The Security Service of Ukraine (SBU) warns of a possible cyber-attack on the networks of Ukrainian institutions and enterprises and asks them to follow the recommendations it has prepared, the department's press service reported.
A large-scale cyber-attack hit dozens of companies and enterprises across Ukraine on June 27 through the use of malicious software identified as the Petya.A virus.
Analysis of the consequences established that the cyber-attack was preceded by the harvesting of data about Ukrainian enterprises (e-mails, passwords of accounts used by the enterprises and their workers, access details of command and control servers, hashes of account credentials in the attacked systems, and other confidential information), its concealment in cookie files, and its transmission to a command server.
SBU specialists believe that precisely this data was the aim of the first wave of the cyber-attack and that it can be used by the real initiators for cyber intelligence or further attacks.
This is evidenced by the Mimikatz utility found during the investigation of the cyber-attack. The utility exploits architectural features of the Kerberos service of Microsoft Active Directory to covertly retain privileged access to the domain's resources, allowing attackers to obtain highly privileged authentication data from the system in cleartext. The Kerberos service works by exchanging and verifying so-called access tickets.
The regulations of most institutions and enterprises do not provide for changing the account password in the Kerberos service.
Criminals who obtained administrative data during the Petya.A cyber-attack are therefore also able to generate an access ticket with no expiration date. Such a ticket allows entry into the system that looks legitimate and will not be identified as an attack.
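The point above about the Kerberos service account password never being changed is something a domain administrator can verify directly. The following PowerShell check is an added example written for this article, not code from the SBU advisory; it assumes the ActiveDirectory RSAT module is installed, the caller has read access to the domain, and that the 180-day threshold is a locally chosen policy value.

```powershell
# Added example: report how long the krbtgt account password has been in place.
# Forged tickets remain valid until this password is rotated, so its age is a
# useful defensive indicator. Assumptions: RSAT ActiveDirectory module present,
# read rights on the domain, and a 180-day threshold chosen as a placeholder policy.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([int]$MaxAgeDays = 180)   # threshold is an assumption; align with local policy

    $domain = Get-ADDomain
    # Query the PDC emulator so the value is not skewed by replication lag.
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $domain.PDCEmulator -Properties PasswordLastSet
    $age    = (Get-Date) - $krbtgt.PasswordLastSet

    [pscustomobject]@{
        Domain          = $domain.DNSRoot
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        Stale           = ($age.TotalDays -gt $MaxAgeDays)
    }
}

$result = Get-KrbtgtPasswordAge
$result | Format-List

if ($result.Stale) {
    # The account keeps the previous password in history, so one reset is not
    # enough: rotate twice, waiting at least the maximum ticket lifetime in
    # between so that outstanding legitimate tickets can expire first.
    Write-Warning ("krbtgt password is {0} days old; plan a double reset." -f $result.AgeDays)
}
```

Run it from a domain-joined host as an account with read rights; a Stale value of True means previously issued tickets, including any forged ones, are still accepted by the domain controllers.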