Who fights the creators of fake sites (phishers), and how

Cloned Boy

HACKED THE PHISHERS.

Famous carder Sergey Pavlovich continues his conversation with employees of Group-IB, the main Russian private fighter against hackers, carders and other cybercriminals, and in the eighteenth episode of the series we met in the company's office to see everything live, and we talk with Alexander Kalinin, head of the Group-IB CERT.

Enjoy reading!


Contents:
  • CERT Department
  • Alexander Kalinin – Head of CERT Department Group-IB
  • What do they do in the department?
  • Cost of protection. Who uses CERT services
  • How does analytics work?
  • Encryptors, ransomware
  • Encryption Markers
  • Decoders
  • Graph Visualization of actions
  • Attacks, malware
  • Attacks on Belarusian security forces
  • Phishing attacks
  • Domain protection
  • Search for phishing groups
  • Fake tickets
  • Interaction of Group-IB departments
  • To be continued...

CERT Department
Manager:
Look, we are going to CERT now, there is such a cool room there. These are the guys who monitor the Internet, and when phishing resources appear there, someone starts spreading denunciations, someone was hacked and they start doing something in his name, they are the ones who revoke registrations, take data from hosters, block domains. It is to them that angry resource owners write, like "You blocked my domain, why?", and they just do not know, let's say, that they were hacked and all sorts of things are spilled from them.
Well, plus they are the ones who monitor our solutions, our products at our clients. What is happening there and how. That is why we go into that very CERT hype.

Alexander Kalinin - Head of the CERT Department Group-IB
Pavlovich:
Well, and the last person. Us today. Our tour of the Group-IB office is coming to an end. Not everyone we wanted to film got filmed. Some have already physically left, because we have been filming a lot. And here is Alexander, he is the head of the CERT department, yes. So it is a CERT. Emergency response team. So it is an incident response department, yes? Cyber threats. Cyber threats. And tell us what you do, your main profile, and what is interesting about you here?
And why did you come to this department?

Reference:
Alexander Kalinin (Head of the Computer Emergency Response Team (CERT) at Group-IB).

What does the department do?
Manager:
Lots of interesting things. We have a 24/7 department, and something is always happening, especially with our clients, who are the largest organizations in the world. Not only in Russia, most of them are already located abroad. We mainly profile two of our key products. This is the Threat Hunting Framework, where we see everything that happens inside the network that we protect. These are both malicious files and some communications with the outside world, suspicious, so to speak.
Analysis of what is happening on the computers of these companies and their employees. And the second part is our interaction with CERT organizations similar to us around the world, plus the fight against phishing, to put it simply.

Pavlovich:
As I understand it, you track some kind of abnormal activity in the networks of your clients, different from the usual regular activity?

Manager:
Yes, including. Naturally, each of the modules of our products has specifically written rules, which have already been created by analysts over many years of all this improvement of all processes. Plus we are engaged in hunting for what has not yet been written, new threats somehow came out, we look for their traces in the company network. If clients have any questions, we answer these questions, conduct additional analysis, take the data we need, help within the network.
And if something is beyond our area of competence, then we pass it on to other departments, which you probably visited today, including the labs.

Cost of protection. Who uses CERT services
Pavlovich:
And how much does such protection cost? It is clear that there are companies of all different levels, but some minimum, the minimum price per month.

Manager:
In the Threat Hunting Framework, we are simply included in the package, so a person does not spend additional money on us.

Pavlovich:
How are you included in the package? That is, are you shareholders of the company or what?

Manager:
No, I mean that if we say how much it costs the client, then it does not cost the client anything directly when we talk about the Threat Hunting Framework. They buy it, and it already has support from SERT. And if we talk about anti-phishing, then it is included in two of our products - digital risk protection and threat intelligence and attribution. We are included there. There is no separate additional payment for such things of ours.

Pavlovich:
Well, who are the main customers, that is, companies from what areas? Who needs to constantly keep their finger on the pulse in terms of IT security?

Manager:
The organization's finances, naturally.

Pavlovich:
Banks, payment system.

How does the analytics happen?
Manager:
What is it here, right? This is to better understand how the analyst's shift goes. He works with this kind of data. He sees that something is happening in the company's network, these are, of course, demonstration triggers, but, nevertheless, combat ones are not very different. He sees that part of the conditional packet, or malware, which triggered this or that signature, or this or that marker, and he then carries out further work with it.
He notifies the client about what happened here, and explains in human language what is here, because not everyone understands what Meterpreter, a trojan, and so on are. We call him, it doesn't matter where exactly, we have employees abroad, they work with local clients, we work with Russian clients, with Russian-speaking clients, we tell them what's going on, answer their questions, and if he needs help, but doesn't know what to do, then we either offer ours, or, for some clients, we have the ability to connect to this host at all.
Well, like, figuratively, through some TeamViewer or RDP, something else.

Pavlovich:
Well, only the internal system. Internal, of course.

Manager:
Everything is logged there, that is, it is completely transparent for the client and only for the one who allowed it. This is always an important issue, so I focus on it. And we communicate with him through the internal Ticket system.

Pavlovich:
Here we see that, as you defined it, Trojan is there, yes, TrojanWin32, target, I understand, and remote host, where it is tapping out.

Manager:
Yes, who was the initiator inside and where it is going outside. This is a standard view of what the signature shows inside, and it can be written for different things. Here you can see, if you are interested, what the signature looks like, but Suricata, it is essentially the same. Is it called Suricata? Suricata, yes, this is the language in which the signature is written, which works by comparing what is inside the packet.

Pavlovich:
Yes, but here is the signature.

Manager:
Well, yes, it could have been written, for example, for this word, to put it simply. Reflexive loader, well, here is the loader, I understand. Something abnormal is happening in the network. Here too, too.

Pavlovich:
Yeah, it is clear here how much... This is purely network activity.

Manager:
Yes, yes, yes.

Pavlovich:
It could have been the same brought in from files.

Manager:
And what is this? This is a built network map. Of the client? Of the client, yes. So it's his network, right? Well, that is, the system itself builds what is connected to what. And you understand where some editor could have knocked. Who could already be affected by this or that threat. You work with them in a localized manner. And you don't run around the entire network, thinking.

Pavlovich:
Some kind of centralized office, right? Because everything is organized that way. Yes, but there's already a lot of chaos there. Well, yes, yes, yes.

Manager:
This is all the Threat Hunting Framework. I'll probably go through it to the end, and then move on to phishing a little. It's also interesting. This is when we talk about malicious software, that is, some sample, we either pull it out of the traffic ourselves, from the computer of the client's employee, or get it from ... Sometimes they throw it at us manually, so that we can check it additionally and make some kind of verdict.
And now, give me the keyboard, please. Just the most picturesque example, in my opinion, is all the encryptors that we have there. You can even full-screen. What does the system do? It launches it in a special isolated environment. Launches it, right, this is also the emphasis, because not every software can be simply launched on some artificial platform. Oh, well, it's a locker, right? CTB Locker, yes, in this case.

Encryptors, ransomware
Manager:
The virtual machine is encrypted now. And there is no need to launch cash anywhere, fortunately. And the client is also interested. Here the attribution is immediately pulled up, what it is. You can click there, and it will describe what it is. The data is pulled from our Threat Intelligence.

Pavlovich:
Yeah, well, a ransomware, in general, now, you see, after this DarkSide, after this gas pipeline in the US, of course, all the journalists are going crazy. I had the New York Times yesterday, tomorrow there will be ABC News. Everyone wants to hear, to find out about these ransomware encryptors.

Manager:
I recommend the report that we recently released about ransomware. It’s about everything that we have, the MITRE ATT&CK matrix is superimposed. Really beautiful.

Pavlovich:
We’ll leave a link to your telegram channel, let them download it from there.

Manager:
Yeah, I’m enjoying it. Just last week, at the end of the week, even I started to get confused about this report, for America and the Caribbean Region, I was talking about this report. They’re all like that at once. Very interesting, tell me more. What’s shown here from such a top level?

Ransomware markers
Pavlovich:
Why did he decide that this was a ransomware at all?

Manager:
As for the set of markers, I won't go into too much detail, but here's BR, renamed 500 or more files. Regular malware doesn't do that, it's typical of encryptors.
They inject like other processes. In principle, it's a fairly common tactic for malware, but in this case it adds weight to the fact that it's malicious in itself. Here it found signs of a blocker network, and so on. Naturally, you can look at any of them, see what it did there, what processes or files it interacted with. Excellent information for an analyst, both on our side and on the client's side, and we also work with an MSP partner.
Deleting backups. Shadow copies. In short, it worked thoroughly to make it extremely difficult to restore, which, in fact, all encryptors do. And so as not to forget to remind you, we help our MSSP partners serve their clients with this information. That is, they buy our products, distribute them to their clients, and we help them with some complex cases.
Well, we train them. And who writes the most decryptors?

Decryptors
Pavlovich:
Recently, one of my friends encrypted his data, and I googled it and contacted an avant, I don’t remember who, some antivirus company, and they said, well, there’s nothing for this encryptor. They say we don’t have a decryptor specifically for this.

Manager:
There might not be any, that is, it can often be based on some vulnerability. Maybe, in principle, the encryption algorithm was unstable, so it can be written using certain methods, well, a decryptor. Or maybe it’s fake, it just tells you that we encrypted your background image, but in fact it didn’t do anything, maybe it didn’t have time, or maybe it was a bad developer. They also have this problem, in principle.
What’s here, on this screen?

Graph Visualization of actions
Manager:
Here, for example, attributions with Cobalt. Cobalt is also a well-known group. Last year, no, even a little earlier, I think, a letter was sent from the National Bank of Kazakhstan, in this case it was. No, it's Brazil. But the domain was like this. It was one of the triggers that would be nice to check.

Pavlovich:
KZ, BZ, right? Visually, an inattentive eye, maybe without problems on KZ. Found a bank, yes, Z, there is something.

Manager:
And we have everything in the background, always checked with the help of, among other things, a tool that removes unnecessary, leaves necessary and attributes when there is such an opportunity. Well, in this case he said that it relates to cobalt. The domain itself was registered to such and such an email. He found another domain name for this email, and a bunch of malware files for it. This can be for further research. It is extremely useful information that you, for example, realized that your sample mentions a certain client, some other company, but there is no malware in it yet.
But you know that there will be a certain brand. This is the next target, yes. And what is this? This all relates to the attribution of the owner of this domain name. We know that he had such an e-mail. And it relates to him, we know that he has 3 such domain names, which he can then use for something.

Pavlovich:
Then you can contact the domain registrars, contact those who gave them hosting, that is, quickly remove all these servers and so on, and so on. Depending on the goal, yes.

Manager:
You can block somewhere, somewhere it is not useful, it can even be harmful to block something. You can remove the only way to decrypt later, it can be difficult. Somewhere a sinkhole can be very useful. What is a sinkhole? This technology, it is used in different ways, but to make it simpler, some malware, it accesses a domain name and dumps some data there, or waits for control from there.
And you want to stand in place of the attacker, control this nerd. I understand, that is, where the admin is tapping, right? For example, yes, and you can intercept this control in different ways. If it is DGA, Domain Generated Algorithm, you can register domain names for yourself in advance that are not registered yet, because there can be hundreds, thousands, and so on, choose any of them, and wait there, intercept traffic, and then give it back, if you know how to do it.
This is a very interesting event. Then, I think, we will move on to the bottom, it’s just that all this relates to phishing. I will achieve this here.

Attacks, malware
Manager:
Here we have malicious files that come to the client. They are visible like this in a stream, that is, when some kind of mass attack is visible, it happens on our clients, we are

Attacks on Belarusian security forces
Manager:
Below are some striking examples, including last year's, when there were political events in Belarus, attackers always react very quickly to all such news items.
Here we have some kind of unscheduled inspection of security forces and so on, and attackers sent out malware in this way. Here is a link to the downloader. The downloader already pulls up what you need. It was either an encryptor or remote control, they had their own written there. Such letters are not always written beautifully and competently, because they still need to do it quickly. You don't have a week to prepare. You need to do all this on the hype of events.
However, remote control in the encryptor is the best. And a similar example, but already on behalf of lok.ru, the sender's forgery is still used. The malware was right in the archive, but password-protected, i.e. not every gunman can catch one like that, here the access code is still there, not a passport, not a password, etc. And here, in my opinion, there was RMS, also remote control, which will connect to you later, and with its help they can take your data, or slip you something, what you have, and also encrypt it.
Now it’s more about hype. Below is shown one of the phishing groups. Here is what intelligence looks like from the inside of the phishing part.

Pavlovich:
What this resource looks like. This is a form of payment for a bank card. Yes, yes, yes. Naturally, this is some kind of fake site.

Manager:
In different ways. It’s like a payment system. There are many of them here. Internal attribution is called that.

Phishing attacks
Pavlovich:
Look, it’s cool, Galina is written fake.

Manager:
Yes, it was our employee who attributed its author’s name. But why? Because the domain names involved in this phishing attack are registered to the owner Galina. Galina Katsubinskaya. Yes, she has different posts. This is what the graph looks like, which shows the connections between different attacks, but which are connected into one big ball. If it would be possible to show less here. Now. This is an extremely cleaned graph, which does not contain any unnecessary data.
But all these domain names that are connected with it, they were phishing. From here, the machine is pulled up there, and there they are processed by our phishing signatures, of which employees also write in huge quantities of thousands, so that this is automatically tied to the brand, and we understand what is stolen from there, where it goes, and in general, this is an extremely interesting job, so that ...

Domain protection
Pavlovich:
And what was the domain you were protecting in this example? Because everything, pricing, pricing, I see, something related to e-commerce.

Manager:
In this case, it was a self-payment system that was protected, but there could be some brand, and the domains they use could be completely unrelated to this brand, because here is getpricing.Online, but before that, there could be something related to the brand in the subdomain. I probably won't invent any brands, but this could be used in the subdomain, and you won't even find it, taking all the domain names from all the registrars. That is, we need to look even deeper here, passive DNS, collect some top data, some feeds from third-party providers, and so on.
But the main thing is that we know the e-mail, we know the set of parameters, such as SSH, SSL, e-mail, IPs, which, if properly cleared, focus us on one editor.

Pavlovich:
So, it turns out that we are looking for this parameter, yes, that is, we are approaching the one who...

Manager:
It is still far from always there, thanks to DMCA, that all this has become hidden in many zones, but not in all, not always, and some data can be historically pulled up, many technical data allow us to bypass such things that we know if the page code contains certain patterns, we attribute everything to a certain phishing group.

Pavlovich:
So, it's just that in my time, it was a long time ago, well, it was rare when groups were engaged in that is, someone was phishing there on behalf of a bank collection, for example, definitely on behalf of payment systems from charitable foundations, they even sent out that is, a mailing and there is a fake charitable foundation, but you are still more single now in groups, mostly phishing occurs here or still.

Manager:
If we talk about my terminology, this is precisely a term because we do not know in advance how many people are with, and we need to attribute within ourselves. When they are caught, then we will know how many were there, whether it was just him or a whole team of friends.

Search for phishing groups
Pavlovich:
Well, what percentage of them are caught there? Let's say you found, identified 100 phishing groups in the dock. How many of them will go to jail in different countries of the world?

Manager:
This is an extremely lengthy process. Find someone, catch them and then convict them.

Pavlovich:
But in general, at least one out of a hundred goes to jail?

Manager:
They go to jail, yes. One of the articles definitely says yes, more specifically, but we need to count, and this is more of a request to the investigation department, which, naturally, then has this data and can use it right away, without collecting additional data over a long period of time.

Pavlovich:
Here, I see, they also identified the phone number, that is, email, phone number, perhaps.

Manager:
Yes, this is a lot of experience data, nothing was needed, no illegal manipulations were required for this. And it is not always available right now. That is why we collect history, any change is logged in the system. If he did not remove his data for at least 2 hours, then this will be a plus for us, we will see this.
I want to show, probably, what a large graph looks like when analytics still does not quite understand how much... How can analytics work look when everything is still not very obvious? You found some new site, which is not clear where it leads, and you get just a heap of a million domains, IP addresses and other indicators, which you will then have to work with. You remove unnecessary nodes. I threw out a grouping for you because you are not sure about it, maybe you are removing unnecessary certificates, and slowly untangling the real tangle, a digital tangle of sorts, mostly manually, you want to attribute as accurately as possible, so as not to say that everything that is registered by such and such a registrar, this is your grouping, it will simply be wrong, well, unprofessional, and by doing this kind of cleaning, you eventually come to the truth, let's call it that. Now I will try to make it smaller, and this is still a pretty good graph, it goes far there, its universe, both here and there.

Pavlovich:
Such as a star galaxy, yes, like a star system.

Fake tickets
Manager:
It is similar to the Big Bang, when you just start it is really a dot, and then it starts to fly apart, to beat in its own groups, in its own constellations. Here we had something else, probably from the latest, yes, before the May holiday there was news that fake tickets for Sapsan were again being sold on...

Pavlovich:
Like fake Russian Railways sites, right?

Manager:
Yes, for example. For us, this is how it looks: they found one site, using the graph, they found links to this site, tickets for Lastochka, Sapsan, Sapsannek and so on.
And then you just check them.

Pavlovich:
And are you defending Sapsan in this case or Russian Railways? Or is this just some kind of personal initiative? Is this your client?

Manager:
It always varies. Sometimes we work not for clients. We have emergency services, when they call us. That is why we have a device at each workstation. And victims write. If this is within our area of competence, where we can help, then we definitely do it. And if there is time for research, then we release the research.

Pavlovich:
And then you inform the victims, the companies.

Manager:
Again, this may not only be on our side, but also in our other places of presence.

Pavlovich:
As I understand it, if I ask which department is the most important in your company, you will say that all of them are important. All of them are important, yes. Well, which one is the most responsible then? Who bears the greatest responsibility?

Interaction of Group-IB departments
Manager:
Well, listen, this is real. Each has its own huge points of responsibility. If some system does not work for us, we will suffer. And some systems, and some clients will simply not be protected. If we do not do our job, then a bunch of fraudulent and phishing sites will multiply. If the client does not receive our support on time, he simply will not be able to do anything. It will also be bad for the client. He will not go to the lab.
He will not help with the incident response on site, the clients will continue to be active within the company.

Pavlovich:
They will have to work with the investigation.

Manager:
They will not catch the criminal.

Pavlovich:
But if forensic experts are also more like that, already investigating incidents that have taken place, then you, probably, still work more on prevention.

Manager:
And for prevention, and you are in the investigation.

To be continued...
Pavlovich:
And for early detection. Yes, everything is correct. In general, I understood everything. NTZ Belarusian. Lukashenko, hello. Thank you for the great story. So, until we meet on the screens, if you forgot anything, you can call us.
 