Check Point:Emotet仍是最猖獗惡意軟件
網絡安全解決方案供應商Check Point發佈其最新2月份網絡威脅指數。研究人員指出Emotet依然是最猖獗的惡意軟件,而Trickbot的排名則由第二位跌至第六位。Apache Log4j已不再是最常被利用的漏洞,而教育 / 研究行業依然是首要攻擊目標。
2021年,Trickbot曾七次出現在最猖獗的惡意軟件排行榜的榜首。然而,在過去數星期,Check Point Research (CPR) 沒有發現任何新的Trickbot攻擊活動,這可能是由於一些Trickbot成員加入了Conti勒索軟件組織,正如最近的Conti資料洩露事件所暗示的那樣。
利用俄烏衝突引誘下載惡意附件
本月,CPR發現網絡犯罪分子正利用俄羅斯 / 烏克蘭衝突來引誘用戶下載惡意附件,而2月份最猖獗的惡意軟件Emotet確實一直在這樣做,利用電郵附上惡意附件,引誘用戶下載。
隨著本港重新實施在家工作的政策,電郵和雲端對企業來說變得至關重要。如果您的企業使用Gmail,或者它是大型Google Workspace,您應該注意到,您的 Gmail 並不如您想像般阻止網絡攻擊。根據最近被Check Point Software收購的Avanan所發佈的攻擊簡報,發現在防止網絡釣魚電郵進入收件箱方面,Google的表現只是中規中距。以一個擁有500人的企業,用戶平均每天會看到大約20封電郵計算,Avanan的Threat Miss Calculator發現每月每個用戶有近3次Gmail錯過了的攻擊。
同時,根據NTT’s 2021 Hybrid Cloud Report,雲端技術繼續在香港的商業環境中發揮關鍵作用,本港企業中已有65.3%採用了雲端技術。隨著企業繼續採用雲端,Check Point的《2022年雲端安全報告》報告顯示,基於對775名網絡安全專業人員的調查,全球雲端安全事件比去年增加了10%,27%的企業將錯誤配置列為首要原因,遠遠超過洩露數據或帳戶洩露等問題。企業正在努力將安全融入 DevOps 週期,但45%的公司遭遇技術短缺問題。只有16%的受訪者表示已全面實施DevSecOps,37%的受訪者剛剛開始在雲端應用開發過程中實施 DevSecOps。
Check Point香港及台灣技術總監侯嘉俊表示:「惡意軟件繼續對我們的企業造成負面影響。最近,我們發現好幾個惡意軟件包括Emotet,利用公眾對俄羅斯/烏克蘭衝突的關注發起有關該主題的電郵攻擊活動,引誘用戶下載惡意軟件。請務必仔細檢查寄件人的電郵地址是否真實,注意電郵中的任何拼寫錯誤,除非您確定電郵是安全的,否則不要打開附件或點擊連結。」
以下列表提供香港2月份首10個惡意軟件,如欲查看更多詳情,請瀏覽Check Point網誌:
- Emotet依然是最猖獗的惡意軟件,全球5%企業受到波及,其次是Formbook和Glupteba,分別影響了3%和2%的企業。
- 教育/研究行業是全球首要攻擊目標,其次是政府/軍事部門和網絡服務供應商/託管服務供應商。
- 「Web Server Exposed Git儲存資訊洩露」是最常被利用的漏洞,影響全球46%的企業。其次是「Apache Log4j 遙距執行代碼」,從第一位跌至第二位,影響全球44%的企業。「HTTP 標頭遙距代碼執行」在最常被利用的漏洞排行榜中位列第三,影響全球41%範圍。
- XLoader位列手機惡意軟件榜首,其次是xHelper和AlienBot。
| 香港2月份主要惡意軟件 | |||
| 惡意軟件 | 簡介 | 影響全球機構 百份比 | 影響香港機構百份比 |
| Trickbot | Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack. | 1.56% | 6.41% |
| Ramnit | Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules. | 1.52% | 2.56% |
| AgentTesla | AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums. | 1.81% | 2.14% |
| Emotet | Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan, and currently distributes other malware or malicious campaigns. Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection and can be spread via phishing spam emails containing malicious attachments or links. | 5.16% | 2.14% |
| Formbook | FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C. | 3.21% | 2.14% |
| Antavmu | Antavmu is a Trojan that targets the Windows platform. This malware communicates with remote servers to receive instructions or download other malware. | 0.18% | 1.28% |
| Vidar | Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload. | 0.88% | 1.07% |
| Mytob | Mytob is a worm for the Windows platform. It spreads by exploiting the LSASS vulnerability (CVE-2003-0533, MS04-011) and via email messages. It also connects to an IRC channel to receive commands from its controllers. In addition, it restricts users from accessing websites belonging to common anti-virus product vendors. | 0.15% | 1.07% |
| GhOst | Backdoor.Win32.Ghost is a Backdoor type malicious program that targets the Windows platform. The malware is designed to give malicious users remote control over an infected computer. | 0.37% | 0.85% |
| Wannamine | WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions. | 0.28% | 0.85% |
