Check Point Software Technologies has analysed the most prevalent malware families, the most exploited vulnerabilities, the most prevalent mobile malware, the most targeted industries and the leading ransomware groups worldwide.
Top Malware Families:
FakeUpdates. A downloader written in JavaScript, it has emerged as the most prevalent malware. It writes payloads to disk before executing them and facilitates the spread of other malware such as GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult. In Spain it has affected 9.8% of businesses.
Androxgh0st. A botnet that runs on Windows, macOS and Linux. It exploits multiple vulnerabilities for initial infection, specifically targeting PHPUnit, the Laravel framework and the Apache web server, and steals sensitive information such as Twilio account details, SMTP credentials and AWS keys. It has affected 6% of businesses in Spain.
AgentTesla. An advanced RAT that works as a keylogger and information stealer, monitoring keystrokes, taking screenshots, and exfiltrating credentials from various installed software like Google Chrome, Mozilla Firefox, and Microsoft Outlook. This malware has impacted 4% of Spanish businesses.
Most Exploited Vulnerabilities:
VPN Information Disclosure (CVE-2024-24919). A vulnerability in Check Point VPN that allows attackers to read information on internet-facing gateways that have remote access or mobile access enabled.
Web Servers Malicious URL Directory Traversal (CVE-2010-4598, etc.). A directory traversal vulnerability in various web servers allows unauthenticated remote attackers to access arbitrary files on the vulnerable server.
HTTP Headers Remote Code Execution (CVE-2020-10826, etc.). Improper handling of HTTP headers allows a remote attacker to execute arbitrary code on the victim's machine.
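The directory traversal class listed above is one a defender can both detect in access logs and prevent at the file-serving layer. The following Python is an added example written for this page, not code from Check Point or from any of the affected web servers. It assumes Common Log Format access logs and a hypothetical document root; the log lines, IP addresses and paths are constructed samples. It decodes percent-encoding repeatedly (so double-encoded `%252e%252e` is caught), folds backslashes, and flags any request whose `..` segments would climb above the web root, while leaving legitimate relative references such as `/docs/a/../b.html` alone; `safe_join` shows the matching server-side check.

```python
"""Detect and prevent directory traversal (the vulnerability class behind
CVE-2010-4598 and similar web-server bugs). Added example, not vendor code."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). IPs are from the
# documentation range 203.0.113.0/24; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [01/Jul/2024:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 162
203.0.113.9 - - [01/Jul/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 162
203.0.113.9 - - [01/Jul/2024:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 162
203.0.113.11 - - [01/Jul/2024:10:00:05 +0000] "GET /static/..\\..\\windows\\win.ini HTTP/1.1" 404 162
203.0.113.12 - - [01/Jul/2024:10:00:06 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Strip the query string, percent-decode until stable (bounded, so a
    crafted input cannot loop forever) and fold backslashes to slashes."""
    decoded = raw.split("?", 1)[0]
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_root(raw: str) -> bool:
    """True if the decoded path's '..' segments ever climb above depth zero,
    i.e. outside the document root. '/docs/a/../b.html' stays inside."""
    depth = 0
    for seg in decode_path(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, raw_path, status) for every request that escapes the root.
    Note that the 404s still matter: scanners probe many paths before one hits."""
    hits = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m and escapes_root(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Server-side mitigation: resolve the requested path under the document
    root and refuse anything whose real path is not inside it. Works lexically
    for non-existent paths; on a live server it also follows symlinks."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(
        os.path.join(root_real, decode_path(user_path).lstrip("/"))
    )
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
    # Hypothetical document root used only for illustration.
    print(safe_join("/srv/www-example", "/../etc/passwd"))       # None
    print(safe_join("/srv/www-example", "/docs/a/../b.html"))    # inside root
```

The scanner flags four of the six constructed lines (the plain, single-encoded, double-encoded and backslash variants) and leaves the legitimate `/docs/a/../b.html` request alone. The depth-counting check is deliberately stricter than a simple substring match on `..`, which would produce false positives on that kind of in-root reference.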
Top Mobile Malware:
Joker. This Android spyware on Google Play is designed to steal SMS messages, contact lists, and device information. Additionally, it silently registers victims for premium services.
Anubis. An Android banking trojan that has evolved to include RAT capabilities, keylogging and ransomware features. It has been detected in hundreds of applications available on the Google Play Store.
AhMyth. A RAT discovered in 2017 that spreads through Android applications, enabling the collection of sensitive information and actions such as keylogging and screen capture.
The Education and Research sector received the most attacks last month, trailed by Government/Military and Healthcare.
Leading Ransomware Groups:
RansomHub. A ransomware-as-a-service (RaaS) operation that emerged as a revamped version of the Knight ransomware. The group has quickly gained notoriety for its aggressive campaigns, targeting Windows, macOS, Linux and VMware ESXi environments.
Play. Also known as PlayCrypt, this ransomware appeared in June 2022 and affected around 300 entities in October 2023. It typically gains network access through compromised accounts or unpatched vulnerabilities, using advanced techniques for data exfiltration and credential theft.
Akira. Emerging in early 2023, Akira targets Windows and Linux systems, encrypting files with CryptGenRandom and Chacha 2008. It spreads through infected email attachments and VPN exploits, appending the ".akira" extension to encrypted files and demanding a ransom for decryption.