
http://www.moduwu.com 2020-06-09 15:40 Translated by 中華工控網 (China Industrial Control Network)

Kaspersky ICS CERT Report: 2020 attacks target suppliers of equipment and software for industrial enterprises

In early 2020, a series of targeted attacks on industrial organizations in various regions was reported. According to the latest Kaspersky ICS CERT findings, these hits were focused on systems in Japan, Italy, Germany and the UK and targeted suppliers of equipment and software for industrial enterprises. Research has shown that attackers used malicious Microsoft Office documents, PowerShell scripts and several other techniques to make it difficult to detect and analyze their malware. One such technique is steganography, a data-hiding technology that conceals messages within digital files.

Targeted attacks on industrial objects organically attract attention from the cybersecurity community as they are sophisticated and focused on sectors that are of critical value. Any disruption in the continuity of work can lead to unwanted consequences, from successful industrial espionage to comprehensive financial losses.

The series of attacks examined was no exception. Phishing emails, used as the initial attack vector, were tailored and customized in the specific language of each victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email. For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese. Also, to successfully decrypt the malware module, the operating system must have had a Japanese localization.

Closer analysis has shown that attackers used the Mimikatz utility to steal the authentication data of Windows accounts stored on a compromised system. This information can be used by attackers to gain access to other systems within the enterprise network and develop attacks. This is particularly dangerous when attackers gain access to accounts that have domain administrator rights.

Figure: Detailed attack scheme

In all detected cases, the malware was blocked by Kaspersky security solutions which prevented the attackers from continuing their activity. As a result, the ultimate goal of the criminals remains unknown. Kaspersky ICS CERT experts continue to monitor new, similar cases. If an organization encounters such an attack, it can be reported by using this special form on the Kaspersky website.

“This attack attracted attention due to several non-standard technical solutions used by the attackers,” said Vyacheslav Kopeytsev, a security expert at Kaspersky. “For instance, the malware module is encoded inside the image using steganography methods, and the image itself is hosted on legitimate web resources. This makes it almost impossible to detect the download of such malware using network traffic monitoring and control tools. From the point of view of technical solutions, such activity does not differ from the usual access given to legitimate image hosting. Coupled with the targeted nature of infections, these techniques indicate the sophisticated and selective nature of these attacks. It is a matter of concern that industrial contractors are among the victims of the attack. If the authentication data of employees of the contractor organization falls into malicious hands, this can lead to many negative consequences, starting with the theft of confidential data and ending with attacks on industrial enterprises through remote administration tools used by the contractor.”

“The attack on contractors once again demonstrates that for electric power facilities to be operated reliably, it is critically important to ensure workstations and servers are protected – both on corporate and operational technology networks,” comments Anton Shipulin, solution business lead, Kaspersky Industrial CyberSecurity. “Although strong endpoint protection may be enough to prevent similar attacks, in this case, we still recommend using the most comprehensive approach to support the industrial facility’s cyber-defense. Attacks through contractors and suppliers can have completely different entry points within the enterprise, including ones on the OT network. Even though the attack’s objectives remained unclear, it is more accurate to follow the assumption that attackers have the potential to gain access to the facility’s critical systems. Modern means of network monitoring, anomaly and attack detection can help to detect signs of an attack on industrial control systems and equipment in a timely manner, and prevent a possible incident.”

To reduce the risks of being attacked, industrial organizations are advised to:

  • Provide training to employees of enterprises on how to work with email securely and, in particular, identify phishing emails.
  • Restrict the execution of macros in Microsoft Office documents.
  • Restrict execution of PowerShell scripts (if possible).
  • Pay particular attention to PowerShell process startup events initiated by Microsoft Office applications. Restrict programs from receiving SeDebugPrivilege privileges (if possible).
  • Install a security solution for corporate endpoints such as Kaspersky Endpoint Security for Business, with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
  • Use security solutions for OT endpoints and network such as KICS for Nodes and KICS for Networks to ensure comprehensive protection for all industry critical systems.
  • Install security solutions on all systems with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
  • Use accounts with domain administrator rights only when necessary. After using such accounts, restart the system where authentication was performed.
  • Implement a password policy with requirements for the level of complexity and regular password changes.
  • Upon an initial suspicion that systems are infected, perform an antivirus check and force password changes for all accounts that were used to log in on compromised systems.
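
The recommendation above to watch PowerShell process startup events initiated by Microsoft Office applications can be turned into a simple detection rule. The following is an added example, not code from the Kaspersky report: it walks the parent chain of each PowerShell start, so it also catches an indirect launch (Office, then cmd.exe, then PowerShell), which goes slightly beyond the direct-parent case. The record field names, host names and sample events are constructed for illustration and assume process-creation logs (for example Sysmon Event ID 1 or Security event 4688) have already been normalized.

```python
from ntpath import basename  # parses Windows paths on any platform

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe",
          "outlook.exe", "msaccess.exe", "mspub.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4  # ancestors to inspect per PowerShell start (assumption; tune locally)

# Constructed process-creation records. Field names are this example's own,
# not a vendor schema.
FIELDS = ("ts", "host", "pid", "ppid", "image", "cmd")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (1, "ws-01", 4120, 900, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE order.xls"),
    (2, "ws-01", 4388, 4120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ..."),
    (3, "ws-01", 4460, 4388, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
    (4, "ws-02", 800, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    (5, "ws-02", 5000, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    (6, "ws-02", 6200, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE offer.doc"),
    (7, "ws-02", 6300, 6200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
]]

def name(path):
    return basename(path).lower()

def office_spawned_powershell(events, max_depth=MAX_DEPTH):
    """Return one alert per PowerShell start that has an Office ancestor."""
    live = {}    # (host, pid) -> latest creation event seen for that PID
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if name(ev["image"]) in POWERSHELL:
            chain, key = [name(ev["image"])], (ev["host"], ev["ppid"])
            for _ in range(max_depth):
                parent = live.get(key)
                if parent is None:       # parent started before logging began
                    break
                chain.append(name(parent["image"]))
                if chain[-1] in OFFICE:
                    alerts.append({"host": ev["host"], "pid": ev["pid"],
                                   "chain": " <- ".join(chain), "cmd": ev["cmd"]})
                    break
                key = (parent["host"], parent["ppid"])
        live[(ev["host"], ev["pid"])] = ev   # later events overwrite reused PIDs
    return alerts

if __name__ == "__main__":
    for alert in office_spawned_powershell(SAMPLE_EVENTS):
        print(alert)
```

The interactive PowerShell session started from explorer.exe on ws-02 is not flagged; only the two starts with an Office ancestor are.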
