Government and military industry sectors in Africa remain the most impacted by malware attacks, followed by communications and utilities. Education remained the most impacted industry worldwide, according to the Global Threat Index for January 2024 by Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading AI-powered, cloud-delivered cyber security platform provider.
The researchers identified a new pervasive traffic distribution system (TDS) named VexTrio, which has aided over 60 affiliates through a network of more than 70,000 compromised sites.
African countries under attack
Meanwhile, LockBit3 was named the most prevalent ransomware group in a newly introduced ranking in the Index. Both Rwanda and Ghana were targeted by this group.
Ethiopia ranked third in the world for malware attacks, making it the most targeted African country, followed by Uganda (10th), Nigeria (12th), Kenya (16th), Angola (17th), Morocco (18th) and Mauritius (24th). South Africa ranks 68th among the most targeted countries in the world.
Active since at least 2017, VexTrio collaborates with dozens of associates to spread malicious content through a sophisticated TDS. Using a system similar to legitimate marketing affiliate networks, VexTrio’s activities are often hard to detect and, despite being active for more than six years, the scale of its operations has gone largely unnoticed. This is because there is little to tie it to specific threat actors or attack chains, making it a considerable cybersecurity risk due to an extensive network and advanced operations.
“Cybercriminals have evolved from mere hackers to architects of deception, and VexTrio is yet another reminder of how commercially-minded the industry has become,” said Maya Horowitz, VP Research at Check Point Software. “To stay safe, individuals and organisations should prioritise regular cybersecurity updates, employ robust endpoint protection, and foster a culture of vigilant online practices. By staying informed and proactive, we can collectively fortify our defences against the evolving dangers posed by emerging cyber threats.”
For the first time, Check Point’s Index now includes a ranking of the most prevalent ransomware groups based on activity from more than 200 shame sites. Last month, LockBit3 was the most prevalent ransomware group, responsible for 20% of the published attacks. They took responsibility for some notable incidents in January, including an attack on sandwich chain Subway and Saint Anthony Hospital in Chicago.
Additionally, CPR revealed that the most exploited vulnerability globally is “Command Injection Over HTTP,” affecting 44% of organisations, followed by “Web Servers Malicious URL Directory Traversal” impacting 41%, and “HTTP Headers Remote Code Execution” with a global impact of 40%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates was the most prevalent malware last month, impacting 4% of organisations worldwide, followed by Qbot with a global impact of 3% and Formbook with a global impact of 2%.
- ↑ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
- ↓ Formbook – Formbook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
Top exploited vulnerabilities
Last month, “Command Injection Over HTTP” was the most exploited vulnerability, impacting 44% of organisations globally, followed by “Web Servers Malicious URL Directory Traversal” with 41% and “HTTP Headers Remote Code Execution” with a global impact of 40%.
- ↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitise the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↑ HTTP Headers Remote Code Execution – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
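The directory traversal entry above comes down to a web server that maps a request URI onto its document root without first canonicalising it. The following Python is an added example (not Check Point's code and not tied to any of the listed CVEs) showing the two defender-side pieces: a scanner that flags traversal attempts in access-log lines, including URL-encoded and double-encoded variants, and a `safe_join` that performs the root-containment check the vulnerable servers lacked. The log lines, IP addresses and `/var/www/html` root are constructed sample data.

```python
"""Detect directory-traversal attempts in web access logs and map request
paths onto a document root safely. Added example; sample data is constructed."""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [15/Jan/2024:10:01:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [15/Jan/2024:10:01:09 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0
203.0.113.13 - - [15/Jan/2024:10:01:12 +0000] "GET /docs/%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 94
203.0.113.14 - - [15/Jan/2024:10:01:15 +0000] "GET /a/b/../c.txt HTTP/1.1" 200 10
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_uri_path(uri: str, rounds: int = 3) -> str:
    """Strip the query string, percent-decode repeatedly (catches %252e double
    encoding) and treat backslash as a separator. Dot segments are kept so the
    caller can see whether they climb above the root."""
    path = uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if the dot segments in `path` climb above the root at any point.
    A legitimate '/a/b/../c.txt' stays inside; '/x/../../etc/passwd' does not."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose canonical path escapes the root."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path = normalize_uri_path(m.group("uri"))
        if escapes_root(path):
            hits.append({"ip": m.group("ip"), "uri": m.group("uri"),
                         "path": path, "status": m.group("status")})
    return hits


def safe_join(web_root: str, request_path: str) -> Optional[str]:
    """Map a request path onto the document root; return None when the
    canonical result lies outside web_root. On a real filesystem, resolve
    symlinks (os.path.realpath) before the containment check as well."""
    root = posixpath.normpath(web_root)
    rel = normalize_uri_path(request_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {hit['ip']}: {hit['uri']} -> {hit['path']} ({hit['status']})")
    print(safe_join("/var/www/html", "/static/../../etc/passwd"))  # None
    print(safe_join("/var/www/html", "/a/b/../c.txt"))             # /var/www/html/a/c.txt
```

The scanner deliberately does not pattern-match on the literal string `../`: it decodes and walks the path the way a server would, so encoded and mixed-separator variants are caught and an in-bounds `..` is not reported as a false positive. A hit with a 200 status (the `win.ini` line) is the one worth triaging first, since it suggests the server actually served the file.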
Top Mobile Malwares
Last month, Anubis remained in first place as the most prevalent mobile malware, followed by AhMyth and Hiddad.
- Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
- Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
Top-Attacked Industries Globally
Last month, Education/Research remained in first place in the attacked industries globally, followed by Government/Military and Healthcare.
Top Ransomware Groups
This section features information derived from almost 200 ransomware “shame sites” operated by double-extortion ransomware groups, 68 of which posted the names and information of victims this year. Cybercriminals use these sites to add pressure on victims who do not pay the ransom immediately. The data from these shame sites carries its own biases but still provides valuable insights into the ransomware ecosystem, which is currently the number one risk to businesses.
Last month, LockBit3 was the most prevalent ransomware group, responsible for 20% of the published attacks, followed by 8Base with 10% and Akira with 9%.
- LockBit3 – LockBit3 is a ransomware family operating in a RaaS model, first reported in September 2019. LockBit3 targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.
- 8Base – The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using a variety of ransomware variants, with Phobos being a common element. 8Base operates with a level of sophistication, evidenced by its use of advanced techniques in its ransomware. The group’s methods include double extortion tactics.
- Akira – Akira ransomware, first reported at the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.
The complete list of the top ten malware families in January can be found on the Check Point blog.