· Web view nginx attack . 1.8%. 7. Local file inclusion ... Word whitelisted-binary abuse . wwlib.dll....


2018

2019413

2018207961170173309386850376232531591397

201817017348966828

2018309384611449

2018685021808334.0%GlobeImposter22.0%GandCrab17.6%Crysis10.1%Satan7.5%WannaCry

2018149.2110.373.9%1230.423.115.5%217.0

201876.132.6945.8

2018SRC212381122729.7%40.8%29.5%

19.0%18.3%11.5%50.6%

2018IP 14003.93IP13.3107.6

2018626.2IP1064.3DDoSDDoS2.9

2011-2015CNVD20152016201619120173512018442

20183010354(32)53.6%36.4%

30.6%23.9%

20181-10280182001.5%12986.5

81.1%7.9%7.1%

20181-1171713018.1%

95.5%

201820613.1%12.1%IT11.7%49%47.1%1007.1%1

2018100023.1%16.3%1046.0%1010023.4%10050011.0%50010003.6%100050008.6%500011.4%15.8%

APT

2018478

2018APT517.1%16.0%15.5%11.6%10.5%

2018APTAPT

2018717

2017201820176

25.3%18.7%17.5%

20%13%10%

2018223189

APT

1

1

3

4

5

8

8

11

13

17

DDoS20

26

26

27

30

32

32

34

38

40

43

APT45

45

APT49

APT52

57

57

58

59

60

60

61

63

63

63

64

CC65

DDoS65

66

66

67

APT68

170

271

372

473

574

1

2

2018360

1

1

2018207961170173309386850

1PE23

2

2018376232531591397

979790384

2

80600020175WannaCry

2018170173489662401118303

828740338

3

2018 30938461137852952

449194151

4

201868502180712612

834833

79.8%0.6%50

34.0%GlobeImposter22.0%GandCrab17.6%Crysis10.1%Satan7.5%WannaCry

GlobeImposter29.6%16.7%GandCrab28.6%11.4%Crysis25.0%21.4%Satan25.0%18.8%WannaCry

3

1

1

2018149.2110.373.9%1230.4

23.1201734.533%15.5%217.0

20142018

2

20181230.417.6 %4.6%77.8%

2014-2018

76.02018

217.059442018723.8

3

2018.com67.1%.cn22.4%.net5.2%.gov2.6%.edu1.5%

23.1.com81.9%.cn11.1%.net3.5%.gov1.3%.edu0.8%

4

SQLSQLphpweb20181-12TOP10

()

92.3

6.4

SQL

20.9

2.0

SQL

14.1

1.3

phpweb

9.4

8.9

()

4.7

1.8

PHPWEB myord sql injection

3.7

3.6

SVN

2.7

0.4

PHP

2.3

0.5

MS15-034 HTTP.sys

2.3

1.4

DedeCMS sql

1.3

0.9

20181-12TOP10

2

1

201876.132.6945.88985.9

201876.16.3616.9

2

102.998.4%

TOP10

1

SQL

41.1%

2

webshell

27.6%

3

13.7%

4

XSS

6.6%

5

2.9%

6

nginx

1.8%

7

1.6%

8

1.5%

9

1.1%

10

0.6%

Top10

41.1%SQLWebshell27.6%13.7%

3

2018

1

2018SRC2123811227105090

2

1.6%98.4%

29.7%40.8%29.5%

SQL29.4%16.7%13.4%9.4%9.1%

3

IT

19.0%18.3%11.5%

84.0%77.3%61.9%

50.6%40.3%

40.3%

36.6%

23.0%

21.5%

46.0%

32.5%

17.0%

46.8%

36.2%

IT

33.8%

39.4%

26.8%

31.8%

43.3%

24.8%

50.6%

21.5%

27.9%

24.4%

39.1%

36.5%

25.3%

49.0%

25.7%

27.0%

34.6%

38.4%

32.8%

40.2%

27.0%

SQL

SQL

31.3%

19.2%

11.0%

33.5%

20.9%

13.0%

29.3%

9.1%

16.9%

IT

31.8%

10.4%

13.6%

31.3%

13.5%

12.2%

8.9%

13.8%

14.0%

25.5%

25.1%

14.0%

32.9%

19.8%

12.8%

12.9%

25.7%

25.1%

22.8%

19.9%

10.7%

4

1

2018IP 14003.93IP13.3107.6

2

201823232347.3%2328.1%2323

2017MyKings1433DDoSProxyRATMinerMyKings*.mykings[.]pw143333061352244523803389

2018.1.17~2018.1.21 1433

2018WannaCry445WannaCry445201744544520172018445

2018100%

Port    Service               Percentage
23      telnet                47.3%
2323    telnet                28.1%
1433    Microsoft SQL Server  15.6%
5555    SoftEther VPN         12.7%
445     SMB                   8.6%
22      SSH                   2.4%
80      HTTP                  1.8%
3389    RDP                   1.3%
6379    Redis                 0.9%
3306    MySQL Server          0.4%

2018

3 IP

65.4%7.8%4.4%3.5%3.0%47.0%IP12.1%IP4.9%3.8%3.0%2017IP

IPIP3.7%3.5%2.9%2.9%2.5%

IP6.6%6.0%4.7%4.5%3.8%

5 DDoS

DDoSDDosMonhttps://ddosmon.net/insight/?last=3652DDoSDDoSDDoS

1 DDoS

DDoS20181120181231626.2IP1064.3DDoSDDoS2.9

2018DDoS80DDoS39.6%2331.3%4439.6%

DDoS

Port    Service
80      HTTP
23      telnet
443     HTTPS
53      DNS
3074    xboxgame

2018DDoS

2018DDoS60.4%.com.net.cn15.0%14.0%

2018DDoSamp_flood57.3%syn_floodplain_flood12.8%11.2%

DDoS10103016.5%3015.3%113.4%DDoSDDoS

2 DDoS

Botnet bot

DDoS gafgytDDoS39.8%xor20.3%mirai16.8%2018

gafgytQbotmiraiIoT botnet201482014 LizardSquardDDoSgafgytIRCC&CHTTP/TCP20151Gafgytgafgyttelnet 23UDP

xor.ddos2014DDoS botnetTCP SYN FLOODDNS FLOODC&CXORmiraigafgytIoTbotnetXOR.DDOSx86linux XOR.DDOStcp syn floodbotnet

Mirai20162017miraiIoTmiraimirai201681miraiIoT201724miraiIoT194.8

Elknotddos botnet2014elknotmaydayelknotC&CGatesDDoSBillBillGatesTCP SYN FLOOD/DNS FLOODelknotDNSPRSD DNS, Pesudo-random subdomain

8039%3074,10%537%

20182018DDoSsyn_flood15.1udp_flood 14.9STD8.5

DDoS2018DDoS65.4%7.8%4.4%3.5%

4

1

ITOTITOTOT

Positive technologies Positive technologiesGoogleShodanshodan. io Censyscensys. ioShodan Censys

Positive Technologies201817.640%642871324277596223

2018PLCDCSDTUSCADA

20182018201820184

2

IT

Common Vulnerabilities & ExposuresCVENational Vulnerability DatabaseNVDCNVDCNNVD

1

CNVD2000-2009 CNVD2010321902010StuxnetStuxnet

2011-2015CNVD20152016201619120173512018442

2

20183010354(32)

3

201853.6%36.4%90%

4

2018SiemensSchneiderAdvantechRockwellOmronMoxaFuji ElectricCisco

5

201830.6%23.9%

3

1 OT

ITOTITITOTOT

2 ITOT

OTOTITITOTOT

3 ITOT

OTITOT ITITOTPLC

OTOTITITOTITOT

4 OT

ITOTOTOTOTOTOTOT

5

OTPCITOT

6 ITOT

ITOTITOT

OT

5

1

20181102018

1

20181-10280182001.5%12986.5

2018280201725111.6%

20152018201828086.5201751.169.2%201660.543.0%201555.356.4%

20183089.2

201881.1%7.9%7.1%

PHPsystemexecshell_exec

2

201811028086.51601014.0

2018

280305000111

2018

2

1

20181-1171713018.1%

2

25106

3

95.5%20176

4.5%

54%11.5%PC6.2%webshell4.4%

4

27.0%23.6%18.0%16.9%12.4%

5

201813052.2%

25.7%17.7%6.2%Web1.8%

2018

1. 111111123456abc123

1. iloveyoupasswordadmin

1.

1. 360@1234taobao@1234

3

2018206206

1

201813.1%12.1%IT11.7%

2018

2

201816%10.2%

3

1

2

3

4

5

201859.2%13.1%7.8%4.4%1.9%

4

20674%15313

201847.1%1007.1%12018

4

DarknetDarkWeb

20189-121000

1

1.

1.

1.

1.

1000368588.8%5-106.3%10-203.8%20-500.8%5010.3%

2

23.1%16.3%6.1%8.5%

3

1

2

3

4

5

6QQ

7

45.2%

1046.0%1010023.4%10050011.0%50010003.6%100050008.6%500011.4%15.8%

5

1

36052.2%

2

201816%U

3

201811.1%GitHubDjangoAPIAWS

4

IDC201620164.78%3.7%1.8%

6 APT

1

2018

APTAPTAPTAPT

"Actor / Group / Gang"APT

2018

1

2018478

2018

APT Palo Alto NetworksAPT

2

2018517.1%16.0%15.5%11.6%10.5%

MageCartCobalt Group

2018APT

2018APT

3

20182018APT28LazarusGroup 1232018

201810APT

2 APT

APT DarkhotelGroup 1232018 APT APT

1 APT-C-00

APT APT APT

2018Cobalt Strike

2018CIA Vault7

2017

2018

McAfee mcods.exe

mcvsocfg.dll

Flash.exe

UxTheme.dll

Google

goopdate.dll

Word

wwlib.dll

tray.exe

dbghelp.dll

CVE-2017-11882

PowerShell

dll

nbt.exe

net.exeIPC

MsBuild.exedll

2 APT-C-01

APT-C-01200711

Poison IvyZxShellXRAT

3 APT-C-12

APT-C-1220112018

RLOLNK

IDC IPAWS S3Poison IvyBfnetPowerShell

TTP

2007

2011

RLOLNK

Poison IvyZxShellXRAT

Poison IvyBfnet

PowerShell

IDC IP

AWS S3

TTP

4 DarkhotelAPT-C-06

20187VBScript Engine 0day CVE-2018-8373 Darkhotel 2018VBScript Engine0day

3 APT

1

1

APTBECOfficedocdocxxlsxlsx

HWPInPageAutoCAD

Office.iqyAPT

2

APTLNKLNK260LNKLNK

LNKLNK

APT29PowerShell

3

20186Windows 10.SettingContent-msPOCAPTOfficePDF

2018814CVE-2018-8414Darkhydrus

4

2018Excel 4.02018106OutflankExcel 4.0ShellCodeExcel 4.0VBA

2 0day

0dayAPT20180dayAPT0day

APT

Vulnerability       Component     Source            Group
CVE-2018-8453       Windows       [29]              FruityArmor
CVE-2018-8242       VBS Engine    [30]
CVE-2018-8611       Windows       [31]              FruityArmor, SandCat
CVE-2018-8373       VBS Engine    [32]              Darkhotel
                    HWP           [12]              Group 123
CVE-2018-15982      Flash         [28]
CVE-2018-8440       ALPC          ESET [33]         PowerPool
                    ActiveX       IssueMakersLab    Andariel Group [34][35]

10 2018APT0day

Flash 0dayAdobe[28]Flash 0day

3 APT

APTAPTAPT

1. APT

1. APTpDNSwhois

1. APTTTP

1. APT

1.

APTfalse flagHades

4 APT

2018APTAPT

1. APT

1. APT

1. APT

1. APT0dayPC

7

2018717

1

20187172018

6663569.0%8.0%8.0%25%IT18%

IT

2

201631.5%68.5%

2017201820176

201892%8%

92%61%31%

3

2018

25.3%18.7%17.5%6.3%

4

2018

/PC

48%PC14%webshell8%/

/

5

20%CPU13%10%Web7%5%

6

APTAPT

8

201818263010CPU

1.

1.

20181/

/MS17-010445

1.

1.

1.

1. ACLIP

1.

1.

1.

1.

20184Officepdfsage

sage2.2.zip

1.

1. ;

1.

1. PC

1.

1. Adobe ReaderAdobe FlashSun Java

1.

1.

201811

CPUpowershell135139445

SMB

1.

1.

1. IP

1.

1.

1.

1.

1.

1.

1. CC

1.

20183WAFDDoS

WAFDDoSWeb12

XXXHTTPCC

1.

1.

1. SQL

1. IP

1. POST

1. WebIP

1. CDN

1.

1. DDoS

1.

20186107:00-8:001GDDoS11T

Top10 IPDDoSNTPIP

1.

1.

1. DDoSWeb

1.

1.

20185IP

JSDOTNETCMS 1.0

SQLJSSEO

1.

1.

1.

1.

1. .

1.

1.

1.

1.

20185

aspxgifIP

webshellSEO

1.

1.

1.

1.

1.

1.

1.

1.

201811

WebIPhosts

1.

1.

1. ACLIPFTP139445

1.

1.

1.

1.

1.

1. APT

1.

201812APTAPT

APTlazarusBrambul Joanap

APTBrambul Joanap ssh

1.

1.

1.

1.

1.

1.

1.

1.

1.

1. IP

1.

1.

1

4000

2

WEBDNSDDoSCDNWAFDDNS/

IPv6

1

SaaSDNS

2

DDoSWEBIPv6

3

APP

3

20133201412110

20133/360ShopExDiscuzECShopShopEXPHPWindPHPCMSIT

201406GETSHELL

SRC

SRCSecurity Response Center

2014SRC20164

201794

2018141,000258,226CNCERT

4

APT75

7*244008 136 360 2 4

5

2017APT

16