Communication Threats H  Top Attack  Top Port Attack  Infiltration  Communication  Blacklist

March  2020

Source: Checkpoint

Top malware families
*The arrows relate to the change in rank compared to the previous month.

This month XMRig remains in 1st place, impacting 5% of organizations globally, followed by Jsecoin and Dridex impacting 4% and 3% of organizations worldwide respectively.

XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild on May 2017.
↑Jsecoin – Jsecoin is a web-based cryptominer, designed to perform online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user’s computational resources to mine coins, thus impacting the system performance.
↑ Dridex – Dridex is a Banking Trojan that targets the Windows platform, and is delivered by spam campaigns and exploit kits, which rely on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control.
Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purposed campaigns.
↓ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet was once employed as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malware.
Agent Tesla – Agent Tesla is an advanced RAT, functioning as a keylogger and a password stealer. Agent Tesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating
credentials from a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
↓ Lokibot – Lokibot is an Info Stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
↓ Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
↑ RigEK– RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
Top exploited vulnerabilities
This month the “MVPower DVR Remote Code Execution” remains the most common exploited vulnerability, impacting 30% of organizations globally, closely followed by “PHP php-cgi Query String Parameter Code Execution” with a global impact of 29%. In 3rd place “OpenSSL TLS DTLS Heartbeat Information Disclosure” is impacting 27% of organizations worldwide.

MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ PHP php-cgi Query String Parameter Code Execution – A remote code execution vulnerability that has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation allows an attacker to execute arbitrary code on the target.
↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
↓ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
↑Huawei HG532 Router Remote Code Execution – A remote code execution vulnerability exists in Huawei HG532 Routers. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ D-Link DSL-2750B Remote Command Execution – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
↓PHP DIESCAN information disclosure – An information disclosure vulnerability that has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
↓SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
↑ OpenSSL Padding Oracle Information Disclosure – An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.
Top malware families – Mobile
This month xHelper retained the 1st place in the most prevalent mobile malware, followed by AndroidBauts and Lotoor.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstall itself in case if uninstalled.
AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
Lotoor – A hacking tool that exploits vulnerabilities on Android operating systems to gain root privileges on compromised mobile devices.

List

Name

Communication

Risk

Total

Wifi

Wi-Fi (nebo také Wi-fi, WiFi, Wifi, wi-fi, wifi) je v informatice označení pro několik standardů IEEE 802.11 popisujících bezdrátovou komunikaci v počítačových sítích (též Wireless LAN, WLAN). Samotný název WiFi vytvořilo Wireless Ethernet Compatibility Aliance. Tato technologie využívá tak zvaného „bezlicenčního frekvenčního pásma“, proto je ideální pro budování levné, ale výkonné sítě bez nutnosti pokládky kabelů.

 

 

 

36

LAN

Local Area Network (též LAN, lokální síť, místní síť) označuje počítačovou síť, která pokrývá malé geografické území (např. domácnosti, malé firmy).

 

 

 

500

Bluetooth

Bluetooth je v informatice proprietární otevřený standard pro bezdrátovou komunikaci propojující dvě a více elektronických zařízení, jako například mobilní telefon, PDA, osobní počítač nebo bezdrátová sluchátka. Vytvořen byl v roce 1994 firmou Ericsson jako bezdrátová náhrada za sériové drátové rozhraní RS-232.

 

 

 

6

InfraPort

Infračervený port je rozhraní pro přenos dat prostřednictvím infračerveného záření. K posílání dat je nutné, aby na sebe obě zařízení navzájem „mířila“ portem a aby od sebe byla vzdálena maximálně desítky centimetrů.

 

 

 

4

UMTS

UMTS - Universal Mobile Telecommunication System – je další stupeň (3G) vývoje GSM sítí v rámci 3GPP. Účastník v síti GSM, který má aktivovaný datový tarif a telefon s podporou UMTS, bude v místech, kde je dostupný UMTS signál, automaticky UMTS používat. V budoucnosti může UMTS sloužit i pro přenos telefonních hovorů.

 

 

 

?

3G

3G (též „třetí generace mobilních telekomunikačních technologií“) je zkratka označující mobilní zařízení a mobilní sítě podle vyhovující standardu International Mobile Telecommunications-2000 (IMT-2000) vydaného unií ITU. Standard 3G nabízí možnost bezdrátového přenosu hlasu (telefonní hovor) a dat (přístup k Internetu, e-mail), videotelefonii a mobilní televizi s rychlostí alespoň 200 kbps. Pozdější vydání standardu 3G je občas označováno jako 3.5G nebo 3.75G (HSPA) s rychlostí jednotek Mbps.

 

 

 

?

4G

4G is the fourth generation of broadband cellular network technology, succeeding 3G. A 4G system must provide capabilities defined by ITU in IMT Advanced. Potential and current applications include amended mobile web access, IP telephony, gaming services, high-definition mobile TV, video conferencing, and 3D television.

 

 

 

10

5G

5th generation mobile networks or 5th generation wireless systems, abbreviated 5G, are the proposed next telecommunications standards beyond the current 4G/IMT-Advanced standards.

 

 

 

0

LTE

LTE je technologie určená pro vysokorychlostní Internet v mobilních sítích. Formálně jde o technologii spadající do standardu 3G. Následovník LTE Advanced již bude plnohodnotné 4G řešení

 

 

 

50