
2020 SonicWall Cyber Threat Report - SONICWALL (38 pages, English edition).pdf

Document ID: 19404 | PDF | 38 pages | 2.38 MB


2020 SONICWALL CYBER THREAT REPORT

Contents
A NOTE FROM BILL
CYBERCRIMINAL INC.
2019 GLOBAL CYBERATTACK TRENDS
INSIDE THE SONICWALL CAPTURE LABS THREAT NETWORK
KEY FINDINGS FROM 2019
SECURITY ADVANCES
CRIMINAL ADVANCES
FASTER IDENTIFICATION OF NEVER-BEFORE-SEEN MALWARE
TOP 10 CVES EXPLOITED IN 2019
ADVANCEMENTS IN DEEP MEMORY INSPECTION
MOMENTUM OF PERIMETER-LESS SECURITY
PHISHING DOWN FOR THIRD STRAIGHT YEAR
CRYPTOJACKING CRUMBLES
RANSOMWARE TARGETS STATE, PROVINCIAL & LOCAL GOVERNMENTS

[...] malicious Office files were then leveraged later in the year.

ADVANCEMENTS IN DEEP MEMORY INSPECTION

Tracking the evolution of malware strains

The collective power of Capture ATP and RTDMI also helps SonicWall Capture Labs threat researchers track the evolution of malware variants even when authors obfuscate their payloads, such as using scripts inside of archives. In this example, SonicWall tracked the evolution of GandCrab as it spread in the wild. The authors of the GandCrab ransomware eventually announced they were shuttering the project in June 2019 after a "successful" 16-month run.

GANDCRAB RANSOMWARE V5.X TIMELINE
1-Jan-19   v5.0.4
17-Jan-19  v5.1
28-Jan-19  v5.1
24-Feb-19  v5.1
10-Mar-19  v5.2
11-Mar-19  v5.2
12-Mar-19  v5.2
7-Apr-19   v5.2
30-May-19  v5.2

The timeline above highlights changes SonicWall observed to GandCrab Version 5 in 2019, including alterations to payloads, malicious URLs, etc., even if the version number remained the same (i.e., Version 5.2 could have different download URLs). In this snapshot, SonicWall identified and logged different versions of GandCrab through the first half of the year, but didn't record any attacks after May 2019 as the malware authors terminated the illegal affiliate program.

Side-channel attacks continue to be ripe for security research

In November 2019, four researchers from three universities, Worcester Polytechnic Institute (U.S.), University of Lübeck (Germany) and the University of California (U.S.), published new findings that side-channel timing and lattice attacks could be executed against Trusted Platform Module (TPM) chips, specifically Intel fTPM and STMicroelectronics TPM chips. Dubbed TPM-FAIL, this group of vulnerabilities is the next variation of side-channel attacks following Meltdown/Spectre, Foreshadow, PortSmash, MDS, etc. The details of the TPM-FAIL vulnerabilities are outlined in CVE-2019-11090.

The latest attacks on the TPM chip show an evolution of side-channel attacks. Unlike the first-generation side-channel threats that would result in damage to the "immediate" target (i.e., the targeted data centers, cloud providers, etc.), TPM-FAIL could impact unpatched devices "down the line," everything from security appliances to end-user laptops. This exploit could be leveraged to forge digital signatures. If an operating system or application uses the TPM to issue digital signatures, the private signing key used for signature generation can be compromised. With compromised signing keys, forged signatures can help criminals bypass authentication protocols, tamper with operating systems, sign malicious software, etc.

SonicWall stands by its position that while these types of side-channel attacks have yet to be publicly weaponized, they continue to present a significant potential threat to organizations, such as cloud providers and hosting companies, running virtualized or multi-tenant environments that allow execution of arbitrary payloads. SonicWall continues to test and refine detection techniques in preparation for when side-channel attacks evolve from theoretical to practical. SonicWall has confirmed that Capture Advanced Threat Protection (ATP) sandbox customers are protected from certain TPM-FAIL side-channel attacks via the solution's patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technology.

Vulnerability                     | Publicly announced | RTDMI detection confirmed
Meltdown                          | 1/3/2018           | 1/30/2018
Spectre                           | 1/3/2018           | 6/13/2018
Foreshadow                        | 8/14/2018          | 8/15/2018
PortSmash                         | 11/2/2018          | 11/15/2018
Spoiler                           | 3/5/2019           | 3/5/2019
MDS (ZombieLoad, RIDL, Fallout)   | 5/14/2019          | 5/15/2019
TPM-FAIL (CVE-2019-11090)         | 11/12/2019         | 1/7/2020

MOMENTUM OF PERIMETER-LESS SECURITY

For decades, protecting networks was entirely focused on defining perimeters and setting up defense layers to keep threats out. And for years, this approach served businesses well, with finite exposure points and attack vectors that were guarded with some investment and adherence to established best practices and frameworks.

Today, it's a different story. The boundaries of organizations' networks are borderless and expanding to limitless endpoints. Simultaneously, the threat landscape is becoming increasingly evasive. These evolving and persistent cyberattacks create boundless points of exposure for organizations.

But new momentum toward perimeter-less architecture is helping redefine the future of cybersecurity: a safer future not restrained by undefendable perimeters. Much of this new thinking was first based on a zero-trust security model, which requires organizations to verify and authenticate any device, user or application, regardless of whether it is inside or outside the network perimeter. From there, organizations could segment data across different trust zones and further vet access depending on the sensitivity of the data. But more guidance was needed to bring this theory into reality.

Introduction of SASE

The cybersecurity and network security solution spaces are highly segmented, with an endless number of offerings and vendors. This creates a massive headache for organizations trying to smoothly integrate these solutions into their network environment. Instead, the entire cybersecurity space needs to converge to provide a more holistic cybersecurity approach. This is where secure access service edge (SASE), a new network security model coined by Gartner in 2019, comes into play. SASE may help shape how organizations secure their networks and data in the coming years. SASE platforms combine software- and service-based networks, which will provide a unification of different security solutions.

"With an endless field of exposure points, the traditional network security model is outdated. With the adoption of many different cloud services, we need a more holistic approach," said Sagi Gidali, co-founder of Perimeter 81, a SonicWall technology partner. "Designing a new way forward, a future without network perimeters, was the only way to properly manage and mitigate tomorrow's most innovative cyberattacks."

A modern SASE platform will empower organizations to simply connect to a single platform for access to a secure network while gaining access to physical and cloud resources, regardless of their location. Some of these new solutions have a range of overlapping benefits, so the naming conventions do vary: zero-trust network access, secure network as a service, firewall as a service, secure SD-WAN as a service and so on.

The new perimeter-less security movement could also replace the need for traditional virtual private networks (VPN) that so many employees have (begrudgingly) learned to adopt. Unlike hardware-based legacy VPN and firewall technology, the more advanced and secure zero-trust network as a service offerings use the software-defined perimeter (SDP) model to offer greater network visibility, seamless onboarding and full compatibility with all major cloud providers.

PHISHING DOWN FOR THIRD STRAIGHT YEAR

Mirroring how malware is being leveraged, cybercriminals are being more targeted with phishing than ever before, too. So much so, SonicWall Capture Labs threat researchers recorded a 42% decline in overall phishing volume, the third straight year the attack vector declined. Also like malware, volume is only part of the story. Phishers are being measured, pragmatic and patient.

Besides the usual phishing campaigns that attempt to steal login credentials, SonicWall observed new practices using old tricks. One such example is the use of HTML files leveraging legacy data uniform resource identifier (URI) methods other than JavaScript, which, upon rendering, display a fraudulent webpage or form to the victim to illegally obtain usernames and/or passwords from unsuspecting victims. Employees across a range of organizations, including educational, banking, computer, government, airlines, agriculture, travel, machinery, construction, among others, are often the target of this prevalent phishing tactic.

As was covered in a previous section, PDFs and Microsoft Office files are the delivery vehicles of choice for the modern cybercriminal. Unfortunately, these files are universally trusted and abundant in the modern workplace. Threat actors are hoping this trust, coupled with busy work schedules, is enough to trick unsuspecting victims into clicking links or downloading attachments included within phishing emails. In many situations, this click is the only barrier preventing the delivery of the cybercriminal's payload.
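The data-URI lure described above can be caught before a browser renders it: decode every data: URI an HTML attachment asks the browser to load and inspect what it contains. This is an added example, not code from the report or from SonicWall; the attribute list, the password-field heuristic and the constructed sample lure are assumptions of this example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes a browser dereferences: iframe/img src, a href, object data, form
# action, and meta refresh targets ("0;url=data:..." in the content attribute).
URI_ATTRS = {"src", "href", "data", "action", "content"}
DATA_URI_RE = re.compile(r"data:([\w/+.-]+)?(;[^,]*)?,(.*)", re.S)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


class DataUriCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.uris = []  # (tag, attribute value) pairs that carry a data: URI

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URI_ATTRS and value and "data:" in value.lower():
                self.uris.append((tag, value.strip()))


def decode_data_uri(uri):
    """Return (mediatype, payload) for a data: URI (base64 or percent-encoded), else None."""
    m = DATA_URI_RE.search(uri)
    if not m:
        return None
    mediatype, body = (m.group(1) or "text/plain").lower(), m.group(3)
    if ";base64" in (m.group(2) or "").lower():
        padded = body + "=" * (-len(body) % 4)  # tolerate stripped '=' padding
        return mediatype, base64.b64decode(padded).decode("utf-8", "replace")
    return mediatype, unquote(body)


def scan_html(html_text):
    """Report each data: URI that renders as HTML; a password field in the decoded
    payload is the phishing signal. data: images and other media types are skipped."""
    collector = DataUriCollector()
    collector.feed(html_text)
    findings = []
    for tag, uri in collector.uris:
        decoded = decode_data_uri(uri)
        if decoded is None or not decoded[0].startswith("text/html"):
            continue
        verdict = ("credential form in data: URI" if PASSWORD_INPUT_RE.search(decoded[1])
                   else "markup rendered from data: URI")
        findings.append((tag, decoded[0], verdict))
    return findings


# Constructed test inputs (not samples from the report): a lure whose visible HTML has no
# JavaScript and no plaintext form, only an iframe whose src is a base64 data: URI, and a
# benign page that uses a data: URI for a one-pixel image.
FAKE_LOGIN = ('<form method="post" action="https://example.invalid/login"><input name="user">'
              '<input type="password" name="pass"><input type="submit"></form>')
SAMPLE_LURE = ('<html><body><iframe style="border:0;width:100%;height:100%" src="data:text/html;'
               'base64,' + base64.b64encode(FAKE_LOGIN.encode()).decode() + '"></iframe></body></html>')
SAMPLE_BENIGN = '<html><body><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>'
```

A mail gateway or sandbox would run `scan_html` over every HTML attachment and quarantine on the credential-form verdict; the plain "markup rendered" verdict is a lower-confidence signal worth logging, since legitimate mail rarely embeds whole pages this way.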

Figure: Old tricks are new again. This example, found in 2019, shows how data URI methods can be leveraged to present target victims with fraudulent web pages or forms to steal user credentials.

CRYPTOJACKING CRUMBLES

The shuttering of the Coinhive mining operation in March 2019 dealt a devastating blow to the nefarious cryptojacking racket that abused the service. Coinhive was not inherently malicious; it was an alternative method for websites to earn revenue instead of showing advertisements. Coinhive-enabled websites allocated a small portion of visitors' processing power to legitimately mine cryptocurrency. Unfortunately, attackers misused this technology by infecting a large number of websites with Coinhive scripts and used the processing power of unsuspecting victims to mine cryptocurrency for themselves (without users' knowledge). The cryptocurrency of choice was usually Monero.

While the ebb and flow of cryptocurrency prices didn't help encourage authors to write new cryptojacking malware, the loss of Coinhive was too much for the malicious movement to overcome. In fact, bitcoin even made a surge halfway through 2019 to help cryptojacking stay relevant as a lucrative option for cybercriminals.

After the shuttering of Coinhive, the volume of cryptojacking hits dropped 78% during the second half of 2019.

But crypto prices slumped again in late 2019 and remnant Coinhive malware faded with it. XMRig and Bitminer were the primary cryptojacking malware remaining, but their collective volume was a fraction of Coinhive's. To put the decline in perspective, SonicWall reported that total cryptojacking hits reached 52.5 million for the first six months of 2019. Despite a late surge in December (the expected seasonal attack spike), the malware finished with 64.1 million total hits in 2019, a 78% drop since the start of July 2019.

RANSOMWARE TARGETS STATE, PROVINCIAL & LOCAL GOVERNMENTS

In 2019, there was an increase in ransomware used in targeted attacks toward state, provincial and local governments, as well as large corporations. Attacks have ranged from hospitals, police stations and educational institutions to aluminum factories (Norsk Hydro, Norway) and power grids (City Power, Johannesburg).

"In a modern, citizen-centric environment, successful ransomware attacks are highly disruptive," SonicWall President and CEO Bill Conner wrote for Forbes. "Networks from city hall, law enforcement agencies, sanitation, courthouses or the DMV could be compromised in minutes and everyday operations held for ransom, often at exorbitant costs."

Following the same trend as global malware volume, ransomware attacks were down slightly in 2019. SonicWall Capture Labs threat researchers recorded 187.9 million in total ransomware volume for the year, a 6% drop from the record-breaking 2018 volume.

Schools under siege by ransomware

K-12 districts and higher education institutions across the world were also targeted with ransomware in 2019. And it's very much a global epidemic. In the U.S., ransomware attacks took down schools across the country, from New York, New Jersey, Louisiana and Oklahoma to California and back again. In some cases, like Livingston Public Schools in New Jersey, classes were delayed because of ransomware infection. That attack even took down the district's payroll system. Similar delays were felt by districts in Michigan, Alabama and New York.

In the U.K., penetration testing conducted by JISC, the government agency that provides many computerized services to U.K. academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored a 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data, financial systems as well as staff and student personal information.

But volume shouldn't be confused with effectiveness. Cybercriminal organizations that leverage ransomware continue to focus on the quality of their attacks over sheer quantity. It's no longer the size of the organization, but rather its likeliness to pay. Unfortunately, in 2019 that meant a number of high-profile attacks against various state, provincial and local governments. More than 140 state and local governments are reported to have been hit with ransomware in 2019, although the actual number is likely much higher. Another study stated that ransomware infected some 621 schools and hospitals through September 2019. The year saw ransomware attacks across the U.S. bring city services to a halt, including those in Arizona, Florida, Georgia, Indiana, Maryland, Nevada, New York, Texas and more.

Larger organizations remain the most lucrative targets as they are more likely to pay higher sums of money for data restoration compared to the average end-user. Bitcoin remains the dominant currency for ransom payments because of its anonymity (when used correctly).

In Australia, the head of the local intelligence agency was recruited to inform universities about
