Report | Cyber Security Report, 2020

Report | Cyber Security Report, 2020

Report | Cyber Security Report, 2020

C Y B E R

S E C U R I T Y R E P O R T

2 0 2 0

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

2

1 | E XECUTIVE SUMMARY: NAVIGATING THE E VER-CHANGING CONTOURS OF CY BER SECURIT Y .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 | TIMELINE OF 2019’S MA JOR CY BER E VENTS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 | 2020 VISION: CHECK POINT’S CY BER SECURIT Y PREDICTIONS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Targeted ransomware ............................................................. 14 The Tokyo 2020 Olympics as prime target ................................ 15 Phishing attacks go beyond email .......................................... 15 Mobile malware attacks step up ............................................. 16 More IoT devices, more risks ................................................... 17 Data volumes skyrocket with 5G .............................................. 18 AI will accelerate security responses ...................................... 18 Security at DevOps speed ........................................................ 19 Rethinking cloud approaches ................................................... 19

4 | 2019 CY BER SECURIT Y TRENDS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Introduction ........................................................................... 22 Shifting attacks to supply chain targets ................................... 24 Magecart becomes an epidemic ............................................... 25 Attacks against cloud environments ........................................ 27 Evolving mobile landscape ...................................................... 28 Targeted ransomware ............................................................. 30 Reemergence of exploit kits ................................................... 31

S E

C U

R IT

Y R

E P

O R

T 20

20 |

C H

E C

K P

O IN

T

3

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

S E

C U

R IT

Y R E

P O

R T 2020 | C

H E

C K

P O

IN T

5 | GLOBAL MALWARE STATISTICS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Cyber attack categories by region ........................................... 35 Global threat index map .......................................................... 36 Top malicious file types: web vs. email .................................... 37 Top malware families .............................................................. 38 Global analysis of top malware ................................................ 39

6 | HIGH-PROFILE GLOBAL V ULNER ABILITIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Microsoft RDP Vulnerabilities: BlueKeep and DejaBlue (CVE-2019-0708, CVE-2019-1182) .......... 50

Oracle WebLogic Server Vulnerabilities (CVE-2017-10271, CVE-2019-2725) ............................................ 51

Exim Mail Server Remote Code Execution Vulnerability (CVE-2019-10149) ................................................ 51

7 | RE VIE W OF 2019 CY BER THRE AT PREDICTIONS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

8 | RECOMMENDATIONS TO PRE VENT THE NE X T CY BER AT TACK .. . . . . . . . . . . . . 59 Choose prevention over detection ............................................ 60 Leveraging a complete unified architecture ............................. 61 Keep your threat intelligence up to date .................................. 61

9 | ZERO TRUST NE T WORKS: BEST PR ACTICES .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

A PPENDIX : MALWARE FAMILY DESCRIPTIONS .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

4

CHAPTER 1

5

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

NAVIGATING THE E VER-CHANGING CONTOURS OF CYBER SECURIT Y

EXECUTIVE SUMMARY

Each year, Check Point Research (CPR) reviews previous year cyber incidents

to gather key insights about the global cyber threat landscape. In this 2020

Cyber Security Annual Report, we offer a review of 2019’s major cyber incidents,

suggest predictions for 2020, and recommend best practices to help keep your

organization safe from cyber attacks.

With the popularity of cloud computing and network-connected smartphones,

it’s no secret that there are more ways to invade an organization. A once

hardened network perimeter is now blurred and porous to cyber attacks, and

the bad actors are well aware.

If there’s one clear takeaway from 2019, it’s that no organization, big or small, is

immune from a devastating cyber attack. Cyber exploits are more sophisticated,

illusive, and targeted than ever before. With cybercrime rates estimated to have

generated US$1.5 trillion in 2018,1 navigating today’s complex cyber threat

landscape requires comprehensive cyber security.

1 “33 Alarming Cybercrime Statistics You Should Know in 2019,” by Casey Cane, Security Boulevard, November 15, 2019

6

In 2019, becoming an under protected, “sweet spot” for hacking was dangerous

for entire industries. A large number of state and local public sector agencies

were ravaged by ransomware attacks. In some cases, entire local governments

were forced to declare a state of emergency due to the massive leaks of

sensitive data and loss of services.

In this 2020 Cyber Security Annual Report, we provide you with a timeline of

2019’s significant cyber events, including their relevant facts and insights.

By analyzing our telemetric, product and vulnerability research, and our own

ThreatCloud threat intelligence, we offer a detailed analysis of the cyber trends

you need to consider. We then offer our 2020 vision which includes cyber

security predictions.

Finally, we offer recommendations on cyber protection strategies, using security

“hygiene” best practices, advanced technology, and the focus on prevention, not

detection or remediation. In order to adopt a winning strategy against zero-day,

unknown cyber attacks, prevention should be considered.

ENTIRE LOCAL GOVERNMENTS WERE FORCED

TO DECLARE A STATE OF EMERGENCY DUE TO

MASSIVE LEAKS OF SENSITIVE DATA AND THE

LOSS OF SERVICES.

7

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

TIMELINE OF 2019’S MA JOR CYBER E VENTS

CHAPTER 2

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

8

2 “The 773 Million Record “Collection #1” Data Breach,” by Troy Hunt, Troyhunt.com, January 17, 2019 3 “Airbus Suffers Data Breach, Some Employees’ Data Exposed,” by Mohit Kumar, The Hacker News, January 31, 2019 4 “Hacker Breaches Dozens of Sites, Puts 127 New Million Records Up for Sale,” by Swati Khandelwal, The Hacker News, February 15, 2019 5 “800+ Million Emails Leaked Online by Email Verification Service,” by Bob Diachenko, Security Discovery, March 7, 2019

Over 770 million email addresses and 21 million unique passwords were exposed in a popular hacking forum after hosted in the cloud service MEGA. It became the single largest collection of breached personal credentials in history, named “Collection #1”.2 Later in the year, Collection #1 was discovered as a minor slice of a bigger 1TB data leak, split into seven parts and distributed through a data-trading scheme. Airbus, the world’s second-largest manufacturer of commercial airplanes suffered a data breach, exposing personal data of some of its employees.3 Unauthorized attackers breached Airbus’ “Commercial Aircraft business” information systems.

01 JAN

The world’s largest email validation company, Verifications.io., fell victim to a major data breach due to an unprotected MongoDB database. Data from over 800 emails was exposed, containing sensitive information that included personally identifiable information (PII).5

03 MAR

620 million account details were stolen from 16 hacked websites, and offered for sale on the popular dark web marketplace, Dream Market.4 Later on, the same threat actor using the alias “Gnosticplayers,” published for sale an- other trove of 127 million accounts from 8 more hacked websites.

02 FEB

9

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

6 “Facebook Caught Asking Some Users Passwords for Their Email Accounts,” by Swati Khendelwal, The Hacker News, April 3, 2019 7 “Over 100 Million JustDial Users’ Personal Data Found Exposed On the Internet,” by Mohit Kumar, The Hacker News, April 17, 2019 8 “Fxmsp Chat Logs Reveal the Hacked Antivirus Vendors, AVs Respond,” by Ionut IIascu, Bleeping Computer, May 13, 2019 9 “Data Breach Forces Medical Debt Collector AMCA to File for Bankruptcy Protection,” by Charlie Osborne, ZDNet, June 19, 2019

More than half a billion Facebook users' records were found exposed on unprotected Amazon cloud servers.6 The exposed data sets were collected and insecurely stored online by third-party Facebook app developers.

Personal data of over 100 million users of the Indian search service JustDial was exposed after an unprotected database was found online.7 The leaked data contained was collected in real-time from every customer who accessed the service via its website, mobile app, or even by calling, and includes usernames, email addresses, mobile numbers, addresses, occupation and even photos.

04 APR

American Medical Collection Agency (AMCA) suffered a major data breach, exposing personal and payment information of almost 20 million patients after attackers infiltrated their web payment portal.9 The information included names, date of birth, address, phone, date of service, provider, balance information, and credit card or bank account. AMCA filed for bankruptcy as the breach led to both financial and legal consequences.

06 JUN

A Russian hacking group offered for sale access to networks of Anti-Virus companies and the source code of their software.8 The group, called Fxmsp, claimed to have breached the networks of McAfee, Symantec, and Trend Micro Anti-Virus firms, obtaining long-term remote access and stealing 30 terabytes of data which were offered for sale.

05 MAY

https://www.inforisktoday.com/amca-bankruptcy-filing-in-wake-breach-reveals-impact-a-12662

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

10

A second Florida city, Lake City, agreed to pay a $500,000 after a ransomware attack crippled the city’s computer systems for two weeks.10 The attack, dubbed “Triple Threat,” combined three different methods of attack to target network systems and locked phone and email systems.

City Power, the electricity provider in the city of Johannesburg, South Africa, suffered serious disruptions after a ransomware attack. The attack prevented prepaid customers from buying electricity units and accessing City Power’s official website, eventually leaving them without electricity power.

07 JUL

A broad campaign of iPhone hacking was revealed. For at least two years, attackers used compromised websites to exploit 14 separate vulnerabilities in Apples iOS, installing spyware on thousands of Apple devices that visited the malware-tainted websites. Attackers gained access to location data, photos, contacts, Keychain pass- words, WhatsApp and other communication and social media content.

09 SEP

Capital One, one of the largest banking institutions in the United States, suffered a massive data breach, exposing personal information of over 106 million credit card applicants between 2005 and 2019. The hacker allegedly exploited a misconfigured firewall on one of Capital One’s cloud servers and stole over 700 folders of data. Over 20 Texas government organizations have been hit with ransomware in what appears to be a pre-coordinated attack against the entities. The cybercriminals behind the attack demanded $2.5 million in ransom to decrypt the data.

08 AUG

10 “Second US Town Pays up to Ransomware Hackers,” BBC, June 26, 2019

11

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

Personal medical data of nearly one million people in New Zealand was exposed in an intrusion to the systems of Tu Ora Compass Health organization. A hacker under the name of “Vanda The God” threatened to sell the information. Investigations revealed the systems were hacked on four different occasions.

10 OCT

New Orleans mayor declares a state of emergency in wake of a cyber attack disrupting city’s services.

12 DEC

UniCredit, an Italian banking company, suffered a data breach that resulted in the leak of personal information belonging to 3 million customers, after an unknown attacker compromised an old file from 2015 containing records of Italian customers, including names, phone numbers and email addresses.

11 NOV

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

12

CHAPTER 3

3

13

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

2020 VISION: CHECK POINT’S CYBER SECURIT Y PREDICTIONS

Per the saying, “hindsight is 20/20 vision,” it’s easier to know the right course of action

after something has happened, while it’s much harder to predict the future. However,

we’ve analyzed security incidents over the past couple of years to forecast what’s

likely to happen in the cyber landscape over the next 12 months. Here are the

key security and related trends that we expect to see during 2020. We start with our

high-level geopolitical predictions and then to the technology-related trends.

IT’S CLEARLY EVIDENT THAT

ORGANIZATIONS MUST ADOPT A STRATEGY

OF PREVENTION AND NOT MERELY RELY

ON DETECTION OR REMEDIATION.

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

14

TARGETED RANSOMWARE In 2019, we saw an escalation of sophisticated and targeted

ransomware exploits. Specific industries were heavily victimized,

including state and local government and healthcare organizations.

The new, stark reality is that attackers are spending more time to

gather intelligence on their victims, achieving maximum disruption

and scaled-up ransoms. Attacks have become so damaging that

the FBI has softened its previous stance on paying ransoms.

They now acknowledge that in some cases, businesses may need

to evaluate their options in order to protect their shareholders,

employees, and customers.

Ransomware attacks were launched this year as a lethal mass weapon that can easily shut down large-scale organizations, cities, local governments and healthcare organizations. New Orleans mayor declared a state of emergency in the wake of massive cyber attack. This reflects a gradual escalation in what we expect will get even worse in upcoming years. In light of such events, it’s clearly evident that organizations must adopt a strategy of prevention and not merely rely on detection

or remediation.

Lotem Finkelstein Head of Threat Intelligence

CYBERCRIMINALS ARE

USING VARIOUS ATTACK

VECTORS TO TRICK THEIR

INTENDED VICTIMS.

https://blog.checkpoint.com/2019/09/11/we-hit-snooze-on-ransomware-in-2017-guess-what-theres-a-2019-wakeup-call/ https://www.theregister.co.uk/2019/10/03/fbi_softens_stance_on_ransomware/

15

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

THE TOKYO 2020 OLYMPICS AS PRIME TARGET High-profile global exposure events are always within a hacker’s

line of sight. Previous Olympiad organizers faced extensive cyber

incidents, with 500 million attacks estimated during the 2016 Rio

Games and 250 million during the 2012 London Games.11 We expect

that attackers won’t “discriminate” with the 2020 Olympiad and

they’ll invest as much effort, if not more, to disrupt this highly

anticipated (and lucrative) event.

PHISHING ATTACKS GO BEYOND EMAIL While email is the top attack vector, bad actors are using a variety

of tricks to give up sensitive information. Increasingly, phishing

involves SMS texting attacks against mobiles or the use of messaging

on social media and gaming platforms.

11 “State-Backed Cyber Attacks Expected at Tokyo 2020 Games,” by Scott Ikeda, CPO Magazine, January 7, 2020

While email remains

the #1 attack vector, cybercriminals are also using a variety of other attack vectors to trick their intended victims into giving up personal information, login credentials, or even sending money. We have seen attackers obtain credentials to email accounts, study the victim for weeks and when the time is right, craft a targeting attack against partners and customers to steal money. Over the last two years, this attack has spiked with the increased use of SaaS-based email solutions.”

Dan Wiley Head of Incident Response

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

16

MOBILE MALWARE ATTACKS STEP UP The first half of 2019 saw a 50% increase in attacks by mobile

banking malware12 compared to 2018. This malware can steal

payment data, credentials, and funds from victims’ bank accounts,

and latest versions are made available for widespread distribution

to anyone that’s willing to pay the malware’s developers. Like

many cyber attacks, phishing will become more sophisticated and

effective, luring mobile users to click on malicious web links.

12 “Check Point Research: From Supply Chain to Email, Mobile and the Cloud, No Environment is Immune to Cyber Attacks,” Check Point, July 25, 2019

Surprisingly, mobile banking malware requires little technical knowledge to develop, and even less to operate. The malware searches for a banking app on the infected device and creates a fake overlay page once the user opens it. The user will then enter the user’s credentials, sending it directly to the

attacker’s server.

Maya Horowitz Director, Threat Intelligence

& Research

FROM IP CAMERAS AND SMART ELEVATORS

TO MEDICAL DEVICES AND INDUSTRIAL

CONTROLLERS, IOT DEVICES ARE INHERENTLY

VULNERABLE AND EASY TO HACK. THE NEW

GENERATION OF SECURITY WILL BE BASED

ON NANO SECURITY AGENTS.

17

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

MORE IOT DEVICES, MORE RISKS As 5G networks roll out, the use of connected IoT devices will

accelerate dramatically. They will increase networks’ vulnerability

to large-scale, multi-vector Gen V cyber attacks. IoT devices

and their connections to networks and clouds, are a weak link in

security. It’s hard to get visibility of these devices that can have

complex security requirements. What’s needed is a more holistic

approach to IoT security, combining traditional and new controls

to protect these ever-growing networks across all industry and

business sectors. The new generation of security will be based on

nano security agents. These micro-plugins can work with any device

or operating system in any environment, controlling all data that

flows to and from the device, and giving always-on security.

From IP cameras and smart elevators to medical devices and industrial controllers, IoT devices are inherently vulnerable and easy to hack. Moreover, most of these connected devices are not at all protected, as they’re connected to corporate networks without anyone’s knowledge. This security gap increases the risk of a successful cyber attack where critical devices can be shut down, damaged, manipulated, or used to infect other systems on the network. Now is the time to take action and secure IoT

the same way we secure IT.

Itai Greenberg

VP Product Management

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

18

DATA VOLUMES SKYROCKET WITH 5G The bandwidths that 5G enables will drive an explosion in numbers

of connected devices and sensors. eHealth applications will collect

data about users’ well-being. Connected car services will monitor

users’ movements. Smart city applications will collect information

about how users live their lives. This ever-growing volume of

personal data will need to be protected against breaches and theft.

AI WILL ACCELERATE SECURITY RESPONSES Most security solutions are based on detection engines built on

human-made logic, but keeping this current against the latest

threats and across new technologies and devices is impossible

to do manually. AI dramatically accelerates the identification of

new threats and responses to them, helping to block attacks

before they can spread widely. However, cybercriminals are also

starting to take advantage of the same techniques to help them

probe networks, find vulnerabilities, and develop more ever

more evasive malware.

AI is only as sophisticated as it’s learning curve. Expose the machine to skewed data and suddenly the atypical can become the algorithms’ “normal.” When considering the dynamic world of cybercrime, AI detection can be manipulated by criminals who are savvy enough to understand this. Which is why a robust, future-proof fraud detection approach needs to include more than

just AI.

Neatsun Ziv – VP Threat Prevention

SECURITY SOLUTIONS NEED TO EVOLVE TO A

NEW PARADIGM OF FLEXIBLE, CLOUD-BASED,

RESILIENT ARCHITECTURES THAT DELIVER

SCALABLE SECURITY SERVICES AT THE SPEED

OF DEVOPS.

19

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

SECURITY AT DEVOPS SPEED Many organizations have shifted workloads to the cloud.13 However,

the level of understanding as to securing them remains dangerously

low. Security is often an afterthought as traditional security can

be perceived as inhibiting business agility. This is why security

solutions need to evolve to a new paradigm of flexible, cloud-based,

resilient architectures that deliver scalable security services at

the speed of DevOps.

RETHINKING CLOUD APPROACHES Increasing reliance on public cloud infrastructure increases

enterprises’ exposure to the risk of outages, such as the Google

Cloud outage in March 2019.14 This will drive organizations to look

at their existing data center and cloud deployments, and consider

hybrid environments comprising both private and public clouds.

13 “Cloud Computing Trends: 2019 State of the Cloud Survey,” Flexera Blog, February 27, 2019 14 “Google Cloud Outage Is Over, The Second One In Four Months,” by Antony Savvas,

Data | Economy, March 13, 2019

Cloud computing is fast-

moving and dynamic. As organizations adopt new and more efficient cloud-based services and technologies to meet their business needs, cloud attack vectors become more complex and diversified. An additional concern is that cloud has enabled the increase in the speed and agility of development teams to use new technologies, but security controls for these new technologies often lag behind new technology adoption. So developers are either frustrated while waiting for the security controls, or press forward without the required security, and this is precisely what threat actors in the cloud

are waiting for.

Zohar Alon

Head of Cloud Product Line

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

20

CONCLUSION

We don’t yet have the benefit of hindsight to show

exactly what security threats we will face in

2020. Today’s hyper-connected world creates

more opportunities for cybercriminals, and every

IT environment is a potential target: on-premise

networks, cloud, mobile, and IoT devices. But

forewarned is forearmed. By using advanced threat

intelligence to power unified security architectures,

businesses of all sizes can automatically protect

themselves from future attacks.

21

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

4

CHAPTER 4

22

2019 CYBER SECURIT Y TRENDS

INTRODUCTION

2019 presented a complex threat landscape where

nation states, cybercrime organizations, and private

contractors accelerated the cyber arms race,

elevating each other’s capabilities at an alarming

pace. According to our Incident Response team, 1 out

of every 5 calls to our hotline ends up with a targeted

ransomware attack that shuts down operations.

The catalyst to this global trend can be found in the

fact that 28% of all organizations worldwide were

subject to botnet infection during 2019. Successful

infection of such a botnet opens the door to much

more destructive attacks, like ransomware.

23

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

• Attacks against the cloud environment – The

magnitude of cloud attacks and breaches has

continued to grow in 2019. Misconfiguration of

cloud resources is still the number one cause

for cloud attacks, but now we also witness an

increasing number of attacks aimed directly at

the cloud services providers.

• Evolution in mobile landscape – 2019 proved

the mobile threat landscape is now fully

matured. More malware types being migrated

to the mobile arena and more vulnerabilities

in mobile devices, apps and operating systems

are being exploited in the wild.

• Targeted ransomware – 2019 has been the year

of targeted ransomware attacks, with software

services, health care and public sectors at the

top of the victims list.

Attacks on mobile and cloud platforms also

evolved this year, with more vulnerabilities

exposed and potent exploits released in the

wild. These advanced attacks on public cloud

services enabled the massive data breaches we

witnessed this year. And our data indicates that

27% of all organizations globally were impacted

by cyber attacks that involved mobile device.15

SOME OF THIS YEAR’S CYBER ATTACK TRENDS:

• One stop before the target – In their ongoing

search for potential entry points, threat actors

are now reaching victims through their trusted

service providers and business partners.

• The year Magecart became an epidemic –

During Black Friday 2019 alone, Americans

spent $7.4 billion in online shopping. Following

the money, threat actors are seeking ways to

exploit this e-commerce ecosystem, to steal

credit card details, and customers’ private data.

15 Check Point Research

27% OF ALL ORGANIZATIONS

GLOBALLY WERE IMPACTED

BY CYBER ATTACKS

THAT INVOLVED MOBILE DEVICE.

https://www.cnbc.com/2019/11/30/black-friday-shoppers-spend-record-7point4-billion.html

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

24

console to deploy the Sodinokibi (REvil) Ransom-

ware on their clients’ systems.19 MSPs became a

popular target in 2019.20

In the Sea Turtle attack, the threat actor’s

ultimate objectives were security organizations

and ministries in the Middle East.21 However,

they targeted secondary victims such as DNS

registries, telecommunication companies and

ISPs to get to their primary victims.

Some campaigns manage to fully achieve

their objectives without even tackling the final

targets. In Operation Softcell, the Chinese group

APT10 hacked into large telecommunication

providers and used them to monitor the geolocations

and communication records of their final targets.22

In the Messagetap campaign, attributed to APT41,

attackers monitored SMS traffic of specific

individuals and also used keyword monitoring to

surveil general clients’ communication content.23

Awareness to these threats resulted in the US

Department of Homeland Security establishing

the Information and Communications Technology

Supply Chain Risk Management Task Force.

The task force published its interim report in

September, amongst other recommendations,

19 “Customers of 3 MSPs Hit in Ransomware Attacks,” by Jai Vijayan, Dark Reading, June 20, 2019

20 “At Least 13 Managed Service Providers were Used to Push Ransomware This Year,” by Catalin Cimpanu, October 13, 2019

21 “DNS Hijacking Abuses Trust in Core Internet Service,” by Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney, and Paul Rascagneres, Talos Intelligence, April 17, 2019

22 “Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers,” Cybereason Nocturnus, Cybereason, June 25, 2019

23 “MESAGETAP: Who’s Reading Your Text Messages?” by Raymond Leong, Dan Perez, and Tyler Dean, Fireye, October 31, 2019

SHIFTING ATTACKS TO SUPPLY CHAIN TARGETS In search of potential attack entry points,

threat actors have shifted their strategies

to locate vulnerable organizations that are

single step away from their main target.

Now, service providers and business partners

of primary targets are also victimized.

The classic method is a supply chain attack.

In October, Avast reported a security breach

in which CCleaner was believed to be a target

of such an attack.16 If successful, this attack

would have exposed all the CCleaner clients

to the attackers. The ShadowHammer attack

used Asus’s update mechanism with millions

of clients to target a group of only a few hundred

users.17 In the mobile arena, Check Point Research

investigated and exposed a large-scale operation

called Operation Sheep.18 In this attack,

non-suspecting application developers used a

data analytics SDK which later turned out to be

malicious and harvested the contact information

of more than 110 million end users.

Other attacks use trusted service providers and

their system privileges to compromise targets.

In one such attack, threat actors used exposed

RDP to hack into three MSPs (Managed Service

Providers) and used their Webroot SecureAnywhere

16 “Avast Fights Off Cyber-Espionage Attempt, Abiss,” by Jaya Baloo, Avast Blog, October 21, 2019

17 “Operation ShadowHammer: a High Profile Supply Chain Attack,” Kaspersky, April 23, 2019

18 “Operation Sheep: Pilfer-Analytics SDK in Action,” by Fexiang He and Andrey Polkovnichenko, Check Point Research, March 13, 2019

25

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

MAGECART BECOMES AN EPIDEMIC This past Black Friday alone, Americans spent

$7.4 billion in online shopping. Following the money,

threat actors are seeking ways to exploit this

ever-growing e-commerce ecosystem.27 Magecart

style attacks do just that, injecting malicious

JavaScript code into e-commerce websites to

steal customers’ payment methods information.

While JavaScript skimmers have been used

for years to steal credit card information from

online-shopping platforms, this phenomenon

has been ramped up greatly in 2019 as multiple

threat groups conduct massive attacks on major

e-commerce websites.

The term Magecart first entered public

awareness following the 2018 attacks on British

Airways and Ticketmaster, referring to the name

of the threat group behind these attacks. The

original Magecart attacks targeted businesses

utilizing the Magento open source PHP e-commerce

platform, but today numerous unrelated groups

and attacks on a variety of platforms, all involving

credit card skimming, are jointly referred to

as Magecart.28,29

27 “Black Friday Shoppers Spend Record $7.4 Billion in Second Largest Online Sales Day Ever,” by Alex Sherman, CNBC, November 30, 2019

28 “Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims,” by Yonathan Klijnsma, RISKIQ, September 11, 2018

29 “Inside and Beyond Ticketmaster: The Many Breaches of Magecart,” by Yonathan Klijnsma and Jordan Herman, RISKIQ, July 9, 2019

assessing the feasibility of Qualified Bidder &

Qualified Manufacturer Lists as a means of

prevention.24 In May 2019, President Trump

signed an Executive Order authorizing the

Commerce Secretary to regulate the acquisition

and use of information and communications

technology as well as services from foreign

adversaries, which later led to a ban of the

technology giant Huawei.25,26

Extending the circle of targets to include victims

outside of the organization makes it far harder to

protect assets. Maintaining a healthy suspicion

of previously trusted partners and their security

mechanisms has become an imperative in 2019.

24 “Information and Communications Technology Supply Chain Risk Management Task Force: Interim Report,” Cybersecurity and Infrastructure Security Agency (CISA), September 2019

25 “Executive Order on Securing the Information and Communications Technology and Services Supply Chain,” Whitehouse.gov, May 15, 2019

26 “US Bans Huawei from Selling Telecom Gear and Threatens its Supply Chain,” by Brian Fung, CNN Business, May 16, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

26

During this past year, Magecart attacks hit

hundreds of regular shopping sites, hotel chains

and other organizations, from commerce giants

like Procter & Gamble to small and medium

businesses.33, 34,35 Desktop and mobile platforms

alike were affected. Unsecured cloud services

provide an ideal entry point, as seen in a campaign

involving misconfigured AWS S3 buckets.36

One of the reasons for the surge in Magecart

attacks is that each element of this criminal

process can be separately purchased in

underground forums. The available services

include lists of websites using specific content

management systems, brute forcing services,

web shells, and a variety of JavaScript

skimmers to money mule chains leased to

convert the information into cash and goods.

All of these give access to Magecart operations

without requiring advanced offensive cyber skills.

33 “Ongoing Attack Stealing Credit Cards from Over a Hundred Shopping Sites,” Swati Khandelwal, The Hacker News, May 8, 2019

34 “Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites,” by Joseph C. Chen, Trend Micro, September 18, 2019

35 “P&G Online Beauty Store First Aid Beauty Hit by Magecart Attack,” by Pierluigi Paganini, Security Affairs, October 26, 2019

36 “Spray and Pray: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets,” by Yonathan Klijnsma, RISKIQ, July 10, 2019

A Magecart attack begins with gaining access

to the backend server of an online retailer

by exploiting known vulnerabilities, brute

forcing operators’ passwords or in some

cases by installing skimmers in third party’s

code or services in a Supply-Chain attack. One

such attack targeted PrismWeb, an e-commerce

platform.30 The attackers injected a skimming

script into the shared JavaScript libraries used

by online stores, thus affecting more than 200

online university campus stores in North America.

After gaining access to compromised websites,

attackers injected malicious JavaScript

skimmers into the targeted services. The

skimmers exfiltrate payment details to

designated drop servers. For online stores

that manage their own payments, such as

Forbes, skimmer code is injected directly

into the subscribers’ payment section.31 For

stores which use external payment services,

fake payment forms are injected into the

redirection page to convince customers to

enter payment details before being redirected

to the payment service.32

30 “Mirrorthief Group Uses Magecart Skimming Attacks to Hit Hundreds of Campus Online Stores in US and Canada,” by Joseph C. Chen, Trend Micro, May 3, 2019

31 “Magecart Hackers Inject Card Skimmer in Forbes Subscription Site,” by Pierluigi Paganini, Security Affairs, May 16, 2019

32 “Skimmer Acts as Payment Service Provider via Rogue iframe,” by Jerome Segura, Malware Bytes Labs, May 21, 2019

27

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

This year, we witnessed a record number of

data breaches with employees and clients

information stolen in enormous quantities.

A misconfigured cloud environment was the

main cause for the vast number of data theft

incidents. In April, unprotected Amazon

servers resulted in the exposure of more than

half a billion records of Facebook users, through

third-party apps.41 Misconfigured Box accounts

leaked terabytes of sensitive data, and in

another case, sensitive income information

of roughly 80 million Americans, hosted on

a Microsoft cloud server, had been exposed

online.42,43 Tens of millions of passenger records

owned by two airline companies stored on

unsecured Amazon buckets have been exfiltrated

and later exchanged in online forums.44

Misconfigured cloud accounts lead not only

to data exfiltration but also to active exploitation

of clients. By scanning for misconfigured

Amazon S3 buckets, a Magecart group located

and injected JavaScript skimmers to the code of

thousands of websites through exposed buckets,

using them to collect credit card information

from the websites’ customers.45

41 “Hundreds of Millions of Facebook User Records Were Exposed on Amazon Cloud Server,” by Jason Silverstein, CBS News, April 4, 2019

42 “Box Data Leak- Terabytes of Data Exposed from Companies Using Cloud Based Box Accounts,” by Balaji N., GB Hackers on Security, March, 12 2019

43 “Exposed Database Leaks Addresses, Income Info of Millions of Americans,” by Sergiu Gatalan, Bleeping Computer, April 29, 2019

44 “Millions of Lion Air Passenger Records Exposed and Exchanged on Forums,” by Ionut Ilascu, Bleeping Computer, September 17, 2019

45 “Spray and Pray: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets,” by Yonathan Klijnsma, RISKIQ, July 10, 2019

ATTACKS AGAINST CLOUD ENVIRONMENTS As we noted in our 2019 midyear report,

misconfiguration and mismanagement of cloud

resources are still the number one cause for

cloud attacks, but now we also witnessed an

increasing number of attacks aimed directly at

cloud services providers.37 With a growing public

cloud industry, the frequency and magnitude

of cloud attacks and breaches continued to

grow in 2019.

The cloud industry is growing exponentially and

is expected to rise from the current revenue of

$227 Billion in 2019 to $354 Billion by 2022.38

Currently, more than 90% of enterprises use

some type of cloud service.39 According to

Check Point’s 2019 Cloud Security Report most

of them use Software as a Service (SaaS)

products with Microsoft Office 365 being the

most popular service used by 66% of surveyed

organizations.40 And still, 67% of security teams

complained about lack of visibility into their

cloud infrastructure, security, and compliance.

37 “The Evolution of Cyber Attacks in 2019,” Check Point Software Technologies LTD, July 2019

38 “Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17% in 2020,” Gartner, November 13, 2019

39 “2019 State of the Cloud Report from Flexera,” Flexera, 2019 40 “Check Point’s 2019 Cloud Security Report Identifies Range

of Enterprise Security Challenges in Public Clouds,” Check Point Press Releases, July 16, 2019

MORE THAN 90%

OF ENTERPRISES

USE SOME TYPE

OF CLOUD SERVICE.

https://media.flexera.com/documents/rightscale-2019-state-of-the-cloud-report-from-flexera.pdf

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

28

EVOLVING MOBILE LANDSCAPE 2019 proved that the mobile threat landscape

is now fully matured. From nation-state cyber

operations, through private espionage and

intelligence companies to cybercrime organizations,

everyone adjusts their cyber weapons to evolving

mobile device technology.

Although threat actors did not exploit the

mobile ecosystem initially, this year we saw a

continual increase in mobile-related cyber

attacks. Hackers became more proficient as they

gained operational experience. More and more

malware types have been adjusted to mobile

devices, and instead of relying solely on phishing

campaigns to reach victims, we’re now seeing

an increasing number of vulnerabilities exploited

in the wild.

Current types of mobile malware now include

Remote Access Trojans (RAT), banking Trojans,

cryptominers, adware, and even ransomware.50,51,52

Adware is still the most common type of mobile

malware, and can be found on popular application

markets like Google Play and App Store.

One example is Agent Smith, which replaced

legitimate applications with a backdoor replica

on millions of devices, hijacking their ad

revenues. Banking Trojans and RATs like Gustuff

50 “iPhone Users Warned As Malware and the U.S. Supreme Court, Targets Apple,” by Davey Winder, Forbes, July 30, 2019

51 “Banking Trojans Are Top Financial Services Threat,” by Phil Muncaster, Infosecurity Magazine, December 6, 2019

52 “Android Ransomware is Back,” by Lukas Stefanko, WeLiveSecurity, July 29, 2019

One source cites that although cryptocurrencies

have declined in value, cloud infrastructures

are a huge target for cryptomining campaigns.

Container management platforms, cloud APIs,

and control panels were among the cloud

structures targeted by threat actors.46 In May,

Microsoft Azure cloud services were used to

store malware or implement command and

control servers.47

Not only misconfiguration leads to attacks on a

cloud infrastructure. The infrastructure itself

is prone to vulnerabilities. Vulnerability in

SoftNAS cloud platform discovered this March

could allow unauthorized attackers to bypass

authentication, gaining access to a company’s

web-based admin interface and to run arbitrary

commands as root.48 Other vulnerabilities,

exploiting hardware re-provisioning procedures

could allow attackers to gain a foothold and take

control of future provisioned IaaS servers.49

Threat actors follow close behind their intended

victims. As organizations increase their security

awareness, the threat actors adopt more

advanced ways to exploit cloud-based assets.

46 “Enterprise Cloud Infrastructure a Big Target for Cryptomining Attacks,” by Jai Vijayan, Dark Reading, March 13, 2019

47 “Threat Actors Abuse Microsoft Azure to Host Malware and C2 Servers,” by Pierluigi Paganini, Security Affairs, June 2, 2019

48 Untitled, by Digital Defense Inc., SoftNAS Cloud Zero-day Blog, March 20, 2019

49 “’Cloudborne’ IaaS Attack Allows Persistent Backdoors in the Cloud,” Threatpost, Tara Seals, February 26, 2019

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

29

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

The details of a two-year long operation

published in August, revealed a large-scale

campaign using 14 iOS vulnerabilities. Some

of them zero-day attacks to hack into thousands

of iPhones.63

According to reports, vulnerabilities in

WhatsApp were exploited by the NSO Group and

allowed attackers to take over users’ phones.64

However, NSO is not the only private company

exploiting such weaknesses and offering

commercial exploitation services. DarkMatter

and Gamma Group offer similar utilities, mostly used

by nation-states for surveillance operations.65,66

Not just new and expensive vulnerabilities

threaten mobile platforms. Check Point Research

revealed that even popular mobile applications,

available on the Google Play, remain susceptible to

long-known vulnerabilities in their dependencies.67

Nation-states and professional corporations

are not the only ones to take part in this venture.

Smaller actors offer Malware as a Service

(MaaS) and their frequency in the malware

landscape is increasing.

63 “Mysterious iOS Attack Changes Everything We Know About iPhone Hacking,” by Andy Greenberg and Lily Hay Newman, Wired, August 30, 2019

64 “The NSO WhatsApp Vulnerability – This is How It Happened,” by Check Point Research, May 14, 2019

65 “Inside the UAE’s Secret Hacking Team of American Mercenaries,” by Christopher Bing and Joel Schectman, Reuters, January 30, 2019

66 “Powerful FinSpy Spyware Found Targeting iOS and Android Users in Myanmar,” Swati Khandelwal, The Hacker News, July 10, 2019

67 “Long-known Vulnerabilities in High-Profile Android Applications,” by Slava Makkaveev, Check Point Research, November 21, 2019

and Cerberus target users of large number of

financial mobile apps, and even exploit

vulnerabilities in mobile network protocols

to bypass 2FA schemes.53,54,55,56 Numerous

examples of spyware were also reported this

year, including the Egyptian government

monitoring dissidents activity, the Chinese

spying on Tibetans, Middle East campaigns,

attacks involving European residents, and

more.57,58, 59 Mobile cryptominers and ransomware

activity also continued in 2019.60

With a maturing mobile malware arena, more

threat actors relied on vulnerabilities for their

initial infection or secondary stage escalation,

as opposed to bad user practices. Such

vulnerabilities in Android OS were reported on

multiple occasions for exposing users to RATs

and other threats.61,62 iPhone vulnerabilities

were exposed and exploited as well.

53 “Gustuff: Weapon of Mass Infection,” by Ivan Pisarev, Group IB, April 4, 2019

54 “Cerberus: A New Android ‘Banking Malware for Rent’ Emerges, by Swati Khandelwal, The Hacker News, August 13, 2019

55 “New SIM Card Flaw Lets Hackers Hijack Any Phone Just by Sending SMS,” Mohit Kumar, The Hacker News, September 12, 2019

56 “Criminals are Tapping into the Phone Network Backbone to Empty Bank Accounts,” by Joseph Cox, Vice, January 31, 2019

57 “Tibetan Groups Targeted with 1-Click Mobile Exploits,” by Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Robert Diebert, Munk School, September 24, 2019

58 “Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East, by Ecular Xu and Grey Guo, Trend Micro, June 18, 2019

59 “Exodus: New Android Spyware Made in Italy,” Security Without Borders, March 20, 2019

60 “Android Ransomware is Back,” by Lukas Stefanko, WeLiveSecurity, July 29, 2019

61 “Attackers Exploit 0-day Vulnerability that Gives Full Control of Android Phones,” by Dan Goodin, Ars Technica, October 3, 2019

62 “Android: New StrandHogg Vulnerability is Being Exploited in the Wild,” by Catlin Cimpanu, ZDNet, December 2, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

30

The majority of successful targeted attacks

were fueled by the growing cooperation between

threat actors. One example is the massive

spam distribution of Emotet, which found a

foothold in many corporations worldwide,

opening the door to other threat actors willing

to pay for access. As a result, what started as

a “simple” Emotet infection often expanded into

a full-blown infection of the Ryuk or Bitpaymer

ransomwares, operated by the Trickbot and

Dridex gangs respectively.

Different threat actors have different methods

so the initial infection vector of such ransom-

ware attacks can vary. This can range from

spear-phishing to hacking into unsecured and

misconfigured RDP servers and to outsourcing

it to botnet operators. And in some cases, they

even used torrent uploaders and Managed

Service Providers to gain the initial foothold

inside big companies.71, 72

Rather than immediately deploy a ransomware,

offenders often spend weeks exploring the

compromised network to locate high-value

assets as well as backups, thus maximizing

their damage. Ironically, companies that try

to protect their data by using cloud services

occasionally find that their service provider

itself has been targeted.73,74

71 “Torrent Sites Ban Popular Uploader ‘CracksNow’ for Sharing Ransomware, by Ernesto, Torrent Freak, February 17, 2019

72 “Ransomware Gangs Hack MSPs to Deploy Ransomware on Customer Systems,” by Catalin Cimpanu, ZDNet, June 20, 2019

73 “Ransomware Bites Dental Data Backup Firm,” Krebs on Security, August 29, 2019

74 “Cloud Hosting Provider DataResolution.net hit by the Ryuk Ransomware,” Security Affairs, Pierluigi Paganini, January 2, 2019

This year, we witnessed the discontinuation

of the Anubis banking Trojan and the rise of

Cerberus with its integrated evasion techniques,

which are offered to paying-customers in

underground forums.68, 69

As we stated in our midyear report, the mobile

arena is gearing up with more vulnerabilities

exposed and exploited.70 New malware strains

are being migrated to the mobile arena, and

actors of all sizes are hacking into valuable

assets available through our mobile devices.

TARGETED RANSOMWARE Ransomware attacks have remained active,

but with one main difference in 2019: They’re

more targeted. Ransomware distribution has

shifted from a numbers game to a more targeted

approach of “big game hunting,” where advanced

threat actors find or buy their way into specific

target organizations. This has enabled them to

encrypt vital infrastructure and demand high

ransom payments.

The targeted approach almost entirely replaced

the mass distribution method for ransomware,

which peaked in 2017 through 2018. At its

highest, over 30 percent of all businesses, as

well as many home users, were impacted.

68 “Anubis Android Banking Malware Returns with Extensive Financial App Hit List,” by Charlie Osborne, ZDNet, July 9, 2019

69 “Cerberus- A New Banking Trojan from the Underworld,” Threat Fabric, August, 2019

70 “The Evolution of Cyber Attacks in 2019,” Check Point Software Technologies LTD, July 2019

31

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

threat actor’s unreliability or incompetence.84,85 The tendency to pay demands, sometimes encouraged by insurers, might be one of the major reasons behind this year’s explosion of

targeted ransomware attacks.

REEMERGENCE OF EXPLOIT KITS Exploit Kits belong to a small yet not very

exclusive club – Drive-By attacks. They allow

threat actors to infect unaware users just by

browsing to a compromised website from a

vulnerable browser, without any additional action

on the user’s part. This technique is effective.

It relies heavily on unpatched browsers and

plugins like Internet Explorer and Adobe Flash

for successful exploitation. As a direct result,

the popularity and effectiveness of such Exploit

Kits fluctuates according to the disclosure of

new browser vulnerabilities. When a new

vulnerability is disclosed, the attackers are

presented with a small window of opportunity,

where they can potentially exploit a large base

of end-users, until a patch is widely deployed.

In 2019 however, after a steady decline in their

popularity, we have witnessed a resurgence

of new exploit kits that are unrelated to the

release of new vulnerabilities. Overall, at least

six new exploit kits were observed in the wild,

which contradicted expected behavior, as no

new easy-to-implement high-risk vulnerabilities

were disclosed during 2019.

84 “Mayors Pass Resolution Against Paying Ransomware Ransoms,” by Colin Wood, Statescoop, July 10, 2019

85 “Payroll Provider Gives Extortionists a Payday,” Krebs on Security, February 23, 2019

At the top of the victims list, software services,

health care, and government are the most

targeted sectors. US municipalities were a

popular choice in the public sector in 2019,

including Orange County CA ($400K ransom),

Cleveland Hopkins International Airport,

City of Baltimore ($18M recovery cost), Riviera

Beach City ($600K ransom), Lake City, Florida

($500K ransom), La Porte County IN ($130K

ransom), New Bedford MA ($5.3M ransom)

and more.75,76,77,78,79, 80,81

Once their files are encrypted, victims face

the choice of paying ransomware or suffering high recovery costs or permanent loss of data. Many, like Norsk Hydro Aluminum, opt to not pay ransom demands and find the recovery costs extremely high ($50M).82,83 Others ignored public resolutions against paying but found their data was still inaccessible afterward, likely due to the

75 “Orange County Computer Network Hit by Ransomware Attack,” by Zachary Eanes, The News & Observer, March 18, 2019

76 “Cleveland Acknowledges for First Time Hopkins Airport Hack Involved Ransomware,” Cleveland.com, April 29, 2019

77 “Baltimore Estimates Cost of Ransomware Attack at $18.2 Million as Government Begins to Restore Email Accounts,” The Baltimore Sun, by Ian Duncan, May 29, 2019

78 “The Riviera Beach City Pays $600,000 in Ransom,” by Pierluigi Paganini, Security Affairs, June 20, 2019

79 “Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month,” by Mohit Kumar, The Hacker News, June 26, 2019

80 “La Porte County Pays $130,000 Ransom to Ryuk Ransom- ware,” by Ionut IIascu, Bleeping Computer, July 14, 2019

81 “Ransomware Gang Wanted $5.3 Million from US City, but They Only Offered $400,000,” by Catalin Cimpanu, ZDNet, September 4, 2019

82 “Norsk Hydro Will Not Pay Ransom Demand and Will Restore From Backups,” by Catalin Cimpanu, ZDNet, March 22, 2019

83 “Norsk Hydro Estimates March Cyber Attack Cost at $50 Million,” by Pierluigi Paganini, Security Affairs, April 30, 2019

32

Though these new exploit kits do not introduce

any new complexity or previously unseen

features to the ecosystem, and they’re often

just copy-pasted from known vulnerabilities,

POC code, and other exploit kits, they’re still

effective. A previous report by Check Point

Research shows the potential of exploit kits

as an infection source, as well as the market

they’re sold in.92 Overall, the sharp rise in the

popularity of exploit kits means that more

unprotected users are exposed to this threat.

92 “Inside the Hacking Community Market – Reselling RIG EK Services,” Check Point Research, October 24, 2019

We also witnessed the arrival of the SpelevoEK,

which exploits a flash vulnerability with

Virtual-Machine evasion functionality.86 In

July, RadioEK was observed using well-known

vulnerabilities to deliver AZORult stealer and

Nemty ransomware, mostly in Japan.87 This was

followed by LordEK delivering njRAT and Eris

ransomware.88 In September, we “welcomed”

Purple Fox, which was previously delivered

by RigEK, but matured into an independent

fileless exploit kit, as well as BottleEK which

targeted the Japanese market.89, 90 In October,

CapesandEK reshaped publicly shared source

code into a new stealthy product.91

86 “2019-03-16 – Spelevo Ek Examples,” Malware Traffic Analysis.Net

87 “Weak Drive-by Download attack with “Radio Exploit Kit,” nao_sec, July 15, 2019

88 “Virus Bulletin Researcher Discovers New Lord Exploit Kit,” by Martjin Grooten, Virus Bulletin, August 5, 2019

89 “Say hello to Bottle Exploit Kit targeting Japan,” nao_sec, December 12, 2019

90 “’Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell,” by Trend Micro, Trend Micro, September 9, 2019

91 “New Exploit Kit Capes and Reuses Old and New Public Exploits and Tools, Blockchain Ruse,” by Trend Micro, Trend Micro, November 5, 2019

33

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

5

CHAPTER 5

34

GLOBAL MALWARE STATISTICS

Data comparisons presented in the following

sections of this report are based on data drawn

from the Check Point ThreatCloud Cyber Threat

Map between January and December 201993

93 “Live Cyber Threat Map,” Check Point Software LTD

https://threatmap.checkpoint.com/ https://threatmap.checkpoint.com/

35

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

CYBER ATTACK CATEGORIES BY REGION

GLOBAL AMERICAS

EUROPE, MIDDLE EAST, AND AFRICA (EMEA)

APAC

BankingMobileBotnet RansomwareInfostealerCrypto miners

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

36

GLOBAL THRE AT INDE X MAP Check Point's Threat Index is based on the

probability that a machine in a certain country

will be attacked by malware. This is derived from

the ThreatCloud World Cyber Threat Map, which

tracks how and where cyberattacks are taking

place worldwide in real time.

37

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

TOP MALICIOUS FILE T YPES: WEB VS EMAIL

40%

35%

30%

25%

20%

15%

10%

5%

0% exe apkswf rtf htmlpdf msidoc js xls

Figure 1: Web – Top malicious file types

Figure 3: Distribution protocols – Email vs web attack vectors

50%

40%

30%

20%

10%

0% doc pdfrtf docx lnkexe xlsxlsx com jar

Figure 2: Email – Top malicious file types

e-mail 68%

web 32%

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

38

TOP MALWARE FAMILIES

Figure 4: Most Prevalent Malware Globally Percentage of corporate networks impacted by each malware family

25%

15%

10%

5%

0%

GLOBAL

Figure 5: Most Prevalent Malware in the Americas

AMERICAS 25%

15%

10%

5%

0%

Figure 6: Most Prevalent Malware in EMEA

EUROPE, MIDDLE EAST, AND AFRICA (EMEA) 30%

25%

15%

10%

5%

0%

Figure 7: Most Prevalent Malware in APAC

ASIA PACIFIC (APAC) 30%

25%

15%

10%

5%

0%

39

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

GLOBAL ANALYSIS OF TOP MALWARE Cryptominers remain the most prevalent malware type with a small decrease

in most regions. On the other hand, ransomware presented a slight increase

compared to 2018, though still remaining at the bottom of the malware

type list. While the number of impacted companies is relatively low, the

severity of the attack on each company is much higher. This is the result of

the year-old business model of targeted ransomware attacks. We measured a

surge in botnet activity, likely fueled by the increasing revenue they generate,

through malware distribution services, malspam, sextortion email activity,

and DDoS attacks.

EMOTET First identified in 2014 and classified as a Banking Trojan, Emotet was

designed to steal personal financial information. But like many other

malware families, it has since evolved to use its existing assets for additional

income sources and upgraded its evasion and propagation mechanisms. In

2019, Emotet had evolved into a botnet, mostly distributed via large-scale

spam campaigns. Emotet has established itself as a king amongst malware

distributors, capable of delivering infections to a large number of infected

hosts. It is also able to act as a launching platform for precise and coordinated

attacks against well-financed organization. Most notable is the cooperation of

Emotet with Trickbot and Dridex, which resulted in a number of devastating

ransomware attacks.94

94 “Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk,” by Noa Pinkas, Lior Rochberger and Matan Zatz, Cybereason, April 2, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

40

TOP CRYPTOMINING MALWARE

Figure 8: Top Cryptomining Malware Globally

Figure 10: Top Cryptomining Malware in EMEA

GLOBAL

Figure 9: Top Cryptomining Malware in the Americas

Figure 11: Top Cryptomining Malware in APAC

AMERICAS

EUROPE, MIDDLE EAST, AND AFRICA (EMEA) ASIA PACIFIC (APAC)

41

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

CRYPTOMINERS GLOBAL ANALYSIS Coinhive, the drive-by cryptominer, shut down its operations in March, ceasing

to exploit websites and online games for mining Monero.95 Thus, Coinhive

vacated its high place in the cryptominers arena to JSEcoin and Cryptoloot.

XMRig, an open source Monero mining software often abused by various

malware (like NRSMiner) for local exploitation of victim’s resources, especially

dominates the Asia pacific (APAC) area.

BANKING TROJANS GLOBAL ANALYSIS Trickbot and Ramnit populate the top places of the banking Trojans table. Their

popularity is due to fact that they not only serve as banking Trojans but also

offer additional services. This is definitely a trend as pure banking Trojans have

become rare once threat actors realized that a foothold on a victim’s machine

could be used for a lot more than just stealing sensitive banking information.

RAMNIT Ramnit, the prolific banking Trojan, has kept its place at the top of the 2019

banking Trojan list. Over the years, Ramnit has expanded its targets to include

online advertising, web services, social networking, and e-commerce sites. In

2019, Ramnit returned to its roots and was spotted largely targeting financial

services websites to coincide with tax return activity, primarily in Italy.96

95 “Coinhive Dead but Browser-Based Cryptomining Still a Threat,” by Ionut Ilascu, Bleeping Computer, May 2, 2019

96 “Ramnit Returns to its Banking Roots, Just in Time for Italian Tax Season,” by Remi Cohen and Roy Moshailov, F5 Application Threat Intelligence, April 23, 2019

<?> “Coinhive Dead but Browser-Based Cryptomining Still a Threat,” by Ionut Ilascu, Bleeping Computer, May 2, 2019

https://research.checkpoint.com/2018/new-ramnit-campaign-spreads-azorult-malware/

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

42

TOP BANKING TROJANS

Figure 12: Most Prevalent Banking Trojans Globally

GLOBAL

Trickbot

Ramnit

Ursnif

DanaBot

Dridex

Qbot

Other

Figure 13: Most Prevalent Banking Trojans in the Americas

AMERICAS

Trickbot

Ramnit

Dridex

DanaBot

Ursnif

Icedid

Other

Figure 14: Most Prevalent Banking Trojans in EMEA

EUROPE, MIDDLE EAST, AND AFRICA (EMEA)

Trickbot

Ramnit

Ursnif

DanaBot

Dridex

Qbot

Other

Figure 15: Most Prevalent Banking Trojans in APAC

ASIA PACIFIC (APAC)

Ramnit

Trickbot

Dridex

Ursnif

DanaBot

Qbot

Other

43

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

BOTNET GLOBAL ANALYSIS Many of today’s popular botnets were initially specialized to a single task.

Banking Trojans like Emotet and Trickbot make use of their resources and

infrastructure to spread other malware and have long become full featured

botnets. Cryptominers like KingMiner97 have upgraded their operation to fully

mature botnets. Other botnets like Phorpiex98 diversify their operations to

generate income from Sextortion operations in addition to regular malspam

campaigns and DDoS services.

TRICKBOT Trickbot is a notorious Banking Trojan known since 2016. Besides its

impressive capabilities in stealing banking information, Trickbot acts as a

botnet, with a modular architecture enabling agile functionality for the

gang behind it. Whether they’re selling installations for other threat actors,

stealing banking credentials, mining Cryptocurrency, or launching a

full-scale APT operation, the operators behind Trickbot have the platform

to do it all.99

97 “KingMiner: The New and Improved CryptoJacker,” by Ido Solomon and Adi Ikan, Check Point Research, November 29, 2018

98 “In the Footsteps of a Sextortion Campaign,” by Gil Mansharov and Alexey Bukhteyev, Check Point Research, October 16, 2019

99 “Anchor Project, The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT,” by Vitali Kremez, December 10, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

44

TOP BOTNE TS

ASIA PACIFIC (APAC)

Figure 19: Most Prevalent Botnets in APAC

Emotet

Trickbot

Glupteba

Phorpiex

Mylobot

Mirai

Other

EUROPE, MIDDLE EAST, AND AFRICA (EMEA)

Figure 18: Most Prevalent Botnets in EMEA

Emotet

Trickbot

DanaBot

Phorpiex

Mirai

Glupteba

Other

GLOBAL

Figure 16: Most Prevalent Botnets Globally

Emotet

Trickbot

DanaBot

Phorpiex

Mirai

Glupteba

Other

AMERICAS

Figure 17: Most Prevalent Botnets in the Americas

Emotet

Trickbot

DanaBot

Phorpiex

Mirai

Glupteba

Other

45

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

MOBILE MALWARE GLOBAL ANALYSIS NECRO

Necro, the Android Trojan, was an unexpected addition to our top charts. Responsible

for this quick rise to the top, is the CamScanner app - available on the Google Play

store. With more than 100 million installations, CamScanner is one of the most popular

document-to-pdf applications on the app store. This entire user base was instantly

exposed to a malicious backdoor once the developers of the application unknowingly

switched their ads library to a back-doored one infected with Necro.100

Adware continues to be one of the most lucrative business models for mobile malware

authors. This is substantiated by our top mobile malware, including Guerrilla,

AndroidBauts, and the newly discovered xHelper, being ads and click-fraud related.101

100 “Malicious Android app had More Than 100 Million Downloads in Google Play,” by Kaspersky Team, Kaspersky Daily, August 27, 2019

101 “Xhelper: Persistent Android Dropper App Infects 45K Devices in Past 6 Months,” by May Ying Tee and Tommy Dong, Symantec, October 29, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

46

TOP MOBILE MALWARE

GLOBAL AMERICAS

EUROPE, MIDDLE EAST, AND AFRICA (EMEA) ASIA PACIFIC (APAC)

Figure 20: Top Mobile Malware Globally Figure 21: Top Mobile Malware in the Americas

Hiddad

xHelper

Necro

AndroidBauts

Guerilla

Other

Figure 22: Top Mobile Malware in EMEA

xHelper

Hiddad

AndroidBauts

Guerilla

Necro

Other

Figure 23: Top Mobile Malware in APAC

xHelper

Hiddad

Necro

Guerilla

AndroidBauts

Other

Hiddad

xHelper

Necro

AndroidBauts

MobiDash

Other

47

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

INFOSTEALER GLOBAL ANALYSIS Not surprisingly, commodity malware dominates the infostealer arena. New

and non-proficient threat actors would download or buy off-the-shelf malware

from hacking forums and dark markets. These ready-to-launch kits often

come in an easy-to-install package, including a payload generator where you

can configure multiple functionality options and a C&C web panel to where

all the stolen information would be collected and displayed.

FORMBOOK Introduced in 2016, Formbook has immediately gained popularity among the

community of beginning threat actors. It’s a classic example of malware as a

service. For around $50, the authors provide a hosted instance of Formbook,

minimizing the infrastructure building overhead for the attackers who want

to launch a campaign. This simplicity brought it to the top of the malware list,

with new Formbook spam campaigns launched on a weekly basis.102

Formbook itself is relatively advanced for commodity malware. It’s coded in

Assembly with a number of built-in anti-analysis and anti-sandbox techniques

to evade detection. It possesses everything the attacker needs to successfully

spy on a target, including browser form grabbing, screenshots taking,

password theft, and additional payload execution.

102 “More Malspam Pushing Formbook,” SANS ISC InfoSec Forums, 2019

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

48

TOP INFOSTE ALER MALWARE

AMERICAS

Figure 25: Top Infostealer Malware in the Americas

Formbook

AgentTesla

Lokibot

Hawkeye

Nanocore

Pony

Other

GLOBAL

Figure 24: Top Infostealer Malware Globally

Lokibot

AgentTesla

Hawkeye

Formbook

Pony

Nanocore

Other

ASIA PACIFIC (APAC)

Figure 27: Top Infostealer Malware in APAC

Lokibot

AgentTesla

Hawkeye

Pony

Formbook

Nanocore

Other

EUROPE, MIDDLE EAST, AND AFRICA (EMEA)

Figure 26: Top Infostealer Malware in EMEA

Lokibot

AgentTesla

Hawkeye

Formbook

Pony

Nanocore

Other

CHAPTER 6

6

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

50

HIGH-PROFILE GLOBAL V ULNER ABILITIES

The following list of top attacks is based on data collected by the Check Point

Intrusion Prevention System (IPS) sensor-net and details some of the

most popular and interesting attack techniques and exploits observed by

Check Point researchers in 2019.

MICROSOFT RDP VULNERABILITIES: BLUEKEEP AND DEJABLUE

(CVE-2019-0708, CVE-2019-1182)

First reported in May 2019, BlueKeep was highlighted as critical security

vulnerability by Microsoft, followed by additional related vulnerabilities

months later, dubbed DejaBlue. The vulnerabilities exist in the Remote Desktop

Protocol (RDP), allowing Remote Code Execution (RCE), which is especially

dangerous due to its wormable nature that could lead to quick worldwide

epidemic. Soon after its publication, actors started scanning the internet for

vulnerable devices. By September, Metasploit released a BlueKeep exploit

and in November, the first campaign exploiting BlueKeep has been reported,

leveraging it to install cryptominers.103,104,105 To this point, no wormable variant

of malware using these RDP exploits has been detected in the wild, with a

WannaCry scale disaster still waiting to happen.

103 “Internet Scans Found Nearly One Million Systems Vulnerable to BlueKeep,” by Pierluigi Paganini, Security Affairs, May 28, 2019

104 “Exploit for Wormable BlueKeep Windows Bug Released Into the Wild,” by Dan Goodin, Ars Technica, September 6, 2019

105 “First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild,” by Pierluigi Paganini, Security Affairs, November 3, 2019

51

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

ORACLE WEBLOGIC SERVER VULNERABILITIES

(CVE-2017-10271, CVE-2019-2725)

The various critical remote code execution vulnerabilities that reside in

Oracle WebLogic Servers allow unauthorized attacker to remotely execute

arbitrary code, and affect numerous applications and web enterprise portals

using the servers. This year alone cyber criminals have exploited the Oracle

WebLogic Server vulnerabilities including the newly discovered one, which

has been patched this April, to deliver the Sodinokibi ransomware as well as

the Satan ransomware, and to install Monero Cryptomining malware.106,107,108

EXIM MAIL SERVER REMOTE CODE EXECUTION VULNERABILITY

(CVE-2019-10149)

A significant vulnerability disclosed this year targets the popular MTA soft

ware Exim. An attacker can easily exploit this vulnerability by sending a

crafted packet to the victim’s server, leveraging insufficient validation in

the recipient’s email address. Successful exploitation can result in the

execution of arbitrary commands. This year we have witnessed a significant

amount of exploitation attempts in the wild, as new malware strains have

abused this newly discovered vulnerability in order to install cryptomining

software on targeted servers.109

Interestingly, according to Check Point global attack sensors, throughout 2019,

85% of the attacks observed leveraged vulnerabilities registered in 2017 and earlier.

106 “Crooks Exploit Oracle WebLogic Flaw to Deliver Sodinokibi Ransomware,” by Pierluigi Paganini, Security Affairs, May 1 2019

107 “The Satan Ransomware Adds New Exploits to its Arsenal,” by Pierluigi Paganini, Security Affairs, May 22 2019

108 “CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner,” by Mark Vicente, Johnlery Triunfante, and Byron Gelera, Trend Micro, June 10 2019

109 “New Pervasive Worm Exploiting Linux Exim Server Vulnerability,” by Amit Serper and Mary Zhao, Cyber Reason, June 13, 2019

52

Figure 28: Exploited CVEs by Year

53

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

7

CHAPTER 7

54

RE VIE W OF 2019 CYBER THRE AT PREDICTIONS

CLOUD

We expected to see threat actors targeting

specific company departments and employees,

also known as spear phishing, in order to reap

more lucrative rewards. The growing popularity of

public cloud environments has led to an increase

of cyber attacks targeting resources and sensitive

data residing within these platforms. While more

organizations move to the cloud, awareness that

they are still responsible for the security of data held

there is still lagging.

Following the 2018 trend, practices such as

misconfiguration and poor management of cloud

resources remained the most prominent threat to the

cloud ecosystem in 2019 and, as a result, subjected

cloud assets to a wide array of attacks. This year,

misconfiguring cloud environments was one of the

main causes for a vast number of data theft incidents

experienced by organizations worldwide.

55

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

In April, more than half a billion records of Facebook’s users were exposed

by a third party on unprotected Amazon cloud servers. Misconfigured Box.com

accounts leaked terabytes of extremely sensitive data from many companies,

and in another case sensitive financial information of 80 million Americans

hosted on a Microsoft cloud server was exposed online. Besides information

theft, threat actors intentionally abused the different cloud technologies for

their computing power.

So far this year, cloud cryptomining campaigns stepped up, upgraded their

technique set and were capable of evading basic cloud security products,

abusing hundreds of vulnerable exposed Docker hosts and even shutting

down competitors’ cryptomining campaigns operating in the cloud.

In addition, in 2019 Check Point researchers witnessed an increasing number

of exploitations against public cloud infrastructures. A vulnerability in SoftNAS

Cloud platform discovered in March may have allowed attackers to bypass

authentication and gain access to a company’s web-based admin interface and

then run arbitrary commands.110 Furthermore, a new type of attack vector,

dubbed Cloudborne, demonstrated that hardware re-provisioned to new

customers could retain backdoors that can be used to attack future users of

the compromised system.

110 Untitled, by Digital Defense Inc., SoftNAS Cloud Zero-Day Blog

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

56

NETWORK

The infamous cryptominers remained a prevalent

malware type in 2019’s threat landscape. This is

despite the shutdown of the notorious drive-by

mining service ‘CoinHive’ this March, which led

to a decrease in the popularity of cryptominers

among threat actors. As a result, and in order

to remain prevalent in 2019, threat actors have

been adopting a new approach regarding

cryptominers, aiming at more rewarding

targets than consumer PC’s and designing more

robust operations. Among the new victims one

can find corporations, factories, powerful

servers and even cloud resources. And if

that was not enough, we have even seen them

integrating cryptominers as part of a DDoS

botnet for side-profits.

KEY FINDINGS OF THE 2019

CLOUD SECURITY REPORT111

• The top four public cloud vulnerabilities: the

leading vulnerabilities cited by respondents

were unauthorized cloud access (42%),

insecure interfaces (42%), misconfiguration

of the cloud platform (40%), and account

hijacking (39%).

• The leading operational cloud security

headaches: security teams struggle with a

lack of visibility into cloud infrastructure

security and compliance (67% in total).

Setting consistent security policies across

cloud and on premise environments and a

lack of qualified security staff tie for third

place (31% each).

• Legacy security tools are not designed for

public clouds: 66% of respondents said their

traditional security solutions either don’t work

at all, or only provide limited functionality in

cloud environments.

• Security challenges inhibit cloud adoption:

the biggest barriers to wider public cloud

adoption cited by respondents are data

security (29%), risk of compromise (28%),

compliance challenges (26%) and a lack of

experience and qualified security staff (26%).

111 “Cloud Security Challenges, Solutions, and Trends,” Check Point Software Technologies LTD, 2019

THREAT ACTORS HAVE

BEEN ADOPTING A NEW

APPROACH REGARDING

CRYPTOMINERS, AIMING AT

MORE REWARDING TARGETS

THAN CONSUMER PC’S AND

DESIGNING MORE ROBUST

OPERATIONS. AMONG THE

NEW VICTIMS ONE CAN FIND

CORPORATIONS, FACTORIES,

POWERFUL SERVERS AND

EVEN CLOUD RESOURCES.

57

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

IOT

For enterprises IoT devices will remain the

weakest link in security and we predict that

more attacks will make use of them as their

point of entry as well as being targets in and

of themselves. This is due to them being

harder to secure while being adopted into the

corporate infrastructure at an increasing rate,

thus enlarging the attack surface. A recent

industry study reveals: 67% of enterprises have

experienced an IoT security incident.112 From

smart TV’s, IP cameras, and smart elevators,

to hospital infusion pumps and industrial PLC

controllers, IoT and OT (Operational Technology)

devices are inherently vulnerable and easy

to hack. Many of these devices come with

out-of-the-box security flaws such as weak

or hardcoded passwords, misconfigurations in

the operating system, and known vulnerabilities

(CVEs). Their inherent security weaknesses

and the fact that they are poorly protected made

IoT devices an attractive target for bad actors.

112 “State of Enterprise IT Security in North America: Unmanaged and Secured,” Armis, 2019

DNS Attacks target one of the most important mechanisms that govern the internet – the

Domain Name System (DNS). The DNS is in

charge of resolving domain names into their

corresponding IP addresses and it is a crucial

part of the internet’s trust chain. Such attacks

target DNS providers, name registrars, and

local DNS servers belonging to the targeted

organization and are based on the manipulation

of DNS records. DNS takeovers can compromise

the whole network and enable multiple attack

vectors: control of email communications,

redirection of victims to a phishing site, and

more. One of the biggest advantages DNS

attacks provide is the option to issue legitimate

looking certificates by Certificate Authorities

which rely on DNS to verify that you are the

legitimate holder of the domain in question.

The growing popularity of DNS attacks pushed

the Department of Homeland Security and the

Internet Corporation for Assigned Names and

Numbers (ICANN) to issue official warnings of

a significant risk to this key component of the

Internet infrastructure. Large incidents involving

DNS attacks include attacks on government and

internet and telecommunications infrastructure,

as depicted in the recent DNSpionage and

SeaTurtle campaigns.

67% OF ENTERPRISES

HAVE EXPERIENCED

AN IOT SECURITY

INCIDENT

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

58

As seen in the recent cyber operations against

Iran,113 following attacks on Saudi Arabia’s oil

facilities, this prediction found reality and will

continue to do so moving forward. Another

angle can be seen back in March 2019, when

Amnesty International published a report that

uncovered a targeted attack against journalists

and human rights activists in Egypt.114 The

victims even received an e-mail from Google

warning them that government-backed attackers

attempted to steal their passwords. According

to the report, the attackers did not rely on

traditional phishing methods or credential-

stealing payloads, but rather utilized a stealthier

and more efficient way of accessing the victims’

inboxes: a technique known as “OAuth Phishing”.

By abusing third-party applications for popular

mailing services such as Gmail or Outlook, the

attackers manipulated victims into granting

them full access to their e-mails. Check Point

research traced these cyberattacks on Egyptian

activists to government.

113 “Exclusive: U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials,” by Idrees Ali, Reuters, October 15, 2019

114 “Phishing attacks using third-party applications against Egyptian civil society organizations,” by Amnesty International, March 6, 2019

Hackers are continually looking for ways to

exploit device vulnerabilities so they can

attack the devices themselves or better use

them as an entry point to the corporate net-

work. IP cameras can be used to spy on users,

medical devices can be shut down, and critical

infrastructure (such as power grid controllers)

can be taken over to generate colossal damage.

The risk is high and enterprises across different

industries are exposed.

NATION-STATE

In the last few years governments have become

highly concerned about cyber threats targeting

critical infrastructures, such as power grids.

As a result, many countries have formed

entities such as CERTs. While we have yet to

see non-state actors use cyber attacks to inflict

mass damage and even loss of life, nation-states

will most certainly continue and increase their

use of cyber warfare. Critical infrastructure

will continue to be a target of choice, though

international cyber espionage will offer greater

rewards for those who manage to successfully

carry it out and greater losses for those who fail

to protect against it.

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

CHAPTER 8

8

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

60

RECOMMENDATIONS TO PRE VENT THE NE X T CYBER AT TACK

CHOOSE PREVENTION OVER DETECTION

Organizations that stress the prevention of unknown,

zero-day threats can win the cyber security battle.

Attacks from unknown threats pose critical risks

to businesses, and unfortunately, they’re also the

hardest to prevent. That’s why many businesses

resort to detection-only protection. Some rely on

event monitoring and threat hunting by Security

Operations Center (SOC) teams to detect them

after breaching their systems. But this is a far

less effective strategy. The strategic imperative

for organizations is to prevent cyber attacks before

they breach enterprise systems.

Traditional cyber security vendors often claim that

attacks will happen, and that there’s no way to avoid

them. They claim the only thing left to do is to invest in

technologies that detect the attack once it has already

breached the network, and mitigate the damages as

soon as possible. This is untrue. Not only can attacks

be blocked, but they can be prevented, including

zero-day attacks and unknown malware. With the right

technologies in place, the majority of attacks, even

the most advanced ones can be prevented without

disrupting the normal business flow.

61

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

KEEP YOUR THREAT INTELLIGENCE UP TO DATE To prevent zero-day attacks, organizations first

need incisive, real-time threat intelligence that

provides up-to-minute information on the newest

attack vectors and hacking techniques. Threat

intelligence must cover all attack surfaces

including cloud, mobile, network, endpoint, and

IoT, because these vectors are commonplace in

an enterprise. Attack vectors continually evolve

to exploit vulnerabilities on these platforms.

In the constant fight against malware, threat

intelligence and rapid response are vital

capabilities. To maintain business operations,

you need comprehensive intelligence proactively

stop threats, management of security services

to monitor your network, and incident response to

quickly respond to and resolve attacks. Malware

is constantly evolving, making threat intelligence

an essential tool for almost every company to

consider. When an organization has financial,

personal, intellectual, or national assets, a more

comprehensive approach to security can protect

you against today’s sophisticated attacks. And

one of the most effective proactive security

solutions available today is threat intelligence.

LEVERAGING A COMPLETE UNIFIED ARCHITECTURE Without a consolidated solution, companies need

a long list of security tools to address all possible

attack vectors. This approach can be needlessly

complex, expensive, and ineffective. Building

security using a patchwork of single-purpose

products from multiple vendors usually fails.

It results in disjointed technologies that don’t

collaborate and create security gaps. It can also

introduce a huge overhead of working with multiple

systems and vendors. As a result, many attacks

are not prevented, forcing organizations to invest

more on post-infection and breach mitigation.

In order to achieve comprehensive security,

companies should adopt a unified multi-layer

approach that protects all IT elements – networks,

endpoint, cloud, and mobile. Sharing the same

prevention architecture, threat intelligence,

and management can more effectively protect

your organization.

ONE OF THE MOST EFFECTIVE

PROACTIVE SECURITY

SOLUTIONS AVAILABLE TODAY

IS THREAT INTELLIGENCE.

34% OF CYBER-ATTACKS

ARE PERPETRATED BY

INSIDERS, MAKING IT CLEAR

THAT LEGACY SECURITY

INFRASTRUCTURES,

CHARACTERIZED WITH

FLAT NETWORKS, ARE

DANGEROUSLY INEFFECTIVE.

CHAPTER 9

63

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

ZERO TRUST NE T WORKS: BEST PR ACTICES

TO “DIVIDE AND RULE” YOUR NETWORK

Zero Trust security is no longer just a concept.

It has become an essential security strategy that

helps organizations protect their valuable data in a

“perimeter-everywhere” world. Implementing Zero

Trust Networks, the key principle of the Zero Trust

security model, is crucial in preventing malicious

lateral movement within the network.

Today, 34% of cyber-attacks are perpetrated by

insiders115 making it clear that legacy security

infrastructures, characterized with flat networks, are

dangerously ineffective. Using stolen credentials and

compromised devices, hackers have managed to gain

privileged access, move laterally within enterprise

networks, and steal valuable data for months, without

being detected. As evidence of this, 1.76 billion records

were leaked in January 2019 alone.116

115 “Zero Trust Networks to the Rescue,” by Dana Katz, Check Point Blog

116 “Zero Trust Networks: Best Practices to ‘Divide and Rule’ Your Network,” by Dana Katz, Check Point Blog, 2019

https://www.checkpoint.com/solutions/zero-trust-security/ https://blog.checkpoint.com/2019/07/24/what-is-zero-trust-security-and-why-should-you-care/ https://blog.checkpoint.com/2019/07/24/what-is-zero-trust-security-and-why-should-you-care/

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

64

• Map data flows among all entities across your

network, including:

1. North-bound traffic, such as sales teams

accessing Salesforce.com via managed

devices on the corporate network only.

2. East-West traffic, such as from a frontend

web portal to backend servers.

3. South-bound traffic, such as from the

website backend server to Google Analytics

via the internet.

• Group assets with similar functionalities

and sensitivity levels into the same

micro-segment. For example, all R&D internal

assets, such as source code and ticket

management system.

• Deploy a segmentation gateway, whether

virtual or physical, to achieve control over

each segment.

• Define a “least privilege” access policy to each

of these assets, for example, allowing each

R&D group to access only their own team’s

source code.

Tip: Find the right balance between the granularity

of the segmentation and the number of perimeters

or micro-segments that can effectively and

efficiently be managed.

Zero Trust Networks is about having the ability

to “Divide and Rule” your network in order to

reduce the risk of lateral movement. The key

idea is to create a network segmentation by

placing multiple inspection points within the

network to block malicious or unauthorized

lateral movement; so in the event of a breach,

the threat is easily contained and isolated.

The best practice is to create a very granular

segmentation by defining “least privileged”

access control strategy; where user/system

can gain access only to the resources that they

are meant to use. For example, an access to

source code should be granted only to R&D team

members. This way only the absolute minimum,

legitimate traffic between segments is allowed,

while everything else is automatically denied.

BEST PRACTICES FOR ZERO TRUST NETWORKS

• Identify the data and assets that are valuable

to the organization, e.g. the customer database,

source code, smart building management

systems, etc.

• Classify the level of sensitivity of each asset –

such as ‘highly restricted,’ e.g. the customer

database, ‘restricted,’ e.g. the HR portal, which

is open to all employees, including the level

of sensitivity of public assets, such as the

corporate website.

https://www.checkpoint.com/solutions/zero-trust-security/

65

CHECK POINT SOF T WARE SECURIT Y REPORT 2020

COVER ALL ATTACK VECTORS

Mail or message

Send a mail or text message with a malicious

attachment or a malicious link.

Web browsing

Compromise the user’s browser (typically

through exploit kits) or trick a user to download

and open a malicious file.

Server and systems exploitation

Infect by exploiting unpatched vulnerabilities in

any online host.

Mobile apps

One of the most common sources for compromising

mobile devices is through mobile apps.

External storage

Physically mounted drives allow malicious files

to enter without even traversing the network.

PHISHING

A fraudulent attempt to obtain sensitive

information such as usernames, passwords

and credit card details by disguising oneself

as a trustworthy person. To achieve effective

coverage, organizations should seek a single

solution that can cover all attack surfaces

and vectors. One solution that provides broad

prevention across all attack surfaces, including

mail, web browsing, systems exploitation,

external storage, mobile apps and more.

MAINTAIN SECURITY HYGIENE PATCHING

All too often, attacks penetrate by leveraging

known vulnerabilities for which a patch exists

but has not been applied. Organizations should

strive to make sure up-to-date security patches

are maintained across all systems and software.

SEGMENTATION

Networks should be segmented, applying

strong firewall and IPS safeguards between the

network segments in order to contain infections

from propagating across the entire network.

REVIEW

Security products’ policies must be carefully

reviewed, and incident logs and alerts should

be continuously monitored.

AUDIT

Routine audits and penetration testing should

be conducted across all systems.

PRINCIPLE OF LEAST PRIVILEGE

User and software privileges should be kept to

a minimum – is there really a need for all users

to have local admin rights on their PCs?

S E

C U

R IT

Y R

E P

O R

T 20

20 |

C H

E C

K P

O IN

T

YOUR CYBER SECURIT Y BAT TLE IS WON

Or lost, depending on how well you can prevent

unknown, zero-day threats. Organizations need to

adopt a proactive battle plan to stay ahead of cyber-

criminals and prevent attacks, not merely detect and

remediate them. Relying on remediation can have

devastating consequences to any organization, as once

the malware was able to penetrate an IT surrounding –

in many occasions this means infection that will spread

in seconds and will be merely impossible to get rid

of. Organizations today should assume that they will

eventually be compromised at some point. Even if an

organization is equipped with the most comprehensive,

state-of-the-art security products, the risk of being

breached cannot be completely eliminated. Detecting

and automatically blocking the attack at an early stage

can prevent damage.

To win the cyber security battle, companies need strong

threat intelligence, threat prevention technology, and

a consolidated security architecture that protects all

attack vectors.

S E

C U

R IT

Y R

E P

O R

T 20

20 |

C H

E C

K P

O IN

T

APPENDIX MALWARE FAMILY DESCRIPTIONS

68

SECURIT Y REPORT 2020

AgentTesla

AgentTesla is an advanced RAT which functions as a keylogger and

password stealer and has been active since 2014. AgentTesla can monitor

and collect the victim’s keyboard input, system clipboard, and can record

screenshots and exfiltrate credentials belonging to a variety of software

installed on a victim’s machine (including Google Chrome, Mozilla Firefox

and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate

RAT with customers paying between $15 - $69 for user licenses.

AndroidBauts

AndroidBauts is an Adware targeting Android users that exfiltrates IMEI,

IMSI, GPS Location and other device information and allows the installation

of third party apps and shortcuts on mobile devices.

Anubis

Anubis is a banking Trojan malware designed for Android mobile phones.

Since its initial detection, it has gained additional functions including Remote

Access Trojan (RAT) functionality, keylogger, audio recording capabilities and

various ransomware features. It has been detected on hundreds of different

applications on the Google Store.

Azorult

AZORult is a Trojan that gathers and exfiltrates data from the infected system.

Once the malware is installed on a system (typically delivered by an exploit

kit such as RIG), it can send saved passwords, local files, crypto-wallets, and

computer profile information to a remote C&C server. The Gazorp builder,

available on the Dark Web, allows anyone to host an Azorult C&C server with

moderately low effort.

69

SECURIT Y REPORT 2020

Bitpaymer

Bitpaymer is a ransomware that was involved in high profile targeted

attacks. Usually delivered as the final stage after a successful intrusion and

reconnaissance by the Dridex gang. Targets mostly mid-large businesses,

demands high ransoms, and even after paying, it had a low data recovery

success rate due to errors in the decryption tool.

BottleEK

Named after the playful image presented to potential victims, the Bottle

Exploit Kit is specifically targeted at Japan. Using extensive browser and

environment enumeration, BottleEK makes sure the target is Japanese

before proceeding with an actual exploit attempt. Using CVE-2018-8174 and

CVE-2018-15982, it delivers custom malware, also specifically targeted at Japan.

Capesand EK

Capesand EK - Capesand exploit kit was first reported in October 2019.

It exploits vulnerabilities in Adobe Flash and Microsoft Internet Explorer

but is currently under development and new exploits are expected to be

added gradually.

Cerberus

Cerberus - Remote Access Trojan with specific banking screen overlay

functions for Android devices, first seen in the wild in June 2019. Cerberus is

operated in a Malware as a Service model, filling the void created following

the discontinuation of banking Trojans like Anubis and Exobot. Cerberus has

features like SMS control, key-logging, audio recording, location tracking

and more.

70

SECURIT Y REPORT 2020

Coinhive

Crypto Miner designed to perform online mining of Monero cryptocurrency

when a user visits a web page without the user’s approval. The implanted JS

uses great computational resources of the end users machines to mine coins,

thus impacting its performance.

Cryptoloot

A JavaScript cryptominer, designed to perform online mining of Monero

cryptocurrency when a user visits a web page without the user’s approval.

The implanted JS uses great computational resources of the end users

machines to mine coins, thus impacting its performance.

Danabot

Danabot is a banking Trojan written in Delphi that targets the Windows

platform. While originally targeting Australian users via spam, the targeting

has shifted to additional targets globally. Besides displaying fake banking

websites, it also capable of stealing browser passwords and cryptocurrency

wallets, as well as execution of additional malware like ransomware.

DarkGate

Darkgate is a multifunction malware active since December 2017 combining

ransomware, credential stealing, RAT and cryptomining abilities. Targeting

mostly windows OS, DarkGate employs a variety of evasion techniques.

Dridex

Dridex is a Trojan that targets the Windows platform. This malware is

reportedly downloaded by an attachment found in spam emails. This malware

identifies itself with a remote server by sending out information about the

infected system. Furthermore, it can download and execute arbitrary

modules received from the remote server.

71

SECURIT Y REPORT 2020

Emotet

Emotet is an advanced, self-propagate and modular Trojan. Emotet once

used to employ as a banking Trojan, and recently is used as a distributer

to other malware or malicious campaigns. It uses multiple methods for

maintaining persistence and evasion techniques to avoid detection. In

addition, it can also be spread through phishing spam emails containing

malicious attachments or links.

Eris Ransomware

Eris ransomware was first spotted in May 2019, being delivered by the

Rig exploit kit. It appends the .ERIS suffix to encrypted files on the system,

and victims are instructed to contact the ransomware’s operators via email

with their unique Victim ID in order to receive payment instructions.

Fallout EK

Fallout Exploit Kit was first reported in February 2019 delivering GandCrab

ransomware and AZORult infostealer. Uncommon with exploit kits, Fallout

has been using PowerShell to run its payloads.

FormBook

FormBook is an Infostealer targeting Windows OS, first detected in 2016.

It is marketed in underground hacking forums for its strong evasion

techniques and relatively low price. FormBook harvests credentials from

various web browsers, collects screenshots, monitors and logs keystrokes,

and can download and execute files according to orders from its C&C.

72

SECURIT Y REPORT 2020

GandCrab

GandCrab is a RaaS malware (Ransomware as a Service). First discovered in

January 2018 it operated an “affiliates” program, with those joining paying

30%-40% of the ransom revenue to GandCrab and in return get full-featured

web panel and technical support. Estimations are that it affected over 1.5

million windows users before retiring and halting its activities in mid-2019.

Decryption tools exist to all GandCrab versions.

Glupteba

Glupteba is a backdoor known since 2011 which gradually matured into a

botnet. By 2019 it included a C&C address update mechanism through public

bitcoin lists, an integral browser stealer capability and a router exploiter.

Guerrilla

Guerrilla is an Android Trojan found embedded in multiple legitimate

apps and is capable of downloading additional malicious payloads.

Guerrilla generates fraudulent ad revenue for the app developers.

Gustuff

Gustuff is an Android banking Trojan introduced in 2019, and capable of

targeting customers of over 100 leading international banks, users of

cryptocurrency services, and popular ecommerce websites and market-

places. In addition, Gustuff can also phish credentials for various other

Android payment and messaging apps, such as PayPal, Western Union, eBay,

Walmart, Skype and others. Gustuff employs various evasion techniques

including using the Android Accessibility Service mechanism to bypass

security measures used by banks to protect against older generation of

mobile Trojans.

73

SECURIT Y REPORT 2020

Hawkeye

Hawkeye is an infostealer malware, designed primarily to steal users’

credentials from infected Windows platforms and deliver them to a C&C

server. In the past years, Hawkeye has gained the ability to take screenshots,

spread via USB and more in addition to its original functions of email and

web browser password stealing and keylogging. Hawkeye is often sold as a

MaaS (Malware as a Service).

Hiddad

Android malware which repackages legitimate apps, and then release them

to a third-party store. Its main function is displaying ads, however it is also

able to gain access to key security details built into the OS.

IcedID

IcedID is a banking Trojan which first emerged in September 2017, and

usually uses other well-known banking Trojans to empower its spread

potential, including Emotet, Ursnif and Trickbot. IcedID steals user financial

data via both redirection attacks (installs local proxy to redirect users to

fake-clone sites) and web injection attacks (injects browser process to

present fake content overlaid on top of the original page).

Hummer

Hummer, also known as Hummingbad, is an Android adware generating

revenue through advertisement display and application downloading on to

infected mobile platforms. First identified in early 2016 it reached its peak

by the end of the year. The threat group behind the malware is the Yingmob

Chinese advertising analytics company.

JSEcoin

Web-based Crypto miner designed to perform online mining of Monero

cryptocurrency when a user visits a web page without the user’s approval.

The implanted JavaScript uses great computational resources of the end

users’ machines to mine coins, thus impacting the performance of the system.

74

SECURIT Y REPORT 2020

KingMiner

KingMiner is a Monero cryptomining malware which targets Windows servers

to exploit their resources. It was first reported in June 2018 and employs a

verity of evasion techniques to bypass emulators and detection methods.

LockerGoga

LockerGoga ransomware was first seen in the wild towards the end of

January 2018, while targeting heavy industry companies. It appears that the

threat actors behind the attack invest time and efforts in choosing the victims

and are working to launch the attack in perfect timing and against critical

assets. The attack usually involves encryption of Active Directory server and

endpoints, in order to leave no alternative other than paying the ransom.

Using a combination of AES-256 and RSA makes the encryption very solid,

however, a poor code design, makes the encryption process very slow.

Lokibot

LokiBot is an infostealer with versions for both Windows and Android OS.

It harvests credentials from a variety of applications, web browsers, email

clients, IT administration tools such as PuTTY and more. LokiBot has been

sold on hacking forums and believed to have had its source code leaked thus

allowing for a range of variants to appear. It has been first identified in

February 2016. Since late 2017 some Android versions of LokiBot include

ransomware functionality in addition to their infostealing capabilities.

Lord EK

LordEK is an Exploit Kit that was first discovered in August 2019. Only utilizing

one vulnerability, CVE-2018-15982, it’s not the most advanced Exploit Kit on

the market, but it still manages to take a bite of the bigger players’ market

MageCart

Magecart is a type of attack in which malicious JavaScript code is injected

into e-commerce websites and third-party suppliers of such systems in

order to steal payment details.

75

SECURIT Y REPORT 2020

Mirai

Mirai is a famous Internet-of-Things (IoT) malware that tracks vulnerable

IoT devices, such as web cameras, modems and routers, and turns them into

bots. The botnet is used by its operators to conduct massive Distribute Denial

of Service (DDoS). Mirai botnet first surfaced on September 2016 as quickly

made headlines due to some large-scale attacks among which are a massive

DDoS attack used to knock the entire country of Liberia offline, and a DDoS

attack against the Internet infrastructure firm Dyn, which provides a signifi-

cant portion of the United States internet’s backbone.

MobiDash

MobiDash is a stealthy Android Adware. Displays pop-up advertisements,

and is very hard find and uninstall from the device. Surfaced around 2015,

and continues to spread to date.

Usually waits three days before starting to show ads, and can be avoided by

not allowing apps from unknown sources.

NanoCore

NanoCore RAT, is a modular Remote Access Trojan targeting Windows

users, with features like keystrokes collection, password stealing and even

cryptocurrency mining. It is being sold on underground forums and observed

in large scale malspam campaigns.

Necro

Necro is an Android Trojan Dropper. It was found inside the CamScanner app

from Google Play and was installed more than 100 million times. Capable of

downloading other malware, showing intrusive ads and stealing money by

charging paid subscriptions. It is assumed that the Necro Dropper was added

by advertisers and not by the actual app developers, and was cleaned from

Google Play and from the following versions of CamScanner.

76

SECURIT Y REPORT 2020

njRAT

One of the oldest Remote Access Trojans on the market, njRat has been used

by many different threat actors. From state-sponsored Chinese hacking

groups to script-kiddies spying on their friends, the ease of access and ease

of use of this tool means we’ll most likely be seeing it for years to come.

Among its abilities you will find keylogging, remote code execution, password

stealing, and even spying via the infected machine’s webcam and microphone.

NRSMiner

NSRMiner is a cryptominer that surfaced around November 2018, and was

mainly spreading in Asia, specifically Vietnam, China, Japan and Ecuador.

After the initial infection, it uses the famous EternalBlue SMB exploit to

propagate to other vulnerable computers in internal networks and eventually

starts mining the Monero (XMR) Cryptocurrency.

Phorpiex

The Phorpiex (aka Trik) botnet has been active for almost a decade and is

currently comprised of more than 500,000 infected hosts. Known for

distributing other malware families via spam campaigns as well as fueling

large scale Sextortion campaigns.

PurpleFox

PurpleFox started its way as a file-less rootkit, being spread to thousands of

victims by Rig Exploit Kit. However, it seems the malware authors were not

keen on paying the middleman to infect new hosts. PurpleFox has evolved and

is now being spread using its own drive-by download platform.

77

SECURIT Y REPORT 2020

Radio EK Radio Exploit Kit is very simplistic. Using the tried-and-proven Proof-of-Concept

code for CVE-2016-0189, it is mostly observed in Japan, delivering AZORult.

Ramnit

Ramnit is a banking Trojan which incorporates lateral movement capabilities.

Ramnit steals web session information, giving the worm operators the ability

to steal account credentials for all services used by the victim, including bank

accounts, corporate and social networks accounts.

RigEK

The most veteran of currently operating exploit kits, RigEK has been around

since mid-2014. Its services being offered on hacking forums and the TOR

Network. Some “entrepreneurs” are even re-selling low-volume infections

for those malware developers not yet big enough to afford the full-fledged

service. Currently using CVE-2018-8174, but has gone through many changes

over the years to deliver anything from AZORult and Dridex to little-known

ransomwares and cryptominers.

RubyMiner

RubyMiner is a Cryptocurrency miner that targets Linux and Windows

servers. It was found exploiting old Ruby on Rails and PHP vulnerabilities

in unpatched websites to mine Monero (XMR), using the legitimate XMRig

crypto mining tool.

78

SECURIT Y REPORT 2020

Ryuk

A ransomware used in targeted and well-planned attacks against several

organizations worldwide. The ransomware’s technical capabilities are

relatively low, and include a basic dropper and a straight-forward encryption

scheme. Nevertheless, the ransomware was able to cause a severe damage the

attacked organizations, and led them to pay extremely high ransom payments

of up to 320,000 USD in Bitcoin. Unlike the common ransomware, systematically

distributed via massive spam campaigns and exploit kits, Ryuk is used

exclusively for tailored attacks. Its encryption scheme is intentionally built

for small-scale operations, such that only crucial assets and resources are

infected in each targeted network with its infection and distribution carried out

manually by the attackers. Indeed, the malware encrypts files store on PCs,

storage servers and data centers.

Sodinokibi

Sodinokibi is a ransomware-as-a-service which operate an “affiliates” program

and first spotted in the wild in 2019. Sodinokibi encrypts data in the user’s

directory and delete shadow copy backups in order to make data recovery more

difficult. Moreover, Sodinokibi affiliates use various tactics to spread it - through

spam and server exploits, as well as hacking into managed service providers (MSP)

back ends, and through malvertising campaigns redirect to the RIG exploit kit.

Spelevo EK

The Spelevo Exploit Kit started its operations in March 2019. Initially

leveraging CVE-2018-15982, it has evolved into using social engineering as

an additional vector of infection. Spelevo is being used to spread malware

such as IcedID, Dridex, and Ursnif. Also of note is Spelevo’s use of domain

shadowing as an additional layer of misdirection.

79

SECURIT Y REPORT 2020

Trickbot

Trickbot is a Dyre variant that emerged in October 2016. Since its first

appearance, it has been targeting banks mostly in Australia and the U.K,

and lately it has started appearing also in India, Singapore and Malesia.

Ursnif

Ursnif is banking Trojan that targets the Windows platform. It is usually

spread through exploit kits - Angler and Rig, each at its time. It has the

capability to steal information related to Verifone Point-of-Sale (POS)

payment software. It contacts a remote server to upload collected

information and receive instructions. Moreover, it downloads files on the

infected system and executes them.

Wannamine

WannaMine is a sophisticated Monero crypto-mining worm that spreads

exploiting the EternalBlue exploit. WannaMine implements a spreading

mechanism and persistence techniques by leveraging Windows Management

Instrumentation (WMI) permanent event subscriptions.

xHelper

xHelper is an Android malware, which mainly shows intrusive popup ads and

notification spam. Very hard to remove once installed due to its reinstallation

capabilities. First observed in March 2019, xHelper has now Infected more than

45,000 devices. The attackers used web-redirects to pages hosting android apps

containing xHelper, and explanations on how to install unofficial Android apps.

XMRig XMRig is open-source CPU mining software used for the mining process of

the Monero cryptocurrency, and first seen in-the-wild on May 2017.

Zeus

Zeus is a widely distributed Windows Trojan which is mostly used to steal banking

information. When a machine is compromised, the malware sends information

such as the account credentials to the attackers using a chain of C&C servers.

CONTACT US WORLDWIDE HEADQUARTERS

5 Ha’Solelim Street, Tel Aviv 67897, Israel Tel: 972-3-753-4555 | Fax: 972-3-624-1100

Email: info@checkpoint.com

U.S. HEADQUARTERS

959 Skyway Road, Suite 300, San Carlos, CA 94070 Tel: 800-429-4391 | 650-628-2000 | Fax: 650-654-4233

UNDER ATTACK? Contact our Incident Response Team:

emergency-response@checkpoint.com

CHECK POINT RESEARCH PODCAST Tune in to cp<radio> to get CPR’s latest research,

plus behind the scenes and other exclusive content. Visit us at https://research.checkpoint.com/category/cpradio/

WWW.CHECKPOINT.COM

©2020 Check Point Software Technologies Ltd. All rights reserved 2020.

OLE_LINK3 OLE_LINK4 OLE_LINK98 OLE_LINK99 OLE_LINK102 OLE_LINK101 OLE_LINK103 OLE_LINK313 OLE_LINK110 OLE_LINK44 OLE_LINK12 OLE_LINK13 OLE_LINK21 OLE_LINK36 OLE_LINK75 OLE_LINK85 OLE_LINK128 OLE_LINK87 OLE_LINK273 OLE_LINK88 OLE_LINK37 OLE_LINK107 OLE_LINK80 OLE_LINK84 OLE_LINK245 OLE_LINK2 OLE_LINK76 OLE_LINK91 OLE_LINK94 OLE_LINK78 OLE_LINK109 OLE_LINK39 OLE_LINK43 OLE_LINK55 OLE_LINK46 OLE_LINK69 OLE_LINK130 OLE_LINK131 OLE_LINK23 OLE_LINK113 OLE_LINK100 OLE_LINK70 OLE_LINK125 OLE_LINK47 OLE_LINK122 OLE_LINK48 OLE_LINK123 OLE_LINK120 OLE_LINK121 OLE_LINK112 _ftnref2 _ftnref1 _GoBack


Item Type: pdf