第22集：微型故事：第一卷

好的。

Okay.

所以有一次在高中，我请了一些朋友来家里。

So this one time in high school, I had some friends over.

实际上，那是一次过夜聚会。

Actually, it was a sleepover.

那天晚上我父母不在家，但我得到了允许可以请朋友留宿。

My parents weren't home that night, but I had permission to have friends stay over.

我们熬夜到很晚，在前院玩耍。

We stayed up late at night, and we were playing outside in the front yard.

前面所有的灯都开着，车库门也敞开着。

We had all the lights on out front, and the garage door was open too.

我们玩累了，进屋拿些零食。

We took a break from playing and came in the house to get some snacks.

我们正坐在客厅里笑着吃薯片，就在这时，一个女人打开我家前门，走了进来。

We're sitting in the living room laughing and eating chips, and just then, a woman opens my front door and walks into my house.

我们都僵住了。

We all freeze.

没人认识这个女人。

Nobody knows this woman.

她看着我们，转过身，走回了外面。

She looks at us, turns around, and walks back outside.

我的朋友们问：‘那是谁？’

My friends ask, who was that?

我也不知道。

I have no idea.

我猛地站起来，从前面的窗户往外看。

I sprang up, peeked out the front window.

外面一个人也没有。

Nobody was there.

我能感觉到自己的心跳加速。

I could feel my heart pumping.

我慢慢打开前门，走了出去。

I slowly opened the front door and went outside.

我走出去时，看见有人从车库门进了我家。

As I got out there, I saw someone going into my house through the garage door.

我追了上去，跟着他们。

I go after them, following them.

等我进屋时，有三个陌生人站在客厅里，盯着我的朋友们。

And by the time I get inside, there are three strangers standing in my living room looking at my friends.

这太诡异了。

It was freaky.

我完全懵了。

I was bewildered.

其中一人转向我说：你一定是阿尔伯特。

One turned to me and said, you must be Albert.

我不是阿尔伯特！我喊道。

I'm not Albert, I shouted.

然后他们说：‘哦，那你一定是埃里克了。’

Then they said, oh, you must be Eric then.

我也不是埃里克。

I'm not Eric either.

这里没有人是阿尔伯特或埃里克。

Nobody here is Albert or Eric.

屋里的陌生人开始恐慌起来。

Panic set in on the strangers in my house.

他们全都彼此对视，眼睛睁得大大的。

They all looked at each other with their eyes widening.

于是我开口了。

I then spoke up.

但隔壁住着一个叫阿尔伯特和一个叫埃里克的人。

But there is an Albert and an Eric that live next door.

他们看了看手里那张纸，又看了看我，立刻开始道歉。

They looked at the piece of paper in their hand and back to me and immediately started apologizing.

我来拜访邻居，但他们没看清楚指示。

I came to visit the neighbors, but they didn't read the directions right.

邻居们告诉他们，门会开着，既然来得这么晚，直接进来就行。

The And neighbors told them they'll just leave the door open, and they should just walk on in since they're arriving so late.

但他们搞错了房子，误闯进了我家。

But then they got the house wrong and walked into my house instead.

我现在可以笑着讲这件事，但当时我吓坏了。

I can laugh about this now, but I was freaked out at the time.

你有没有过这样的错误：看错一个数字，就让你陷入一场后果严重的状况？

You ever make a mistake like this where when you misread one number, it puts you in a situation that has crazy consequences?

这些是来自互联网黑暗面的真实故事。

These are true stories from the dark side of the Internet.

我是杰克·雷西德。

I'm Jack Resider.

欢迎收听《暗网日记》。

This is Darknet Diaries.

这期节目我打算尝试一点不一样的东西。

Gonna try something a little different this episode.

通常我只讲一个长故事，但这次我会讲几个短篇故事。

Usually, I do one long story, but instead, I'm gonna do a few mini stories.

这些是较短的故事，但都很精彩，不容忽视，只是还不够长到能做成一整期节目。

These are shorter stories, which are too good to ignore, but not long enough for a full show.

第一个故事是关于一个叫罗布·富勒的人，他也叫Mubix。

This first story is about a guy named Rob Fuller, who also goes by Mubix.

我喜欢用黑客的绰号来称呼人，所以接下来我会一直叫他Mubix。

And I like using hacker names for people, so I'm gonna call him Mubix for the rest of the story.

我在优步担任高级安全工程师。

I work at Uber as a senior security engineer.

我同时也是HBO剧集《硅谷》的高级技术顾问，以及播客《Hack Five》的主持人Metasploit Bennett。

I'm a senior technical adviser for the HBO show Silicon Valley, as well as the host of the hack five show Metasploit Bennett.

在他从事这些工作之前，他是一名渗透测试员，工作内容是入侵公司以测试其安全性。

Before he did all that, he was a penetration tester, and his job was to hack into companies to test their security.

我们经常为不同的公司进行这些测试。

We were doing these tests pretty regularly for different companies.

他经常来上班，会被给一个网址和一组IP地址，并被告知何时开始扫描以尝试入侵客户的网络。

He'd often come into work, be given a URL and a block of IP addresses, and be told when to begin scanning to try to break into the client's network.

这是一份令人兴奋的工作，但常常会变得重复乏味。

It's exciting work, but it often gets repetitive.

但有一次测试是他永远都会记得的。

But there was one test he'll always remember.

所以这一开始就是一个标准的测试。

So it was just a standard test out of the gate.

甚至可以说是千篇一律。

It was really even cookie cutter even.

我们先进行范围确认通话。

We do the scoping call.

然后获取所有的IP地址。

We get all the IPs.

这次测试涉及一组IP地址。

The test was a bunch of IPs.

这是一家生产小部件的公司，我们需要攻击这家小部件制造商及其源代码。

It it was a company that, let's say, made widgets, and we were supposed to go after the widget maker and the source code for the widget maker.

穆比克斯和他的团队已具备所有必要条件，可以开始任务，尝试访问这家小部件制造商的服务器。

Mubix and his team have everything they need to start the mission, to see if they can gain access to this widget maker server.

于是我们开始扫描并查看网站，发现有点不对劲。

And so we start scanning and look at the website and it's kind of off ish.

拥有这些网站的公司是一家有限责任公司（LLC），而我们之前沟通的公司却是一家股份有限公司（Corporation），代码不同。

Like the company that had these websites was like an LLC and the company that we had talked to was like a corporation, a code.

这有点奇怪，但名字相似，应该没什么大不了的。

And it's like, this is weird, but like it's similar same name, not a big deal.

穆比克斯再次核对了客户给他的测试IP地址，确认这正是客户授权他测试的IP段。

Mubix double checks the IP addresses he was given to test and confirmed this was the same IP block that the client gave him to test on.

于是他和团队继续对网站进行渗透。

So him and his team proceeded to penetrate the website.

首先，他扫描了整个IP范围，寻找各种入口点。

First, he scans the entire IP range and starts looking for various points of entry.

有一个Web服务器、一个邮件服务器，还有更多。

There's a web server, an email server, and more.

但这些网站看起来相当安全。

But those sites look pretty secure.

扫描没有报告任何明显的漏洞。

No obvious vulnerabilities are reported on the scan.

他的团队成员开始深入挖掘不太为人所知的漏洞，试图找到任何可利用的弱点。

The members of his team start digging into lesser known vulnerabilities, trying to find anything that might be exploitable.

考虑到可能无法通过Web漏洞进入，Mubix制定了新计划，开始

Thinking that he may not be able to get in using web vulnerability, Mubix gets a new plan and starts to

设置钓鱼邮件，准备好钓鱼攻击，找出我们可以发送钓鱼邮件的域名，并找到一些用户。

Set up a phish, get our phish ready, find the different domains that we can send a phish to, find a couple of users.

钓鱼邮件是一种设计用来诱骗用户点击他们不该点击的内容的邮件，以便Mubix能够感染他们的设备。

A phish is an email that is designed to trick the user to click on something they shouldn't be clicking so Mubix can infect their machine.

但在他们发送钓鱼邮件之前

But before they send the phish

我们团队中的一名成员在其中一个网页应用中发现了一个远程代码执行漏洞。

One of our guys on the team finds a remote code execution on one of the web apps.

远程代码执行意味着他们可以在该网页服务器上运行命令。

Remote code execution means they can run commands on that web server.

这有时被称为获得一个shell。

This is sometimes called getting a shell.

这是很糟糕的，因为互联网上的任何人都不应该被允许直接在你的网页服务器上执行命令。

This is bad because people on the Internet should never be allowed to execute commands on your web server directly.

从那里，他们可以做很多恶意的事情。

From there, they can do a lot of malicious things.

他发现了一个可以远程运行代码的网页应用。

He found a web application that he could run code, just remotely.

团队在获得此访问权限后欣喜若狂。

The team brims with delight upon getting this access.

是的。

Yeah.

比如，在渗透测试中，你第一次获得shell时，那种感觉真的很棒。

Like, the first shell that you get on a on a pen test is is really, like, an amazing feeling.

太棒了。

It's great.

当然，你会对这家公司感到失望，觉得他们的安全措施不够好，不管是什么原因，这对他们来说确实很糟糕，但你还是会觉得非常兴奋，因为你有这个技能，或者时机正好，最终让你成功获得了shell。

Obviously, you have bad feelings for the company and, like, it sucks that, like, their security wasn't good enough for whatever it was or it's not so great for them, but it's still a great feeling that you had the skill or you had your you had the timing or whatever it was that ended up, with you as Shell.

但我们所有人都非常兴奋。

It's but so we all were really excited.

所以，其他所有事情都被抛到一边了，因为我们已经获得了内部访问权限。

So, like, everything else kind of dropped by the wayside because we had access internally.

我们获得了命令注入，大家都非常激动。

We get command injection, everybody's really excited.

我们觉得太棒了。

We're like, awesome.

所以我们把鱼放了。

So we dumped the fish.

我们不再做鱼了。

We're not going to do the fish anymore.

我们开始研究从那里还能去哪里。

We start looking at where we can go from there.

我们进入公司，启动执行，建立与命令控制服务器的回调。

So we get into the company, get the execution going, get callbacks going to command and control stuff.

比如在上面部署一个meterpreter会话，它会回连。

Like, dump a meterpreter session on there and it calls back.

Meterpreter会话是一种强大的工具，可以远程控制计算机。

A meterpreter session is sort of a super tool that lets you remotely control a computer.

你可以看到哪些应用程序正在运行，从他们的桌面视角看到什么，系统上有哪些文件，还可以开启麦克风、运行编程脚本等等。

You can see what applications are open and what it looks like from their desktop point of view and what files are on the system, you can turn on the microphone and run a programming script and so much more.

这是名为Metasploit的工具的一部分。

This is part of a tool called Metasploit.

然后我们渗透到网络中，发现这个网络简直像瑞士奶酪一样满是漏洞。

Then we pivot into the network and it's a pretty Swiss cheese network.

所以我们发现每台机器上都是同一个管理员账户。

So like we find the same admin on every single box.

Linux机器的密码和Windows机器的密码一模一样。

The Linux boxes have the same password as the Windows box.

这只是一个简单的测试，我们只是到处逛逛、大呼小叫，对这一切进展感到非常高兴。

This is just really a simple test, we're just, you know, hip hipping and hollering, very happy that all this is going on.

此时，他们已经获得了网络中大量系统的访问权限。

At this point, they have gained access to a large number of systems in the network.

他们对大多数Linux和Windows机器拥有管理员权限，并且已经基本绘制出了网络拓扑结构。

They have admin access to most Linux and Windows machines and have mapped out their network pretty well.

他们甚至入侵了邮件服务器，可以阅读所有进出的邮件。

They even gained access to their email server and can read all emails being sent in and out.

我们还没有找到目标，而那个目标就是小部件机器及其代码。

We hadn't found the goal yet, and that that goal was the widget machine and the code for it.

当我们进一步寻找这个小部件机器及其源代码的位置时，发现各个团队似乎都没有关于这个特定小部件名称的信息，而这个名称是该公司为其正在开发的新产品所使用的关键词或代号。

So as we find more detail in trying to figure out where this widget machine is and where the source code for it is and stuff like that, like no one on the different teams seems to have any information on this specific widget name and it's a keyword or a code name this company had for this new product they're building out.

我们在任何地方都找不到它。

And we couldn't find it anywhere.

我们在任何地方都找不到它。

We couldn't find it anywhere.

一周过去了，到了给客户汇报进展的时候。

A week is up, and it's time to call the client to give a progress report.

我们告诉他们：嘿，我们已经入侵进来了。

And we tell them, hey, we broke in.

我们发现了一个简单的网页应用。

We found a, an easy web app.

我们找到了大量管理员权限。

We found a bunch of admin access.

对方说：这很奇怪。

And the guy's like, that's weird.

我们通常根本不会共享管理员权限。

Like, we we don't really normally have admin, like, shared at all.

我们在安全方面做得非常好。

We do some really good security there.

太棒了。

That's awesome.

我非常期待这份报告。

I'm really looking forward to the report.

然后他问到了我们的目标，我们说：是的，我们甚至还没找到任何参与这个小部件项目的人。

And then he asked about our goal and we're like, yeah, we we haven't even found anyone who's on this widget thing.

他说道：嗯，这很好。

And he's like, well, well, that's good.

至少我们在安全方面做得不错，你们根本找不到这些开发人员。

At least we have some, like, security there where where you're not being able to find the developers of those pretty well.

他非常高兴。

He was and he was really happy.

周末过去了。

The weekend passes.

团队在周一重新开始在他们的网络中寻找这个小部件设备。

The team starts again on Monday looking for this widget machine in their network.

我们仍然完全找不到任何与我们正在寻找的这个小部件有关的人或事。

We're still having zero luck at all finding anyone that has anything remotely to do with this widget that we're searching for.

我们甚至找不到任何关于它的提及。

We can't even find mention of it anywhere.

我们几乎可以访问这家公司所有的东西，比如邮件、维基，甚至椅子。

Like, we have access to pretty much everything this company does, like emails, in Wikis, in chairs.

穆比克斯和他的团队整个星期都在公司内部彻底搜寻有关那个目标系统的任何信息，那是一个某种类型的小部件制造商。

Mubix and his team spend the whole week scouring through the entire company looking for any information about that target system they're trying to find, a widget maker of some kind.

但他们什么都没找到。

But they're finding nothing at all.

他们阅读了大量邮件。

They read tons of emails.

他们绘制了整个网络图。

They map the entire network.

他们完全控制了所有重要系统，但仍找不到它。

They took full control of all important systems and still couldn't find it.

因此，在周末时，他们与客户再次通话，汇报最新进展。

So at the end of the week, they get on another call with the client to give another progress report.

我们说，我们已经入侵了所有这些系统。

We're like, we broke into all these things.

我们还是没找到那个小部件。

We couldn't find the widget.

这是那些网站。

Here's the websites.

客户说：这不是我的网站。

And the client's like, that isn't my website.

这些不是我的IP段。

Those aren't my IP ranges.

所以我们说：‘这些不就是你们给我们的吗？’

So we're like, well, those are the ones you gave us.

于是我们迅速核对了一下，客户去查看了他发来的IP范围，然后说：‘天哪，这个IP地址错了一位。’

So we we quickly double check that we're right, and the client goes and looks at the IP range that he sent, and he's like, oh crap, that IP is one off.

我们说：‘好吧。’

And we're like, okay.

现在得找律师和保险公司介入了，我们需要想办法解决这个问题。

Time to get lawyers involved and insurance involved, and we need to figure out how to fix this.

鲁比克斯和他的团队意识到了问题的严重性。

Rubix and his team have realized the severity of what's wrong here.

他们系统而精确地入侵了一家他们没有权限入侵的公司。

They have systematically and precisely broken into a company that they do not have permission to break into.

不仅如此，他们还翻遍了该公司几乎所有的内容，阅读了大量私人信息。

Not only that, they've scoured through almost everything in that company, reading a lot of private information.

这是一个严重的问题。

This is a serious problem.

这比半夜走错房子还要严重。

This is worse than walking into the wrong house late at night.

这更像是特警队搞错了地址，砸开了错误人家的门。

This is more like when the SWAT team gets the address wrong and busts down the door of the wrong house.

不过，Mubix 并没有搞错 IP 地址。

Mubix didn't get the IP address wrong, though.

是他的客户搞错了。

His client did.

他们给了他一个错误的 IP 地址去测试。

They gave him the wrong IP to test against.

嗯。

Uh-huh.

而且这个拼写错误刚刚好指向了另一家公司，那家公司做的事几乎完全一样，这太疯狂了。

And it was just the perfect typo that went to this other company that did almost the exact same thing, which is insane.

这就像是有人拨错了你的电话，但接电话的人跟你同名、上同一所学校、在同一家公司工作，但他并不是你。

It's kind of like if someone misdialed your phone, but the person who picked up had the same name as you and went to the same school as you and worked at the same company as you, but it's not you.

这种事情发生简直不可思议。

Something like this happening is incredible.

当时我们作为客户的那家公司，参与过电话会议等，其IP地址仅比另一家公司差了一个数字，这纯粹是运气或命运的奇怪安排。

It was just a weird stroke of luck or fate, whatever, that the company we were a client of at the time, that had been on the phone calls and stuff was literally one digit in the IP range different than this other company.

而我们闯入的那家公司生产的产品非常相似，名称也几乎一样。

And the company that we'd broken into made very similar stuff with a very similar name.

只是他们不生产那种特定的部件，而我们当时没注意到。

They just didn't make that particular type of widget, and we hadn't noticed.

我们根本没注意到这一点。

We didn't notice it all.

穆比克斯和他的团队越来越担忧。

Mubix and his team were getting increasingly concerned.

办公室里的关注度非常高。

Attention in the office was very high.

简直高得离谱。

Absolutely astronomical.

律师们正在查阅各种网络法律，试图查明即使这是对方的过错，即联系人的过错，我们是否也要为此负责。

Like, the the lawyers were, looking up all kinds cyber law and trying to find if we were on the hook for this even though even though it was their fault, right, the point of contact's fault.

他们几乎整个周末都没怎么睡觉，仔细研究了所有相关的法律、诉讼和先例，并与保险公司沟通，看看我们可能承担多少责任以及这将花费多少。

They combed through, like, probably an entire weekend without getting much sleep of all of the different laws and and how and litigation and and precedence that's out there and trying to and talking to our insurance to see if what kind of liability we're in for and and how much that's gonna cost.

周末过去了。

The weekend passes.

星期一到了，是时候给那个被入侵的公司打电话，告诉他们发生了什么。

Monday comes, and it's time to call the company they broke into and tell them what happened.

律师们为最坏的情况做好了准备。

Lawyers prepare for the worst.

他们预料对方的联系人会把责任推到我们身上，说我们没有核实，或者没有对IP范围进行尽职调查。

They were bracing for the point of contact to point blame at us, That we hadn't verified it or that we hadn't done due diligence on the IP range.

他们的说法在某种程度上是合理的，你知道的。

They they were kinda legitimate, you know, claims.

对吧？

Right?

渗透测试公司本该注意到的。

The the pen test company should have noticed.

我们本该注意到这个IP地址范围不属于同一家公司。

We had we should have noticed that the IP range was not the same company.

但那家公司的名称和他们的业务实在太相似了。

But, like, the company and what they what they did were so the company name and what they did were so similar.

该给客户打电话了。

It's time to call the client.

他们想联系安全主管，但需要找到他的电子邮件和电话号码。

They wanted to speak to the head of security, but they needed to get his email address and phone number.

但他们找到了一个巧妙的方法获取这些信息。

But they found a clever way to get it.

很简单。

Easy.

我们能访问所有东西。

We had access to everything.

我们只是看了他们的全球地址簿，弗兰克特和米格尔，然后找到了那位安全负责人。

We just looked we just looked at their, global address list, Frankette and Miguel, and find the security guy.

由于他们完全控制了对方的活动目录服务器，可以通过全球地址簿内部查询任何人。

Since they had full control of their active directory server, they could look anyone up internally using their global address list.

所以，穆比克斯、他的经理、他的团队以及律师们都参加了电话会议。

So Mubix, his manager, his team, and the lawyers all get on the conference call.

他们打电话给刚刚被入侵的那家公司的安全主管。

They call the head of security of the company they just broke into.

穆比克斯的经理解释说，他们刚刚入侵了这家公司，并获得了所有权限。

Mubix's manager explains that they just broke into the company and gained access to everything.

他开始道歉，我们也全都开始道歉。

He started apologizing, and we all started apologizing.

而另一家公司那位安全人员则说：等等。

And, like, the security gentleman at the at the other company was like, wait.

发生什么事了？

What happened?

这怎么做到的？

How'd that work?

你们入侵了？

You broke in?

太好了。

Great.

我们一直想在这里做一次渗透测试，已经好几年了，但从来没人愿意支持我。

We've been trying to get a pen test here for, like, years, and no one hasn't ever given me enough buy in for it.

我心想：什么？

I'm like, what?

你很高兴？

You're happy?

是啊。

Yeah.

这太棒了。

This is great.

你有报告吗？

Do you have a report?

我们说：当然，这就是报告。

And we're like, yeah, here it is.

这是报告出来了。

Here's the report out.

他说道：太棒了。

He's like, that's amazing.

我们明年还能请你们回来吗？

Can we get you guys back next year?

我当时想：天哪。

And I was like, holy crap.

现在我可以为所有安全问题、那些我多年来一直知道的本地管理员问题争取预算了，可我就是没法解决它们。

It's like, now I can get budget for all the security problems, the the the local admin stuff I've known for years, and I I just can't get rid of it.

简直不敢相信。

And it's like, oh my god.

这本来可能会更糟。

Like, that could have gone so much worse.

律师们都在打电话，简直不敢相信。

That could like, the lawyers were on the phone and they couldn't believe it.

这简直难以置信，他特别高兴。

Like, it was unbelievable, and he was so happy.

到这个时候，已经过去两周了，穆比克甚至还没有开始测试他本应测试的公司。

At this point, two weeks into this, Mubick still hasn't even begun to test the actual company he was supposed to test against.

所以另一家公司非常高兴，因为不会有任何诉讼了——从技术上讲，是他们错在给了我们错误的信息，以至于他们甚至不想再让我们做一次测试。

So the other company was just so happy that there was not gonna be a lawsuit because technically they were at fault for giving us, providing us wrong information, that they didn't even want another test from us.

所以，我的意思是，他们的安全人员是满意的。

So, I mean, they were, the security guy was okay.

他们的律师有点生气，管理层也有点生气。

Their, the lawyers were kind of pissed, and their management were kind of pissed.

我能理解。

And I get it.

我的意思是，他们并不了解技术细节，不知道到底哪里出了问题，以及IP地址范围如此相似是多么巧合。

I mean, don't, they don't know the technical aspects of how, you know, of what went wrong and how serendipitous it was with the IP ranges being so similar.

所以我们没有再把他们当作客户，但我们得到了一个新客户。

So we didn't get them back as client, but we got a new client.

这家新公司后来成为了长期客户，多年来一直接受Mubix和他的团队的定期渗透测试。

This new company they actually tested against remained a client for years and would get regular penetration tests from Mubix and his team.

但几年后，Mubix最终不再从事渗透测试工作了。

But eventually, years later, Mubix moved on from doing pen tests.

我至今仍然经常和那个联系人保持联系，他到现在还在讲这个故事。

And I actually still talk to the point of contact pretty regularly, and he's still telling that story to this day.

很多事情都恰到好处地凑在了一起。

The world aligned in a lot of ways.

第一，那家公司离原公司太近，差点搞砸了我们。

One, to screw us up by having the company so close to the original.

第二，这家新公司完全不打算让我们承担责任，而且态度非常友好。

And two, to make it so that that new company wasn't gonna, you know, make us liable for it and was really totally cool about it.

本集由Vanta赞助。

This episode is sponsored by Vanta.

客户信任可以成就或摧毁你的业务。

Customer trust can make or break your business.

随着你的业务增长，你的安全和合规工具也会变得越来越复杂。

And the more your business grows, the more complex your security and compliance tools get.

这可能会变成混乱，而混乱并不是一种安全策略。

It can turn into chaos, and chaos isn't a security strategy.

这就是Vanta发挥作用的地方。

That's where Vanta comes in.

把Vanta想象成一位全天候的、由AI驱动的安全专家，它会随着你一起成长。

Think of Vanta as your always on AI powered security expert who scales with you.

Vanta自动化合规流程，持续监控你的控制措施，并为你提供合规与风险的单一信息来源。

Vanta automates compliance, continuously monitors your controls, and gives you a single source of truth for compliance and risk.

无论你是像Cursor这样的快速成长型初创公司，还是像Snowflake这样的大型企业，Vanta都能轻松融入你现有的工作流程，让你持续发展一家客户可以信赖的公司。

So whether you're fast growing startup like Cursor or an enterprise like Snowflake, Vanta fits easily into your existing workflows so you can keep growing a company your customers can trust.

请前往 vanta.com/darknet 开始使用。

Get started at vanta.com/darknet.

拼写为 vanta。

That's spelled vanta.

vanta.com/darknet。

Vanta.com/darknet.

本集由 DeleteMe 赞助。

This episode is sponsored by DeleteMe.

在监控和数据泄露日益普遍的今天，DeleteMe 让您能够轻松、快速且安全地删除网上的个人信息。

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

如今，在网上找到关于个人的隐私信息比以往任何时候都更容易。

It's easier than ever to find personal information about people online.

您的地址、电话号码和家人姓名在网络上公开，可能会在现实世界中带来实际后果，使每个人面临风险。

Having your address, phone number, and family members' names hanging out there on the Internet can have actual consequences in the real world and makes everyone vulnerable.

隐私对我来说是一个极其重要的议题。

Privacy is a super important topic to me.

几年前，我注册了DeleteMe，它立即开始在网上搜索我的名字，并向我报告了找到的信息。

So a few years ago, I signed up, and DeleteMe immediately got busy scouring the Internet looking for my name and then gave me reports on what they found.

然后它开始删除那些显示我个人信息的内容，并告诉我删掉了什么。

And then they got busy deleting things showing me what they got rid of.

在隐私方面，有人为我保驾护航真是太好了。

It's great to have someone on my team when it comes to my privacy.

通过注册DeleteMe，掌握你的数据，保护你的私人生活不被泄露。

Take control of your data and keep your private life private by signing up for DeleteMe.

现在，我的听众可以享受特别折扣，注册DeleteMe服务可享20%优惠。

Now with a special discount for my listeners, you can get 20% off your DeleteMe plan.

请前往 join deleteme.com/darknetdiaries 注册，并在结账时使用促销码 d d 20。

You go to join deleteme.com/darknetdiaries and use promo code d d 20 at checkout.

要享受20%折扣，唯一的方法是前往 join deleteme.com/darknetdiaries，并在结账时输入代码 d d 20。

The only way to get 20% off is to go to join deleteme.com/darknetdiaries and enter code d d 20 at checkout.

记住，前往 join deleteme.com/darknetdiaries，输入代码 d d 20。

That's join deleteme.com/darknetdiaries code d d 20.

我们的下一个故事非常奇怪，它让我们的嘉宾和我都感到震惊，也许也会让你震惊。

Our next story is so strange that it stunned our guest and me, and maybe it'll stun you too.

我想，是时候做个介绍了。

I suppose an introduction is in order.

当然。

Sure.

罗伯特·M·李。

Robert m Lee.

我是Gragos的首席执行官兼创始人。

I am the CEO and founder of Gragos.

罗伯特最初在空军服役，曾与许多国家支持的攻击者和高级持续性威胁对抗。

Robert started out in the air force where he faced off against many nation state attackers and advanced persistent threats.

之后，他进入私营部门，从事网络攻击的事件响应工作。

He then moved on to the private sector doing incident response for cyberattacks.

随后，他对工业控制系统产生了兴趣，并创立了自己的公司Dragos，专门防御针对大坝、核设施和水处理厂等工业设施的攻击。

He then took an interest in industrial control systems and started his own company called Dragos to defend against industrial attacks, like attacks against dams and nuclear facilities and water treatment plants.

有一天，他接到一个客户的电话，对方认为自己的系统感染了恶意软件。

And one day, he gets a call from a client who thinks they're infected with malware.

这位客户运营着风力涡轮机，他们开始注意到环境中出现了一些异常行为，于是联系了我们，希望我们协助进行事件响应。

The client operates wind turbines and effectively started noticing some abnormal behavior in their environment and ended up reaching out and calling us to go do an incident response with them.

当我第一次接电话时，我立刻问他们：你们是怎么知道你们遭遇了事件的？

When I first sort of took the call, my question immediately to them was, well, how do you know what are the indications that you have an incident?

你们凭什么确定自己需要进行事件响应？

How do you know that you already need an incident response?

通常情况下，除非情况非常明显，否则一开始总会有一些疑问，比如‘我们怀疑自己被入侵了’。

Usually, there's unless it's entirely obvious, there's questions at first about, Hey, we think we're compromised.

这些客户非常坚持地认为自己确实被入侵了，但每当我问他们一些常规问题，比如‘是否有数据外泄？’、‘涡轮机是否停机了？’，他们却异常冷静地回答：没有，没有，都没有。

These folks were pretty persistent that they were absolutely compromised, but every question I asked them around, hey, is data leaving your environment, or are any of the turbines down, you know, any of the normal things that might come up, they were just very cool headed about it all and said, no, no, no.

一切正常。

Everything's fine.

我们就是知道，我们被入侵了。

We just know we're compromised.

因此，我注意到他们对这次事件采取了一种漫不经心、轻松随意的态度，这让我第一次觉得这可能是个有趣的案例。

And so it struck me the kind of, lackadaisical, sort of laid back attitude they were taking to the incident, which was my first indication this might be an interesting case.

罗伯特接手了这个案件，前往风力发电场。

Robert takes the case and heads to the wind farm.

这并不是一个大型的风力发电场。

This is not a huge wind farm.

我们不是在说。

We're not we're not talking.

你并不是一个大型运营商。

You're you're you're a large operator.

在风能领域，从那些管理公司，到为多家公司提供控制中心和SCADA工作的团队，形形色色；但也有大量这样的小型公司，它们可能只拥有十几台、二十台、五十台发电机组，而且这些机组甚至根本没接入电网。

So in the world of, like, wind energy, you've got everything from those folks that are kinda your management companies to the folks that are maybe doing control centers and SCADA kind of work for multiple companies, but you've got tons of these small little companies that pop up that might have access to a dozen, 20, 50, you know, so when when the generating units, and they're just they're not even really connected to the grid.

它们并不是我们通常所理解的普通电力供应商。

They're not really normal electric providers like we think.

它们绝对不是公用事业公司。

They're definitely not utilities.

对吧？

Right?

他们只是产生少量电力，然后卖给更大的公司，或者由别人帮他们接入电网。

It's just they're just generating a small amount of electricity, and and they sell it off to a larger company or somebody who can get it onto the grid for them.

他环顾了一下风力涡轮机，查看网络状况。

He takes a look around the wind turbines to see what the network looks like.

客户报告说，他们有十几台风力涡轮机感染了恶意软件，每台风机都连接着一台独立的Windows电脑。

The client was reporting that a dozen of their wind turbines were infected with malware, and each of the turbines had their own Windows computer connected to it.

这台电脑会监测风速、发电量、健康状况，并能控制涡轮机的某些部件。

This computer would monitor the wind speed, production output, health checks, and be able to control parts of the turbine.

我们到现场后，就问：嘿，

As we got on-site, we asked, you know, hey.

到底发生了什么？

What all took place?

你们怎么确定一定出了问题？

How do you know for sure that something's wrong?

是什么让你如此冷静，知道那些事件并没有爆发？

What what made you so cool headed about knowing that those events that were not breaking out?

他们说，哦，这其实很简单。

They said, oh, it's it's real simple.

我们的风力涡轮机网络一直在自动打补丁。

Our our wind turbine network has been patching itself.

我们有点被驳回了，心想，好吧。

We were kind of pushed back a little bit, like, okay.

所以它一直在自动打补丁。

So it's been patching itself.

这确实是一种很有趣的行为。

That's definitely an interesting, you know, behavior.

你确定不是IT部门的人在未经运营团队协调的情况下偷偷打补丁吗？

You know, like, well, you sure there's not somebody from IT that's been doing, you know, patching without coordinating with the operations folks?

他们说，哦，不是的。

And said, oh, no.

没有。

No.

没有。

No.

我们咨询了IT部门。

We checked with IT.

这确实是自我补丁更新。

It's definitely just patching itself.

在那时，当然，我们认为这非常有趣。

And so at that point, you know, we we thought it was pretty interesting, of course.

我们去查看了一下，结果发现，在环境中的Windows操作系统确实正在被补丁更新。

We go and take a look, and as it turns out, where there were Windows operating systems in in the environment, they absolutely were being patched.

当我们进一步分析时，很明显系统上存在恶意活动。

And as we looked at it, it was pretty clear that there was malicious activity on the systems.

但并没有造成任何损害。

It wasn't hurting anything.

它并没有造成破坏，但本质上是一种早期的加密货币劫持软件，攻击者利用系统空闲的资源进行各种加密货币挖矿。

It wasn't damaging anything, but it was effectively, you know, early crypto jacking kind of software where they were effectively using the spare resources on the system to be able to do, you know, various cryptocurrency type mining.

如果我没记错的话，这个应该是比特币。

I think this one was actually Bitcoin, if I remember correctly.

入侵这些风力涡轮机计算机的黑客正在利用这些系统挖比特币。

The hackers who got into the computers at these wind turbines were using the systems to mine Bitcoin.

这类黑客的工作方式是，同时控制数十台、数百台甚至数千台他们并不拥有的计算机，为他们一起挖比特币。

The way hackers like this work is they get dozens or hundreds or thousands of computers that they don't own to all mine Bitcoin for them at once.

少数几台计算机这样挖比特币的利润并不高。

A handful of computers mining Bitcoin like this isn't much profit.

但如果成百上千台计算机同时运行，每日利润就会变得相当可观。

But if hundreds or thousands are going all at once, then the daily profit starts to become significant.

本质上，他们通过感染机器植入软件，利用空闲的CPU和显卡算力来赚钱。

Basically, they infect the machines with software that would utilize the spare CPU and graphics power to make money off it.

这些风力涡轮机连接到了互联网，黑客不知怎的就侵入了这些系统，并从中获利。

These wind turbines were connected to the Internet, and the hackers somehow found their way into these systems and were making money from it.

看起来对手一直在跟进补丁，我们对情况的评估是，他们通过更新和维护这些系统，防止其他恶意软件和其他对手入侵，以便在风电场中维持他们的加密货币挖矿农场。

It seemed that the adversary was keeping up with the patches, and our assessment of the situation was they were keeping other malware and other adversaries off those systems, by updating them and maintaining them so that they could have their little, you know, cryptocurrency farm, there across the wind farm.

但最有趣的地方，也是这个事件在事件响应故事中真正特别的地方，并不在于对手利用了Windows系统。

But probably the most interesting thing, what makes it really interesting from an IR story has nothing to do with the fact that adversaries are taking advantage of window systems.

当然。

Sure.

有趣的是这竟然是一个风电场，但真正让人感兴趣的是，我们提出了清理方案：这里是解决方法。

It's interesting that it was a wind farm, But what really got interesting is we made the recommendation, here's how we can clean this up.

所以我们把一切都弄清楚了。

So we we we figured it all out.

这是与网络犯罪相关的某个活动团体。

Here's this, you know, activity group that is related to cybercrime.

我们完全可以帮你解决这个问题。

We can absolutely take care of this for you.

没问题。

No problem.

这不会是什么大问题。

It won't won't be any big deal.

业务领导们回来告诉我们，运营部门提供的数据显示，我们对手的补丁更新周期比我们自己的IT部门更快、更可靠。

And the business leaders had come back to us and said, operations have pulled the data to show that we now have a faster and more reliable patch cycle with the adversaries than our own IT departments.

你看，你不能真的就让对手一直留在那里。

It's like, look, you you can't really just let the adversary stay.

这样做风险很大。

There's a lot of risk in doing that.

你不知道这些连接还可能被用来做什么。

You don't know what else the, you know, the connections to be used for.

所以，当他们最终犯错时，所有的风险都将由你承担。

So, you know, when they eventually make a mistake, it's all that risk is completely on you.

我的意思是，我尽了各种努力去倡导，但不得不承认，业务负责人决定允许这种活动继续存在，只是增加了一些监控措施，因为他们认为对手在全环境中部署补丁很有效。

I mean, I advocated every which way I could, but as much as I hate to admit it, the the business owners decided that they were going to let the activity remain, but just put some additional monitoring in place since they were effective at deploying patches across the environment.

从运营角度来看，我简直震惊了。

And and from an operations perspective, I was stunned.

这些系统本来就不在合同支持范围内。

These are systems that weren't really supported on their contract anyways.

它们也没有那种会因补丁部署而失效的保修条款。

They didn't have, like, warranties that were gonna be voided by kind of the deployment of the patch.

我的意思是，所有通常会阻止这种做法的常规考量，都碰巧遇上了一场完美风暴，让他们对攻击者存在于该环境中感到完全安心。

I mean, all all of the normal considerations that would have pushed against this kind of had met this perfect storm where they were completely comfortable with the adversary for being in that environment.

这真让我震惊。

It was just it was just stunning to me.

从攻击者的角度来看，我猜他们最初是想采取一种低调缓慢的方式，以免被发现或被赶出去。

The adversary's perspective, I imagine they were trying to do a fairly low and slow kind of approach to not be noticed in the first place or not be sort of kicked out in the first place.

所以他们并没有把系统拖慢到影响运营的地步。

So it wasn't like they were bogging down the systems to a point that it was having an impact to the operations.

我的意思是，这些系统确实变慢了，资源利用率也很高，但并没有严重到影响风力涡轮机发电的程度。

I mean, the systems were definitely slower, and the resource utilization was high on them, but it wasn't it wasn't making it where they couldn't produce energy from the wind turbines.

所以，是的，确实如此，我已经无能为力了。

And so, yeah, it was yeah, I was done.