Exploit Kits Continue Attacks, While Slammer Worm Resurfaces in Check Point’s ‘Most Wanted’ Malware
May 2017 by Check Point
Check Point® Software Technologies Ltd. has detected a continued increase in the number of cyber-attacks using Exploit Kits globally, as Rig EK became the most prevalent form of attack in the company’s April Global Threat Impact Index.
Exploit Kits are designed to discover and exploit vulnerabilities in a victim's browser and browser plug-ins in order to download and execute further malicious code. Their usage had been in decline globally until March 2017, when attacks using the Rig and Terror Exploit Kits surged.
During the month Check Point also revealed a sudden resurgence in use of the Slammer worm, which has seen it jump back into the top three most prevalent malware families after a long hiatus. The Slammer worm first emerged in 2003 and spread extremely rapidly. It was developed to target Microsoft SQL Server 2000 through a buffer overflow in the SQL Server Resolution Service (UDP port 1434), and because every infected host fired copies of itself at random addresses as fast as its link allowed, it propagated so quickly that it caused a denial-of-service condition on some affected targets and networks. This is the second time the worm has entered Check Point's Global Threat Impact Index top ten in recent months, showing how even 14-year-old malware can successfully resurface.
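One way to spot the redirect-to-landing-page-to-exploit chain that Exploit Kits rely on is to look for it in web proxy logs. The following is an added example, not Check Point's detection logic: it flags a client that is redirected from a site it visited on its own to a second domain which, within a short window, serves an HTML landing page, then a Flash, Java or Silverlight object, then an executable download, all from that same domain. The log format, the sample lines, the content-type mapping and the 60-second window are constructed assumptions for this example.

```python
"""Flag exploit-kit-style infection chains in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types the landing page's plug-in checks lead to (assumption: the
# proxy records the response Content-Type for every request).
EXPLOIT_TYPES = {
    "application/x-shockwave-flash": "flash",
    "application/java-archive": "java",
    "application/x-silverlight-app": "silverlight",
}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=60)   # landing -> exploit -> payload must fit in this span (assumption)

# Constructed log lines: time | client | url | content-type | referer ("-" if none)
SAMPLE_LOG = """\
2017-04-12T10:00:01 10.1.2.3 http://news.example/story.html text/html -
2017-04-12T10:00:03 10.1.2.3 http://ads.example/b.js application/javascript http://news.example/story.html
2017-04-12T10:00:04 10.1.2.3 http://landing.example/?q=abc text/html http://ads.example/b.js
2017-04-12T10:00:06 10.1.2.3 http://landing.example/x.swf application/x-shockwave-flash http://landing.example/?q=abc
2017-04-12T10:00:09 10.1.2.3 http://landing.example/p.dat application/octet-stream http://landing.example/?q=abc
2017-04-12T10:05:00 10.1.2.9 http://intranet.example/index.html text/html -
2017-04-12T10:05:02 10.1.2.9 http://cdn.example/app.swf application/x-shockwave-flash http://intranet.example/index.html
"""


def parse_log(text):
    """Turn the space-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, client, url, ctype, ref = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": urlsplit(url).hostname,
            "url": url,
            "ctype": ctype.lower(),
            "ref_host": urlsplit(ref).hostname if ref != "-" else None,
        })
    return events


def find_chains(events):
    """One finding per (client, landing page) where the client arrives on a host
    via a redirect from elsewhere and that host then serves a plug-in object
    followed by an executable download inside WINDOW."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, landing in enumerate(evs):
            # candidate landing page: HTML on host H, referred from a different host
            if (landing["ctype"] != "text/html" or not landing["ref_host"]
                    or landing["ref_host"] == landing["host"]):
                continue
            host = landing["host"]
            deadline = landing["time"] + WINDOW
            exploit = payload = None
            for e in evs[i + 1:]:
                if e["time"] > deadline:
                    break
                if e["host"] != host or e["ref_host"] != host:
                    continue
                if e["ctype"] in EXPLOIT_TYPES and exploit is None:
                    exploit = e
                elif e["ctype"] in PAYLOAD_TYPES and exploit is not None:
                    payload = e
                    break
            if exploit and payload:
                findings.append({
                    "client": client,
                    "landing_host": host,
                    "redirected_from": landing["ref_host"],
                    "plugin": EXPLOIT_TYPES[exploit["ctype"]],
                    "payload_url": payload["url"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

The second client in the sample loads a Flash object straight from a site it navigated to itself, with no redirect and no follow-on download, and is left alone; the heuristic keys on the full sequence, not on any single plug-in request.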
The top three global malware families reveal a wide range of attack vectors and targets, which impact all stages of the infection chain. The most common malware in April were Rig EK and HackerDefender, impacting 5% and 4.5% of organizations worldwide respectively, while the Slammer worm came in third impacting 4% of organizations.
April 2017’s Top 3 ‘Most Wanted’ Malware:
1. Rig EK – Exploit Kit first introduced in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript which checks for vulnerable plug-ins and delivers the matching exploit.
2. HackerDefender – User-mode rootkit for Windows that can be used to hide files, processes and registry keys. It also implements a backdoor and port redirector that operates through TCP ports already opened by existing services, so the backdoor never opens a listening port of its own and does not show up as an extra listener in a port scan or netstat listing.
3. Slammer – Memory-resident worm targeted at Microsoft SQL Server 2000. By propagating rapidly, the worm can cause a denial-of-service condition on affected targets.
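The two chains described above lend themselves to simple network-side checks. The following is an added example, not Check Point's own detection logic: the first function flags Slammer-shaped datagrams (UDP to port 1434, a payload of exactly 376 bytes whose first byte is 0x04, the worm's documented form); the second flags the behaviour that makes any such worm damaging, one source reaching many distinct hosts on UDP/1434 within a short window. The packet records, the addresses and the fan-out threshold are constructed for this example; a real sensor would fill the records from a capture.

```python
"""Flag Slammer-style propagation in UDP traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service, Slammer's target
SLAMMER_LEN = 376            # total UDP payload length of the original worm
FANOUT_THRESHOLD = 50        # distinct destinations per source per window (assumption)
WINDOW_SECONDS = 1.0         # sliding window length (assumption)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def is_slammer_packet(p: Packet) -> bool:
    """Packet-shape check: UDP/1434, 376-byte payload beginning with 0x04."""
    return (p.proto == "udp" and p.dport == SQL_RESOLUTION_PORT
            and len(p.payload) == SLAMMER_LEN and p.payload[:1] == b"\x04")


def fanout_sources(packets, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: max_distinct_destinations} for sources that reach at least
    `threshold` distinct hosts on UDP/1434 inside any `window`-second span."""
    by_src = defaultdict(list)
    for p in packets:
        if p.proto == "udp" and p.dport == SQL_RESOLUTION_PORT:
            by_src[p.src].append(p)
    flagged = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(pkts)):
            # advance the window start until the span fits in `window` seconds
            while pkts[end].ts - pkts[start].ts > window:
                start += 1
            distinct = {p.dst for p in pkts[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def build_sample():
    """Constructed traffic: one infected host spraying 120 addresses in 0.6 s,
    plus one legitimate client sending a short SSRS query and a TCP/1433 login."""
    body = b"\x04" + b"\x01" * (SLAMMER_LEN - 1)   # stand-in for the worm body; only its shape matters here
    pkts = [Packet(100.0 + i * 0.005, "192.0.2.10", f"198.51.100.{i % 200}", "udp", 1434, body)
            for i in range(120)]
    pkts.append(Packet(100.3, "192.0.2.20", "203.0.113.5", "udp", 1434, b"\x02"))
    pkts.append(Packet(100.4, "192.0.2.20", "203.0.113.5", "tcp", 1433, b"x" * 40))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("slammer-shaped packets:", sum(is_slammer_packet(p) for p in sample))
    print("fan-out sources:", fanout_sources(sample))
```

The shape check catches the original worm only; the fan-out check is what catches a retooled variant, and it is also the signal to act on at the perimeter, where blocking inbound UDP/1434 to anything that is not a SQL Server is still the cheapest mitigation.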
In mobile malware, the top two families remained the same as in March, while Lotoor climbed back into the top three.
Top 3 ‘Most Wanted’ mobile malware:
1. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
3. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
“Last month we saw how attacks using Exploit Kits suddenly surged, underlining the fact that old but effective cyberthreats don’t vanish – they often re-emerge, retooled with tweaks and updates making them dangerous all over again. The fact that the Slammer worm has now joined two Exploit Kits in the top three underlines that point even further,” said Nathan Shuchami, VP of Emerging Products at Check Point. “Cybercriminals will always choose to adapt the tools they already have at their disposal if possible, rather than developing brand new ones, simply because it’s faster and more cost-effective. It’s a vital warning to organizations in multiple sectors – you must remain vigilant and deploy sophisticated security systems that protect against a wide range of attack types.”
The ThreatCloud Map is powered by Check Point’s ThreatCloud™ intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.