网络安全应急响应典型案例集（2021）

CYBER SECURITY INCIDENT RESPONSE网络安全应急响应典型案例集奇安信安服团队 ◎著奇安信集团官网奇安信微信公众号奇安信客服电话客服热线：4009-303-1207×24应急响应：4009-727-120奇安信安服团队 ◎著50个典型应急响应案例300+位安全服务专家实战总结3200+次应急响应事件处置经验积累奇安信集团安服团队奇安信是北京2022年冬奥会和冬残奥会官方网络安全服务和杀毒软件赞助商，作为中国领先的网络安全品牌，奇安信多次承担国家级的重大活动网络安全保障工作，创建了稳定可靠的网络安全服务体系⸺全维度管控、全网络防护、全天候运行、全领域覆盖、全兵种协同、全线索闭环。奇安信安全服务以攻防技术为核心，聚焦威胁检测和响应，通过提供咨询规划、威胁检测、攻防演习、持续响应、预警通告、安全运营等一系列实战化的服务，在云端安全大数据的支撑下，为客户提供全周期的安全保障服务。应急响应服务致力于成为“网络安全120”。自2016年以来，奇安信已积累了丰富的应急响应实践经验，应急响应业务覆盖了全国31个省（自治区、直辖市），2个特别行政区，处置政企机构网络安全应急响应事件超过三千起，累计投入工时37000多个小时，为全国超过两千家政企机构解决网络安全问题。奇安信还推出了应急响应训练营服务，将一线积累的丰富应急响应实践经验面向广大政企机构进行网络安全培训和赋能，帮助政企机构的安全管理者、安全运营人员、工程师等不同层级的人群提高网络安全应急响应的能力和技术水平。奇安信正在用专业的技术能力保障着企业用户的网络安全，最大程度地减少了网络安全事件所带来的经济损失，并降低了网络安全事件造成的社会负面影响。典型案例集（2021）CYBER SECURITY INCIDENT RESPONSE网络安全应急响应典型案例集（2021）CYBER SECURITY INCIDENT RESPONSE网络安全应急响应 目录CONTENTS网络安全应急响应形势综述· ···························6一、应急响应事件受害者分析················································7二、应急响应事件攻击者分析···············································10勒索类事件典型案例· ·······························14一、服务器存漏洞感染勒索病毒············································15二、终端电脑遭遇钓鱼邮件感染勒索病毒································16三、工业生产网与办公网边界模糊，感染勒索病毒····················16四、服务器配置不当感染勒索病毒·········································17五、专网被攻击，58家医院连锁感染勒索病毒··························18六、OA服务器远程桌面映射公网，感染勒索病毒······················20七、内网主机使用弱口令致感染勒索病毒································21八、8003端口映射在公网感染勒索病毒···································22九、私自下载破解软件致服务器感染勒索病毒··························23十、服务器补丁安装不及时感染勒索病毒································24十一、擅自修改网络配置致服务器感染勒索病毒·······················25十二、用户名口令被暴力破解感染勒索病毒·····························26挖矿类事件典型案例· ·······························28一、官网存在上传漏洞感染挖矿木马······································29二、误点恶意链接感染挖矿木马············································30三、·软件升级包携带“永恒之蓝下载器”致专网感染挖矿木马·····31四、“永恒之蓝下载器”致内网挖矿木马································34五、安全防护不到位致终端和服务器感染挖矿木马····················35六、SSH私钥本地保存致虚拟机感染挖矿木马··························36七、网站存漏洞致服务器感染挖矿木马···································37八、服务器使用弱口令导致感染挖矿木马································38九、应用服务平台使用弱口令导致感染挖矿木马·······················39十、U盘未管控导致主机感染挖矿木马····································40蠕虫类事件典型案例· ·······························42一、服务器弱口令导致感染蠕虫病毒······································43二、浏览恶意链接感染蠕虫病毒············································44三、U盘未合理管控导致感染蠕虫病毒····································45篡改类事件典型案例· ·······························47一、Redis未授权访问漏洞致官网被植入黑链···························48二、网站WEB漏洞致网站被挂马···········································49三、网站后台程序漏洞致网站被植入黑链································50四、Tomcat中间件漏洞致官网被上传博彩页面························51五、Weblogic·WLS组件漏洞致网页被篡改·····························52六、weblogic反序列化漏洞致网页被篡改·······························53七、官网存在SQL注入漏洞致网页被篡改································54八、编辑器漏洞致网站被挂黑页············································55APT 类事件典型案例································57 一、APT组织利用弱口令进行攻击·········································58二、APT组织利用"白+黑"技术进行攻击··································59三、APT组织利用外泄的账号密码进行攻击·····························60四、APT组织利用钓鱼邮件进行攻击······································61DDOS 类事件典型案例······························63一、某部委遭遇CC攻击·······················································64二、某证券公司遭遇DDoS攻击·············································65漏洞利用类事件典型案例·····························66一、内网防护不到位致大量主机失陷······································67二、网站存在任意文件上传漏洞，致多台主机沦陷····················68三、服务器因SQL注入漏洞被攻陷·········································69四、机顶盒配置不当致堡垒机被攻陷······································70五、公网应用平台因Shiro反序列化漏洞被攻击························71钓鱼邮件类事件典型案例·····························73一、利用钓鱼邮件，伪造打款信息·········································74二、破解管理员弱密码，发起钓鱼邮件攻击·····························75三、下载破解软件，导致内网终端自动发送恶意邮件·················76数据泄露类事件典型案例·····························78一、账号信息上传公网，致内网20多台机器受感染····················79二、系统漏洞造成数据泄露··················································80僵尸网络类事件典型案例·····························82一、安全设备弱口令致内网被僵尸网络控制·····························83附录 1···········································85附录 2···········································86 典型案例集（2021）网络安全应急响应67緸絞㸝Ⰼ䎾䚉ᆄ䎾䕎⸷絾鶣网络安全应急响应形势综述2021年1—6月，奇安信集团安服团队共参与和处置了全国范围内590起网络安全应急响应事件，第一时间协助政企机构处理安全事故，确保了政企机构门户网站、数据库和重要业务系统的持续安全稳定运行。2021 年上半年应急响应服务月度统计情况具体如下：2021 年上半年，奇安信安服共处置应急响应事件 590 起，投入工时为3964.5 小时，折合 495.6 人天。（2021 年 4 月为全国实战攻防演习期间，应急数量大幅增加。）图 1-1：大中型政企机构应急响应服务走势第一章CYBER SECURITY INCIDENT RESPONSE图 1-2：大中型政企机构应急响应行业分布一、应急响应事件受害者分析为进一步提高大中型政企机构对突发安全事件的认识和处置能力，增强政企机构安全防护意识，对2021年上半年处置的所有应急响应事件从被攻击角度、受害者行业分布、攻击事件发现方式、影响范围以及攻击行为造成的影响几方面进行统计分析，呈现上半年政企机构内部网络安全现状。（一）行业现状分析2021年上半年应急响应处置事件排名靠前的行业分别为，政府部门（140起）、医疗卫生行业（58 起）以及金融行业（49 起）和事业单位（49 起），事件处置数分别占上半年应急处置事件的 23.7%、9.8%、8.3% 和 8.3%。大中型政企机构应急响应行业分布 TOP10 详见下图： 典型案例集（2021）网络安全应急响应89緸絞㸝Ⰼ䎾䚉ᆄ䎾䕎⸷絾鶣从行业排名可知，2021年上半年攻击者的攻击对象主要分布于政府机构、医疗卫生行业、金融行业和事业单位。（二）事件发现分析2021年上半年奇安信安服团队参与处置的所有政企机构网络安全应急响应事件中，由行业单位自行发现的攻击事件占95.2%，其中发现入侵迹象的事件占比39.6%，被攻击者勒索后发现的攻击占35.1%，安全运