Customer data leak from the re:Store, Samsung, Sony Center, Nike, LEGO and Street Beat stores

Last week Kommersant reported that "the customer databases of Street Beat and Sony Center were publicly accessible", but in reality the situation is much worse than the article describes.


I have already published a detailed analysis of this leak on my Telegram channel, so here we will only go over the main points.

Disclaimer: all information below is published solely for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

An Elasticsearch server with the following indices was freely accessible:

  • greylog2_0
  • readme
  • unauth_text
  • http:
  • greylog2_1

greylog2_0 contained logs from 16.11.2018 to March 2019, and greylog2_1 contained logs from March 2019 to 04.06.2019. Until access to the Elasticsearch server was closed, the number of records in greylog2_1 kept growing.

According to the Shodan search engine, this Elasticsearch server had been freely accessible since 12.11.2018 (as noted above, the first entries in the logs are dated 16.11.2018).

In the logs, the gl2_remote_ip field contained the IP addresses 185.156.178.58 and 185.156.178.62, which have the DNS names srv2.inventive.ru and srv3.inventive.ru:


I notified Inventive Retail Group (www.inventive.ru) about the problem on 04.06.2019 at 18:25 (Moscow time), and by 22:30 the server had "quietly" disappeared from public access.

The logs contained (all figures are approximate; duplicates were not removed from the count, so the actual amount of leaked information may be smaller):

  • more than 3 million email addresses of customers of the re:Store, Samsung, Street Beat and Lego stores
  • more than 7 million phone numbers of customers of the re:Store, Sony, Nike, Street Beat and Lego stores
  • more than 21 thousand login/password pairs from the personal accounts of Sony and Street Beat store customers
  • many records with phone numbers and email addresses also contained full names (usually in Latin script) and loyalty card numbers.

An example from a log relating to a Nike store customer (all sensitive data has been replaced with "X" characters):

"message": "{"MESSAGE":"[URI] /personal/profile/[МЕТОД ЗАПРОСА] contact[ДАННЫЕ POST] Arrayn(n    [contact[phone]] => +7985026XXXXn    [contact[email]] => [email protected]    [contact[channel]] => n    [contact[subscription]] => 0n)n[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 27008290n    [brand] => NIKEn)n[ОТВЕТ СЕРВЕРА] Код ответа - 200[ОТВЕТ СЕРВЕРА] stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7985026XXXXn            [email] => [email protected]            [channel] => 0n            [subscription] => 0n        )nn)n","DATE":"31.03.2019 12:52:51"}",

And here is an example of how logins and passwords from customers' personal accounts on the sites sc-store.ru and street-beat.ru were stored:

"message":"{"MESSAGE":"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[МЕТОД ЗАПРОСА] personal[ДАННЫЕ  GET] Arrayn(n    [digital_id] => 26725117n    [brand]=> SONYn)n[ОТВЕТ СЕРВЕРА] Код ответа - [ОТВЕТ СЕРВЕРА] ","DATE":"22.04.2019 21:29:09"}"

IRG's official statement on this incident can be read here; an excerpt from it:

We could not ignore this report and changed the passwords of customer accounts to temporary ones in order to prevent data from personal accounts being used for fraudulent purposes. The company does not confirm a leak of street-beat.ru customer data. All Inventive Retail Group projects were additionally checked. No threat to customer data was found.

It is a pity that IRG cannot work out what leaked and what did not. Here is an example from a log relating to a Street Beat store customer:

"message": "{"MESSAGE":"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'МЕТОД ЗАПРОСА' = contact,'ДАННЫЕ POST' = Arrayn(n    [contact[phone]] => 7915545XXXXn)n,'ДАННЫЕ  GET' =nttArrayn(n    [digital_id] => 27016686n    [brand] => STREETBEATn)n,'ОТВЕТ СЕРВЕРА' = 'Код ответа - '200,'RESPONCE' = stdClass Objectn(n    [result] => successn    [contact] => stdClass Objectn        (n            [phone] => +7915545XXXXn            [email] => [email protected]","Дата":"01.04.2019 08:33:48"}",

Now, however, let us move on to the really bad news and explain why this is a leak of the personal data of IRG customers.

If you look closely at the indices of this publicly accessible Elasticsearch server, you will notice two names among them: readme and unauth_text. This is the typical signature of one of the many ransomware scripts. It has hit more than 4 thousand Elasticsearch servers around the world. The content of readme looks like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

While the server with the IRG logs was freely accessible, the ransomware script found the customer data and, judging by the message it left behind, the data was taken.
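A defender-side check for the two signals discussed above, the ransom-note index names and the plaintext credentials in the logged login URI. This is an added example, not code from the article or from IRG; the index names, the list of secret parameters and the "[URI] <path>[...]" message layout are assumptions modelled on the samples on the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Index names the article identifies as the marker left by the Elasticsearch
# ransomware script; matched case-insensitively (assumption).
RANSOM_MARKER_INDICES = {"readme", "unauth_text"}
# Query parameters that must never be written to a log (assumed list, taken
# from the parameters visible in the page's login log line).
SECRET_PARAMS = {"password", "sessid"}
# A Graylog-style MESSAGE field starts with "[URI] <path>" followed by the
# next "[...]" section, so the URI runs up to the next "[" or whitespace.
URI_RE = re.compile(r"(\[URI\]\s*)([^\[\s]+)")


def ransom_markers(index_names):
    """Return the index names that match the known ransom-note indices."""
    return sorted(n for n in index_names if n.lower() in RANSOM_MARKER_INDICES)


def leaked_params(message):
    """Return the secret query parameters present in the URI of a MESSAGE."""
    m = URI_RE.search(message)
    if not m:
        return []
    pairs = parse_qsl(urlsplit(m.group(2)).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SECRET_PARAMS})


def redact_message(message):
    """Rewrite the logged URI so that secret parameter values read REDACTED."""
    def _fix(m):
        parts = urlsplit(m.group(2))
        pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        return m.group(1) + urlunsplit(parts._replace(query=urlencode(pairs)))
    return URI_RE.sub(_fix, message)


# Constructed sample modelled on the page's index list and login log line.
SAMPLE_INDICES = ["greylog2_0", "readme", "unauth_text", "greylog2_1"]
SAMPLE_MESSAGE = ("[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260"
                  "&login=XXX%40gmail.com&password=XXX&remember=Y[METHOD] personal")

if __name__ == "__main__":
    print("ransom markers:", ransom_markers(SAMPLE_INDICES))
    print("leaked params :", leaked_params(SAMPLE_MESSAGE))
    print("redacted      :", redact_message(SAMPLE_MESSAGE))
```

The same two checks can be run against a real `_cat/indices` listing and a log export; the redaction belongs in the application before the request line ever reaches Graylog.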

In addition, I have no doubt that this database was found before me and had already been downloaded. I would even say I am certain of it. It is no secret that open databases like this are deliberately hunted for and pumped out.

News about information leaks and insiders can always be found on my Telegram channel "Information leaks": https://t.me/dataleak.

Source: www.habr.com
