Check Point has announced insights from its Global Threat Index for February 2024, shedding light on the cybersecurity landscape across Africa, with a particular focus on South Africa. The report reveals a concerning surge in cyber threats targeting websites and key industries, underlining the critical need for heightened cybersecurity measures. The top three African industries targeted in February were utilities, manufacturing and consultancies respectively.
FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems. Often ranked the most prevalent malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malicious software and despite efforts to stop it, it remains a significant threat to website security and user data. This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetizes the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.
“Websites are the digital storefronts of our world, crucial for communication, commerce, and connection,” stated Maya Horowitz, VP of Research at Check Point Software. “Defending them from cyberthreats isn’t just about safeguarding code; it is about protecting our online presence and the essential functions of our interconnected society. If cybercriminals choose to use them as a vehicle to covertly spread malware, that could impact future revenue generation and the reputation of an organization. It is vital to put preventative measures in and adopt a culture of zero tolerance to ensure absolute protection from threats”.
Key Findings from South Africa
Top Malware Families:
- FakeUpdates (SocGholish): A JavaScript downloader responsible for 7.30% of cyber threats in South Africa. This malware leads to further system compromise by deploying additional malware such as GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- Qbot (Qakbot): This multipurpose malware, detected in 3.51% of cases, first appeared in 2008. Qbot steals user credentials, records keystrokes, spies on banking activities, and deploys additional malware.
- AsyncRat: Targeting the Windows platform, AsyncRat sends system information to a remote server and executes commands, accounting for 2.16% of threats.
- Formbook: Detected in 1.89% of cases, Formbook is an Infostealer targeting Windows OS. It harvests credentials, collects screenshots, logs keystrokes, and executes commands from its C&C.
- Nanocore: Responsible for 1.35% of threats, Nanocore is a Remote Access Trojan targeting Windows users, offering functionalities such as screen capture and remote desktop control.
Emerging Threats
- Tepfer: A highly invasive trojan, Tepfer steals credentials and essential data, distributed through spam and phishing emails, representing 1.08% of threats.
- Glupteba: Known since 2011, Glupteba has evolved into a botnet with browser stealing capabilities, affecting 1.08% of cases.
- Injuke: Spread through phishing emails, Injuke encrypts information on victims’ PCs, demanding ransom for decryption (1.08%).
Noteworthy Trends
The report highlights the persistence of ransomware groups like Lockbit3 and the emergence of Play ransomware in the top three most sought-after ransomware groups.
Vulnerabilities in web servers, including directory traversal and command injection, remain highly exploitable, affecting 51% of organisations globally.
Also Read: Check Point Introduces Harmony SaaS for Prevention Against SaaS-Based Threats
Insights from Other African Countries
- In Kenya, FakeUpdates and Qbot emerged as prevalent threats, accounting for 20.81% and 22.15%, respectively.
- Ethiopia faced a significant threat from Floxif and Phorpiex, with infection rates reaching 32.26% and 29.03%, respectively.
- Nigeria experienced a surge in Qbot and FakeUpdates attacks, impacting 17.74% and 17.74% of cases, respectively.
- Botswana saw a rise in Zloader and Ursnif infections, with rates of 15.79% and 15.79%, respectively.
- Zimbabwe faced a high prevalence of Qbot and FakeUpdates, affecting 50.00% and 25.00% of cases, respectively.
- Mozambique grappled with FakeUpdates and Tofsee, responsible for 11.11% and 3.70% of threats, respectively.
Top exploited vulnerabilities globally
Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 51% of organizations globally, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection” with a global impact of 50% respectively.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – There is a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the effected system.
Top Mobile Malwares Globally
Last month Anubis remained in first place as the most prevalent Mobile malware, followed by AhMyth and Hiddad.
- Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
- Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
Top-Attacked Industries Globally
Last month, Education/Research remained in first place in the attacked industries globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Maya Horowitz, VP of Research at Check Point Software, emphasized the urgent need for organizations to bolster their cybersecurity posture, given the evolving threat landscape. She urged proactive measures to safeguard against emerging threats and protect critical digital assets.
Also Read: A Look into Kenya’s Cyber Security Landscape with Check Point