Drovorub: Russian malware targeting Linux uncovered by the NSA and FBI

The FBI and NSA yesterday published a joint security advisory detailing new malware that affects Linux and which, according to the two agencies, was developed and deployed in real-world attacks by Russian military hackers.

Both agencies say the Russian operators used the malware, called Drovorub, to plant backdoors inside hacked networks.

About Drovorub

The malware consists of several modules that give it stealth, persistence and full access to the compromised machine with the highest privileges.

The technical report published by the NSA and FBI gives details of Drovorub's capabilities along with detection strategies and mitigations.

According to the report, the rootkit is very effective at hiding on an infected machine and survives reboots unless:

"Unified Extensible Firmware Interface (UEFI) Secure Boot is enabled in 'Full' or 'Thorough' mode."

The report sets out the technical details of each Drovorub component; the components communicate with each other using JSON over WebSockets and encrypt the traffic to and from the server module using the RSA algorithm.

The NSA and FBI assess that the malware was developed by the Main Intelligence Directorate of the Russian General Staff, 85th Main Special Service Center (GTsSS), Military Unit 26165.

The unit's cyber activities are linked to campaigns of the advanced hacking group known as Fancy Bear (APT28, Strontium, Group 74, PawnStorm, Sednit, Sofacy, Iron Twilight).

This attribution is based on operational command-and-control infrastructure that companies have publicly associated with GTsSS cyber operations. Another clue is an IP address that Microsoft found in a Strontium campaign targeting IoT devices in April 2019, which was also used to access Drovorub C2 infrastructure during the same period.

Detection and mitigation

The NSA's analysis shows that the malware's activity can be detected using complementary detection techniques, but these are not very effective against the Drovorub kernel module.

Network intrusion detection systems (NIDS) such as Suricata, Snort and Zeek can dynamically unmask the "hidden" WebSocket protocol messages (using scripts) and identify the C2 messages exchanged between the client and agent components and the Drovorub server.

A TLS proxy would achieve the same results even if the communication channel uses TLS encryption. However, one drawback of these approaches is that the activity can go unnoticed if TLS is used or if the actor switches to a different message format.

For host-based detection, the NSA and FBI offer the following solutions:

  • Probe for the presence of the Drovorub kernel module using the script included in the report (page 35);
  • Security products that can detect malware artifacts and rootkit functionality, such as the Linux Kernel Integrity Subsystem;
  • Live response techniques, searching for specific file names, paths and hashes, and with Yara rules (provided in the report alongside the Snort rules);
  • Memory scanning, which is the most effective method for finding the rootkit;
  • Disk image scanning: malware artifacts persist on disk, but the rootkit hides them from binaries and normal system calls.

As mitigations, both agencies recommend installing the latest Linux updates and running the latest software versions.

In addition, system administrators should ensure that machines run at least Linux kernel 3.7, which supports kernel module signature enforcement. Configuring systems to load only modules with a valid digital signature makes it harder for an attacker to insert a malicious kernel module.

Another recommendation is to enable the UEFI Secure Boot verification mechanism (full enforcement), which allows only legitimate kernel modules to be loaded. However, this does not protect against the recently disclosed BootHole attack.
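An added example, not the report's page-35 script and not code from the article, that audits a Linux host for the mitigations just listed: a kernel of at least 3.7, kernel module signature enforcement, and UEFI Secure Boot. It assumes the standard Linux paths (/boot/config-<release>, /sys/module/module/parameters/sig_enforce, efivarfs) and the standard EFI global variable GUID; the checks take their input as arguments so they can be exercised offline on constructed data.

```shell
#!/bin/sh
# Added example, not from the NSA/FBI report or the article: audits a
# Linux host for the mitigations the agencies recommend against Drovorub.
# The checks are pure functions of their inputs, so they run offline
# against constructed data; audit_host feeds them the live system files.

# kernel_at_least RELEASE MIN -> 0 if "5.4.0-42-generic" is >= "3.7"
kernel_at_least() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%[!0-9]*}
    wmaj=${2%%.*}; wmin=${2#*.}
    if [ "$maj" -gt "$wmaj" ]; then return 0; fi
    if [ "$maj" -eq "$wmaj" ] && [ "$min" -ge "$wmin" ]; then return 0; fi
    return 1
}

# module_sig_mode CONFIG_TEXT -> prints force | sig | none from the text of
# /boot/config-$(uname -r); "force" means unsigned modules are refused.
module_sig_mode() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_MODULE_SIG_FORCE=y'; then
        echo force
    elif printf '%s\n' "$1" | grep -qx 'CONFIG_MODULE_SIG=y'; then
        echo sig
    else
        echo none
    fi
}

# secure_boot_state EFIVAR_FILE -> prints 1 or 0 (0 also when the file is
# absent, i.e. no UEFI boot). In efivarfs the SecureBoot variable is 4
# attribute bytes followed by one data byte.
secure_boot_state() {
    if [ -r "$1" ]; then od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'; else echo 0; fi
}

# audit_host: runs the three checks against the running system.
audit_host() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 3.7; then echo "kernel $rel: ok (>= 3.7)";
    else echo "kernel $rel: too old for module signature enforcement"; fi
    cfg=$(cat "/boot/config-$rel" 2>/dev/null || true)
    echo "module signing (build config): $(module_sig_mode "$cfg")"
    # runtime view of the same setting, exposed when CONFIG_MODULE_SIG is built in
    [ -r /sys/module/module/parameters/sig_enforce ] &&
        echo "sig_enforce at runtime: $(cat /sys/module/module/parameters/sig_enforce)"
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    echo "UEFI Secure Boot: $(secure_boot_state "$sb")"
}

audit_host
```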

Source: https://www.zdnet.com
