Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/14/2019
07:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cryptomining Continues to Be Top Malware Threat

Tools for illegally mining Coinhive, Monero, and other cryptocurrency dominate list of most prevalent malware in December 2018.

Enterprise organizations appear unlikely to get respite from cryptomining attacks anytime soon if new threat data from Check Point Software is any indication.

For the thirteenth month in a row, attacks involving the use of cryptomining malware topped the security vendor's list of most active threats worldwide in December. Malware for mining the Coinhive cryptocurrency once again emerged as the most prevalent malware sample impacting 12% of the organizations worldwide in Check Point's report.

Out of the top 10 most prevalent malware samples in Check Point's latest monthly threat summary, the four most active tools—and five in total—were cryptominers.

The persisting attacker interest in crypto malware—despite the overall decline in the value of major cryptocurrencies—is not entirely surprising.

"The main advantage of cryptomining malware for the attacker is its ability to create direct profit without any user interaction and without elaborate mechanisms such as in the cases of ransomware and banking Trojans," says Omer Dembinsky, data research team leader at Check Point.

In many cases, users with systems infected with cryptocurrency malware don't even realize they have a problem until hardware performance gets severely degraded. Crypto tools running on higher-end enterprise servers and endpoint systems can be hard to spot for the same reason.

"It works in the background on personal computers, mobile phones, servers, and basically any machine with computing power—so anyone and everyone is a potential target," Dembinsky says.

Not surprisingly, many of the most exploited vulnerabilities in December 2018 were also related to illegal cryptomining activity. Topping the list was CVE-2017-7269, a buffer-overflow vulnerability in a Microsoft IIS component that was first disclosed nearly two years ago and long ago patched as well.

The reason the vulnerability remains a popular exploit target is because it gives attackers a way to infiltrate high-end servers with lots of processing power for cryptomining, Dembinsky said. "Organizations should make sure they apply the most recent updates and patches on their systems in order to not be susceptible to attacks by known vulnerabilities."

Crypto tools are the most prolific, but not the only threat that Check Point observed last month. Also noteworthy was the sudden reemergence of SmokeLoader, a malware downloader tool that attackers have previously used to distribute especially pernicious malware tools, such as Trickbot and Panda banking Trojan and the AZORult information-stealer. Security researchers have been tracking the threat since at least 2011 but it has never broken into Check Point's list of the 10 most active threats.

A surge of activity involving SmokeLoader in Ukraine and Japan propelled the malware from 20th spot just last month to the ninth spot in Check Point's list. But Dembinsky says Check Point researchers have not been able to figure the specific reason for the renewed interest in the malware.

For businesses, the sudden re-emergence of a malware tool last seen some eight years ago highlights the need for constant vigilance. "This means that organizations should have the most up to date and advanced security measures applied as the next surge could come from any of the numerous threats out there—or from something brand new," Dembinsky notes.

The remaining malware samples on Check Point's top 10 list are all multi-purpose code being distributed in multiple ways. They include Emotet, a Trojan that is being used for malware distribution, and Ramnit, a banking Trojan that has been around for some time.

While malware on Check Point's list fall out of the top 10 spot over a period of time, there is surprisingly little churn over short periods. The same threats tend to remain on the list month after month, though occasionally there are sudden surges of specific threats, Dembinsky says.

"We see there is a very wide range of threats, coming from multiple attack vectors—Web, emails, vulnerabilities," he notes. "Organizations must use a multi-layered and advanced cybersecurity strategy, both on the technical side and on the educational side."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.