Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,” Cisco Talos researcher Paul Eubanks said. “They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.”
Also prominent are the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.
But by taking advantage of the threat actors’ operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web.”
“The methods we used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet,” Eubanks said.
Besides TLS certificate matching, a second method employed to uncover the adversaries’ clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.
In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the “/var/log/auth.log” file used to capture user logins.
The findings demonstrate that not only are the criminal actors’ leak sites accessible to any user on the internet, but other infrastructure components, including identifying server data, were also left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.
Further analysis of the successful root user logins showed that they originated from two IP addresses 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.
“176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,” Eubanks noted. “It’s possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.”
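The root-login analysis described above comes down to reading the sshd "Accepted" lines out of auth.log and grouping them by source address. As an added example that is not part of the original article or of Talos's tooling, the following Python parses constructed auth.log lines and flags successful logins for an account that arrive from addresses outside an expected allow-list, which is how a defender would spot an administrator connecting from an unexpected location (the sample lines, hostnames and addresses are constructed and use documentation ranges):

```python
import re
from collections import Counter

# Constructed sample auth.log lines in classic syslog format (not real data).
SAMPLE_AUTH_LOG = """\
Jun 28 09:14:02 leaksrv sshd[2211]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:AAAA
Jun 28 09:15:45 leaksrv sshd[2230]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 28 09:16:01 leaksrv sshd[2231]: Accepted password for root from 198.51.100.7 port 40215 ssh2
Jun 28 10:02:19 leaksrv sshd[2302]: Accepted publickey for root from 192.0.2.10 port 51300 ssh2: RSA SHA256:AAAA
Jun 28 11:30:55 leaksrv sshd[2401]: Accepted publickey for deploy from 203.0.113.5 port 60001 ssh2: ED25519 SHA256:BBBB
Jun 28 11:31:10 leaksrv sshd[2402]: Invalid user admin from 198.51.100.9 port 33333
"""

# Matches only successful sshd logins; failed and invalid-user lines are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_accepted_logins(text):
    """Return one dict (ts, method, user, ip) per successful sshd login, in file order."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def login_sources(events, user="root"):
    """Count successful logins of `user` per source IP address."""
    return Counter(e["ip"] for e in events if e["user"] == user)


def unexpected_sources(events, allowed, user="root"):
    """Source IPs that logged in as `user` but are not in the expected admin hop-point set."""
    return sorted(ip for ip in login_sources(events, user) if ip not in allowed)


if __name__ == "__main__":
    evts = parse_accepted_logins(SAMPLE_AUTH_LOG)
    print("root logins by source:", dict(login_sources(evts)))
    # Only 192.0.2.10 is an expected admin hop-point in this constructed scenario.
    print("unexpected root sources:", unexpected_sources(evts, {"192.0.2.10"}))
```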
LockBit adds a bug bounty program to its revamped RaaS operation
The development comes as the operators of the emerging Black Basta ransomware expanded their attack arsenal by using QakBot for initial access and lateral movement, and by taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to conduct privileged file operations.
What’s more, the LockBit ransomware gang last week announced the release of LockBit 3.0 with the message “Make Ransomware Great Again!,” in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and “brilliant ideas” to improve its software.
“The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
“A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.”
“The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group’s activity.”
The Tao constantly does nothing, yet nothing is left undone.
(Tao Te Ching, Chapter 37)
This article is translated from:
https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html
If reproducing, please cite the original source.