安全事件响应观察报告绿盟科技© 绿盟科技关于绿盟科技北京神州绿盟信息安全科技股份有限公司（简称绿盟科技）成立于2000年4月，总部位于北京。在国内外设有30多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在网络及终端安全、互联网基础安全、合规及安全管理等领域，为客户提供入侵检测/防护、抗拒绝服务攻击、远程安全评估以及Web安全防护等产品以及专业安全服务。北京神州绿盟信息安全科技股份有限公司于2014年1月29日起在深圳证券交易所创业板上市交易。股票简称：绿盟科技 股票代码：300369特别声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。安全事件响应观察报告A目录1. 前言 ······································································································································································ 22. 网络安全形势分析 ················································································································································ 52.1 勒索软件仍是安全事件重点，并呈现家族化趋势 ················································································································ 82.1.1 勒索病毒家族类型增多，变种更新更加频繁 ········································································································································ 92.1.2 Windows 服务器需重点关注，跨平台勒索病毒开始出现 ·················································································································· 92.1.3 RDP 弱口令暴力破解成为主流攻击方式 ············································································································································· 102.1.4 病毒制作门槛降低，传播方式蠕虫化 ·················································································································································· 112.2 挖矿病毒利用多种漏洞传播 ··················································································································································· 122.2.1 WannaMine 挖矿病毒依然流行 ·····························································································································································122.2.2 门罗币成为挖矿病毒的首选币种 ·························································································································································· 122.3 网络威胁行业特征显著 ··························································································································································· 132.3.1 政府部门 Web 服务器成为攻击重点 ···················································································································································· 142.3.2 运营商需着重关注勒索软件、流量异常类安全事件 ·························································································································· 142.3.3 金融机构已成为网络犯罪的主要目标 ·················································································································································· 152.3.4 企业的勒索事件占据绝对比重 ······························································································································································ 162.4 脆弱系统将面临越来越多的攻击 ··········································································································································· 182.4.1 1Day 漏洞抢占肉鸡资源 ········································································································································································· 182.4.2 NDay 漏洞持续威胁用户安全 ································································································································································ 192.4.3 弱口令仍是安全事件“高发地” ·························································································································································· 203. 安全处置建议 ···················································································································································· 214. 典型安全事件应急处置案例分析 ······················································································································ 234.1 勒索软件典型案例 ··································································································································································· 244.1.1 GlobeImposter 家族 ················································································································································································ 244.1.1.1 背景介绍 ································································································································································································ 244.1.1.2 事件分析 ································································································································································································ 244.1.2 GandCrab 家族 ························································································································································································ 274.1.3 Satan 家族 ································································································································································································ 304.2 挖矿事件典型案例 ··································································································································································· 354.2.1 利用 WebLogic 组件漏洞挖矿 ······························································································································································· 354.2.2 WannaMine 及其变种 ············································································································································································· 384.3 入侵事件典型案例 ··································································································································································· 424.3.1 某网站博彩暗链事件 ··············································································································································································· 42附录A:绿盟应急响应服务介绍 ····························································································································· 47附录B:绿盟安全预警公众号介绍 ························································································································· 49安全事件响应观察报告2前言1. 前言1前言安全事件响应观察报告3前言2019 年 2 月中国互联网络信息中心发布的中国互联网络发展状况统计报告1显示，截止 2018年 12 月，中国网民规模达到 8.29 亿人，互联网普及率为 59.6%，互联网已经渗透到各行各业，直接影响着国家发展和人们的生产生活。随着互联网技术的发展，网络安全事件种类越来越多，攻击手段层出不穷，严重危及政府和企业的运转，极大影响了公众的社会生活。绿盟科技应急响应团队 2018 年共处理来自全国各地的安全应急事件 338 起，涉及政府、运营商、金融、企业等行业，覆盖 30 个省份。安全事件地区分布如下图所示：图表 1 安全事件地区分布高低30+20-3010-205-201-50据统计，2018 年年初和年末发生的安全事件数量最多，远高于 2017 年同期处理事件数量。1 中国互联网络发展状况统计报告 .cac.gov/wxb_pdf/0228043.pdf1前言安全事件响应观察报告4前言图表2 每月事件数量趋势2017 2018发生月份事件数量（起）160504030201002 3 4 5 6 7 8 9 10 11 12在对 2018 年处理的安全事件进行深入分析和整理的基础上，绿盟科技应急响应团队输出此报告。期盼更多的人能够关注安全事件现状，进一步提高安全意识；同时也希望各安全厂商齐心协力，共同为用户建设更加安全的网络环境。适用性此报告适用于政府、运营商、金融、企业等行业客户。局限性此报告基于绿盟科技应急响应服务数据，具有一定局限性。特别声明本次报告中涉及的所有数据，均来源于绿盟科技的自有产品和合作伙伴产品，所有数据在进行分析前都已经过脱敏处理，不会在中间环节出现泄露，且任何与客户有关的具体信息，也均不会出现在报告中。安全事件响应观察报告5网络安全形势分析2. 网络安全形势分析2网络安全形势分析安全事件响应观察报告6网络安全形势分析随着网络安全形势的发展，越来越多的攻击者不再以炫耀技术能力为目的，而是以获取经济利益为行动向导。这些攻击运用的并非都是新技术，更多的是将现有的攻击工具、手法稍加改变，以突破企业防线。比起 2017 年， 2018 年是相对平静的一年，如 MS17-010 等核弹级漏洞带来的阴影正渐渐淡去，但在这平静的表面下，黑色产业链也在默默壮大。从整体上看：在绿盟科技 2018 年处理的安全事件中，勒索软件、挖矿和入侵类事件占比最高，分别为 20%、17% 和 15%。黑客的攻击目标和攻击手段一直在变，唯一不变的是攻击者对利益的追求。而虚拟货币因其不可追溯性成为攻击事件中资源套现的最好载体，黑客通过勒索和挖矿可以获得大量虚拟币，攫取高额的非法收入。典型的攻击场景主要有：虚拟币勒索、虚拟币盗窃、“挖矿”、诈骗等。安全事件占比如下图：图表3 事件类型分布5%4%4%7%8%10%15%17%20%3%2%1%1%1%1%1%勒索软件挖矿入侵事件蠕虫病毒主机异常流量异常拒绝服务漏洞验证信息泄露访问异常业务逻辑钓鱼其他样本分析数据异常网络中断与去年相比，勒索软件的种类和数量成倍增涨， 2017 年处理勒索病毒类安全事件 25 起，2018 年处理 69 起。安全事件响应观察报告7网络安全形势分析图表4 勒索病毒安全事件数量对比2017 2018事件数量（起）60708050403020100病毒种类由 2017 年的几种，发展到 2018 年的几十种；病毒在更新迭代速度上也是突飞猛进，并且呈现家族特征。其中 GandCrab、 Cerber 等病毒已经超过五代， GlobeImposter 病毒也出现了第三代。表 1 2017、2018年活跃勒索病毒名称年份 勒索病毒名称2017 年 Wannacry、Petya、Crysis 、数据库勒索、HDDCryptor、CRBR2018 年Wannacry、Petya、Crysis 、数据库勒索、HDDCryptor、GlobeImposter 、WannaMine、Rapid 、lucky、GandCrab、.Wallet、Crysis 、princess Locker、Cerber 挖矿类安全事件由去年的 14 起增长到 56 起。在 2018 年中，挖矿病毒更多以蠕虫形式出现。图表5 挖矿类安全事件数量对比2017 2018事件数量（起）6050403020100安全事件响应观察报告8网络安全形势分析从行业上来看：政府单位服务器、网站一直很受黑客青睐，受到的攻击以 web 攻击为主。运营商与网络应用服务和终端服务有着紧密的联系，这一特点使得运营商行业备受黑客瞩目。金融行业由于其业务复杂、数据资产价值高等特点，安全事件的类型众多，容易成为境外黑客的攻击目标。企业是受攻击的重灾区，其中尤以中小企业与中小互联网企业最为突出。中小型企业在网络安全方面投入不足，而产品销售维护又严重依赖互联网信息系统，网上公开的漏洞不能及时修补，导致大量的黑客攻击。2.1 勒索软件仍是安全事件重点，并呈现家族化趋势勒索病毒攻击早已不是什么新鲜手段，但勒索病毒和虚拟货币结合，就成了“黄金搭档”。 2017年 WannaCry 勒索病毒全球 “大屠杀”，让攻击者们意识到，这种“抢钱”方式安全且可靠。由此，利用勒索病毒谋取非法利益的安全事件愈演愈烈。2018 年应急事件中，勒索软件类事件占比 20%，为众多事件类型之冠，可见勒索软件仍是网络攻击的重点。通过对今年勒索事件的处理及分析，发现勒索病毒在攻击目标、传播方式、技术门槛、新家族 / 变种、赎金支付方式等方面均呈现出新的特点。图表6 事件类型分布32%44%勒索软件其它