Check Point Threat Alert: Web Shells

Web shells can be used to obtain unauthorized access and can lead to wider network compromise. Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to a significant number of cyber incidents. This alert describes the frequent use of web shells as an exploitation vector and Check Point’s IPS guidance and relevant IPS protections addressing these threats. A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. It can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, ...

CyberDay 2015 Recap: A Day of Ideas and Insights

When CSO and Check Point partnered up to create a security thought leadership event for c-level executives, we had high hopes. Yesterday, November 18, those hopes were exceeded as about 200 people gathered in New York City. The purpose: to help today’s security leaders share the most current thinking and learnings to stay one step ahead of cyber attackers. We heard from Joel Brenner, former head of US Counterintelligence, who set the stage for what the threat landscape looks like. Check Point President Amnon Bar-Lev shined a light on how the common practice of investing in reactive threat solutions over proactive solutions actually ...

In The Wild: Mobile Security Observations from the Check Point Research Team

As security researchers, we see worrisome vulnerabilities on both iOS and Android every day. Cybercriminals know that smartphones and tablets hold massive amounts of data, so they’re using creative techniques to hack into mobile devices and access sensitive information. In fact, two of the more interesting areas where we’ve seen some threat activity over the last few weeks are in the increasing use of advertising SDKs to attack devices and a new trend towards the irremovability of malware. These tactics expose vulnerabilities and introduce malicious threats that often allow cybercriminals to launch full-scale attacks, putting both personal and enterprise data at risk.   Even ...

Vulnerabilities Continue to Put Mobile Devices at Risk

Smartphones and tablets have become the most important possessions we carry every day, and everyone should be able to take advantage of the benefits these devices bring without worrying about cybercrime. The convenience and versatility of mobility has also led more organizations to allow employees to use their own devices at work. In fact, according to Check Point’s 2015 Security Report, 91 percent of surveyed organizations have seen an increase in the number of personal mobile devices connecting to corporate networks over the last two years. But even though these devices are being used to access and store sensitive business information, mobile security is often not top of ...

Advanced Security For The SDDC That’s Really Advanced

Data center virtualization has come a long way – from concept to a reality in a few short years. The latest evolution, virtualizing the network, lets data center operators treat the underlying infrastructure as a pool of resources – compute, storage and network capacity – that can be called upon to dynamically bring up new applications and services or expand existing ones. Essentially, network virtualization transforms the data center from a hardware-focused to application-focused environment, enabling businesses to be more efficient and agile. As an added bonus, VMware NSX – the network virtualization pillar of the Software-Defined Data Center (SDDC) – delivers inherently ...

Rocket Kitten: A Campaign With 9 Lives

The customized malware and creative phishing techniques of cyber-espionage groups prove that there is a recurring industry problem. Cyber criminals can evade detection by making minimal changes to bypass most current protection solutions. Since early 2014, the attacker group dubbed ‘Rocket Kitten’ has been actively targeting organizations through malware infections and spear phishing campaigns. After an attack incident against a customer, Check Point researchers joined the investigations and released a report detailing the operations of the cyber-espionage campaign. The Rocket Kitten group has been studied and analyzed on multiple occasions by different vendors, and these attacks ...

Why it’s a Smart Idea to Use Threat Intelligence

When It Comes to Security, Do You Have ‘Evidence-Based Knowledge’? Recently, I participated in an interesting Twitter chat. One of the questions posed: What keeps you up at night? The responses varied, but the one common thread was that malware is constantly evolving, making things scarily unpredictable. It’s the reason why intelligence is key to protecting your corporate data and assets, as well as staying one step ahead. Gartner describes threat intelligence as “the product of a process, rather than a series of individual data points.” Their definition: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an ...

Check Point Discovers Critical vBulletin 0-Day

vBulletin is a commercial forum and blog platform developed by vBulletin Solutions, Inc. It was created over 10 years ago and is written in PHP. It is the world’s most popular forum platform, powering ~78% of the forums among the top 100K websites. Currently there are estimated to be over 40,000 live sites using vBulletin. A month ago, Check Point privately reported a critical unauthenticated RCE vulnerability to vBulletin support. This vulnerability was independently discovered by Netanel Rubin, and assigned CVE-2015-7808. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. It does not require any ...

“Offline” Ransomware Encrypts Your Data without C&C Communication

Early in September, Check Point obtained a sample of a ransomware. When the sample was run, the following message, written in Russian, appeared:   Translation: "Your files are encrypted, if you wish to retrieve them, send 1 encrypted file to the following mail address: Seven_Legion2@aol.com ATTENTION!!! You have 1 week to mail me, after which the decryption will become impossible!!!!"   All personal files were indeed encrypted, with each file renamed to the following format: email-.ver-.id--.randomname-.cbf Example: email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19 ...

Phishing for Employees in Russia

During the period August 27-30, 2015, Check Point sensors recorded a large amount of logs generated by the IPS protection “PHP Print Remote Shell Command Execution.” This was an interesting anomaly, as we do not usually see a high volume of logs from this protection. We started investigating the logs received from all sources, and noticed that they were all similar. The resources in all logs contained the following suspicious command: roskomnadzor=print-439573653*57; Looking at “roskomnadzor,” we found that this is the name of the Russian Federal Service for Supervision of Communications, Information Technology and Mass Communications (and that Russian people seem to be ...