A potentially novel threat actor recently compromised two telecommunications organizations based in the Middle East, using two backdoors with previously unseen methods for stealthily loading malicious shellcode onto a targeted system.
In a report shared with Dark Reading, Cisco Talos named the intrusion set "ShroudedSnooper," as it could not correlate the activity with any previously identified groups.
ShroudedSnooper uses two backdoors, "HTTPSnoop" and "PipeSnoop," with extensive detection-evasion mechanisms, including masquerading as popular software products and infecting low-level components of Windows servers. Once implanted, they execute shellcode to give the attackers a persistent foothold on victim networks, with the ability to move laterally, exfiltrate data, or drop additional malware.
"I have to say: these are very sneaky," says Vitor Ventura, lead security researcher with Cisco Talos. "They will hide in plain sight. And it is incredibly difficult to distinguish their bad behavior from good behavior. It is very clever."
A New Backdoor Threat: HTTPSnoop
It is unclear how the ShroudedSnooper intrusions are achieved, although the researchers speculate that the attackers may exploit vulnerable, internet-facing servers before deploying HTTPSnoop (packaged as a dynamic-link library or an executable) to cement their initial access.
Rather than take the usual route of dropping a Web shell onto the targeted Windows server, HTTPSnoop takes a subtler, roundabout path, using low-level Windows APIs to interface directly with the HTTP server on the target system.
Like a parasite, it uses kernel-level access to bind itself to specific HTTP(S) URL patterns, then listens for incoming requests. If an incoming HTTP request matches a particular pattern, it decodes the data carried in the request.
"Really, what they are doing is abusing a particular feature. That is how Windows Web servers work," Ventura says, before adding that "I have never seen this kind of abuse used to build implants before."
Adding to the secrecy, the URL patterns in question tend to match popular, commonplace software products. For example, Ventura says, "even if an analyst looks at the URLs, it will look like normal Outlook Web mail. They will have to pay attention, unless they know very well what they are looking for."
The data extracted from those HTTP requests is, naturally, malicious shellcode, which is then executed on the infected device.
The Difficulty of Stopping ShroudedSnooper
In May, the ShroudedSnooper attackers developed an evolution of HTTPSnoop, "PipeSnoop." Like its sibling, it aims to enable arbitrary shellcode to execute on the targeted endpoint, but by reading from and writing to a pre-existing pipe, a section of shared memory used for inter-process communication (IPC).
To further evade prying eyes, it should be noted, both Snoops come packaged in executables that mimic Palo Alto Networks' Cortex XDR application.
That the already stealthy HTTPSnoop is being developed further only demonstrates how difficult it can be for telecoms to identify and root out these backdoors.
"Yes, victims can hunt for it. They can check which URLs are registered within the Web server, then try to see which callbacks are being called, and which DLLs are associated with those callbacks. But again, that is forensics work, which is not so easy to do on live production systems," Ventura explains.
"So I would say that prevention is a really key factor here," he concludes. Rather than try to defeat the backdoors themselves, "because there is a certain level of privilege required to do this, companies can use the tools they have to detect the earlier steps before the malware is installed, because it requires high privileges."
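The hunting approach Ventura describes (listing which URLs are registered with the Windows HTTP server and which processes own them) can be started with a script like the one below. It is an added example, not code from the article or from Cisco Talos; it assumes the "Process IDs:" / "Registered URLs:" layout of `netsh http show servicestate view=requestq verbose=yes` output and a hypothetical baseline of expected listener processes.

```powershell
# Added example: map every HTTP.sys URL prefix to the process(es) owning its
# request queue, so unexpected listeners stand out for analyst review.
# Assumption: in the verbose request-queue view, each queue prints a
# "Process IDs:" block before its "Registered URLs:" block.
$raw = netsh http show servicestate view=requestq verbose=yes

# Hypothetical baseline of processes expected to own HTTP.sys listeners;
# adjust to the server's actual role (IIS, Exchange, WinRM, ...).
$expectedOwners = @('System', 'svchost', 'w3wp')

$findings  = @()
$ownerPids = @()
$mode      = ''
foreach ($line in $raw) {
    $t = $line.Trim()
    if ($t -eq 'Process IDs:')     { $ownerPids = @(); $mode = 'pids'; continue }
    if ($t -eq 'Registered URLs:') { $mode = 'urls'; continue }
    if ($t -eq '') { continue }                      # blank lines do not end a block
    if ($mode -eq 'pids') {
        if ($t -match '^\d+$') { $ownerPids += [int]$t } else { $mode = '' }
        continue
    }
    if ($mode -eq 'urls') {
        if ($t -notmatch '^HTTPS?://') { $mode = ''; continue }
        foreach ($ownerPid in $ownerPids) {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ownerPid" `
                    -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.Name -replace '\.exe$', '' } else { 'unknown' }
            $findings += [pscustomobject]@{
                Url      = $t
                OwnerPid = $ownerPid
                Process  = $name
                Path     = if ($proc) { $proc.ExecutablePath } else { $null }
                Expected = [bool]($expectedOwners | Where-Object { $name -like $_ })
            }
        }
    }
}

# Unexpected owners first; these (and any URL you do not recognise) need review.
$findings | Sort-Object Expected, Url | Format-Table -AutoSize
```

A listener owned by an expected process is not automatically benign, since a DLL implant can be loaded into a legitimate server process; the URLs and the modules loaded in flagged processes still need analyst review, which is the forensic work Ventura refers to.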
- Source: https://www.darkreading.com/dr-global/shroudedsnooper-backdoors-ultra-stealth-mideast-telecom-attacks