MENU

Echobot launches widespread attack against IoT devices

September 27, 2019 • Security, Top Stories

Echobot launches widespread attack against IoT devices

Check Point’s researchers also report the Emotet botnet has been reactivated.

Check Point Research has published its latest Global Threat Index for August 2019. The Research team is warning organisations of a new variant of the Mirai IoT Botnet, Echobot, which has launched widespread attacks against a range of IoT devices.

First seen in May 2019, Echobot has exploited over 50 different vulnerabilities, causing a sharp rise in the ‘Command Injection Over HTTP’ vulnerability which has impacted 34 per cent of organisations globally.

August has also seen the Emotet botnet’s offensive infrastructure becoming active again, after it shut down its services two months ago. Emotet was the biggest botnet operating in the first half of 2019. Although no major campaigns have been observed as yet, it is likely that it will be used to start spam campaigns soon.

“Echobot was first seen in mid-May, and as a new variant of the notorious Mirai IoT Botnet it’s important to note the sharp increase in exploitations, as it is now targeting over 50 different vulnerabilities. Echobot has impacted 34 per cent of companies around the world, which shows how vital it is for organisations to ensure all patches and updates for their networks, software and IoT devices are applied,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

August Risk Ranking

Check Point’s Global Threat Index ranks countries based on monthly data. According to the report, Nigeria has a risk ranking on 31, with Kenya not far behind at 35, followed by South Africa with a risk ranking of 56.

The Global Threat Index also provides the normalised risk index for each of the selected countries, with Nigeria’s risk sitting at 65 per cent, followed by Kenya at 64 per cent, and South Africa with a normalised risk index of 52 per cent.

August 2019’s Top 3 ‘Most Wanted’ Malware:
The arrows relate to the change in rank compared to the previous month.
This month XMRig keeps leading the top malware list, followed by Jsecoin, both with a global impact of 7 per cent. Dorkbot is in third place, impacting 6 per cent of organisations worldwide.
In Kenya, XMRig had a country impact of 26 per cent, followed by Nigeria with an impact of 20 per cent, and lastly South Africa sitting at 10 per cent. Jsecoin had a country impact of 23 per cent in South Africa, with Kenya close behind at 21 per cent and Nigeria 17 per cent, As for Dorkbot, Nigeria had an impact of 26 per cent, followed by Kenya at 24 per cent and South Africa 18 per cent.

1. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in-the-wild in May 2017.
2. ↔ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. Jsecoin can run directly in users’ browsers in exchange for an ad-free experience, in-game currency and other incentives.
3. ↔ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

August’s Top 3 ‘Most Wanted’ Mobile Malware:
This month Lotoor is the most prevalence Mobile malware, followed by AndroidBauts and Triada.

Kenya felt the effects of Lotoor, with a country impact of 13 per cent, followed by Nigeria with an impact of 12 per cent and South Africa 5 per cent. AndroidBauts had a country impact of 4 per cent in South Africa and did not feature on Nigeria or Kenya’s ‘most wanted’ list

1. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information, and allows the installation of third-party apps and shortcuts on mobile devices.
3. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, helping them to embed into system processes. Triada has also been seen spoofing URLs in the browser.

August’s ‘Most Exploited’ vulnerabilities:
This month, SQL Injection techniques retain first place in the top exploited vulnerabilities list, closely followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, both impacting 39 per cent of organisations globally. In third place was MVPower DVR Remote Code Execution vulnerability with a global impact of 38 per cent of organisations worldwide.

1. SQL Injection (several techniques) – Inserts an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.

2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability that exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3. MVPower DVR Remote Code Execution – A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites and identifies millions of malware types daily.

Edited by Fundisiwe Maseko
Follow Fundisiwe Maseko on Twitter
Follow IT News Africa on Twitter

Comments

comments


Comments are closed.

« »