Saturday, April 27, 2024
Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), an AI-powered, cloud-delivered cyber security platform provider, has published its Global Threat Index for January 2024.

Last month, researchers identified a new pervasive traffic distribution system (TDS) named VexTrio, which has aided over 60 affiliates through a network of more than 70,000 compromised sites. Meanwhile, LockBit3 was named the most prevalent ransomware group in a newly introduced ranking in the Index.

“Cybercriminals have evolved from mere hackers to architects of deception, and VexTrio is yet another reminder of how commercially-minded the industry has become,” said Maya Horowitz, VP of Research at Check Point Software. “To stay safe, individuals and organizations should prioritize regular cybersecurity updates, employ robust endpoint protection, and foster a culture of vigilant online practices. By staying informed and proactive, we can collectively fortify our defenses against the evolving dangers posed by emerging cyber threats.”

For the first time, Check Point’s Index now includes a ranking of the most prevalent ransomware groups based on activity from more than 200 shame sites. Last month, LockBit3 was the most prevalent ransomware group, responsible for 20% of the published attacks. They took responsibility for some notable incidents in January, including an attack on the sandwich chain Subway and Saint Anthony Hospital in Chicago.

Both Rwanda and Ghana were targeted by this group. In Africa, the government and military sectors remain the most impacted, followed by communications and utilities. Education remained the most impacted industry worldwide.

Among African countries, Ethiopia ranked highest for malware attacks, at third in the world, followed by Uganda (10th), Nigeria (12th), Kenya (16th), Angola (17th), Morocco (18th) and Mauritius (24th). South Africa ranks 68th among the most targeted countries in the world.

Active since at least 2017, VexTrio collaborates with dozens of associates to spread malicious content through a sophisticated TDS. Because it is structured like a legitimate marketing affiliate network, VexTrio’s activity is hard to distinguish from ordinary ad traffic, and despite being active for more than six years the scale of its operations has gone largely unnoticed: little of it can be tied to a specific threat actor or attack chain. Its extensive network and advanced operations make it a considerable cybersecurity risk.

Additionally, Check Point Research (CPR) revealed that the most exploited vulnerability globally is “Command Injection Over HTTP,” affecting 44% of organisations, followed by “Web Servers Malicious URL Directory Traversal” impacting 41%, and “HTTP Headers Remote Code Execution” with a global impact of 40%.

The report indicates that FakeUpdates was the most prevalent malware last month, impacting 4% of organisations worldwide, followed by Qbot with a global impact of 3%, and Formbook with a global impact of 2%.

According to the report, Anubis, a banking Trojan designed for Android mobile phones, remained in first place as the most prevalent mobile malware, followed by AhMyth, a Remote Access Trojan (RAT) discovered in 2017, and Hiddad, an Android malware that repackages legitimate apps and then releases them to a third-party store. Hiddad’s main function is to display ads, but it can also gain access to key security details built into the OS.

The top-attacked industries globally were Education/Research, followed by Government/Military and Healthcare.

Regarding top ransomware groups, the report features information derived from almost 200 ransomware “shame sites” operated by double-extortion ransomware groups, 68 of which posted the names and information of victims this year. Cybercriminals use these sites to add pressure on victims who do not pay the ransom immediately. The data from these shame sites carries its own biases but still provides valuable insights into the ransomware ecosystem, which is currently the number one risk to businesses.

Last month, LockBit3 was the most prevalent ransomware group, responsible for 20% of the published attacks, followed by 8Base with 10% and Akira with 9%.

  1. LockBit3 – LockBit3 is a ransomware operating in a RaaS model, first reported in September 2019. LockBit3 targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.
  2. 8Base – The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using a variety of ransomware variants, with Phobos being a common element. 8Base operates with a level of sophistication, evidenced by its use of advanced techniques in its ransomware. The group’s methods include double extortion tactics.
  3. Akira – Akira ransomware, first reported at the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom and ChaCha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.

Val Lukhanyu
I cover technology news, startups, business and gadget reviews