Researchers have discovered a new campaign by FakeUpdates, also known as SocGholish, that targets and compromises WordPress sites through compromised admin accounts. Meanwhile, Play entered the top three most wanted ransomware groups and education remained the most attacked sector globally.
Check Point® Software Technologies Ltd., provider of a cloud-delivered AI-powered cyber security platform, released its Global Threat Index for February 2024. Last month, researchers uncovered a new FakeUpdates campaign that compromises WordPress websites. These sites were infected using compromised wp-admin accounts, with the malware adapting its tactics to infiltrate sites using modified versions of genuine WordPress plugins and tricking people into downloading a remote access Trojan.
Meanwhile, even after it was taken down in late February, Lockbit3 remained the most prevalent ransomware group, responsible for 20% of published attacks, and education continued to be the most affected industry globally.
FakeUpdates, also known as SocGholish, has been operating since at least 2017 and uses JavaScript malware to target websites, especially those with content management systems. Often ranked as the most widespread malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malware, and despite efforts to stop it, it remains a significant threat to website security and user data.
This sophisticated variant of the malware has previously been associated with the Russian cybercrime group known as Evil Corp. Due to the functionality of the downloader, it is believed that the group monetizes the malware by selling access to the systems it infects, leading to other malware infections if the group provides access to multiple clients.
"Websites are the digital gateways to our world, vital to communication, commerce and networking," said Maya Horowitz, Vice President of Research at Check Point Software. "Defending them against cyber threats is not just about protecting code, it's about protecting our online presence and the core functions of our interconnected society. If cybercriminals choose to use them as a vehicle to covertly spread malware, it could affect an organization's future revenue generation and reputation. It is vital to take proactive measures and adopt a zero-tolerance culture to ensure absolute protection against threats."
Check Point's threat index also includes information from about 200 "shame" sites run by double-extortion ransomware groups, 68 of which released victim information this year to pressure non-paying targets.
Lockbit3 again took the lead last month, accounting for 20% of reported incidents, followed by Play with 8% and 8base with 7%. Entering the top three for the first time, Play claimed responsibility for a recent cyber attack on the City of Auckland.
Last month, the most exploited vulnerability was "Web Servers Malicious URL Directory Traversal", affecting 51% of organizations worldwide, followed by "Command Injection Over HTTP" and "Zyxel ZyWALL Command Injection", each affecting 50%.
Top Malware Families
* The arrows indicate the change in ranking compared with the previous month.
FakeUpdates was the most prevalent malware last month with a 5% impact on global organizations, followed by Qbot with a 3% global impact and Formbook with a 2% global impact.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates has led to further compromise through several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↔ Qbot - Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to prevent analysis and avoid detection. Starting in 2022, it emerged as one of the most widespread Trojans.
- ↔ Formbook – Formbook is an Infostealer that targets the Windows operating system and was first detected in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums for its powerful evasion techniques and relatively low price. Formbook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to commands from its C&C.
Top Exploited Vulnerabilities
Last month, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 51% of organizations worldwide, followed by "Command Injection Over HTTP" and "Zyxel ZyWALL Command Injection", each affecting 50% of organizations globally.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error on a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to expose or gain access to arbitrary files on the vulnerable server.
- ↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – An HTTP Command Injection vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) - A command injection vulnerability exists in the Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary operating system commands on the affected system.
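The directory traversal entry above comes down to a server mapping a URI to the filesystem without first canonicalising it. The following Python is an added example (not part of the Check Point report): it canonicalises request paths the way a careful server should (bounded repeated percent-decoding, backslash folding, segment collapsing) and flags access-log requests whose path would escape the document root. The log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [12/Feb/2024:10:01:07 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [12/Feb/2024:10:01:09 +0000] "GET /static/..%2f..%2f..%2fetc/shadow HTTP/1.1" 404 0
10.0.0.8 - - [12/Feb/2024:10:01:11 +0000] "GET /a/%252e%252e/%252e%252e/win.ini HTTP/1.1" 404 0
10.0.0.9 - - [12/Feb/2024:10:01:15 +0000] "GET /docs/sub/../index.html HTTP/1.1" 200 1024
10.0.0.10 - - [12/Feb/2024:10:01:20 +0000] "GET /..\\..\\boot.ini HTTP/1.1" 400 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def canonical_path(target, max_decode_rounds=3):
    """Strip query/fragment, percent-decode repeatedly (bounded, so that
    %252e%252e -> %2e%2e -> ..), fold backslashes to slashes, then collapse
    "." and ".." segments. Kept relative so leading "../" survives."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(path)


def escapes_document_root(canon):
    """True when the normalised path still points above the web root."""
    return canon == ".." or canon.startswith("../")


def find_traversal_requests(log_text):
    """Return (client_ip, raw_target, canonical_path) for every request in
    the log whose canonical path escapes the document root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        canon = canonical_path(match.group("target"))
        if escapes_document_root(canon):
            hits.append((line.split(" ", 1)[0], match.group("target"), canon))
    return hits
```

Note that the legitimate `/docs/sub/../index.html` request normalises to `docs/index.html` and is not flagged; a naive substring match on `..` would have produced a false positive there while missing the double-encoded and backslash variants.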
Top Malicious Mobile Apps
Last month Anubis remained in first place as the most prevalent mobile malware, followed by AhMyth and Hiddad.
- Anubis – Anubis is a malicious banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional features such as Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
- AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are typically used to steal sensitive information.
- Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also access key security details built into the operating system.
Top Attacked Industries Worldwide
Last month, Education/Research remained the number one attacked industry globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Top Ransomware Groups
This section includes information from nearly 200 ransomware "shame sites" run by double-extortion ransomware groups. Cybercriminals use these sites to increase pressure on victims who do not immediately pay the ransom. Data from these shame sites carries its own biases, but still provides valuable insight into the ransomware ecosystem, which is today's number one threat to businesses.
LockBit3 was the most prevalent ransomware group last month, responsible for 20% of published attacks, followed by Play with 8% and 8base with 7%.
- LockBit3 – LockBit3 is a ransomware that operates on a RaaS model and was first reported in September 2019. LockBit targets large businesses and government agencies in various countries and does not target individuals in Russia or the Commonwealth of Independent States.
- Play - Play is the name of a ransomware-type program. Malware categorized as such works by encrypting data and demanding a ransom for decryption.
- 8base – The 8Base threat group is a ransomware group that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using various variants of ransomware, with Phobos as a common element. 8Base operates with a level of sophistication, which is evidenced by the use of advanced techniques in its ransomware. The group's methods include double-extortion tactics.
The full list of the top ten malware families in February can be found on the Check Point blog.