Maya Horowitz

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., a provider of cyber security solutions globally, has published its latest Global Threat Index for August 2021. Researchers report that Formbook is the most prevalent malware, taking over Trickbot, which has fallen into second following a three-month-long reign. The banking trojan, Qbot, whose operators are known to take breaks during the summer, has dropped from the top 10 completely after a long stay on the list, while Remcos, a remote access trojan (RAT), has entered the index for the first time in 2021, ranking in sixth place. New strain targets macOS users First seen in 2016, Formbook is an info stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its command and control (C&C) orders. Recently, Formbook was distributed via COVID-19 themed campaigns and phishing emails, and in July 2021, CPR reported that a new strain of malware derived from Formbook, called XLoader, is now targeting macOS users. The best way to prevent a Formbook infection is by staying acutely aware of any emails that appear strange " “Formbook’s code is written in C with assembly inserts and contains several tricks to make it more evasive and harder for researchers to analyze,” said Maya Horowitz, VP of Research at Check Point Software. “As it is usually distributed via phishing emails and attachments, the best way to prevent a Formbook infection is by staying acutely aware of any emails that appear strange or come from unknown senders. As always, if it doesn’t look right, it probably isn’t.” Exploited Vulnerability list CPR also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 43% of organizations worldwide. “Dasan GPON Router Authentication Bypass” takes third place in the top exploited vulnerabilities list, with a global impact of 40%. Top malware families This month, Formbook is the most popular malware impacting 4.5% of organizations globally, followed by Trickbot and Agent Tesla, impacting 4% and 3% of organizations worldwide respectively. Formbook -Formbook is an info-stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders. Trickbot - Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features, and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. Agent Tesla -Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system keyboard, taking screenshots, and exfiltrating credentials from a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). Top exploited vulnerabilities This month “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 43% of organizations worldwide. “Dasan GPON Router Authentication Bypass” takes third place in the top exploited vulnerabilities list, with a global impact of 40%. Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system. Top Mobile malware This month xHelper takes first place in the most prevalent mobile malware, followed by AlienBot and FluBot. xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and can even reinstall itself if it was uninstalled. AlienBot- AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device. FluBot - FluBot is an Android botnet malware distributed via phishing SMS messages, most often impersonating logistics delivery brands. Once the user clicks the link inside the message, FluBot is installed and gets access to all sensitive information on the phone. Real-time threat Intelligence Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., a provider of cybersecurity solutions globally, has published its latest Global Threat Index for July 2021. Researchers report that while Trickbot is still the most prevalent malware, Snake Keylogger, which was first detected in November 2020, has surged into second place following an intense phishing campaign. Keylogger and credential stealer Snake Keylogger is a modular .NET keylogger and credential stealer. Its primary function is to record users’ keystrokes on computers or mobile devices and transmit the collected data to threat actors. In recent weeks, Snake has been growing fast via phishing emails with different themes across all countries and business sectors.  Snake infections pose a major threat to users' privacy and online safety, as the malware can steal virtually all kinds of sensitive information, and it is a particularly evasive and persistent keylogger. There are currently underground hacking forums where the Snake Keylogger is available for purchase, ranging from 25 to 500 dollars, depending on the level of service offered. Keylogger attacks can be dangerous because individuals tend to use the same password and username for different accounts Keylogger attacks can be particularly dangerous because individuals tend to use the same password and username for different accounts, and once one login credential is breached, the cybercriminal gains access to all those that have the same password. To stop them, it is essential to use a unique option for each of the different profiles. To do this, a password manager can be used, which allows both managing and generating different robust access combinations for each service based on the guidelines decided upon. Choosing unique passwords “Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” said Maya Horowitz, VP Research at Check Point Software. “Also, when it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services. Keyloggers such as Snake are often distributed via phishing emails so users must know to look out for small discrepancies such as misspellings in links and email addresses, and be educated to never click on suspicious links or open any unfamiliar attachments.” CPR also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” takes third place in the top exploited vulnerabilities list, with a global impact of 42%. Top malware families Trickbot is a flexible and customizable malware that can be distributed as part of multi-purpose campaigns This month, Trickbot is the most popular malware impacting 4% of organizations globally, followed by Snake Keylogger and XMRig, each with a global impact of 3%.  Trickbot - Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features, and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. Snake Keylogger- Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020; its primary function is to record users’ keystrokes and transmit collected data to threat actors. XMRig - XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, and was first seen in the wild in May 2017. Top exploited vulnerabilities July's “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” is in third place in the top exploited vulnerabilities list, with a global impact of 42%. Web Server Exposed Git Repository Information Disclosure - Information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine. MVPower DVR Remote Code Execution – Remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request. Top Cellphone malware In July, xHelper takes first place in the most prevalent mobile malware, followed by AlienBot and Hiddad. xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and can even reinstall itself if it was uninstalled. AlienBot - AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device. Hiddad - Hiddad is an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities every day.

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., a pioneering provider of cyber security solutions globally, has published its latest Global Threat Index for March 2021. Researchers report that the IcedID banking trojan has entered the Index for the first time, taking second place, while the established Dridex trojan was the most prevalent malware during March, up from seventh in February. First seen in 2017, IcedID has been spreading rapidly in March via several spam campaigns, affecting 11% of organizations globally. One widespread campaign used a COVID-19 theme to entice new victims into opening malicious email attachments; the majority of these attachments are Microsoft Word documents with a malicious macro used to insert an installer for IcedID. Once installed, the trojan then attempts to steal account details, payment credentials, and other sensitive information from users’ PCs. IcedID also uses other malware to proliferate and has been used as the initial infection stage in ransomware operations. Evasive trojan “IcedID has been around for a few years now but has recently been used widely, showing that cyber-criminals are continuing to adapt their techniques to exploit organizations, using the pandemic as a guise,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “IcedID is a particularly evasive trojan that uses a range of techniques to steal financial data, so organizations must ensure they have robust security systems in place to prevent their networks being compromised and minimize risks. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails that spread IcedID and other malware.” CPR also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “MVPower DVR Remote Code Execution” which impact 44% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is on third place in the top exploited vulnerabilities list, with a global impact of 44%. Top malware families *The arrows relate to the change in rank compared to the previous month. Recently, Dridex is the most popular malware with a global impact of 16% of organizations, followed by IcedID and Lokibot affecting 11% and 9% of organizations worldwide respectively. ↑ Dridex - Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server. ↑ IcedID - IcedID is a banking Trojan spread by email spam campaigns and uses evasive techniques such as process injection and steganography to steal user financial data. ↑ Lokibot - Lokibot is an Info Stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers. Top exploited vulnerabilities Currently, “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “MVPower DVR Remote Code Execution” which impacts 44% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place with a global impact of 44%. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine. ↑ MVPower DVR Remote Code Execution - remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) - authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system. Top mobile malwares Hiddad took first place in the most prevalent mobile malware index, followed by xHelper and FurBall. Hiddad - Hiddad is an Android malware, which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display ads. The application is capable of hiding itself from the user, and can even reinstall itself after being uninstalled. FurBall - FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017 and is still active today. Among FurBall’s capabilities are; stealing SMS messages and mobile call logs, recording calls and surroundings, collecting media files, tracking locations, and more. Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities every day.

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd., a renowned provider of cybersecurity solutions globally, has published its latest Global Threat Index for October 2020. Researchers reported that the Trickbot and Emotet trojans continue to rank as the top two most prevalent malware in October, and that the trojans have been responsible for the sharp increase in ransomware attacks against hospitals and healthcare providers globally. File-encrypting ransomware The FBI and other U.S. government agencies recently issued a warning about ransomware attacks targeting the healthcare sector, warning that the estimated one million-plus Trickbot infections worldwide are being used to download and spread file-encrypting ransomware such as Ryuk. Ryuk is also distributed via the Emotet trojan, which remains in 1st place in the Top Malware Index for the fourth month in succession. Ransomware attacks against healthcare organizations and hospitals in October increased by 36% in EMEA Check Point threat intelligence data showed that the healthcare sector was the most targeted by ransomware in the U.S. in October, with attacks increasing by 71% compared with September 2020. Similarly, ransomware attacks against healthcare organizations and hospitals in October increased by 36% in EMEA and 33% in APAC. Support remote workforces “We’ve seen ransomware attacks increasing since the start of the coronavirus pandemic, to try and take advantage of security gaps as organizations scrambled to support remote workforces. These have surged alarmingly over the past three months, especially against the healthcare sector, and are driven by pre-existing TrickBot and Emotet infections." "We strongly urge healthcare organizations everywhere to be extra vigilant about this risk, and scan for these infections before they can cause real damage by being the gateway to a ransomware attack,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. Top malware families This month, Emotet remains the most popular malware with a global impact of 12% of organizations The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 43% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” and “HTTP Headers Remote Code Execution (CVE-2020-13756)” with both impacting 42% of organizations globally. (The arrows relate to the change in rank compared to the previous month.) This month, Emotet remains the most popular malware with a global impact of 12% of organizations, followed by Trickbot and Hiddad which both impacted 4% of organizations worldwide. ↔ Emotet - Emotet is an advanced self-propagating, and modular trojan. Emotet was once used as a banking trojan, and recently has been used as a distributer of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links. ↔ Trickbot - Trickbot is a dominant banking trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi purposed campaigns. ↑ Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.  Top exploited vulnerabilities This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 43% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” and “HTTP Headers Remote Code Execution (CVE-2020-13756)” with both impacting 42% of organizations globally. ↔ MVPower DVR Remote Code Execution - Remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561) - An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine. Top cellphone malwares This month Hiddad is the most prevalent cellphone malware, followed by xHelper and Lotoor. Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. xHelper - xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself in case it is uninstalled. Lotoor - Lotoor is a hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices. Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day. The complete list of the top 10 malware families in October can be found on the Check Point Blog.

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd., a renowned provider of cybersecurity solutions globally, has published its new Brand Phishing Report for Q3 2020. The report highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September. In Q3, Microsoft was the brand most frequently targeted brand by cybercriminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalize on large numbers of employees still working remotely during the COVID-19 pandemic. Remote working technology In this past quarter, we saw the highest increase in email phishing attacks of all platforms compared to Q2" For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. The most likely industry to be targeted by brand phishing was technology, followed by banking and then social network. This illustrates a broad spread of some of the best-known and most used consumer sectors, particularly during the coronavirus pandemic, whereby individuals are grappling with remote working technology, potential changes to finances, and an increased use of social media. Email phishing attacks Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point said: “In this past quarter, we saw the highest increase in email phishing attacks of all platforms compared to Q2, with Microsoft being the most impersonated brand. This has been driven by threat actors taking advantage of the mass migration to remote working forced by the COVID-19 pandemic, to target employees with fake emails asking them to reset their Microsoft Office 365 credentials." "As always, we encourage users to be cautious when divulging personal data and credentials to business applications, and to think twice before opening email attachments or links, especially emails that claim to from companies, such as Microsoft or Google, who are most likely to be impersonated.” Fraudulent cellphone application The fake website often contains a form intended to steal users’ credentials, payment details or other personal information In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and web-page design to the genuine site. The link to the fake website can be sent to targeted individuals by email or text message, a user can be redirected during web browsing, or it may be triggered from a fraudulent cellphone application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information. The top brands are ranked by their overall appearance in brand phishing attempts: Microsoft (related to 19% of all brand phishing attempts globally) DHL (9%) Google (9%) PayPal (6%) Netflix (6%) Facebook (5%) Apple (5%) Whatsapp (5%) Amazon (4%) Instagram (4%) Top phishing brands by platform During Q3 2020, email phishing was the most prominent type of brand phishing platform, accounting for 44% of attacks, closely followed by web phishing, which was the second most attacked platform compared to Q2, where it ranked first. The top phishing brands exploited by email phishing attacks were Microsoft, DHL and Apple, in that order. Email (44% of all phishing attacks during Q3) Microsoft DHL Apple Web (43% of all phishing attacks during Q3) Microsoft Google PayPal Cellphone (12% of all phishing attacks during Q3) Whatsapp PayPal Facebook Enter billing information Example A: Microsoft Phishing Email Aims to Steal Credentials During mid-August, Check Point researchers witnessed a malicious phishing email trying to steal credentials of Microsoft accounts. The attacker was trying to lure the victim to click on a malicious link which redirects the user to a fraudulent Microsoft login page. Example B: Amazon Phishing Email Attempts Credential Information Theft During September, Check Point researchers noticed a malicious phishing email which was allegedly sent by Amazon and was trying to steal user’s credit information. The email said that the user’s account was disabled due to too many login failures and pointed the user to a fraudulent Amazon billing center website in which the user is instructed to enter billing information. Threat sensors Check Point’s Brand Phishing Report is powered by Check Point’s ThreatCloud intelligence, one of the largest collaborative networks to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites and identifies millions of malware types daily.

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd, a provider of cyber security solutions globally, publishes its latest Global Threat Index for August 2020. Researchers found that the Qbot trojan, also known as Qakbot and Pinkslipbot, has entered the top ten malware index for the first time, ranking as the 10th most prevalent malware in August, while the Emotet trojan remains in 1st place for a second month, impacting 14% of organizations globally. Ransomware installation techniques First seen in 2008, Qbot has been continually developed and now uses sophisticated credentials theft and ransomware installation techniques, making it the malware equivalent of a Swiss Army knife according to researchers. Qbot now also has a dangerous new feature: a specialized email collector module which extracts email threads from the victim’s Outlook client and uploads them to an external remote server. This enables Qbot to hijack legitimate email conversations from infected users This enables Qbot to hijack legitimate email conversations from infected users, and then spam itself out using those hijacked emails to increase its chances of tricking other users into getting infected. Qbot can also enable unauthorized banking transactions, by allowing its controller to connect to the victim's computer. Active malspam campaigns Check Point’s researchers found several campaigns using Qbot’s new strain between March and August 2020, which included Qbot being distributed by the Emotet trojan. This campaign impacted 5% of organizations globally in July 2020. “Threat actors are always looking at ways to update existing, proven forms of malware and they have clearly been investing heavily in Qbot’s development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet's to spread the threat even further.” Anti-Malware solutions This month Emotet remains the most popular malware with a global impact of 14% of organizations “Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users and advise employees to be cautious when opening emails, even when they appear to be from a trusted source,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. The research team also warns that ‘Web Server Exposed Git Repository Information Disclosure’ is the most common exploited vulnerability, impacting 47% of organizations globally, followed by ‘MVPower DVR Remote Code Execution’ which impacted 43% of organizations worldwide. ‘Dasan GPON Router Authentication Bypass (CVE-2018-10561)’ is in third place, with a global impact of 37%. This month Emotet remains the most popular malware with a global impact of 14% of organizations, closely followed by Agent Tesla and Formbook affecting 3% of organizations each. Maintaining persistence and evasion techniques ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links. ↑ Agent Tesla - Agent Tesla is an advanced RAT functioning as a key logger and information stealer, capable of monitoring and collecting the victim's keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). ↑ Formbook - Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders. Information disclosure vulnerability A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request This month ‘Web Server Exposed Git Repository Information Disclosure’ is the most common exploited vulnerability, impacting 47% of organizations globally, followed by ‘MVPower DVR Remote Code Execution’ which impacted 43% of organizations worldwide. ‘Dasan GPON Router Authentication Bypass (CVE-2018-10561)’ is in third place, with a global impact of 37%. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability that has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information. ↓MVPower DVR Remote Code Execution - A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system. Popular mobile malware This month xHelper is the most popular mobile malware, followed by Necro and Hiddad. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled. Necro – Necro is an Android Trojan Dropper. It can download other malware, showing intrusive ads and stealing money by charging paid subscriptions. Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.

Check Point Research has published its latest Global Threat Index for July 2020. Researchers found that after a five-month absence, Emotet has surged back to 1st place in the Index, impacting 5% of organizations globally. Since February 2020, Emotet’s activities – primarily sending waves of malspam campaigns – started to slow down and eventually stopped, until re-emerging in July. This pattern was observed in 2019 when the Emotet botnet ceased activity during the summer months but resumed in September. In July, Emotet was spreading malspam campaigns, infecting its victims with TrickBot and Qbot, which are used to steal banking credentials and spread inside networks. Some of the malspam campaigns contained malicious doc file with names like “form.doc” or “invoice.doc”. According to researchers, the malicious document launches a PowerShell to pull the Emotet binary from remote websites and infect machines, adding them to the botnet. The resumption of Emotet’s activities highlights the scale and power of the botnet globally. Emotet botnet active again Emotet is the most popular malware with a global impact of 5% of organizations, closely followed by Dridex and Agent Tesla “It’s interesting that Emotet was dormant for several months earlier this year, repeating a pattern we first observed in 2019. We can assume that the developers behind the botnet were updating its features and capabilities. But as it is active again, organizations should educate employees about how to identify the types of malspam that carry these threats and warn about the risks of opening email attachments or clicking on links from external sources. Businesses should also look at deploying anti-malware solutions that can prevent such content reaching end-users,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 44% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” which impacts 42% of organizations worldwide. “Command Injection Over HTTP Payload” is in third place, with a global impact of 38%. Emotet and Dridex Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns Emotet is the most popular malware with a global impact of 5% of organizations, closely followed by Dridex and Agent Tesla affecting 4% of organizations each. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links. Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server. Agent Tesla Agent Tesla is an advanced RAT functioning as a keylogger and information stealer capable Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer capable of monitoring and collecting the victim's keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). Top exploited vulnerabilities “MVPower DVR Remote Code Execution” is the most commonly exploited vulnerability, impacting 44% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” which impacts 42% of organizations worldwide. “Command Injection Over HTTP Payload” is in third place, with a global impact of 38%. MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability that exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server. Command Injection Over HTTP Payload – A command injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine. Top Cellphone malware families xHelper is the most popular malware, followed by Necro and PreAMo. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled. Necro – Necro is an Android Trojan Dropper. It can download other malware, showing intrusive ads and stealing money by charging paid subscriptions. PreAMo – PreAmo is an Android Malware imitates the user by clicking on banners retrieved from three ad agencies – Presage, Admob, and Mopub. Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.