This week on Breaking Badness.
Today we discuss: Good Ransomware Day, One Trick Pony, and our fun new game, Two Truths and a Lie.
Here are a few highlights from each article we discussed:
- This particular dirty dozen relied on deploying Dharma for their nefarious deeds, and certainly represented the deadly duo of LockerGoga and MegaCortex. Digging deeper, the dolts showed a dependence on TrickBot, followed by the usual suspects, Cobalt Strike and PowerShell Empire, for lateral movement.
- Dharma ransomware (also known as CrySis) is a fairly nasty "Trojanized" piece of malware targeting Windows, used by threat actors to extort home computer users but also small and medium-sized organizations. A cute fact about it: in a typical Dharma phish, the user is asked to download a password-protected attachment named Defender.exe.
- Then you've got LockerGoga, most famous among this warez for being behind the 2019 Norsk Hydro attack. Once installed, LockerGoga modifies the user accounts on the infected system by changing their passwords. It also tries to log off any users logged into the system. It then relocates itself into the temp folder and renames itself using the command line (cmd). But perhaps the cutest thing of all: since LG gives the victim neither a way to recover their files nor a specific demand for payment, its distribution is most likely targeted and intended to disrupt operations.
- Now what about MegaCortex? Here the Windows domain controller is key. Once a vulnerable domain controller is compromised, the attackers configure it to drop a batch file, PsExec and winnit.exe, the core malware file components, onto the other machines. PsExec acts like an advance team neutralizing the environment so the bad guys can do their thing: in this case, it kills Windows processes and any other services that could stop or block the ransomware's execution flow. Then it launches winnit.exe, which searches for files it can encrypt and also extracts a DLL with a randomly generated filename, which it runs with rundll32.exe to carry out the encryption. Pretty routine stuff, and keep in mind that these arrests are the culmination of a fairly lengthy effort, so when we're looking at the malware involved, we're sort of looking back in time to around 2019. So these aren't necessarily the latest warez, and there are a lot of detections for them out there.
- These arrests were carried out on October 26 in the faraway lands of Ukraine and Switzerland. This was quite the constabulary cooperation, with a total of ten different nations or groups involved, and if you go a layer deeper into those countries and the organizations involved, you've got a total of fifteen entities and a total of 50 investigators that worked together on getting these arrests. But how did all this start? Well, with the French. A joint investigation team, which strangely enough has nothing to do with cannabis, was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support from Eurojust. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these cyber actors and to establish a joint strategy. (See, nothing to do with Snoop's and Willie Nelson's biggest shared interest.)
- As for where they go from here, any time you make arrests you have a potential gold mine of sources for further arrests. And of course they'll have plenty of forensics to do on whatever assets they seized (I'm not saying they'll be taking the Lambos out for test drives, though that's certainly possible too).
- We know they suffered from the Achilles' heel of cybercrime: automotive vanity. But yes, aside from lighting cigars with 1,000-euro bills, let's talk about what they did. The targeted suspects played different roles in these organizations. Some were on the purely technical side, for example working the penetration phase, using different mechanisms to compromise victim environments, including brute-force attacks, SQL injection, stolen credentials and phishing emails with malicious attachments. Then you have those responsible for laundering the ransom payments: they'd funnel the money through mixing services and then cash out.
- As for that dirty dozen now residing in jail, I can tell you they'll have to completely recalibrate their fashion regimen and diet. As for the rest of us, I think there are really two ways to look at it. From one point of view, it's a drop in the bucket: even though the activities represented by the groups that are compromised by these arrests were far-ranging, and thus these are kind of big fish, we know that in the grand scheme of things, it's not likely that the pace of ransomware is going to slow noticeably, at least not for long. But the other perspective, and the one that I think is more interesting, deals with the question of what we are going to learn from this operation in terms of looking at ways to disrupt the business model, to get even better and more extensive international cooperation, and potentially beneficial changes at the policy level and so forth. Or put simply: can what we learned here help us do more of these, and at increasingly high levels of effectiveness?
- I can't read "TrickBot" without hearing the Mystery Science Theater 3000 intro. [terrible singing] So, you're welcome. In any case, TrickBot is a piece of malware that goes back to 2016. Spread through a ton of different methods, it's evolved over the years: originally a banking trojan, then shifting to stealing keys, propagating through a network, harvesting AD credentials, and eventually infecting Linux systems as well. On top of that, it is known to install both the Ryuk and Conti families of ransomware. It's seen now as an initial infection that often leads to the next set of trouble on your network, whether that be ransomware or otherwise. TrickBot has been both creative in its mutation and prolific.
- You may recall that a few months ago the USDOJ picked up Latvian national Alla Witte, aka Max, who was charged with writing big chunks of the TrickBot code. The research community kind of knew that multiple developers worked on these things, but as the case has progressed it's kind of appeared that maybe she worked only on individual components, perhaps didn't know the extent of what she was working on, or that this was somehow siloed. I doubt that, but that's some of the murmur and argument we've seen, and certainly other crime groups have done that before, hiring developers to work on a specific component without telling them about the larger project. Anyway, this new extradition, of Vladimir Dunaev, another person tied to TrickBot, further shows what the FBI stated in their press release: "Pursuing cyber criminals requires considerable patience, expertise, and resources, but the FBI has a long memory and will ensure that these malicious actors cannot evade detection or avoid the full weight of law enforcement actions." Great line if you ask me. Anyway, they grabbed Dunaev in Southeast Asia, extraditing him through South Korea to the Northern District of Ohio for this case.
- A few key takeaways from the indictment: first, according to the indictment TrickBot started in 2015, so they must have some intelligence I haven't seen before. On top of that, it describes a larger TrickBot group that used freelancers, like Alla Witte, it sounds like, to create, deploy and manage the malware. Since Dunaev was apparently involved not only in deploying the malware but also in wire fraud and bank fraud, this indictment throws everything under the sun at him. If everything goes according to the DOJ's plan, Dunaev faces 60 years in prison.
- Dunaev was involved in everything from the actual computer fraud pieces to identity theft to wire and bank fraud. According to the filing, he was also involved in money laundering. It looks like there are enough counts here that some, if not all, will be proven at trial. As the FBI said, their memory is long, and one of the terrible things about computer crime is that computers log everything and leave traces everywhere. As we like to say, any attack has requirements, and those are usually network components that someone else can see.
- I think if the FBI has one person tied to TrickBot, they probably know all the other operators too. I'd guess Dunaev doesn't have much he can reveal about operators they don't already know about. Once they have plenty of counts to charge someone with and have extradited them, they've just been twiddling their thumbs waiting for an operator to slip up. We know many of these groups are located in Russia, and we can't extradite from there, so I don't think this will stop the rest of the people associated with the TrickBot group from carrying on. It will certainly stop them from vacationing overseas. I doubt it will hinder TrickBot, but this is how these big groups will get taken down: slowly, one at a time, through patience, and when their operational security fails, the USDOJ will be waiting at an airport in some country that extradites.
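The LockerGoga and MegaCortex behaviours described in the bullets above translate fairly directly into process-creation detections. As an added example (not code from the podcast or from DomainTools), here is a small rule-based detector in Python that runs over constructed, Sysmon-style process-creation events: the hosts, paths, file names and event fields are assumptions for the demo, and the events are made up rather than real telemetry or real IOCs. It flags password resets and forced logoffs run from the command line, an executable being moved into a Temp folder, PsExec pushing a payload to another host, a batch-style taskkill/net stop sweep, and rundll32.exe loading a DLL whose name looks randomly generated (a character-entropy heuristic), while leaving two benign control events alone.

```python
"""Rule-based detector for the LockerGoga / MegaCortex behaviours described above.

Added example, not code from the podcast or from DomainTools. Runs offline over
constructed, Sysmon-style process-creation events; the field names, hosts, paths
and file names below are assumptions for the demo, not a real schema or real IOCs.
"""
import math
import re
from pathlib import PureWindowsPath

# Constructed sample events (hypothetical), one dict per process creation.
SAMPLE_EVENTS = [
    # LockerGoga-style: relocate itself into Temp under a new name via cmd.exe ...
    {"host": "dc01", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c move "C:\Users\bob\Downloads\svc-update.exe" "C:\Windows\Temp\wsvc.exe"'},
    # ... then reset account passwords and log off interactive users.
    {"host": "dc01", "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\Temp\wsvc.exe",
     "cmdline": r"net user Administrator P@ssw0rd-ch4nged"},
    {"host": "dc01", "image": r"C:\Windows\System32\logoff.exe", "parent": r"C:\Windows\Temp\wsvc.exe",
     "cmdline": r"logoff 2"},
    # MegaCortex-style: PsExec from the DC pushes a batch file to a workstation ...
    {"host": "dc01", "image": r"C:\Windows\Temp\PsExec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\ws07 -accepteula -s -d -c stop.bat"},
    # ... which kills processes/services that could block encryption ...
    {"host": "ws07", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r'cmd /c taskkill /f /im sqlservr.exe & taskkill /f /im MsMpEng.exe & net stop "Backup Service" /y'},
    # ... and winnit.exe runs a randomly named DLL through rundll32.exe.
    {"host": "ws07", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\Temp\winnit.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\qwk2mzx9vl7t.dll,#1"},
    # Benign controls that must not fire.
    {"host": "ws07", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "ws07", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd /c taskkill /f /im notepad.exe"},
]


def shannon_entropy(s):
    """Bits per character; randomly generated names score higher than ordinary ones."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0


def image_name(ev):
    return PureWindowsPath(ev["image"]).name.lower()


def rule_account_tamper(ev):
    """Password reset with `net user <name> <password>` or a forced session logoff."""
    cmd = ev["cmdline"].lower()
    if image_name(ev) == "net.exe" and re.search(r"\bnet\s+user\s+\S+\s+(?!/)\S+", cmd):
        return "password changed via net user"
    if image_name(ev) == "logoff.exe":
        return "forced session logoff"
    return None


def rule_temp_relocation(ev):
    """cmd.exe moving/copying/renaming an executable into a Temp directory."""
    cmd = ev["cmdline"].lower()
    if image_name(ev) == "cmd.exe" and re.search(r"\b(move|copy|ren|rename)\b", cmd) \
            and re.search(r"\\temp\\[^\s\"]+\.exe", cmd):
        return "executable relocated into a Temp directory"
    return None


def rule_psexec_push(ev):
    """PsExec copying a file to a remote host (-c) and running it there."""
    cmd = ev["cmdline"].lower()
    if image_name(ev) in ("psexec.exe", "psexec64.exe") and re.search(r"\s-c(\s|$)", cmd):
        return "PsExec pushing a payload to a remote host"
    return None


def rule_kill_sweep(ev, min_kills=2):
    """Several taskkill / net stop commands in one command line (batch-style sweep)."""
    cmd = ev["cmdline"].lower()
    kills = len(re.findall(r"taskkill\s+/f\s+/im\s+\S+", cmd)) + len(re.findall(r"\bnet\s+stop\s+", cmd))
    return f"{kills} process/service kills in one command" if kills >= min_kills else None


def rule_random_dll(ev, min_len=10, min_entropy=3.2):
    """rundll32.exe executing a DLL whose file name looks randomly generated."""
    if image_name(ev) != "rundll32.exe":
        return None
    m = re.search(r"([^\s\"]+\.dll)", ev["cmdline"], re.IGNORECASE)
    if not m:
        return None
    stem = PureWindowsPath(m.group(1)).stem.lower()
    h = shannon_entropy(stem)
    if len(stem) >= min_len and h >= min_entropy:
        parent = PureWindowsPath(ev["parent"]).name
        return f"rundll32 loading random-looking DLL {m.group(1)} (entropy {h:.2f}, parent {parent})"
    return None


RULES = [rule_account_tamper, rule_temp_relocation, rule_psexec_push, rule_kill_sweep, rule_random_dll]


def detect(events):
    """Return one finding per (event, rule) hit, in event order."""
    return [{"host": ev["host"], "rule": rule.__name__, "detail": detail}
            for ev in events for rule in RULES if (detail := rule(ev))]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
```

Run it directly to print the six findings for the sample events. The entropy threshold and minimum name length in rule_random_dll are tuning knobs: rundll32.exe legitimately loads plenty of system DLLs, so the parent process (winnit.exe here) and the DLL's location carry as much signal as the name itself, and the kill-sweep rule deliberately ignores a single taskkill so ordinary admin activity does not page anyone.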
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We're playing a game you may all be familiar with, called Two Truths and a Lie, with a fun twist. Each week we'll prepare three article headlines, two of which are real and one of which is a lie.
You'll have to listen to find out!
Current Scoreboard
This Week's Hoodie/Goodie Scale
Good Ransomware Day
[Chad]: 9/10 Goodies
[Tim]: 9/10 Goodies
One Trick Pony
[Chad]: 8/10 Goodies
[Tim]: 8/10 Goodies
That's all we have for this week. You can find us on Twitter @DomainTools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!