The security service of Ukraine warns of possible new cyber attacks on the Ukrainian network of institutions and enterprises and asked to respect the recommendations. About it reports press-the SBU center.
“On June 27 of this year, Ukraine suffered a large-scale cyberattack using malicious software identified as computer virus “Petya”. At the analysis of consequences and assumptions of this attack it was found that it was preceded by the collection of data on the enterprises of Ukraine … and their subsequent cover-up in cookies and sent to the command server. The specialists of the SBU believe that this information was the target of the first wave of cyber-attacks and can be used with these initiators as a kiberrazvedki and in order to further destructive actions”, – stated in the message.
As noted, this is evidenced by discovered specialists in the study of cyber attacks Petya Mimikatz utility, which uses the architectural features of the Kerberos service in Microsoft Active Directory to save the hidden privileged access over the resources of the domain. Work of the Kerberos service is based on the exchange and verification of so-called ticket (TGT ticket). In regulations for information security of most institutions and organizations changing the password of the krbtgt user is not provided.
“Thus, the attackers, who as a result of cyber attacks Petya unauthorized received administrative data, there is a possibility of generating conditional indefinite TGT-ticket issued in the ID of the onboard administrator (SID 500). A feature of the TGT ticket is that in terms of disabling the compromised account, Kerberos authentication will be legitimate and be perceived by the system. To load the TGT ticket to the address space of the operating system root privileges are not necessary”, – stated in the message.
SEE ALSO
- Due to virus attacks Petya in Ukraine changed the Tax code
In this regard, and given the fact that the long-term presence in information and telecommunication systems, malicious software, which by its hidden functions can perform preparatory phase for the implementation of the second wave of attack through the interception of the details of access control and security policies in its SBU encourages system administrators to promptly take the following actions in this order:
- to carry out the mandatory replacement of the password of the krbtgt user;
- to carry out the mandatory replacement of passwords to all accounts in the domain controlled by the area of the its;
- to change the password of access to server hardware and the programs that operate in its;
- on identified compromised PCs to carry out the mandatory replacement of all passwords that have been stored in your browser;
- re-change the password of the krbtgt user;
- restart the KDC service”.
“We recommend in the future to avoid storing in its authentication data in clear text (to be used for such purposes, dedicated software)”, – stated in the message security services.
Previously head of the Department of postal and telecommunications Sergey Demediuk said that in Ukraine on Independence Day August 24 is expected to cyber attack.
