Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,” Cisco Talos researcher Paul Eubanks said. “They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.”
Also prominent is the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.
But by taking advantage of the threat actors’ operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web.”
“The methods we used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet,” Eubanks said.
Besides TLS certificate matching, a second method employed to uncover the adversaries’ clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.
In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the “/var/log/auth.log” file used to capture user logins.
The findings demonstrate that not only are the criminal actors’ leak sites accessible to any user on the internet, but other infrastructure components, including identifying server data, were also left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.
Further analysis of the successful root user logins showed that they originated from two IP addresses 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.
“176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,” Eubanks noted. “It’s possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.”
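As an added example (not from the article or from Cisco Talos), the auth.log triage described above seen from the defender's side: parse OpenSSH's "Accepted ... for root from ..." lines, group successful root logins by source address, and flag any source that is not an approved jump host, which is exactly the slip the researchers observed. The log lines and the jump-host address are constructed for the example.

```python
import re
from collections import defaultdict

# Regex for OpenSSH's successful-authentication line as written to /var/log/auth.log.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_accepted_logins(lines, user="root"):
    """Return {source_ip: [(timestamp, auth_method), ...]} for accepted logins of `user`.

    Failed attempts and logins by other users are ignored.
    """
    by_ip = defaultdict(list)
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if m and m.group("user") == user:
            by_ip[m.group("ip")].append((m.group("ts"), m.group("method")))
    return dict(by_ip)


def unexpected_sources(by_ip, approved_hosts):
    """Source IPs with successful logins that are not an approved jump host."""
    return sorted(ip for ip in by_ip if ip not in approved_hosts)


# Constructed sample log lines using RFC 5737 documentation addresses (not the article's IPs).
SAMPLE_AUTH_LOG = """\
Jun 28 10:14:02 srv1 sshd[1234]: Accepted password for root from 203.0.113.10 port 51522 ssh2
Jun 28 10:15:44 srv1 sshd[1240]: Failed password for root from 198.51.100.7 port 40110 ssh2
Jun 28 11:02:19 srv1 sshd[1301]: Accepted publickey for root from 203.0.113.10 port 51600 ssh2: RSA SHA256:AAAA
Jun 28 11:30:00 srv1 sshd[1355]: Accepted password for deploy from 192.0.2.44 port 33001 ssh2
Jun 28 23:41:07 srv1 sshd[1402]: Accepted password for root from 198.51.100.7 port 40230 ssh2
""".splitlines()

# Hypothetical approved jump host; a direct root login from anywhere else is worth an alert.
APPROVED_JUMP_HOSTS = {"203.0.113.10"}

if __name__ == "__main__":
    logins = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for ip, events in logins.items():
        print(ip, events)
    print("root logins not via jump host:", unexpected_sources(logins, APPROVED_JUMP_HOSTS))
```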
LockBit adds a bug bounty program to its revamped RaaS operation
The development comes as the operators of the emerging Black Basta ransomware expanded their attack arsenal by using QakBot for initial access and lateral movement, and by taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to conduct privileged file operations.
What’s more, the LockBit ransomware gang last week announced the release of LockBit 3.0 with the message “Make Ransomware Great Again!,” in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and “brilliant ideas” to improve its software.
“The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
“A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.”
“The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group’s activity.”
The Tao constantly does nothing, yet nothing is left undone.
(Tao Te Ching, Chapter 37)
This article was translated from:
https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html
If you reprint it, please credit the original article.