
From Identity Admins to Cloud Compromise.pdf

Uploaded by: 可*** ID: 991815 2025-12-07 18 pages 1.43MB

From Identity Admins to Cloud Compromise: Detecting Modern Ransomware Attacks in the Financial Sector
Arda Büyükkaya, Senior Cyber Threat Intelligence Analyst, EclecticIQ

About me
- Senior Cyber Threat Intelligence Analyst at EclecticIQ
- Delivering actionable intelligence to Fortune 500 and governmental bodies
- Background in Malware Analysis and Incident Response
- Uncovering nation-state APT operations and tracking financially motivated threat actors
Whichbuffer | Arda | ardabuyukkaya

Agenda
- From Privileged User Accounts to Cloud Access
- Post Compromise Tactics and Tooling
- Key Takeaways and Final Thoughts

From Privileged User Accounts to Cloud Access
- Social Engineering for Business Email Compromise (BEC)
- Phishing attacks for credential theft:
  o Mimicking Cloud Service Providers (Azure, AWS, GCP)
  o Single Sign-On platforms
- Adversary-in-the-Middle (AiTM) phishing to get 2FA tokens
- Ransomware affiliates are targeting Help Desk personnel to reset MFA tokens or passwords

Microsoft Azure Phishing
- Leverage signals from multiple sources:
  o Office 365, Cloud Apps, Defender, 3rd-party network detection
- Look for risky sign-ins:
  o non-compliant device
  o Impossible Travel
  o from VPS providers
- Enable "Web Browser Logging" for visibility

Detecting AiTM Phishing Attacks
Identifying Adversary-in-the-Middle (AiTM) Phishing Attacks through 3rd-Party Network Detection

Stealing Access Tokens From Office Desktop Applications
- Office 365 applications are connected to Microsoft Accounts
- Ransomware affiliates dump memory of Office 365 applications to scrape cloud tokens
  o Looking for JWT tokens
  o Re-use cloud token for identity compromise
  o Access to sensitive data: mailboxes, files in OneDrive or SharePoint, Teams chats, and more.

Extracting Access Tokens From A Memory Dump
Stolen Privileged Clo
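The token-carving step described on the last two slides (dump an Office desktop process, search the image for JWTs, judge what the token would grant if replayed), as an added Python example that is not part of the deck or of EclecticIQ's tooling. The memory image, the tenant ID, the UPN, the scopes and the signature bytes are all constructed here so the block runs offline; the carver only looks for the base64url shape of a JWT and decodes the claims without verifying the signature, which is what an incident responder needs in order to size the blast radius of a token found in a dump.

```python
import base64
import json
import re
from datetime import datetime, timezone

# A JWT is header.payload.signature in base64url. Header and payload are JSON
# objects, so both segments start with "eyJ" (base64url of '{"'); that prefix is
# what makes raw tokens cheap to carve out of a process memory image.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(segment: bytes) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> bytes:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def find_jwts(blob: bytes, now=None) -> list:
    """Carve JWT-shaped strings out of raw memory and decode their claims.

    The signature is deliberately not verified: the goal is to learn what each
    token would grant if replayed (audience, tenant, user, scopes, lifetime),
    not to trust it.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for match in JWT_RE.finditer(blob):
        header_b64, payload_b64, _signature = match.group(0).split(b".")
        try:
            header = json.loads(_b64url_decode(header_b64))
            payload = json.loads(_b64url_decode(payload_b64))
        except (ValueError, UnicodeDecodeError):
            continue  # base64-looking noise that is not a real token
        if not isinstance(header, dict) or not isinstance(payload, dict):
            continue
        exp = payload.get("exp")
        expired = isinstance(exp, (int, float)) and datetime.fromtimestamp(exp, timezone.utc) < now
        findings.append({
            "offset": match.start(),
            "alg": header.get("alg"),
            "aud": payload.get("aud"),
            "tid": payload.get("tid"),
            "upn": payload.get("upn") or payload.get("preferred_username"),
            "scp": payload.get("scp"),
            "expired": expired,
        })
    return findings


def build_sample_dump() -> bytes:
    """Constructed stand-in for an Outlook/Teams memory image (not a real dump):
    filler bytes, one live Graph-scoped token, a decoy that matches the regex
    but does not decode to JSON, and one expired token."""
    header = _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "dummy-kid"})
    fake_sig = b"c2lnbmF0dXJlLXBsYWNlaG9sZGVy"  # placeholder, not a real signature
    live = b".".join([header, _b64url_encode({
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000001",  # constructed tenant ID
        "upn": "cloudadmin@example.com",
        "scp": "Mail.ReadWrite Files.ReadWrite.All Sites.Read.All",
        "exp": 4102444800,  # 2100-01-01, so the sample stays "live"
    }), fake_sig])
    expired = b".".join([header, _b64url_encode({
        "aud": "https://outlook.office365.com",
        "tid": "00000000-0000-0000-0000-000000000001",
        "upn": "cloudadmin@example.com",
        "scp": "Mail.Read",
        "exp": 1700000000,  # 2023-11-14
    }), fake_sig])
    decoy_seg = base64.urlsafe_b64encode(b'{"not json, just similar bytes').rstrip(b"=")
    decoy = b".".join([decoy_seg, decoy_seg, b"AAAAAAAAAAAAAAAA"])
    return b"\x00" * 32 + live + b"\x00" * 64 + decoy + b"\x00" * 16 + expired + b"\x00" * 32


def scan_sample() -> list:
    """Run the carver over the constructed dump with a fixed clock."""
    return find_jwts(build_sample_dump(), now=datetime(2025, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

On a real image you would feed the bytes of a process dump to `find_jwts` instead of `build_sample_dump()`; the `aud` and `scp` claims of a live hit tell you which service (Graph, Exchange, SharePoint) the token unlocks and therefore which mailboxes, OneDrive or SharePoint files and Teams chats were reachable, which is exactly the exposure the slides describe.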

Based on the document, the key points are summarized as follows:
1. **Diverse attack techniques**: attackers use social engineering for phishing, including impersonating cloud service providers and single sign-on platforms, and adversary-in-the-middle attacks to capture two-factor authentication tokens.
2. **Cloud service abuse**: ransomware actors use stolen cloud user accounts and search public code repositories for cloud authentication tokens.
3. **Vulnerability exploitation**: attackers exploit a vulnerability in Ivanti Endpoint Manager Mobile (CVE-2025-4428) to obtain Office 365 tokens.
4. **Identity risk detection**: classify user risk with Entra ID's AI-driven anomaly detection and enable token theft protection.
5. **Post-compromise tactics**: use Azure Run Command to push and execute ransomware or tooling, and bulk data exfiltration from SharePoint Online and S3.
6. **Detection opportunities**: detect attack patterns through audit logs, cloud console activity and cloud service usage.
7. **Key conclusions**: actionable intelligence is essential, abuse of IT operations tooling complicates detection, financial services are a primary ransomware target, and cloud applications are an ideal pivot point for attackers.
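A detector for the three risky sign-in signals the deck lists under "Look for risky sign-ins" (non-compliant device, Impossible Travel, sign-in from a VPS provider) and for the identity-risk detection the summary refers to, as an added Python example that is not from the deck or from EclecticIQ. The sign-in rows, their coordinates, the organisation names in VPS_ORGS and the 900 km/h threshold are assumptions for illustration; real Entra ID sign-in logs expose equivalent fields through their location, device-detail and network enrichment.

```python
import math
from datetime import datetime, timezone

# Assumed list of hosting/VPS organisations as an IP-to-ASN source might name
# them; tune to what your enrichment returns. Interactive users rarely sign in
# from these networks, so an MFA-satisfied sign-in from one is a strong
# AiTM / replayed-session signal.
VPS_ORGS = {"DigitalOcean", "Vultr", "Linode", "Hetzner", "OVH"}

# Constructed sample rows shaped loosely after Entra ID sign-in log fields
# (location and ASN are enrichment values, not derived from the IP here).
SIGN_INS = [
    {"user": "cloudadmin@example.com", "time": "2025-03-01T08:00:00Z",
     "ip": "203.0.113.10", "lat": 52.37, "lon": 4.90, "asn_org": "Example Telecom",
     "device_compliant": True, "mfa_satisfied": True},
    # 40 minutes later, MFA "satisfied", from a VPS on another continent:
    # the footprint of a session replayed after AiTM phishing
    {"user": "cloudadmin@example.com", "time": "2025-03-01T08:40:00Z",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "asn_org": "DigitalOcean",
     "device_compliant": False, "mfa_satisfied": True},
    {"user": "analyst@example.com", "time": "2025-03-01T09:00:00Z",
     "ip": "192.0.2.5", "lat": 52.37, "lon": 4.90, "asn_org": "Example Telecom",
     "device_compliant": True, "mfa_satisfied": True},
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_sign_ins(records, vps_orgs=VPS_ORGS, max_kmh=900.0) -> list:
    """Return one finding per sign-in that trips any of the three checks:
    non-compliant device, VPS-hosted source, or impossible travel relative to
    the same user's previous sign-in."""
    findings = []
    last_seen = {}  # user -> (time, lat, lon) of the previous sign-in
    for rec in sorted(records, key=lambda r: (r["user"], r["time"])):
        reasons = []
        if not rec["device_compliant"]:
            reasons.append("non_compliant_device")
        if rec["asn_org"] in vps_orgs:
            reasons.append("vps_provider")
        prev = last_seen.get(rec["user"])
        if prev:
            prev_time, plat, plon = prev
            # floor at one minute so two sign-ins in the same second cannot divide by zero
            hours = max((_ts(rec["time"]) - prev_time).total_seconds() / 3600, 1 / 60)
            speed = haversine_km(plat, plon, rec["lat"], rec["lon"]) / hours
            if speed > max_kmh:
                reasons.append("impossible_travel")
        last_seen[rec["user"]] = (_ts(rec["time"]), rec["lat"], rec["lon"])
        if reasons:
            findings.append({"user": rec["user"], "time": rec["time"], "ip": rec["ip"],
                             "mfa_satisfied": rec["mfa_satisfied"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_sign_ins(SIGN_INS):
        print(finding)
```

The second row trips all three checks at once even though MFA was satisfied, which is the point the deck makes about AiTM: the MFA claim on its own is not evidence of a legitimate session, so the device, network and travel context have to be correlated with it.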