TomLancaster-自上次边缘设备安全事件以来已经是零日ZeroDays

© Volexity Inc. | Proprietary & ConfidentialIt Has Been[0]Days Since the Last Edge-Device Security Incident1Tom LancasterCyberThreat | December 2024TLP: WHITE© Volexity Inc. | Proprietary & ConfidentialWhat are we talking about?• Edge-Devices• In the case of this talk – those intended to help protect networks• What do these attacks look like?• What might you do to identify or stop these attacks on your network?2© Volexity Inc. | Proprietary & Confidential3Case 1: Ivanti Connect Secure – Dec 23© Volexity Inc. | Proprietary & ConfidentialHow it started•Signature designed to detect webshells on Exchange4© Volexity Inc. | Proprietary & ConfidentialWebshell Discovery5© Volexity Inc. | Proprietary & ConfidentialThe Investigation Begins6•We acquire memory (RAM) and key files from the webserver•Logons to the Exchange Server came from 192.168.x.x -- ICS VPN device starting on December 6, 2023© Volexity Inc. | Proprietary & ConfidentialAll roads lead to….the ICS VPN Device7© Volexity Inc. | Prop