From Identity Admins to Cloud Compromise: Detecting Modern Ransomware Attacks in the Financial Sector
Arda Büyükkaya, Senior Cyber Threat Intelligence Analyst, EclecticIQ

About me
- Senior Cyber Threat Intelligence Analyst at EclecticIQ
- Delivering actionable intelligence to Fortune 500 and Governmental bodies
- Background in Malware Analysis and Incident Response
- Uncovering nation-state APT operations and tracking financially motivated threat actors
Whichbuffer | Arda | ardabuyukkaya

Agenda
- From Privileged User Accounts to Cloud Access
- Post Compromise Tactics and Tooling
- Key Takeaways and Final Thoughts

From Privileged User Accounts to Cloud Access
- Social Engineering for Business Email Compromise (BEC)
- Phishing attacks for credential theft:
  o Mimicking Cloud Service Providers (Azure, AWS, GCP)
  o Single Sign-On platforms
- Adversary-in-the-Middle (AiTM) phishing to get 2FA Tokens
- Ransomware affiliates are targeting Help Desk personnel to reset MFA Tokens or Password²
Microsoft Azure Phishing

Detecting AiTM Phishing Attacks
- Leverage signals from multiple sources:
  o Office 365, Cloud Apps, Defender, 3rd-party network detection
- Look for Risky sign-in:
  o non-compliant device
  o Impossible Travel
  o from VPS providers
- Enable "Web Browser Logging" for visibility

Identifying Adversary-in-the-Middle (AiTM) Phishing Attacks through 3rd-Party Network Detection

Stealing Access Tokens From Office Desktop Applications³
- Office 365 applications are connected to Microsoft Accounts
- Ransomware affiliates dump memory of Office 365 application to scrape Cloud Tokens
  o Looking for JWT token
  o Re-use Cloud Token for Identity Compromise
  o Access to sensitive data: mailboxes, files in OneDrive or SharePoint, Teams chats, and more.

Extracting Access Tokens From A Memory Dump

Stolen Privileged Clo
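The three risky sign-in signals named on the "Detecting AiTM Phishing Attacks" slide (non-compliant device, impossible travel, sign-in from a VPS provider) can be checked with a short triage script. This is an added example, not code from the talk or from EclecticIQ; the record layout, the ASN numbers (taken from the documentation-reserved range) and the 900 km/h travel threshold are assumptions, and the sample sign-ins are constructed.

```python
import math
from datetime import datetime, timezone

# Constructed sample records (not real logs), loosely shaped after Entra ID /
# Azure AD sign-in fields; lat/lon are assumed to come from a geo-IP lookup.
SAMPLE_SIGNINS = [
    {"user": "a.user@bank.example", "time": "2024-05-01T08:00:00Z",
     "lat": 52.37, "lon": 4.90, "asn": 64496, "compliant": True},
    {"user": "a.user@bank.example", "time": "2024-05-01T09:30:00Z",
     "lat": 40.71, "lon": -74.01, "asn": 64497, "compliant": False},
    {"user": "b.user@bank.example", "time": "2024-05-01T10:00:00Z",
     "lat": 51.51, "lon": -0.13, "asn": 64498, "compliant": True},
]

# Assumed list of autonomous systems operated by VPS providers (placeholder
# ASNs); in production this would come from a maintained enrichment feed.
VPS_ASNS = frozenset({64497})

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def risky_signins(records, max_kmh=900.0, vps_asns=VPS_ASNS):
    """Return (user, reason) pairs for sign-ins matching any of the three
    slide signals: non-compliant device, VPS provider ASN, impossible travel."""
    findings = []
    last_seen = {}  # user -> previous sign-in, for the travel-speed comparison
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        user = rec["user"]
        if not rec["compliant"]:
            findings.append((user, "non-compliant device"))
        if rec["asn"] in vps_asns:
            findings.append((user, "sign-in from VPS provider ASN %d" % rec["asn"]))
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            hours = (parse_time(rec["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            # Guard against two sign-ins in the same second (division by zero)
            if hours > 0 and km / hours > max_kmh:
                findings.append((user, "impossible travel: %.0f km in %.1f h" % (km, hours)))
        last_seen[user] = rec
    return findings
```

Each finding is only one signal; as the slide says, correlate them with Office 365, Cloud Apps, Defender and network detection before treating a sign-in as an AiTM session.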