Lie low or seize the moment: a network threat analysis of the industries in focus during the epidemic

During the COVID-19 epidemic, health care and online education have become the focus of people's daily lives. What are attackers doing in this special period? What are their main targets? How should these businesses defend themselves? Tencent's security platform team, together with the Tencent desktop security product team, security experts from Yunding Lab, and the cloud security team, selected health care and education, the two sectors in focus on Tencent Cloud, and combined hands-on experience to produce this security analysis, in the hope that it helps enterprises cope with the security threats of remote work in this special period.

Part 1. Overall attack trends: attacks viewed by date, geography, and more

1. Before the New Year, January 19 to January 22 (the companies' "wind-down" period) was the attackers' "active period". During the wind-down, enterprises update their security policies less promptly than usual, so attackers trying to take advantage of this reached a peak at that point.

2. After the New Year, in remote office environments, brute-force credential guessing (dictionary-based password guessing against authentication) became the most commonly used attack technique. On January 31 (the seventh day of the first lunar month), the first working day of the year, attacks on the medical industry peaked at 800,000 in a single day. Remote Desktop Services (RDP) and the SQL Server database service in the Windows ecosystem bore the absolute bulk of these "soft target" attacks.

3. During the Spring Festival, more than 70% of brute-force authentication attacks against cloud customers in the medical industry came from abroad, from 125 countries. Tighter control of data centers in the United States has turned the US into an "unpopular region" for attack sources, while India and Russia have leapt to the forefront.

4. Compared with overseas attackers, domestic attackers are more inclined to attack the education sector using high-risk Nday vulnerabilities. Because such probes make little "noise", and given the state of domestic IP resources, attackers tend to use "second-dial" dynamic IP techniques in an attempt to deceive defenders and circumvent blocking.

5. Compared with the traditional medical industry, business R&D in the online education industry is relatively "aggressive"; the rapid rollout of small and medium enterprises brings abuse of third-party components, so the frequent high-risk vulnerabilities in ThinkPHP, Struts2 and RDP have recently become the attackers' "breakthrough point" into the education sector.

6. During the epidemic, a large number of companies rely on the cloud for remote work, for the rapid launch and iteration of small programs for information dissemination, and the like. While enterprises enjoy the elastic and efficient service delivery the cloud brings, improper security configuration during cloud service use (for example, object storage bucket permissions, cloud host security group configuration, cloud SSL certificate validity, and exposed cloud load balancer ports) has also become a key "attack surface" for cloud services.

The following is a detailed analysis of threat scenarios for the two sectors, health care and education:

1. The medical industry: RDP and SQL Server become soft targets

To facilitate remote work for employees during the epidemic, enterprises often open up remote services that give direct access to sensitive information systems and even the office network. So besides the most commonly used Web-facing attacks, brute-force credential guessing should be a focus of attention.

In terms of targets and tactics, attacks surged against Windows services: Windows Remote Desktop Services (RDP) and the ecosystem's database service, Microsoft SQL Server, are entry points to enterprise system privileges and sensitive data, and naturally became popular targets; as the two "soft targets", both peaked in attack volume.
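One way to spot the brute-force guessing against RDP and SQL Server described above, as an added example that is not part of the original article: a sliding-window counter over failed-logon events per source address. The log lines, the field layout and all IP addresses are constructed for the example (documentation address ranges), as are the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): Windows Security event 4625 (failed
# logon, LogonType 10 = RDP) and SQL Server error 18456 (login failed), flattened to
# one event per line as a log shipper might emit them. IPs are documentation ranges.
SAMPLE_LOGS = """\
2020-02-01T09:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-02-01T09:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2020-02-01T09:00:03 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.7
2020-02-01T09:00:04 EventID=4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.7
2020-02-01T09:00:06 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.5
2020-02-01T09:01:10 Error=18456 Severity=14 State=8 Login=sa ClientIP=192.0.2.200
2020-02-01T09:01:11 Error=18456 Severity=14 State=8 Login=sa ClientIP=192.0.2.200
2020-02-01T09:01:12 Error=18456 Severity=14 State=5 Login=admin ClientIP=192.0.2.200
2020-02-01T09:30:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=203.0.113.5
"""

WIN_RE = re.compile(r"^(?P<ts>\S+) EventID=4625 LogonType=10 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
SQL_RE = re.compile(r"^(?P<ts>\S+) Error=18456 .* Login=(?P<user>\S+) ClientIP=(?P<ip>\S+)")

def parse_failures(text):
    """Yield (timestamp, service, source_ip, username) for each failed logon event."""
    for line in text.splitlines():
        m, service = WIN_RE.match(line), "rdp"
        if not m:
            m, service = SQL_RE.match(line), "sqlserver"
        if m:  # successful logons (4624) and unrelated lines are skipped
            yield datetime.fromisoformat(m["ts"]), service, m["ip"], m["user"]

def detect_bruteforce(text, window=timedelta(minutes=5), threshold=3):
    """Return {(service, ip): {"failures": n, "users": [...]}} for every source whose
    failed logons inside one sliding window reach the threshold (largest window kept)."""
    per_source = defaultdict(list)
    for ts, service, ip, user in parse_failures(text):
        per_source[(service, ip)].append((ts, user))
    alerts = {}
    for key, events in per_source.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best = count
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[key] = {"failures": count, "users": users}
    return alerts
```

A single user failing once from a home address (the 203.0.113.5 line) stays below the threshold, while a source cycling through several account names in seconds is flagged; feeding the result into a firewall or security-group deny rule is the usual next step.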

[Figure: brute-force authentication targets: RDP and SQL Server become popular targets, surging with the post-holiday return-to-work wave]
Looking at the source distribution of attacks, tighter control by US VPS vendors and data centers constrains this kind of large-"movement" attack behaviour, so attackers' weaponised resources are gradually migrating to other "unpopular regions".

More than half of brute-force credential attacks come from abroad, and there was no particularly clear downward trend even during the Spring Festival, although some domestic actors evidently suspended the attacks launched from the offshore resources in their hands. Correspondingly, conventional Web attacks come mostly from domestic sources, and their volume declined rapidly during the Spring Festival, reaching a low point.

[Figure: brute-force authentication attack sources: overseas sources hyperactive, the United States becomes an unpopular region]
Based on the team's long-term experience in security analysis and threat-intelligence tracking, and with the Windows ecosystem serving as the entry point to sensitive data and system privileges, the recent series of WannaCry-level vulnerabilities (BlueKeep, CVE-2020-0618) shows a predictable and accelerating path from advisory to PoC to in-the-wild exploit; the enterprise 0day/1day response window is shrinking, and for more and more vulnerabilities the losses must be reckoned in hours.

2. The education sector: ThinkPHP, Struts2 and RDP become popular targets

Compared with the relatively traditional and conservative medical profession, the online education industry tends to be more "aggressive" in business R&D; the rapid, iterative development pace of small and medium enterprises makes large-scale use of third-party open-source components hard to avoid. Adversaries have collected a large number of 1day and Nday vulnerabilities and, probably after asset fingerprinting, launch large-scale probing and even exploitation.

In terms of targets and tactics, ThinkPHP, a popular framework for quickly building websites, and Struts2, a popular MVC framework in the Java Web ecosystem, are representative frameworks with frequent high-risk vulnerabilities in their respective language ecosystems, so they easily become attackers' breakthrough targets; without timely patching, the education industry that uses them faces greater threats.

The BlueKeep vulnerability in Windows RDP, which broke out not long ago, is still being widely probed and exploited; in particular, RDP is likely to be opened up quickly to support remote work, and servers exposed that way were quickly taken over by attackers.

[Figure: high-risk Nday exploits: ThinkPHP, Struts2 and RDP become popular targets]
Looking at the source distribution of attacks, high-risk Nday exploit attempts come mostly from domestic sources, with a few from the United States, India and other regions; presumably because such probes make little "noise", attackers often send only a single request to a target to verify or exploit the vulnerability.

[Figure: high-risk Nday vulnerability attack sources: domestic sources active, relatively few overseas]
In addition, because domestic "second-dial" IP services are concentrated, attackers tend to use such technology to rapidly probe entire networks, while randomising client request characteristics (such as User-Agent and irrelevant parameters) and drawing on IP-pool resources to circumvent traditional blocking policies.

Part 2. Security recommendations for enterprises during remote work






6. For services deployed on the cloud, build a cloud-native "CMDB" that performs real-time automated inventory of business infrastructure assets, regularly and automatically inspects the native security configuration of cloud offerings and reinforces it promptly, and narrows the cloud "attack surface". For the frequently changing cloud environment, establish a threat incident response automation platform to improve the handling of threats. Enterprises should establish a cloud-native security operations platform, break down the isolation between data and processes, achieve whole-process security "before, during and after" an incident, and use security visualisation capabilities to improve threat perception, response handling and security management efficiency.
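As an added example that is not part of the original article, the following audit covers the four cloud misconfiguration classes the article names (object storage bucket permissions, security group rules, SSL certificate validity, load balancer ports) over a constructed CMDB-style inventory. The inventory layout, asset names and the list of admin ports are assumptions for the example, not any cloud provider's API.

```python
from datetime import date

# Constructed inventory (example data only, not from the article or any real tenant),
# in the normalised shape a cloud-native CMDB export might take.
INVENTORY = {
    "buckets": [
        {"name": "patient-records", "acl": "private"},
        {"name": "course-videos", "acl": "public-read-write"},
    ],
    "security_groups": [
        {"name": "sg-db", "rules": [{"port": 1433, "cidr": "10.0.0.0/8"}]},
        {"name": "sg-office", "rules": [{"port": 3389, "cidr": "0.0.0.0/0"},
                                        {"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
    "certificates": [
        {"domain": "portal.example-hospital.test", "not_after": "2020-01-15"},
        {"domain": "lms.example-edu.test", "not_after": "2021-06-30"},
    ],
    "load_balancers": [
        {"name": "lb-web", "listeners": [443]},
        {"name": "lb-internal", "listeners": [80, 1433, 3389]},
    ],
}

# Remote-management and database ports that the article reports as brute-force "soft
# targets"; none of them should be reachable from the whole Internet.
ADMIN_PORTS = {3389: "RDP", 1433: "SQL Server", 22: "SSH", 3306: "MySQL"}
ANY = ("0.0.0.0/0", "::/0")

def audit(inventory, today):
    """Return (asset, finding) pairs for the four misconfiguration classes in the article."""
    findings = []
    for b in inventory["buckets"]:                       # bucket permissions
        if b["acl"].startswith("public"):
            findings.append((b["name"], f"object storage bucket ACL is {b['acl']}"))
    for sg in inventory["security_groups"]:              # security group rules
        for r in sg["rules"]:
            if r["cidr"] in ANY and r["port"] in ADMIN_PORTS:
                findings.append((sg["name"], f"{ADMIN_PORTS[r['port']]} port {r['port']} open to {r['cidr']}"))
    for c in inventory["certificates"]:                  # certificate validity
        if date.fromisoformat(c["not_after"]) < today:
            findings.append((c["domain"], f"certificate expired on {c['not_after']}"))
    for lb in inventory["load_balancers"]:               # load balancer listeners
        for p in lb["listeners"]:
            if p in ADMIN_PORTS:
                findings.append((lb["name"], f"load balancer exposes {ADMIN_PORTS[p]} on port {p}"))
    return findings
```

Running the audit on a schedule against a fresh inventory export, and diffing the findings from one run to the next, is the "regular inspection" the recommendation describes.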

7. In this special period, companies need to focus on three types of security issues for their online digital services: unauthorized access, information leakage, and data encryption. In particular, keep a close eye on the latest security threat intelligence, promptly fix recently disclosed vulnerabilities in common components such as Apache Tomcat, upgrade IDS and IPS product rule bases, and update components to the latest versions.
