May 2019’s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues

May 2019’s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues

June 17, 2019 Off By David

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd., a leading provider of cyber security solutions globally, has published its latest Global Threat Index for May 2019.  The Research team is warning organizations to check for and patch any systems vulnerable to the ‘BlueKeep’ Microsoft RDP flaw (CVE-2019-0708) in Windows 7 and Windows Server 2008 machines, to prevent the risk of it being exploited for ransomware and cryptomining attacks. 

The BlueKeep flaw affects nearly 1 million machines accessible to the public internet, with many more within organizations’ networks.  The vulnerability is critical because it requires no user interaction in order to be exploited.  RDP is already an established, popular attack vector which has been used to install ransomware such as SamSam and Dharma.  The Check Point Research team is currently seeing many scanning attempts for the flaw, originating from several different countries globally, which could be the initial reconnaissance phase of an attack. In addition to the relevant Microsoft patches, Check Point is providing both network and endpoint protections to this attack.

Maya Horowitz, Threat Intelligence and Research Director at Check Point said: “The biggest threat we’ve seen over the past month is BlueKeep. Even though no attacks have yet been seen exploiting it, several public proof-of-concept exploits have been developed. We agree with Microsoft and other cybersecurity industry observers that BlueKeep could be used to launch cyberattacks on the scale of 2017’s massive WannaCry and NotPetya campaigns. One single computer with this flaw can be used to deliver a malicious payload that infects an entire network. Then all infected computers with Internet access can infect other vulnerable devices worldwide – enabling the attack to spread exponentially, at an unstoppable pace. So it’s critical that organizations protect themselves – and others – by patching the flaw now, before it’s too late.”

Other significant malware news in May was the developers of the GandCrab Ransomware-as-a-Service affiliate program announcing on the last day of the month that they were ceasing operation, and asking their affiliates to stop distributing the ransomware within 20 days. The operation has been active since January 2018, and in just two months had infected over 50,000 victims. Total earnings for its developers and affiliates are claimed to be in the billions of dollars.  A regular in the Top 10 Most Wanted Index, GandCrab was frequently updated with new capabilities to evade detection tools.

May 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

The three most prominent Cryptominers – Cryptoloot, XMRig, and JSEcoin continue to top the malware index, each with a global impact of 4%.

1.   ↔ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.

2.   ↔ XMRig – Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017. 

3.   ↔ JSEcoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

May’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent mobile malware, up from 2nd in April.  Triada drops from 1st to 3rd, while Hiddad climbs back up from 3rd to 2nd.

1.     Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

2.    ↑  Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

3.    ↓  Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

May’s Top 3 ‘Most Exploited’ vulnerabilities:

In May we saw a comeback of traditional attack techniques (probably caused by the decrease in Cryptominers’ profitability), with SQL Injections techniques leading the top exploits vulnerabilities list with a global impact of 49%. Web Server Exposed Git Repository Information Disclosure and OpenSSL TLS DTLS Heartbeat Information Disclosure ranked second and third, impacting 44% and 41% of organizations worldwide respectively.

1.      SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.

2.    ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

3.    ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.