Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/14/2019
07:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cryptomining Continues to Be Top Malware Threat

Tools for illegally mining Coinhive, Monero, and other cryptocurrency dominate list of most prevalent malware in December 2018.

Enterprise organizations appear unlikely to get respite from cryptomining attacks anytime soon if new threat data from Check Point Software is any indication.

For the thirteenth month in a row, attacks involving the use of cryptomining malware topped the security vendor's list of most active threats worldwide in December. Malware for mining the Coinhive cryptocurrency once again emerged as the most prevalent malware sample impacting 12% of the organizations worldwide in Check Point's report.

Out of the top 10 most prevalent malware samples in Check Point's latest monthly threat summary, the four most active tools—and five in total—were cryptominers.

The persisting attacker interest in crypto malware—despite the overall decline in the value of major cryptocurrencies—is not entirely surprising.

"The main advantage of cryptomining malware for the attacker is its ability to create direct profit without any user interaction and without elaborate mechanisms such as in the cases of ransomware and banking Trojans," says Omer Dembinsky, data research team leader at Check Point.

In many cases, users with systems infected with cryptocurrency malware don't even realize they have a problem until hardware performance gets severely degraded. Crypto tools running on higher-end enterprise servers and endpoint systems can be hard to spot for the same reason.

"It works in the background on personal computers, mobile phones, servers, and basically any machine with computing power—so anyone and everyone is a potential target," Dembinsky says.

Not surprisingly, many of the most exploited vulnerabilities in December 2018 were also related to illegal cryptomining activity. Topping the list was CVE-2017-7269, a buffer-overflow vulnerability in a Microsoft IIS component that was first disclosed nearly two years ago and long ago patched as well.

The reason the vulnerability remains a popular exploit target is because it gives attackers a way to infiltrate high-end servers with lots of processing power for cryptomining, Dembinsky said. "Organizations should make sure they apply the most recent updates and patches on their systems in order to not be susceptible to attacks by known vulnerabilities."

Crypto tools are the most prolific, but not the only threat that Check Point observed last month. Also noteworthy was the sudden reemergence of SmokeLoader, a malware downloader tool that attackers have previously used to distribute especially pernicious malware tools, such as Trickbot and Panda banking Trojan and the AZORult information-stealer. Security researchers have been tracking the threat since at least 2011 but it has never broken into Check Point's list of the 10 most active threats.

A surge of activity involving SmokeLoader in Ukraine and Japan propelled the malware from 20th spot just last month to the ninth spot in Check Point's list. But Dembinsky says Check Point researchers have not been able to figure the specific reason for the renewed interest in the malware.

For businesses, the sudden re-emergence of a malware tool last seen some eight years ago highlights the need for constant vigilance. "This means that organizations should have the most up to date and advanced security measures applied as the next surge could come from any of the numerous threats out there—or from something brand new," Dembinsky notes.

The remaining malware samples on Check Point's top 10 list are all multi-purpose code being distributed in multiple ways. They include Emotet, a Trojan that is being used for malware distribution, and Ramnit, a banking Trojan that has been around for some time.

While malware on Check Point's list fall out of the top 10 spot over a period of time, there is surprisingly little churn over short periods. The same threats tend to remain on the list month after month, though occasionally there are sudden surges of specific threats, Dembinsky says.

"We see there is a very wide range of threats, coming from multiple attack vectors—Web, emails, vulnerabilities," he notes. "Organizations must use a multi-layered and advanced cybersecurity strategy, both on the technical side and on the educational side."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8071
PUBLISHED: 2019-10-17
Adobe Download Manager versions 2.0.0.363 have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-10752
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVE-2019-12611
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
CVE-2019-13657
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
CVE-2019-15626
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.