August 2019’s Most Wanted Malware: Echobot Launches Widespread Attack Against IoT Devices

SAN CARLOS, Calif., Sept. 12, 2019 (GLOBE NEWSWIRE) -- Check Point Research, the Threat Intelligence arm of (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for August 2019. The Research team is warning organizations of a new variant of the Mirai IoT Botnet, Echobot, which has launched widespread attacks against a range of IoT devices. First seen in May 2019, Echobot has exploited over 50 different vulnerabilities, causing a sharp rise in the ‘Command Injection Over HTTP’ vulnerability which has impacted 34% of organizations globally.

August has also seen the Emotet botnet’s offensive infrastructure becoming active again, after it shut down its services two months ago. Emotet was the biggest botnet operating in the first half of 2019. Although no major campaigns have been observed as yet, it is likely that it will be used to start spam campaigns soon.

“Echobot was first seen in mid-May, and as a new variant of the notorious Mirai IoT Botnet it’s important to note the sharp increase in exploitations, as it is now targeting over 50 different vulnerabilities. Echobot has impacted 34% of companies around the world, which shows how vital it is for organizations to ensure all patches and updates for their networks, software and IoT devices are applied,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. 

August 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

This month XMRig keeps leading the top malware list, followed by Jsecoin, both with a global impact of 7%. Dorkbot is in the third place, impacting 6% of organizations worldwide.

1.    ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in-the-wild on May 2017.

2.    ↔ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. JSEcoin can run directly in users’ browsers in exchange for an ad-free experience, in-game currency and other incentives. 

3.    ↔ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

August’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent Mobile malware, followed by AndroidBauts and Triada.

1.    Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

2.    AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.

3.    Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, helping them to embed into system processes. Triada has also been seen spoofing URLs in the browser.

August’s ‘Most Exploited’ vulnerabilities:

This month, SQL Injection techniques retain first place in the top exploited vulnerabilities list, closely followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, both impacting 39% of organizations globally. On third place MVPower DVR Remote Code Execution vulnerability with a global impact of 38% of organizations worldwide.

1.   ↔ SQL Injection (several techniques) – Inserts an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application's software.

2.   ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability that exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3.   ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

The complete list of the top 10 malware families in August can be found on the .

Check Point’s Threat Prevention Resources are available at: 

Follow Check Point Research via:

Blog:

Twitter:

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. () is a leading provider of cyber security solutions to governments and corporate enterprises globally. Check Point’s solutions protect customers from 5^th generation cyber-attacks with an industry leading catch rate of malware, ransomware and advanced targeted threats. Check Point offers a multilevel security architecture, “Infinity Total Protection with Gen V advanced threat prevention”, this combined product architecture defends an enterprises’ cloud, network and mobile devices. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.