Riding along to solve these data breaches

Verizon recently released its annual breach report, which examines some of its cases


Verizon recently released its annual breach report, which examines some of the cases where its RISK Team was called in to hunt down the culprits. The "ride-along edition" of Verizon's report gives a first-person perspective from the company that calls in the heavy hitters to find out why the network has slowed or where a leak is. In all the accounts, the names of the companies have been changed to protect the brands from public ridicule.

The RISK Team performs cybersecurity investigations for hundreds of commercial enterprises and government agencies around the world each year. Over the past three years, they have conducted more than 1,400 engagements for our clients. Here are some of their reports:


It's the cousin

A regional water supplier had an incident that affected some of its small and medium-sized business customers. Customers had recently notified them that their online account details had changed. When customers had their passwords reset and got back into their accounts, many noticed that the registered bank account details had also been changed. This meant that refunds due to customers had been fraudulently diverted to new bank accounts.

The bank accounts allowed the account holders, in Dubai and the Bahamas, to transfer 90% of the receivables as soon as payments arrived in their UK accounts. A third-party call center in Mumbai was responsible for managing the online accounts and handling telephone payments.

It turned out that one user at the call center had accessed all of the accounts that had been fraudulently refunded. The user denied any knowledge of this and suggested that the computer must have been hacked.

An initial review of the user's main computer system revealed so little data that it appeared to have been systematically wiped. The wiping software did not fully clean the volume. Shadow copies of data revealed numerous emails between the call center employee and another individual, later identified to be his cousin in the UK.

When presented with the data retrieved from his home computer, the worker finally confessed to the crime.

Disgruntled employee

Mr. Simpson’s team was being merged with another team and he was unhappy with the new hierarchy. After being informed by a friend in HR about the changes, Mr. Simpson began using his administrative access to take over other accounts. He ultimately attempted to disrupt operations and downloaded confidential files.

The investigation picked up multiple suspicious log entries showing Mr. Simpson logging into the application server a few minutes before the problems began. The logs showed failed superuser account access by Mr. Simpson, followed by a password reset on a service account. Mr. Simpson admitted to using the service account to access multiple email mailboxes and to insert scheduled jobs designed to disrupt his new team's workflow.

Beyond the stolen files was a second listing of scheduled jobs inserted by Mr. Simpson. The jobs were exclusively mass delete commands scheduled to run at critical times over the next year: during tax season, prior to holiday bonuses, and on a few seemingly random dates.
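The two log patterns described above (failed superuser access followed by a service-account password reset, then scheduled jobs that are mass deletes) are easy to hunt for once the events are parsed. The following is an added example, not code from the report; the log layout, host and account names, dates and commands are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report) in a simple
# "timestamp host event user [detail]" layout assumed for this example.
SAMPLE_LOG = """\
2017-03-01T08:02:05 appsrv01 SU_FAILED simpson root
2017-03-01T08:02:31 appsrv01 SU_FAILED simpson root
2017-03-01T08:04:12 appsrv01 PASSWD_RESET simpson svc_batch
2017-03-01T08:06:02 appsrv01 JOB_ADDED svc_batch 2017-04-14T02:00 rm -rf /srv/mail/team-b
2017-03-01T08:06:30 appsrv01 JOB_ADDED svc_batch 2017-12-20T03:00 rm -rf /srv/payroll/bonus
2017-03-01T08:07:00 appsrv01 JOB_ADDED svc_batch 2017-03-02T01:00 /usr/local/bin/rotate-logs
2017-03-01T09:15:00 appsrv01 SU_FAILED jones root
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
DESTRUCTIVE = re.compile(r"\b(rm -rf?|del /s|rmdir /s|format)\b")

def parse(log):
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, host, event, user, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "user": user, "detail": detail or ""})
    return events

def privilege_pivots(events, window_minutes=10):
    """Users whose failed superuser attempts are followed, within the window,
    by a password reset on a *different* account: the pattern the log review
    described. Returns (actor, reset_account, failed_attempt_count)."""
    fails = [e for e in events if e["event"] == "SU_FAILED"]
    findings = []
    for r in (e for e in events if e["event"] == "PASSWD_RESET"):
        recent = [f for f in fails if f["user"] == r["user"] and
                  timedelta(0) <= r["ts"] - f["ts"] <= timedelta(minutes=window_minutes)]
        if recent and r["detail"] != r["user"]:
            findings.append((r["user"], r["detail"], len(recent)))
    return findings

def destructive_jobs(events):
    """Scheduled jobs whose command is a mass delete, with their run date."""
    jobs = []
    for e in events:
        if e["event"] == "JOB_ADDED":
            when, _, cmd = e["detail"].partition(" ")
            if DESTRUCTIVE.search(cmd):
                jobs.append((e["user"], when, cmd))
    return jobs
```

The run dates of any flagged job should be checked against the business calendar, since in this case they were chosen to cause maximum damage.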

In addition, while examining the USB keyboard from which the commands had been issued, investigators found an extension on the plug itself. When pried open, it revealed an off-the-shelf, covert keylogger. The keylogger was designed to capture any input the user provided through the keyboard and send the captured data to a rented Romanian server.

Mobile assault

After a recent trip, the CSO reported "odd behavior" on his smartphone. He had left the device in his hotel room while he used the gym, and had connected to a wireless access point at a coffee shop to save on the cost of a call home. Employees are given "travel" smartphones and laptops, which are wiped and rebuilt after each trip.

Numerous Windows registry changes and scheduled tasks were identified on the laptop, each using a known malware name. Application logs on the smartphone showed that a third-party app had been installed to avoid international long-distance charges by using Wi-Fi and VoIP. Research on the app showed that it was known to be vulnerable to code injection attacks.

The laptop's web cache showed evidence of a drive-by download and injection served from an advertisement on a web page. Malicious Java files in a local directory pointed to an exploit kit that had been found in use in widespread attacks.

It was believed the traveling executive was simply in the wrong place at the wrong time.

USB infection

The company had no idea of the problem brewing with the cleaning service it had contracted. The contracting company had announced pay cuts for all employees, and chose to reveal this information just a few weeks before the holidays. The janitors were secretly approached by a malicious individual who offered them "bonus wages" if they carried a USB flash drive each day and plugged it into nearby systems. The janitors had access to everything and could compromise multiple systems without arousing suspicion.

An administrator noticed an unexpected command shell pop-up window on login. The tasks behind it ran under a local administrative account and did not appear to be tied to any legitimate business activity. Analysis of the logs on the system showed suspicious command-line activity and exploit attempts, followed by unsuccessful cleanup attempts. The director of physical security provided badge access logs, which showed a great deal of access around the times the USB device activity was identified on the systems. The only thing that stood out was that the cleaning staff were doing their cleaning rounds at those times. The janitor was eventually terminated, and the exploitation attempts stopped.

Website defacement

The IT guy at a large media firm received alerts for a number of public-facing client websites showing modifications to their content. The configuration file comparison revealed that only newly deployed applications were affected, with nothing created prior to the most recent code release showing signs of compromise.

In the most recent change, an update to how the installation scripts initialized the environment had been included. This change was designed to allow for additional flexibility in applications, which leveraged custom fields. However, the feature had been enabled by default in all new installations due to a forgotten debugging option left by a developer.

It was found that, if enabled on sites not leveraging custom fields, this option bypassed input validation features and ultimately allowed the threat actors to upload malware. The messages posted to client websites for more than 24 hours were inflammatory and extremely negative. No data had been stolen, and the compromise was quickly handled; following their incident response plan, each client was informed of the website defacement.
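The fault here is a debug switch that defaults to on and, when on, skips validation. The following is an added example, not the media firm's code: a constructed reconstruction of that pattern beside a hardened version in which the switch defaults to off and only adds logging, plus a release-time check for sites still carrying the weak default. Field types, the `uses_custom_fields` and `debug_custom_fields` keys, and the per-site configs are all assumptions.

```python
import re

FIELD_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")
ALLOWED_TYPES = {"text", "number", "date"}

def validate_custom_field(name, ftype, value):
    """The input validation the installer was meant to apply on every site."""
    if not FIELD_NAME.match(name) or ftype not in ALLOWED_TYPES:
        return False
    if ftype == "number":
        return value.replace(".", "", 1).isdigit()
    return len(value) <= 512 and "<" not in value and ">" not in value

# Before: the init script's debug switch defaulted to on and, while on, skipped
# validation for sites that do not use custom fields. This is a constructed
# reconstruction of the fault pattern the story describes, not the firm's code.
def save_field_before(site, name, ftype, value):
    if site.get("debug_custom_fields", True) and not site.get("uses_custom_fields", False):
        return True                   # bypass: any name, type or value is accepted
    return validate_custom_field(name, ftype, value)

# After: the switch defaults to off and only adds logging; validation runs on
# every path, and a site without the feature rejects the submission outright.
def save_field_after(site, name, ftype, value, log=None):
    if site.get("debug_custom_fields", False) and log is not None:
        log.append(f"custom field {name!r} ({ftype}) submitted")
    if not site.get("uses_custom_fields", False):
        return False
    return validate_custom_field(name, ftype, value)

def release_gate(sites):
    """Pre-deployment check: sites where the debug switch is on, or unset and
    therefore on under the old default, so the weak setting never ships again."""
    return sorted(s for s, cfg in sites.items() if cfg.get("debug_custom_fields", True))

SAMPLE_SITES = {                      # constructed per-site configs
    "client-a": {"uses_custom_fields": False},
    "client-b": {"uses_custom_fields": True, "debug_custom_fields": False},
    "client-c": {"uses_custom_fields": False, "debug_custom_fields": True},
}
```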

DDoS attack

The threat actor's objective against the company's software-as-a-service division was to deny clients access to a critical tool for handling their holiday workload. The attack coincided with a new product release date and a large influx of users that was expected for a week. NetFlow graphs showed a 300% increase in samples; top talkers lit up, with most of their traffic aimed at the targeted prefix; and PPP GRE tunnels began bouncing up and down due to oversaturation. As a result, some applications were inaccessible to users.

Review of the collected packets revealed four types of DDoS: an SSDP flood; a SYN flood; a TCP flood using invalid flag combinations; and a UDP flood to non-web ports. The IT team was unable to quickly adjust the publicly advertised border routes. Initially, the routes were added to pass traffic through a scrubbing service prior to being sent to our servers; however, without clear documentation, the engineer making the changes left the existing routes in place. This oversight allowed roughly half of the incoming traffic to bypass the DDoS mitigation provider.

The non-spoofed IP addresses had an open SSDP port (1900) that was publicly accessible from the Internet. Most of these compromised systems were routers running old firmware with Universal Plug and Play (UPnP) enabled. Known hacker groups have been found to use DDoS attacks as a way to advertise their services. The threat actors demanded a fee.
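The four flood types listed above, and the open-SSDP reflectors behind the first of them, can be sorted out of a packet summary with a few rules. The following is an added example, not the report's own tooling: the packet records are constructed from documentation address ranges, and the field layout, web-port list and SYN threshold are assumptions.

```python
from collections import Counter

def pkt(proto, src, sport, dport, flags=""):
    return {"proto": proto, "src": src, "sport": sport, "dport": dport, "flags": flags}

# Constructed packet summaries (not capture data from the report), using
# documentation address ranges; the mix mirrors the four flood types listed.
SAMPLE_PACKETS = [
    pkt("udp", "203.0.113.10", 1900, 54321),       # SSDP reply reflected off an open UPnP router
    pkt("udp", "203.0.113.11", 1900, 54321),
    pkt("tcp", "198.51.100.5", 40001, 443, "S"),   # bare SYNs from many sources
    pkt("tcp", "198.51.100.6", 40002, 443, "S"),
    pkt("tcp", "198.51.100.7", 40003, 443, "SF"),  # SYN+FIN never occurs legitimately
    pkt("tcp", "198.51.100.8", 40004, 80, ""),     # null flags
    pkt("udp", "192.0.2.9", 53210, 31337),         # UDP to a port with no service behind it
    pkt("tcp", "192.0.2.20", 40005, 443, "A"),     # ordinary ACK: not flagged
    pkt("udp", "192.0.2.21", 53210, 443),          # UDP to a web port (e.g. QUIC): not flagged
]

WEB_PORTS = {80, 443, 8080, 8443}
# Flag sets that no legitimate TCP session produces (letters in any order).
INVALID_TCP = {frozenset(f) for f in ("", "SF", "SR", "F", "FPU", "SFRPAU")}

def classify(p):
    """Map one packet summary to a flood family, or None if it looks ordinary."""
    if p["proto"] == "udp":
        if 1900 in (p["sport"], p["dport"]):
            return "ssdp"
        return None if p["dport"] in WEB_PORTS else "udp_nonweb"
    if p["proto"] == "tcp":
        if frozenset(p["flags"]) in INVALID_TCP:
            return "tcp_invalid"
        if p["flags"] == "S":
            return "syn"        # a single SYN is normal; volume makes it a flood
    return None

def summarize(packets, syn_threshold=2):
    """Count each flood family (SYNs only above the threshold) and list the
    SSDP reflectors a defender would block and report to their owners."""
    counts = Counter(c for c in map(classify, packets) if c)
    if counts.get("syn", 0) < syn_threshold:
        counts.pop("syn", None)
    reflectors = sorted({p["src"] for p in packets if classify(p) == "ssdp"})
    return dict(counts), reflectors
```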


Money grubbing

An e-commerce site received calls from customers saying that they would enter their payment details and initially be told the transaction had failed and they needed to try again. On the second attempt, the transaction would complete normally. While this might occasionally happen, the hotline had received more than 100 such calls just that day. The payment processor said there was no sign of excessive failed transactions and that the issue was probably with our e-commerce site.

A review of the process found that the payment request pop-up on the site was missing the company's standard header, footer and logo, and was just a bare-bones payment page. The web developer was in the EU (Czech Republic) and had used the services of a low-cost cloud service provider in India, and the site was hosted on systems in a data center located in Malaysia.

The threat actor had created a fake payment page that was presented to our customers as a means of harvesting their credit card data, after which it would present our legitimate payment page so the transaction could still successfully complete. The fake payment page was coded to upload in real time the harvested credit card data via HTTPS to an external IP address geolocated in Belarus.

Encryption malware

Critical business applications were offline, affecting the organization's daily operations, including customer-facing areas. The IT operations team found changed file names and extensions on network shares across multiple servers, as well as ransom notes residing in the directories. The modified files on the network shares had last been modified by the network administrator's account, which also had domain admin rights.

For some, the solution was a quick fix of just restoring the individual files from the most recent backups in order to return to normal business. As for others, some systems hadn’t been included as part of the backup routine so those files needed to be located from other sources ranging from local copies saved by users, to the reinstallation of applications. Virtual machines were quickly fixed by restoring from a recent snapshot.

Meanwhile, initial findings from the analysis and from talking to the users about the problem showed that the network administrator had opened an email attachment. This attachment contained one of the latest ransomware variants, which exploited an application vulnerability.

The final decision was made not to pay the ransom, as this would have supported the people behind the ransomware.


Gamers

The company suspected that its production network had been hacked and that gamer points were being siphoned from top accounts. The nature of the incident had the CSO very concerned that customers' personal information might have been exposed as well.

The intelligence report contained a number of network-based indicators, all of which pointed to a Poison Ivy infection. All of the identified systems were part of the customer's primary domain. The systems were being accessed through an automated process, which meant the team could quickly push an endpoint agent to all potentially affected systems that supported remote software installation.

It was further determined that the employee assigned to the user account had long since left the company. They were able to identify the former employee's manager and determined that the unknown system was a relic of the aforementioned proof of concept. The server had been set up with a default installation of an open-source project management tool and was eventually forgotten. The server, listening on a publicly facing interface to facilitate remote access, was a soft target that was compromised through simple brute force. Because it was joined to the domain and retained a credentials file on its file system, the threat actor was able to use the server as a foothold to compromise other systems in the environment.

ALSO: Read about two more scenarios | See last year's report.

Copyright © 2017