September 2018’s Most Wanted Malware: Cryptomining Attacks Against Apple Devices Increase Sharply
October 2018 by Check Point
Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017.
Coinhive now impacts 19% of organizations worldwide. Check Point’s researchers also observed a significant increase in Coinhive attacks against PCs and devices using the Safari browser, which is the primary browser on Apple devices. The ‘Cryptoloot’ mining malware climbed to 3rd place in the Threat Index, becoming the second most prevalent crypto-miner in the index. Cryptoloot aims to compete with Coinhive by asking websites for a smaller share of mining revenue than Coinhive does.
“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, commented. “What is most interesting is the four-fold increase in attacks against iPhones, and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”
“In the meantime, attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organization’s attack surface, so it’s critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.”
In September, Dorkbot, the trojan that steals sensitive information and launches denial-of-service attacks, remained in second place with a global impact of 7%.
September 2018’s Top 3 ‘Most Wanted’:
*The arrows relate to the change in rank compared to the previous month.
2. ↔ Dorkbot - the worm designed to allow remote code execution as well as downloading additional malware to the infected system.
3. ↑ Cryptoloot - Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking websites for a lower percentage of revenue.
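The Coinhive and Cryptoloot entries above describe in-browser miners: a web page pulls in a miner script, which then holds a WebSocket open to a mining pool proxy while it burns the visitor’s CPU. On a network, that pattern is visible in web proxy logs. The following Python script is an added example written for this page, not Check Point code and not a detection from the report; it parses a few constructed proxy log lines, flags requests for miner scripts or mining WebSocket endpoints, and reports which affected clients were running Safari (the browser the report singles out). The host list and the script-name pattern are assumed, illustrative indicators; a real deployment would load a maintained indicator feed instead.

```python
"""Flag Coinhive/Cryptoloot-style browser mining in proxy logs (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# ASSUMED, illustrative hostnames associated with browser-mining scripts and
# their pool proxies. Not taken from the report; replace with a maintained feed.
MINER_HOSTS = {
    "coinhive.com",
    "coin-hive.com",
    "crypto-loot.com",
    "cryptoloot.pro",
}

# ASSUMED heuristic: typical file names of miner loader scripts. A path match
# alone is weaker evidence than a host match and may need tuning per site.
MINER_PATH_RE = re.compile(
    r"/(?:lib/)?(?:coinhive|cryptoloot|miner)(?:\.min)?\.js$", re.IGNORECASE
)

# Constructed proxy log lines (not real traffic):
# <timestamp> <client ip> <method> <url> <user agent>
SAMPLE_LOG = """\
2018-09-20T10:00:01Z 10.1.1.5 GET https://news.example.com/index.html Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
2018-09-20T10:00:02Z 10.1.1.5 GET https://coinhive.com/lib/coinhive.min.js Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
2018-09-20T10:00:03Z 10.1.1.5 CONNECT wss://ws001.coinhive.com/proxy Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
2018-09-20T10:05:10Z 10.1.1.9 GET https://blog.example.net/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
2018-09-20T10:05:11Z 10.1.1.9 GET https://crypto-loot.com/lib/miner.min.js Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
2018-09-20T10:05:12Z 10.1.1.9 GET https://cdn.example.net/assets/app.js Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
"""


def parse_line(line):
    """Split one log line into its fields; the user agent keeps its spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, client, method, url = parts[:4]
    ua = parts[4] if len(parts) == 5 else ""
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def is_safari(ua):
    """Chrome and Chromium also advertise 'Safari/', so exclude them explicitly."""
    return "Safari/" in ua and "Chrome/" not in ua and "Chromium/" not in ua


def classify(event):
    """Return a verdict string for a mining-related request, or None."""
    u = urlsplit(event["url"])
    host = (u.hostname or "").lower()
    on_list = any(host == h or host.endswith("." + h) for h in MINER_HOSTS)
    if u.scheme in ("ws", "wss") and on_list:
        return "miner_websocket"   # the pool-proxy channel the miner keeps open
    if on_list or MINER_PATH_RE.search(u.path):
        return "miner_script"      # the loader script being fetched
    return None


def scan(log_text):
    """Run every line through the classifier and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict:
            findings.append({
                "client": event["client"],
                "verdict": verdict,
                "url": event["url"],
                "safari": is_safari(event["ua"]),
            })
    return findings


def summarize(findings):
    """Per-client hit counts plus the subset of clients that were using Safari."""
    per_client = Counter(f["client"] for f in findings)
    safari_clients = sorted({f["client"] for f in findings if f["safari"]})
    return {"clients": dict(per_client), "safari_clients": safari_clients}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["client"]} {h["verdict"]:16} {h["url"]} safari={h["safari"]}')
    print(summarize(hits))
```

A host match is the strong signal; the script-name heuristic exists because miner operators register new domains faster than any list is updated, so it is worth watching for the loader file names even on unknown hosts. The Safari split only mirrors the report’s segmentation, so that the same log can answer “is this the iPhone/Safari trend or something else?”.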
Once again, Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Lotoor and Triada.
September’s Top 3 ‘Most Wanted’ mobile malware:
1. Lokibot - Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.
2. Lotoor - Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
3. Triada - Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
Check Point researchers also analyzed the most exploited cyber vulnerabilities. In first place was CVE-2017-7269, with a global impact of 48%. In second place was CVE-2017-5638, with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection, impacting 42% of organizations.
September’s Top 3 ‘Most Exploited’ vulnerabilities:
1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause denial-of-service conditions on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
2. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) - A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
3. ↑ Web servers PHPMyAdmin Misconfiguration Code Injection - A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.