Crypto miners remain dominant in the latest instalment of CheckPoint’s global malware tracker, having been consistently rated in the top 10 for several months. Whether the persistent inclusion of, and furore surrounding, crypto miners is warranted is questionable. Also evident in the monthly lists are the top three mobile malware threats and the top three vulnerabilities.
The threats in these categories are not mutually exclusive: the top vulnerabilities, as rated by CheckPoint, are the ones being exploited to deliver crypto-mining payloads, in particular the Microsoft IIS 6.0 on Windows Server 2003 vulnerability (CVE-2017-7269) and the Oracle WebLogic vulnerability (CVE-2017-10271). As noted in the report, 46% of organisations around the world were targeted using the Microsoft vulnerability, and 40% using the Oracle vulnerability.
The threat from these vulnerabilities is clear, and yet, despite patches having been available for more than six months, many companies are evidently still exposed to this attack vector.
Strategic assessment: The top 10 malware in April were:
• Coinhive – Crypto-miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval.
• Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources to add transactions to the blockchain and release new currency.
• Roughted – Large-scale malvertising campaign used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilises ad-blocker bypassing and fingerprinting to ensure it delivers the most relevant attack.
• Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts; it can be modified to create different types of botnets.
• Fireball – Browser hijacker that can be turned into a fully functioning malware downloader. It is capable of executing any code on the victim machine, resulting in a wide range of actions from stealing credentials to dropping additional malware.
• XMRig – Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
• Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system. Its primary purposes are to steal sensitive information and launch denial-of-service attacks.
• Nivdort – Multipurpose bot, also known as Bayrob, used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails, with the recipient address encoded in the binary, making each file unique.
• Necurs – Botnet used to spread malware via spam emails, mainly ransomware and banking Trojans.
Interestingly, the more versatile and damaging malware ranks lower on the list than might be expected. This probably reflects a lower infection rate than crypto miners rather than a lower impact. From a cybersecurity viewpoint, crypto mining is highly likely to pose less of a business threat than the more traditional malware listed. Backdoors such as Andromeda, which stage further payloads including infostealers and are offered as cybercrime-as-a-service, should be more of a concern to businesses.
The top three mobile malware were:
• Lokibot – Android banking Trojan and info-stealer which can also turn into ransomware that locks the phone.
• Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.
• Hiddad – Android malware which repackages legitimate apps and releases them to a third-party store.
The top three vulnerabilities were:
• Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over the network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is due to a buffer overflow in the WebDAV ScStoragePathFromUrl function, caused by improper validation of an over-long header (the If: header of a PROPFIND request) in the HTTP request.
• Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists in the WLS Security component of Oracle WebLogic Server, specifically in the way the wls-wsat web service passes attacker-supplied XML to the Java XMLDecoder for deserialisation. An unauthenticated remote attacker can exploit it by posting a crafted SOAP request to the wls-wsat endpoint, leading to remote code execution.
• SQL Injection – Injecting SQL syntax through input sent from the client to the application, exploiting a flaw in the application’s software in which untrusted input is concatenated into a database query rather than passed as a bound parameter.
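The two CVEs in the list above have well-known request shapes, which makes them straightforward to flag in web-server or proxy traffic even on a host that is not yet patched. The following is an added example (not code from the page or from CheckPoint) that parses raw HTTP requests and classifies them against both patterns: a WebDAV PROPFIND whose If: header is either over-long or contains non-ASCII bytes (CVE-2017-7269), and a POST to the /wls-wsat/ path whose body carries an XMLDecoder document instantiating a class (CVE-2017-10271). The sample requests are constructed for the example, and the 1,024-byte If: header threshold is an assumption chosen to sit well above any legitimate lock-token header; tune it to your own traffic.

```python
"""Classify raw HTTP requests against the exploitation patterns of
CVE-2017-7269 (IIS 6.0 WebDAV) and CVE-2017-10271 (WebLogic wls-wsat).

Added example; the requests below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass, field

# Assumption: legitimate WebDAV If: headers hold short ASCII lock tokens,
# so anything longer than this, or containing non-ASCII bytes, is anomalous.
IF_HEADER_LIMIT = 1024

# CVE-2017-10271 payloads wrap a java.beans.XMLDecoder document
# (<java ...><object class="..."> ...) inside the SOAP request.
XMLDECODER_RE = re.compile(r"<java\b[^>]*>.*?<object\b[^>]*class=", re.S | re.I)
WLS_WSAT_PATH = "/wls-wsat/"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.1 request; header names are lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def classify(req: Request) -> list:
    """Return the CVE identifiers whose exploitation pattern the request matches."""
    hits = []
    if_header = req.headers.get("if", "")
    if req.method.upper() == "PROPFIND" and (
        len(if_header) > IF_HEADER_LIMIT or any(ord(c) > 0x7F for c in if_header)
    ):
        hits.append("CVE-2017-7269")
    path_only = req.path.split("?", 1)[0]
    if (
        req.method.upper() == "POST"
        and path_only.startswith(WLS_WSAT_PATH)
        and XMLDECODER_RE.search(req.body)
    ):
        hits.append("CVE-2017-10271")
    return hits


def scan(samples: dict) -> dict:
    """Classify a mapping of sample name -> raw request text."""
    return {name: classify(parse_request(raw)) for name, raw in samples.items()}


# Constructed sample requests (hosts are RFC 5737 documentation addresses).
SAMPLES = {
    "iis_propfind_long_if": (
        "PROPFIND / HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 0\r\n"
        "If: <http://localhost/" + "a" * 2000 + ">\r\n\r\n"
    ),
    "iis_propfind_benign": (
        "PROPFIND /docs/report.docx HTTP/1.1\r\nHost: 192.0.2.10\r\nDepth: 0\r\n"
        "If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
    ),
    "weblogic_xmldecoder": (
        "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 192.0.2.20\r\n"
        "Content-Type: text/xml\r\n\r\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<java version="1.8.0" class="java.beans.XMLDecoder">'
        '<object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
        '<void index="0"><string>id</string></void></array><void method="start"/></object>'
        "</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    ),
    "weblogic_benign": (
        "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 192.0.2.20\r\n"
        "Content-Type: text/xml\r\n\r\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Body/></soapenv:Envelope>"
    ),
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {hits or 'clean'}")
```

The IIS check is deliberately a pair of heuristics rather than a signature for the public proof of concept, since the overflow is reached through the length and encoding of the If: header rather than any fixed string; the WebLogic check keys on the XMLDecoder structure itself, which a legitimate WS-AT SOAP request never carries.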
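The SQL injection entry above describes the flaw in one sentence; the following added example (not from the page) shows the vulnerable pattern and its fix side by side, against an in-memory SQLite table constructed for the purpose. The `users` table, its rows and the two `login` functions are illustrative assumptions, and the plaintext password column exists only to keep the example short.

```python
"""String-built SQL query beside the parameterised form, run against an
in-memory SQLite table. Added example; table, rows and functions are
constructed for illustration (passwords would be hashed in real code).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input is concatenated into the SQL text, so an attacker's
    quote and comment marker become part of the query."""
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters are sent as data and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run the same attacker-controlled input through both functions."""
    conn = make_db()
    # Closes the username literal, makes the WHERE clause always true, and
    # comments out the password check: ... username = '' OR 1=1 --' AND ...
    attacker_username = "' OR 1=1 --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, attacker_username, "wrong"),
        "safe_rejects": login_safe(conn, attacker_username, "wrong"),
        "safe_accepts_valid": login_safe(conn, "alice", "correct horse"),
        "safe_rejects_bad_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that the fix is structural: the parameterised version never builds SQL from input, so no amount of quoting, escaping or input filtering is needed for it to be safe.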