網絡安全解決方案供應商 Check Point 發佈其最新 9 月份網絡威脅指數。Check Point Research 指出,在肆虐三個月後,本於 8 月跌至第二位的 Trickbot,現已重返榜首。
Trickbot 是一種銀行木馬,可竊取財務資訊、帳戶登錄憑證及個人身份資訊,並在網路中傳播和投放勒索軟件。自 1 月份 Emotet 遭到打擊以來,Trickbot 木馬便變流行起來。同時,遠端存取木馬 njRAT 首次躋身榜單前十位,取代了不再活躍的 Phorpiex。
早前,本港一間營銷公司遭受勒索軟件攻擊。調查發現是 REvil 勒索軟件衝擊了該公司的數據庫,並取得客戶資料。
Check Point 香港及台灣技術總監 Kev Hau 表示:「雖然 REvil 網站運作已中斷,但勒索軟件的犯罪份子可能正在計劃更創新的技術及策略,如「三重勒索」,不單向機構中索取贖金,更會威脅其客戶、用家及其他業務合作夥伴。由於每次攻擊都涉令更多受害者,因此必須以特別的保安策略應對。」
以下是有關 9 月份的重點簡介。列表上提供了香港9月份首10個惡意軟件,如欲查看全球的排名列表,請瀏覽Check Point網誌。
- Trickbot 是最猖獗的惡意軟件,波及到全球 4 %的機構,其次是 Formbook 和 XMRig,兩者均影響了全球 3% 的機構。
- 「Web Server Exposed Git儲存庫資訊洩露」是最常被利用的漏洞,全球 44% 的機構因此受害,其次是「HTTP載荷命令列注入」,影響了全球 43% 的機構。「HTTP 標頭遠端代碼執行」在最常被利用的漏洞排行榜中位列第三,全球影響範圍同為 43%。
- xHelper 仍位列最猖獗的移動惡意軟體榜首,其次是 AlienBot 和 FluBot。
| 香港 9 月份主要惡意軟件 | |||
| 惡意軟件 | 簡介 | 影響全球機構百份比 | 影響香港機構百份比 |
| Trickbot | Trickbot is a modular Botnet and Banking Trojan that targets the Windows platform, mostly delivered via spam campaigns or other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules: from a VNC module for remote control, to an SMB module for spreading within a compromised network. Once a machine is infected, the Trickbot gang, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack. | 4.09% | 9.44% |
| Ramnit | Ramnit is a banking Trojan which incorporates lateral movement capabilities. Ramnit steals web session information, enabling the worm operators to steal account credentials for all services used by the victim, including bank accounts, corporate and social networks accounts. | 1.62% | 3.86% |
| AgentTesla | AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses. | 2.59% | 2.79% |
| Formbook | First detected in 2016, FormBook is an InfoStealer that targets the Windows OS. It is marketed as MaaS in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C. | 3.14% | 2.58% |
| Tofsee | Tofsee is a backdoor Trojan, operating since at least 2013. Tofsee serves as a multipurpose tool that can conduct DDoS attacks, send spam emails, mine cryptocurrencies, and more. | 2.01% | 2.36% |
| XMRig | First seen in the wild in May 2017, XMRig is an open-source CPU mining software used to mine Monero cryptocurrency. | 2.87% | 1.93% |
| WannaMine | WannaMine is a sophisticated Monero crypto-mining worm that spreads via the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence techniques by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. | 0.31% | 1.29% |
| Mirai | Mirai is a well-known Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distribute Denial of Service (DDoS) attacks. The Mirai botnet first appeared in September 2016 and quickly made headlines, due to large-scale attacks which included a massive DDoS attack that knocked the entire country of Liberia offline, and a DDoS attack against the internet firm Dyn, which provides a significant portion of the US internet infrastructure. | 0.60% | 1.07% |
| Njrat | NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged on 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. njRAT infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software. | 1.00% | 1.07% |
| Antavmu | Antavmu is a Trojan that targets the Windows platform. This malware communicates with remote servers to receive instructions or download other malware. | ||
