Check Point Research:Trickbot肆虐香港 攻擊Windows平台
網絡安全解決方案供應商 Check Point軟件技術有限公司的威脅情報部門Check Point Research發布了2021年2月最新版《全球威脅指數》報告。研究人員報告稱,Trickbot木馬從1月份指數排行榜的第三位首次升上至榜首。
加上,Check Point Research發現有數百次針對全球組織所利用漏洞的嘗試與影響 Microsoft Exchange Server 的四個零日漏洞有關。 僅在過去的 72 小時內,CPR 觀察到利用漏洞而進行嘗試的次數便增加了 5 倍以上。
香港2月份主要惡意軟件
以下是香港2月份首10個惡意軟件。
- Emotet是本月份最活躍的惡意軟件,影響了全球3%的組織,緊隨其後的是XMRig和Qbot,它們亦影響了全球3%的組織。
- 「Web Server Exposed Git 儲存庫訊息洩露」是本月份最常被利用的漏洞,影響全球 48% 的組織,其次是「HTTP 標頭遠程代碼執行 (CVE-2020-13756)」,影響全球 46% 的組織。「MVPower DVR遠端代碼執行」在最常被利用的漏洞排行榜中位列第三,全球影響了45%。
- Hiddad 在本月的最普遍流動惡意軟件中位第一,緊隨其後的是xHelper和FurBall。
Check Point產品威脅情報與研究總監Maya Horowitz表示:「犯罪分子將繼續使用現有的威脅手段和工具,Trickbot是因它的多功能性及以往的攻擊戰果而變得流行。正如我們估計,即便有一個重大的威脅被消除,亦會有很多其他威脅繼續對全球網絡構成高風險,因此組織必須確保採用強大的安全系統來防止其網絡遭到入侵,並將風險降至最低。對所有員工進行全面培訓是非常重要,這樣他們才能夠掌握所需技能,從而準確識別傳播Trickbot 及其他惡意軟件的惡意電子郵件類型。」
Microsoft Exchange Server漏洞
繼披露了目前影響Microsoft Exchange Server的四個零日漏洞後,Check Point Research (CPR) 公佈了對這些利用漏洞而進行嘗試的最新全球觀察結果。
- CPR發現有數百次針對全球組織所利用漏洞的嘗試。僅在過去的72小時內,CPR 觀察到利用漏洞而進行嘗試的次數便增加了5倍以上。
- 遭受攻擊最多的國家是美國 (17%),其次是德國 (6%) 和英國 (5%)。
- 首當其衝的行業部門是政府/軍事部門 (27%),其次是製造業 (22%) 和軟件廠商 (9%)。
Check Point建議用戶進行補丁程序以預防攻擊和保障安全,將所有Microsoft Exchange伺服器更新為Microsoft提供的最新補丁版本。此更新不會自動進行,需要手動執行。
| 香港2月份主要惡意軟件 | |||
| 惡意軟件 | 簡介 | 影響全球機構百份比 | 影響香港機構百份比 |
| Trickbot | Trickbot is a modular Banking Trojan that targets the Windows platform, mostly delivered via spam campaigns or other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules: from a VNC module for remote control, to an SMB module for spreading within a compromised network. Once a machine is infected, the Trickbot gang, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack. | 3.17% | 7.65% |
| XMRig | First seen in the wild in May 2017, XMRig is an open-source CPU mining software used to mine Monero cryptocurrency. | 3.08% | 3.21% |
| Ramnit | Ramnit is a banking Trojan which incorporates lateral movement capabilities. Ramnit steals web session information, enabling the worm operators to steal account credentials for all services used by the victim, including bank accounts, corporate and social networks accounts. | 1.50% | 2.96% |
| Formbook | First detected in 2016, FormBook is an InfoStealer that targets the Windows OS. It is marketed as MaaS in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C. | 2.33% | 2.22% |
| Dridex | Dridex is a Banking Trojan that targets the Windows platform, observed delivered by spam campaigns and Exploit Kits, which relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control. | 1.59% | 1.98% |
| Parite | Parite is a polymorphic virus which infects executable files (EXE and SCR) on the infected host and on network drive. It drops a malicious DLL file into the Windows temporary directory which is injected into the explorer.exe process when an infected file is executed. | 0.56% | 1.98% |
| Turla | Turla is a Backdoor type malicious program that targets the Windows platform. The malware is designed to give malicious users remote control over an infected computer. | 0.83% | 1.48% |
| FurBall | FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017, and still active today. Among FurBall’s capabilities are stealing SMS messages, call logs, surround recording, call recording, media files collection, location tracking, and more. | 0.73% | 1.48% |
| Wannamine | WannaMine is a sophisticated Monero crypto-mining worm that spreads via the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence techniques by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. | 0.35% | 1.48% |
| Vtflooder | Vtflooder is a Bot agent that targets the Windows platform. The malware contacts a remote server to report its infection. It conducts DoS attack against VirusTotal by continuously uploading itself to it. | 0.27% | 1.23% |
