There was a concerning surge in cyber threats targeting websites and key industries during February, underlining the critical need for heightened cybersecurity measures.
The top three African industries targeted last month were utilities, manufacturing and consultancies respectively, according to the Check Point Software Technologies Global Threat Index for February 2024, shedding light on the cybersecurity landscape across Africa, with a particular focus on South Africa.
FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems.
Often ranked the most prevalent malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malicious software and despite efforts to stop it, it remains a significant threat to website security and user data.
This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetises the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.
“Websites are the digital storefronts of our world, crucial for communication, commerce, and connection,” says Maya Horowitz, vice-president: research at Check Point Software. “Defending them from cyberthreats isn’t just about safeguarding code; it is about protecting our online presence and the essential functions of our interconnected society.
“If cybercriminals choose to use them as a vehicle to covertly spread malware, that could impact future revenue generation and the reputation of an organisation. It is vital to put preventative measures in and adopt a culture of zero tolerance to ensure absolute protection from threats.”
South Africa moved up 12 places on the Threat Index, from 68 to 56, while Ethiopia ranks number one for risk with a normalised risk index of 99,4%.
Africa finds itself at the forefront of global cyber threats as new research reveals a surge in cyberattacks, notably targeting WordPress websites through FakeUpdates/SocGholish and the rise of Play ransomware, propelling it into the top three globally.
In South Africa, the top malware families were:
* FakeUpdates (SocGholish): A JavaScript downloader responsible for 7,3% of cyber threats in South Africa. This malware leads to further system compromise by deploying additional malware such as GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
* Qbot (Qakbot): This multipurpose malware, detected in 3,51% of cases, first appeared in 2008. Qbot steals user credentials, records keystrokes, spies on banking activities, and deploys additional malware.
* AsyncRat: Targeting the Windows platform, AsyncRat sends system information to a remote server and executes commands, accounting for 2,16% of threats.
* Formbook: Detected in 1,89% of cases, Formbook is an Infostealer targeting Windows OS. It harvests credentials, collects screenshots, logs keystrokes, and executes commands from its C&C.
* Nanocore: Responsible for 1,35% of threats, Nanocore is a Remote Access Trojan targeting Windows users, offering functionalities such as screen capture and remote desktop control.
Emerging threats include:
* Tepfer: A highly invasive trojan, Tepfer steals credentials and essential data, distributed through spam and phishing emails, representing 1,08% of threats.
* Glupteba: Known since 2011, Glupteba has evolved into a botnet with browser stealing capabilities, affecting 1,08% of cases.
* Injuke: Spread through phishing emails, Injuke encrypts information on victims’ PCs, demanding ransom for decryption (1,08%).
Noteworthy Trends
The report highlights the persistence of ransomware groups like Lockbit3 and the emergence of Play ransomware in the top three most sought-after ransomware groups.
Vulnerabilities in web servers, including directory traversal and command injection, remain highly exploitable, affecting 51% of organisations globally.
Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 51% of organisations globally, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection”, each with a global impact of 50%.
The top exploited vulnerabilities globally were:
* ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – There is a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
* ↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
* ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.
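As an added illustration of the directory traversal class described in the first entry above (example code written for this article, not Check Point's detection logic or any of the listed vendors' code): a naive path resolver that glues the URI onto the document root beside a hardened one that decodes, normalises and confines the result, plus a check that flags traversal patterns in access-log lines. The document root and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed document root for the example; any directory would do.
DOC_ROOT = "/var/www/html"


def naive_resolve(uri_path: str) -> str:
    """The flaw the report describes: the URI is appended to the document
    root without validation, so '../' segments walk out of the root."""
    return os.path.normpath(DOC_ROOT + "/" + uri_path)


def safe_resolve(uri_path: str):
    """Hardened form: percent-decode twice (catches double encoding),
    reject NUL bytes, normalise, then require the result to stay inside
    DOC_ROOT. Returns None when the request must be refused."""
    decoded = unquote(unquote(uri_path))
    if "\x00" in decoded:
        return None
    candidate = os.path.normpath(os.path.join(DOC_ROOT, decoded.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + os.sep):
        return None
    return candidate


# Traversal indicators as they appear in request paths: literal, single- and
# double-encoded '..' followed by a slash or backslash (or its encoding).
TRAVERSAL_RE = re.compile(
    r"\.\.[/\\]|%2e%2e|%252e%252e|\.\.%2f|\.\.%5c", re.IGNORECASE
)

# Constructed access-log lines (Apache/nginx combined format) for the demo.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2024:10:01:22 +0200] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Feb/2024:10:01:25 +0200] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Feb/2024:10:01:27 +0200] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '203.0.113.7 - - [12/Feb/2024:10:02:00 +0200] "POST /login HTTP/1.1" 302 0',
]


def flag_traversal(log_lines):
    """Return the log lines whose request path contains a traversal pattern."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(line)
    return hits
```

Run `flag_traversal(SAMPLE_LOG)` to see the two offending requests; pair the regex with a rate threshold per source address before alerting, since single hits from scanners are common.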
The top mobile malware families globally were:
* Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
* AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
* Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
The top-attacked industries globally were Education/Research, Government/Military and Healthcare.