Attackers can manipulate RF signals to steal data from industrial networks

Researchers have recently disclosed a new attack technique: by controlling the radio-frequency (RF) signals emitted by a programmable logic controller (PLC), an attacker can exfiltrate data from an air-gapped industrial network.


Traditional attack methods

An attacker may be able to plant malware inside an isolated network, for example through a malicious firmware update or a USB drive, but using that malware to send valuable data out of an air-gapped network remains a hard problem.

Over the past few years, Israeli security researchers have found many ways to exfiltrate data from air-gapped networks, including infrared cameras, scanners, the LEDs on routers and hard drives, heat emitted by hardware, radio signals, and the noise produced by hard drives and fans. One of their proof-of-concept malware samples, AirHopper, uses the electromagnetic signals emitted by a computer's graphics card to send data to a nearby receiver.

A new approach

Researchers at CyberX, a company focused on securing industrial control systems, recently found a new way to exfiltrate data from air-gapped networks. The method is similar in spirit to AirHopper, in that both extract data from an air-gapped industrial control network, but the new method uses the RF signals emitted by a programmable logic controller (PLC).

CyberX researcher David Atch presented the technique at SecurityWeek's ICS Cyber Security Conference in October this year; interested readers can watch the recording of the talk, which appears at the end of this article.


The technique relies on the PLC and the RF signals it emits. The test setup used the widely deployed Siemens S7-1200 PLC, but the researchers believe the technique applies equally to PLCs from other vendors.

CyberX's exfiltration method does not exploit any security vulnerability or design flaw in the PLC, and the researchers stress that it does not involve any RF functionality of the device itself. Instead, the RF signal is a by-product of repeatedly writing data to the PLC's memory.

The researchers analysed the radio waves emitted by the system and found that their frequency changes while data is being written to the device's memory. An attacker who can control that frequency can exfiltrate data one bit at a time, with one frequency representing "0" and another representing "1". The signals can be picked up by a nearby antenna and decoded with a software-defined radio.

Writing to the PLC's memory at specific intervals shifts the frequency of the RF signal, and this can be achieved by uploading a specially crafted ladder diagram (the most widely used PLC programming language) to the device.

An attacker with access to the target organisation's equipment can therefore upload a malicious ladder diagram to the PLC and use it to extract sensitive data.


In testing, the CyberX researchers extracted data at a rate of 1 bit per second from a distance of about one metre using an off-the-shelf antenna. They believe the distance could be extended with a higher-powered antenna, and that the data rate could be raised further by improving the signal-processing algorithms.

The researchers note that there are many ways to capture the exfiltrated data, such as attaching an antenna to a drone and flying it over the target device, or posing as cleaning staff with an antenna in a pocket.

Although the exfiltration rate is currently slow, the researchers consider the method useful in the reconnaissance phase of an attack. For example, an attacker could use it to obtain the target organisation's network topology, protocols, details of related devices, work schedules, and intellectual property stored in the HMI.

Is there a workable solution?

The researchers warn that, because no suitable security solution currently runs on the PLC itself, this type of attack is hard to detect. Moreover, once a device is infected the malicious code can persist for a long time, because PLCs are generally never reformatted.

In an interview with SecurityWeek, Atch said: "Organisations can prevent this type of attack through continuous monitoring and anomalous behaviour detection."

Lecture video

Source: SecurityWeek; compiled by FreeBuf editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.


Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files

Kudos to Dutch security firm Fox-IT which has gone public about a cyber attack it suffered in September:
“In the early morning of September 19 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT. This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.”

Whoever launched the attack against Fox-IT was able to redirect emails going to the fox-it.com domain, and inbound traffic to their ClientPortal.
You can read more about the incident on Fox-IT’s website, but I think one thing that is worth highlighting is that if such an attack can hit a security firm, it could most likely hit many other types of businesses which are less focused on security.
The weak link, it appears, was Fox-IT’s choice of domain registrar, responsible for maintaining the company’s DNS records. Those critical DNS entries should have been protected, to prevent this type of attack from succeeding, with two-factor authentication.
But it turns out that Fox-IT’s domain registrar didn’t offer any form of multi-factor authentication. All a criminal needed to hack into their DNS entries was a username and password:
“We chose our DNS provider 18 years ago when 2FA was neither a consideration nor a possibility. We were surprised to find that the registrar still does not support 2FA. It is always worth asking: does your DNS registrar support 2FA? The answer may surprise you.”
It’s a good question, especially when you consider that domain name hijacking can not just result in your customers thinking your systems have been hacked, but also lead to private communications being intercepted.
Past victims of DNS hacking have included WhatsApp, Lenovo, anti-virus firms AVG and Avira, and Bitcoin wallet service Blockchain.info.
To its credit, Fox-IT appears to have communicated clearly with its customers and partners, contacted those who may have had some data exposed, and is working with law enforcement in the hope of apprehending the culprits.
Given the nature of Fox-IT’s work there are likely to be some interesting theories as to who might have been behind this particular attack, and what they were attempting to spy upon.
One thing is clear. The company has some powerful enemies.
In the past, Fox-IT has published impressive research into the activities of cybercriminal gangs – including the Russian Anunak (aka Carbanak) criminal group which has stolen many millions of dollars from the banking industry and Western retailers.
Don’t learn the lesson the hard way. Protect your website’s DNS entries. Choose decent, unique passwords. Enable two-factor authentication on the account. And, if you have the clout, request that your DNS registrar confirm with a manual phone call if there is ever an attempt to point the records elsewhere.

GDPR: Distinguishing Fact From Fiction

Brian Honan, president, BH Consulting
With just a few months left until the EU’s General Data Protection Regulation will be enforced, too many so-called “experts” are spreading fear and falsehoods about the regulation, says Brian Honan, a cybersecurity consultant based in Dublin.
“People are worried about what is going to happen come May 25 next year when GDPR will be enforced,” Honan says in an in-depth interview with Information Security Media Group. “Companies are struck by fear, and it’s not been helped either that suddenly everywhere you turn there is a GDPR or data protection ‘expert’ that has been known to say that GDPR in 2017 is similar to what Y2K was in 1999. … We have ‘experts’ in data protection that … a few years ago wouldn’t have even touched the topic.”
Overcoming Misperceptions

Several facets of the regulation are poorly understood, and weeding out the facts can be difficult, Honan acknowledges.
One misperception, he points out, is that consent is required before an organization can use a European’s information. “That’s not true. You can use someone’s information if you can demonstrate a legitimate business need, or if you have an existing business relationship with that person,” he points out.
In this interview, Honan discusses:
Misperceptions about “the right to be forgotten” provision in GDPR;
How well prepared organizations are for the GDPR compliance; and
Penalties tied to enforcement of compliance.
Honan is president of Dublin-based cybersecurity firm BH Consulting and the founder of Ireland’s first computer emergency response team, IRISS-CERT. He’s also a cybersecurity adviser to the EU’s law enforcement intelligence agency, Europol.

The head of the British Armed Forces, Air Chief Marshal Sir Stuart Peach, has warned that Russia could cut off the UK by severing undersea communications cables.
In a speech made to military think-tank the Royal United Services Institute last night, the air marshal said: “There’s a new risk to our way of life, which is the vulnerability of cables which criss cross the sea beds. Can you imagine a scenario where those cables are cut or disrupted? Which would immediately and potentially catastrophically affect our economy and other ways of living if they were disrupted.”

Peach was giving the annual Chief of the Defence Staff Lecture, in which he talks about topical defence, security and geopolitical issues. He specifically highlighted Russia as the most likely nation state that might go around cutting cables and causing chaos.
“In response to the threat posed by the modernisation of the Russian navy, both nuclear and conventional submarines and ships, we, along with our Atlantic allies, have prioritised missions and tasks to protect the sea lines of communication,” he said, specifically mentioning the role of NATO.
The air marshal also joked about bringing back the Railway Squadron of the Royal Logistics Corps, which drove military-manned trains to and from West Berlin during the Cold War, as well as beefing up Britain’s military hackers with a “reservist and contractor”-led cyber force.
A stagnant defence budget, allied to possible inflation-driven cuts to internal spending, mean the Royal Navy is facing decades of severe overstretch. Peach’s speech ought to be read (or watched, if you’ve an hour of free time – the Russian comments are all in the first five minutes) with the military need to put pressure on politicians for extra funding in mind.
Laying cable
Peach’s warning comes in the context of Russian naval renewal over the last few years and increasing naval activity by Moscow’s armed forces, as well as a recent report highlighting potential legal vulnerabilities around cables and their landing stations. The basic argument goes that as everyone knows where they are, they are uniquely vulnerable.
Without doubt, this is true. It is also true that in our increasingly interconnected world, even “the baddies” like Russia and Iran are also coming to depend on communications over these cables. In spite of conspiracy theories around Russian spy ships interfering with undersea cables, the greater threat to global connectivity appears to be the West, which has inserted eavesdropping capabilities into a large number of cables around the world. Both the US and UK have the advanced technologies necessary to do this sort of work while underwater.
Russia, meanwhile, seems to like trolling professional Western observers by sailing along cable routes, raising watchers’ blood pressure all the while. Rather than some kind of high-tech interference, the main fear is that the Russians will simply drop anchor over a cable site and drag it through in order to sever the cable – as happened accidentally off the coast of Jersey last year thanks to the careless crew of an Italian-flagged gas tanker.
As we previously reported, naval gazers reckon the Russian spy ships may be looking for so-called dark cables used for dedicated defence and intelligence communications. The idea is that by cutting dedicated links, spies and other snoopers’ comms are forced onto public cables – where they can then be re-routed into areas where hostile states can collect and analyse them at leisure.

Triton Malware Targets Industrial Control Systems in Middle East

Researchers found malware called Triton on the industrial control systems of a company located in the Middle East. Attackers planted Triton, also called Trisis, with the intent of carrying out a “high-impact attack” against an unnamed company with the goal of causing physical damage, researchers said.
FireEye’s Mandiant threat research team revealed the existence of the malware on Thursday. They said adversaries behind Triton are targeting Triconex Safety Instrumented System controllers sold by Schneider Electric.
Researchers are comparing Triton’s targeting of industrial control systems to malware used in watershed attacks Stuxnet and Industroyer (or Crashoverride).

“It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016,” researchers said in a blog post outlining their research. “Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.”
On Wednesday, Schneider Electric warned its customers of Triton (PDF).
“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the company said in a statement.
According to researchers at Dragos, credited for discovering the malware last month, Triton targets the Triconex Safety Instrumented System (SIS) by “enabling the replacement of logic in final control elements.”
“It is not currently known what exactly the safety implications of Trisis would be. Logic changes on the final control element implies that there could be risk to the safety as set points could be changed for when the safety system would or would not take control of the process in an unsafe condition,” Dragos stated in a report detailing the malware.
According to FireEye, Triton masquerades as a legitimate Triconex Trilog application used for reviewing system logs. “The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers,” researchers wrote.
Triton attack scenarios include using the malware to shut down the Triconex SIS process that is in a safe state. The impact would be disruption of plant operations and service downtime.
Attackers could also reprogram the SIS controller not to shut down in an unsafe environment, creating risks to human safety or damage to equipment, according to Mandiant researchers.
Each of the attack scenarios assumes an adversary already has a foothold on targeted systems.
Lastly, attackers could manipulate Triconex’s distributed control system to create unsafe conditions while at the same time programming the SIS to allow the unsafe state, resulting in possible equipment failure or human harm.
“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” Mandiant researchers said. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”
Dragos described Triton as having a “game-changing” impact on industrial control systems and specifically safety systems. “Targeting SIS equipment specifically represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life. Given these implications, it is important to ensure nuance in how the industry responds and communicates about this attack,” Dragos researchers said.
Schneider offers a number of detection and mitigation measures in its advisory, ranging from making sure Triconex systems are deployed on isolated networks to scanning USB drives, CDs or laptops for malware before they connect to that network.

Simple research tool detects 19 unknown data breaches

Every now and then researchers come up with a security insight so simple you wonder why nobody has noticed it before.
If there was an award for such discoveries, a contender for this year’s prize would surely be a data breach early warning tool called Tripwire, the work of engineers at the University of California San Diego (UCSD).
In real-world tests, not only did Tripwire detect a number of unknown or undisclosed breaches, the team believes it could be used to detect many breaches long before organisations realise they’ve happened or stolen data appears on the dark web.

Too good to be true? Not if you harness the power of inference.
As anyone who studies data breaches knows, the first thing cybercriminals do when they steal and unscramble credentials is to try them on lots of other sites, particularly the email services that underpin people’s online identity.
For instance, passwords taken from breaching small sites will be used to attack larger and more valuable ones (Gmail, say) in the hope that users have re-used the same passwords.
As numerous incidents show, it’s a strategy criminals use to amplify the effect of almost every breach.
The team’s reasoning was to detect when re-use attacks were happening by creating multiple honeypot accounts on each of 2,302 different online organisations, each tied to single email addresses at an unnamed email provider who’d agreed to collaborate with them.
If a honeypot account was breached, it followed that this would become apparent when the cybercriminals used the stolen credentials to access its accompanying email address.
Which means:
This approach allows a wide array of Internet sites to be efficiently monitored for compromises and admits no false positives – presuming the email provider itself is not compromised.
The clever bit is it worked.
19 of the test sites were breached and passwords reused in the nine months to February 2017, including one at a “well-known American startup” with 45 million customer accounts.
Sixteen of these were unknown breaches, either because the organisation affected was keeping that fact secret or, very possibly, didn’t know it had been breached at all.
A further three, including the site with 45 million users, showed minor public indications of compromise, that had not been confirmed (one was eventually confirmed during the study period).
To account for some sites storing passwords more securely than others, the researchers registered honeypot accounts with an “easy” password (8-character, containing a dictionary word), and a “hard” one (10-character, alpha-numeric, mixed case).
This meant that if Tripwire subsequently detected a breach on a given account, it could infer the level of security being used to secure passwords (i.e. a breach of a hard password might imply it was stored as a simple hash, or even as plain text).
One criticism might be to question how representative the test sites (adult, classified, gaming, wallpapers, BitTorrent, etc.) are of the internet more widely.
Which misses the point – the fact a breached account is at a small, obscure online company matters not if the user reuses the same password to secure their Gmail, Yahoo or Facebook accounts.
How might attackers evade Tripwire?
Only by choosing not to try password reuse attacks on big email providers, or by targeting smaller numbers of accounts in the hope the honeypot account wasn’t among them.
But, as its creators acknowledge, Tripwire’s biggest hurdle might simply be convincing breached providers to take its evidence seriously.
Too many don’t care or don’t want to know about breaches, viewing it as a private concern. Until this changes, or governments enforce better behaviour, Tripwire could find itself with plenty of work ahead of it.
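The inference step described above, as an added example that is not the UCSD team's code: the sites, mailboxes, passwords and login records are constructed, and the easy/hard password pairing mirrors the study's design.

```python
"""Breach inference in the style of UCSD's Tripwire (added illustration).

Every monitored site gets honeypot accounts registered with email addresses
that exist nowhere else.  A login to one of those mailboxes using the
site-specific password can only come from someone who obtained the
credentials from that site, so the method has no false positives unless
the email provider itself is compromised.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Honeypot:
    site: str        # the monitored web site
    email: str       # mailbox at the cooperating provider, unique per site and strength
    password: str    # password registered at the site AND set on the mailbox
    strength: str    # "easy" (dictionary-word based) or "hard" (10-char mixed alnum)


@dataclass(frozen=True)
class MailLogin:
    email: str
    password_used: str
    timestamp: str


# Constructed sample data: fictional sites, mailboxes and passwords.
HONEYPOTS: List[Honeypot] = [
    Honeypot("wallpapers.example", "hp-wp-easy@mailprov.example", "sunshine1", "easy"),
    Honeypot("wallpapers.example", "hp-wp-hard@mailprov.example", "Qv7rT2kLm9", "hard"),
    Honeypot("games.example", "hp-gm-easy@mailprov.example", "football7", "easy"),
    Honeypot("games.example", "hp-gm-hard@mailprov.example", "Xp3nZ8wVq2", "hard"),
    Honeypot("torrents.example", "hp-tr-easy@mailprov.example", "dragon123", "easy"),
    Honeypot("torrents.example", "hp-tr-hard@mailprov.example", "Hn4bK9sDw1", "hard"),
]

# Constructed login records, as the email provider would report them.
LOGINS: List[MailLogin] = [
    MailLogin("hp-wp-easy@mailprov.example", "sunshine1", "2017-01-10T03:12:00Z"),
    MailLogin("hp-wp-hard@mailprov.example", "Qv7rT2kLm9", "2017-01-10T03:12:30Z"),
    MailLogin("hp-gm-easy@mailprov.example", "football7", "2017-02-02T22:40:00Z"),
    # Wrong password: ordinary guessing against the mailbox, not credential reuse.
    MailLogin("hp-tr-hard@mailprov.example", "password1", "2017-02-03T01:00:00Z"),
]


def infer_breaches(honeypots: List[Honeypot], logins: List[MailLogin]) -> Dict[str, dict]:
    """Map each monitored site to what the honeypot mailbox logins reveal about it."""
    by_email = {h.email: h for h in honeypots}
    report: Dict[str, dict] = {
        h.site: {"breached": False, "hard_reused": False, "first_seen": None}
        for h in honeypots
    }
    for login in logins:
        hp = by_email.get(login.email)
        # Only a login with the exact site-specific password counts as evidence.
        if hp is None or login.password_used != hp.password:
            continue
        entry = report[hp.site]
        entry["breached"] = True
        if hp.strength == "hard":
            entry["hard_reused"] = True
        if entry["first_seen"] is None or login.timestamp < entry["first_seen"]:
            entry["first_seen"] = login.timestamp
    return report


def storage_assessment(entry: dict) -> str:
    """Infer how the site probably stored passwords, following the paper's reasoning:
    a reused *hard* password was likely stored in plain text or as a fast unsalted
    hash; if only the easy one was reused, the hard one survived the cracking run."""
    if not entry["breached"]:
        return "no evidence of compromise"
    if entry["hard_reused"]:
        return "hard password reused: plaintext or weak hashing likely"
    return "only easy password reused: hashing probably slowed the attacker"


if __name__ == "__main__":
    for site, entry in infer_breaches(HONEYPOTS, LOGINS).items():
        print(f"{site}: breached={entry['breached']} first_seen={entry['first_seen']} "
              f"-> {storage_assessment(entry)}")
```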

Underground Currents series | "Hiring" hundreds of thousands of users for free: the TigerEyeing virus uses cloud control to push thousands of apps

1. Overview

Recently, Tencent's Anti-Fraud Lab and Mobile Security Lab, using their in-house AI engine TRP, detected a backdoor virus family named TigerEyeing among a huge volume of samples. Analysis by security experts at the two labs found that TigerEyeing uses the open-source plugin framework DroidPlugin to deliver malicious plugins dynamically, and uses a cloud-side list of malicious plugins to carry out malicious app promotion, nuisance advertising and similar behaviour. Tracing by the Anti-Fraud Lab's Shenyang (神羊) threat-intelligence system points to a Shenzhen live-streaming app developer, 深圳虎科技, as a prime suspect.

The TigerEyeing trojan lurks on the user's device for a long time. It steals private data, including device information, the list of installed apps, device memory and sdcard capacity, and reports it to a server; it periodically contacts the server for configuration describing which plugin apps to install, loads and runs those plugin apps with the DroidPlugin framework, and after they have run for a while deletes them, carrying out malicious promotion, malicious advertising and other nuisance behaviour without the user noticing.

Through AI-engine clustering and correlation, the Tencent Anti-Fraud Lab and Mobile Security Lab found that the TigerEyeing trojan spreads mainly in the following ways:

- injected into the system ROM by root-capable malware embedded in games and fake pornographic apps;

- disguised as a system app and distributed through certain offline channels.

Tencent Mobile Manager (腾讯手机管家) now fully detects and removes this trojan family; users can download it to detect and block the trojan.

2. Scope of infection

(Infection statistics were given as a chart, not reproduced here.)

3. Detailed analysis of the TigerEyeing trojan

3.1 Infection method

The TigerEyeing trojan is spread widely through games and fake pornographic apps that embed root capability.

We selected one of the fake pornographic apps, 女优猜猜猜 (Guess the Actress), for detailed analysis.

1) Basic flow of the virus (given in the original as a flow chart)

2) Functional analysis

After the virus runs, it first initialises several premium-SMS billing SDKs and sends billing SMS messages.

Billing SMS messages:

SP number      Message content
106000         CZSXZ
10650195202    200#M903c2iz
1068018        HY303
10678          AT
……

It then decrypts and loads the wryg.dex sub-package.

The main function of the wryg.dex sub-package is to download a root sub-package to escalate privileges and, once root is obtained, plant the TigerEyeing trojan app in the system ROM.

2017xxxxxx.jar is the root sub-package; once dynamically loaded, it downloads and runs PoC files to obtain root.

Related executables (shown in the original as a screenshot).

After rooting succeeds, the virus drops several root daemon files in the system's /system/xbin/ and /system/bin directories so that other malicious modules can quickly obtain root. The main files are:

/system/bin/cufsdosck   /system/xbin/cufsdosck

/system/bin/cufsmgr     /system/xbin/cufsmgr

/system/bin/cufaevdd    /system/xbin/cufaevdd

/system/bin/conbb       /system/xbin/conbb

The TigerEyeing trojan apps are mainly:

App name                      Package name
管理工具 (Management Tool)    com.android.sys..vsleb
System                        com.androids.sys.
中心 (Center)                 com.sys..centers
管理 (Manage)                 com.sys..manges

The TigerEyeing trojan app is either planted in the ROM or installed directly.

Virus-related URLs (listed in the original as a screenshot).

3.2 Analysis of the TigerEyeing trojan, using the system management tool as an example

1. It uses the DroidPlugin plugin framework

DroidPlugin is a plugin mechanism for Android implemented by Andy Zhang. By hooking many system services in the Android framework layer it fools most system APIs, so it can run an APK file as a plugin without installing or modifying it, and the plugin's four component types (Activity, Service, BroadcastReceiver and ContentProvider) do not need to be registered in the host app.

The placeholder Activities and Services, and the hooks on AMS and PMS, are shown in the original as screenshots.

2. After the app starts, it first computes a phone_uuid for the device and stores it in the /sdcard/android/data/mrgo directory to uniquely identify the device.

3. It connects to the server, reports device information including phone model, IMEI, IMSI, UUID, network, the list of installed apps, memory and sdcard capacity, and fetches the configuration delivered by the server.

C&C server domains (shown in the original as screenshots).

Reported information captured dynamically:

Besides pushing apps, the malware also steals and reports the user's private data, including phone model, IMEI, IMSI, UUID, network, installed-app list, memory and sdcard capacity.

Based on the server's response it configures the plugin pool; if the connection to the server fails, it reads the default information instead.

The app stores the default server domain configuration and plugin configuration, encrypted, in the /sdcard/android/data/com.android.sys.manage.vsleb//CYH directory.

If the server responds normally, new configuration is fetched from the server.

Decrypting it yields a JSON string containing the domain list, the downloadList and, for each app to be downloaded, its packageName, startType, startEntrace and other fields.

The app uses the fetched configuration to set up the plugin library and other related parameters.

4. Based on the plugin pool configuration, it downloads and runs plugins

Plugins are run through the DroidPlugin framework.

The trojan can not only run plugin apps in plugin form but can also install apps directly on the device.

5. After a downloaded plugin app has run for a while, the trojan requests new plugin apps from the server, puts the previous plugin apps into the unInstallList, and deletes the apps listed there.

6. Main malicious plugins

a) Malicious advertising app

App name      安卓系统守护 (Android System Guardian)
Package       com..ads
Certificate   2b343f9539871c879a1

This plugin app dynamically loads the DlPluginAds sub-package and calls its code to fetch and display various ads.

b) Malicious push app

App name      MMService
Package       com..wte
Certificate   e02bad002c92fe72f4e1940e299

This app downloads and installs apps according to JSON configuration fetched from the cloud, carrying out malicious promotion.

c) Traffic-inflation app

App name      系统工具 (System Tools)
Package       com..gglx
Certificate   a39c695d15a273525964f19f3172

This app repeatedly requests a configured target URL at a set interval and for a set number of times, inflating visit counts to fake traffic data.

7. Main pushed apps

The TigerEyeing trojan uses its malicious push plugin, or downloads promoted apps itself, to download and install large numbers of apps for promotion revenue. The main pushed apps are listed in the original as a screenshot.

4. Attribution

By correlating sample signatures, certificates and related data, we found that a Shenzhen company, 某虎科技, is a prime suspect.

5. About the Tencent security labs

Tencent Mobile Security Lab: built on the Tencent Mobile Manager product and services, it provides end-to-end (cloud, network and endpoint) security solutions for the mobile industry through its endpoint security platform, network security platform and hardware security platform. Within it, Tencent Yu Security (腾讯御安全) focuses on comprehensive application security services for individual and enterprise mobile app developers.

Tencent Security Anti-Fraud Lab: brings together top international white-hat hackers and several Tencent big-data experts, focusing on anti-fraud technology and security attack-and-defence research. The Anti-Fraud Lab has the world's largest security cloud database and serves 99% of Chinese internet users.

Author: Tencent Mobile Manager (腾讯手机管家). Please credit FreeBuf.COM when reposting.


Beginner's corner | From LFI to command execution on a Deutsche Telekom website

A few months ago I did some subdomain enumeration against Deutsche Telekom's official site telekom.de to see whether any new subdomains had appeared. Deutsche Telekom only accepts high-severity bugs such as SQL injection and remote code execution, so with a bit of luck I might find a bug of that kind on one of its subdomain sites.

After running aquatone, dnsenum, recon-ng and sublist3r I had collected all of telekom.de's subdomains. After deduplicating them, I wrote a simple script that ran dirb against each subdomain site to brute-force directories.

Local file inclusion (LFI)

A few hours later, when I checked dirb's output, I was surprised to find that one subdomain site exposed an info.php test page. I know PHP well, and developers or architects often make mistakes in PHP deployments that leave an opening for attackers. The info.php test page contained useful information such as paths, directories and locations.

Probing further, I reached a login page. Time to fire up Burp Suite and do some spidering; before long a link like this came up:

https://netweb.telekom.de/netweb/gui/help.php?HELPFILE=logon.hlp

I replaced logon.hlp with a ../../../../../../../../etc/passwd request:

https://netweb.telekom.de/netweb/gui/help.php?SID&HELPFILE=../../../../../../../../etc/passwd

Bingo.

Then /etc/release.

In the end, multiple local file inclusion (LFI) vulnerabilities turned up.

Command execution

I had LFI, but that is not yet enough for command execution. I tried to find something useful in error.log: since the info.php (phpinfo()) file sat in the site's root directory, it revealed the location of the error.log file, as follows:

https://netweb.telekom.de/netweb/gui/help.php?HELPFILE=../../../../../../../../../../../../../pkg/moip/netinfo/logs/apache-netweb-P/error.log

When error.log was requested through the LFI, it also contained entries for the soap.php file that dirb had found earlier, and one of the values recorded in error.log was the request's Referer.

Using a curl request, we placed a php echo of 58-8 in the Referer to test whether the logged Referer would come back executed, that is, containing 50.

Sure enough, error.log included the test output 50.

So the same channel could be used to return phpinfo(), and requesting error.log through the LFI duly produced the phpinfo() output.

Finally, I sent Deutsche Telekom a vulnerability report, and they have since fixed these vulnerabilities.
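The defensive side of what the write-up found, as an added example that is not Telekom's code: the flawed "join the parameter onto a base path" pattern beside an allowlisted resolver, plus a check that flags Referer values carrying PHP tags in error-log lines, which is how the LFI was turned into code execution here. The help directory path and the sample log lines are assumed/constructed.

```python
"""Hardened help-file lookup for a help.php?HELPFILE=... style endpoint, plus a
detector for PHP tags in logged Referer values (added example, not Telekom's code).
"""
import os
import re
from pathlib import Path
from typing import List, Optional

# Assumed location of the help files; the write-up does not give the real path.
HELP_ROOT = Path("/srv/netweb/help")

# Help files are flat names like logon.hlp: letters, digits, '_' or '-', .hlp suffix.
HELPFILE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.hlp$")


def vulnerable_resolve(helpfile: str) -> str:
    """The flawed pattern: the request parameter is joined straight onto the base
    directory, so '../' sequences walk out of it (what the write-up found)."""
    return os.path.normpath(os.path.join(str(HELP_ROOT), helpfile))


def safe_resolve(helpfile: str) -> Optional[Path]:
    """Accept only names matching the allowlist, then confirm the final path is
    still inside HELP_ROOT.  Returns None for anything else."""
    if not HELPFILE_RE.fullmatch(helpfile):
        return None  # rejects '/', '..', NUL bytes, empty names, other suffixes
    candidate = (HELP_ROOT / helpfile).resolve()
    root = HELP_ROOT.resolve()
    # Belt and braces: even a valid-looking name must not escape the root
    # (for example through a symlink dropped inside the directory).
    if os.path.commonpath([root, candidate]) != str(root):
        return None
    return candidate


# Log poisoning: an LFI that can include the web server's error log executes
# whatever PHP the attacker managed to get logged, e.g. via the Referer header.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def referer_has_php_tag(log_line: str) -> bool:
    """Flag an Apache error-log entry whose Referer carries a PHP open tag."""
    m = re.search(r"referer:\s*(.*)$", log_line, re.IGNORECASE)
    return bool(m and PHP_TAG_RE.search(m.group(1)))


def flag_poisoned_lines(lines: List[str]) -> List[str]:
    return [line for line in lines if referer_has_php_tag(line)]


# Constructed sample log lines (hostname and client address are fictional).
SAMPLE_LOG = [
    "[Sun Dec 03 10:15:02 2017] [error] [client 203.0.113.5] File does not exist: "
    "/srv/netweb/soap.php, referer: https://netweb.example/netweb/gui/logon.php",
    "[Sun Dec 03 10:16:44 2017] [error] [client 203.0.113.5] File does not exist: "
    "/srv/netweb/soap.php, referer: <?php echo 58-8; ?>",
]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("../../../../../../../../etc/passwd"))
    print("safe:", safe_resolve("logon.hlp"), safe_resolve("../../etc/passwd"))
    print("poisoned log lines:", len(flag_poisoned_lines(SAMPLE_LOG)))
```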

Source: @maxon3; compiled by FreeBuf editor clouds. Please credit FreeBuf.COM when reposting.


Uber says data breach compromised 380K users in Singapore

Uber says an estimated 380,000 users in Singapore were impacted by the 2016 data breach that compromised 58 million accounts globally, but finds no incidents of fraud related to the attack.
The ride-sharing operator posted a statement on its website Friday with the update, noting that the figure was “an approximation rather than an accurate and definitive count”. The number was determined from data extracted from its app or online site and based on codes assigned to specific countries, which might not always correspond with where the user actually lived, it explained.
Uber said it had taken “immediate steps to secure the data” when the breach was uncovered and blocked further unauthorised access. It added that affected customers need not take any action since there was no indication the breach had resulted in any fraudulent transactions.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded,” it said. “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Reports emerged last month that some customers in Singapore found charges made to their Uber accounts and credit cards for rides they never took, including transactions made in the UK and US and in foreign currencies. The company said then that these were not linked to the global data breach, since details related to credit card numbers or bank account numbers were not believed to have been compromised in the attack.
Uber admitted to having concealed the data breach for more than a year, paying hackers US$100,000 to delete the data and keep quiet about the incident.
In a note commenting on Uber’s latest statement in Singapore, Sanjay Aurora, Asia-Pacific managing director for security vendor Darktrace, said the onus was on companies to safeguard their customers’ data.
“The reality is that there is only so much individuals can do. Ultimately, the responsibility lies with the companies that are entrusted with users’ sensitive data to defend it against cyberattacks,” Aurora said.
“Time and time again, we have seen attacks of this scale–and larger–plague the news. The reality is that such breaches, whether Uber, Equifax, or Yahoo, could have been resolved at an early stage [and] well before real damage was done,” he said, touting the need for artificial intelligence in helping companies identify and combat security threats.
Singapore authorities had said they were investigating Uber’s security incident and would determine if the US company had breached local data protection laws. They also underscored the need for Uber to be transparent and to cooperate with local authorities.

“ROBOT” attack: RSA TLS encryption attack affects Facebook, PayPal and tens of


According to foreign media reports, security researchers have found a 19-year-old flaw in the TLS network security protocol in software from several tech giants and open-source projects. It affects many services worldwide (such as Facebook and PayPal) and lets attackers steal confidential data, including passwords, credit card data and other sensitive details.

The researchers explain that the flaw in RSA PKCS#1 v1.5 encryption affects servers at 27 of the top 100 web domains, and that attackers can use it to encrypt or decrypt communications. They call it the ROBOT attack (Bleichenbacher’s Oracle Threat): a technique that allows RSA decryption and signing operations to be performed with a TLS server's private key.

The ROBOT attack lets an attacker decrypt RSA ciphertext without recovering the server's private key: by repeatedly querying a server that runs a vulnerable TLS stack, the attacker can carry out cryptanalysis that may decrypt previously captured TLS connection data.

To exploit the ROBOT attack, an attacker must be able to do both of the following:

1. Capture traffic between a client and the affected TLS server.

2. Establish a considerable number of TLS connections to the vulnerable server. The actual number depends on the implementation-specific flaw and ranges roughly from tens of thousands to millions.

Fortunately, the ROBOT attack affects only 2.8% of the top one million websites. The figure is this small because the affected libraries are mainly used in expensive commercial products, which are in turn often used to harden popular websites. (XML Encryption, PKCS#11 interfaces, Javascript Object Signing and Encryption (JOSE), and Cryptographic Message Syntax / S/MIME have similar problems.)

The record shows that as far back as 1998, security researcher Daniel Bleichenbacher found that the error messages SSL servers returned for PKCS#1 v1.5 padding gave rise to an adaptive chosen-ciphertext attack which, used against RSA encryption, completely breaks the confidentiality of TLS. Although the attack has changed in small ways since then, it still works against many HTTPS hosts on today's internet, mainly because the mitigations devised at the time were insufficient and many software vendors failed to implement the protections correctly; years later, researchers are still working on effective countermeasures to the ROBOT attack. The researchers say the main reason the attack was never fundamentally fixed is that in 1999 the protocol designers chose an insecure technique rather than the secure one Bleichenbacher had recommended in 1998.

To confirm the ROBOT attack further, the researchers demonstrated its practical effect by signing a message with the private key of facebook.com's HTTPS certificate.

According to the company, Facebook was running a patched build of OpenSSL on its vulnerable servers, and the problem was caused by Facebook's own custom patches. Fortunately, Facebook patched the servers before the ROBOT attack paper was published; otherwise attackers could have accessed targets' network traffic and combined it with the KRACK attack to obtain the location of Wi-Fi connections. The impact of the ROBOT attack is therefore severe: attackers could steal confidential data (including passwords, credit card data and other sensitive details).
Some vendors have already fixed the flaw; the patches currently available are:

F5 BIG-IP SSL vulnerability (CVE-2017-6168)
Citrix TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (CVE-2017-17382)
Radware Security Advisory: Adaptive chosen-ciphertext attack vulnerability (CVE-2017-17427)
Cisco ACE End-of-Sale and End-of-Life (CVE-2017-17428)
Bouncy Castle: fix in 1.59 beta 9, patch / commit (CVE-2017-13098)
Erlang OTP 18.3.4.7, OTP 19.3.6.4, OTP 20.1.7 (CVE-2017-1000385)
WolfSSL: GitHub PR / patch (CVE-2017-13099)
MatrixSSL: changes in 3.8.3 (CVE-2016-6883)
Java / JSSE: Oracle Critical Patch Update Advisory – October 2012 (CVE-2012-5081)
The researchers have also released a Python tool for scanning vulnerable hosts, so that users can check whether their own HTTPS servers are affected by the ROBOT attack. They note that existing TLS implementations are not tested thoroughly enough against old vulnerabilities, and that the TLS standard's countermeasures against Bleichenbacher attacks have grown increasingly complex over time. As long as RSA-encryption cipher suites are kept for compatibility in older TLS versions, these attacks remain a problem. To ensure the Bleichenbacher attack is finally put to rest, the researchers recommend deprecating the RSA encryption key exchange in TLS and the PKCS#1 v1.5 standard.
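The padding check and the countermeasure TLS 1.2 servers apply against Bleichenbacher-style oracles, as an added example that is not code from the ROBOT research or any vendor: the modulus size k, the 48-byte premaster layout and the pre-drawn fallback secret follow RFC 5246 section 7.4.7.1, and the Python loop only illustrates the branch-free structure a real implementation needs.

```python
"""RSA PKCS#1 v1.5 unpadding as a TLS 1.2 server must do it (added example).

ROBOT works because a server that behaves differently for well-formed and
malformed padding becomes a decryption oracle.  RFC 5246 section 7.4.7.1
therefore has the server draw a random 48-byte fallback BEFORE decrypting and
use it, silently, whenever the padding, the length or the version bytes are
wrong, so that every failure looks exactly like a success.
"""
import secrets
from typing import Optional, Tuple

PREMASTER_LEN = 48  # TLS pre_master_secret: 2 version bytes + 46 random bytes


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M with at least 8 non-zero PS bytes
    (RFC 8017 section 7.2.1); k is the RSA modulus length in bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5 with this modulus")
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        b = secrets.token_bytes(1)
        if b != b"\x00":  # PS must not contain zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes, k: int) -> Optional[bytes]:
    """Return M, or None if EM is malformed.  Every byte is visited and the
    verdict accumulates in flags instead of returning at the first defect,
    which is the shape constant-time C implementations use; CPython gives no
    timing guarantees, so this only illustrates the structure."""
    if len(em) != k:
        return None
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    sep = -1
    for i in range(2, k):
        # remember the first 0x00 after the block type, keep scanning regardless
        is_first_zero = int(em[i] == 0x00) & int(sep < 0)
        sep = i if is_first_zero else sep
    # PS occupies indexes 2..sep-1 and must hold at least 8 bytes, so sep >= 10
    bad |= int(sep < 10)
    return None if bad else em[sep + 1:]


def tls_rsa_premaster(em: bytes, k: int, client_version: Tuple[int, int],
                      fallback: bytes) -> bytes:
    """Server-side handling of the decrypted ClientKeyExchange block.

    fallback must be 48 random bytes drawn before this call.  Any defect (bad
    padding, wrong length, version bytes not matching the ClientHello version)
    is replaced by the fallback without signalling an error; the handshake then
    fails later on the Finished MAC, identically in every failure case.
    """
    assert len(fallback) == PREMASTER_LEN
    m = pkcs1_v15_unpad(em, k)
    use_fallback = (m is None or len(m) != PREMASTER_LEN
                    or m[:2] != bytes(client_version))
    return fallback if use_fallback else m


if __name__ == "__main__":
    k = 256  # 2048-bit modulus
    pms = bytes((3, 3)) + secrets.token_bytes(46)  # TLS 1.2 version bytes
    em = pkcs1_v15_pad(pms, k)
    R = secrets.token_bytes(PREMASTER_LEN)  # drawn before "decryption"
    print("valid block recovered:", tls_rsa_premaster(em, k, (3, 3), R) == pms)
    tampered = b"\x00\x01" + em[2:]  # wrong block type
    print("tampered block yields fallback:", tls_rsa_premaster(tampered, k, (3, 3), R) == R)
```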

(Editor in charge: 冬天的宇)
