Ukuphenya amacala ahlobene nobugebengu bokweba imininingwane ebucayi, ama-botnets, ukuthengiselana okuwumgunyathi namaqembu ezigebengu ezigebengayo, ochwepheshe be-Group-IB sebeneminyaka eminingi besebenzisa ukuhlaziya igrafu ukuze bahlonze izinhlobo ezihlukahlukene zokuxhuma. Izimo ezihlukene zinamasethi azo edatha, ama-algorithms azo okuhlonza ukuxhumana, kanye nezindawo zokusebenzelana eziklanyelwe imisebenzi ethile. Wonke la mathuluzi athuthukiswe ngaphakathi yi-Group-IB futhi atholakala kubasebenzi bethu kuphela.

Ukuhlaziywa kwegrafu yengqalasizinda yenethiwekhi (igrafu yenethiwekhi) ibe yithuluzi lokuqala langaphakathi esakhele kuyo yonke imikhiqizo yomphakathi yenkampani. Ngaphambi kokudala igrafu yethu yenethiwekhi, sihlaziye intuthuko eminingi efanayo emakethe futhi asizange sithole umkhiqizo owodwa owanelisa izidingo zethu. Kulesi sihloko sizokhuluma ngokuthi sidale kanjani igrafu yenethiwekhi, ukuthi siyisebenzisa kanjani nokuthi yiziphi izinkinga esihlangabezane nazo.

UDmitry Volkov, I-CTO Group-IB kanye nenhloko ye-cyber intelligence

Yini engenziwa igrafu yenethiwekhi ye-Group-IB?

Uphenyo

Kusukela kwasungulwa i-Group-IB ngo-2003 kuze kube manje, ukuhlonza, ukudicilela phansi kanye nokuletha izigebengu zama-inthanethi kube yinto eseqhulwini emsebenzini wethu. Akukho nophenyo olulodwa lwe-cyberattack oluqediwe ngaphandle kokuhlaziya ingqalasizinda yenethiwekhi yabahlaseli. Ekuqaleni kohambo lwethu, “kwakuwumsebenzi wezandla” onzima kakhulu ukucinga ubudlelwano obungasiza ekuhlonzeni izigebengu: ulwazi olumayelana namagama esizinda, amakheli e-IP, izigxivizo zeminwe zedijithali zamaseva, njll.

Abahlaseli abaningi bazama ukwenza ngokungaziwa ngangokunokwenzeka kunethiwekhi. Nokho, njengabo bonke abantu, bayawenza amaphutha. Umgomo oyinhloko wokuhlaziya okunjalo ukuthola amaphrojekthi omlando “amhlophe” noma “ampunga” abahlaseli anempambano nengqalasizinda enonya esetshenziswe kusigameko samanje esisiphenyayo. Uma kungenzeka ukuthola "amaphrojekthi amhlophe", khona-ke ukuthola umhlaseli, njengomthetho, kuba umsebenzi omncane. Endabeni "yempunga", ukusesha kuthatha isikhathi esiningi nomzamo, njengoba abanikazi babo bezama ukufihla noma ukufihla idatha yokubhalisa, kodwa amathuba ahlala eningi kakhulu. Njengomthetho, ekuqaleni kwezenzo zabo zobugebengu, abahlaseli abanaki kancane ukuphepha kwabo futhi benza amaphutha amaningi, ngakho-ke lapho sijula ​​kakhulu endabeni, ayanda amathuba ophenyo oluyimpumelelo. Yingakho igrafu yenethiwekhi enomlando omuhle iyingxenye ebaluleke kakhulu yophenyo olunjalo. Kalula nje, idatha yomlando ejulile inkampani enayo, iba ngcono igrafu yayo. Ake sithi umlando weminyaka emi-5 ungasiza ekuxazululeni, ngokwemibandela, ubugebengu obu-1-2 kwabayi-10, futhi umlando weminyaka engu-15 unikeza ithuba lokuxazulula zonke eziyishumi.

Ukutholwa kobugebengu bokweba imininingwane ebucayi nokukhwabanisa

Ngaso sonke isikhathi lapho sithola isixhumanisi esisolisayo sobugebengu bokweba imininingwane ebucayi, esiwumgunyathi noma esikokotelwe, sakha ngokuzenzakalelayo igrafu yezinsiza zenethiwekhi ezihlobene futhi sihlole bonke abasingathi abatholiwe bokuqukethwe okufanayo. Lokhu kukuvumela ukuthi uthole womabili amasayithi obugebengu bokweba imininingwane ebucayi abesebenza kodwa angaziwa, kanye namasha ngokuphelele alungiselwe ukuhlaselwa okuzayo, kodwa angakasetshenziswa. Isibonelo sokuqala esenzeka kaningi: sithole isayithi lobugebengu bokweba imininingwane ebucayi kuseva enamasayithi angu-5 kuphela. Ngokuhlola ngayinye yazo, sithola okuqukethwe kobugebengu bokweba imininingwane ebucayi kwamanye amasayithi, okusho ukuthi singavimba u-5 esikhundleni sika-1.

Sesha okungemuva

Le nqubo iyadingeka ukuze kutholwe ukuthi iseva enobungozi ihlala kuphi.
U-99% wezitolo zamakhadi, izinkundla zabaduni, izinsiza eziningi zobugebengu bokweba imininingwane ebucayi namanye amaseva anonya afihlwe ngemuva kokubili kwamaseva awo ababamba kanye nama-proxi wezinsizakalo ezisemthethweni, isibonelo, i-Cloudflare. Ulwazi mayelana ne-backend yangempela lubaluleke kakhulu ekuphenyweni: umhlinzeki wokusingatha lapho iseva ingabanjwa khona uyaziwa, futhi kuyenzeka ukwakha ukuxhumana namanye amaphrojekthi anonya.

Isibonelo, unesayithi lobugebengu bokweba imininingwane ebucayi yokuqoqa idatha yekhadi lasebhange elixazululeka kukheli lasesizindeni se-inthanethi elithi 11.11.11.11, kanye nekheli le-cardshop elixazululeka kukheli lasesizindeni se-inthanethi elingu-22.22.22.22. Ngesikhathi sokuhlaziya, kungase kuvele ukuthi kokubili isayithi lobugebengu bokweba imininingwane ebucayi kanye nesitolo samakhadi kunekheli le-IP elivamile le-backend, isibonelo, 33.33.33.33. Lolu lwazi lusivumela ukuthi sakhe ukuxhumana phakathi kokuhlaselwa kobugebengu bokweba imininingwane ebucayi kanye nesitolo samakhadi lapho idatha yekhadi lasebhange ingathengiswa khona.

Ukuhlobana komcimbi

Uma unezibangeli ezimbili ezihlukene (ake sithi ku-IDS) ezinohlelo olungayilungele ikhompuyutha namaseva ahlukene ukuze ulawule ukuhlasela, uzoziphatha njengemicimbi emibili ezimele. Kodwa uma kukhona ukuxhumana okuhle phakathi kwengqalasizinda enonya, khona-ke kuba sobala ukuthi lokhu akukona ukuhlasela okuhlukile, kodwa izigaba zokuhlasela okukodwa, okuyinkimbinkimbi kwezigaba eziningi. Futhi uma esinye sezehlakalo sesivele sibalulwe kunoma yiliphi iqembu labahlaseli, khona-ke owesibili angaphinde abalwe eqenjini elifanayo. Vele, inqubo yokulinganisa iyinkimbinkimbi kakhulu, ngakho-ke phatha lokhu njengesibonelo esilula.

Ukunothiswa kwenkomba

Ngeke sikunake kakhulu lokhu, njengoba lesi kuyisimo esivame kakhulu sokusebenzisa amagrafu ku-cybersecurity: unikeza inkomba eyodwa njengokungenayo, futhi njengokukhiphayo uthola izinkomba eziningi ezihlobene.

Ukuhlonza amaphethini

Ukuhlonza amaphethini kubalulekile ekuzingeleni okuphumelelayo. Amagrafu akuvumela ukuthi ungagcini nje ngokuthola izakhi ezihlobene, kodwa futhi ukukhomba izakhiwo ezivamile eziyisici seqembu elithile labaduni. Ulwazi lwezici ezinjalo eziyingqayizivele lukuvumela ukuthi ubone ingqalasizinda yomhlaseli ngisho nasesiteji sokulungiselela futhi ngaphandle kobufakazi obuqinisekisa ukuhlasela, njengama-imeyili obugebengu bokweba imininingwane ebucayi noma uhlelo olungayilungele ikhompuyutha.

Kungani sizenzele eyethu igrafu yenethiwekhi?

Futhi, sibheke izixazululo kubathengisi abahlukene ngaphambi kokuba sifinyelele esiphethweni sokuthi sidinga ukuthuthukisa ithuluzi lethu elingenza into okungekho umkhiqizo okhona ongayenza. Kwathatha iminyaka eminingana ukuyidala, lapho sayishintsha ngokuphelele izikhathi eziningana. Kodwa, naphezu kwesikhathi eside sokuthuthuka, asikakayitholi i-analogue eyodwa ezokwanelisa izidingo zethu. Sisebenzisa owethu umkhiqizo, ekugcineni sikwazile ukuxazulula cishe zonke izinkinga esizithole kumagrafu enethiwekhi akhona. Ngezansi sizocubungula lezi zinkinga ngokuningiliziwe:

Inkinga
Isixazululo

Ukushoda komhlinzeki ngamaqoqo ahlukene wedatha: izizinda, i-DNS engenzi lutho, i-SSL yokwenziwa, amarekhodi e-DNS, izimbobo ezivulekile, izinsiza ezisebenzayo kumachweba, amafayela asebenzisana namagama wesizinda namakheli e-IP. Incazelo. Ngokuvamile, abahlinzeki bahlinzeka ngezinhlobo ezihlukene zedatha, futhi ukuze uthole isithombe esigcwele, udinga ukuthenga okubhaliselwe kuwo wonke umuntu. Noma kunjalo, akwenzeki ngaso sonke isikhathi ukuthola yonke idatha: abanye abahlinzeki be-SSL abangenzi lutho bahlinzeka ngedatha kuphela mayelana nezitifiketi ezikhishwe ama-CA athembekile, futhi ukufakwa kwabo kwezitifiketi ezizisayinele kubi kakhulu. Abanye futhi bahlinzeka ngedatha kusetshenziswa izitifiketi ezizisayinele, kodwa iqoqe kuphela ezimbobeni ezijwayelekile.
Siqoqe wonke amaqoqo angenhla ngokwethu. Isibonelo, ukuqoqa idatha mayelana nezitifiketi ze-SSL, sibhale isevisi yethu eziqoqa kokubili kuma-CA athembekile nangokuskena sonke isikhala se-IPv4. Izitifiketi aziqoqwanga kuphela ku-IP, kodwa futhi nakuzo zonke izizinda nezizinda ezingaphansi kusizindalwazi sethu: uma unesizinda esithi example.com kanye nesizinda saso esincane. www.example.com futhi bonke banquma ku-IP 1.1.1.1, khona-ke uma uzama ukuthola isitifiketi se-SSL ku-port 443 ku-IP, isizinda kanye nesizinda saso esingaphansi kwesinye, ungathola imiphumela emithathu ehlukene. Ukuze siqoqe idatha ezimbobeni ezivulekile kanye nezinsiza ezisebenzayo, bekufanele sidale isistimu yethu yokuskena esabalalisiwe, ngoba ezinye izinsiza zazivame ukuba namakheli e-IP eziphakeli zazo zokuskena “ezinhlwini ezimnyama.” Iziphakeli zethu zokuskena nazo zigcina sezisohlwini oluvinjelwe, kodwa umphumela wokuthola amasevisi esiwadingayo uphakeme kunalowo walabo abavele baskene izimbobo eziningi ngangokunokwenzeka futhi bathengise ukufinyelela kule datha.

Ukuntuleka kokufinyelela kuyo yonke imininingwane egciniwe yamarekhodi omlando. Incazelo. Wonke umnikezeli ojwayelekile unomlando omuhle oqoqwe, kodwa ngenxa yezizathu ezingokwemvelo thina, njengeklayenti, asikwazanga ukufinyelela kuyo yonke idatha yomlando. Labo. Ungathola wonke umlando ngerekhodi elilodwa, isibonelo, ngesizinda noma ikheli le-IP, kodwa awukwazi ukubona umlando wakho konke - futhi ngaphandle kwalokhu awukwazi ukubona isithombe esigcwele.
Ukuze siqoqe amarekhodi amaningi omlando ezizindeni ngangokunokwenzeka, sathenga imininingwane egciniwe ehlukahlukene, sahlukanisa izinsiza eziningi ezivuliwe ezazinalo mlando (kuhle ukuthi beziningi zazo), futhi saxoxisana nababhali begama lesizinda. Zonke izibuyekezo zamaqoqo ethu vele zigcinwa nomlando wokubuyekeza ogcwele.

Zonke izixazululo ezikhona zikuvumela ukuthi wakhe igrafu ngesandla. Incazelo. Ake sithi uthenge okubhaliselwe okuningi kubo bonke abangaba abahlinzeki bedatha (ngokuvamile okubizwa ngokuthi "abanothisi"). Uma udinga ukwakha igrafu, wena "izandla" unikeza umyalo wokwakha kusukela kusici sokuxhuma oyifunayo, bese ukhetha okudingekayo ezakhini ezivelayo futhi unikeze umyalo wokuqedela ukuxhumana okuvela kuzo, njalonjalo. Kulokhu, umthwalo wemfanelo wokuthi igrafu izokwakhiwa kahle kangakanani ukumuntu ngokuphelele.
Senza ukwakhiwa okuzenzakalelayo kwamagrafu. Labo. uma udinga ukwakha igrafu, khona-ke ukuxhumana okuvela entweni yokuqala kwakhiwe ngokuzenzakalelayo, bese kusuka kuzo zonke ezilandelayo, futhi. Uchwepheshe ubonisa kuphela ukujula lapho igrafu idinga ukwakhiwa khona. Inqubo yokuqedela amagrafu ngokuzenzakalelayo ilula, kodwa abanye abathengisi abayisebenzisi ngoba ikhiqiza inani elikhulu lemiphumela engabalulekile, futhi kwakudingeka sicabangele lesi sici (bheka ngezansi).

Imiphumela eminingi engabalulekile iyinkinga yawo wonke amagrafu we-elementi yenethiwekhi. Incazelo. Isibonelo, "isizinda esibi" (esibambe iqhaza ekuhlaselweni) sihlotshaniswa neseva enezinye izizinda ezingama-10 ezihlotshaniswa naso phakathi neminyaka eyi-500 edlule. Lapho wengeza ngokuzenzela noma wakha ngokuzenzakalelayo igrafu, zonke lezi zizinda ezingama-500 kufanele zivele kugrafu, nakuba zingahlobene nokuhlasela. Noma, isibonelo, uhlola inkomba ye-IP kusuka kumbiko wokuphepha womthengisi. Ngokuvamile, imibiko enjalo ikhishwa ngokubambezeleka okukhulu futhi ngokuvamile ithatha unyaka noma ngaphezulu. Kungenzeka ukuthi, ngesikhathi ufunda umbiko, iseva enaleli kheli lasesizindeni se-inthanethi isivele iqashelwe abanye abantu abanokunye ukuxhumana, futhi ukwakha igrafu kuzophinde kuphumele ekutheni uthole imiphumela engabalulekile.
Siqeqeshe isistimu ukukhomba izinto ezingabalulekile sisebenzisa ingqondo efanayo njengoba ochwepheshe bethu benzile mathupha. Isibonelo, uhlola isizinda esibi example.com, manje esixazulula ku-IP 11.11.11.11, kanye nenyanga edlule - kuya ku-IP 22.22.22.22. Ngaphezu kwesizinda sesizinda esithi example.com, i-IP 11.11.11.11 iphinde ihlotshaniswe ne-example.ru, futhi i-IP 22.22.22.22 ihlotshaniswa nezinye izizinda eziyizinkulungwane ezingama-25. Uhlelo, njengomuntu, luyaqonda ukuthi i-11.11.11.11 cishe iyiseva ezinikezele, futhi njengoba isizinda se-example.ru sifana nesipelingi ku-example.com, ngakho-ke, ngokusemathubeni aphezulu, axhumekile futhi kufanele abe ku- igrafu; kodwa i-IP 22.22.22.22 ingeyokusingathwa okwabiwe, ngakho zonke izizinda zayo azidingi ukufakwa kugrafu ngaphandle uma kukhona okunye ukuxhumana okubonisa ukuthi enye yalezi zizinda eziyizinkulungwane ezingama-25 nayo idinga ukufakwa (isibonelo, isibonelo.net) . Ngaphambi kokuthi isistimu iqonde ukuthi ukuxhumana kudinga ukuphulwa futhi ezinye izici zingathuthelwa kugrafu, kucabangela izici eziningi zezakhi namaqoqo lapho lezi zakhi zihlanganiswa khona, kanye namandla okuxhumana kwamanje. Isibonelo, uma sineqoqo elincane (izakhi ezingu-50) kugrafu, elihlanganisa isizinda esibi, kanye nelinye iqoqo elikhulu (ama-elementi ayizinkulungwane ezingu-5) futhi womabili amaqoqo axhunywe uxhumano (umugqa) onamandla aphansi kakhulu (isisindo) , khona-ke ukuxhumana okunjalo kuzophulwa futhi izakhi ezivela kuqoqo elikhulu zizokhishwa. Kodwa uma kukhona ukuxhumana okuningi phakathi kwamaqoqo amancane namakhulu futhi amandla awo akhula kancane kancane, khona-ke kulesi simo uxhumano ngeke luphuke futhi izakhi ezidingekayo ezivela kuzo zombili amaqoqo zizohlala kugrafu.

Iseva nesikhawu sobunikazi besizinda asicatshangelwa. Incazelo. "Izizinda ezimbi" zizophelelwa yisikhathi maduze noma ziphinde zithengwe ngezinjongo ezinonya noma ezisemthethweni. Ngisho namaseva abamba amabhulethi aqashwa kubaduni abahlukene, ngakho-ke kubalulekile ukwazi futhi ucabangele isikhathi lapho isizinda/iseva ethile yayingaphansi komnikazi oyedwa. Sivame ukuhlangana nesimo lapho iseva ene-IP 11.11.11.11 manje isisetshenziswa njenge-C&C yebhothi yasebhange, futhi ezinyangeni ezi-2 ezedlule ibilawulwa yi-Ransomware. Uma sakha uxhumano ngaphandle kokucabangela izikhathi zobunikazi be-akhawunti, kuzobukeka sengathi kukhona ukuxhumana phakathi kwabanikazi be-botnet yasebhange kanye ne-ransomware, nakuba empeleni kungekho. Emsebenzini wethu, iphutha elinjalo libalulekile.
Sifundise uhlelo ukunquma izikhawu zobunikazi. Ezizindeni lokhu kulula, ngoba i-whois ivame ukuqukatha izinsuku zokuqala zokubhalisa nokuphelelwa yisikhathi futhi, uma kunomlando ophelele wezinguquko ze-whois, kulula ukunquma izikhathi. Uma ukubhaliswa kwesizinda kungakaphelelwa yisikhathi, kodwa ukuphathwa kwaso kudluliselwe kwabanye abanikazi, kungalandelelwa futhi. Ayikho inkinga enjalo yezitifiketi ze-SSL, ngoba zikhishwa kanye futhi azivuselelwa noma zidluliselwe. Kodwa ngezitifiketi ezizisayinele wena, awukwazi ukwethemba amadethi ashiwo esikhathini sokuqinisekisa sesitifiketi, ngoba ungakwazi ukukhiqiza isitifiketi se-SSL namuhla, futhi ucacise idethi yokuqala yesitifiketi kusukela ngo-2010. Into enzima kakhulu ukucacisa izikhawu zobunikazi zamaseva, ngoba abahlinzeki bokusingatha kuphela abanezinsuku nezikhathi zokuqashwa. Ukuze sinqume isikhathi sobunikazi beseva, siqale ukusebenzisa imiphumela yokuskena kwembobo nokudala izigxivizo zeminwe zokusebenzisa amasevisi ezimbobeni. Ngokusebenzisa lolu lwazi, singasho ngokunembile ukuthi umnikazi weseva eshintshile nini.

Ukuxhumana okumbalwa. Incazelo. Namuhla, akuyona ngisho inkinga ukuthola uhlu lwamahhala lwezizinda eziqukethe ikheli le-imeyili elithile, noma ukuthola zonke izizinda ezazihlotshaniswa nekheli le-IP elithile. Kodwa uma kuziwa kubaduni abenza konke okusemandleni abo ukuze kube nzima ukulandelela, sidinga amaqhinga engeziwe ukuze sithole izakhiwo ezintsha nokwakha ukuxhumana okusha.
Sichithe isikhathi esiningi sicwaninga ukuthi singakhipha kanjani idatha ebingatholakali ngendlela evamile. Asikwazi ukuchaza lapha ukuthi kusebenza kanjani ngezizathu ezisobala, kodwa ngaphansi kwezimo ezithile, abaduni, lapho bebhalisa izizinda noma beqasha futhi bemisa amaseva, benza amaphutha abavumela ukuthi bathole amakheli e-imeyili, iziteketiso ze-hacker, namakheli angemuva. Lapho ukhipha ukuxhumana okwengeziwe, ungakha amagrafu anembe kakhulu.

Igrafu yethu isebenza kanjani

Ukuze uqale ukusebenzisa igrafu yenethiwekhi, udinga ukufaka isizinda, ikheli le-IP, i-imeyili, noma izigxivizo zeminwe zesitifiketi se-SSL kubha yosesho. Kunezimo ezintathu umhlaziyi angakwazi ukuzilawula: isikhathi, ukujula kwesinyathelo, nokusula.

Isikhathi

Isikhathi – usuku noma isikhawu lapho okuseshiwe kusetshenziselwa izinjongo ezinonya. Uma ungayicacisi le pharamitha, isistimu ngokwayo izonquma isikhawu sokugcina sobunikazi balesi sisetshenziswa. Isibonelo, ngoJulayi 11, i-Eset yashicilelwa bika mayelana nendlela i-Buhtrap esebenzisa ngayo ukuxhashazwa kwezinsuku ezingu-0 kubunhloli be-cyber. Kunezinkomba eziyisi-6 ekupheleni kombiko. Enye yazo, i-security-telemetry[.]net, yabhaliswa kabusha ngoJulayi 16. Ngakho-ke, uma wakha igrafu ngemva kukaJulayi 16, uzothola imiphumela engabalulekile. Kodwa uma ubonisa ukuthi lesi sizinda sisetshenziswe ngaphambi kwalolu suku, igrafu ihlanganisa izizinda ezintsha ezingu-126, amakheli e-IP angu-69 angekho kumbiko we-Eset:

• ukrfreshnews[.]com
• i-unian-search[.]com
• vesti-world[.]ulwazi
• runewsmeta[.]com
• Foxnewsmeta[.]biz
• sobesednik-meta[.]info
• rian-ua[.]net
• nabanye.

Ngaphezu kwezinkomba zenethiwekhi, ngokushesha sithola ukuxhumana namafayela anonya abenokuxhumana nale ngqalasizinda nomaka abasitshela ukuthi i-Meterpreter ne-AZORult zisetshenzisiwe.

Okuhle kakhulu ukuthi uthola lo mphumela phakathi nomzuzwana owodwa futhi awusadingi ukuchitha izinsuku uhlaziya idatha. Yiqiniso, le ndlela ngezinye izikhathi inciphisa kakhulu isikhathi sophenyo, okuyinto evame ukuba bucayi.

Inombolo yezinyathelo noma ukujula kwe-recursion igrafu ezokwakhiwa ngayo

Ngokuzenzakalelayo, ukujula kungu-3. Lokhu kusho ukuthi zonke izakhi ezihlobene ngokuqondile zizotholakala kusukela ku-elementi oyifunayo, bese kwakhiwa ukuxhumana okusha kusuka ku-elementi entsha kuya kwezinye izakhi, futhi izakhi ezintsha zizokwakhiwa kusukela kuzakhi ezintsha kusukela ekugcineni. isinyathelo.

Ake sithathe isibonelo esingahlobene ne-APT kanye nezenzo ze-0-day. Muva nje, icala elithakazelisayo lokukhwabanisa elihlobene ne-cryptocurrencies lichazwe ku-Habré. Umbiko ukhuluma ngesizinda se-themcx[.]co, esisetshenziswa abakhohlisi ukusingatha iwebhusayithi okuhloswe ngayo ukuthi i-Miner Coin Exchange kanye nokubheka ifoni[.]xyz ukuheha ithrafikhi.

Kuyacaca encazelweni ukuthi lolu hlelo ludinga ingqalasizinda enkulu ukuze luhehe ukugcwala kwabantu emithonjeni ewumgunyathi. Sinqume ukubheka le ngqalasizinda ngokwakha igrafu ngezinyathelo ezi-4. Okukhiphayo bekuyigrafu enezizinda ezingama-230 namakheli e-IP angama-39. Okulandelayo, sihlukanisa izizinda zibe izigaba ezi-2: lezo ezifana nezinsizakalo zokusebenza nge-cryptocurrencies nalezo ezihloselwe ukushayela ithrafikhi ngezinsizakalo zokuqinisekisa ifoni:

Ihlobene ne-cryptocurrency
Ihlotshaniswa nezinsizakalo zokubhoboza ifoni

umgcini wemali[.]cc
irekhodi lofonayo[.]isayithi.

mcxwallet[.]co
amarekhodi efoni[.]isikhala

btcnoise[.]com
fone-uncover[.]xyz

i-cryptominer[.]washi
vula inombolo[.]ulwazi

Ukuhlanza

Ngokuzenzakalelayo, inketho "Yokuhlanza Igrafu" inikwe amandla futhi zonke izici ezingabalulekile zizokhishwa kugrafu. Ngendlela, yayisetshenziswa kuzo zonke izibonelo zangaphambili. Ngibona kusengaphambili umbuzo wemvelo: singaqinisekisa kanjani ukuthi into ebalulekile ayisuswa? Ngizophendula: kubahlaziyi abathanda ukwakha amagrafu ngesandla, ukuhlanza okuzenzakalelayo kungakhutshazwa futhi inani lezinyathelo lingakhethwa = 1. Okulandelayo, umhlaziyi uzokwazi ukuqedela igrafu kusuka ezintweni azidingayo futhi asuse izakhi igrafu engahlobene nomsebenzi.

Kakade kugrafu, umlando wezinguquko ku-whois, i-DNS, kanye namachweba avulekile kanye nezinsizakalo ezisebenza kuwo zitholakala kumhlaziyi.

Ubugebengu bokweba imininingwane ebucayi

Siphenye imisebenzi yeqembu elilodwa le-APT, okwathi iminyaka embalwa lenza ubugebengu bokweba imininingwane ebucayi kumakhasimende amabhange ahlukahlukene ezifundeni ezihlukene. Isici sesici saleli qembu kwakuwukubhaliswa kwezizinda ezifana kakhulu namagama amabhange angempela, futhi iningi lezindawo zobugebengu bokweba imininingwane ebucayi zazinomklamo ofanayo, umehluko okuwukuphela kwegama lamabhange namalogo awo.

Kulokhu, ukuhlaziywa kwegrafu okuzenzakalelayo kusisize kakhulu. Sithatha esinye sezizinda zabo - lloydsbnk-uk[.]com, emizuzwaneni embalwa sakhe igrafu enezinyathelo ezi-3 ezijulile, ekhombe izizinda ezinonya ezingaphezu kuka-250 ezisetshenziswe yileli qembu kusukela ngo-2015 futhi ezisaqhubeka nokusetshenziswa. . Ezinye zalezi zizinda sezivele zithengiwe amabhange, kodwa amarekhodi omlando abonisa ukuthi ngaphambilini bezibhaliswe kubahlaseli.

Ukuze kucace, isibalo sibonisa igrafu enezinyathelo ezi-2 ezijulile.

Kuyaphawuleka ukuthi kakade ngo-2019, abahlaseli bashintsha amaqhinga abo futhi baqala ukubhalisa hhayi kuphela izizinda zamabhange zokusingatha ubugebengu bokweba imininingwane ebucayi kuwebhu, kodwa nezizinda zezinkampani ezihlukahlukene zokubonisana zokuthumela ama-imeyili obugebengu bokweba imininingwane ebucayi. Isibonelo, izizinda swift-department.com, saudconsultancy.com, vbgrigoryanpartners.com.

Iqembu le-Cobalt

NgoZibandlela wezi-2018, iqembu labaduni i-Cobalt, eligxile ekuhlaseleni okuhlosiwe kwamabhange, lathumela umkhankaso wokuposa egameni leBhange Likazwelonke laseKazakhstan.

Izinhlamvu zaziqukethe izixhumanisi eziya ku-hXXps://nationalbank.bz/Doc/Prikaz.doc. Idokhumenti elandiwe ibiqukethe i-macro eyethule i-Powershell, engazama ukulayisha nokusebenzisa ifayela ku-hXXp://wateroilclub.com/file/dwm.exe kokuthi %Temp%einmrmdmy.exe. Ifayela %Temp%einmrmdmy.exe aka dwm.exe isiteji se-CobInt esilungiselelwe ukusebenzisana neseva hXXp://admvmsopp.com/rilruietguadvtoefmuy.

Cabanga ungakwazi ukuthola lawa ma-imeyili obugebengu bokweba imininingwane ebucayi futhi wenze ukuhlaziya okuphelele kwamafayela anonya. Igrafu yesizinda esinonya nationalbank[.]bz ikhombisa ngokushesha ukuxhumana nezinye izizinda ezinonya, iyimalulisa eqenjini futhi ikhombisa ukuthi yimaphi amafayela asetshenziswe ekuhlaselweni.

Masithathe ikheli le-IP 46.173.219[.]152 kule grafu futhi sakhe igrafu kuyo endaweni eyodwa bese sivala ukuhlanzwa. Kunezizinda ezingama-40 ezihlotshaniswa nayo, isibonelo, bl0ckchain[.]ug
paypal.co.uk.qlg6[.]pw
cryptoelips[.]com

Ukwahlulela ngamagama wesizinda, kubonakala sengathi asetshenziswa ezinhlelweni zokukhwabanisa, kodwa i-algorithm yokuhlanza yaqaphela ukuthi yayingahlobene nalokhu kuhlasela futhi ayizange iwabeke kugrafu, okwenza kube lula kakhulu inqubo yokuhlaziya nokuchazwa.

Uma wakha kabusha igrafu usebenzisa i-nationalbank[.]bz, kodwa ukhubaza i-algorithm yokuhlanza igrafu, izoqukatha izinto ezingaphezu kuka-500, eziningi zazo ezingahlanganise lutho neqembu le-Cobalt noma ukuhlasela kwabo. Isibonelo sokuthi igrafu enjalo ibukeka kanjani sinikezwe ngezansi:

isiphetho

Ngemva kweminyaka embalwa yokulungisa kahle, ukuhlola ophenyweni lwangempela, ucwaningo lokusongela nokuzingela abahlaseli, asikwazanga nje ukudala ithuluzi eliyingqayizivele, kodwa futhi nokuguqula isimo sengqondo sochwepheshe ngaphakathi kwenkampani mayelana nalo. Ekuqaleni, ochwepheshe bezobuchwepheshe bafuna ukulawula okuphelele phezu kwenqubo yokwakha igrafu. Ukubenza bakholelwe ukuthi ukwakhiwa kwegrafu okuzenzakalelayo kungakwenza lokhu kangcono kunomuntu onolwazi lweminyaka eminingi kwakunzima kakhulu. Yonke into yanqunywa ngesikhathi kanye nokuhlola okuningi “ngesandla” kwemiphumela yalokho okukhiqizwa yigrafu. Manje ochwepheshe bethu abathembeli kuphela uhlelo, kodwa futhi basebenzisa imiphumela eyitholayo emsebenzini wabo wansuku zonke. Lobu buchwepheshe busebenza ngaphakathi kwesistimu yethu ngayinye futhi busivumela ukuthi sibone kangcono izinsongo zanoma yiluphi uhlobo. Isixhumi esibonakalayo sokuhlaziywa kwegrafu okwenziwa ngesandla sakhelwe kuyo yonke imikhiqizo ye-Group-IB futhi sandisa ngokuphawulekayo amakhono okuzingela ubugebengu ku-inthanethi. Lokhu kuqinisekiswa ukubuyekezwa komhlaziyi okuvela kumakhasimende ethu. Futhi thina, ngokulandelayo, siyaqhubeka nokucebisa igrafu ngedatha futhi sisebenzela ama-algorithms amasha sisebenzisa ubuhlakani bokwenziwa ukuze sakhe igrafu yenethiwekhi enembe kakhulu.

Source: www.habr.com