A command centre of the "lawful" malware FinFisher is being hosted on Lattelecom's network
Category: cert.lv + Malware

We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest.
A spokesman from Gamma Group, the company producing the trojan allegedly involved with these attacks, promptly responded to the press stating that FinFisher was never sold to Bahrain and that a copy might have been stolen and re-engineered for some unauthorized use. We’re not able to confirm or deny this at the moment.
Following is the list of the IP addresses discovered:
112.78.143.26 (Indonesia)
121.215.253.151 (Australia)
78.100.57.165 (Qatar)
213.55.99.74 (Ethiopia)
94.112.255.116 (Czech Republic)
213.168.28.91 (Estonia)
54.248.2.220 (USA)
202.179.31.227 (Mongolia)
80.95.253.44 (Czech Republic)
81.198.83.44 (Latvia)
86.97.255.50 (Dubai, UAE)
At the time of writing (Aug 8, 2012), only the Latvian server is still successfully responding to our fingerprinting. All the others are instantly dropping the connection in the exact same way, most likely filtering off any payload that doesn’t match a given header. This makes us believe that all those C&Cs might have been updated in front of recent leaks and publications on FinFisher, Bahrain included.
Update #2: Even the ones that were actively responding until yesterday, like Latvia and Bahrain, are now inaccessible. A very odd timing, isn’t it?
Interestingly, for a whole month CERT.LV has been unable or unwilling to take the command centre down.
inetnum: 81.198.83.40 - 81.198.83.47
netname: APOLLO-LTC-CUSTOMER
descr: LTC CUSTOMER
descr: Riga
country: LV
admin-c: LTC777-RIPE
tech-c: LTC777-RIPE
status: ASSIGNED PA
mnt-by: LTK
notify: support@lattelecom.lv
changed: ansis.ailis@lattelecom.lv 20120613
source: RIPE
Incidentally, this is not the LTC-HOME residential customer network.
Sources:
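As an added example (not part of the original post, and not Rapid7's or CERT.LV's tooling), the following Python script treats the IP list above as an indicator set, parses the RIPE inetnum object into its fields, determines which flagged destination falls inside that assignment and which abuse contact ("notify") a report would go to, and runs the check over a few constructed firewall log lines. The log format, the log lines and the internal source addresses are constructed for this example; the whois object is the one shown above (with the "changed" line omitted).

```python
import ipaddress
import re

# Indicator set: the C&C addresses listed in the post (country labels dropped).
FINFISHER_C2_IPS = {
    "112.78.143.26", "121.215.253.151", "78.100.57.165", "213.55.99.74",
    "94.112.255.116", "213.168.28.91", "54.248.2.220", "202.179.31.227",
    "80.95.253.44", "81.198.83.44", "86.97.255.50",
}

# The RIPE object quoted in the post, minus the "changed" line.
RIPE_RECORD = """\
inetnum: 81.198.83.40 - 81.198.83.47
netname: APOLLO-LTC-CUSTOMER
descr: LTC CUSTOMER
descr: Riga
country: LV
admin-c: LTC777-RIPE
tech-c: LTC777-RIPE
status: ASSIGNED PA
mnt-by: LTK
notify: support@lattelecom.lv
source: RIPE
"""

# Constructed log lines in a simple "timestamp src dst dport action" format.
SAMPLE_LOGS = [
    "2012-08-10T14:02:11Z 10.0.5.23 81.198.83.44 443 ALLOW",
    "2012-08-10T14:02:15Z 10.0.5.23 93.184.216.34 443 ALLOW",
    "2012-08-10T14:03:40Z 10.0.7.9 54.248.2.220 443 ALLOW",
    "2012-08-10T14:05:02Z 10.0.5.23 81.198.83.41 80 ALLOW",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_ripe_record(text):
    """Parse the 'key: value' lines of a RIPE whois object into a dict.
    Repeated keys (descr, for instance) are collected into a list, in order."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):  # blank lines and RIPE comments
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def inetnum_range(record):
    """Convert the 'start - end' inetnum field into a list of CIDR networks.
    Accepts both an ASCII hyphen and the en dash that web copies often carry."""
    start, end = re.split(r"\s*[-\u2013]\s*", record["inetnum"][0], maxsplit=1)
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def ip_in_inetnum(ip, record):
    """True if the address lies inside the object's inetnum assignment."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_range(record))


def scan_logs(lines, iocs=FINFISHER_C2_IPS, records=(RIPE_RECORD,)):
    """Return one hit per log line whose destination is a listed C&C address.
    Each hit carries the netname and notify contact of the whois object that
    covers the address, if one of the supplied objects does."""
    parsed = [parse_ripe_record(r) for r in records]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ts, src, dst, dport, action = m.groups()
        if dst not in iocs:
            continue
        owner = next((r for r in parsed if ip_in_inetnum(dst, r)), None)
        hits.append({
            "time": ts, "src": src, "dst": dst, "dport": int(dport),
            "action": action,
            "netname": owner["netname"][0] if owner else None,
            "notify": owner["notify"][0] if owner else None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Only exact matches against the published list are flagged; the neighbouring address 81.198.83.41 sits in the same /29 but is not an indicator, so it is deliberately not reported. The whois lookup is done against an embedded copy of the object so the script runs offline; in practice the object would come from a live RIPE query.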
Rapid7: https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher
2012-08-11 » edgars
Re: A command centre of the "lawful" malware FinFisher is being hosted on Lattelecom's network
11 August 2012 @ 15:06
Personal experience shows that Lattelecom has never paid attention to reports that spammers are operating on their network, or that activity is taking place there that qualifies as a security incident. Greed for every last santīms, or a lack of competent specialists?
11 August 2012 @ 20:58
I'll allow myself to disagree. The Lattelecom forum has a nice discussion group where anyone can drop in a spam e-mail or a comment that came from the Lattelecom network, and it gets neutralised quickly.
http://forums.lattelecom.lv/spameris-ltc-tikla-t3983.html
14 August 2012 @ 16:12
having read the LTK forum post, it doesn't look like anything is actually being resolved :)
14 August 2012 @ 17:38
A nice LTC forum with the standard reply "we will try to neutralise it" and an inability to deal with a single customer. It looks as if, five years on, LTC still hasn't switched on the DHCP server log and cannot tell which customer devices are being allocated which IP addresses. Spam kept pouring out of the LTC network, and it still does…