
Cyber riffraff attacks accountants. Analysis of attacks on 1C databases

Everyone has heard about the sensational hacker attacks on financial institutions. Attackers steal millions of dollars, their actions are thoroughly investigated by researchers, and a whole industry lives off selling protection against them. In the world of offline crime it is likewise the high-profile murders that get discussed, not petty theft. Small companies are of no interest to serious cybercrime, yet they are attacked no less often than large banks. Usually this is some kind of malware, in particular ransomware that extorts money for decrypting files. But there are also real "hackers" who want to profit from unlucky business owners.

Recently we were able to study two compromised systems that had been subjected to similar attacks. Using them as examples, we will look at how the attackers acted and which mistakes allowed them to successfully penetrate the organizations' servers.


Victim 1


A small company (fewer than 50 employees). One server running Windows Server 2008. 1C Accounting is installed on the server, and file shares are deployed on it. There is no domain; local accounts are used for employees on both the workstations and the server. Accountants can connect from home over RDP to the server to work remotely in 1C. The administrator is an outside contractor who comes in when needed. In general, a very typical picture.

On Monday morning 1C does not start for the accountants. It happens. Following the administrator's instructions, an accountant goes into the folder with the 1C databases in order to "distort" them. I do not know what mode of 1C operation requires "distorting" the databases, or what that even means, but the databases are not in the folder. In their place is a file named "READ !!!!!!.txt". It says (with no respect for spelling or punctuation) that the databases have been stolen. Anyone wishing to get the databases back is invited to contact the specified e-mail address (something in the style of vasyanpetrov2001@mail.ru).

Panic begins. The administrator is summoned to the company and tries, unsuccessfully, to figure out what happened and restore the system. The director writes a letter to the hacker. The hacker tersely asks for the server's IP address and then demands 30,000 rubles for the return of the databases. To be honest, we expected them to demand an order of magnitude more, but the attackers evidently know their victims better.

Our specialist was asked to help. The administrator brought the server back to the office from his home, where he had taken it for analysis, and joined our specialist. Analysis of the hard disk showed that recovering the deleted databases was already difficult: because the server had been powered on and off many times, and because of the attempts to restore backups and other manipulations, the deleted files had been overwritten by new ones. No signs of system infection, rootkits and so on were found. The logs (they had not been cleaned) showed clearly that on Friday evening a brute-force attack on RDP logins and passwords had begun. On Sunday a simple password for one of the accountants' accounts was guessed. The guessing continued and stopped only after the attacker logged in to the machine on Monday night.

Common sense suggested that the logic of the attacker's "business" did not involve returning the databases, or even copying them to a remote server. Ransomware operators need a good reputation for payments to grow, since they work at scale and victims can read about them on the Internet. Here, in the hacker's place, it would be logical to simply demand more money after receiving the first tranche. To check this version, data was requested from the provider's billing records. Indeed, nobody had downloaded the databases. They had simply been deleted. Communication with the hacker, who does not respect Rosenthal's rules of Russian grammar, was accordingly minimized.

Further investigation showed that, for some reason, in the panic everyone had decided that the last backup was a couple of months old. Moreover, the backup databases were on the same hard disk as the production databases and were accessible to the hacker, but he did not bother to look for them. In fact, the backup had been made one working day before the break-in and the information could be restored quickly. Everyone mentally wished the hacker a painful death and parted happily.

Recommendations that could be given to the affected company (given its modest size):


Victim 2


A large company with servers colocated in one of the commercial data centers in Moscow. The data center receives a report that a stream of malicious traffic is being recorded from one of the company's public IP addresses (no details were provided). We were asked to help the administrators figure out what was going on.

Analysis showed that the traffic was coming from a virtual server hosting the management console of Kaspersky Anti-Virus. Those who have worked with this product know that, more often than not, control of the console gives administrator rights on every machine where the antivirus is installed. Understandably, this news gave the administration group a good deal of gray hair. A snapshot of the virtual machine was created immediately, preserving the contents of RAM. After that, the machine was shut down on the production network and analysis of the copy began in an isolated segment.

To our surprise, we found that this break-in had also been carried out by brute-forcing an RDP password from the Internet. The administrators claimed that the server was not published on the Internet. In parallel, they began to study both the consequences of the break-in and how RDP had become reachable from the external network.

The second question was answered quickly. It turned out that the network administrator had edited the access lists (ACLs) on the Cisco border router through the console. When he finished, he applied the ACLs to the interface ... backwards. That is, inbound and outbound were swapped, opening full access to a set of servers from the Internet. Nobody noticed.

The password was guessed very quickly. The company had adopted a password policy but then, for some reason, forgotten about it. Next, four accounts with local administrator rights (Adm1n, Default User, Register, ASPNET) were created on the server. Some time later the attacker logged in under the ASPNET account. Not finding any 1C databases (it became clear later, as we realized, that the 1C hunters had been at work here too), the hacker manually opened a browser, ran speedtest.net to gauge the bandwidth of the server's channel, and uploaded an RDP password-guessing utility to the server. After manually fiddling with the settings, the hacker launched an attack on external servers. There were no signs of any attempt to develop the attack into the internal network or to use the Kaspersky console. Had the attacker used his brain even a little, he could eventually have extorted far more than 30,000 rubles from the victim.

For the password brute-forcing, a utility downloaded from a popular "hacker" forum was used. The hacker manually uploaded brute-force dictionaries and launched the attack. The guessing targeted accounts with telling names: Administrator, User1, User2, Buh, Buh1, Buh2, Buhgalter, Glbuh.
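Both incidents were visible in the Windows Security log as a burst of failed RDP logons (event 4625) against accountant-style account names, followed by one successful logon (event 4624) from the same source. The detection below is an added example, not code from the article: it runs over a constructed, simplified log (timestamp, EventID, LogonType, TargetUserName, IpAddress; the IPs and times are made up) and reports each source that exceeded a failure threshold inside a time window, the accounts it tried, and whether a later success followed from that source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 4625 = failed logon, 4624 = success;
# LogonType 10 = RemoteInteractive (RDP), 3 = network logon (RDP with NLA
# fails as type 3 before a session opens), 2 = interactive console logon.
SAMPLE_LOG = """\
2018-04-13 18:55:10,4624,2,localuser,-
2018-04-13 19:02:11,4625,10,Administrator,203.0.113.7
2018-04-13 19:02:14,4625,10,Buh,203.0.113.7
2018-04-13 19:02:17,4625,10,Buh1,203.0.113.7
2018-04-13 19:02:20,4625,10,Glbuh,203.0.113.7
2018-04-13 19:02:23,4625,10,User1,203.0.113.7
2018-04-13 19:02:26,4625,10,Buhgalter,203.0.113.7
2018-04-14 07:30:05,4625,10,buh2,198.51.100.9
2018-04-15 23:41:02,4624,10,Buh1,203.0.113.7
2018-04-16 02:10:40,4625,10,Buh1,203.0.113.7
"""

def parse_log(text):
    """Parse the simplified CSV form into (datetime, event_id, logon_type, user, ip)."""
    rows = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), int(ltype), user, ip))
    return rows

def find_rdp_bruteforce(rows, threshold=5, window=timedelta(hours=1)):
    """Return {ip: summary} for sources with >= threshold failed RDP logons inside
    any `window`, plus the account of the first success from that ip after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, user, ip in rows:
        if ltype not in (3, 10) or ip == "-":   # only remote RDP/NLA logons matter here
            continue
        (failures if eid == 4625 else successes)[ip].append((ts, user))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            j = i   # extend the burst while events stay within the window of fails[i]
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                later = [u for t, u in sorted(successes.get(ip, [])) if t > fails[j][0]]
                hits[ip] = {"failures": len(fails),
                            "accounts": sorted({u.lower() for _, u in fails}),
                            "success_after_burst": later[0] if later else None}
                break
    return hits
```

A source that appears with `success_after_burst` set is exactly the pattern from Victim 1: the guessing paid off, and that account's sessions need to be reviewed before anything else.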

One can laugh at the primitiveness of the approach, the complete lack of automation and the hacker's weak technical knowledge, but all of it turned out to be quite effective. While the utility was running, four real servers belonging to Russian companies were broken into (with passwords like 12345). The attacker manually logged in to the compromised server from which the attack was running and checked the catch, which was appended to a file in the folder with the utility.

Overall, the company drew the following conclusions after the incident:


Conclusion


The cause of both break-ins is not so much the script kiddies greedy for easy money as the carelessness or mistakes of the administrators themselves. Where there is an opportunity to profit, there will be someone willing to take it, especially if it requires little effort. And the superficial approach to hacking can be explained not by the laziness and lack of professionalism of the hackers, but by an assembly-line approach to attacks: it is easier to go through another hundred servers than to dig into one.

In any case, even such simple attacks can cost a company of any size very dearly. In the offline world banks build underground vaults, while a kiosk gets a padlock for the night. Nobody leaves the door wide open. On the Internet, things are still somewhat different, to the delight of attackers of all stripes and levels of professionalism.

Andrey Yankin, itsecurity

Source: https://habr.com/ru/post/369903/
