Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd., a provider of cyber security solutions globally, has published its latest Global Threat Index for September 2020. Researchers found that an updated version of Valak malware has entered the Index for the first time, ranking as the 9th most prevalent malware in September.

First observed in late 2019, Valak is a sophisticated threat which was previously classified as a malware loader. In recent months, new variants were discovered with significant functional changes which enable Valak to operate as an information-stealer capable of targeting both individuals and enterprises. This new version of Valak is able to steal sensitive information from Microsoft Exchange mail systems, as well as users’ credentials and domain certificates. During September, Valak was spread widely by malspam campaigns containing malicious .doc files.

Emotet Trojan impact

The Emotet trojan remains in 1st place in the Index for the third month in succession, impacting 14% of organisations globally. The Qbot trojan, which entered the listing for the first time in August, was also widely used in September, rising from 10th to 6th in the index.

“These new campaigns spreading Valak are another example of how threat actors look to maximise their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August, Valak is intended to enable data and credentials theft at scale from organisations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

Common exploited vulnerability

The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organisations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organisations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” had a global impact of 36%.

Top malware families

In September, Emotet remains the most popular malware with a global impact of 14% of organisations, followed by Trickbot and Dridex impacting 4% and 3% of organisations worldwide respectively.

  • Emotet - Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  • Trickbot - Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi-purpose campaigns.
  • Dridex - Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.

Top exploited vulnerabilities

In September, “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organisations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organisations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” is in third place, with a global impact of 36%.

MVPower DVR Remote Code Execution - A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Authentication Bypass and information disclosure vulnerability

Dasan GPON Router Authentication Bypass (CVE-2018-10561) - An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorised access into the affected system.

OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Top mobile malware families

In September, xHelper is the most popular mobile malware, followed by Xafecopy and Hiddad.

  • xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
  • Xafecopy - Xafecopy Trojan is disguised as useful apps like Battery Master. The Trojan secretly loads malicious code onto the device. Once the app is activated, the Xafecopy malware clicks on web pages with Wireless Application Protocol (WAP) billing - a form of mobile payment that charges costs directly to the user's mobile phone bill.
  • Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

Cybercrime

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.
