Check Point: Cryptominers Increasingly Exploit Server Vulnerabilities

Check Point: Cryptominers Increasingly Exploit Server Vulnerabilities

Check Point analysts have released their April Global Threat Impact Index report, revealing that cybercriminals are increasingly exploiting unpatched server vulnerabilities for illegal cryptocurrency mining. For the fourth consecutive month, malicious cryptominers have dominated the top threats, according to the Check Point Global Threat Index. The Coinhive miner remains the most widespread malware globally, affecting 16% of organizations. Another miner, Cryptoloot, follows closely at 14%, while the malicious adware Roughted ranks third at 11%.

In Russia, Coinhive and Cryptoloot have an even greater reach: in April, these malware strains targeted 46% and 45% of organizations, respectively. Jsecoin, another cryptominer that enables mining through websites, climbed to third place in Russia with a 25% share among the most active threats.

Check Point researchers also note that since the beginning of the year, cybercriminals have increasingly exploited unpatched application server vulnerabilities for illegal cryptocurrency mining. Attacks on 46% of organizations worldwide exploited a vulnerability in Microsoft Windows Server 2003 (CVE-2017-7269), while 40% were targeted via a vulnerability in Oracle WebLogic (CVE-2017-10271).

β€œToday, hackers are trying to infiltrate networks by exploiting unpatched server vulnerabilities, so organizations should pay close attention to the critical role that timely software updates and patch installations play in corporate security,” said Maya Horowitz, Head of Threat Intelligence at Check Point Software Technologies. β€œThe fact that a huge number of organizations have been attacked through already known vulnerabilities is alarming, especially since patches have been available for more than six months. Given that over 40% of organizations worldwide have been affected by these attacks, it is crucial for businesses to implement a multi-layered cybersecurity strategy that protects against both known cyberattack families and new threats.”

Most Active Threats in April 2018

  • CoinHive β€” A miner designed to mine Monero cryptocurrency without the user’s knowledge when they visit websites.
  • Cryptoloot β€” A miner that uses the victim’s CPU or GPU resources for cryptocurrency mining, adding transactions to the blockchain and generating new currency.
  • Roughted β€” A large-scale malvertising campaign used to distribute malicious websites, exploit kits, and ransomware. It can target any platform or operating system and is capable of bypassing ad blockers to maximize reach.

Most Exploited Vulnerabilities in April 2018

  1. Buffer Overflow in Microsoft IIS WebDAV ScStoragePathFromUrl (CVE-2017-7269) β€” Attackers send a specially crafted request over the network to Microsoft Windows Server 2003 R2 via Microsoft Internet Information Services 6.0, allowing remote code execution or denial of service on the target server. This is mainly due to a buffer overflow vulnerability caused by improper handling of long headers in HTTP requests. A patch has been available since March 2017.
  2. Remote Code Execution in Oracle WebLogic WLS (CVE-2017-10271) β€” This vulnerability is related to how Oracle WebLogic handles XML file decoding. A successful attack can lead to remote code execution. A patch has been available since October 2017.
  3. SQL Injection β€” Website or application compromise by injecting arbitrary code into SQL queries, exploiting security flaws in application software. This method affected 16% of organizations worldwide.

Researchers note that this list demonstrates how attackers successfully use both modern techniques (two vulnerabilities published in 2017) and classic attack vectors such as SQL injection.

Leave a Reply