在飯店裡攻擊企業的高階主管

算是為什麼企業要提供 Full Routing VPN 的一個攻擊管道的說明...

這篇介紹了在飯店裡透過 WiFi 攻擊企業的高階主管,想辦法塞木馬取得資訊,或是滲透進企業內部的網路:「Hackers are using hotel Wi-Fi to spy on guests, steal data」。

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

有點介於 APT 與一般性的攻擊中間...

BGPmon 推出 BGP Stream 警告異常的 BGP 流量劫持

也是兩個禮拜前的新聞,在「OpenDNS BGP Stream Twitter Feed」這邊提到了 BGPmon 將會推出 BGP Stream 服務,將偵測到的 BGP 異常變化發到 Twitter 上。

其中 BGPmon 在幾個月前被 OpenDNS 併購 (2015 年 3 月),而 Cisco 則在上上個月底併購了 OpenDNS (2015 年 6 月)。而在過幾天的 DefCon 23 上將會透露更多細節。

前陣子 Hacking Team 洩漏的資料中就用到了 BGP hijack 來取回控制權:

That nugget that emerged from the 400 Gb of stolen Hacking Team data posted online where Italian law enforcement used Hacking Team’s Remote Control System monitoring software to regain control over a number IP addresses it was watching that were already infected with Hacking Team software by hijacking BGP routes in order to redirect traffic and regain control over a target’s machines.

除了示警外,另外一方面 BGP 上的簽名技術也愈來愈重要了,只是不知道最終會怎麼做...

Hacking Team 的 BGP Routing Hijack

Hacking Team 的事情告訴我們,只能是能做的,都有人會包成 Total Solution 賣。

洩漏出來的資料說明了 Hacking Team 在 2013 年幹的 BGP Routing Hijack:「How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack」。

The Wikileaks document described how the Italian ROS reached out to Hacking Team to work together on recovering the VPS server that ran on 46.166.163.175. In ROS terminology, the server was called “Anonymizer”. The emails also revealed that this server relays updates to another back end server called “Collector” from which ROS presumably recovers the targets’ data.

然後:

When we look at historical BGP data we can confirm that AS31034 (Aruba S.p.A) indeed started to announce the prefix 46.166.163.0/24 starting on Friday, 16 Aug at 2013 07:32 UTC. The Wikileaks emails outline how ROS complained to Hacking Team that the IP was reachable only via Fastweb but not yet through Telecom Italia, concluding not all RCS clients were able to connect back to the server immediately, since the prefix was not seen globally. BGP data further confirms this per the visualization below.

這些主要的 ISP 分別是:

AS12874 Fastweb
AS6939 Hurricane Electric, Inc.
AS49605 Reteivo.IT
AS4589 Easynet
AS5396 MC-link Spa

時間線:

這也證明了「鎖 IP」的方法其實還是很危險的。

Hacking Team 購買 Flash Exploit 的信件

前情提要:「Hacking Team 被黑而洩漏出來的資料」。

在「How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team」這邊提到了 Hacking Team 被黑而洩漏出來的信件,透漏了俄羅斯的人賣 Flash Exploit 給 Hacking Team 的過程。

從內容就可以看出不同的賣法,包括「首次」與「獨家」都是可以談的條件:

1) The price is US$45,000.00 for the non-exclusive sale of any special discount for the "first" deal together will be greatly appreciated :)

然後有些東西是另外加密通信的:

The two men then exchanged PGP keys, which they used to exchange a number of encrypted messages, presumably one including how Toporov would like to be paid.

然後還有 invoice:

而買了幾個建立關係後,後面還會有 discount:

Now your discount on the next buy is -5k and -10k is for a third bug.

最近應該會有不少人跳下去解讀洩漏出來的資料...

Hacking Team 被黑而洩漏出來的資料

這幾天資安領域最熱鬧的消息莫過於 Hacking Team 被黑之後洩漏出來的 400GB+ 的資料:「Hacking Team hacked, attackers claim 400GB in dumped data」、「Hacking Team hacked, attackers claim 400GB in dumped data」。

洩漏的資料可以在 GitHub 上的「hackedteam」取得,或是透過 BitTorrent 取得 (i.e. 51603bff88e0a1b3bad3962614978929c9d26955)。

烏雲上的「人手一份核武器 - Hacking Team 泄露(开源)资料导览手册」這篇寫得很完整了,現在的系統已經整合到這樣,於是要對這個人做任何事情都很容易:

也因為這次的 leak 而使得不少軟體在修正 0day exploit...

好精緻的核武...