iPhones see 400% increase in cryptomining malware

Researchers at Check Point detected a near-400% increase in crypto-mining malware attacks against iPhones. The surge was seen in the last two weeks of September, when attacks against users of the Safari browser also rose significantly. These attacks used the Coinhive mining malware, which has been at the number one position in the Index since December 2017, having emerged one year ago in September 2017.

Crypto-mining continues to be the dominant threat facing organisations across the world. The attacks on Apple devices are not using any new functionalities. The reason behind the increase is not yet known, but serves to remind us that mobile devices are an often-overlooked element of an organisation’s attack surface. It’s critical that mobile devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.

Coinhive now impacts 19% of organisations worldwide, and once again crypto miners dominated the threat index. Meanwhile, Dorkbot – the trojan that steals sensitive information and launches denial-of-service attacks, remained in second place with a global impact of 7%.

September 2018’s Top 10 ‘Most Wanted’:

(The arrows relate to the change in rank compared to the previous month.)

↔ Coinhive – Crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses a great deal of the computational resources of end users’ machines to mine coins, and may crash the system.

↔ Dorkbot- the worm designed to allow remote code execution as well as downloading an additional malware to the infected system.

↑ Cryptoloot – Crypto-miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a lower percentage of revenue from websites.

↔ Andromeda – A modular bot used mainly as a backdoor to deliver additional malware on infected hosts that can be modified to create different types of botnets.

↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

↑ Roughted – Large-scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilises ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.

↓ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in-the-wild on May 2017.

↔ Conficker – A worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.

↑ Emotet – Emotet is a Trojan that targets the Windows platform. This malware sends out system information to multiple control servers and can download configuration files and other components. It, reportedly, targets customers of certain banks and hooks various APIs to monitor and log network traffic. The malware creates a Run key registry entry in order to get started after system reboots.

Once again, Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organi sations’ mobile estates followed by the Lotoor and Triada.

September’s Top 3 ‘Most Wanted’ mobile malware:

Lokibot – Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed.

Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

Check Point researchers also analysed the most exploited cyber vulnerabilities. CVE-2017-7269 is the most popular exploited vulnerability for the 7th consecutive with global impact of 48% of organisations. In second place w CVE-2016-6309 with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection impacting 42% of organisations.

September’s Top 3 ‘Most Exploited’ vulnerabilities:

↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.

↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.

↑ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.