CYBER SECURITY INCIDENT RESPONSE 网络安全应急响应典型案例集 奇安信安服团队 ◎著 奇安信集团官网奇安信微信公众号奇安信客服电话 客服热线： 4009-303-1207×24应急响应： 4009-727-120奇安信安服团队 ◎著 50个典型应急响应案例300+位安全服务专家实战总结3200+次应急响应事件处置经验积累 奇安信集团安服团队 奇安信是北京2022年冬奥会和冬残奥会官方网络安全服务和杀毒软件赞助商， 作为中国领先的网络安全品牌， 奇安信多次承担国家级的重大活动网络安全保障工作， 创建了稳定可靠的网络安全服务体系⸺全维度管控、 全网络防护、 全天候运行、 全领域覆盖、 全兵种协同、 全线索闭环。奇安信安全服务以攻防技术为核心， 聚焦威胁检测和响应， 通过提供咨询规划、 威胁检测、攻防演习、 持续响应、 预警通告、 安全运营等一系列实战化的服务， 在云端安全大数据的支撑下， 为客户提供全周期的安全保障服务。应急响应服务致力于成为 “网络安全120” 。 自2016年以来， 奇安信已积累了丰富的应急响应实践经验， 应急响应业务覆盖了全国31个省 （自治区、 直辖市） ， 2个特别行政区， 处置政企机构网络安全应急响应事件超过三千起， 累计投入工时37000多个小时， 为全国超过两千家政企机构解决网络安全问题。奇安信还推出了应急响应训练营服务， 将一线积累的丰富应急响应实践经验面向广大政企机构进行网络安全培训和赋能， 帮助政企机构的安全管理者、 安全运营人员、 工程师等不同层级的人群提高网络安全应急响应的能力和技术水平。 奇安信正在用专业的技术能力保障着企业用户的网络安全， 最大程度地减少了网络安全事件所带来的经济损失， 并降低了网络安全事件造成的社会负面影响。 典型案例集（2021） CYBER SECURITY INCIDENT RESPONSE网络安全应急响应 典型案例集（2021） CYBER SECURITY INCIDENT RESPONSE 网络安全应急响应目录 CONTENTS 网络安全应急响应形势综述····························6 一、应急响应事件受害者分析················································7二、应急响应事件攻击者分析···············································10 勒索类事件典型案例································14 一、服务器存漏洞感染勒索病毒············································15二、终端电脑遭遇钓鱼邮件感染勒索病毒································16三、工业生产网与办公网边界模糊，感染勒索病毒····················16四、服务器配置不当感染勒索病毒·········································17五、专网被攻击，58家医院连锁感染勒索病毒··························18六、OA服务器远程桌面映射公网，感染勒索病毒······················20七、内网主机使用弱口令致感染勒索病毒································21八、8003端口映射在公网感染勒索病毒· ··································22九、私自下载破解软件致服务器感染勒索病毒··························23十、服务器补丁安装不及时感染勒索病毒································24十一、擅自修改网络配置致服务器感染勒索病毒·······················25十二、用户名口令被暴力破解感染勒索病毒·····························26 挖矿类事件典型案例································28 一、官网存在上传漏洞感染挖矿木马······································29二、误点恶意链接感染挖矿木马············································30三、·软件升级包携带“永恒之蓝下载器”致专网感染挖矿木马·····31四、“永恒之蓝下载器”致内网挖矿木马································34五、安全防护不到位致终端和服务器感染挖矿木马····················35六、SSH私钥本地保存致虚拟机感染挖矿木马··························36七、网站存漏洞致服务器感染挖矿木马···································37八、服务器使用弱口令导致感染挖矿木马································38九、应用服务平台使用弱口令导致感染挖矿木马·······················39十、U盘未管控导致主机感染挖矿木马····································40蠕虫类事件典型案例································42 一、服务器弱口令导致感染蠕虫病毒······································43二、浏览恶意链接感染蠕虫病毒············································44三、U盘未合理管控导致感染蠕虫病毒····································45 篡改类事件典型案例································47 一、Redis未授权访问漏洞致官网被植入黑链···························48二、网站WEB漏洞致网站被挂马···········································49三、网站后台程序漏洞致网站被植入黑链································50四、Tomcat中间件漏洞致官网被上传博彩页面························51五、Weblogic·WLS组件漏洞致网页被篡改·····························52六、weblogic反序列化漏洞致网页被篡改·······························53七、官网存在SQL注入漏洞致网页被篡改································54八、编辑器漏洞致网站被挂黑页············································55 APT 类事件典型案例································57一、APT组织利用弱口令进行攻击·········································58二、APT组织利用"白+黑"技术进行攻击··································59三、APT组织利用外泄的账号密码进行攻击·····························60四、APT组织利用钓鱼邮件进行攻击······································61 DDOS 类事件典型案例······························63 一、某部委遭遇CC攻击·······················································64二、某证券公司遭遇DDoS攻击·············································65 漏洞利用类事件典型案例·····························66 一、内网防护不到位致大量主机失陷······································67二、网站存在任意文件上传漏洞，致多台主机沦陷····················68三、服务器因SQL注入漏洞被攻陷·········································69四、机顶盒配置不当致堡垒机被攻陷······································70五、公网应用平台因Shiro反序列化漏洞被攻击························71 钓鱼邮件类事件典型案例·····························73 一、利用钓鱼邮件，伪造打款信息·········································74二、破解管理员弱密码，发起钓鱼邮件攻击·····························75三、下载破解软件，导致内网终端自动发送恶意邮件·················76 数据泄露类事件典型案例·····························78 一、账号信息上传公网，致内网20多台机器受感染····················79二、系统漏洞造成数据泄露···