Set up network controls to block connections to its associated domains, such as .nz, mega.io, and mega.nz. Configure EDR tools to detect or prevent its use. If your organization does not have a legitimate business case for MEGA software, consider blocking it. MEGA Log Analysis - Identifying the Attacker's AccountĪn interesting entry appears if you search for "email" or "emails." Though we could not confirm it, the entry appears to reveal the email account that the attacker used to authenticate with MEGA.Įxamining the MEGA logs is a useful for investigating data theft and and extortion incidents. We can identify these failed uploads by searching the logs for "(UPLOAD) finished with error" In our case, many files failed to upload after we severed the system's network connection. Just because a file was queued, does not mean the upload was successful. MEGA Log Analysis - Identifying Failed File Uploads These entries are important because they show the specific systems, folders, and files that the attacker targeted. We believe these events are recorded as the files are queued but are not yet uploaded. We can identify the full file locations by reading the "Async open finished" events. However, this only gives us the filenames, not the full folder path and drives that those files came from. To count the number of uploaded files, pipe the zgrep results to wc and note the first number ( zgrep 'Upload complete' * | wc): MEGA keeps track of the file successfully uploaded and logs the entries as "Upload complete:" We can search for these files using zgrep ( zgrep 'Upload complete' *): MEGA Log Analysis - Identifying Stolen Files log *) or search them as-is using zcat -f and zgrep. You can decompress the logs using gunzip ( gunzip -S. Avenue Louise 54, Room S52, Brussels 1050, Belgium. Join them and protect your data using one of the Internet’s most secure cloud and communication providers. With the exception of the most recent active log file, the older logs are compressed using gzip. Millions of people trust MEGA to store billions of files using our state of the art infrastructure. MEGAsync's logs are stored in a "logs" folder in the same location as the MEGAsync.exe binary. Look for it installed in places like C:\Users\\AppData\Local\MEGAsync\MEGAsync.exe and C:\ProgramData\MEGAsync\MEGAsync.exe. It installs like any other Windows application. Their MEGAsync software works how you would expect it: you point it at folders and shared drives and it uploads those files up to the cloud. MEGA is a legitimate cloud backup service that has become a favorite for RaaS threat groups.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |