Check Point May Cyber Threat Index

Cybersecurity remains our top concern. Check Point Research (CPR), the threat intelligence arm of cybersecurity solutions provider Check Point, has released its cyber threat index for May. According to the report, Emotet, an advanced self-propagating modular Trojan, remains the most prevalent malware thanks to a surge in large-scale attack campaigns. This month, Snake Keylogger climbed to eighth place after a long absence from the index. Snake's main function is to record users' keystrokes and transmit the collected data to the attackers.

Snake Keylogger is usually spread through emails carrying docx or xlsx attachments with malicious macros, but the report notes that Snake Keylogger is now being distributed via PDF files. This may partly be because cybercriminals have had to look elsewhere and explore new file types such as PDF. This unusual delivery method has proven effective, because some people regard PDFs as inherently safer than other file types.

Researchers also disclosed a zero-day vulnerability in Microsoft Office which, when exploited through a malicious Word document, can achieve code execution on the victim's machine. The vulnerability, now known as "Follina", works as follows: the malicious Word document uses the remote template feature to retrieve an HTML file from a remote server, and that HTML then uses the ms-msdt MSProtocol URI scheme to execute PowerShell.

Emotet is affecting 8% of organizations worldwide, a slight increase on last month. The malware manages to evade detection, which makes it a highly flexible and profitable tool. Emotet's persistence also makes it difficult to remove once a device is infected, which is why it has become a favourite weapon of cybercriminals. Originally a banking Trojan, Emotet is usually spread through phishing emails and can deliver other malware, further increasing its destructive potential.

Check Point Research (CPR) releases the May Hong Kong cyber threat index

周秀雲, Check Point's General Manager for Hong Kong and Macau, said: "The recent Snake Keylogger and 'Follina' threat activity shows that everything you do online exposes you to the risk of a cyberattack, and opening any type of document is no exception. Viruses and malicious executable code can lurk in multimedia content and links, and once a user opens the PDF, the malware attack (in this case Snake Keylogger) is ready to go. So just as you would question the legitimacy of a docx or xlsx email attachment, you must treat PDF files with the same caution. On the other hand, in the 'Follina' case the vulnerability in theory also requires a malicious file to be opened; however, if the attacker uses Rich Text Format (RTF) combined with the Windows preview feature, the attack still works. In today's environment it is more important than ever for enterprises to have a robust email security solution that can quarantine and inspect attachments, preventing any malicious file from entering the network in the first place."

Hong Kong's Top 9 Malware List

The following list gives the main threats for May, together with Hong Kong's top 9 malware list.

  • This month, Emotet remains the top malware, affecting 8% of organizations worldwide, followed by Formbook and Agent Tesla, each affecting 2% of organizations worldwide.
  • This month, education/research was the most attacked sector worldwide, followed by government/military and Internet service providers/managed service providers (ISP/MSP).
  • This month, "Web Server Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 46% of organizations worldwide, closely followed by "Apache Log4j Remote Code Execution" with a global impact of 46%. "Web Server Exposed Git Repository Information Disclosure" ranked third with a global impact of 45%.
  • AlienBot was the most prevalent mobile malware this month, followed by FluBot and xHelper.

Hong Kong's Top Malware for May

Each entry gives the malware's description, the percentage of organizations affected globally, and the percentage of organizations affected in Hong Kong.

Emotet (global: 8.38%, Hong Kong: 12.53%)
Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and currently distributes other malware or malicious campaigns. Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection, and can be spread via phishing spam emails containing malicious attachments or links.

Fujacks (global: 0.96%, Hong Kong: 6.26%)
Fujacks is a worm capable of infecting other machines via Internet downloads, instant messaging software, or removable drives such as USB keys.

LokiBot (global: 2.18%, Hong Kong: 3.02%)
First identified in February 2016, LokiBot is a commodity infostealer with versions for both the Windows and Android OS. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY and more. LokiBot is sold on hacking forums and its source code is believed to have been leaked, allowing numerous variants to appear. Since late 2017, some Android versions of LokiBot include ransomware functionality in addition to their infostealing capabilities.

Ramnit (global: 1.46%, Hong Kong: 2.81%)
Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts and corporate and social network accounts. The Trojan uses both hardcoded domains and domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.

Lamer (global: 0.46%, Hong Kong: 2.59%)
Lamer is a Trojan that penetrates a PC's defences for malicious purposes such as stealing information while remaining unnoticed. Lamer spreads via malicious email spam or via a set of infection tools.

FormBook (global: 2.25%, Hong Kong: 1.73%)
FormBook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on orders from its C&C.

njRAT (global: 1.17%, Hong Kong: 1.08%)
njRAT is a remote access Trojan targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. njRAT infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives with the support of Command & Control server software.

XMRig (global: 1.85%, Hong Kong: 1.08%)
XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims' devices.

Vidar (global: 0.77%, Hong Kong: 1.08%)
Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
