Malware Threat Report 2021
BeyondTrust Labs Analysis of Ransomware and Phishing Trends & How to Mitigate Them
James Maude, Lead Cybersecurity Researcher, BeyondTrust
TABLE OF CONTENTS
Executive Summary ... 3
Security Challenges of 2020-2021 ... 4
  The Increased Attack Surface: Bringing Threats Home ... 4
  The New Perimeter ... 7
  More Privileges, More Problems ... 9
  Privileged Application Vulnerabilities ... 11
  Summary of Security Challenges ... 13
Maturity of the Malware Ecosystem ... 14
  Human-Operated Ransomware ... 16
BeyondTrust Malware Labs: Analysis of Malware Threats ... 21
  Overview of Malware Strains ... 22
  Common Denominators ... 27
  Most Common Techniques After Initial Malware Execution ... 29
  Lab: Testing BeyondTrust Trusted Application Protection Against Top Malware Strains ... 31
Diving Into MITRE ATT&CK® Framework Definitions & Mitigations ... 34
  T1047 Windows Management Instrumentation (WMI) ... 35
  T1204.002 User Execution: Malicious File ... 36
  T1059.001 PowerShell Used for Initial Execution ... 37
  T1059.003 Windows Command Shell (CMD) ... 38
  Other Techniques ... 39
The 5 Critical Steps to Complete Endpoint Security ... 40
Additional Resources ... 43
Appendix: Threat Samples Tested ... 44
Note: The lab-based research in this report pertains only to Windows desktops and servers.
Executive Summary

This research report provides insights and analysis into threats and privileged account misuse on Windows devices across the globe. The research comes from the same BeyondTrust Labs team that publishes the annual Microsoft Vulnerabilities Report.

This report is based on real-world monitoring and analysis of attacks between Q1 2020 and Q1 2021 discovered in the wild by the BeyondTrust Labs team, with collaboration from customers and incident response teams using BeyondTrust's products. In addition to general insights into the threat landscape, the report also dives into recurring threat themes and maps out Tactics, Techniques, and Procedures (TTPs) against the MITRE ATT&CK® Enterprise Framework.

BeyondTrust Labs explored the 58 techniques that the MITRE ATT&CK Framework lists for Cobalt Strike (threat emulation software). For 66% of those techniques, MITRE either recommends Privileged Account Management, User Account Management, or Application Control as a mitigation, or lists Administrator/SYSTEM accounts as a prerequisite for the technique to succeed. Control of privileges and application execution is therefore a key defensive measure against Cobalt Strike and against tools and malware with similar capabilities: it reduces the attack surface and denies both code execution and privileged rights.
KEY FINDINGS

1. Absent the right protection, malware will disable endpoint security controls and undermine your security investment.
2. We are observing a growing trend in the use of native tools to perform fileless attacks in the initial stages, until a strong foothold and persistence mechanism is established and security controls have been disabled.
3. The MITRE ATT&CK Framework provides an effective way to distill a wide range of malware strains and cyberattacks into component techniques, which can then be mitigated.
4. BeyondTrust's out-of-the-box policies proactively disrupted all 150 different, common attack chains tested in our analysis.
5. Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.
Security Challenges of 2020-2021

The Increased Attack Surface: Bringing Threats Home

Security staples such as network monitoring and firewall technologies are becoming less effective as the perimeter shifts from the corporate office to the home office, or "work from anywhere" for that matter.

Over the past two decades, organizations invested significantly in shoring up their cyber defenses. Some of these investments have been rendered far less effective, even obsolete, by the changes ushered in by the pandemic.

Email fatigue is greater than ever. The daily communications that once happened in person, or over the office phone, have shifted increasingly to emails, online meetings, and other communication tools. This means that users are not only seeing higher volumes of email, but also receiving email from a wider range of sources, such as:
- Colleagues they have never met
- Prospective suppliers
- New clients
- Other departments, about policies, tools, and information needed to support home working
Despite the rise of modern collaboration software, most office communication still revolves heavily around sending and receiving emails with documents, links, or other attachments. For example, an HR team expects to receive resumes, and a finance department expects invoices or contracts.

The expectation of receiving legitimate communications via email, often from unknown or unanticipated sources, makes it easy for an attacker to tailor an email phishing campaign and achieve a high success rate. Departments with access to the most documents and data are often the most likely to fall victim to phishing efforts, subsequently leading to a ransomware or other malware attack.

Figure 1: Example of a COVID-19 themed phishing email linking to a malicious Word document
Consequently, threat actors launched highly successful campaigns that use targeted phishing emails to socially engineer the overwhelmed remote worker into entering their credentials or opening an infected document.

In BeyondTrust Labs, we observed a 200% increase in phishing emails, with the majority being COVID-19 themed.

The threat actors sending these emails impersonated a variety of government and non-government organizations, from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) to government departments and pharmaceutical companies.

These email campaigns prompted the Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA) and the World Health Organization (WHO) to issue communications warning users of the risks. The United Kingdom's National Cyber Security Centre also launched a campaign to be "Cyber Aware" following the takedown of 2,000 scams, including 471 fake online shops for COVID-19 related services.

WHO communication warning users of phishing techniques. The World Health Organization will:
- Never ask for your username and password to access safety information
- Never email attachments you didn't ask for
- Never charge money to apply for a job, register for a conference, or reserve a hotel
- Never conduct lotteries or offer prizes, grants, certificates or funding through email
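The indicators in the WHO notice above (impersonated senders, unsolicited attachments, links that do not go where they claim) can be turned into a mail-gateway triage check. The following is an added example written for this page, not code from BeyondTrust or from the report: it parses one message and reports each indicator it finds. The organisation-to-domain allow-list, the risky-extension set and the sample message are all constructed assumptions, and the domain comparison is a crude last-two-labels check rather than a public-suffix lookup.

```python
"""Added example: triage an email for the phishing indicators described
above (impersonated sender, mismatched Reply-To, unsolicited macro-enabled
attachment, link text that disagrees with its target).  The allow-list,
extension set and sample message are constructed for this page."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumed mapping of commonly impersonated organisations to their real domains.
KNOWN_ORG_DOMAINS = {
    "world health organization": "who.int",
    "who": "who.int",
    "centers for disease control": "cdc.gov",
    "cdc": "cdc.gov",
}
# Attachment types that should not arrive unsolicited from outside (assumed set).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".hta", ".lnk", ".iso"}


def _registered(host: str) -> str:
    """Last two DNS labels (crude eTLD+1; use a public-suffix list in production)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> list:
    """Return a list of finding strings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name claims a known organisation but the address domain is not theirs.
    sender = msg["From"].addresses[0]
    sender_dom = _registered(sender.domain)
    shown_name = sender.display_name.lower()
    for org, real_dom in KNOWN_ORG_DOMAINS.items():
        if re.search(rf"\b{re.escape(org)}\b", shown_name) and sender_dom != real_dom:
            findings.append(f"impersonation: '{sender.display_name}' sent from {sender.domain}, expected {real_dom}")
            break

    # 2. Replies are steered to a different domain than the visible sender.
    reply_to = msg["Reply-To"]
    if reply_to and _registered(reply_to.addresses[0].domain) != sender_dom:
        findings.append(f"reply-to mismatch: {reply_to.addresses[0].addr_spec}")

    # 3. Unsolicited attachment of a type that can carry macros or scripts.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).suffix.lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    # 4. Link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        links = _Links()
        links.feed(body.get_content())
        for href, text in links.pairs:
            target = urlparse(href).netloc
            shown = urlparse(text if "://" in text else "//" + text).netloc
            if shown and _registered(shown) != _registered(target):
                findings.append(f"link mismatch: text shows {shown}, href goes to {target}")
    return findings


def constructed_sample(benign: bool = False) -> bytes:
    """A constructed message in the style of the COVID-19 lures above; not a real capture."""
    m = EmailMessage()
    m["To"] = "employee@corp.example"
    m["Subject"] = "COVID-19 safety measures: action required"
    if benign:
        m["From"] = "World Health Organization <noreply@who.int>"
        m.set_content('<p>See <a href="https://www.who.int/emergencies">https://www.who.int/emergencies</a></p>',
                      subtype="html")
        return m.as_bytes()
    m["From"] = "World Health Organization <alerts@who-covid19-update.example>"
    m["Reply-To"] = "desk@mailbox-reply.example"
    m.set_content(
        '<p>Review the guidance at <a href="http://who-int.covid-guidance.example/login">'
        "https://www.who.int/emergencies</a> and open the attached document.</p>",
        subtype="html",
    )
    m.add_attachment(b"constructed placeholder bytes, not a real document",
                     maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="COVID-19_Safety_Measures.docm")
    return m.as_bytes()
```

`triage(constructed_sample())` returns four findings (impersonation, Reply-To mismatch, a .docm attachment, and a link whose text says who.int but whose href does not), while the benign variant from the real who.int domain with a consistent link returns none. The point of checking the visible link text against the href is that the lure in Figure 1 works precisely because the user sees a trustworthy name or URL rather than the real destination.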
The New Perimeter

"Just like the ice wall in Game of Thrones, organizations spent years building a technological perimeter wall to keep threats out. Despite cries that 'the perimeter is dead,' they have continued to place a lot of faith (and investment) in it. The rapid transition to remote working, and the sudden dissolution of the perimeter, has forced an abrupt shift to focus on securing identities and end-user devices. IT departments are under pressure to upgrade capacities fast and this results in changing or replacing existing systems with little time to do thorough security tests. Vulnerabilities in the remote access infrastructure and access protocols may remain undetected and can be exploited in cyberattacks."
International Monetary Fund: Cybersecurity of Remote Work During the Pandemic
To adapt to social distancing initiatives or work-from-home policies, businesses were forced to accept unprecedented risks that would have been inconceivable a few months prior, just to continue operating and keep users productive.

In some cases, old desktop machines that no one ever imagined leaving the corporate network were loaded into cars and taken home to potentially vulnerable networks that they were never intended to join.

A wide range of remote access tools and cloud services were hastily spun up, sometimes overnight or over a long, sleepless weekend.

In many cases, due to the speed of the deployments, users were all given broad access to data and systems as businesses erred on the side of freedom and flexibility to ensure that users were able to work remotely.
Attackers overwhelmingly seek out the easy targets that will yield a fast payday. Thus, cybercriminals quickly capitalized on this sudden shift, rapidly identifying that not only had the attack surface vastly increased, but so had the access to data and systems. One outcome of these factors was the surge of successful ransomware campaigns, as attackers were able to land and expand with newfound ease. Since the pandemic, there have been a third more ransomware families and 560,000 new pieces of malware detected every day (DataProt, 2021).

BeyondTrust Labs has also witnessed an increase in specialist Ransomware-as-a-Service (RaaS) operators, which not only provide services that lower the technical barriers for would-be cybercriminals but are also far more capable of taking down large enterprises.

In this environment, it's hardly surprising that multimillion dollar ransoms are now commonplace. These ransoms are not just quick cash payouts, but seed rounds for the ransomware operators, who continue to invest in better infrastructure and in leveraging zero-day exploits.

Many organizations who previously had robust monitoring in place on the internal network, helping to identify malware traffic and lateral movement, have been blind to the new and evolving attack techniques. This is because so many endpoints now operate partially or fully outside of the network. To compound this problem, there was a nearly 900% surge in fileless malware attacks (Internet Security Report for Q4 2020, WatchGuard Technologies), which often involve attackers abusing native applications, like PowerShell, to perform tasks. This reduces the chance of detection, as many solutions look for new applications appearing rather than for existing, legitimate tools being launched.
More Privileges, More Problems

Over the past few years, most organizations have been advancing toward a least privilege approach, where users are only allocated the privileges and privileged access they need to do their role. In many industries this is now mandatory (NIST, PCI, HIPAA, etc.). Due to the effectiveness of this security control, it is expected that companies in other industries will follow.

Supporting the newly remote workforce presented organizations with many challenges around privileged access. For instance, seemingly trivial tasks, like installing printer drivers for the device in the home office, or the software needed for a new wireless headset, or updating the local time on a laptop, required local admin rights that users didn't have. To continue functioning without overwhelming support desks with calls and tickets, many organizations gave users local admin rights on a temporary or permanent basis, vastly increasing the security risk.

The International Monetary Fund (IMF) addressed this topic in a special series of notes warning of the potential cybersecurity risks brought about by remote working during the pandemic. The increased pervasiveness of local admin rights has made it significantly easier for common malware strains to use simple Elevation of Privilege (EoP) techniques to not only gain access to privileges on the system, but also use these privileges to disable or bypass existing security controls.

Thus, it is critical to remove local admin rights and apply more granularity around privileged access security controls.
"We were up against the clock on this one and ended up issuing work from home laptops with local admin rights for the old desktop user groups. We also had to react to an influx of support calls by granting temporary admin privileges to our existing laptop user groups. This was all because we didn't have a solution in place at the time. Privilege Management has quickly become our top priority."
Head of IT Ops, Engineering Firm
"Employees should not have administration rights on firm-owned notebooks, security hardened configurations and up-to-date endpoint security solutions should be in place, connection security parameters should be set according to good practices and should be locked, and the corporate remote access infrastructure should be tightly controlled."
International Monetary Fund: Cybersecurity of Remote Work During the Pandemic
Privileged Application Vulnerabilities

Alongside the increase in users with admin rights, we have observed a rising trend in software that does not properly manage privileges.

The 2021 edition of the BeyondTrust Labs annual Microsoft Vulnerabilities Report found the following:
- Elevation of Privilege (EoP) vulnerabilities increased 3x from 2019 to 2020
- These accounted for 44% of the 1,268 critical Microsoft vulnerabilities surveyed in 2020
- Remote Code Execution (RCE) was the next highest category (27% of the critical vulnerabilities)

The issue of improper privilege management has been highlighted by MITRE, who included CWE-269, Improper Privilege Management, in their "2020 CWE Top 25 Most Dangerous Software Weaknesses."

3X INCREASE: EoP vulnerabilities year over year, 2019-2020
44%: share of the critical Microsoft vulnerabilities in 2020 that were EoP

CWE-269: Improper Privilege Management. "The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor." (MITRE Common Weakness Enumeration)
As shown in the chart below, this weakness has been trending upwards almost exponentially since 2016. Thus, it is more important than ever to control the privileges granted, not only at the user level, but at the application level, to prevent that sphere of control being created for a threat actor.

[Chart: Vulnerability Type Change by Year]

However, the issues of improper privilege management are not just a Windows problem, as the data shown above tracks common weaknesses across a variety of software and operating systems. While it is not always possible to control how the software itself handles privileges, the principle of least privilege (POLP) can be applied directly to the application to control risk.

From restricted tokens to controlling child process inheritance, there are a variety of ways a robust endpoint privilege management solution can mitigate the risk of improper privilege management by applications.

Figure 2: CWE-269 Improper Privilege Management has been vastly increasing since 2016. Source: NIST. This visualization is a slightly different view that emphasizes how the assignment of CWEs has changed from year to year.
Summary of Security Challenges

In 2020, the attack surface expanded massively due to:
- The expansion in use cases for granting access to privileges
- An increase in software exposed to dangerous vulnerabilities, particularly elevation of privilege
- The widespread use of remote access that resulted from a massive shift to remote working

Attackers shrewdly exploited these new cyber exposures, often using elevation of privilege attacks and sophisticated malware campaigns, frequently playing on the emotions and fears of users.

Threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. In our next section, we will explore the continuing evolution of the cybercrime industry.
Maturity of the Malware Ecosystem

Parallel to legitimate software companies and the trend towards SaaS, threat actors are shifting to Malware-as-a-Service (MaaS) models, with specialists emerging in different areas, including enterprise credential sales, initial access to a target organization, lateral movement capability, or payload delivery.

As with any growth industry, we have seen a lot of changes in malware ecosystems and their economic models. Today, there are often many different pieces of malware that come together in an attack. A modern ransomware attack could be comprised of multiple threat actors, tools, and platforms.
For example:
- Threat actors rent the Necurs botnet and use it to distribute malicious spam
- The spam contains malicious documents that launch Trickbot
- Trickbot is used to harvest credentials, access emails, and move laterally across the network
- With widespread compromise of the target network, the threat actor sells backdoor access to the network to the highest bidder
- The buyer then deploys Ryuk ransomware via the Trickbot command and control servers

In this chain of events, we can see several malware players and their tools within their own specialties. This modular approach allows the malware authors to focus on excellence in one area.

This specialization not only drives innovation through competition, but also reduces the threat actor's risk. If one part of the chain is taken down, the other parts can quickly shift to another supplier. Alternatively, if you're a threat actor looking to avoid being blocked by antivirus (AV) tools, then you can just buy access to systems where Trickbot has already breached the network and disabled the AV software.

This approach makes modern malware considerably more resilient to takedown attempts, while also setting the technical bar for illicit entry much lower. After all, an attacker no longer has to be an accomplished developer, social engineer, or skilled hacker. They can now buy, rather than build, tools and use MaaS platforms to orchestrate sophisticated malware campaigns.
Human-Operated Ransomware

As threat actors seek to maximize the disruption to organizations and extract the highest ransom payments, the ransomware model is shifting towards human-driven, enterprise-wide attacks.

Rather than create an automated worm that self-propagates across the network, the latest generation of ransomware-as-a-service (RaaS) will tread lightly, establishing a foothold in the network of a large organization. Using common penetration testing tools, such as Cobalt Strike or PowerShell Empire, they then survey the network and spread using privilege escalation to gain control of critical systems and disable security controls, before finally encrypting key systems and exfiltrating data.

"Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors."
Human-operated Ransomware Attacks: A Preventable Disaster
The Evolution of Ransomware

Timeline: Archievus (2005), Reveton (2012), Cryptolocker (2013), WannaCry (2017), REvil (2019), DarkSide (2021)

Stages:
- Basic Ransomware: Automated, single endpoint
- Business Ransomware: Automated, single endpoint
- Enterprise Ransomware: Automated, multiple endpoints
- Tailored Ransomware: Manually orchestrated

2005, Individual Targeting: Archievus uses asymmetric encryption to encrypt files in the "Documents" folder, forcing the user to buy decryption through website purchases.

2013, Business Targeting: Cryptolocker starts using professional emails to target businesses. Ransoms data on a single endpoint.

2017, Enterprise Worm: WannaCry exploits CVE-2017-0145 to propagate across networks. Ransoms data across the entire network.

2019, Tailored Operations: Maximizing business disruption and pressure to pay a ransom, attacks become more tailored and less automated. Humans using pen-testing tools search the network for targets.

Over the past 15 years, ransomware attacks have shifted from targeting a few file types in a single folder on one endpoint, to widespread encryption of entire networks of systems. While taking down a big network and many systems can result in a more devastating attack and greater business impact, it also lengthens the attack chain, providing more opportunities to detect and prevent the attack.

Figure 3: How ransomware has evolved as it seeks out more critical data and systems as higher value targets
From a defensive point of view, this latest evolution of ransomware makes it far more difficult to identify attacks using traditional detection tools, as they are less likely to use a generic payload. Instead, human-operated ransomware attacks involve a real person using professional tools.

This hands-on approach can wage a highly tailored attack on the target that frequently involves obfuscating code and leveraging fileless techniques to maintain a light footprint and avoid triggering alarm bells while they explore the systems. Fileless techniques may abuse native applications like PowerShell or .NET developer tools to run scripts and launch payloads, avoiding introducing new applications to disk that may be detected or blocked.
Figure 4: Example of a human-operated ransomware campaign observed in the wild, with the role of Privilege Management for Windows at each phase of the attack chain

Attack chain phase | MITRE ATT&CK technique | Tactic | Example observed

Access environment (Privilege Management for Windows prevents PowerShell from being launched from a phishing attachment)
T1566 Phishing | Initial Access | Trickbot via phishing email
T1548.002 UAC Bypass | Execution & Local Elevation | Cobalt Strike or PowerShell Empire

Persist, recon, traverse and spread (Privilege Management for Windows prevents access to local admin rights, mitigating credential access, privilege escalation and defense evasion)
T1134 Access Token Manipulation; T1003 & T1003.001 Credential Dumping | Credential Access | Using LaZagne, Mimikatz or other tools
T1055 Process Injection | Privilege Escalation | Control over valid admin accounts
T1053 Scheduled Task/Job; T1078 Valid Accounts: Domain Accounts | Persistence | New Domain Admin (DA) accounts
T1087 Account Discovery; T1033 System Owner/User Discovery | Discovery | Recon and enumeration using BloodHound
T1035 Service Execution | Lateral Movement | PsExec or other tools
T1562 Impair Defenses | Defense Evasion | Tampering with A/V and security services

Execute objective (Privilege Management for Windows prevents the malware payload from executing)
T1486 Data Encrypted for Impact | Impact | Invoke Ryuk ransomware payload
As shown in the attack chain chart on the previous page, there are many stages in a human-operated ransomware campaign as the attacker seeks deeper access and control of the network.

Starting from the phishing email, the attack will exploit privileges and the ability to execute applications like PowerShell to "land and expand," eventually leading to total compromise of large enterprises.

Professional tools, such as Cobalt Strike, offer an attacker several techniques for executing code, capturing credentials, and moving laterally within a network. Such tools are popular with threat actors. APT29, Wizard Spider, and Chimera are just a few of the threat groups that have been observed using Cobalt Strike as part of their attacks.

MITRE has mapped the functionality of Cobalt Strike and recommends Privileged Account Management (M1026) and Execution Prevention (M1038) as mitigations against a range of the tool's techniques. In fact, if we take a deeper look at the 58 techniques MITRE lists for Cobalt Strike, 66% of them either recommend Privileged Account Management, User Account Management, or Application Control as a mitigation, or list Administrator/SYSTEM accounts as a prerequisite for the technique to succeed. Therefore, the control of privileges and application execution is a key defensive measure in mitigating this specific tool, and ones similar to it, through a reduction in the attack surface and denying code execution and privileged rights.
"Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions."
Human-operated Ransomware Attacks: A Preventable Disaster
While ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it is basic ransomware hitting a single endpoint, or a sophisticated, tailored attack, the benefits of proactively reducing the attack surface by removing admin accounts and controlling application execution are universal.

When it comes to human-operated ransomware, one of the attacker's key objectives is to find accounts with local admin rights. Attackers exploit these accounts to disable security controls and steal credentials that allow them to move laterally, deeper and deeper into an environment.

The example attack chain shown in Figure 4 could have been thwarted at an early stage by simply preventing the phishing document from launching PowerShell and eliminating the local admin rights to prevent credential dumping.

We also want to highlight the importance of mitigating credential dumping techniques, as these are often critical steps for an attacker to perform discovery, lateral movement, persistence, and defense evasion. The attacker's goal is to "land and expand," and a simple path to privileged credentials makes this far easier to achieve. When you mitigate the attacker's ability to execute and perform credential dumping, you don't just mitigate those techniques, but also a broad range of other ones that hinge on credential access to succeed.
BeyondTrust Malware Labs: Analysis of Malware Threats
(May 20