Check Point Research (CPR) has published its latest Global Threat Index for September 2022 which indicates that while Formbook is still the most prevalent malware – impacting 3% of organisations worldwide – Vidar is now in eighth position, up seven places from August.
Vidar is an infostealer designed to give threat actors backdoor access, enabling them to steal sensitive banking information, login credentials, IP addresses, browser history and crypto wallets from infected devices. The increase in its prevalence follows a malicious campaign in which fake Zoom websites, such as zoomus[.]website and zoom-download[.]space, were used to lure users into downloading the malware. Formbook, an infostealer targeting Windows OS, remains in first place.
Since the onset of the Russia-Ukraine war, CPR has continued to monitor the impact on cyberattacks in both countries. While the conflict intensifies, CPR’s Global Threat Index for September notes a significant change in the “threat rank” of many Eastern European countries. The threat rank represents how much an organisation in a specific country is being attacked compared to the rest of the world. During September, Ukraine jumped 26 places, Poland and Russia moved up 18 places each, and both Lithuania and Romania moved up 17 places, among others. All these countries are now among the top 25, with the largest deterioration in their ranking occurring in the past month.
“As the war on the ground continues, so too does the war in cyberspace. It’s likely no coincidence that the threat ranks of many Eastern European countries have increased this last month. All organisations are at risk and must shift to a prevent-first cybersecurity strategy before it’s too late,” says Maya Horowitz, VP Research at Check Point. “In terms of the most prevalent malwares in September, it’s interesting to see Vidar leap into the top 10 after a long absence. Users of Zoom need to stay alert to fraudulent links as this is how the Vidar malware has been distributed lately. Always keep an eye out for inconsistencies or misspelled words in URLs. If it looks suspicious, it probably is.”
CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 43% of organisations worldwide, closely followed by “Apache Log4j Remote Code Execution” which dropped from first place to second, with an impact of 42%. September also saw Education/Research remain in first place as the most attacked industry globally.
Top Malware Families
This month, Formbook is still the most prevalent malware impacting 3% of organisations worldwide, followed by XMRig and AgentTesla which both impact 2% of organisations globally.
In South Africa, XLoader is the most prevalent malware, impacting 7.85% of organisations in the country, followed by XMRig and Ramnit, both with a country impact of 3.41%.
1. Formbook – FormBook is an Infostealer targeting Windows OS and was first detected in 2016. It is marketed as a Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various Web browsers, collects screenshots, monitors and logs keystrokes and can download and execute files according to orders from its C&C.
2. XMRig – XMRig is open-source CPU mining software for the Monero cryptocurrency. Threat actors often abuse it by bundling it into their malware to mine on victims’ devices without their consent.
3. Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
Top Attacked Industries
In Africa this month, the ISP/MSP sector remains in first place as the most attacked industry, followed by Government/Military and Communications.
1. ISP/MSP
2. Government/Military
3. Communications
Top Exploited Vulnerabilities
This month, “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 43% of organisations globally. It is followed by “Apache Log4j Remote Code Execution” which dropped from first place to second and impacts 42% of organisations. “Command Injection Over HTTP Linux System Files Information Disclosure” jumps into third place, with a global impact of 40%.
1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability arises when a web server serves a project’s .git directory to the public. An attacker who can fetch files such as .git/HEAD, .git/config and the object store can reconstruct the source tree, which frequently contains credentials, API keys and other account information that was never meant to be public.
2. Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1). An attacker who can get a crafted string containing a JNDI lookup into any logged field (a URL, a header such as User-Agent, a form value) can make the vulnerable library fetch and execute code from a server they control.
3. Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
Top Mobile Malwares
This month, Anubis jumped into first place as the most widespread Mobile malware, followed by Hydra and Joker.
1. Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogging and audio recording capabilities, as well as various ransomware features. It has been detected in hundreds of different applications available on the Google Play Store.
2. Hydra – Hydra is a banking Trojan designed to steal financial credentials by asking victims to grant dangerous permissions.
3. Joker – An Android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware can also sign the victim up for paid premium services without their consent or knowledge.