2021: Navigating Cybersecurity in an Uncertain World (2021在不确定的世界中驾驭网络安全.docx)
CONTENTS

THE POWER OF SHARING 2
EXECUTIVE SUMMARY 3
THE FUTURE OF RANSOMWARE 5
    Data theft creates a secondary extortion market 5
    Ransoms rise as attacks increase 7
    Days-in-the-life of a ransomware rapid responder 9
EVERYDAY THREATS TO ENTERPRISES - CANARIES IN THE COALMINE 10
    Attacks targeting Windows & Linux servers 10
    Underestimate "commodity" malware at your peril 12
    Delivery mechanisms 14
    Information security: A 20-year retrospective 18
COVID-19 AS A FORCE-MULTIPLIER IN ATTACKS 20
    Home is the new perimeter 20
    Crimeware as a service 21
    Spam, scams, and broken promises 22
    Remote work raises the importance of secure cloud computing 25
    What the CCTC means for a rapid response to large scale threats 27
NOT LETTING YOUR GUARD DOWN: THREATS VIA NONTRADITIONAL PLATFORMS 28
    Android Joker malware growing in volume 28
    Ads & PUAs increasingly indistinguishable from malware 29
    Using your own strengths against you: Criminal abuse of security tools 31
    Digital epidemiology 33

EVERYDAY THREATS TO ENTERPRISES - CANARIES IN THE COAL MINE

Attacks targeting Windows & Linux servers

[Fig. 3: screenshot of a self-extracting (SFX) Zip archive, 10,501,489 bytes unpacked, whose contents include the MyKings installer components alongside DLLs named ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY.]

Fig. 3. One of the more prolific cryptojackers, called MyKings, distributed the components responsible for installing the botnet (highlighted in green) inside a Zip archive along with several of the exploits leaked from the NSA by the Shadow Brokers. Source: SophosLabs.

[Fig. 4: diagram with elements labelled Rootkit, Backdoor, Rebuilt C2 Packet, Sensitive Data, Firewall Rules, Web Traffic, HTTP Request, HTTP Response, Closed ports, C2 Traffic and Exfiltration.]

Fig. 4. A "wolf in sheep's clothing" metaphor illustration of how the Cloud Snooper APT malware concealed its commands and exfiltrated data in the guise of conventional HTTP requests and responses, with the help of a tool that monitored network traffic and rewrote TCP/IP packets in real time. Source: SophosLabs.

Underestimate "commodity" malware at your peril

Dridex and Zloader

Agent Tesla and RATicate, infostealers and RATs

[Fig. 5: bar chart of the number of new RAT samples per month, May to November (November partial), on a scale of 0 to 10K, broken out by family: keylogger, xtrat, xtreme, other, fareit, quasar, remcos, azorult, blackshades, spyrat, spynet, hawkeye, agenttesla, bladabindi, orcus, netwiredrc, limitless, usteal.]

Fig. 5. We run all newly-discovered remote access trojan (RAT) malware samples through our internal sandbox system. This table illustrates how many new, unique samples we encountered over a seven-month period that we later classified to one of the 18 most common RAT families, broken out by the family names. * Partial-month data. Source: SophosLabs.

RATicate

Trickbot's takedown

[Figure: fragment of a Trickbot configuration file, showing "type": "TEXT", "size": 101 and a "controllers" list of "url" entries.]

Trickbot was taken down by a single line of code. Source: SophosLabs.

Delivery mechanisms

RDP, the #1 attack vector for ransomware

[Fig. 7: world map of RDP login attempts per honeypot.]

Fig. 7. We distributed honeypots to datacenters around the world and permitted attackers to try to brute-force their way in. The honeypot machines were discovered "organically," without being advertised in any way. Over the 1-month period of our tests, this map illustrates how many attacks each honeypot location received.
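The honeypot experiment above measures brute-force pressure from the attacker's side; on a production host the same activity shows up as bursts of failed RemoteInteractive logons from one source address. The following is an added example, not code from the report or from SophosLabs, of the detection logic a defender would run over such records. It assumes a simplified, constructed rendering of Windows Event ID 4625 (failed logon) records with fields timestamp, event ID, target username, source address and logon type (10 = RemoteInteractive, i.e. RDP); a real EVTX or SIEM export needs its own parser, but the windowing and tallying are the same.

```python
"""Flag RDP brute-force activity in failed-logon records and tally the usernames tried.

Added example, not from the Sophos report. The input format is a constructed,
simplified rendering of Windows Security Event ID 4625 records:
    timestamp|event_id|target_username|source_ip|logon_type
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (addresses are from documentation ranges).
# 203.0.113.5 hammers the host over ten seconds; 198.51.100.7 is a user mistyping
# a password twice; 192.0.2.9 is a network (type 3) logon, not RDP, so it is ignored.
SAMPLE_LOG = """\
2020-11-05T10:00:01|4625|administrator|203.0.113.5|10
2020-11-05T10:00:02|4625|administrator|203.0.113.5|10
2020-11-05T10:00:03|4625|admin|203.0.113.5|10
2020-11-05T10:00:04|4625|user|203.0.113.5|10
2020-11-05T10:00:05|4625|test|203.0.113.5|10
2020-11-05T10:00:06|4625|ssm-user|203.0.113.5|10
2020-11-05T10:00:07|4625|administrator|203.0.113.5|10
2020-11-05T10:00:08|4625|administrator|203.0.113.5|10
2020-11-05T10:00:09|4625|admin|203.0.113.5|10
2020-11-05T10:00:10|4625|administrator|203.0.113.5|10
2020-11-05T10:15:00|4625|jsmith|198.51.100.7|10
2020-11-05T10:30:00|4625|jsmith|198.51.100.7|10
2020-11-05T10:31:00|4625|administrator|192.0.2.9|3
"""

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10        # RemoteInteractive (Terminal Services / RDP)
THRESHOLD = 8              # assumed: failures from one source within WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Turn the pipe-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user, "ip": ip, "logon_type": int(logon_type)})
    return events


def rdp_failures(events):
    """Keep only failed logons that arrived over RDP."""
    return [e for e in events if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE]


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: details} for every source whose failed RDP logons
    reach `threshold` inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in rdp_failures(events):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"peak_in_window": peak,
                          "usernames": Counter(e["user"] for e in evs)}
    return alerts


def top_usernames(events, n=5):
    """The usernames most often tried over RDP, as in the report's Fig. 8 table."""
    return Counter(e["user"] for e in rdp_failures(events)).most_common(n)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, info in detect_bruteforce(evs).items():
        print(f"ALERT {ip}: {info['peak_in_window']} failed RDP logons within "
              f"{WINDOW}; usernames tried: {dict(info['usernames'])}")
    print("Top usernames in failed RDP logons:", top_usernames(evs))
```

The sliding window is what separates a brute-force burst from a legitimate user who gets a password wrong a few times an hour: only 203.0.113.5 trips the threshold, and the username tally for that source reproduces the pattern the report describes, with "administrator" and "admin" tried most often. The threshold and window are assumed starting points and should be tuned to the host's normal failure rate.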
[Fig. 7 data point: Singapore, 236,490 attempts.]

before the lockdown took effect,

[Fig. 8: table of the top 5 usernames used in all failed login attempts, with their failed login attempt counts: administrator, admin, user, ssm-user, test.]

Fig. 8. Remote Desktop brute-force attempts target the most common Windows usernames, including the default "administrator" account. Source: SophosLabs.

Business Email Compromise and Business Email Spoofing

[Figure: screenshot of an email with subject "Available?", dated 8/25/2020 12:12 PM, addressed to Christopher, with a Reply-To at a Gmail address: "Hello Christopher, I am in a closed-door meeting at the moment, I need you to handle a short task. Reply with your cells. Thanks".]

In this real-world example of a business-email compromise attempt, the fraudster poses as an executive asking an employee to respond to an urgent request. The email has a different Reply-To address (from a Gmail account) than the one in the From: header, a dead giveaway that something is awry - if the target is paying attention to the mail headers. Source: SophosLabs.

[Fig. 10: screenshot of an email with subject "REQUEST", dated 8/20/2020 2:23 AM, addressed to Alasdair: "Hello Alasdair, I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated in order not to ruin the surprise. Are you available to get some purchase done? Regards, Les. Sent from my iPhone".]

Fig. 10. After the target has acknowledged the initial request, the fraudster makes the "ask" - providing a pretext that appears plausible. Source: SophosLabs.
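The tell in the business-email-compromise example above is a header detail: the Reply-To address lives in a different domain (a Gmail account) from the From: address. That check is cheap to automate at the mail gateway or in a mailbox rule. The following is an added example, not code from the report or from SophosLabs; the two messages are constructed and modelled on the report's description, with placeholder names and domains, and the list of public webmail domains is an assumption used to raise the severity of a mismatch.

```python
"""Flag messages whose Reply-To points somewhere other than the From: sender.

Added example, not from the Sophos report. Parses RFC 5322 headers with the
standard library and reports (1) a Reply-To domain that differs from the From
domain and (2) whether that Reply-To domain is public webmail, the pattern in
the report's BEC screenshot.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed list of public webmail domains; extend for your environment.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}

# Constructed sample: the executive's name and company domain are impersonated in
# From:, but replies are steered to a free webmail account via Reply-To.
SUSPECT_MSG = """\
From: "Bryan Executive" <bryan.executive@example-corp.com>
Reply-To: "Bryan Executive" <bryan.executive.ceo@gmail.com>
To: cwilliams@example-corp.com
Subject: Available?
Date: Tue, 25 Aug 2020 12:12:00 -0400

Hello Christopher,
I am in a closed-door meeting at the moment, I need you to handle a short task. Reply with your cell.
Thanks
"""

# Constructed benign message from the same sender, no Reply-To at all.
BENIGN_MSG = """\
From: "Bryan Executive" <bryan.executive@example-corp.com>
To: cwilliams@example-corp.com
Subject: Q3 numbers
Date: Wed, 26 Aug 2020 09:05:00 -0400

Chris, can you send over the Q3 deck when you have a minute?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a dict describing the From/Reply-To relationship and any findings."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    findings = []
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
        if reply_dom in PUBLIC_WEBMAIL:
            findings.append(f"Reply-To domain '{reply_dom}' is public webmail")
    return {"from": from_addr, "reply_to": reply_addr,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        result = analyse(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("  -", f)
```

A mismatched Reply-To is legitimate in some workflows (ticketing systems, mailing lists), so treat the result as a signal to warn the recipient or quarantine for review rather than to block outright; the webmail refinement is what turns a weak signal into the specific pattern the report describes.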
[Fig. 11: screenshot of a follow-up email with subject "RE: Expense", dated 9/16/2020, in which the "executive" asks the target to buy five Steam wallet gift cards of $100 face value each (amounting to $500) at a local store to surprise some of the staff, to keep the cards and receipts for reimbursement, to scratch off the back of each card and scan or photograph it showing the PIN, and to email the pictures, ending "Can you get on this right away? Thanks."]

Fig. 11. At some point during the attack, the BEC scammer will make a request that flies in the face of common sense, like a request to make a sudden, large wire transfer to an account unfamiliar to the scam's target. This provides another opportunity for a wary staffer to question the nature of the request: Why would the executive need a photograph of the back of a gift card with the PIN scratched off when they're going to be handed out as gifts? Source: SophosLabs.

Weird science: retro Office glitch strikes again

SOPHOS 2021 THREAT REPORT

Information security: A 20-year retrospective

While an annual report gives us an opportunity to look back at significant events of the past year, we thought a look further back - at the past two decades - would provide context for how we arrived in our current threat landscape. The turn of the millennium marked a milestone, when information security became a professional discipline and a bona fide industry. This timeline of threats and events represents significant, representative moments in the evolution of threat behavior.

As both enterprises and individuals adopted the internet for both business and entertainment, large networks were ripe targets for the emergence of prolific worms - self-propagating malware.
Cumulatively, worms infected tens of millions of systems worldwide and cost over $100 billion in damages and remediation costs.

[Fig. 12: timeline graphic of three eras. 2000-2004, The Worm Era: ILOVEYOU (2000), CodeRed (July 2001), CodeRed II (August 2001), Nimda (September 2001), SQL Slammer (January 2003), Blaster, Welchia and Sobig (August 2003), Sober (October 2003), Bagle and MyDoom (January 2004), Netsky (February 2004), Sasser (April 2004). 2005-2012, The Malware Monetization Era: Rx Spam (2006), Storm and Zeus (2007), Conficker (2008), Stuxnet (2009), Blackhole exploit kit (2010), Malvertising (2011). 2013-Present, The Ransomware Era: Snowden leaks and CryptoLocker (2013), Point-of-sale (POS) malware (2014), Mirai (2016), WannaCry (May 2017), NotPetya (June 2017), Magecart attacks (2018), Extortion ransomware (2019), APT tactics by threat actors (2020).]

Fig. 12. Source: Sophos

November 2020

2000-2004 - The Worm era

2000 - ILOVEYOU
The ILOVEYOU worm used a social engineering trick that persists even today: It arrived as a spam email attachment, eventually infecting about 10% of all internet-connected Windows computers.

July 2001 - CodeRed
Named after the flavor of Mountain Dew its discoverers were drinking at the time, CodeRed used a buffer overflow vulnerability in IIS to spread itself and deface websites. It was followed a month later by an upgraded version that installed a backdoor on networked computers.

August 2001 - CodeRed II

September 2001 - Nimda

January 2003 - SQL Slammer
At only 376 bytes, Slammer exploited a buffer overflow in Microsoft database applications. Doubling its infections every 8.5 seconds, Slammer took down large swaths of the internet in only 15 minutes.

August 2003 - Blaster
Blaster was created by reverse engineering a Microsoft patch a couple of months ahead of the first Patch Tuesday. It exploited a buffer overflow vulnerability in the RPC service of Windows XP and 2000 systems and launched a DDoS attack against windowsupdate if the day of the month was greater than 15, or the month was September or later.

August 2003 - Welchia

August 2003 - Sobig

October 2003 - Sober

January 2004 - Bagle

January 2004 - MyDoom
It is estimated that 25% of all emails sent in 2004 originated with the MyDoom worm, which prolifically emailed itself to new victims and engaged in a distributed denial-of-service (DDoS) attack.

February 2004 - Netsky

April 2004 - Sasser

2005-2012 - The Malware Monetization era

Until around 2005, malware incidents could be chalked up to curiosity or disruption. From then on, botnet malware, designed for stealth and profit, dominated. This era also saw the start of so-called pharmacy spam. Exploits against software vulnerabilities became key components of malware, which enabled malvertising. Wherever there was the potential for financial gain, cybercriminals exploited those opportunities.

2006 - Rx Spam
What had been a mere annoyance (or a way to propagate worms) became a lucrative business selling mostly counterfeit prescription medicines advertised through spam. It's estimated that pharma spammers made billions of dollars selling medicines most people could get just by going to their doctors.

2007 - Storm

2007 - Zeus

2008 - Conficker
Conficker rapidly infected millions of computers worldwide but did not result in much damage. We still don't know the worm's true purpose, but thousands of hosts remain infected to this day, and Conficker scan traffic routinely is detected as part of the internet's "background radiation."

2009 - Stuxnet
Stuxnet was one of the first digital weapons to target a physical system: nuclear refinement centrifuges used by Iran to enrich uranium.
Stuxnet's enduring legacy is that it permanently opened the door to nation-states' use of malware as a tool of war.

2010 - Blackhole exploit kit
Exploit kits - toolkits targeting software vulnerabilities - bound different parts of the cybercrime ecosystem together. Crimeware-as-a-Service was born when the creators of the Blackhole Exploit Kit began offering their services.

2011 - Malvertising

2013-Present - The Ransomware era

Ransomware has had the most profound impact on this era. While worms, banking trojans, malvertising and spam persist, nothing has come close to rivaling ransomware's destructive force. Damage estimates from ransomware attacks over the past seven years are in the trillions of dollars. Ransomware is also most likely the first form of malware linked to a human death. Moreover, many of today's threats ultimately deliver ransomware and, like exploit kits, it has provided a nitro-fueled boost to an already thriving cybercrime ecosystem.

2013 - Snowden leaks

2013 - CryptoLocker
During its short existence, CryptoLocker provided future criminals with a winning formula by mating two existing technologies: encryption and cryptocurrencies. The threat landscape was forever changed by CryptoLocker and its aftershocks are still being felt today. Three months after launch, the bitcoin wallet used by CryptoLocker contained nearly $30 million.

2014 - Point-of-sale (POS) malware

2016 - Mirai

May 2017 - WannaCry
WannaCry, the most widespread ransomware-worm hybrid seen, demonstrated (again) how a lapse in patching can have dire consequences. It relied on exploits stolen from the NSA and publicly released by The Shadow Brokers. The attacks forced Microsoft to release out-of-band updates for unsupported products.

June 2017 - NotPetya
NotPetya crippled some of the world's largest shipping and logistics companies, reportedly causing over $10 billion in damages. Some of the affected companies have yet to fully recover.

2018 - Magecart attacks

2019 - Extortion ransomware
In an attack against the city of Johannesburg, South Africa, the criminals behind Maze ransomware pioneered the use of extortion. They not only encrypted and stole data, but also threatened to publish the stolen data if companies didn't pay. This tactic has been copied by many other ransomware crews as a hedge against the targets having good backups.

2020 - APT tactics by threat actors
The adoption of nation-state tools and tactics, which began in the past couple of years, went mainstream in 2020. Professional cybercrime gangs use sophisticated tools like Cobalt Strike to devastating effect, while some groups (Dharma) are baking it into point-and-shoot toolkits for novices to use.

THE POWER OF SHARING

Joe Levy, CTO, Sophos

"If you want to go quickly, go alone, but if you want to go far, go together."

This African proverb couldn't ring truer for the cybersecurity industry. By working collectively, with a strong sense of teamwork, we can achieve far more than fighting cybercrime as individual vendors.

But, only by improving our approach and sharing threat intelligence more comprehensively, and by expanding the pool of participants who contribute to (and benefit from) this sharing and collaboration, will cybersecurity vendors continue to drive up costs for attackers, and make lasting, impactful change.

In the spirit of that approach to working together, in 2017 Sophos joined the Cyber Threat Alliance, an organization dedicated to breaking down the barriers that, for years, stymied any chance for competitors in the information security industry to collaborate with one another. The CTA has succeeded far beyond its initial mandate to serve as a repository of shared threat intelligence and a place to resolve differences, and has become a