Fortinet’s weekly cyber threat round-up

Fortinet’s threat intelligence team, FortiGuard Labs, has used its global infrastructure of threat sensors, honeypots and collectors (which sees up to 50 billion threat events a day, the largest data set of any pure-play network security vendor) to recap this week’s biggest cyber threats.

Data from all of these sources is collected continuously and analysed by Fortinet’s worldwide team of analysts to produce a weekly recap of the incidents and threats plaguing organisations around the world.

Threat research and insights

BankBot, the prequel – For the past several weeks, FortiGuard Labs has been monitoring a new banking trojan targeting the Android platform, known as BankBot.


Given the pervasiveness of mobile devices, and the fact that Android is the most popular mobile OS, it is no surprise that mobile malware targeting Android is on the rise. Most of it is distributed through unofficial channels such as third-party app stores and sideloaded APKs. What is surprising here is that BankBot has also been spread through Google Play, an official store with its own vetting, so restricting users to the official store is not, on its own, a sufficient defence.

The current BankBot malware was built on top of an existing piece of malware first seen in December 2016, which was released publicly together with a DIY tutorial. That code is still online and available for anyone to download, which is why variants of it are spreading so widely.

Malware Activity

The Return of Locky – After several weeks of inactivity, Locky ransomware is back with a fresh wave of spam emails carrying malicious documents. The current campaign uses emails with a PDF attachment posing as a payment receipt for a variety of goods and services.


The PDF attachment contains an embedded malicious Word document. When the user lets the PDF open that document and enables its content, the document downloads an encrypted .txt file and decrypts it on the victim’s machine into the Locky executable, which is then run. Fetching the payload in encrypted form under a harmless-looking extension is a common way of slipping past content inspection at the network edge, so the PDF and the document are the stage at which this chain is easiest to catch.

Once the ransomware runs, Locky encrypts the victim’s files, appends the .OSIRIS extension to each encrypted file and sends routine status updates to its command-and-control servers. Unfortunately, as with previous variants, there is still no way to decrypt files encrypted by Locky without the attackers’ key; restoring from offline backups remains the only recovery path.
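The script below is an added example, not code from the original article or from FortiGuard Labs. It does a quick static triage of a PDF for the delivery chain described above: an embedded file, an Office document name and something that opens it without a click. The two sample PDFs are constructed for the example; the exportDataObject/nLaunch check covers the Acrobat JavaScript call that saves and opens an attachment, and whether this campaign used that call is not stated on the page.

```python
"""Added example: static triage of a PDF for an embedded Office lure.
Scans raw bytes only; see the compressed_streams flag for the caveat."""
import re

EMBEDDED_FILE = re.compile(rb"/EmbeddedFile")
# /F or /UF name in a /Filespec that points at an Office or RTF document
OFFICE_NAME = re.compile(
    rb"/U?F\s*\((?P<name>[^)]*\.(?:docm?|dotm?|xlsm?|rtf))\)", re.IGNORECASE)
# Anything that runs without a click: open actions, additional actions, JavaScript, Launch
AUTO_LAUNCH = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch)\b")
# Acrobat JS: exportDataObject with nLaunch 2 saves the attachment *and* opens it
# (assumption for this example, not a claim about the campaign on the page)
EXPORT_LAUNCH = re.compile(rb"exportDataObject\s*\(.*?nLaunch\s*:\s*2", re.DOTALL)
COMPRESSED = re.compile(rb"/FlateDecode")


def triage_pdf(data: bytes) -> dict:
    """Return the indicators found and a combined verdict."""
    result = {
        "embedded_file": bool(EMBEDDED_FILE.search(data)),
        "office_attachments": sorted(
            {m.group("name").decode("latin-1") for m in OFFICE_NAME.finditer(data)}),
        "auto_launch": sorted({m.group(1).decode() for m in AUTO_LAUNCH.finditer(data)}),
        "export_and_launch": bool(EXPORT_LAUNCH.search(data)),
        # keywords inside Flate-compressed object streams are invisible to a byte
        # scan: when this is True, inflate the streams (pdf-parser/peepdf) first
        "compressed_streams": bool(COMPRESSED.search(data)),
    }
    result["suspicious"] = (result["embedded_file"]
                            and bool(result["office_attachments"])
                            and (bool(result["auto_launch"]) or result["export_and_launch"]))
    return result


# Constructed lure: embedded receipt.docm plus an OpenAction that exports and opens it
LURE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
   /Names << /EmbeddedFiles << /Names [(receipt.docm) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (receipt.docm) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "receipt.docm", nLaunch: 2});) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign document: one compressed content stream, nothing embedded
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 /Filter /FlateDecode >> stream
...
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_pdf(doc))
```

The verdict deliberately requires all three parts of the chain, because an embedded file alone is common in legitimate PDFs (portfolios, invoices with XML attachments). Treat a True compressed_streams flag as "inconclusive" rather than "clean": real samples usually keep the catalog and actions inside object streams, so run the same checks on the inflated objects before trusting a negative result.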

Application Vulnerabilities / IPS

NTP Vulnerability Holds Steady – FortiGuard Labs has seen this IPS signature consistently among its top detections over the last few months.

Network Time Protocol (NTP) continues to confirm its role in DDoS attacks. NTP runs over UDP, which has no handshake, so an attacker can forge the source address of a request to be the victim’s. Certain NTP queries make a server return a reply far larger than the request, so the attacker sends many small spoofed requests to open servers and each server floods the victim with large replies: a reflection and amplification attack that needs very little bandwidth on the attacker’s side.


The NTP.Monlist.Command.DoS signature detects exploitation of the monlist command (a mode 7 request, code 42) in older versions of ntpd, which returns a list of up to the last 600 hosts that have talked to the server, spread across many reply packets. A single 48-byte request can draw well over 40 KB of replies, so an exposed server is both an amplifier and a leak of its client list. If you are running an NTP server, verify that it has been updated to a version in which monlist no longer exists (ntp 4.2.7p26 and later; the issue is tracked as CVE-2013-5211). Where an older build has to stay, add "disable monitor" to ntp.conf and make sure the default restrict line includes noquery, which refuses mode 6 and mode 7 queries from untrusted sources.
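The following block is an added example, not code from the article or from FortiGuard Labs. It builds the 48-byte mode 7 monlist probe that the signature above looks for, parses the reply pages an unpatched ntpd would send (using the info_monitor_1 entry layout from ntpd’s ntp_request.h), and measures the amplification. All reply packets are constructed in the script; the 48-byte probe layout and the 6-entries-per-packet paging are assumptions taken from common scanners and ntpd’s 500-byte data area. probe_monlist() is the only function that touches the network and is never called automatically.

```python
"""Added example: NTP mode-7 monlist probe, reply parser and amplification check."""
import socket
import struct

# Mode-7 ("private") 8-byte header, after ntpd's ntp_request.h:
#   byte 0: R(1) M(1) VN(3) MODE(3)     byte 1: AUTH(1) SEQ(7)
#   byte 2: implementation              byte 3: request code
#   bytes 4-5: ERR(4) NITEMS(12)        bytes 6-7: MBZ(4) ITEMSIZE(12)
HDR = "!BBBBHH"
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MON_ENTRY_SIZE = 72          # sizeof(struct info_monitor_1)
ENTRIES_PER_PACKET = 6       # 500-byte data area // 72 (assumption: ntpd paging)
MON_LIST_LIMIT = 600         # default size of ntpd's monitor list


def build_monlist_request() -> bytes:
    """The classic 48-byte probe: VN=2, mode 7, impl 3, req 42, zeroed data area."""
    return struct.pack(HDR, 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0) + b"\x00" * 40


def parse_mode7_header(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("packet shorter than a mode-7 header")
    b0, b1, impl, req, err_nitems, mbz_size = struct.unpack(HDR, pkt[:8])
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 7, "mode": b0 & 7, "sequence": b1 & 0x7F,
        "implementation": impl, "request_code": req,
        "error": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
        "itemsize": mbz_size & 0xFFF,
    }


def parse_monlist_entries(pkt: bytes) -> list:
    """Extract the client addresses a monlist reply leaks (info_monitor_1 layout)."""
    hdr = parse_mode7_header(pkt)
    if not (hdr["response"] and hdr["mode"] == 7 and hdr["request_code"] == REQ_MON_GETLIST_1):
        raise ValueError("not a monlist response")
    if hdr["error"]:             # hardened servers answer with an error code and no items
        return []
    out = []
    for i in range(hdr["nitems"]):
        item = pkt[8 + i * hdr["itemsize"]: 8 + (i + 1) * hdr["itemsize"]]
        if len(item) < MON_ENTRY_SIZE:
            break                # truncated packet
        (_last, _first, _restr, count, addr, _daddr, _flags,
         port, mode, version, v6_flag, _pad) = struct.unpack("!IIIIIIIHBBII", item[:40])
        client = (socket.inet_ntop(socket.AF_INET6, item[40:56]) if v6_flag
                  else socket.inet_ntoa(struct.pack("!I", addr)))
        out.append({"client": client, "count": count, "port": port,
                    "mode": mode, "version": version})
    return out


def make_monlist_response(entries, seq: int, more: bool) -> bytes:
    """Constructed reply page, laid out as an unpatched ntpd would send it."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack(HDR, b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(entries), MON_ENTRY_SIZE)
    body = b"".join(
        struct.pack("!IIIIIIIHBBII", 0, 0, 0, count,
                    int.from_bytes(socket.inet_aton(ip), "big"), 0, 0, 123, 3, 4, 0, 0)
        + b"\x00" * 32           # addr6/daddr6, unused for IPv4 entries
        for ip, count in entries)
    return hdr + body


def simulate_full_monlist(n_clients: int = MON_LIST_LIMIT) -> list:
    """Constructed: a server with a full monitor list, paged 6 entries per packet."""
    clients = [("203.0.113.%d" % (i % 254 + 1), i + 1) for i in range(n_clients)]
    pages = [clients[i:i + ENTRIES_PER_PACKET]
             for i in range(0, n_clients, ENTRIES_PER_PACKET)]
    return [make_monlist_response(p, seq=i, more=i < len(pages) - 1)
            for i, p in enumerate(pages)]


def amplification_factor(request: bytes, responses: list) -> float:
    """UDP-payload amplification: bytes returned per byte sent (IP/UDP headers excluded)."""
    return sum(len(r) for r in responses) / len(request)


def probe_monlist(host: str, timeout: float = 2.0) -> list:
    """Live check of a server you are authorised to test; returns the raw reply pages."""
    pages = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_request(), (host, 123))
        try:
            while True:
                pages.append(s.recv(1024))
                if not parse_mode7_header(pages[-1])["more"]:
                    break
        except socket.timeout:
            pass                 # a patched or filtered server simply stays silent
    return pages


if __name__ == "__main__":
    req = build_monlist_request()
    pages = simulate_full_monlist()
    print("%d reply packets, %.0fx payload amplification"
          % (len(pages), amplification_factor(req, pages)))
    print("first leaked client:", parse_monlist_entries(pages[0])[0]["client"])
```

A full 600-entry list comes back as 100 packets of 440 bytes, roughly 900 times the size of the probe at the UDP payload level (the on-wire ratio is lower because every packet also carries IP and UDP headers). When probe_monlist() against your own server returns no pages or a single page with a non-zero error field, monlist is disabled or removed; if it returns client addresses, the server is both an amplifier and an information leak.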

This is a brief summary of the threats analysed from the past week. For a more detailed and technical analysis, check out FortiGuard Labs.


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
