Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - Printable Version
Bezbedan Balkan (https://bezbedanbalkan.net)
Forum: Security of state resources (https://bezbedanbalkan.net/forum-5.html)
Forum: Compromised resources (https://bezbedanbalkan.net/forum-6.html)
Thread: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia (/thread-63.html)
Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

Analysis of the illogical statements by officials regarding the malicious hackers' attack on the Republic Geodetic Authority

New evidence showing that the mail server 93.87.56.22/mailgw.rgz.gov.rs was part of the Mirai botnet: https://www.joesandbox.com/analysis/622091/0/html

BIRN then published new evidence showing that the emails were leaked: https://birn.rs/hakeri-imali-pristup-mejlovima-zaposlenih-u-katastru-srbije-strucnjaci-kazu-da-opasnost-jos-nije-prosla/

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

Until we get the header of this email, we can analyse the server from which the email was allegedly sent, i.e. strumlineco_com, and the link, i.e. iktoffice_com.

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

[email protected] appears as an IOC for QakBot: https://github.com/executemalware/Malware-IOCs/blob/main/2022-02-23%20Qakbot%20IOCs

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

strumlineco.com => 46.4.22.188 => Hetzner, Germany

It appears in various campaigns, e.g.:
- https://urlhaus.abuse.ch/host/iphm.info/
- https://any.run/report/1b1279f4eca61a6661eb687cba8566b20fdc0cfa17bed09a6c0b87d53e7055dd/99d71759-7f99-49ab-89ef-fe255a4f12e1

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

This host also carries quite a few Iranian sites (odd, considering the other campaigns that happened in the region and for which Iran was blamed):

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

iktoffice.com => 192.185.131.124 => USA

It appears in campaigns, e.g.:
- https://www.joesandbox.com/analysis/626149/0/html
- https://www.hybrid-analysis.com/sample/1e425d7c71e5ee8877e60af6ba1d2df32023ac24da48bd0502e7b6e7b8c05359/6118ff95f28e246f02493425

This second campaign has characteristics from our language area:

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - srle - 09-21-2022

I found that email, here is the original header:

Delivered-To: irrelevant - had to remove source
Received: by 2002:a17:90a:e2d1:0:0:0:0 with SMTP id fr17csp546978pjb;
        Tue, 28 Jun 2022 06:34:35 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1uDBYX/4Tfgs3tGMmhiv/P6k4DIjVJNEQ7Byi3A0UpC9a0j8U6kzUab6tO1feFk5tpOfp+H
X-Received: by 2002:a5d:59af:0:b0:21d:21ca:32af with SMTP id p15-20020a5d59af000000b0021d21ca32afmr1731385wrr.145.1656423275024;
        Tue, 28 Jun 2022 06:34:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656423275; cv=none;
        d=google.com; s=arc-20160816;
        b=oSDFhgFGI2MeYiXRoPoif0HAu8ppTWsKpLnAVr7vO4hEgxPk1nSeVe/UFe1oHm4R83
         lSqMFROOAkBqADQJtXd6BKwT6+UN3lE9WjNvK5SLeQR5HuVFxb/aVSlBcFemijtzrQEf
         6E935TuZj6cDGjO+o3adqFMQfIvbWD5uKDdBPMeB7rtkNhglvlLNMfuJ7D1lKE5WASrh
         cRWqLYkzg9uTtP2SKg+4x1A2NK2frv68F39A8+mRvEeEF6K+BaGKTjT3OO5rL8k+tuVc
         UgqjVGiB1nCZYZ0kVfN2M1JSe2aM4Rd+a889pF4DITfMjCpcG9pO7Qib3kyzP42TaNza
         FOVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:subject:to:from:content-transfer-encoding:date
         :mime-version:dkim-signature;
        bh=Gx1O2uDSD00fdeId42Zz3/ocxTejA0KkE7p+6N7aXUI=;
        b=U1EgWCH3Ptn2A4pHvTEuIcjtwFRQFzS+Y5iLJIA9WJvtryeNxsWGhUq10HbJJr5zT8
         OkF1YV7EGp/6OoiIAlqWOKTB5z5yqXuw1Mvqlw8Ji6zIFLl0mDLx5s6QMm90IaHW+1D5
         4nIPeNtYaY2coIlVoFnl1QfUz0LibE/8ScmPdb+WucKjG6f06P/yguYhOnBO9i2IXt3Z
         bOdUJASoNOk7eyfQPnwk8uPYGXDkFzZtqIYezc2ecvMItiq6JWctZ/ibtDm6tpL3r04B
         2jPw+exdimT52/YoyuKVQzfLF9Q5Rlb15uSAlTq2Eam9dOJVyF6ku0MS9aPucierJYDp
         m6OQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=default header.b=MkECjmuP;
       spf=neutral (google.com: 46.4.22.177 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Return-Path: <[email protected]>
Received: from s64.himihan.com (s64user2.mylittledatacenter.com. [46.4.22.177])
        by mx.google.com with ESMTPS id g18-20020a05600c141200b003a02cd14d9dsi16089612wmi.96.2022.06.28.06.34.34
        for
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 28 Jun 2022 06:34:34 -0700 (PDT)
Received-SPF: neutral (google.com: 46.4.22.177 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=46.4.22.177;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=default header.b=MkECjmuP;
       spf=neutral (google.com: 46.4.22.177 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=strumlineco.com; s=default; h=Message-ID:Subject:To:From:
        Content-Transfer-Encoding:Content-Type:Date:MIME-Version:Sender:Reply-To:Cc:
        Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
        Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=Gx1O2uDSD00fdeId42Zz3/ocxTejA0KkE7p+6N7aXUI=; b=MkECjmuPo49u/k3pn300LqkAub
        01vKqZZuFAhnLahgZutFIbT6tv+w2uyGWJB6/Tv0Abjv/bBqfrIAp3yPcQIVVT57t/KcR8btiveTE
        NSqYYAs1gbYWadO+v9kxQfCpgE6Vhf3Cg+cHRdPkytCvIpSqitLvAR3naMoyUV5BJZXKIcmOVIbPy
        20SVSxcF6hYLnWIZTb9Cdk0LDGkhUi1zizW9WNzZASCradWV+O/g65SRpXEEIj+aEHJw/Cos/cEIa
        IR4vWPjoGTEyUa79Xn7F+JxOUVqGeHOj0+AkYWB1QG0aRrPwEK114572neUKIdLEbkHFra6rOwfyt
        3odIilPQ==;
Received: from [219.138.44.15] (port=12242 helo=s64.himihan.com)
        by s64.himihan.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        (Exim 4.94.2)
        (envelope-from <[email protected]>)
        id 1o6BMO-006tQC-KK
        for ; Tue, 28 Jun 2022 18:04:33 +0430
MIME-Version: 1.0
Date: Tue, 28 Jun 2022 05:34:31 -0800
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
From: "Bojan Despic" <[email protected]>
To:
Subject: Re: Kreiran ugovor eKatastar
Message-ID: <[email protected]>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s64.himihan.com
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strumlineco.com
X-Get-Message-Sender-Via: s64.himihan.com: authenticated_id: [email protected]
X-Authenticated-Sender: s64.himihan.com: [email protected]
X-Source:
X-Source-Args:
X-Source-Dir:

They asked the user to click the following link: https://iktoffice.com/ru/inqteusne and enter the password for the archive that would be downloaded from the site: U523

Lure text (translated from Dutch):

Good morning. With this letter I am sending you all the necessary documentation about our upcoming meeting, exactly as we recently discussed. View the necessary details via the following link: https://iktoffice.com/ru/inqteusne Password: U523

This is fairly old, but in case anyone wants to verify the whole story. Everything more or less revolves around the domains: dbspssre.com/oelnrsotsud/ and strumlineco.com/laedlmsu/yh_3215567430.zip

The malware you will find on those domains is pretty much the same as the one distributed as the "RGZ" mail message.

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 09-21-2022

VirusTotal for strumlineco.com/laedlmsu/yh_3215567430.zip: https://www.virustotal.com/gui/url/91013d0db98b32a509b3e17b50548b1a3c16ffed39844df9e761eafd9a82572e/detection

VirusTotal for dbspssre.com/oelnrsotsud/: https://www.virustotal.com/gui/url/0e50b2b7f858f028fc2907cf4e3230b8df3213f840c5b7125660e8619d824865?nocache=1

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 01-11-2023

A few more details can be found in the presentation by Srđan Radosavljević from the Kaspersky team.

RE: Analysis of the attack on the Republic Geodetic Authority (RGZ) of Serbia - 1van - 03-18-2023

I tried to make another cross-section of all the information we have. Cross-referencing with other campaigns remains to be done, but maybe some other time.
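The header srle posted can be triaged mechanically. The Python below is an added example, not code from the forum: it walks the Received chain and the Authentication-Results of a constructed sample modelled on that header (the redacted local part is replaced by the placeholder "user", and header.i=@strumlineco.com is assumed), showing why spf=neutral and dkim=pass say nothing about legitimacy when the attacker controls the sending domain, and surfacing the +0430 submission timestamp against the -0800 Date header.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header posted in the thread; the redacted
# local part is replaced by the placeholder "user" and header.i= is assumed.
RAW_HEADER = """\
Received: from s64.himihan.com (s64user2.mylittledatacenter.com. [46.4.22.177])
 by mx.google.com with ESMTPS (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256);
 Tue, 28 Jun 2022 06:34:34 -0700 (PDT)
Authentication-Results: mx.google.com; dkim=pass header.i=@strumlineco.com
 header.s=default; spf=neutral (google.com: 46.4.22.177 neither permitted nor denied)
Received: from [219.138.44.15] (port=12242 helo=s64.himihan.com)
 by s64.himihan.com with esmtpsa (TLS1.2) (Exim 4.94.2)
 (envelope-from <user@strumlineco.com>); Tue, 28 Jun 2022 18:04:33 +0430
Date: Tue, 28 Jun 2022 05:34:31 -0800
From: "Bojan Despic" <user@strumlineco.com>
Subject: Re: Kreiran ugovor eKatastar
"""
IP_RE = r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"   # first IPv4 literal in a hop
TZ_RE = r"\s([+-]\d{4})\b"                  # numeric UTC offset of a timestamp

def first(pattern, text):                   # first capture group or None
    m = re.search(pattern, text)
    return m.group(1) if m else None

def received_hops(raw):
    """(client_ip, receiving_mta, tz_offset) per Received header, first hop first."""
    hops = []
    for rcv in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(rcv.split())        # unfold the header
        hops.append((first(IP_RE, text), first(r"\bby (\S+)", text), first(TZ_RE, text)))
    return hops

def triage(raw):
    """Facts a responder compares against the claimed sender and the lure text."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    dkim_domain = first(r"header\.i=@?([\w.-]+)", auth)
    from_domain = first(r"@([\w.-]+)>", msg.get("From", ""))
    date_tz = first(TZ_RE, msg.get("Date", ""))
    return {
        "origin_ip": hops[0][0],            # host that authenticated to the submitting MTA
        "submitting_mta": hops[0][1],
        "spf": first(r"\bspf=(\w+)", auth),
        "dkim": first(r"\bdkim=(\w+)", auth),
        # a DKIM pass only shows the mail left the attacker-controlled domain intact
        "from_matches_dkim_domain": from_domain is not None and from_domain == dkim_domain,
        "timezone_offsets": sorted({tz for *_, tz in hops if tz} | ({date_tz} if date_tz else set())),
        "date_tz_matches_origin": date_tz is not None and date_tz == hops[0][2],
    }
```

On the sample, the Date header claims -0800 while the submitting MTA stamped the message +0430, and the DKIM domain matches From only because the sender owns strumlineco.com.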