Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/11/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cryptominers Remain Top Threat but Coinhive's Exit Could Change That

Coinhive has remained on top of Check Point Software's global threat index for 15 straight months.

Cryptominers continue to dominate the malware landscape, just as they did all of 2018. But a decision by cryptocurrency mining service Coinhive to shut down last week could change that soon, security vendor Check Point Software said in its latest malware threat report, released Monday.

Coinhive has topped Check Point's global threat index for 15 straight months, including this February.

Coinhive's software is designed to give website owners a way to earn revenue by using the browsers of site visitors to mine for Monero cryptocurrency. The software itself — like many other cryptominers — is not malicious. However, cybercriminals have been using Coinhive extensively to surreptitiously mine for Monero on hacked websites, making it a top threat to website operators globally in the process. Many websites that have installed Coinhive also have done so without explicitly informing site visitors about it.

"For now, I assume that Coinhive's shutdown will only cause its disappearance from the top 10 list," says Maya Horowitz, threat intelligence and research director at Check Point. Other coin-mining tools will likely remain a threat or become more widely distributed as criminals start using those tools instead of Coinhive, she says. Check Point's report shows that at least two other coin miners — Cryptoloot and Authedmine — moved up in the top 10 malware rankings last month, compared with January 2019.

However, the declining values overall of major cryptocurrencies (such as Monero and bitcoin) could soon begin affecting the will of threat actors to use miners, Horowitz notes. This could result in fewer cryptomining attacks overall and a greater focus by threat actors on more lucrative targets such as scalable cloud environments. Attackers could also start "finding new, yet unknown, paths to monetize on their attacks," Horowitz says.

In a blog post last Friday, security vendor Avast said Coinhive's decision to discontinue its service is not entirely surprising given the declining value of cryptocurrencies and the fact that security vendors were routinely blocking the software because of misuse.

The big question now is whether or not browser-based cryptojacking will decline altogether or whether some other crypto tool will rise to replace Coinhive. "Ultimately, Coinhive going out of business is a good thing for security, privacy, and transparency," according to the Avast blog post.

Totally, five of top threats in Check Point's global index currently are cryptomining-related. The other threats in the index include the GandCrab ransomware tool and two banking Trojans that have been around for some time — Ramnit and Emotet.

According to Check Point, its researchers have observed several campaigns distributing a new version of GandCrab widely in Canada, Germany, Japan, and Australia. The new version incorporates a key encryption change that renders ineffective a decryption tool that was developed for previous versions of the malware, Check Point said. One reason for GandCrab's growing popularity is the fact that the ransomware is offered as a service and is thus easily available to attackers, Horowitz says.

Check Point's report also shows that the most actively targeted vulnerabilities last month were once again issues that were disclosed and patched some time ago. One of the vulnerabilities in February, for instance, was an information disclosure flaw in Open SSL (CVE-2014-0160; CVE-2014-0346) that was first disclosed and patched in 2014.

"Threat actors often use the least sophisticated solution that would work," Horowitz says. So as long as many users do not patch their servers for these vulnerabilities, they would keep exploiting them. "Our yearly security report demonstrates that only a third of the attacks during 2018 exploited vulnerabilities disclosed in 2017–2018," she says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
CVE-2019-9228
PUBLISHED: 2019-07-19
** DISPUTED ** An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A at least to 7.20A.252.062. The (1) management SSH and (2) management TELNET features allow remote attackers to cause a denial of service (connection slot e...
CVE-2019-12725
PUBLISHED: 2019-07-19
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
CVE-2019-11989
PUBLISHED: 2019-07-19
A security vulnerability in HPE IceWall SSO Agent Option and IceWall MFA (Agent module ) could be exploited remotely to cause a denial of service. The versions and platforms of Agent Option modules that are impacted are as follows: 10.0 for Apache 2.2 on RHEL 5 and 6, 10.0 for Apache 2.4 on RHEL 7, ...