initially ran in view-only mode without a password, and then we "by mistake" switched them to full-access mode.

To attract attackers, we published two posts on PasteBin with leaked information about the exposed industrial system.

[Image] One of the posts published on PasteBin to attract attacks. Source: Trend Micro

Attacks

The honeypot was online for about seven months. The first attack took place a month after the honeypot went online.

Scanners

There was a lot of traffic from the scanners of well-known companies - ip-ip, Rapid, Shadow Server, Shodan, ZoomEye and others. There were so many that we had to exclude their IP addresses from the analysis: 610 of 9452, or 6.45% of all unique IP addresses, belonged to entirely legitimate scanners.

Scammers

One of the biggest risks we faced was the use of our system for criminal purposes: buying smartphones through a subscriber's account, cashing out airline miles with gift cards, and other kinds of fraud.

Miners

One of the first visitors to our system turned out to be a miner. He downloaded Monero mining software onto it. He could not have earned much on our particular system because of its low performance. However, if the efforts of several dozen or even hundreds of such systems are combined, it can pay off quite well.

Ransomware

During the honeypot's operation we encountered real ransomware twice. In the first case it was Crysis. Its operators logged into the system via VNC, but then installed TeamViewer and used it for their further actions. After receiving an extortion message demanding a ransom of 10 thousand dollars in BTC, we entered into correspondence with the attackers, asking them to decrypt one of the files for us. They complied with the request and repeated the ransom demand. We managed to negotiate down to 6 thousand dollars, after which we simply redeployed the system on the virtual machine, since we had obtained all the information we needed.

The second ransomware turned out to be Phobos. The hacker who installed it spent an hour browsing the honeypot's file system and scanning the network before finally installing the ransomware.
The third ransomware attack turned out to be fake. An unknown "hacker" downloaded the file haha.bat to our system, after which we watched for a while as he tried to make it work. One of the attempts was to rename haha.bat to haha.rnsmwr.

[Image] The "hacker" increases the harmfulness of the bat file by changing its extension to .rnsmwr. Source: Trend Micro

When the batch file finally ran, the "hacker" edited it, raising the ransom from $200 to $750. After that he "encrypted" all the files, left an extortion message on the desktop and disappeared, changing the passwords on our VNC.

A few days later the attacker returned and, to remind us of himself, launched a batch file that opened many windows with a porn site. Evidently he was trying in this way to draw attention to his demand.

Conclusions

During the study it turned out that as soon as information about the vulnerability was published, the honeypot drew attention, with activity growing day by day. For the trap to attract attention, our fake company had to suffer multiple security breaches. Unfortunately, this situation is far from unusual among many real companies that lack full-time IT and information security staff.

In general, organisations should apply the principle of least privilege, whereas we applied the exact opposite to attract attackers. And the longer we observed the attacks, the more sophisticated they became compared with standard penetration-testing methods.

Most importantly, all of these attacks would have failed if adequate security measures had been implemented when the network was set up. Organisations must ensure that their equipment and industrial infrastructure components are not reachable from the Internet the way ours were in the trap.

Although we did not record a single attack on the engineer's workstation, even though we used the same local administrator password on all computers, this practice should be avoided to minimise the chance of intrusion. After all, weak security serves as one more invitation to attack industrial systems, which have long been of interest to cybercriminals.

Source: www.habr.com
