Leak of customer data from re:Store, Samsung, Sony Centre, Nike, LEGO and Street Beat stores

Last week Kommersant reported that "the customer databases of Street Beat and Sony Centre were in the public domain", but in reality things are much worse than what that article describes.


I have already published a detailed technical analysis of this leak in my Telegram channel, so here I will only go over the main points.

Disclaimer: all information below is published solely for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Yet another Elasticsearch server with freely accessible indices was discovered:

  • graylog2_0
  • readme
  • unauth_text
  • http:
  • graylog2_1

graylog2_0 holds records from 16.11.2018 to March 2019, and graylog2_1 holds records from March 2019 to 04.06.2019. Until access to the Elasticsearch instance was closed, the number of records in graylog2_1 kept growing.

According to the Shodan search engine, this Elasticsearch instance had been freely accessible since 12.11.2018 (as noted above, the earliest log entries are dated 16.11.2018).

In the logs, the gl2_remote_ip field contained the IP addresses 185.156.178.58 and 185.156.178.62, whose DNS names are srv2.inventive.ru and srv3.inventive.ru.


I notified Inventive Retail Group (www.inventive.ru) about the problem on 04.06.2019 at 18:25 (Moscow time), and at 22:30 the server "quietly" disappeared from public access.

The records contained (all figures are approximate; duplicates were not removed from the counts, so the real amount of leaked information is probably smaller):

  • more than 3 million customer e-mail addresses from the re:Store, Samsung, Street Beat and Lego stores
  • more than 7 million customer phone numbers from the re:Store, Sony, Nike, Street Beat and Lego stores
  • more than 21 thousand login/password pairs for the personal accounts of Sony and Street Beat store customers
  • Most records containing phone numbers and e-mails also included full names (usually in Latin script) and loyalty card numbers.

An example of a record relating to a Nike store customer (all sensitive data has been replaced with "X" characters):

"message": "{\"MESSAGE\":\"[URI] /personal/profile/[REQUEST METHOD] contact[POST DATA] Array\n(\n    [contact[phone]] => +7985026XXXX\n    [contact[email]] => [email protected]\n    [contact[channel]] => \n    [contact[subscription]] => 0\n)\n[GET DATA] Array\n(\n    [digital_id] => 27008290\n    [brand] => NIKE\n)\n[SERVER RESPONSE] Response code - 200[SERVER RESPONSE] stdClass Object\n(\n    [result] => success\n    [contact] => stdClass Object\n        (\n            [phone] => +7985026XXXX\n            [email] => [email protected]\n            [channel] => 0\n            [subscription] => 0\n        )\n\n)\n\",\"DATE\":\"31.03.2019 12:52:51\"}",

And here is an example of how the logins and passwords of customers' personal accounts on the sites sc-store.ru and street-beat.ru were stored (note that the credentials travel in the GET query string and are written to the log verbatim):

"message":"{\"MESSAGE\":\"[URI]/action.php?a=login&sessid=93164e2632d9bd47baa4e51d23ac0260&login=XXX%40gmail.com&password=XXX&remember=Y[REQUEST METHOD] personal[GET DATA] Array\n(\n    [digital_id] => 26725117\n    [brand]=> SONY\n)\n[SERVER RESPONSE] Response code - [SERVER RESPONSE] \",\"DATE\":\"22.04.2019 21:29:09\"}"

IRG's official statement on this incident can be read here; quoting from it:

We could not ignore this point, and we changed the passwords of customers' personal accounts to temporary ones in order to rule out any possible use of personal account data for fraudulent purposes. The company does not confirm a leak of the personal data of street-beat.ru customers. All Inventive Retail Group projects were also checked. No threat to customers' personal data was found.

It is unfortunate that IRG could not work out what had leaked and what had not. Here is an example of a log record relating to a Street Beat store customer:

"message": "{\"MESSAGE\":\"'DATA' => ['URI' => /local/components/multisite/order/ajax.php,'REQUEST METHOD' = contact,'POST DATA' = Array\n(\n    [contact[phone]] => 7915545XXXX\n)\n,'GET DATA' =\n\t\tArray\n(\n    [digital_id] => 27016686\n    [brand] => STREETBEAT\n)\n,'SERVER RESPONSE' = 'Response code - '200,'RESPONCE' = stdClass Object\n(\n    [result] => success\n    [contact] => stdClass Object\n        (\n            [phone] => +7915545XXXX\n            [email] => [email protected]\",\"Date\":\"01.04.2019 08:33:48\"}",
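The three records above show the real defect behind the leak: the application logs full request data, including passwords and session ids from the login query string and phone numbers and e-mails from form posts, and Graylog stores it all. The following is an added example, not code from the original post, from IRG or from Graylog. It scans Graylog-style documents for exactly these items, counts the exposure the way the figures above were counted, and redacts them before they reach a log store. The three sample documents are constructed to mirror the two record layouts quoted above (the bracketed "[URI] ... [POST DATA]" layout and the quoted "'URI' => ..." layout); the field labels, customer values, session id and digital_id numbers are placeholders, and the list of parameter names treated as secrets is an assumption.

```python
"""Find and redact credentials and PII in Graylog-style application log messages.

Added example for this article; not code from the original post, from IRG or
from Graylog. SAMPLE_DOCS is constructed (placeholder customers, placeholder
session id, placeholder digital_id); SECRET_PARAMS is an assumed list.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameters whose values must never reach a log (assumed list).
SECRET_PARAMS = {"password", "pass", "passwd", "pwd", "sessid", "token", "auth"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Russian mobile numbers as they appear in the records: optional '+', '7', ten digits.
PHONE_RE = re.compile(r"(?<!\d)\+?7\d{10}(?!\d)")
# Both URI spellings seen in the article's records; group 1 = label, group 2 = URI.
URI_RE = re.compile(r"((?:\[URI\]|'URI' =>)\s*)([^\s\[,]+)")

SAMPLE_DOCS = [
    {   # profile update: phone and e-mail in POST data (bracketed layout)
        "gl2_remote_ip": "185.156.178.58",
        "message": json.dumps({
            "MESSAGE": "[URI] /personal/profile/[REQUEST METHOD] contact[POST DATA] Array\n(\n"
                       "    [contact[phone]] => +79850000001\n    [contact[email]] => ivan@example.com\n)\n"
                       "[GET DATA] Array\n(\n    [digital_id] => 10000001\n    [brand] => NIKE\n)\n",
            "DATE": "31.03.2019 12:52:51"}),
    },
    {   # login: credentials and session id in the query string (bracketed layout)
        "gl2_remote_ip": "185.156.178.62",
        "message": json.dumps({
            "MESSAGE": "[URI]/action.php?a=login&sessid=0123456789abcdef0123456789abcdef"
                       "&login=anna%40example.com&password=Hunter2&remember=Y[REQUEST METHOD] personal",
            "DATE": "22.04.2019 21:29:09"}),
    },
    {   # order form: phone in POST data (quoted layout)
        "gl2_remote_ip": "185.156.178.58",
        "message": json.dumps({
            "MESSAGE": "'DATA' => ['URI' => /local/components/multisite/order/ajax.php,"
                       "'REQUEST METHOD' = contact,'POST DATA' = Array\n(\n    [contact[phone]] => 79150000002\n)\n",
            "Date": "01.04.2019 08:33:48"}),
    },
]


def message_of(doc):
    """Unwrap the application MESSAGE string nested inside a Graylog document."""
    return json.loads(doc["message"])["MESSAGE"]


def classify_message(text):
    """Report what one MESSAGE string exposes: secret params, e-mails, phones."""
    m = URI_RE.search(text)
    parts = urlsplit(m.group(2) if m else "")
    params = parse_qsl(parts.query, keep_blank_values=True)
    decoded = text + " " + " ".join(v for _, v in params)  # catches percent-encoded e-mails
    return {
        "path": parts.path,
        "secret_params": sorted({k for k, _ in params if k.lower() in SECRET_PARAMS}),
        "emails": sorted(set(EMAIL_RE.findall(decoded))),
        "phones": sorted(set(PHONE_RE.findall(decoded))),
    }


def redact_message(text):
    """Return the message with secret params, e-mails and phone numbers masked."""
    def _scrub_uri(m):
        parts = urlsplit(m.group(2))
        cleaned = []
        for k, v in parse_qsl(parts.query, keep_blank_values=True):
            if k.lower() in SECRET_PARAMS:
                v = "REDACTED"
            else:
                v = PHONE_RE.sub("PHONE", EMAIL_RE.sub("EMAIL", v))
            cleaned.append((k, v))
        return m.group(1) + urlunsplit(parts._replace(query=urlencode(cleaned)))
    text = URI_RE.sub(_scrub_uri, text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def redact_doc(doc):
    """Redact the nested JSON "message" field of one Graylog document."""
    payload = json.loads(doc["message"])
    payload["MESSAGE"] = redact_message(payload["MESSAGE"])
    return {**doc, "message": json.dumps(payload, ensure_ascii=False)}


def scan_docs(docs):
    """Aggregate exposure across a batch of documents, as the leak analysis counted it."""
    creds, emails, phones, sources = 0, set(), set(), set()
    for doc in docs:
        f = classify_message(message_of(doc))
        creds += bool(f["secret_params"])
        emails |= set(f["emails"])
        phones |= set(f["phones"])
        sources.add(doc.get("gl2_remote_ip"))
    return {"docs": len(docs), "with_credentials": creds,
            "unique_emails": len(emails), "unique_phones": len(phones),
            "log_sources": sorted(s for s in sources if s)}


if __name__ == "__main__":
    print(json.dumps(scan_docs(SAMPLE_DOCS), indent=2))
    for doc in SAMPLE_DOCS:
        print(message_of(redact_doc(doc)))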

Now, however, let's get to the worst news and explain why this is a leak of IRG customers' personal data.

If you look closely at the list of freely accessible Elasticsearch indices, you will notice two names among them: readme and unauth_text. These are the marks left by one of the many Elasticsearch ransomware scripts, which have hit more than 4 thousand Elasticsearch servers worldwide. The contents of readme look like this:

"ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND 0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"

So while the server with IRG's logs was freely accessible, the ransomware script actually reached the customer information and, judging by the message it left behind, the data was downloaded.
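Two checks underlie this conclusion: the index listing near the top of the article, and the note stored in the readme index. As an added example, not code from the original post, from IRG, from Graylog or from Shodan, the script below performs that triage offline: it separates ransomware marker indices from application indices, sizes the exposed application data, and extracts the note text and Bitcoin address from a marker index. The two responses it works on are constructed to match the article (the shape of GET /_cat/indices?format=json and of GET /readme/_search); the document counts, store sizes and the "message" field name are placeholders, and every marker name other than readme and unauth_text is an assumption drawn from similar campaigns.

```python
"""Triage the index list of an exposed Elasticsearch node for ransomware markers.

Added example for this article; not code from the original post, from IRG,
from Graylog or from Shodan. SAMPLE_CAT_INDICES and SAMPLE_README_SEARCH are
constructed; counts, sizes and the "message" field name are placeholders.
"""
import json
import re
import urllib.request

# Index names that are ransomware drop markers rather than application data.
# "readme" and "unauth_text" are from the article; the others are assumed.
RANSOM_MARKERS = {"readme", "read_me", "unauth_text", "warning", "please_read"}
# Legacy (P2PKH/P2SH) Bitcoin address, the form used in the quoted note.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Constructed GET /_cat/indices?format=json reply modelled on the article's index list.
SAMPLE_CAT_INDICES = json.loads("""[
 {"health":"green","status":"open","index":"graylog2_0","docs.count":"18000000","store.size":"12gb"},
 {"health":"green","status":"open","index":"readme","docs.count":"1","store.size":"4kb"},
 {"health":"green","status":"open","index":"unauth_text","docs.count":"1","store.size":"4kb"},
 {"health":"yellow","status":"open","index":"http:","docs.count":"3","store.size":"9kb"},
 {"health":"green","status":"open","index":"graylog2_1","docs.count":"9000000","store.size":"7gb"}
]""")

# Constructed GET /readme/_search reply carrying the note quoted in the article.
SAMPLE_README_SEARCH = {"hits": {"hits": [{"_index": "readme", "_source": {"message":
    "ALL YOUR INDEX AND ELASTICSEARCH DATA HAVE BEEN BACKED UP AT OUR SERVERS, TO RESTORE SEND "
    "0.1 BTC TO THIS BITCOIN ADDRESS 14ARsVT9vbK4uJzi78cSWh1NKyiA2fFJf3 THEN SEND AN EMAIL WITH "
    "YOUR SERVER IP, DO NOT WORRY, WE CAN NEGOCIATE IF CAN NOT PAY"}}]}}


def triage_indices(cat_indices):
    """Separate ransomware markers from application indices and size the exposure."""
    markers, app_docs = [], {}
    for entry in cat_indices:
        name = entry["index"]
        if name.lower() in RANSOM_MARKERS:
            markers.append(name)
        else:
            # docs.count is null for closed indices; treat that as 0
            app_docs[name] = int(entry.get("docs.count") or 0)
    return {
        "ransom_markers": sorted(markers),
        "app_indices": sorted(app_docs),
        "app_docs_total": sum(app_docs.values()),
        "visited_by_ransomware": bool(markers),
    }


def extract_ransom_notes(search_response):
    """Pull note text and Bitcoin addresses out of a _search reply for a marker index."""
    notes = []
    for hit in search_response.get("hits", {}).get("hits", []):
        for value in hit.get("_source", {}).values():
            if isinstance(value, str) and BTC_RE.search(value):
                notes.append({"index": hit.get("_index"),
                              "btc": BTC_RE.findall(value), "text": value})
    return notes


def assess(cat_indices, marker_notes):
    """Verdict in the article's terms: is application data exposed, and had someone
    already been through the node before the owner closed it."""
    report = triage_indices(cat_indices)
    report["btc_addresses"] = sorted({a for n in marker_notes for a in n["btc"]})
    if report["visited_by_ransomware"] and report["app_docs_total"] > 0:
        report["verdict"] = "application data exposed AND already visited by ransomware"
    elif report["app_docs_total"] > 0:
        report["verdict"] = "application data exposed"
    else:
        report["verdict"] = "no application data found"
    return report


def fetch_json(base_url, path, timeout=10):
    """Live fetch for a node you are authorised to test, e.g.
    fetch_json("http://host:9200", "/_cat/indices?format=json"). Not used offline."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    notes = extract_ransom_notes(SAMPLE_README_SEARCH)
    print(json.dumps(assess(SAMPLE_CAT_INDICES, notes), indent=2))
```

One caveat for anyone running this against a node they own: the note's claim that the data was "backed up" cannot be verified from the note itself, so the presence of marker indices tells you the node was reached and written to by a third party, while what was actually read out has to come from the node's own access logs, if any exist.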

Moreover, I have no doubt that this data had been found before me and downloaded earlier. I would even say I am sure of it. It is no secret that open information of this kind is deliberately searched for and extracted.

News about leaks and insiders can always be found in my Telegram channel "Data Leaks": https://t.me/dataleak.

Source: www.habr.com
