Showing posts with label Check Point Blog.

VMworld 2018: Possible begins with agile and automated security

It’s August in Vegas and things are really starting to heat up, especially now that VMworld 2018 (#VMworld) is right around the corner! Taking place on August 26 – 30, VMworld is shaping up to be quite a showcase of all things virtual networking and beyond! We are thrilled to be returning as a Gold Sponsor for this year’s conference, and we’re excited to showcase our latest capabilities for helping organizations keep their virtual environments and mobile workforces protected from the latest fifth generation (GenV) cyber-attacks.

We’ve been a long-standing partner of VMware for many years, jointly developing leading solutions to help organizations securely transform their businesses and fully realize the benefits of the cloud and enterprise mobility. Over the past year, we’ve been hard at work enhancing our CloudGuard capabilities for VMware NSX as well as VMware Cloud on AWS, and will be showcasing it all at our booth #1256. Our cloud and mobile security teams will be on hand and ready to demo how we’re seamlessly extending our industry-leading cyber-security protections to safeguard cloud infrastructure, apps and mobile devices.

For an even deeper dive into our flagship CloudGuard for NSX solution, be sure to register for our session: Practical Guide for Delivering Advanced Security at Scale & Speed in SDDCs (#HYP3736BUS). The session is scheduled for Monday, August 27 at 11:30am, and will provide a best-practices approach as well as common use cases for deploying advanced and automated security that’s as dynamic and agile as the SDDC. Space is limited, so sign up quickly before the session fills up! Also don’t miss your opportunity to try it out for yourself in our Hands-On Labs environment (#SPL192401NETU) and see the completeness of the joint solution for securing even the most demanding environments.

We look forward to seeing you down there and keeping things cool with our cloud and mobile security suites!

from Check Point Blog https://ift.tt/2ORypPo

Quickly Gauge Your Security’s Generation With This 5-Question Quiz

by Bob Matlow, Cyber Security Advocate

 

The cyber-security world entered a new day and age when WannaCry and NotPetya wreaked havoc across hundreds of countries, causing billions of dollars of damage. Cyber criminals have adapted to this new reality by launching multi-vector, polymorphic, globally-scaled attacks – but IT professionals are lagging behind. Only 3 percent of companies have translated the new information into best practices that make their organizations more secure.

To bridge the gap between the visionary and the practical, Check Point has developed a five-question security quiz – an easy way for IT professionals to discover which of the five generations best describes their security. In addition, our experts offer advice on how to bring cyber security in each generation up to today’s standard of fifth-generation cyber security. It only takes moments to take the quiz and receive insightful feedback from world-class cyber security experts.

Take the security quiz

from Check Point Blog https://ift.tt/2MqOiij

Who You Gonna Call? Stories From the Front Line of Cyber Defense

By Check Point’s Incident Response Team

In our industry, we tell our stories with an eye toward the hackers. While the antagonists take up all the spotlight, the heroes that stop the attacks are relegated to cameo roles.

Nowadays, thought leaders in the security industry are shifting their views on sharing information after cyber attacks – instead of just shaming the victim, there’s an opportunity to safely share knowledge and intelligence for the greater good.

From the trenches of cyber-warfare, this blog is the first part of a regular series telling the Check Point incident response teams’ war stories. We hope that our experiences and insights can help the security community while educating the public on handling cyber attacks.

In the middle of April 2018, Check Point’s Managed Security Services (MSS) team and Check Point Incident Response noticed that something was amiss at a particular university in the Asia-Pacific region.

A PC in their trusted network was displaying signs of malicious activity – in this case, a known malicious command and control communication pattern – while connected to medical research equipment. The Check Point teams notified the university, which engaged the Check Point Incident Response team to investigate the incident.

The Dangers Of Lateral Movement

On arrival, we identified server message block (SMB) scanning activity and got to work on a forensic analysis. We found three suspicious files and three suspicious drivers, and further reverse-engineering analysis by our research team revealed our culprit: a new variant of the sophisticated and virulent dropper, Glupteba.

SMB is an application-layer network protocol mainly used to share files; the \\directory-style network shares commonly found in offices run over SMB. In this particular case, once the malware infects a computer, it starts scanning both the internal network and the external network (that is, the Internet) for open SMB ports, in order to “hop” to other parts of the network and infect the entire organization.
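One way a defender can surface this scanning pattern from connection logs, as an added example rather than code from the Check Point post or the tooling used in the engagement: count the distinct TCP/445 peers each source touches inside a sliding time window and flag sources that fan out past a threshold, separating internal from external targets. The log format, the address ranges in INTERNAL_NETS, the 60-second window and the threshold of 10 are all assumptions made for this example.

```python
"""Detect SMB fan-out scanning: one host touching many TCP/445 peers in a short
window, the lateral-movement pattern described in the incident above.

Added example; not Check Point's code or the tooling used in the engagement.
The connection-log format is constructed and simplified: one flow per line,
"<ISO8601 timestamp> <src_ip> <dst_ip> <dst_port> <allow|drop>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample flows (not from the incident). 10.20.5.17 probes twelve
# distinct peers on 445 within five seconds, three of them outside the
# organisation's ranges; the other sources show ordinary file-share traffic.
SAMPLE_LOG = """\
2018-04-16T09:00:01 10.20.5.17 10.20.5.1 445 allow
2018-04-16T09:00:01 10.20.5.17 10.20.5.2 445 drop
2018-04-16T09:00:02 10.20.5.17 10.20.5.3 445 drop
2018-04-16T09:00:02 10.20.5.17 10.20.5.4 445 drop
2018-04-16T09:00:02 10.20.5.17 10.20.5.5 445 drop
2018-04-16T09:00:03 10.20.5.17 203.0.113.9 445 drop
2018-04-16T09:00:03 10.20.5.17 203.0.113.10 445 drop
2018-04-16T09:00:03 10.20.5.17 203.0.113.11 445 drop
2018-04-16T09:00:04 10.20.5.17 10.20.5.8 445 drop
2018-04-16T09:00:04 10.20.5.17 10.20.5.9 445 drop
2018-04-16T09:00:05 10.20.5.17 10.20.5.10 445 drop
2018-04-16T09:00:05 10.20.5.17 10.20.5.11 445 drop
2018-04-16T09:00:10 10.20.5.40 10.20.5.1 445 allow
2018-04-16T09:00:11 10.20.5.40 10.20.5.1 445 allow
2018-04-16T09:05:00 10.20.5.41 10.20.5.1 445 allow
2018-04-16T09:06:00 10.20.5.42 10.20.5.2 80 allow
"""

# Assumed address ranges the organisation owns; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    action: str


def parse_log(text):
    """Parse the constructed flow format into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), action))
    return flows


def is_internal(addr, nets=INTERNAL_NETS):
    """True when the address falls inside one of the organisation's own ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def detect_smb_scanners(flows, window=timedelta(seconds=60), threshold=10):
    """Return {src: finding} for sources whose number of distinct TCP/445 peers
    within any `window` reaches `threshold`. Dropped flows count too: a scan is
    visible in the attempts, not only in the successes."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dst_port == 445:
            by_src[f.src].append(f)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda f: f.ts)
        peers = Counter()   # distinct peers currently inside the sliding window
        left = 0
        peak = 0
        for ev in evs:
            peers[ev.dst] += 1
            # Advance the left edge until the window is at most `window` wide.
            while ev.ts - evs[left].ts > window:
                old = evs[left].dst
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                left += 1
            peak = max(peak, len(peers))
        if peak >= threshold:
            all_peers = {f.dst for f in evs}
            findings[src] = {
                "peak_distinct_peers": peak,
                "external_peers": sorted(p for p in all_peers if not is_internal(p)),
                "first_seen": evs[0].ts,
                "last_seen": evs[-1].ts,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['peak_distinct_peers']} distinct SMB peers in one window, "
              f"external targets {info['external_peers']}")
```

Run as a script it prints the one flagged host. In production the window and threshold need tuning against the baseline of legitimate file-server traffic (a backup host legitimately talks to many shares), and dropped connections belong in the input: a segmentation rule that blocks the hop still leaves the attempt in the firewall log, and that attempt is the signal.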

That means an organization only needs one vulnerability, in only one machine, for one infection to hit the entire network. One employee connecting their phone to an unsecured Wi-Fi network, or one user giving up their credentials to a phishing email scam… just one momentary lapse and the whole organization is at risk.

WannaCry spread through hundreds of countries and caused billions of dollars of damage by using EternalBlue – the military-grade hacking weapon stolen from the NSA – and exploiting a known Microsoft SMB vulnerability. This allowed WannaCry to move laterally across networks, which is a core reason why WannaCry and NotPetya are often considered the turning point between fourth and fifth generation cyber-attacks.

Once the Check Point incident response team saw the lateral movement over SMB and identified the malware, we set out to figure out how a PC – connected only to the medical research network – got infected with this malware.

Finding Patient Zero

The network was properly segmented, meaning that the different networks with different security needs had effective barriers to prevent cross-contamination.

But somehow, the malware managed to move laterally from the open, public student network onto the private, sensitive research network. Thankfully, the university’s IT team was on top of their game and had consolidated their management far in advance.

Across all IT teams, there’s a clear best practice: consolidate the systems’ management across all networks onto a single pane of glass, and you’ll be much more effective against cyber attacks. And because the university was already following this advice, we were able to retrieve logs from both the research lab network and the public student network, giving our forensics team the clue it needed.

As we turned to the public student network, we quickly saw exactly what we needed to see: several students had the same malware on their laptops. A few questions to the faculty later, we found our patient zero.

One particular student, an occasional volunteer at the lab, had accessed the machine the day the suspicious activity began. The logs confirmed that for a few minutes, the student logged onto the medical device and connected it to the open student wireless network.

Those few minutes were all it took for the machine to get infected.

Main Takeaways

That momentary lapse in cyber hygiene was the only way the malware could get into the sensitive research network, thanks to the university’s IT team staying on top of their game and properly segmenting the networks ahead of time. If the university hadn’t segmented the two networks, then the second the Glupteba malware entered the easy-to-access public network… it would have had a much easier time getting into the research network.

The best security strategy and practice is no match for human error, but it can greatly minimize the risks. In this case, the university did segment the two networks and did consolidate the systems’ management, allowing for a quick and effective response on our part.

The university avoided disaster, but this case highlighted several important lessons:

  1. Proper network segmentation is still one of the most critical security controls – had the university not segmented its research network, the infected machine would have let the malware spread laterally and quickly attack the entire organization, even without the cross-contamination.
  2. Improperly connecting to an unsecured network can get your machine infected in the blink of an eye – so organizations should monitor devices that connect to multiple wireless networks.
  3. Patching is equally critical, and it is vital that vendors providing PCs for medical research provide/approve patches in a timely fashion.
  4. Most medical devices and research tools are mission critical and not designed with security in mind, so updating them requires downtime – in lieu of patching, isolation and micro-segmentation work in a pinch.
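As an added example (not the post’s or the university’s tooling) of what the consolidated logs in this story make possible, and of the monitoring that lesson 2 calls for: correlating an inventory of research-segment devices against the student SSID’s association log finds the device that crossed networks, and replaying the research segment’s logon/logoff log finds who was on it at that moment. The three data sources, their formats, and every hostname, MAC address and user name below are constructed for the example.

```python
"""Find which research-segment device showed up on the open student Wi-Fi and
who was logged on to it at the time, using logs from both segments.

Added example; not Check Point's or the university's tooling. All three data
sources are constructed and simplified: an asset inventory for the research
segment, a wireless-controller association log for the student SSID, and the
research segment's logon/logoff log.
"""
from datetime import datetime
from typing import NamedTuple

# Constructed research-segment inventory: hostname -> MAC address. In practice
# record every interface of a device (wired and wireless), since the wireless
# adapter's MAC is what the Wi-Fi controller logs.
RESEARCH_INVENTORY = {
    "lab-scanner-01": "aa:bb:cc:00:00:01",
    "lab-pc-02": "aa:bb:cc:00:00:02",
}

# Constructed student Wi-Fi association log: "<ts> <client_mac> <ssid> <assoc|disassoc>"
STUDENT_WIFI_LOG = """\
2018-04-16T08:12:00 de:ad:be:ef:00:10 StudentOpen assoc
2018-04-16T08:40:15 aa:bb:cc:00:00:01 StudentOpen assoc
2018-04-16T08:44:50 aa:bb:cc:00:00:01 StudentOpen disassoc
2018-04-16T09:02:00 de:ad:be:ef:00:11 StudentOpen assoc
"""

# Constructed research-segment authentication log: "<ts> <hostname> <user> <logon|logoff>"
RESEARCH_AUTH_LOG = """\
2018-04-16T07:55:00 lab-pc-02 researcher.a logon
2018-04-16T08:38:20 lab-scanner-01 student.v logon
2018-04-16T08:47:05 lab-scanner-01 student.v logoff
2018-04-16T09:30:00 lab-scanner-01 researcher.b logon
"""


class WifiEvent(NamedTuple):
    ts: datetime
    mac: str
    ssid: str
    action: str


class AuthEvent(NamedTuple):
    ts: datetime
    host: str
    user: str
    action: str


def parse_wifi(text):
    return [WifiEvent(datetime.fromisoformat(t), m, s, a)
            for t, m, s, a in (l.split() for l in text.splitlines() if l.strip())]


def parse_auth(text):
    return [AuthEvent(datetime.fromisoformat(t), h, u, a)
            for t, h, u, a in (l.split() for l in text.splitlines() if l.strip())]


def cross_network_sessions(inventory, wifi_events):
    """Return (hostname, joined, left) for inventory devices seen on the student
    SSID. `left` is None when no disassociation was logged (still connected)."""
    mac_to_host = {mac.lower(): host for host, mac in inventory.items()}
    open_sessions = {}
    sessions = []
    for ev in sorted(wifi_events, key=lambda e: e.ts):
        host = mac_to_host.get(ev.mac.lower())
        if host is None:
            continue  # a student's own device, not a research asset
        if ev.action == "assoc":
            open_sessions[host] = ev.ts
        elif ev.action == "disassoc" and host in open_sessions:
            sessions.append((host, open_sessions.pop(host), ev.ts))
    sessions.extend((host, joined, None) for host, joined in open_sessions.items())
    return sessions


def logged_on_user(auth_events, host, at):
    """Replay logon/logoff events up to `at` and return the user holding the
    open session on `host`, or None if nobody was logged on."""
    current = {}
    for ev in sorted(auth_events, key=lambda e: e.ts):
        if ev.ts > at:
            break
        if ev.action == "logon":
            current[ev.host] = ev.user
        elif ev.action == "logoff" and current.get(ev.host) == ev.user:
            del current[ev.host]
    return current.get(host)


def find_patient_zero(inventory, wifi_events, auth_events):
    """Combine both correlations: one finding per cross-network session."""
    return [
        {"host": host, "mac": inventory[host], "joined": joined, "left": left,
         "user": logged_on_user(auth_events, host, joined)}
        for host, joined, left in cross_network_sessions(inventory, wifi_events)
    ]


if __name__ == "__main__":
    for f in find_patient_zero(RESEARCH_INVENTORY, parse_wifi(STUDENT_WIFI_LOG),
                               parse_auth(RESEARCH_AUTH_LOG)):
        print(f"{f['host']} ({f['mac']}) joined the student SSID at {f['joined']} "
              f"until {f['left']}; logged-on user: {f['user']}")
```

The same join can run continuously rather than after the fact: a research-asset MAC appearing in the student SSID’s association stream is itself an alert condition, which is the monitoring lesson 2 asks for, and it only works when both segments’ logs land in one place with synchronised clocks.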

In The Fifth-Generation of Cyber Attacks, Prevention Is The Best Cure

Our intelligence shows that many malware families are incorporating the sophisticated, fifth-generation lateral-movement tools that we saw in this incident, and organizations need to be prepared for a breach. From the response perspective, micro-segmentation and inspecting internal traffic for lateral movement, along with Endpoint Detection and Response, were all critical to swiftly resolving the issue.

But more than anything, the main takeaway, as we say time and time again: investing in prevention is much cheaper than having the best tools to detect a breach.

Stay tuned for more cyber-war stories from the Incident Response Team by following us on:

Twitter: http://www.twitter.com/checkpointsw

Facebook: https://www.facebook.com/checkpointsoftware

Blog: http://blog.checkpoint.com

YouTube: http://www.youtube.com/user/CPGlobal

LinkedIn: https://ift.tt/1WDCNPt

from Check Point Blog https://ift.tt/2whUPBV

July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018

Three IoT vulnerabilities entered July’s top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018.

During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D-Link DSL-2750B router Remote Command Execution at #7; and Dasan GPON router Authentication Bypass at #10. Together, 45% of all organizations across the world were impacted by attacks targeting these vulnerabilities, compared with 35% in June 2018 and 21% in May. These vulnerabilities all enable attackers to execute malicious code and gain remote control of the target devices.

Known vulnerabilities offer cyber-criminals an easy and relatively frictionless entry point into corporate networks, enabling them to propagate a wide range of attacks. IoT vulnerabilities, in particular, are often ‘the path of least resistance’, as once one device is compromised, it can be straightforward to infiltrate further connected devices. As such, organizations must apply patches as soon as they’re available in order to secure their networks from known vulnerabilities.

But in order to protect against both known and unknown vulnerabilities, enterprises must employ a multi-layered cybersecurity strategy that protects against both attacks from established malware families and brand-new threats.

Coinhive remained the most prevalent malware, impacting 19% of organizations worldwide. Cryptoloot and Dorkbot were ranked in second and third place respectively, each with a global impact of 7%.

July 2018’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Crypto miner designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript uses a great deal of the end user’s computational resources to mine coins and might crash the system.
  2. ↔ Cryptoloot – Crypto miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a smaller percentage of revenue from websites.
  3. ↔ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↔ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
  5. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↓ Roughted – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  7. ↔ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  8. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  9. ↔ Fireball – Browser hijacker that can be turned into a fully functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  10. ↔ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Triada and Guerilla.

July’s Top 3 ‘Most Wanted’ mobile malware:

  1. Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone in case its admin privileges are removed.
  2. Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Guerilla – Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

Check Point researchers also analysed the most exploited cyber vulnerabilities. In first was CVE-2017-7269, with a global impact of 47%. In second place was CVE-2017-5638 with a global impact of 42%, closely followed by OpenSSL TLS DTLS Heartbeat Information Disclosure, impacting 41% of organizations around the world.

July’s Top 10 ‘Most Wanted’ Vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. That is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  2. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2 using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↓ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
  5. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  7. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↓ Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles XML decoding. A successful attack could lead to remote code execution.
  9. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  10. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.

The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html

from Check Point Blog https://ift.tt/2MKVmmD

July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018

Three IoT vulnerabilities entered July’s top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018.

 

During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D-Link DSL-2750B router Remote Command Execution at #7; and Dasan GPON router Authentication Bypass at #10. Together, 45% of all organizations across the world were impacted by attacks targeting these vulnerabilities, compared with 35% in June 2018 and 21% in May. These vulnerabilities all enable attackers to execute malicious code and gain remote control of the target devices.

 

Known vulnerabilities offer cyber-criminals an easy and relatively frictionless entry point into corporate networks, enabling them to propagate a wide range of attacks. IoT vulnerabilities, in particular, are often ‘the path of least resistance’, as once one device is compromised, it can be straightforward to infiltrate further connected devices. As such, organizations must apply patches as soon as they’re available in order to secure their networks from known vulnerabilities.

 

But in order to protect against both known and unknown vulnerabilities, enterprises must employ a multi-layered cybersecurity strategy that protects against attacks by established malware families as well as brand-new threats.

 

Coinhive remained the most prevalent malware, impacting 19% of organizations worldwide. Cryptoloot and Dorkbot were ranked in second and third place respectively, each with a global impact of 7%.

 

July 2018’s Top 10 ‘Most Wanted’ Malware:

 

*The arrows relate to the change in rank compared to the previous month.

 

  1. ↔ Coinhive – Crypto-miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript uses a great deal of the end user’s computational resources to mine coins and might crash the system.
  2. ↔ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a smaller percentage of revenue from websites.
  3. ↔ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↔ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but which can be modified to create different types of botnets.
  5. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↓ Roughted – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  7. ↔ XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  8. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  9. ↔ Fireball – Browser hijacker that can be turned into a fully functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  10. ↔ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

 

Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Triada and Guerilla.

 

July’s Top 3 ‘Most Wanted’ mobile malware:

 

  1. Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.
  2. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Guerilla – Android ad-clicker that can communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

 

Check Point researchers also analysed the most exploited cyber vulnerabilities. In first place was CVE-2017-7269, with a global impact of 47%. In second place was CVE-2017-5638 with a global impact of 42%, closely followed by OpenSSL TLS DTLS Heartbeat Information Disclosure, impacting 41% of organizations around the world.

 

July’s Top 10 ‘Most Wanted’ Vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  2. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid Content-Type header as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↓ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin, due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
  5. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  7. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↓ Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists in Oracle WebLogic WLS, due to the way Oracle WebLogic handles XML decoding. A successful attack could lead to remote code execution.
  9. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  10. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.

 

The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

 

Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html

The post July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 appeared first on Check Point Blog.



from Check Point Blog https://ift.tt/2MKVmmD

July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018

Three IoT vulnerabilities entered July’s top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018.

 

During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D_Link DSL-2750B router Remote Command Execution at #7; and Dasan GPON router Authentication Bypass at #10. Together, 45% of all organizations across the world were impacted by attacks targeting these vulnerabilities, compared with 35% in June 2018 and 21% in May.  These vulnerabilities all enable attackers to execute malicious code and gain remote control of the target devices.

 

Known vulnerabilities offer cyber-criminals an easy and relatively frictionless entry point into corporate networks, enabling them to propagate a wide range of attacks. IoT vulnerabilities, in particular, are often ‘the path of least resistance’, as once one device is compromised, it can be straightforward to infiltrate further connected devices.  As such, organizations must apply patches as soon as they’re available in order to secure their networks from known vulnerabilities.

 

But in order to protect from both known and unknown vulnerabilities, enterprises must employ a multi-layered cybersecurity strategy that protects against both established malware families cyber-attacks and brand new threats.

 

Coinhive remained the most prevalent malware, with impact on 19% of organization worldwide. Cryptoloot and Dorkbot were ranked in second and third place respectively, each with a global impact of 7%.

 

July’s 2018’s Top 10 ‘Most Wanted’ Malware:

 

*The arrows relate to the change in rank compared to the previous month.

 

  1. ↔ Coinhive – Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
  2. ↔ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
  3. ↔Dorkbot- IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↔ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
  5. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives
  6. ↓ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  7. ↔ XMRig– XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  8. ↑ Conficker- Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  9. ↔ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  10. ↔ Ramnit– Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

 

Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates followed by the Lokibot and Guerilla.

 

July’s Top 3 ‘Most Wanted’ mobile malware:

 

  1. Lokibot –  Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed.
  2. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Guerilla– Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

 

Check Point researchers also analysed the most exploited cyber vulnerabilities. In first was CVE-2017-7269, with a global impact of 47%. In second place was CVE-2017-5638 with a global impact of 42%, closely followed by OpenSSL TLS DTLS Heartbeat Information Disclosure, impacting 41% of organizations around the world.

 

July’s Top 10 ‘Most Wanted’ Vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
  2. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↓ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
  5. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  7. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↓ Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles xml decodes. A successful attack could lead to a remote code execution.
  9. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  10. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

 

The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

 

 

 

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

 

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

The post July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 appeared first on Check Point Blog.



from Check Point Blog https://ift.tt/2MKVmmD

July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018

Three IoT vulnerabilities entered July’s top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018.

 

During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D_Link DSL-2750B router Remote Command Execution at #7; and Dasan GPON router Authentication Bypass at #10. Together, 45% of all organizations across the world were impacted by attacks targeting these vulnerabilities, compared with 35% in June 2018 and 21% in May.  These vulnerabilities all enable attackers to execute malicious code and gain remote control of the target devices.

 

Known vulnerabilities offer cyber-criminals an easy and relatively frictionless entry point into corporate networks, enabling them to propagate a wide range of attacks. IoT vulnerabilities, in particular, are often ‘the path of least resistance’, as once one device is compromised, it can be straightforward to infiltrate further connected devices.  As such, organizations must apply patches as soon as they’re available in order to secure their networks from known vulnerabilities.

 

But in order to protect from both known and unknown vulnerabilities, enterprises must employ a multi-layered cybersecurity strategy that protects against both established malware families cyber-attacks and brand new threats.

 

Coinhive remained the most prevalent malware, with impact on 19% of organization worldwide. Cryptoloot and Dorkbot were ranked in second and third place respectively, each with a global impact of 7%.

 

July’s 2018’s Top 10 ‘Most Wanted’ Malware:

 

*The arrows relate to the change in rank compared to the previous month.

 

  1. ↔ Coinhive – Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
  2. ↔ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
  3. ↔Dorkbot- IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↔ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
  5. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives
  6. ↓ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  7. ↔ XMRig– XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  8. ↑ Conficker- Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  9. ↔ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  10. ↔ Ramnit– Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

 

Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates followed by the Lokibot and Guerilla.

 

July’s Top 3 ‘Most Wanted’ mobile malware:

 

  1. Lokibot –  Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed.
  2. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Guerilla– Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

 

Check Point researchers also analysed the most exploited cyber vulnerabilities. In first was CVE-2017-7269, with a global impact of 47%. In second place was CVE-2017-5638 with a global impact of 42%, closely followed by OpenSSL TLS DTLS Heartbeat Information Disclosure, impacting 41% of organizations around the world.

 

July’s Top 10 ‘Most Wanted’ Vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
  2. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↓ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
  5. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  7. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↓ Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles xml decodes. A successful attack could lead to a remote code execution.
  9. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  10. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

 

The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

 

 

 

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

 

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

The post July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 appeared first on Check Point Blog.



from Check Point Blog https://ift.tt/2MKVmmD

July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018

Three IoT vulnerabilities entered July’s top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018.

 

During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D_Link DSL-2750B router Remote Command Execution at #7; and Dasan GPON router Authentication Bypass at #10. Together, 45% of all organizations across the world were impacted by attacks targeting these vulnerabilities, compared with 35% in June 2018 and 21% in May.  These vulnerabilities all enable attackers to execute malicious code and gain remote control of the target devices.

 

Known vulnerabilities offer cyber-criminals an easy and relatively frictionless entry point into corporate networks, enabling them to propagate a wide range of attacks. IoT vulnerabilities, in particular, are often ‘the path of least resistance’, as once one device is compromised, it can be straightforward to infiltrate further connected devices.  As such, organizations must apply patches as soon as they’re available in order to secure their networks from known vulnerabilities.

 

But in order to protect from both known and unknown vulnerabilities, enterprises must employ a multi-layered cybersecurity strategy that protects against both established malware families cyber-attacks and brand new threats.

 

Coinhive remained the most prevalent malware, with impact on 19% of organization worldwide. Cryptoloot and Dorkbot were ranked in second and third place respectively, each with a global impact of 7%.

 

July’s 2018’s Top 10 ‘Most Wanted’ Malware:

 

*The arrows relate to the change in rank compared to the previous month.

 

  1. ↔ Coinhive – Crypto miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript consumes a large share of the end user’s computational resources to mine coins and may crash the system.
  2. ↔ Cryptoloot – Crypto miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to undercut it by asking websites for a smaller percentage of the revenue.
  3. ↔ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↔ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware to infected hosts, but which can be modified to create different types of botnets.
  5. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, a site can run the miner directly in the visitor’s browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↓ Roughted – Large-scale malvertising campaign used to deliver victims to various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and uses ad-blocker bypassing and fingerprinting to make sure it delivers the most relevant attack.
  7. ↔ XMRig – Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
  8. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled as part of a botnet and contacts its command-and-control server to receive instructions.
  9. ↔ Fireball – Browser hijacker that can be turned into a fully functioning malware downloader. It is capable of executing any code on the victim machine, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  10. ↔ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
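The three browser miners in this list are embedded in a page the same way: a script tag pulls the miner library from the operator's host and, for Coinhive and Cryptoloot, an inline script creates and starts the miner object, so a static scan of page content catches most embeds before anyone notices the CPU load the Coinhive entry describes. The Python below is an added example written for this page, not Check Point code. The loader hostnames, the `CRLT` object name used by Cryptoloot and the two sample pages are assumptions: they reflect the commonly reported loaders at the time of this report, not a complete or current indicator feed, and the site key in the sample page is a placeholder.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Loader hosts of the in-browser miners in the list above (assumed indicator
# set for illustration; treat as a starting point, not a live feed).
MINER_HOSTS = {
    "coinhive.com": "Coinhive",
    "coin-hive.com": "Coinhive",
    "crypto-loot.com": "Cryptoloot",
    "jsecoin.com": "Jsecoin",
}

# Inline constructor calls that create the miner object (CoinHive.* is the
# documented Coinhive API; CRLT is the assumed Cryptoloot object name).
INLINE_PATTERNS = [
    (re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\("), "Coinhive"),
    (re.compile(r"\bCRLT\.Anonymous\s*\("), "Cryptoloot"),
]


class MinerScanner(HTMLParser):
    """Collect external script sources and inline script bodies, flag miner indicators."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []   # (family, evidence)
        self._in_script = False
        self._inline: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src:
            # urlparse also extracts the host from scheme-relative "//host/..." sources
            host = (urlparse(src).hostname or "").lower()
            for known, family in MINER_HOSTS.items():
                # exact host or any subdomain (e.g. load.jsecoin.com)
                if host == known or host.endswith("." + known):
                    self.findings.append((family, src))

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() != "script":
            return
        self._in_script = False
        body = "".join(self._inline)
        self._inline = []
        for pattern, family in INLINE_PATTERNS:
            m = pattern.search(body)
            if m:
                self.findings.append((family, m.group(0)))


def scan_html(page: str) -> List[Tuple[str, str]]:
    """Return (family, evidence) pairs for every miner indicator found in the page."""
    parser = MinerScanner()
    parser.feed(page)
    parser.close()
    return parser.findings


# Constructed pages for the example, not captured from a real site.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEYPLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>Welcome</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>document.title = "Hello";</script>
</head><body>Welcome</body></html>"""


if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

Run over a web proxy's cached responses or over your own site's templates, this flags both the loader include and the inline start call, so a page that only references the library (for instance a blocked or dead include) is distinguishable from one that actually starts mining.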

 

Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Triada and Guerilla.

 

July’s Top 3 ‘Most Wanted’ mobile malware:

 

  1. Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are revoked.
  2. Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Guerilla – Android ad-clicker which can communicate with a remote command-and-control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

 

Check Point researchers also analysed the most exploited vulnerabilities. In first place was CVE-2017-7269, with a global impact of 47%. In second place was CVE-2017-5638 with a global impact of 42%, closely followed by OpenSSL TLS DTLS Heartbeat Information Disclosure (Heartbleed), impacting 41% of organizations around the world.

 

July’s Top 10 ‘Most Wanted’ Vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. The cause is a buffer overflow resulting from improper validation of a long header in the HTTP request.
  2. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending a crafted Content-Type header as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↓ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
  5. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  7. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↓ Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists within the Oracle WebLogic WLS Security component, due to the way WebLogic handles XML decoding. A successful attack could lead to remote code execution.
  9. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  10. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
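Five of the ten entries are exploited over plain HTTP and each has a recognisable request shape, which is what a WAF or IDS signature matches on. The Python below is an added example for this page, not Check Point or vendor code: it encodes one coarse rule per entry and runs them over constructed requests. The rules use the public request shapes (OGNL markers where a multipart Content-Type belongs, an overlong `If:` header on an IIS PROPFIND, a query string that decodes to a php-cgi switch, an XMLDecoder payload posted under `/wls-wsat/`, and `?images/` on a GPON router URL); the 512-byte header cut-off, the `Request` type and every sample request are assumptions for illustration. The two OpenSSL entries (Heartbleed and CVE-2016-6309) are TLS-layer bugs and are not visible at this level.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import unquote


@dataclass
class Request:
    """One HTTP request as a log pipeline might hand it over (constructed, not captured)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def struts_content_type(r: Request) -> bool:
    # CVE-2017-5638: an OGNL expression where a multipart Content-Type header belongs.
    ct = r.header("Content-Type")
    return "%{" in ct or "#_memberAccess" in ct or "ognl." in ct.lower()


def iis_webdav_propfind(r: Request) -> bool:
    # CVE-2017-7269: PROPFIND carrying an overlong If: header to IIS 6.0 WebDAV.
    # 512 bytes is a tuning assumption; legitimate lock tokens are far shorter.
    return r.method.upper() == "PROPFIND" and len(r.header("If")) > 512


def php_cgi_argv(r: Request) -> bool:
    # CVE-2012-1823 family: a query string that decodes to a php-cgi switch such as
    # "-d allow_url_include=1"; the "=" is URL-encoded in the wild so that the raw
    # query has no literal "=" and php-cgi treats it as argv.
    query = unquote(r.path.partition("?")[2])
    return re.match(r"\s*-[A-Za-z]", query) is not None


def weblogic_xmldecoder(r: Request) -> bool:
    # CVE-2017-10271: XMLDecoder payload in a SOAP WorkContext header posted to /wls-wsat/.
    return (r.method.upper() == "POST" and r.path.startswith("/wls-wsat/")
            and ("java.beans.XMLDecoder" in r.body or "<work:WorkContext" in r.body))


def gpon_auth_bypass(r: Request) -> bool:
    # CVE-2018-10561: "?images/" appended to the URL makes the router skip its login check.
    return "?images/" in r.path


RULES: Dict[str, Callable[[Request], bool]] = {
    "CVE-2017-5638": struts_content_type,
    "CVE-2017-7269": iis_webdav_propfind,
    "CVE-2012-1823": php_cgi_argv,
    "CVE-2017-10271": weblogic_xmldecoder,
    "CVE-2018-10561": gpon_auth_bypass,
}


def detections(r: Request) -> List[str]:
    """CVE labels whose rule matches this request (empty list when clean)."""
    return [cve for cve, rule in RULES.items() if rule(r)]


# Constructed sample requests: one per rule plus two benign ones.
SAMPLES: Dict[str, Request] = {
    "benign_get": Request("GET", "/index.html", {"Host": "www.example.com"}),
    "benign_upload": Request("POST", "/upload.action",
                             {"Content-Type": "multipart/form-data; boundary=----x1"}),
    "struts": Request("POST", "/upload.action",
                      {"Content-Type": "%{(#_='multipart/form-data').(#x=1)}"}),
    "iis_webdav": Request("PROPFIND", "/",
                          {"Host": "10.0.0.5", "If": "<http://10.0.0.5/" + "A" * 600 + ">"}),
    "php_cgi": Request("GET", "/index.php?-d+allow_url_include%3d1"),
    "weblogic": Request("POST", "/wls-wsat/CoordinatorPortType", {"Content-Type": "text/xml"},
                        '<soapenv:Envelope><soapenv:Header><work:WorkContext>'
                        '<java class="java.beans.XMLDecoder"></java>'
                        '</work:WorkContext></soapenv:Header></soapenv:Envelope>'),
    "gpon": Request("GET", "/menu.html?images/"),
}


def scan(samples: Dict[str, Request]) -> Dict[str, List[str]]:
    """Run every rule over every sample; only names with at least one hit are returned."""
    return {name: hits for name, r in samples.items() if (hits := detections(r))}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:14s} -> {', '.join(hits)}")
```

The benign multipart upload is included deliberately: a rule that fires on every `multipart/form-data` request, rather than on the OGNL markers, would drown the Struts signal in file uploads. Note too that these checks see the decoded path, so URL-encoded variants of the php-cgi switch still match.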

 

The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.


Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

 

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

The post July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 appeared first on Check Point Blog.



from Check Point Blog https://ift.tt/2MKVmmD

Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading

Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads...