Global XMPP Android Ransomware Campaign Hits Tens of Thousands of Devices

Introduction

Ransomware has been a well-known method of attack in the PC world for quite some time. Many PC-based ransomware variants have been thoroughly covered and their malicious payloads described by security researchers. In the past few years, however, a new breed of ransomware has appeared. This time, the target platforms are no longer workstations, but mobile devices. With some famous examples like the Simplocker and Koler variants, this new breed seems to be here to stay. A typical mobile ransomware infection begins when a user downloads a legitimate-looking application from a third-party application store and tries to install it on his Android device. Suddenly, his ...

Leadership, Validation, Innovation and Continuous Improvement

From 1,300 known viruses in 1997 to over 100,000 new malware variants created each day in today’s world, the business of threats has become an industry operating at a dizzying velocity. Combatting today’s industrial production of threats requires a unified, multi-layer threat prevention solution with an integrated sandbox.  A multilayer solution makes it more difficult for attackers to get through, because there are more mechanisms and means to catch malicious content at different stages of the malware’s operation.  The essential layer against the unknown and zero-day attacks is the sandbox, like Check Point’s Threat Emulation.  Threat Emulation inspects files in a safe, virtual ...

Certifi-gate Found in the Wild on Google Play

New Insights on the Extent, Exploitation, and Mitigation of This New Threat

Three weeks ago, Check Point publicly disclosed Certifi-gate, a new vulnerability on Android. Using anonymous data collected from the Certifi-gate scanner, an app that tells users if their devices are vulnerable, Check Point uncovered some startling new information:

- An instance of Certifi-gate was found running in the wild in an app on Google Play
- At least 3 devices sending anonymous scan results were actively being exploited
- 15.84% of devices anonymously reported having a vulnerable plugin installed
- Devices made by LG were the most vulnerable, followed by Samsung and HTC

In this blog, the research ...

JavaScript Hooking as a Malicious Website Research Tool

One of the top Internet threats today is drive-by download attacks which originate from exploit kits, hacked websites, spam campaigns and more. As browsers are the main tool for navigating the web, the main attack vectors are browser vulnerabilities, plugin and extension vulnerabilities, as well as some OS vulnerabilities. We have been playing with the idea of using JavaScript hooking as a research tool with the goal of identifying hacked websites, exploit kits, and CVEs, and of profiling websites for research purposes.

Why JavaScript hooking?

A web page is constructed from static and dynamic components. The static components are declared as part of the HTML ...

What You Can (and Can’t) Do Against Ransomware

It happens very quickly: one moment your files are there, and the next they're not. All you did was download some “useful” software, or run an email attachment that you got from a colleague. The next thing you know, all your files have had their extensions changed to something nonsensical, and their contents have been replaced with what appears to be random noise. Naturally, you had a backup, but the exact same thing happened to that, too. A warning soon arrives, either in a pop-up message or plastered all over your desktop: If you ever want to see your files again, you will have to pay a hefty ransom. This type of malware is called ransomware, and it’s a type of cryptoviral ...

SSH Decryption Opens Door to Very Old Security Vectors

Secure Shell, or SSH, is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a secure way. SSH uses the client-server model with public host key fingerprints in order to prevent MiTM (Man in The Middle) attacks.

Cybercriminal usage

It’s very common for hackers to use SSH in order to stay under the radar of security products. SSH can be exploited for hacking in many ways:

- SSH is very common and is usually accepted by most security devices.
- SSH Tunneling allows an attacker to transfer any traffic he desires over the standard SSH connection – Hackers Are Using SSH Tunnels to Send Spam
- SSH doesn’t have ...

Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part II – Supremacy

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web. “Part II – Supremacy” will describe and analyze CVE-2015-2213, a SQL injection vulnerability recently patched in WordPress 4.2.4.   In “Part I – Identity”, we showed how any Subscriber user could bypass multiple permission checks and access code to create and edit posts, ...

An Update on the Stagefright Vulnerability

What is Stagefright?

Stagefright is a vulnerability in the Android media library that allows attackers to send a multimedia text message that enables them to steal information off of a device.

How can an attacker use Stagefright?

Using a victim’s phone number, an attacker only has to send the malware-infected multimedia file to a device via MMS.

Who is at risk?

Smartphones and tablets running versions of Android prior to version 4.1 (ICS) are at risk. The introduction of ASLR in Android 4.1 made it significantly more difficult to exploit this vulnerability because a device would need to receive hundreds of messages for this to work.

What can I do to protect myself?

Check ...

Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned

(This post was edited to include additional remediation advice on August 10, 2015.) Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider. The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, NV this morning.

What is Certifi-gate?

Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plug-ins on a device. mRSTs allow remote personnel to offer customers ...

Introducing Check Point Mobile Threat Prevention

We’re more mobile than we’ve ever been, so it’s no surprise that smartphones and tablets aren’t our second screens, they’re our first. These devices move massive amounts of data around the clock and around the world, and while some data may be trivial, the increasing trend is that most of it isn’t. We use mobile devices to manage everything from our health records and banking information to confidential work documents and other critical business content with little concern over its security. But without the right protection, cyber thieves know the information on our smartphones and tablets is theirs for the ...