Vulnerability in OpenDreamBox 2

20160817_chkp_graphic

Singapore, @mcgallen #microwireinfo,  August 14, 2019 – Check Point Research, the Threat Intelligence arm ofCheck Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for July 2019. The Research team is warning organisations of a new vulnerability discovered in the OpenDreamBox 2.0.0 WebAdmin Plugin that has impacted 32% of organisations globally in the last month.

The vulnerability, ranked the 8th most exploited vulnerability, enables attackers to execute commands remotely on target machines. The exploit was triggered alongside other attacks targeting IoT devices – in particular with the MVPower DVR Remote Code Execution (the third most popular exploited vulnerability in July) which is also known to be related to the notorious Mirai botnet.

July also saw a major decrease in the use of Cryptoloot, as it fell to tenth in the top malware list, from third in June 2019.

“Threat actors are quick to try and exploit new vulnerabilities when they emerge, before organisations have had the chance to patch them, and the OpenDreamBox flaw is no exception.  Even so, it’s surprising that nearly a third of organisations have been impacted.  This highlights how important it is that organisations protect themselves by patching such vulnerabilities quickly,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

“The sharp decline in the use of Cryptoloot is also interesting.  It has dominated the top malware list for the past year and a half, and was ranked the second most common malware variant seen in the first half of 2019, impacting 7.2% of organisations worldwide.  We believe the decline is linked to its main competitor, Coinhive, closing its operations earlier in 2019.  Threat actors are relying on alternative crypto-mining malware such as XMRig and Jsecoin.”

July 2019’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
XMRig is leading the top malware list, impacting 7% of organisations around the world. Jsecoin and Dorkbot had a global impact of 6% respectively.

  1. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
  2.  ↔ Jsecoin – Jsecoin is a JavaScript miner that can be embedded in websites. With JSEcoin, users can run the miner directly in their browser in exchange for an ad-free experience, in-game currency and other incentives.
  3. ↑ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

July’s Top 3 ‘Most Wanted’ Mobile Malware:
In July, Lotoor was the most prevalent Mobile malware, followed by AndroidBauts and Piom – two new malware families in the top mobile malware list.

  1. Lotoor – Hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
  2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
  3. Piom – Adware which monitors the user’s browsing behaviour and delivers unwanted advertisements based on the users web activities.

July’s ‘Most Exploited’ vulnerabilities:
SQL Injection techniques continue to lead the top exploited vulnerabilities list, impacting 46% of organisations around the world. In second place is the OpenSSL TLS DTLS Heartbeat Information Disclosure with a global impact of 41%, closely followed by the MVPower DVR Remote Code Execution, which impacted 40% of organization worldwide.

  1.   SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  2. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server. 
  3. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

The complete list of the top 10 malware families in July can be found on the Check Point Blog:  https://blog.checkpoint.com/2019/08/08/july-2019s-most-wanted-malware-vulnerability-in-opendreambox-2-0-0-webadmin-plugin-enables-attackers-to-execute-commands-remotely/

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html
About Check Point Research 
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally.  Check Point’s solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and advanced targeted threats. Check Point offers a multilevel security architecture, “Infinity Total Protection with Gen V advanced threat prevention”, this combined product architecture defends an enterprises’ cloud, network and mobile devices. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organisations of all sizes.

###