17.10.2022

CHANNEL 31 WAS ATTACKED BY RANSOMWARE

The National Computer Emergency Response Team KZ-CERT (hereinafter KZ-CERT) of JSC “State Technical Service” reports that on October 9 of this year, employees of the private Kazakhstani TV channel “Channel 31” discovered encrypted files with suspicious extensions on their file server.

To neutralize the threat, Channel 31's technical administrators first disabled the network interfaces on the encrypted servers.

The system administrator then noticed traces of malicious software running under the local administrator account, using the programs EgosessNaskek and UBitUnlocker. In addition, RDP (Remote Desktop Protocol) connections from this server to other servers were observed, involving the compromise of local administrator accounts.

The encrypted servers included those associated with the 1C program, the accounting file server, WiFi, the print server, and others. The attackers managed to manually remove the installed antivirus software on all servers.

During the analysis, KZ-CERT employees scanned the encrypted servers. They found that the infected servers, located in the same virtual local area network (VLAN), had a vulnerability associated with authorization. Data backups had not been performed in a timely manner.

KZ-CERT employees are continuing to investigate the incident in order to take organizational and technical measures, and initial recommendations on compliance with information security standards, logging and backup have been given. Images of the servers were taken for further computer forensics.

*For information: recommendations on protection against malware and ransomware attacks are published on the official KZ-CERT website, https://www.cert.gov.kz/news/13/2057, in the section of tips and recommendations for small and medium-sized businesses.
