Cryptominers in opmars in tweede helft 2017

Check Point Software Technologies Ltd. (NASDAQ: CHKP) onthult in zijn H2 2017 Global Threat Intelligence Trends rapport dat cybercriminelen in toenemende mate gebruik maken van cryptominers om illegale inkomstenstromen te genereren. Ransomware en ‘malvertising’ adware daarentegen blijven een doorn in het oog van organisaties wereldwijd.

Van juli tot en met december 2017 werd een op de vijf organisaties getroffen door cryptomining malware. Dit zijn tools die cybercriminelen in staat stellen om de CPU- of GPU-kracht en bestaande resources van hun slachtoffers te kapen om cryptocurrency te mijnen. Hierbij kunnen ze tot wel 65% van de CPU-kracht van de eindgebruiker misbruiken.

Het H2 2017 Global Threat Intelligence Trends Report belicht de belangrijkste methoden die cybercriminelen gebruiken om organisaties aan te vallen en geeft daarnaast een gedetailleerd overzicht van het dreigingslandschap in de belangrijkste malware-categorieën – ransomware, banking en mobile. Het rapport is gebaseerd op data van Check Point’s ThreatCloud Intelligence tussen juli en december 2017.

Bekijk hieronder de highlights van het rapport:

########################

Check Point researchers detected a number of key malware trends during the period, including:

●     Cryptocurrency Miners Frenzy – While crypto-miners are commonly used by individuals to mine their own coins, the rising public interest in virtual currencies has slowed the mining process, which depends directly on the number of currency holders. This slowdown has increased the computational power needed to mine crypto-coins, which led cybercriminals to think of new ways to harness the computation resources of an unsuspecting public.

●     Decrease in Exploit Kits – Up until a year ago, Exploit Kits used to be a prime attack vector. During 2017 however, the use of Exploit Kits has significantly decreased as once exploited platforms have become more secure. The rapid response to new vulnerabilities exposed in these products by security vendors and leading browser developers, along with automatic updates of newer versions, have also significantly shortened the shelf life of new exploits.

●     Increase in Scam Operations and Malspam – Throughout 2017, the ratio between infections based on HTTP and STMP shifted in favor of SMTP, from 55% in the first half of 2017 to 62% in the second. The increase in the popularity of these distribution methods attracted skilled threat actors who brought with them an advanced practice that included various exploitations of vulnerabilities in documents, especially in Microsoft Office.

●     Mobile malware reaches enterprise level – In the last year, we have witnessed several attacks directed at enterprises originating from mobile devices. This includes mobile devices acting as a proxy, triggered by the MilkyDoor malware, andused to collect internal data from the enterprise network.. Another type is mobile malware, such as the Switcher malware, that attempts to attack network elements (e.g. routers) to redirect network traffic to a malicious server under the attacker’s control.

Maya Horowitz, Threat Intelligence Group Manager at Check Point commented: “The second half of 2017 has seen crypto-miners take the world by storm to become a favorite monetizing attack vector. While this is not an entirely new malware type, the increasing popularity and value of cryptocurrency has led to a significant increase in the distribution of crypto-mining malware. Also, there has been a continuation of trends, such as ransomware, that date back to 2016, which is still a leading attack vector, used for both global attacks and targeted attacks against specific organizations. 25% of the attacks we saw in this period exploit vulnerabilities discovered over a decade ago, and less than 20% use ones from the last couple of years. So it’s clear that there is still a lot that organizations need to do to fully protect themselves against attacks.”

1.    Roughted (15.3%) – A purveyor of ad-blocker aware malvertising responsible for a range of scams, exploits, and malware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.

2.    Coinhive (8.3%) – A crypto-miner designed to perform online mining of the Monero cryptocurrency without the user’s approval when a user visits a web page. Coinhive only emerged in September 2017 but has hit 12% of organizations worldwide hit by it.

3.    Locky (7.9%) – Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user files.

1.    Locky (30%) – Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user files.

2.    Globeimposter (26%) – Distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.

3.    WannaCry (15%)  – Ransomware that was spread in a large scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue, in order to propagate within and between networks.

1.    Hidad (55%) – Android malware which repackages legitimate apps and then releases them to a third-party store. It is able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

2.    Triada (8%) – A Modular Backdoor for Android which grants superuser privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

3.    Lotoor (8%) – A hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges.

1.    Ramnit (34%) – A banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

2.    Zeus (22%) – A Trojan that targets Windows platforms and often uses them to steal banking information by man-in-the-browser keystroke logging and form grabbing.

3.    Tinba (16%) – A banking Trojan which steals the victim’s credentials using web-injects, activated as the user tries to login to their banking website.

The statistics in this report are based on data drawn from the Check Point’s ThreatCloud intelligence between July and December 2017. Check Point’s ThreatCloud intelligence is the largest collaborative network to fight cybercrime and delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

################

Check Point Software Technologies Ltd, de grootste pure-play security leverancier wereldwijd, biedt toonaangevende oplossingen en beschermt klanten tegen cyberaanvallen met een ongeëvenaarde vangst ratio van malware en andere soorten aanvallen. Check Point biedt een complete security-architectuur met zeer uitgebreide en intuïtieve beheeroplossingen, die de netwerken tot en met de mobiele toestellen van bedrijven beschermt. Check Point beschermt meer dan 100.000 organisaties van elke omvang.