Attacks/Breaches

1/14/2019
07:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cryptomining Continues to Be Top Malware Threat

Tools for illegally mining Coinhive, Monero, and other cryptocurrency dominate list of most prevalent malware in December 2018.

Enterprise organizations appear unlikely to get respite from cryptomining attacks anytime soon if new threat data from Check Point Software is any indication.

For the thirteenth month in a row, attacks involving the use of cryptomining malware topped the security vendor's list of most active threats worldwide in December. Malware for mining the Coinhive cryptocurrency once again emerged as the most prevalent malware sample impacting 12% of the organizations worldwide in Check Point's report.

Out of the top 10 most prevalent malware samples in Check Point's latest monthly threat summary, the four most active tools—and five in total—were cryptominers.

The persisting attacker interest in crypto malware—despite the overall decline in the value of major cryptocurrencies—is not entirely surprising.

"The main advantage of cryptomining malware for the attacker is its ability to create direct profit without any user interaction and without elaborate mechanisms such as in the cases of ransomware and banking Trojans," says Omer Dembinsky, data research team leader at Check Point.

In many cases, users with systems infected with cryptocurrency malware don't even realize they have a problem until hardware performance gets severely degraded. Crypto tools running on higher-end enterprise servers and endpoint systems can be hard to spot for the same reason.

"It works in the background on personal computers, mobile phones, servers, and basically any machine with computing power—so anyone and everyone is a potential target," Dembinsky says.

Not surprisingly, many of the most exploited vulnerabilities in December 2018 were also related to illegal cryptomining activity. Topping the list was CVE-2017-7269, a buffer-overflow vulnerability in a Microsoft IIS component that was first disclosed nearly two years ago and long ago patched as well.

The reason the vulnerability remains a popular exploit target is because it gives attackers a way to infiltrate high-end servers with lots of processing power for cryptomining, Dembinsky said. "Organizations should make sure they apply the most recent updates and patches on their systems in order to not be susceptible to attacks by known vulnerabilities."

Crypto tools are the most prolific, but not the only threat that Check Point observed last month. Also noteworthy was the sudden reemergence of SmokeLoader, a malware downloader tool that attackers have previously used to distribute especially pernicious malware tools, such as Trickbot and Panda banking Trojan and the AZORult information-stealer. Security researchers have been tracking the threat since at least 2011 but it has never broken into Check Point's list of the 10 most active threats.

A surge of activity involving SmokeLoader in Ukraine and Japan propelled the malware from 20th spot just last month to the ninth spot in Check Point's list. But Dembinsky says Check Point researchers have not been able to figure the specific reason for the renewed interest in the malware.

For businesses, the sudden re-emergence of a malware tool last seen some eight years ago highlights the need for constant vigilance. "This means that organizations should have the most up to date and advanced security measures applied as the next surge could come from any of the numerous threats out there—or from something brand new," Dembinsky notes.

The remaining malware samples on Check Point's top 10 list are all multi-purpose code being distributed in multiple ways. They include Emotet, a Trojan that is being used for malware distribution, and Ramnit, a banking Trojan that has been around for some time.

While malware on Check Point's list fall out of the top 10 spot over a period of time, there is surprisingly little churn over short periods. The same threats tend to remain on the list month after month, though occasionally there are sudden surges of specific threats, Dembinsky says.

"We see there is a very wide range of threats, coming from multiple attack vectors—Web, emails, vulnerabilities," he notes. "Organizations must use a multi-layered and advanced cybersecurity strategy, both on the technical side and on the educational side."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml
CVE-2019-11459
PUBLISHED: 2019-04-22
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
CVE-2019-11460
PUBLISHED: 2019-04-22
An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 prior to 3.30.2.2, and 3.32 prior to 3.32.1.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's control...
CVE-2019-8452
PUBLISHED: 2019-04-22
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission changed so that all users can access that linked file. Doing this on files with limited access gains t...