安全事件响应观察报告Cybersecurity Incident Response Insights2019关于绿盟科技北京神州绿盟信息安全科技股份有限公司（简称绿盟科技）成立于2000年4月，总部位于北京。在国内外设有30多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在网络及终端安全、互联网基础安全、合规及安全管理等领域，为客户提供入侵检测/防护、抗拒绝服务攻击、远程安全评估以及Web安全防护等产品以及专业安全服务。北京神州绿盟信息安全科技股份有限公司于2014年1月29日起在深圳证券交易所创业板上市交易。股票简称：绿盟科技 股票代码：300369特别声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。2019年安全事件响应观察报告A目录 CONTENTS目录1. 前言 ······································································································································································ 12. 网络安全形势分析 ················································································································································ 42.1 国家级安全演练效果明显 ·························································································································································· 52.2 关键基础设施成为黑客攻击的重点目标 ·································································································································· 72.3 经济利益是黑客攻击主要驱动力 ············································································································································ 102.4 勒索软件即服务势头迅猛 ························································································································································ 112.4.1 完善的产业链 ···························································································································································································· 112.4.2 低风险高收益 ···························································································································································································· 142.4.3 建议 ············································································································································································································ 152.5 黑链暗链事件的爆发式增长 ···················································································································································· 152.5.1 现状 ············································································································································································································ 162.5.2 利益链 ········································································································································································································ 172.5.3 建议 ············································································································································································································ 182.6 恶意程序隐藏技术在革新发展 ················································································································································ 192.7 入侵事件平均潜伏时间高达 359 天 ······································································································································· 202.8 人和管理成为主要入侵突破口 ················································································································································ 233. 安全漏洞变化趋势 ·············································································································································· 273.1 高危漏洞 PoC 公开数量增多 ··················································································································································· 283.1.1 微软远程桌面服务远程代码执行漏洞（CVE-2019-0708 ） ··············································································································· 293.1.2 Confluence SSRF 及远程代码执行漏洞 ················································································································································ 303.1.3 WinRAR 代码执行漏洞 ············································································································································································ 313.2 0day 漏洞频繁爆发 ··································································································································································· 323.2.1 SandboxEscaper 再爆 0day 漏洞 ·························································································································································· 323.2.2 Chrome PDF 文件解析 0day 漏洞 ··························································································································································333.2.3 Fastjson 0day ···························································································································································································343.3 国内商用软件安全状况堪忧 ···················································································································································· 343.4 WebLogic Java 反序列化漏洞补丁绕过 ······························································································································· 353.5 结语 ····························································································································································································· 372019年安全事件响应观察报告B目录 CONTENTS4. 网络安全大事件拾遗 ·········································································································································· 384.1 美国对伊朗发起网络战，网络攻击正式成为军事工具 ······································································································· 394.2 世界铝业巨头被攻击，基础设施应急能力待提升 ··············································································································· 394.3 委内瑞拉大规模停电，关注工控和物联网安全 ···················································································································· 404.4 APT28 针对东欧和中亚国家的攻击活动，政治意味明显 ·································································································· 404.5 涉嫌泄露亿条公民信息，考拉征信被查 ································································································································ 414.6 韩国加密货币交易所 4900 万美元以太币被窃 ····················································································································· 414.7 phpStudy 后门植入攻击事件 ·················································································································································· 424.8 微软停止为 Windows7 提供支持 ············································································································································ 425. 典型安全事件专题 ·············································································································································· 445.1 GandCrab 勒索病毒应急案例 ·················································································································································· 455.1.1 背景介绍 ···································································································································································································· 455.1.2 处置过程 ···································································································································································································· 455.1.3 结论建议 ···································································································································································································· 585.2 KingMiner 挖矿木马病毒应急案例 ········································································································································ 585.2.1 背景介绍 ···································································································································································································· 585.2.2 处置过程 ···································································································································································································· 595.2.3 结论建议 ···································································································································································································· 615.3 网页篡改事件应急案例 ···························································································································································· 625.3.2 处置过程 ···································································································································································································· 625.3.3 结论建议 ···································································································································································································· 665.4 入侵事件应急案例 ···································································································································································· 675.4.1 背景介绍 ···································································································································································································· 675.4.2 处置过程 ···································································································································································································· 675.4.3 结论建议 ···································································································································································································· 706. 安全建议 ····························································································································································· 72前言12019年安全事件响应观察报告1前言1. 前言前言12019年安全事件响应观察报告2前言报告概述绿盟科技应急响应团队对 2019 年处理的安全事件进行深入整理与分析，并综合国内外重要安全事件，编制 绿盟科技 2019 安全事件响应观察报告，希望从安全事件的角度分析 2019 年的安全现状，与安全行业从业者交流发展趋势，共同探讨网络安全建设的发展方向。2019 年，绿盟科技应急响应团队共处理应急事件 351 起，同比去年增长 4%，发生安全事件数量排名前三的区域分别是：北京 80 起， 广东 59 起，上海 31 起。高低12+9-126-93-61-30图 1.1 2019年安全事件地区分布图从行业上看，事件主要分布在金融，运营商，企业和政府行业，与去年相比金融行业事件数量有所下降，而运营商行业安全事件数量则明显增加。2019年安全事件响应观察报告3前言1401201008060402002018行业分布 2019行业分布金融 运营商 企业 政府 能源 教育 卫生 烟草 交通 互联网 其他图1.2 2019年安全事件行业分布图报告认为，经济利益仍然是黑客们投身黑产的主要驱动力，黑链利益链产业化套路升级，黑客们的技术不断革新，勒索、挖矿依然是安全事件的重头戏；安全意识不足（如：弱口令）是安全建设的薄弱环节，也是黑客入侵主要的突破口；漏洞依旧是安全行业最关注的热门话题。而安全演练，常态化威胁情报的分析，安全运维中的运维监控、漏洞修复都是防御日益严峻的安全形势的有效手段。适用性此报告适用于政府、运营商、金融、企业等行业客户。局限性此报告基于绿盟科技应急响应服务数据，具有一定局限性。2019年安全事件响应观察报告4网络安全形势分析2. 网络安全形势分析2网络安全形势分析2019年安全事件响应观察报告5网络安全形势分析2网络安全形势分析2.1 国家级安全演练效果明显2019 年安全事件整体趋势与 2018 年相比变化较大。从月度事件数量分布来看， 2018 年呈现平缓增长趋势； 2019年上半年整体安全事件增长迅速，并在 6月达到全年峰值，占全年安全事件总量 16.8%（是月平均安全事件的 2 倍）；下半年整体呈下降趋势，与 2018 年同期环比下降 39%。 2天移动平均（2018） 2天移动平均（2019）7060504030201001 2 3 4 5 6 7 8 9 10 11 1220182017 2019图 2.1 近三年安全事件趋势图从安全事件类型分析， 2019 年利用系统漏洞进行攻击和传播的事件如暗链、挖矿、入侵、蠕虫和勒索主要集中在上半年发生，同样在 6 月达到峰值后迅速下降，到 12 月才稍有回升，而其他类型安全事件则没有显现出这种规律。60504030201001 2 3 4 5 6 7 8 9 10 11 122天移动平均（漏洞利用相关事件） 2天移动平均（其他事件）其他事件漏洞利用相关事件图 2.2 2019安全事件月度趋势2019年安全事件响应观察报告6网络安全形势分析从安全事件发生原因进一步分析，多数安全事件是由于用户安全意识不足用户或系统漏洞未及时修复引发。 2019 年上半年因为安全意识造成的事件在全年占比 19.09%，利用系统漏洞的事件占17.09%，而下半年安全意识造成的事件占比下降到 13.68%，利用系统漏洞的事件也下降到 8.26%。上半年下半年19.09%安全意识17.09%漏洞利用23.36%综合利用4.56%其他13.68%安全意识8.26%漏洞利用10.26%综合利用3.70%其他上半年下半年图 2.3 2019安全事件风险原因分布通过上述分析发现 2019 下半年的安全事件和往年相比有较大不同， 6 月之后安全意识和漏洞利用相关的事件有明显的下降趋势。结合今年 6 月举办的国家级安全演练的范围和影响面，我们认为：下半年安全事件数量下降的原因与 2019 举行的国家级安全演练密不可分，可以说 6 月的安全演练起到了安全漏洞大扫除的作用。安全演练前，各单位对自身资产进行全面资产梳理和脆弱性排查，如下线弃用系统、扫描隐藏后门、关闭高危端口、及时修复漏洞等，同时注重培养和提升员工安全技能，降低因安全意识而导致的风险。安全演练期间，进一步加强资产防护与漏洞修复，进一步将安全漏洞一网打尽，这也成为 2019 年下半年安全事件数量大幅下降的“催化剂”。国家级安全演练，就是要模拟黑客真实的网络攻击场景，考察政府机构、能源、通信、金融等关键信息基础设施单位遭受网络攻击的情况下的应急保障及协调能力。安全演练不仅能增强演练组织单位、参与单位和人员等对应急流程的熟悉程度，提高应急处置能力；还能检查各个单位对突发事件所需应急队伍、物资、装备、技术等方面的准备情况，发现应急预案中存在的问题。这也是对日常安全运维工作中的安全保障成果的一种检验，为后续单位、企业安全建设提供新的思路与方向。