Post on 31-Aug-2019
2018
2019413
2018207961170173309386850376232531591397
201817017348966828
2018309384611449
2018685021808334.0%GlobeImposter22.0%GandCrab17.6%Crysis10.1%Satan7.5%WannaCry
2018149.2110.373.9%1230.423.115.5%217.0
201876.132.6945.8
2018SRC212381122729.7%40.8%29.5%
19.0%18.3%11.5%50.6%
2018IP 14003.93IP13.3107.6
2018626.2IP1064.3DDoSDDoS2.9
2011-2015CNVD20152016201619120173512018442
20183010354(32)53.6%36.4%
30.6%23.9%
20181-10280182001.5%12986.5
81.1%7.9%7.1%
20181-1171713018.1%
95.5%
201820613.1%12.1%IT11.7%49%47.1%1007.1%1
2018100023.1%16.3%1046.0%1010023.4%10050011.0%50010003.6%100050008.6%500011.4%15.8%
APT
2018478
2018APT517.1%16.0%15.5%11.6%10.5%
2018APTAPT
2018717
2017201820176
25.3%18.7%17.5%
20%13%10%
2018223189
APT
1
1
3
4
5
8
8
11
13
17
DDoS20
26
26
27
30
32
32
34
38
40
43
APT45
45
APT49
APT52
57
57
58
59
60
60
61
63
63
63
64
CC65
DDoS65
66
66
67
APT68
170
271
372
473
574
1
2
2018360
1
1
2018207961170173309386850
1PE23
2
2018376232531591397
979790384
2
80600020175WannaCry
2018170173489662401118303
828740338
3
2018 30938461137852952
449194151
4
201868502180712612
834833
79.8%0.6%50
34.0%GlobeImposter22.0%GandCrab17.6%Crysis10.1%Satan7.5%WannaCry
GlobeImposter29.6%16.7%GandCrab28.6%11.4%Crysis25.0%21.4%Satan25.0%18.8%WannaCry
3
1
1
2018149.2110.373.9%1230.4
23.1201734.533%15.5%217.0
20142018
2
20181230.417.6 %4.6%77.8%
2014-2018
76.02018
217.059442018723.8
3
2018.com67.1%.cn22.4%.net5.2%.gov2.6%.edu1.5%
23.1.com81.9%.cn11.1%.net3.5%.gov1.3%.edu0.8%
4
SQLSQLphpweb20181-12TOP10
()
92.3
6.4
SQL
20.9
2.0
SQL
14.1
1.3
phpweb
9.4
8.9
()
4.7
1.8
PHPWEB myord sql injection
3.7
3.6
SVN
2.7
0.4
PHP
2.3
0.5
MS15-034 HTTP.sys
2.3
1.4
DedeCMS sql
1.3
0.9
20181-12TOP10
2
1
201876.132.6945.88985.9
201876.16.3616.9
2
102.998.4%
TOP10
1
SQL
41.1%
2
webshell
27.6%
3
13.7%
4
XSS
6.6%
5
2.9%
6
nginx
1.8%
7
1.6%
8
1.5%
9
1.1%
10
0.6%
Top10
41.1%SQLWebshell27.6%13.7%
3
2018
1
2018SRC2123811227105090
2
1.6%98.4%
29.7%40.8%29.5%
SQL29.4%16.7%13.4%9.4%9.1%
3
IT
19.0%18.3%11.5%
84.0%77.3%61.9%
50.6%40.3%
40.3%
36.6%
23.0%
21.5%
46.0%
32.5%
17.0%
46.8%
36.2%
IT
33.8%
39.4%
26.8%
31.8%
43.3%
24.8%
50.6%
21.5%
27.9%
24.4%
39.1%
36.5%
25.3%
49.0%
25.7%
27.0%
34.6%
38.4%
32.8%
40.2%
27.0%
SQL
SQL
31.3%
19.2%
11.0%
33.5%
20.9%
13.0%
29.3%
9.1%
16.9%
IT
31.8%
10.4%
13.6%
31.3%
13.5%
12.2%
8.9%
13.8%
14.0%
25.5%
25.1%
14.0%
32.9%
19.8%
12.8%
12.9%
25.7%
25.1%
22.8%
19.9%
10.7%
4
1
2018IP 14003.93IP13.3107.6
2
201823232347.3%2328.1%2323
2017MyKings1433DDoSProxyRATMinerMyKings*.mykings[.]pw143333061352244523803389
2018.1.17~2018.1.21 1433
2018WannaCry445WannaCry445201744544520172018445
2018100%
23
telnet
47.3%
2323
telnet
28.1%
1433
MicrosoftSQLServer
15.6%
5555
SoftEtherVPN
12.7%
445
SMB
8.6%
22
SSH
2.4%
80
HTTP
1.8%
3389
RDP
1.3%
6379
Redis
0.9%
3306
MySQLServer
0.4%
2018
3 IP
65.4%7.8%4.4%3.5%3.0%47.0%IP12.1%IP4.9%3.8%3.0%2017IP
IPIP3.7%3.5%2.9%2.9%2.5%
IP6.6%6.0%4.7%4.5%3.8%
5 DDoS
DDoSDDosMonhttps://ddosmon.net/insight/?last=3652DDoSDDoSDDoS
1 DDoS
DDoS20181120181231626.2IP1064.3DDoSDDoS2.9
2018DDoS80DDoS39.6%2331.3%4439.6%
DDoS
80
HTTP
23
telnet
443
HTTPS
53
DNS
3074
xboxgame
2018DDoS
2018DDoS60.4%.com.net.cn15.0%14.0%
2018DDoSamp_flood57.3%syn_floodplain_flood12.8%11.2%
DDoS10103016.5%3015.3%113.4%DDoSDDoS
2 DDoS
Botnet bot
DDoS gafgytDDoS39.8%xor20.3%mirai16.8%2018
gafgytQbotmiraiIoT botnet201482014 LizardSquardDDoSgafgytIRCC&CHTTP/TCP20151Gafgytgafgyttelnet 23UDP
xor.ddos2014DDoS botnetTCP SYN FLOODDNS FLOODC&CXORmiraigafgytIoTbotnetXOR.DDOSx86linux XOR.DDOStcp syn floodbotnet
Mirai20162017miraiIoTmiraimirai201681miraiIoT201724miraiIoT194.8
Elknotddos botnet2014elknotmaydayelknotC&CGatesDDoSBillBillGatesTCP SYN FLOOD/DNS FLOODelknotDNSPRSD DNS, Pesudo-random subdomain
8039%3074,10%537%
20182018DDoSsyn_flood15.1udp_flood 14.9STD8.5
DDoS2018DDoS65.4%7.8%4.4%3.5%
4
1
ITOTITOTOT
Positive technologies Positive technologiesGoogleShodanshodan. io Censyscensys. ioShodan Censys
Positive Technologies201817.640%642871324277596223
2018PLCDCSDTUSCADA
20182018201820184
2
IT
Common Vulnerabilities & ExposuresCVENational Vulnerability DatabaseNVDCNVDCNNVD
1
CNVD2000-2009 CNVD2010321902010StuxnetStuxnet
2011-2015CNVD20152016201619120173512018442
2
20183010354(32)
3
201853.6%36.4%90%
4
2018SiemensSchneiderAdvantechRockwellOmronMoxaFuji ElectricCisco
5
201830.6%23.9%
3
1 OT
ITOTITITOTOT
2 ITOT
OTOTITITOTOT
3 ITOT
OTITOT ITITOTPLC
OTOTITITOTITOT
4 OT
ITOTOTOTOTOTOTOT
5
OTPCITOT
6 ITOT
ITOTITOT
OT
5
1
20181102018
1
20181-10280182001.5%12986.5
2018280201725111.6%
20152018201828086.5201751.169.2%201660.543.0%201555.356.4%
20183089.2
201881.1%7.9%7.1%
PHPsystemexecshell_exec
2
201811028086.51601014.0
2018
280305000111
2018
2
1
20181-1171713018.1%
2
25106
3
95.5%20176
4.5%
54%11.5%PC6.2%webshell4.4%
4
27.0%23.6%18.0%16.9%12.4%
5
201813052.2%
25.7%17.7%6.2%Web1.8%
2018
1. 111111123456abc123
1. iloveyoupasswordadmin
1.
1. 360@1234taobao@1234
3
2018206206
1
201813.1%12.1%IT11.7%
2018
2
201816%10.2%
3
1
2
3
4
5
201859.2%13.1%7.8%4.4%1.9%
4
20674%15313
201847.1%1007.1%12018
4
DarknetDarkWeb
20189-121000
1
1.
1.
1.
1.
1000368588.8%5-106.3%10-203.8%20-500.8%5010.3%
2
23.1%16.3%6.1%8.5%
3
1
2
3
4
5
6QQ
7
45.2%
1046.0%1010023.4%10050011.0%50010003.6%100050008.6%500011.4%15.8%
5
1
36052.2%
2
201816%U
3
201811.1%GitHubDjangoAPIAWS
4
IDC201620164.78%3.7%1.8%
6 APT
1
2018
APTAPTAPTAPT
"Actor / Group / Gang"APT
2018
1
2018478
2018
APT Palo Alto NetworksAPT
2
2018517.1%16.0%15.5%11.6%10.5%
MageCartCobalt Group
2018APT
2018APT
3
20182018APT28LazarusGroup 1232018
201810APT
2 APT
APT DarkhotelGroup 1232018 APT APT
1 APT-C-00
APT APT APT
2018Cobalt Strike
2018CIA Vault7
2017
2018
McAfee mcods.exe
mcvsocfg.dll
Flash.exe
UxTheme.dll
goopdate.dll
Word
wwlib.dll
tray.exe
dbghelp.dll
CVE-2017-11882
PowerShell
dll
nbt.exe
net.exeIPC
MsBuild.exedll
2 APT-C-01
APT-C-01200711
Poison IvyZxShellXRAT
3 APT-C-12
APT-C-1220112018
RLOLNK
IDC IPAWS S3Poison IvyBfnetPowerShell
TTP
2007
2011
RLOLNK
Poison IvyZxShellXRAT
Poison IvyBfnet
PowerShell
IDC IP
AWS S3
TTP
4 DarkhotelAPT-C-06
20187VBScript Engine 0day CVE-2018-8373 Darkhotel 2018VBScript Engine0day
3 APT
1
1
APTBECOfficedocdocxxlsxlsx
HWPInPageAutoCAD
Office.iqyAPT
2
APTLNKLNK260LNKLNK
LNKLNK
APT29PowerShell
3
20186Windows 10.SettingContent-msPOCAPTOfficePDF
2018814CVE-2018-8414Darkhydrus
4
2018Excel 4.02018106OutflankExcel 4.0ShellCodeExcel 4.0VBA
2 0day
0dayAPT20180dayAPT0day
APT
CVE-2018-8453
Windows
FruityArmor[29]
CVE-2018-8242
VBS Engine
[30]
CVE-2018-8611
Windows
[31]
FruityArmorSandCat
CVE-2018-8373
VBS Engine
[32]
Darkhotel
HWP
[12]
Group 123
CVE-2018-15982
Flash
[28]
CVE-2018-8440
ALPC
ESET[33]
PowerPool
ActiveX
IssueMakersLab
Andariel Group[34][35]
10 2018APT0day
Flash 0dayAdobe[28]Flash 0day
3 APT
APTAPTAPT
1. APT
1. APTpDNSwhois
1. APTTTP
1. APT
1.
APTfalse flagHades
4 APT
2018APTAPT
1. APT
1. APT
1. APT
1. APT0dayPC
7
2018717
1
20187172018
6663569.0%8.0%8.0%25%IT18%
IT
2
201631.5%68.5%
2017201820176
201892%8%
92%61%31%
3
2018
25.3%18.7%17.5%6.3%
4
2018
/PC
48%PC14%webshell8%/
/
5
20%CPU13%10%Web7%5%
6
APTAPT
8
201818263010CPU
1.
1.
20181/
/MS17-010445
1.
1.
1.
1. ACLIP
1.
1.
1.
1.
20184Officepdfsage
sage2.2.zip
1.
1. ;
1.
1. PC
1.
1. Adobe ReaderAdobe FlashSun Java
1.
1.
201811
CPUpowershell135139445
SMB
1.
1.
1. IP
1.
1.
1.
1.
1.
1.
1. CC
1.
20183WAFDDoS
WAFDDoSWeb12
XXXHTTPCC
1.
1.
1. SQL
1. IP
1. POST
1. WebIP
1. CDN
1.
1. DDoS
1.
20186107:00-8:001GDDoS11T
Top10 IPDDoSNTPIP
1.
1.
1. DDoSWeb
1.
1.
20185IP
JSDOTNETCMS 1.0
SQLJSSEO
1.
1.
1.
1.
1. .
1.
1.
1.
1.
20185
aspxgifIP
webshellSEO
1.
1.
1.
1.
1.
1.
1.
1.
201811
WebIPhosts
1.
1.
1. ACLIPFTP139445
1.
1.
1.
1.
1.
1. APT
1.
201812APTAPT
APTlazarusBrambul Joanap
APTBrambul Joanap ssh
1.
1.
1.
1.
1.
1.
1.
1.
1.
1. IP
1.
1.
1
4000
2
WEBDNSDDoSCDNWAFDDNS/
IPv6
1
SaaSDNS
2
DDoSWEBIPv6
3
APP
3
20133201412110
20133/360ShopExDiscuzECShopShopEXPHPWindPHPCMSIT
201406GETSHELL
SRC
SRCSecurity Response Center
2014SRC20164
201794
2018141,000258,226CNCERT
4
APT75
7*244008 136 360 2 4
5
2017APT
16