July 2019’s Most Wanted Malware: Vulnerability In OpenDreamBox 2.0.0 WebAdmin Plugin Enables Attackers To Execute Commands Remotely

1340 0

Check Point’s researchers confirm that the vulnerability has impacted 32% of organizations globally in the last month 

Check Point Research has published its latest Global Threat Index for July 2019. The Research team is warning organizations of a new vulnerability discovered in the OpenDreamBox 2.0.0 WebAdmin Plugin that has impacted 32% of organizations globally in the last month.

The vulnerability, ranked the 8th most exploited vulnerability, enables attackers to execute commands remotely on target machines. The exploit was triggered alongside other attacks targeting IoT devices – in particular with the MVPower DVR Remote Code Execution (the third most popular exploited vulnerability in July) which is also known to be related to the notorious Mirai botnet.

July also saw a major decrease in the use of Cryptoloot, as it fell to tenth in the top malware list, from third in June 2019.

“Threat actors are quick to try and exploit new vulnerabilities when they emerge, before organizations have had the chance to patch them, and the OpenDreamBox flaw is no exception.  Even so, it’s surprising that nearly a third of organizations have been impacted.  This highlights how important it is that organizations protect themselves by patching such vulnerabilities quickly,” saidMaya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

“The sharp decline in the use of Cryptoloot is also interesting.  It has dominated the top malware list for the past year and a half, and was ranked the second most common malware variant seen in the first half of 2019, impacting 7.2% of organizations worldwide.  We believe the decline is linked to its main competitor, Coinhive, closing its operations earlier in 2019.  Threat actors are relying on alternative crypto-mining malware such as XMRig and Jsecoin.”

July 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

XMRig is leading the top malware list, impacting 7% of organizations around the world. Jsecoin and Dorkbot had a global impact of 6% respectively.

  1. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
  2. ↔ Jsecoin – Jsecoin is a JavaScript miner that can be embedded in websites. With JSEcoin, users can run the miner directly in their browser in exchange for an ad-free experience, in-game currency and other incentives.
  3.  ↑ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

July’s Top 3 ‘Most Wanted’ Mobile Malware:

In July, Lotoor was the most prevalent Mobile malware, followed by AndroidBauts and Piom – two new malware families in the top mobile malware list.

  1. Lotoor– Hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
  2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
  3. Piom – Adware which monitors the user’s browsing behaviour and delivers unwanted advertisements based on the users web activities.

July’s ‘Most Exploited’ vulnerabilities:

SQL Injection techniques continue to lead the top exploited vulnerabilities list, impacting 46% of organizations around the world. In second place is the OpenSSL TLS DTLS Heartbeat Information Disclosure with a global impact of 41%, closely followed by the MVPower DVR Remote Code Execution, which impacted 40% of organization worldwide.

  1.  SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  2. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. ↑ MVPower DVR Remote Code Execution– A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.


In this article