2021在不确定的世界中驾驭网络安全.docx

《2021在不确定的世界中驾驭网络安全.docx》由会员分享，可在线阅读，更多相关《2021在不确定的世界中驾驭网络安全.docx（39页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、CONTENTSTHE POWER OF SHARING2EXECUTIVE SUMMARY3THE FUTURE OF RANSOMWARE5Data theft creates a secondary extortion market5Ransoms rise as attacks increase7Days-in-the-life of a ransomware rapid responder9EVERYDAY THREATS TO ENTERPRISES - CANARIES IN THE COALMINE10Attacks targeting Windows & Linux serv

2、ers10Underestimate “commodity” malware at your peril12Delivery mechanisms14Information security: A 20-year retrospective18COVID-19 AS A FORCE-MULTIPLIER IN ATTACKS20Home is the new perimeter20Crimeware as a service21Spam, scams, and broken promises22Remote work raises the importance of secure cloud

3、computing25What the CCTC means for a rapid response to large scale threats27NOT LETTING YOUR GUARD DOWN: THREATS VIA NONTRADITIONAL PLATFORMS28Android Joker malware growing in volume28Ads & PUAs increasingly indistinguishable from malware29Using your own strengths against you: Criminal abuse of secu

4、rity tools31Digital epidemiology33EVERYDAY THREATS TO ENTERPRISES - CANARIES IN THE COAL MINEAttacks targeting Windows & Linux servers* - SFX ZIP volume unpacked 10,501,489 bytesU n$a.zipna dll- ETERNALBIUEETERNAlCHAMPlOh* ETERNAIROMANC6.RERNALSYNERGY上Idllj. ETERNALBIUE ETERNALCHAMPION HERNAIROMANCE

5、 ETERNALSYNERGYPath=c:windows Sxlent=l Overwrite=liDjpdaSRlIdownShets, m.exe To cwilhamst- -w- - i .QOther Actions Hello Christopher,I am in a closed-Door meeting at the moment,I need you to handle a short task. Reply with your cells.Thankssophos labsIn this real-world example of a business-email co

6、mpromise attempt, the fraudster poses as an executive asking an employee to respond to an urgent request. The email has a different Reply-To address (from a Gmail account) than the one in the From: header, a dead giveaway that something is awry - if the target is paying attention to the mail headers

7、. Source: SophosLabs.From les, 一 下，Reply Reply All ForwardSubject REQUEST8/20/2020 2:23 AMTo alasdairOther Actions -Hello Alasdair,I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated in order not to ruin the surprise. Are you available to get

8、 some purchase done?RegardsLesSent from my iPhonesophos labsFig. 10. After the target has acknowledged the initial request, the fraudster makes the “ask - providing a pretext that appears plausible. Source: SophosLabs.From-ul： e：- RE：Expense To Reply Reply All ，Forward 9/16/2020 8JOAM Other Actions

9、I need you to make a purchase. I am looking you to keep it between us till they get it. need 5 pieces of it amounting to $S00. Keep for reimbursement.to surprise some of the staff with gift cards today. I want I need Steam wallet gift card of $100 face value each, i each cards and receipt carefully

10、so you can expense themGet the physical card at a local store then attach the scanned pictures showing the pinyou scratch the back out and scan them or take pictures and and email it to me.Can you get on this right away?Thanks.sophos labsFig.11. At some point during the attack, the BEC scammer will

11、make a request that flies in the face of common sense, like a request to make a sudden, large wire transfer to an account unfamiliar to the scams target. This provides another opportunity for a wary staffer to question the nature of the request: Why would the executive need a photograph of the back

12、of a gift card with the PIN scratched off when they*re going to be handed out as gifts? Source: SophosLabs.Weird science: retro Office glitch strikes againSOPHOS 2021 THREAT REPORTInformation security: A 20-year retrospectiveWhile an annual report gives us an opportunity to look back at significant

13、events of the past year, we thought a look further back - at the past two decades - would provide context for how we arrived in our current threat landscape. The turn of the millennium marked a milestone, when information security became a professional discipline and a bona fide industry. This timel

14、ine of threats and events represent significant, representative moments in the evolution of threat behavior.As both enterprises and individuals adopted the internet for both business and entertainment, large networks were ripe targets for the emergence of prolific worms - self-propagating malware. C

15、umulatively, worms infected tens of millions of systems worldwide and cost over $100 billion in damages and remediation costs.2000-2004The Worm Era2000ILOVEYOU2000ILOVEYOUJuly2001CodeRedJanuary2003SQLSlammerJanuary2004BagleAugustAugustJanuary200120032004CodeRed IIBlasterMyDoomAugust2003SobigApril200

16、4SasserSeptemberAugustFebruary200120032004NimdaWelchiaNetsky2013CryptoLockerOctober2003Sober2005-2012The Malware Monetization Era20062007200820092010Blackhole exploit kit2011Rx SpamStormConfickerStuxnetMalvertising2013-PresentThe Ransomware Era2013Snowden leaks2014Point-of-sale (POS) malware2016Mira

17、iMay 2017 WannaCry2018Magecart attacks2019Extortion ransomware2020APT tactics by threat actors2007ZeusJune 2017 NotPetyaSOPHOSFig.12. Source: Sophos1818November 2020SOPHOS 2021 THREAT REPORT2000-2004 - The Worm era2000-I LOVE YOUThe ILOVEYOU worm used a social engineering trick that persists even to

18、day: It arrived as a spam email attachment, eventually infecting about 10% of all internet-connected Windows computers.July 2001 - CodeRedNamed after the flavor of Mountain Dew its discoverers were drinking at the time, CodeRed used a buffer overflow vulnerability in IIS to spread itself and deface

19、websites. It was followed a month later by an upgraded version that installed a backdoor on networked computers.August 2001 - CodeRed IISeptember 2001 - NimdaJanuary 2003 - SQL SlammerAt only 376 bytes, Slammer exploited a buffer overflow in Microsoft database applications. Doubling its infections e

20、very 8.5 seconds, Slammer took down large swaths of the internet in only 15 minutes.August 2003 - BlasterBlaster was created by reverse engineering a Microsoft patch a couple months ahead of the first Patch Tuesday. It exploited a buffer overflow vulnerability in the RPC service of Windows XP and 20

21、00 systems and launched a DDoS attack against windowsupdate if the day of the month was greater than 15, or the month was September or later.August 2003 WelchiaAugust 2003 - SobigOctober 2003 - SoberJanuary 2004 - BagleJanuary 2004 - MyDoomIt is estimated that 25% of all emails sent in 2004 originat

22、ed with the MyDoom worm, which prolifically emailed itself to new victims and engaged in a denial-of-service (DDoS) attack.February 2004 - NetskyApril 2004 - Sasser2005-2012 - The Malware Monetization eraUntil around 2005, malware incidents could be chalked up to curiosity or disruption. Botnet malw

23、are, designed for stealth and profit, dominated. This era also saw the start of so-called pharmacy spam. Exploits against software vulnerabilities became key components of malware, which enabled malvertising. Wherever there was the potential for financial gain, cybercriminals exploited those opportu

24、nities.2006 - Rx SpamWhat had been a mere annoyance (or a way to propagate worms), became a lucrative business selling mostly counterfeit prescription medicines advertised through spam. Its estimated that pharma spammers made billions of dollars selling medicines most people could get just by going

25、to their doctors.2007 - Storm2007 - Zeus2008 - ConfickerConficker rapidly infected millions of computers worldwide but did not result in much damage. We still dont know the worms true purpose, but thousands of hosts remain infected to this day, and Conficker scan traffic routinely is detected as par

26、t of the internets background radiation.2009 - StuxnetStuxnet was one of the first digital weapons to target a physical system: Nuclear refinement centrifuges used by Iran to enrich uranium. Stuxnets enduring legacy is that it permanently opened the door to nation-states use of malware as a tool of

27、war.2010 - Blackhole exploit kitExploit kits - toolkits targeting software vulnerabilities - bound different parts of the cybercrime ecosystem together. Crimeware- as-a-Service was born when the creators of the Blackhole Exploit Kit began offering their services.2011 - Malvertising2013-Present - The

28、 Ransomware eraRansomware has had the most profound impact on this era. While worms, banking trojans, malvertising and spam persist, nothing has come close to rivaling ransomwares destructive force. Damage estimates from ransomware attacks over the past seven years are in the trillions of dollars. R

29、ansomware is also most likely the first form of malware linked to a human death. Moreover, many of todays threats ultimately deliver ransomware and, like exploit kits, it has provided a nitro-fueled boost to an already thriving cybercrime ecosystem.2013 - Snowden leaks2013 - CryptoLockerDuring its s

30、hort existence, CryptoLocker provided future criminals with a winning formula by mating two existing technologies: encryption and cryptocurrencies. The threat landscape was forever changed by CryptoLocker and its aftershocks are still being felt today. Three months after launch, the bitcoin wallet u

31、sed by CryptoLocker contained nearly $30 million.2014 - Point-of-sale (POS) malware2016-MiraiMay 2017 - WannaCryWannaCry, the most widespread ransomware-worm hybrid seen, demonstrated (again) how a lapse in patching can have dire consequences. It relied on exploits stolen from the NSA and publicly r

32、eleased by The Shadow Brokers. The attacks forced Microsoft to release out-of-band updates for unsupported products.June 2017 - Not PetyaNotPetya crippled some of the worlds largest shipping and logistics companies, reportedly causing over $10 billion in damages. Some of the affected companies have

33、yet to fully recover.2018 - Magecart attacks2019 - Extortion ransomwareIn an attack against the city of Johannesburg, South Africa, the criminals behind Maze ransomware pioneered the use of extortion. They not only encrypted and stole data, but also threatened to publish the stolen data if companies

34、 didnt pay. This tactic has been copied by many other ransomware crews as a hedge against the targets having good backups.2020 - APT tactics by threat actorsThe adoption of nation-state tools and tactics, which began in the past couple of years, went mainstream in 2020. Professional cybercrime gangs

35、 use sophisticated tools like Cobalt Strike to devastating effect, while some groups (Dharma) are baking it into point and shoot toolkits for novices to use.19November 2020THE POWER OF SHARINGJoe Levy, CTO, SophosuIf you want to go quickly, go alone, but if you want to go far, go together JThis Afri

36、can proverb couldnt ring truer for the cybersecurity industry. By working collectively, with a strong sense of teamwork, we can achieve far more than fighting cybercrime as individual vendors.But, only by improving our approach and sharing threat intelligence more comprehensively, and by expanding t

37、he pool of participants who contribute to (and benefit from) this sharing and collaboration, will cybersecurity vendors continue to drive up costs for attackers, and make lasting, impactful change.In the spirit of that approach to working together, in 2017 Sophos joined the Cyber Threat Alliance, an

38、 organization dedicated to breaking down the barriers that, for years, stymied any chance for competitors in the information security industry to collaborate with one another. The CTA has succeeded far beyond its initial mandate to serve as a repository of shared threat intelligence and a place to resolve differences, and has become a