July 2019’s Most Wanted Malware: Vulnerability in OpenDreamBox 2.0.0 WebAdmin Plugin Enables Attackers to Execute Commands Remotely

In July, a new vulnerability in the OpenDreamBox 2.0.0 WebAdmin Plugin that has impacted 32% of organizations globally in the last month, was discovered.

The vulnerability, ranked the 8th most exploited, enables attackers to execute commands remotely on target machines. It was often triggered along with other IoT attacks – most commonly the MVPower DVR Remote Code Execution (the third most popular exploited vulnerability in July), which is also known to be related to the notorious Mirai botnet. The fact that so many organizations have been impacted by a newly-discovered flaw shows how important it is that organizations protect themselves with regular patching cycles.

July also saw a major decrease in the use of Cryptoloot, as it fell to tenth in the top malware list, from third in June 2019.  Cryptoloot has dominated the top malware list for the past year and a half, and was ranked the second most common malware variant seen in the first half of 2019, impacting 7.2% of organizations worldwide.  We believe the decline is linked to its main competitor, Coinhive, closing its operations earlier in 2019.  Threat actors are simply turning to alternative crypto-mining malware such as XMRig and Jsecoin.

July 2019’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

XMRig is leading the top malware list, impacting 7% of organizations globally.  Jsecoin and Dorkbot had a global impact of 6% respectively.

  1. ↔ XMRig – XMRig is an open-source CPU mining software used for mining the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  2. ↔ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  3. ↑ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  4. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and  Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  5. ↑ Nanocore – NanoCore is a Remote Access Trojan, which feature base plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
  6. ↑ Agentesla – AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  1. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  2. ↓Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  3. ↔ Formbook – Formbook is infoStealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  4. ↓ Cryptoloot – Cryptoloot is crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new  currency. It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.

July’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent mobile malware, followed by AndroidBauts and Piom – two new malware families which have entered the top mobile malware list for the first time.

  1. Lotoor – Hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
  1. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
  1. Piom – Adware which monitors the user’s browsing behaviour and delivers unwanted advertisements based on the user’s web activities.

June’s ‘Most Exploited’ vulnerabilities:

SQL Injection techniques continue to lead the top exploited vulnerabilities list, impacting 46% of organizations around the world. In second place is the OpenSSL TLS DTLS Heartbeat Information Disclosure with a global impact of 41%, closely followed by MVPower DVR Remote Code Execution, which impacted 40% of organization worldwide.

  1. SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  1. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  1. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  2. Joomla Object Injection Remote Command Execution) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
  1. ↓ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  1. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  1. OpenDreamBox WebAdmin Plugin Remote Code Execution – A remote code execution vulnerability exists in OpenDreamBox WebAdmin Plugin . Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  1. D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  1. ↑ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.

The map below displays the risk index globally demonstrating the main risk areas and malware hotspots around the world.

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html