Written by: doğan kaya
How to Resolve a Cyber Attack
A Russian company asked Kaspersky Lab to investigate an incident in which an attempt had been made to steal $130,000 from a corporate account. The company's representatives suspected that malware was behind the incident, and the suspicion was confirmed within the first days of the investigation. Although the story takes place in Russia, such cyber crimes vary little from country to country.
The cybercriminals infected the company's computers by sending an e-mail with a malicious attachment disguised as a message from the state tax office. To gain access to the accountant's computer inside the corporate network they used a modified version of a legitimate remote administration program, and a separate malware program was used to steal the money; that program contained components of the Carberp banking Trojan, whose source code was publicly available. The cybercriminals made a mistake when configuring their C&C servers, which allowed Kaspersky Lab experts to discover the IP addresses of other infected computers and to warn their owners of the threat.
The bank serving the targeted company blocked the attempted transfer of $130,000. However, the cybercriminals did succeed in making a payment of $8,000, an amount small enough that it triggered no alarm at the bank and required no additional confirmation from the account holder.
Exploit Code
Kaspersky Lab's Global Emergency Response Team (GERT) obtained an image of the attacked computer's hard drive. While working on it they quickly found a suspicious e-mail, sent in the name of the state tax office, asking the organization to provide certain documents. The list of required documents was in an attached Word document. The document contained an exploit for CVE-2012-0158, a vulnerability in the MSCOMCTL ActiveX control used by Microsoft Office for which a patch (MS12-027) had been available since April 2012; the exploit code ran when the document was opened and downloaded another malware program onto the victim's computer.
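The attachment described above is the whole entry point, so it is worth seeing what a mail gateway can check before a user double-clicks. The following is an added example, not code from the original post or from Kaspersky Lab. It does not detect CVE-2012-0158 itself; it flags the attachment shapes through which such exploits were commonly delivered (RTF carrying an embedded OLE/ActiveX object, RTF hiding behind a `.doc` extension, or a legacy OLE compound document from an external sender) so that a sandbox or analyst looks at them first. The magic bytes and RTF control words are real; the sample attachments, filenames and the `triage` rules are constructed for illustration.

```python
"""Mail-gateway triage for document attachments that carry embedded objects.

Added example, not from the original post or from Kaspersky Lab. Flags the
delivery shapes of document exploits such as CVE-2012-0158 for inspection;
it is a prioritisation heuristic, not a verdict. Samples are constructed.
"""

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Compound File Binary (legacy .doc/.xls) header
RTF_MAGIC = b"{\\rtf"                            # every RTF file starts with {\rtf
# RTF control words that introduce an embedded OLE object or ActiveX control.
RTF_OBJECT_WORDS = (b"\\objocx", b"\\objdata", b"\\objclass", b"\\object")


def sniff(data: bytes) -> str:
    """Classify content by its bytes, ignoring the filename entirely."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-or-zip"
    return "other"


def triage(filename: str, data: bytes, external_sender: bool) -> list:
    """Return reasons to hold the attachment for inspection (empty list = pass)."""
    reasons = []
    kind = sniff(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # Word opens RTF regardless of extension, so ".doc" wrapping RTF is itself a signal.
    if kind == "rtf" and ext != "rtf":
        reasons.append("RTF content behind a non-RTF extension")
    if kind == "rtf":
        found = [w.decode() for w in RTF_OBJECT_WORDS if w in data]
        if found:
            reasons.append("RTF embeds an OLE/ActiveX object: " + ", ".join(found))
    if kind == "ole" and external_sender:
        reasons.append("legacy OLE document from external sender")
    if kind == "other" and ext in ("doc", "rtf", "xls"):
        reasons.append("extension claims an Office document but content is not recognized")
    return reasons


# Constructed samples (assumptions, not real attachments from the incident).
BENIGN_RTF = b"{\\rtf1\\ansi Please send the documents listed below.\\par }"
OBJ_RTF = b"{\\rtf1\\ansi {\\object\\objocx{\\*\\objdata 0105000002000000}}\\par }"
OLE_DOC = OLE_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("list.doc", BENIGN_RTF), ("list.rtf", OBJ_RTF), ("list.doc", OLE_DOC)):
        print(name, sniff(blob), triage(name, blob, external_sender=True))
```

The point of checking bytes rather than extensions is that Word will happily open an RTF named `.doc`; the mismatch is cheap to test and was common in exploit mailings. Expect this to hold plenty of legitimate documents too, which is why the result is a list of reasons for a human or sandbox, not a block decision.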
On the infected computer's hard drive, GERT experts identified a modified version of a legitimate program designed for remote access to computers; such programs are widely used by accountants and system administrators. This copy, however, had been altered to hide its presence on the infected system: its icon in the Windows taskbar notification area was hidden, the registry key in which its settings are stored had been changed, and its GUI had been disabled. Kaspersky Lab products detect this program with the verdict 'Backdoor.Win32.RMS'. Because the settings key had been moved, a host check for the tool's default registry location would not have found it; the binary itself, or its outbound connections, is the more reliable indicator.
This was not the only malware program found on the victim's computer. Further investigation showed that a second backdoor, Backdoor.Win32.Agent, had been downloaded to the machine with the help of Backdoor.Win32.RMS; the cybercriminals used this second backdoor to obtain remote Virtual Network Computing (VNC) access to the victim's computer. Interestingly, the code of Backdoor.Win32.Agent contained components of the Carberp banking Trojan, whose source code had been published earlier that year.
So, with the help of Backdoor.Win32.RMS the cybercriminals downloaded Backdoor.Win32.Agent to the victim's machine, and with Backdoor.Win32.Agent they took control of the computer. They then created a fraudulent payment order in the remote banking system and approved it from the accountant's computer, so that the bank saw the order arriving from the account holder's usual IP address. But how did the cybercriminals obtain the password the accountant used to authorize transactions? Continuing the investigation, the experts found yet another malware program: Trojan-Spy.Win32.Delf, a keylogger that captured everything typed on the keyboard. This is how the cybercriminals stole the accountant's password and carried out the fraudulent transaction.
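The $8,000 payment went through because the only control in its path was an amount threshold, and both the source IP and the password looked legitimate: the order came from the accountant's own machine and the password had been captured by the keylogger. The following is an added example, not code from the original post or from the bank it describes, showing the amount-only rule beside a hardened rule that also looks at the beneficiary and at a per-day limit for never-paid beneficiaries. The thresholds, the account profile, the payee names and the payment records are assumptions constructed for illustration; whether the real mule account was a first-time payee is not stated in the write-up.

```python
"""Step-up authorization for remote-banking payments.

Added example, not from the original post or from the bank it describes.
Thresholds, profile and payments are constructed assumptions that show why
an amount threshold alone lets a payment like the $8,000 one through.
"""
from dataclasses import dataclass, field

# Assumption: the bank's single rule was "amounts above this need extra confirmation".
AMOUNT_THRESHOLD = 10_000
# Assumption: per-day ceiling for payments to beneficiaries the account has never paid.
NEW_PAYEE_DAILY_LIMIT = 5_000


@dataclass
class Payment:
    date: str
    amount: int
    payee: str
    source_ip: str


@dataclass
class AccountProfile:
    known_payees: set = field(default_factory=set)
    trusted_ips: set = field(default_factory=set)
    new_payee_spent: dict = field(default_factory=dict)  # date -> amount already sent to new payees


def needs_step_up_amount_only(p: Payment) -> bool:
    """The weak rule: only the amount matters."""
    return p.amount > AMOUNT_THRESHOLD


def step_up_reasons(p: Payment, profile: AccountProfile) -> list:
    """Hardened rule: every reason the payment must be confirmed out of band
    (bank-issued OTP or token). Empty list = may proceed on session credentials."""
    reasons = []
    if p.amount > AMOUNT_THRESHOLD:
        reasons.append("amount above threshold")
    # A trusted IP is weak evidence: in the incident the order came from the accountant's PC.
    if p.source_ip not in profile.trusted_ips:
        reasons.append("unrecognized source address")
    if p.payee not in profile.known_payees:
        reasons.append("first payment to this beneficiary")
        if profile.new_payee_spent.get(p.date, 0) + p.amount > NEW_PAYEE_DAILY_LIMIT:
            reasons.append("daily limit for new beneficiaries exceeded")
    return reasons


def record(p: Payment, profile: AccountProfile) -> None:
    """Update the profile once a payment has executed (after any step-up succeeded)."""
    if p.payee not in profile.known_payees:
        profile.new_payee_spent[p.date] = profile.new_payee_spent.get(p.date, 0) + p.amount
        profile.known_payees.add(p.payee)
    profile.trusted_ips.add(p.source_ip)


def demo():
    # Constructed scenario: 10.0.5.21 is the accountant's PC, "supplier-a" an established
    # payee, "mule-llc" a beneficiary this account has never paid.
    profile = AccountProfile(known_payees={"supplier-a"}, trusted_ips={"10.0.5.21"})
    big = Payment("2013-06-03", 130_000, "mule-llc", "10.0.5.21")
    small = Payment("2013-06-03", 8_000, "mule-llc", "10.0.5.21")
    return {
        "big_amount_only": needs_step_up_amount_only(big),
        "small_amount_only": needs_step_up_amount_only(small),
        "small_hardened": step_up_reasons(small, profile),
    }


if __name__ == "__main__":
    print(demo())
```

The step-up itself has to be something a keylogger on the accountant's machine cannot replay, which is why the write-up's recommendation is a token or a bank-issued one-time password rather than a second typed password.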
New victims
At the end of the investigation the experts noticed another interesting fact: all of the malware programs used in the attack were controlled from C&C servers whose IP addresses belonged to the same subnet. The cybercriminals had made a configuration mistake on that subnet, which allowed Kaspersky Lab experts to find the addresses of other computers infected with Trojan-Spy.Win32.Delf. Most of these turned out to be computers belonging to small and medium-sized businesses. Kaspersky Lab immediately alerted the owners of the infected computers to the threat.
Mikhail Prokhorenko, a malware analyst at the Kaspersky Lab Global Emergency Response Team, said: "Although this story took place in Russia, it is difficult to say that it is country specific from a technical point of view; in fact, such cyber crimes vary little from country to country. Many companies throughout the world use versions of Windows and Microsoft Office that contain unpatched vulnerabilities. In addition, the differences between banking services in different countries, and between the ways in which companies' financial departments communicate with banks, are minimal."
To minimize the risk of money being stolen from corporate accounts, Kaspersky Lab specialists recommend that organizations using remote banking systems set up reliable multi-factor authentication (tokens, one-time passwords provided by the bank, etc.), make sure that the software installed on corporate computers is updated promptly (especially on computers used by finance departments), protect these computers with security solutions, and train staff to recognize the signs of an attack and to respond to such incidents quickly.
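Kaspersky's experts pivoted from the attackers' side, using the C&C misconfiguration to list infected machines. A defender who learns one C&C address from such a report can do the corresponding pivot in their own logs: since every component of this campaign was controlled from one subnet, sweep for any internal host that reached that subnet, not just the one address. The following is an added example, not code from the original post or from Kaspersky Lab; the subnet, host names and proxy log lines are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, 93.184.216.34 stands in for an ordinary website).

```python
"""Pivoting from one known C&C address to other victims via the C&C subnet.

Added example, not code from the original post or from Kaspersky Lab. The
subnet, hosts and log lines are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: the C&C address recovered from the imaged disk, plus the fact from the
# write-up that every component's C&C sat in the same subnet.
KNOWN_C2 = ipaddress.ip_address("203.0.113.45")
C2_SUBNET = ipaddress.ip_network("203.0.113.0/24")
assert KNOWN_C2 in C2_SUBNET

# Constructed proxy log: timestamp  source-host  destination-ip:port  bytes-out
PROXY_LOG = """\
2013-06-03T09:12:01 acct-pc-01 203.0.113.45:443 1820
2013-06-03T09:12:09 acct-pc-01 93.184.216.34:443 640
2013-06-03T09:14:30 hr-pc-07 203.0.113.72:8080 2210
2013-06-03T09:15:02 dev-pc-12 203.0.113.72:8080 2190
2013-06-03T09:16:45 hr-pc-07 203.0.113.45:443 400
2013-06-03T09:17:00 mail-gw 198.51.100.9:25 9000
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, ip, port, bytes)."""
    ts, host, dest, nbytes = line.split()
    ip, port = dest.rsplit(":", 1)
    return ts, host, ipaddress.ip_address(ip), int(port), int(nbytes)


def subnet_contacts(log_text, subnet):
    """Map each source host to the sorted addresses it reached inside `subnet`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, ip, _port, _nbytes = parse_line(line)
        if ip in subnet:
            hits[host].add(str(ip))
    return {host: sorted(ips) for host, ips in hits.items()}


def new_victims(log_text, subnet, already_known):
    """Hosts other than the one under investigation that talked to the C&C subnet."""
    return sorted(h for h in subnet_contacts(log_text, subnet) if h != already_known)


def new_c2_addresses(log_text, subnet, known_c2):
    """Subnet addresses besides the known one: candidate C&Cs for the other components."""
    seen = set()
    for ips in subnet_contacts(log_text, subnet).values():
        seen.update(ips)
    return sorted(seen - {str(known_c2)})


if __name__ == "__main__":
    print("hosts contacting C&C subnet:", subnet_contacts(PROXY_LOG, C2_SUBNET))
    print("new victims:", new_victims(PROXY_LOG, C2_SUBNET, "acct-pc-01"))
    print("other C&C candidates:", new_c2_addresses(PROXY_LOG, C2_SUBNET, KNOWN_C2))
```

A whole-subnet match will also catch unrelated customers of a shared hosting provider, so confirm each hit (process, destination port, timing of the first contact) before alerting an owner, as Kaspersky did, or blocking the range at the perimeter.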