
In July 2016, the operations of First Bank, one of Taiwan's largest banks, were paralysed. The bank faced a large-scale attack: masked people simultaneously emptied 30 ATMs of $2 million. The police were at a loss: there were no traces of hacking, card readers or other devices. The attackers did not even use bank cards.
Video cameras recorded how it all happened: masked people holding mobile phones walked up to the ATMs, the ATMs dispensed cash, and the criminals stuffed it into backpacks and fled. After a raid on this scale, the country's eight largest banks suspended cash withdrawals at 900 ATMs.
What First Bank encountered is called a logical attack. Its essence is that the cybercriminals gain access to the bank's local network and from there take full control of the ATMs. Remotely, they send the command to dispense cash. The hackers' accomplices, the "mules", collect the money and hand it to the organisers of the attack. In this way Cobalt, the most active and dangerous criminal group, attacked banks in 20 countries in less than a year.

The summer wave of attacks on ATMs was only a test of new capabilities. In the future, according to our forecast, logical attacks will become one of the main lines of threat to banks.
Contactless attacks on ATMs are only one of the various targeted attacks against banks. Besides ATM management systems, cybercriminals are trying to gain access to interbank transfer systems (SWIFT), payment gateways and card processing.
Let us take a closer look at the tactics of logical attacks on ATMs and the countermeasures. This article is based on the Group-IB report on the activity of the Cobalt group, released in autumn 2016. Part of this information is published in the public domain for the first time.
Penetration
Cobalt penetrates bank networks by distributing phishing emails that contain either an exploit or an executable inside a password-protected archive. For banks in the CIS, the criminals sent attachments named "Storage Agreement2016.zip" and "list of documents.doc"; for foreign banks, "European bank rules.doc" and "Bitcoin ATM's.doc".
Gaining full access to the domain controller took from 10 minutes to a week.
The phishing emails were in most cases sent on behalf of the European Central Bank, the ATM manufacturer Wincor Nixdorf, or regional banks. The substitution was not easy to recognise: the sender address showed an official domain. To send the fake emails in June, the anonymous mailing system "yaPostalka v.2.0" (another name for the same service: "alexusMailer v2.0") was used; in later attacks the attackers began using the functionality of Cobalt Strike. In general, Cobalt Strike is a rich framework for conducting penetration tests: it can deliver payloads to attacked computers and manage them.
This is what a letter sent on behalf of the European Central Bank looked like:

The letters were sent from two servers with the IP addresses 88.212.208.115 and 5.101.124.34, both located in Russia. We obtained some of the letters sent from these servers, examined the malicious attachments, found the copies of the malware associated with them, and checked from where the suspicious files had been uploaded to VirusTotal (an online scanner for viruses and malware) at the time of the attacks.
Here is an example of the result of submitting one of them to VirusTotal:

Thanks to this, we were able to build a more complete list of targets of the attacks, which includes banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Poland, Estonia, Bulgaria, Belarus, Moldova, Georgia, Armenia, Kyrgyzstan and Malaysia. In the case of First Bank, the hackers got into the network of the bank's branch in the United Kingdom and through it gained access to the network of the head office.
Besides banks, the letters also reached leasing and insurance companies that belong to the banks' corporate groups. In some cases such companies share a common network, which the attackers then used.
Persistence in the system
After the malicious attachment was launched, the process of establishing persistence in the system began.
1. The attachment contained a malicious RTF document exploiting the vulnerability CVE-2015-1641. It used standard shellcode generated by penetration testing tools such as Metasploit or Cobalt Strike.
2. A payload called Beacon, part of Cobalt Strike, was loaded into RAM.
Interaction with the Cobalt Strike server side is carried out through a covert channel over the DNS, HTTP or HTTPS protocols, so that the network traffic is not detected by standard IDS/IPS systems.
List of the Beacon commands:

3. If the exploit did not work, the attackers re-sent the letter with a password-protected archive containing the same Beacon.
In this way, after the malicious attachment was launched the Beacon was loaded only into RAM. That is, after a reboot of the operating system the attackers lost control of the computer.
To guarantee continued operation in the system, a special Beacon module was activated automatically; it checked which applications were registered to run at startup and replaced some of them with an executable of the same name.
In real attacks, the files replaced were observed to be iusb3mon.exe (Intel® USB 3.0 eXtensible Host Controller) and jusched.exe (Sun Java Update Scheduler). As a result of this substitution, the service that should have automatically started the legitimate program launched the malicious application instead.
4. Into the same directory where the replaced legitimate executable was located, a library named crss.dll was copied. Every time the operating system started, the replaced application loaded this library into memory. Its main task was to download the Beacon module from the Internet into RAM.
Thus the ability to run the main program was guaranteed, even though the main module itself was removed on every reboot of the operating system. All of the above steps were performed automatically after the malicious attachment was launched. In case the infected computer was powered off or the operating system reinstalled, the attackers needed to establish permanent access to the local network. To do this, they needed to escalate privileges.
Privilege escalation
To explore the bank's local network and gain access to isolated network segments and information systems, the attackers need domain administrator rights.
Starting with Windows Server 2008, Group Policy gained an additional feature: Group Policy Preferences (GPP). GPP lets an administrator apply many policies: automatically map network drives when a user logs on to a computer, rename the built-in administrator account, create new users, change the registry, and so on.
Actions such as adding a local user or connecting a network drive or printer may require a password. When such a policy is set to be downloaded for use on another computer, it is downloaded together with the specified password. The password, encrypted with the AES-256 algorithm and then Base64-encoded, is stored in the GPP configuration file Groups.xml.
This XML file is not always created; for example, it is created when the built-in administrator account is created or modified. The file is stored in a subdirectory of the SYSVOL directory on the domain controller and, like the directory itself, is readable by every user in the domain.
Attackers use Groups.xml to obtain the domain administrator's password as follows:
1. Having gained access to the local network, they locate the domain controller specified in the computer's settings.
2. On the domain controller, they check the SYSVOL directory for the Groups.xml file. The file is available at the following path: \\[server name]\sysvol\[domain name]\Policies\[group policy name]\Machine\Preferences\Groups\Groups.xml
3. From the Groups.xml file, they extract the domain administrator's login and password from the userName and cpassword fields.
Fragment of a Groups.xml file:

4. To obtain the clear password, the attackers decode the cpassword value from Base64 and receive a string of the form 2412D5A8073B0B9EEF429FB6AF94B737C95E66B685409A1FD9C36509DF7D6166.
This is the password encrypted with AES-256.
5. The encrypted password is then decrypted with the key 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b, which is published on Microsoft's official MSDN website.

6. After successfully decrypting the password, they gain access to the domain controller and, using the methods described below, to the passwords of any accounts.
With this domain controller configuration, the attackers gained access in 10 minutes.
Another way to extract logins and passwords from the RAM of an infected computer was to use the free Mimikatz tool. The source code of this utility is published on GitHub, is available to anyone, and is built into several penetration testing tools, including Cobalt Strike.
Persistence on infected computers and servers
At this point the attackers have at least one host with a Beacon. They need access to many computers, including ones with no Internet access. To do this, they build a network of infected computers inside the bank's local network. This allows the operators to work collaboratively, controlled from a single Cobalt Strike console installed on a remote server.
The whole process can be described as follows:
- On hosts with Internet access, a version of Beacon was launched that established a connection to the remote management server over a hidden channel. To prevent this network interaction from being detected by standard IDS/IPS systems, the DNS, HTTP and HTTPS protocols were used. There were very few such hosts, and they provided the ability to interact with other hosts on the local network. Let us call them master nodes.
- The most interesting hosts in a bank are the isolated ones without Internet access. However, even where access is allowed, establishing a connection to a remote server from a critical system would raise suspicion in a vigilant security team. To manage such hosts without triggering anomaly detection systems, the attackers used a special version of Beacon that can be controlled only from the local network, over the SMB protocol using named pipes. Let us call them slave nodes.
- Cobalt Strike lets master and slave nodes be connected through a special channel over the SMB protocol. The slave nodes therefore become available in the central Cobalt Strike remote management console. In other words, isolated hosts reach the Internet through a master node that acts as a gateway for the slave nodes.
With such a scheme, the criminals were able to build a fairly reliable mechanism for permanent access to the local network of the attacked bank while remaining as inconspicuous as possible.

To expel the attackers from the network, it is necessary to identify at least all hosts acting as master nodes and remove them from the network at the same time; otherwise the criminals can restore their access within minutes.
Providing backup access channels
After successfully compromising the local network and the domain, the attackers can also use legitimate remote access channels, for example connecting through a terminal server or a VPN with administrator or ordinary user rights.
Despite the fact that Cobalt Strike has a built-in VNC remote access module, the attackers downloaded, as a fallback, a modified installer of TeamViewer (a legitimate remote access tool). Because the installer could not be fully recovered, we assume that its main difference from the official application is that it hides the notification that a remote connection to the computer has been made, as in attacks by other criminal groups in Russia. The preparation is complete; the final stage lies ahead: withdrawing the cash.
Access to the ATMs
Having taken control of the bank's internal network and provided backup access channels, the criminals began looking for the network segment from which the ATMs can be reached and for the workstations of the employees who service the ATMs.
Having obtained access to a computer or server that is allowed to connect to the ATMs, the attackers used the standard remote access tool in use at the bank; this is usually Microsoft's Remote Desktop Protocol.
Once they had access to the ATMs, they downloaded special software that let them control the dispensing of cash.
The program used to dispense money from the ATMs is unique and is used only by this group.
ATM attack software
Once remote access to an ATM is obtained, three files are downloaded to it:
- The script del.bat, which runs the SDelete program with the required parameters.
Contents of the del.bat script:
sdelete.exe -accepteula -p 32 d2.exe
sdelete.exe -accepteula -p 32 xtl.exe
sdelete.exe -accepteula -p 32 *.txt
sdelete.exe -accepteula -p 32 d2s.exe
del sdelete.exe
del del.bat
- The legitimate SDelete program (published on the Microsoft website). Its purpose is to delete files in a special way so that they cannot be recovered during a forensic investigation.
- A malicious program that uses the standard functions of the XFS interface through the XFS Manager (eXtensions for Financial Services). On command from the bank's internal network, this program starts dispensing money.
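A detection check for the del.bat behaviour above, written here as an added example rather than taken from the report: it scores process-creation records (Sysmon event 1 style) for SDelete runs that overwrite executables or wildcard sets with many passes from a scripted shell. The events, host names, paths and thresholds are constructed assumptions.

```python
"""Flag SDelete anti-forensic wiping in process-creation telemetry.
Added example, not from the Group-IB report; records and thresholds are assumed."""
import re

# Constructed Sysmon-style process-creation events. The first two mirror the
# del.bat lines quoted above; the third is a plausible benign administrative use.
SAMPLE_EVENTS = [
    {"host": "ATM-0231", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\sdelete.exe",
     "cmdline": "sdelete.exe -accepteula -p 32 d2.exe"},
    {"host": "ATM-0231", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\sdelete.exe",
     "cmdline": "sdelete.exe -accepteula -p 32 *.txt"},
    {"host": "HR-LAPTOP-12", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\sdelete.exe",
     "cmdline": r"sdelete.exe -accepteula -p 1 C:\Users\anna\old_payroll.xlsx"},
]

PASS_RE = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)  # SDelete -p <passes>
CODE_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1")

def score_event(ev, min_passes=3):
    """Return the list of reasons this event looks like evidence destruction."""
    if not ev["image"].lower().endswith("sdelete.exe"):
        return []
    m = PASS_RE.search(ev["cmdline"])
    passes = int(m.group(1)) if m else 1          # SDelete defaults to one pass
    target = ev["cmdline"].split()[-1].lower()    # last token is the target
    reasons = []
    if passes >= min_passes:
        reasons.append(f"{passes} overwrite passes")
    if target.endswith(CODE_EXT) or "*" in target:
        reasons.append(f"wipes executables or a wildcard set: {target}")
    if ev["parent"].lower().endswith("cmd.exe"):
        reasons.append("launched from a shell or batch script")
    return reasons

def find_sdelete_wiping(events, min_reasons=2):
    """Return (host, cmdline, reasons) for events with enough indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["host"], ev["cmdline"], reasons))
    return hits

if __name__ == "__main__":
    for host, cmd, why in find_sdelete_wiping(SAMPLE_EVENTS):
        print(f"{host}: {cmd}  <- {'; '.join(why)}")
```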
The program's source code was not protected, which greatly simplified its analysis and made it possible to adjust its logic. This means that the author of the malicious program did not plan to distribute it and is most likely part of the attackers' group.
The malicious program makes it possible to communicate with the ATM's dispenser through the XFS API and command it to empty the cash cassettes. It works according to the arguments that must be passed at startup. There are five such arguments, and a value must be specified for each.
The command-line arguments must be in the following order:
ServiceLogicalName is the name of the service used as the argument of the WFSOpen function (for example, "Cash Dispenser Module").
Cassettes Count is the total number of cassettes present in the device. The value must be from 1 to 15.
Cassette Number is the number of the cassette from which cash is to be dispensed. The value must be from 1 to 15.
Banknotes Count is the number of banknotes to be dispensed from the cassette. The value must be between 1 and 60.
Dispenses Count is the number of times the cash dispensing is to be repeated. The value must be between 1 and 60.

All these values are entered at the console by the operator connected remotely to the ATM.
If all arguments are passed correctly, a message is displayed showing the parameters with which the further actions will be performed.

Next, an array is filled in which each element corresponds to a cassette number in the device. The number of array elements must match the total number of cassettes. The value stored in each element of the array is the number of banknotes to be dispensed from the corresponding cassette. The numbering of the array elements starts at 1.
While running, the program obtains the system time and terminates if it does not match the time specified in the program code.

Next, the program performs a series of standard actions that must be carried out before a cash withdrawal operation; if all of them complete successfully, the ATM dispenses the batch of notes. This operation is repeated as many times as specified in the Dispenses Count argument.
Each time such an operation completes successfully, the program writes the text string "Cassettes Count:Banknotes Count" to the file disp.txt, located in the same directory as the malware, where Cassettes Count and Banknotes Count are the values of the corresponding arguments.
Two versions of this program were found: one named d2.exe and the second named d2sleep.exe. The only difference between them is that the second dispenses the cash with a short pause of 1 second.
When the ATM ran out of banknotes, the operator launched the SDelete program, which deletes the used files according to a special algorithm that makes the information unrecoverable. After that, the ATM was rebooted.
In addition, the operators used the MBRkiller malware, which deletes the MBR (master boot record), to disable the bank's internal servers from which the attack on the ATMs was carried out. All of this greatly complicates the forensic investigation of the attack.
The ATM attack
On the agreed day, special people, the "mules", were sent to the ATMs. They had to keep in contact by phone with an accomplice, who gave the command to dispense money from the ATM. Six-digit messages were found on a seized mule's phone. Such codes are usually sent by the organiser to activate the malicious program on a specific ATM.
When the money in the ATM ran out, the person contacted the partner again and left. The emptied ATMs were then rebooted.
In many cases the mules enter the country for the attack on a tourist visa and leave as soon as the operation is complete. A few days after the attack on the ATMs of First Bank in Taiwan, citizens of Latvia and Romania were arrested. The remaining 13 suspects, including Russian citizens, managed to leave the island.
Attention was also paid to the security of the criminal scheme itself. So that an operator cannot use the program to attack other ATMs without the organiser's involvement, a check of the launch time is built into the code. If the system time of the attacked ATM does not correspond to the time specified in the code, the command is not executed. In this case the program generates an error, and in most cases the operators are not aware of this built-in check.
Every time a cash withdrawal operation succeeds, the program writes a special log (the file named disp.txt) containing the number of banknotes dispensed from each cassette. The operator forwards this log file to the organiser, who uses the information to control the cash-out chain.
Who is the Cobalt group?

Connection with Buhtrap
When investigating Cobalt's logical attacks on banks in Russia and Europe, we found that the mechanism for delivering the phishing emails and gaining access to the domain controller is the same as the methods previously used by the Buhtrap group. From August 2015 to January 2016, that group stole more than 1.8 billion rubles from Russian bank accounts.
In May 2016, after the arrest of the people who cashed out the money stolen for the Buhtrap group, thefts from bank accounts using the Trojan of the same name stopped, but the group continued to exist.
It is believed that at least some members of the Buhtrap group joined Cobalt, or that the core of Buhtrap simply switched to attacks on ATMs.
How to repel logical attacks
Logical attacks are growing in popularity, and the number of incidents will only increase. The attacks do not require expensive development of sophisticated software: most of the tools are publicly available.
- To prevent infection through phishing emails with attached exploits, we recommend not opening suspicious emails and updating Microsoft software in a timely manner. Cobalt has not yet used zero-day vulnerabilities; the exploits it uses are old. Regular software updates alone would therefore have prevented the attackers from penetrating the corporate network. Unfortunately, some of the attacked banks did not meet this requirement.
- When the attackers encountered updated software, they sent an attachment with an executable inside a password-protected archive. Such attacks can be repelled by sending letters of this kind to quarantine for dynamic analysis in an isolated environment (a "sandbox").
- Several days, and sometimes months, may pass between gaining access to the bank's network and deploying the attack. Use this time to identify the attackers. As described in the Privilege escalation section, check the domain controller configuration for Groups.xml files in the SYSVOL directory that hold a password encrypted with the standard AES-256 key.
- Install integrity monitoring software on the ATMs.
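The audit below is an added example and not part of the Group-IB report. It implements the check described in the Privilege escalation section and recommended above: walk a copy of SYSVOL and list every Group Policy Preference file whose Properties element still carries a cpassword attribute, i.e. a credential any domain user can read and recover with the published key. The SYSVOL path, the file names and the sample Groups.xml are constructed assumptions.

```python
"""Audit a SYSVOL copy for GPP files that still carry a cpassword attribute.
Added example (not from the Group-IB report); paths and sample XML are assumed."""
import os
import xml.etree.ElementTree as ET

# GPP files that can store a cpassword; Groups.xml is the one described above.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: a policy that renames the built-in administrator and
# sets its password. The cpassword value is a placeholder, not a real secret.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2016-06-01 10:22:13" uid="{A1B2C3D4-1111-2222-3333-444455556666}">
    <Properties action="U" newName="svc_backup" fullName="" description=""
        cpassword="ConstructedPlaceholderNotARealSecret==" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

def cpassword_findings(xml_text, path="Groups.xml"):
    """Return one finding per element whose Properties hold a non-empty cpassword."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        props = el.find("Properties")
        if props is None or not props.get("cpassword"):
            continue  # no stored credential on this element
        findings.append({"file": path, "element": el.tag,
                         "userName": props.get("userName", ""),
                         "newName": props.get("newName", ""),
                         "changed": el.get("changed", "")})
    return findings

def audit_sysvol(sysvol_root):
    """Walk a local or mounted SYSVOL tree and collect cpassword findings."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(cpassword_findings(fh.read(), full))
    return findings

if __name__ == "__main__":
    for f in cpassword_findings(SAMPLE_GROUPS_XML):
        print("cpassword stored for", f["userName"], "->", f["newName"], "in", f["file"])
```

Every finding is a policy to remove from SYSVOL, after which the affected account's password should be changed, since the encrypted value has been readable by all domain users since the file was created.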
These recommendations will help prevent theft, but the risk can be minimised only by staying ahead with the help of threat intelligence data and by using specialised solutions for detecting targeted attacks.
Subscribers to the threat intelligence service learned about the tactics and mechanics of the Cobalt attacks in the summer of 2016. Our consultations helped several banks stop the attacks in time, completely clean their networks and block the attackers' access to the ATMs.