Check Point: Attackers executing commands remotely with latest malware
Check Point Research has published its latest Global Threat Index for July 2019.
The research team is warning organisations of a new vulnerability discovered in the OpenDreamBox 2.0.0 WebAdmin Plugin that has impacted 32% of organisations globally in the last month.
The vulnerability, ranked the eighth-most exploited vulnerability, enables attackers to execute commands remotely on target machines.
The exploit was triggered alongside other attacks targeting IoT devices – in particular with the MVPower DVR Remote Code Execution (the third most popular exploited vulnerability in July) which is also known to be related to the notorious Mirai botnet.
July also saw a major decrease in the use of Cryptoloot, as it fell to tenth in the top malware list, from third in June 2019.
Threat actors are quick to try and exploit new vulnerabilities when they emerge before organisations have had the chance to patch them, and the OpenDreamBox flaw is no exception.
Even so, it's surprising that nearly a third of organisations have been impacted.
"This highlights how important it is that organisations protect themselves by patching such vulnerabilities quickly," says Check Point threat intelligence and research, products director Maya Horowitz.
The sharp decline in the use of Cryptoloot is also interesting.
It has dominated the top malware list for the past year and a half and was ranked the second most common malware variant seen in the first half of 2019, impacting 7.2% of organisations worldwide.
We believe the decline is linked to its main competitor, Coinhive, closing its operations earlier in 2019.
Threat actors are relying on alternative crypto-mining malware such as XMRig and Jsecoin.
July 2019's Top 3 most wanted malware:
XMRig is leading the top malware list, impacting 7% of organisations around the world.
Jsecoin and Dorkbot had a global impact of 6% respectively.
1. XMRig – XMRig is an open source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
2. Jsecoin – Jsecoin is a JavaScript miner that can be embedded in websites. With JSEcoin, users can run the miner directly in their browser in exchange for an ad-free experience, in-game currency and other incentives.
3. Dorkbot - Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
July's Top 3 most wanted mobile malware:
In July, Lotoor was the most prevalent Mobile malware, followed by AndroidBauts and Piom – two new malware families in the top mobile malware list.
1. Lotoor – Hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
3. Piom – Adware which monitors the users browsing behaviour and delivers unwanted advertisements based on the users' web activities.
July's most exploited vulnerabilities:
SQL Injection techniques continue to lead the top exploited vulnerabilities list, impacting 46% of organisations around the world.
In second place is the OpenSSL TLS DTLS Heartbeat Information Disclosure with a global impact of 41%, closely followed by the MVPower DVR Remote Code Execution, which impacted 40% of organisation worldwide.
1. SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application's software.
2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
Check Point's Global Threat Impact Index and its ThreatCloud Map is powered by Check Points ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.
The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.