Check Point Research, the research division of Check Point Software Technologies Ltd., published the latest World Threat Index for May 2019.
The research team warns organizations to check and patch systems vulnerable to the BlueKeep Microsoft RDP vulnerability (CVE-2019-0708), which affects machines running Windows 7 and Windows Server 2008, to avoid exploitation for ransomware and cryptomining attacks.
The BlueKeep vulnerability affects about 1 million Internet-facing machines, and even more inside organizations' networks.
The vulnerability is critical because it requires no user interaction to be exploited. RDP is an established, popular attack vector that has been used to install ransomware such as SamSam and Dharma.
In recent weeks the Check Point Research team has identified multiple attempts to scan for this flaw from various countries worldwide, which could be the initial phase of an attack. In addition to the relevant Microsoft updates, Check Point provides protection against this attack both at the network and at the endpoint.
Maya Horowitz, Check Point's Information and Research Director, commented:
The biggest threat we saw last month was BlueKeep. Although there have still been no attacks exploiting it, there is plenty of evidence publicly demonstrating that the project is under way.
We agree with Microsoft and other cybersecurity observers that BlueKeep could be used to carry out attacks on a similar scale to the WannaCry and NotPetya campaigns of 2017. A single computer with this flaw can be used to infect an entire network.
Then all infected computers with Internet access can infect other vulnerable devices around the world, allowing the attack to spread exponentially at an unstoppable rate. It is therefore crucial that organizations protect themselves, and others, by patching the flaw now, before it is too late.
In other important news from the cybersecurity industry in May, the developers behind the GandCrab Ransomware-as-a-Service affiliate program announced on the last day of May that they were shutting down, and asked their partners to stop distributing the ransomware within 20 days.
The operation had been active since January 2018 and in just two months infected more than 50,000 victims. Total profits for the developers and their partners amount to billions of dollars.
As one of the malware families that appeared very frequently in the top-10 list, GandCrab was often updated with new features to evade detection tools.
Top 3 most widespread malware threats in May 2019:
* The arrows indicate the change in rank relative to the previous month.
- ↔ Cryptoloot - Cryptominer that uses the victim's central processing unit (CPU) or graphics processor (GPU) and existing resources for cryptomining: adding transactions to the blockchain and issuing new coins. It competes with Coinhive, trying to displace it by demanding a smaller percentage of revenue from websites.
- ↔ XMRig - Open-source CPU mining software used to mine the Monero cryptocurrency, first released in May 2017.
Top 3 most widespread mobile malware in May 2019:
In May, Lotoor was the most widespread mobile malware, up from second place in April. Triada falls from first place to third, while Hiddad rises from third place to second.
- ↑ Lotoor - A hacking tool that exploits vulnerabilities in the Android operating system to gain full root access on compromised mobile devices.
- ↑ Hiddad - Android malware that repackages legitimate applications and then releases them to a third-party store. Its main function is to display ads, but it is also capable of accessing key security details built into the operating system, allowing an attacker to obtain sensitive user data.
- ↓ Triada - Modular backdoor for Android that grants superuser privileges to downloaded malware, helping it embed itself in system processes. Triada has also been observed spoofing URLs loaded in the browser.
Check Point researchers also analyzed the most frequently exploited vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure is at the top, affecting 44% of organizations worldwide.
For the first time in 12 months the vulnerability CVE-2017-7269 was in second place, affecting 40% of organizations worldwide, while third place is occupied by the vulnerability CVE-2017-5638, affecting 38% of organizations worldwide.
Top 3 vulnerabilities "most likely to be exploited" for May 2019:
In May there was a return to traditional attack techniques (probably due to the decreased profitability of cryptominers), with SQL Injection at the top of the list, affecting 49% of organizations worldwide. Web Server Exposed Git Repository Information Disclosure and OpenSSL TLS DTLS Heartbeat Information Disclosure are in second and third place, affecting 44% and 41% of organizations worldwide respectively.
- ↑ SQL Injection - The attacker places crafted SQL fragments in form input so that the application building the query executes them, bypassing its controls and allowing the attacker to issue commands to the database and leak data from it.
- ↑ Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git repositories exposed on web servers. Successful exploitation could allow unauthorized disclosure of user account information.
- ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability in OpenSSL, caused by an error in the handling of TLS/DTLS heartbeat packets. An attacker could exploit it to reveal the contents of a connected client's or server's memory.
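The SQL Injection entry above describes the mechanism in one sentence; the following Python snippet is an added illustration (not part of the Check Point report) of why string-built queries fail and parameterized queries do not. It uses an in-memory SQLite database with constructed sample users; the function names, the sample credentials and the plaintext password column are assumptions made only to keep the example short.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the report).
# Passwords are stored in plaintext only to keep the example short; a real
# application would store a salted hash and compare against that.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so form input becomes SQL text.

    Crafted input such as  ' OR '1'='1  turns the WHERE clause into
    ... AND password = '' OR '1'='1'  which matches every row.
    """
    query = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (
        username,
        password,
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Sends the SQL text and the values separately (bound parameters).

    The database driver never parses the input as SQL, so the same crafted
    input is compared literally against the password column and fails.
    """
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both variants against valid and crafted input; returns the outcomes."""
    conn = make_db()
    injected = "' OR '1'='1"  # crafted form input of the kind the report describes
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, "alice", injected),
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "injected_parameterized": login_parameterized(conn, "alice", injected),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print("%-24s login granted: %s" % (case, granted))
```

The parameterized version is the mitigation the entry implies: the query shape is fixed at development time and user input can only ever be data. The same placeholder style (`?` for SQLite, `%s` for psycopg2, `:name` for many ORMs) is available in every mainstream driver, so the fix does not depend on input filtering.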