Check Point Software Technologies Ltd., a leading global provider of cyber-security solutions, has published its latest Global Threat Index for December 2018. The index reveals that SmokeLoader, a second-stage downloader known to researchers since 2011, rose 11 places in December to enter the Index's top 10 in ninth place. After a surge of activity in Ukraine and Japan, its global impact grew by 20%. SmokeLoader is mainly used to load other malware, such as the Trickbot banker, the AZORult infostealer and the Panda banker.
Cryptomining
malware continues to lead the Index, with Coinhive retaining its number one
position for the 13th month in a row and impacting 12% of
organizations worldwide. XMRig was the second most prevalent malware with a
global reach of 8%, closely followed by the JSEcoin miner in third with a
global impact of 7%. Organizations continue to be
targeted by cryptominers, despite an overall drop in value across all
cryptocurrencies in 2018.
The report also showed banking Trojans rising up the index, with Ramnit, a banking Trojan that steals login credentials and other sensitive data, returning to the top 10 this month in 8th place.
Maya Horowitz, Threat Intelligence and
Research Group Manager at Check Point commented: "December's report saw
SmokeLoader appearing in the top 10 for the first time. Its sudden surge in
prevalence reinforces the growing trend towards damaging, multi-purpose malware
in the Global Threat Index, with the top 10 divided equally between
cryptominers and malware that uses multiple methods to distribute numerous
threats. The diversity of the malware in the Index means that it is
critical that enterprises employ a multi-layered cybersecurity strategy that
protects against both established malware families and brand new threats."
December 2018's
Top 3 ‘Most Wanted' Malware:
- Coinhive - Crypto miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user's knowledge or approval. The implanted JavaScript consumes a great deal of the computational resources of end users' machines to mine coins, and may crash the system.
- XMRig - Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
- JSEcoin - JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
Triada, the modular
backdoor for Android, has retained first place in the top mobile malware list.
Guerilla has climbed to second place, replacing Hiddad. Meanwhile, Lotoor has
replaced Android banking Trojan and info-stealer Lokibot in third place.
December's Top 3 ‘Most Wanted' Mobile Malware:
1. Triada - Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Guerilla - Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.
3. Lotoor - Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
Check Point researchers also analyzed the most exploited
cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose
global impact also rose slightly to 49%, compared to 47% in November. In second
place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global
impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection
with an impact of 41%.
December's Top 3 ‘Most Exploited' vulnerabilities:
- Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 running Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause denial-of-service conditions on the target server. The flaw is a buffer overflow resulting from improper validation of an overly long header (the If header of a WebDAV PROPFIND request) in the HTTP request.
- OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to a missing bounds check when handling TLS/DTLS heartbeat packets: the attacker-supplied payload length is trusted rather than compared with the bytes actually received. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
- Web servers PHPMyAdmin
Misconfiguration Code Injection - A code injection vulnerability has
been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin
misconfiguration. A remote attacker can exploit this vulnerability by
sending a specially crafted HTTP request to the
target.
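The heartbeat handling error behind the second entry above, shown as an added example that is not part of the Check Point report and not OpenSSL's own code. The snippet models the heartbeat body as OpenSSL parses it (type, 16-bit payload length, payload, 16 bytes of padding), serves one malformed record through a handler with and without the length check that OpenSSL 1.0.1g added, and measures how many bytes of neighbouring memory the unpatched path echoes back. The `NEIGHBOUR_HEAP` buffer and the `ping` payload are constructed for the example; the response padding is zeroed here where real OpenSSL uses random bytes.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HDR_LEN = 3          # type (1 byte) + payload_length (2 bytes, big-endian)
PADDING_LEN = 16     # minimum padding OpenSSL requires after the payload


def build_heartbeat(claimed_len, payload, padding=b"\x00" * PADDING_LEN):
    """Encode a heartbeat body: type | payload_length | payload | padding.

    claimed_len is written verbatim so a caller can lie about the payload
    size, which is exactly the malformed input behind CVE-2014-0160.
    """
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding


def handle_heartbeat(record, memory_after_record, patched):
    """Return the heartbeat response a peer would send, or None if discarded.

    record is the received heartbeat body; memory_after_record stands in for
    whatever happened to sit past it in the process heap (constructed for
    this example). With patched=False the length check that OpenSSL 1.0.1
    through 1.0.1f lacked is skipped, so the reply is copied according to
    the claimed length and over-reads into memory_after_record.
    """
    if len(record) < HDR_LEN:
        return None
    hbtype, claimed_len = struct.unpack("!BH", record[:HDR_LEN])
    if hbtype != HB_REQUEST:
        return None
    if patched:
        # The 1.0.1g fix: header + claimed payload + padding must fit inside
        # the bytes actually received, otherwise the record is dropped.
        if len(record) < HDR_LEN + PADDING_LEN:
            return None
        if HDR_LEN + claimed_len + PADDING_LEN > len(record):
            return None
    heap = record + memory_after_record
    # Equivalent of memcpy(bp, pl, payload): copy claimed_len bytes starting
    # at the payload pointer, trusting the attacker-controlled length.
    echoed = heap[HDR_LEN:HDR_LEN + claimed_len]
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response, real_payload):
    """Bytes in the echoed payload that were never part of what the peer sent."""
    if response is None:
        return b""
    claimed_len = struct.unpack("!H", response[1:HDR_LEN])[0]
    echoed = response[HDR_LEN:HDR_LEN + claimed_len]
    return echoed[len(real_payload):]


# Constructed sample: a 4-byte payload that claims to be 64 bytes long, and a
# pretend neighbouring heap allocation holding a session cookie.
REAL_PAYLOAD = b"ping"
MALFORMED = build_heartbeat(64, REAL_PAYLOAD)
HONEST = build_heartbeat(len(REAL_PAYLOAD), REAL_PAYLOAD)
NEIGHBOUR_HEAP = b"session=7c1a9f3e2b; user=admin; " + b"X" * 64


def demo():
    """Run the malformed and honest records through both handler variants."""
    vulnerable = handle_heartbeat(MALFORMED, NEIGHBOUR_HEAP, patched=False)
    fixed = handle_heartbeat(MALFORMED, NEIGHBOUR_HEAP, patched=True)
    honest = handle_heartbeat(HONEST, NEIGHBOUR_HEAP, patched=True)
    return {
        "vulnerable_leak": leaked_bytes(vulnerable, REAL_PAYLOAD),
        "fixed_discarded": fixed is None,
        "honest_roundtrip": leaked_bytes(honest, REAL_PAYLOAD) == b"",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The patched check is the one-line condition from the upstream fix; note that an honest record with a correct length passes it unchanged, so the fix costs nothing for legitimate peers. A remote check against a live server would send the same malformed record and inspect whether the reply length exceeds the request; do that only against systems you are authorised to test.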
Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
* The complete list
of the top 10 malware families in December can be found on the Check Point
Blog:
http://blog.checkpoint.com/2019/01/14/december-2018-most-wanted-malware-smokeloader-crypto-malware-ransomware/