February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices
March 2020 by Check Point
Check Point Research has published its latest Global Threat Index for February 2020. February saw a large increase in exploits targeting a vulnerability to spread the Mirai botnet, which is notorious for infecting IoT devices and conducting massive DDoS attacks. The vulnerability, known as the “PHP php-cgi Query String Parameter Code Execution” exploit, ranked 6th in the top exploited vulnerabilities and impacted 20% of organizations worldwide, compared to just 2% in January 2020.
The research team is also warning organizations that Emotet, the second most popular malware this month and the most widespread botnet operating currently, has been spreading using two new vectors during February. The first vector was an SMS Phishing (smishing) campaign targeting users in the U.S.: the SMS impersonates messages from popular banks, luring victims to click a malicious link which downloads Emotet to their device. The second vector is Emotet detecting and leveraging nearby Wi-Fi networks to spread via brute force attacks using a range of commonly-used Wi-Fi passwords. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.
Emotet impacted 7% of organizations globally in February, down from 13% in January, when it was being spread via spam campaigns including Coronavirus-themed campaigns. This highlights how quickly cyber-criminals change the themes of their attacks to try and maximise infection rates.
“As we saw in January, the most impactful threats and exploits during February were versatile malware such as XMRig and Emotet. Criminals seem to be aiming to build the largest possible networks of infected devices, which they can then exploit and monetize in a range of different ways, from ransomware delivery to launching DDoS attacks,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “As the main infection vectors are emails and SMS messages, organizations should ensure their employees are educated about how to identify different types of malicious spam, and deploy security that actively prevents these threats from infecting their networks.”
Top exploited vulnerabilities This month, the “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, impacting 31% of organizations globally, closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 28%. In the 3rd place “PHP DIESCAN information disclosure” vulnerability impacting 27% of organizations worldwide.
1. ↔ MVPower DVR Remote Code Execution - A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↔ PHP DIESCAN information disclosure- An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
Top malware families- Mobile
This month xHelper retained the 1st place in the most prevalent mobile malware, followed by Hiddad and Guerrilla.
1. ↔ xHelper- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
2. ↑ Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
3. ↓ Guerrilla- Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.