SandBlast Protects Customers from Widespread Cerber Ransomware Attack

Starting at 6:44am UTC on June 22nd, Avanan, a partner of Check Point, detected a large-scale ransomware attack against its Cloud Security Platform customers across multiple companies. We believe this attack was only detected by SandBlast – Check Point’s Zero Day Protection solution. The attack carried a particularly nasty ransomware called Cerber, which spreads through phishing emails and encrypts users’ files with AES-256 and RSA. Once the files are encrypted, Cerber demands a ransom of 1.24 bitcoins (roughly 500 USD at the time) to regain access to the user’s documents, photos and files. While it’s difficult to precisely measure how many users were infected, Avanan ...

The Malware-as-a-Service Industry

Several recent developments have brought the malware infrastructure-as-a-service industry into the spotlight, reminding everyone how prominent it is in the cybercrime arena. The infrastructures behind exploit kits are so large that the global threat landscape can be completely altered when one of them goes down. According to Kafeine, a leading exploit kit researcher, the Angler exploit kit has vanished completely since June 7th. We too have detected a major decrease in Angler’s traffic, as seen in figure 1 below. Angler was the most prominent exploit kit in use; however, it was soon replaced by the Neutrino exploit kit, which began to spread the same payloads Angler was ...

Effective Security Management in a Software Defined World

Software defined infrastructure (SDx), along with the use of private and public clouds, completely transforms the way IT departments manage enterprise data centers and workloads. Automation is a key component of software defined networking (SDN), bringing network, server, security management and other IT functions or teams together. In the past, when organizations deployed new applications, the application owner needed to collaborate with several teams. For example: one team installed the required server hardware and OS, a separate team connected the servers to the network, and yet another team provisioned the security and firewall rules. It was as if the stars (or functional teams) had to align in ...

The Infamous Nuclear Exploit Kit Shuts Down

In an apparent response to the recent Check Point investigative report, the Nuclear Exploit Kit shut down its entire infrastructure and ceased operation.

Background

The Nuclear Exploit Kit, one of the largest attack infrastructures observed in the wild today, was recently the subject of a thorough investigation conducted by the Check Point Threat Intelligence and Research team as part of our ongoing research into the Malware-as-a-Service industry. In part I of our report, Inside Nuclear’s Core: Analyzing the Nuclear Exploit Kit Infrastructure, we reviewed in depth the various capabilities, exploits, and techniques employed by the exploit kit. We analyzed Nuclear’s operation ...

Intel Spot On with CET

Intel has recently published a specification for a new technology meant to detect and block malware at the processor level. The technology, developed with the help of Microsoft, is called Control-flow Enforcement Technology (CET), and its main purpose is to prevent any attempt to use Return-Oriented Programming (ROP) or Jump-Oriented Programming (JOP) in exploits. Attackers use these techniques to bypass current controls, such as non-executable memory (DEP/NX), that stop injected data from being run as code. Instead of injecting code, the attack reuses pieces of legitimate executable code, chaining together small instruction sequences (“gadgets”) that each end in a return or indirect jump, so that attacker-controlled data (the list of gadget addresses placed on the stack or in memory) dictates what the program does next. ROP-based ...
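As an added illustration, not Intel’s specification or Check Point’s code, the C program below models CET’s two mechanisms on a toy instruction set: a shadow stack that makes every RET verify its return address against a copy the program cannot overwrite, and indirect branch tracking (IBT) that only lets an indirect jump land on an ENDBR marker. The instruction set, the `run` interpreter and the two constructed programs are assumptions made for the demonstration; OP_OVERWRITE_RET stands in for a stack buffer overflow that clobbers the saved return address.

```c
#include <stdio.h>
#include <string.h>

/* Toy CET model (added example, not Intel's or Check Point's code).
 *  - shadow stack: CALL pushes the return address to a second stack that
 *    ordinary memory writes cannot reach; RET faults if the two copies differ.
 *  - IBT: an indirect jump may only land on an ENDBR-marked instruction. */
enum op {
    OP_ENDBR,        /* legal landing pad for indirect branches */
    OP_NOP,
    OP_CALL,         /* arg = callee index */
    OP_RET,
    OP_JMP_IND,      /* arg = target index (stands in for a jump through a register) */
    OP_HALT,
    OP_OVERWRITE_RET /* assumption: models an overflow writing arg over the saved return */
};
struct insn { enum op op; int arg; };
enum result { RUN_OK, RUN_CP_FAULT_SHADOW, RUN_CP_FAULT_IBT, RUN_BAD_PC };

#define STACK_MAX 32
#define TRACE_MAX 64
struct cpu {
    int pc;
    int stack[STACK_MAX];  int sp;     /* ordinary stack: attacker-corruptible */
    int shadow[STACK_MAX]; int ssp;    /* shadow stack: only CALL/RET touch it */
    int trace[TRACE_MAX];  int ntrace; /* indices of executed instructions */
};

/* Execute prog with CET on (cet != 0) or off; returns why execution stopped. */
static enum result run(const struct insn *prog, int n, int cet, struct cpu *c)
{
    memset(c, 0, sizeof *c);
    for (int steps = 0; steps < 1000; steps++) {
        if (c->pc < 0 || c->pc >= n) return RUN_BAD_PC;
        if (c->ntrace < TRACE_MAX) c->trace[c->ntrace++] = c->pc;
        const struct insn *i = &prog[c->pc];
        switch (i->op) {
        case OP_HALT:  return RUN_OK;
        case OP_ENDBR:
        case OP_NOP:   c->pc++; break;
        case OP_CALL:
            if (c->sp >= STACK_MAX) return RUN_BAD_PC;
            c->stack[c->sp++] = c->pc + 1;
            if (cet) c->shadow[c->ssp++] = c->pc + 1;   /* hardware-kept copy */
            c->pc = i->arg; break;
        case OP_RET: {
            if (c->sp == 0) return RUN_BAD_PC;
            int target = c->stack[--c->sp];
            /* Shadow stack check: a hijacked return address no longer matches. */
            if (cet && (c->ssp == 0 || c->shadow[--c->ssp] != target))
                return RUN_CP_FAULT_SHADOW;
            c->pc = target; break;
        }
        case OP_JMP_IND:
            /* IBT check: indirect branches must land on ENDBR. */
            if (cet && (i->arg < 0 || i->arg >= n || prog[i->arg].op != OP_ENDBR))
                return RUN_CP_FAULT_IBT;
            c->pc = i->arg; break;
        case OP_OVERWRITE_RET:
            if (c->sp > 0) c->stack[c->sp - 1] = i->arg;
            c->pc++; break;
        }
    }
    return RUN_BAD_PC;
}

/* Constructed ROP scenario:
 *   0: CALL 2           legitimate call, saved return address = 1
 *   1: HALT             where the callee should return
 *   2: ENDBR
 *   3: OVERWRITE_RET 5  "overflow" replaces the saved return address with 5
 *   4: RET              lands on 5 (hijacked) or faults under CET
 *   5: NOP              the gadget: reachable only through the hijacked RET
 *   6: HALT */
static const struct insn rop_prog[] = {
    {OP_CALL, 2}, {OP_HALT, 0}, {OP_ENDBR, 0}, {OP_OVERWRITE_RET, 5},
    {OP_RET, 0}, {OP_NOP, 0}, {OP_HALT, 0}
};

static enum result demo_rop(int cet)
{
    struct cpu c;
    return run(rop_prog, 7, cet, &c);
}

/* 1 if the gadget at index 5 ever executed, else 0. */
static int demo_rop_gadget_ran(int cet)
{
    struct cpu c;
    run(rop_prog, 7, cet, &c);
    for (int k = 0; k < c.ntrace; k++) if (c.trace[k] == 5) return 1;
    return 0;
}

/* Constructed JOP scenario: an indirect jump into the middle of code.
 * target_is_endbr selects whether index 2 is a legal landing pad. */
static enum result demo_jop(int cet, int target_is_endbr)
{
    const struct insn prog[] = {
        {OP_JMP_IND, 2}, {OP_HALT, 0},
        {target_is_endbr ? OP_ENDBR : OP_NOP, 0}, {OP_HALT, 0}
    };
    struct cpu c;
    return run(prog, 4, cet, &c);
}

int main(void)
{
    printf("ROP, CET off: result %d, gadget ran %d\n", demo_rop(0), demo_rop_gadget_ran(0));
    printf("ROP, CET on:  result %d, gadget ran %d\n", demo_rop(1), demo_rop_gadget_ran(1));
    printf("JOP: CET off %d, CET on %d, CET on + ENDBR target %d\n",
           demo_jop(0, 0), demo_jop(1, 0), demo_jop(1, 1));
    return 0;
}
```

With CET off, the hijacked RET lands on the gadget at index 5 and the program runs to completion, which is exactly the step a ROP chain relies on; with CET on, the same RET faults before the gadget executes, and the indirect jump to a non-ENDBR target faults as well while the jump to an ENDBR target is allowed. That is the property the real shadow stack and IBT provide: the attacker can still corrupt the stack, but the corrupted addresses never get to drive execution.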

Top 10 Most Wanted Malware

Today Check Point published its Threat Index for May, revealing that the number of active global malware families increased by 15 percent. Last month Check Point detected 2,300 unique, active malware families attacking business networks. It was the second month running that Check Point observed an increase in the number of unique malware families, having previously reported a 50 percent increase from March to April. The continued rise in the number of active malware variants highlights the wide range of threats and the scale of the challenge security teams face in preventing attacks on their business-critical information. In May, Conficker was the most prominent family, accounting for 14 percent of ...

Cerber Ransomware Targets U.S., Turkey and the UK in Two Waves

New ransomware families appear on a regular basis, each with a different method of operation. The Cerber ransomware, which has a sophisticated implementation, uses an interesting tactic in its attacks: it operates in surges, with relatively low activity in between. We have detected two such spikes in Cerber’s activity, the first in April and the second in May, each accumulating a substantial number of victims, as seen in figure 1 below.

Figure 1: Cerber Attacks per Day

Cerber targeted users in large numbers mainly in the U.S., Turkey and Great Britain, but also a wide array of other countries in smaller numbers.

Figure 2: Cerber ...

Tales from the Trenches: Modern Malware Requires Modern Investigation Techniques

The Check Point Incident Response team was called in to assist a company that had suffered a severe breach of its network, which was not previously protected by Check Point’s advanced protections. The team began to investigate and was extremely impressed by the malware’s tactics and sophisticated evasion techniques. The malware’s evasive nature required the team to use state-of-the-art investigation techniques to successfully remediate the network.

How it all began – inviting the malware in

The breach originated in a keygen downloaded by one of the employees. While the keygen did actually work, it also contained a malicious component: the malware called ...

In The Wild: Mobile Malware Implements New Features

Malware developers just won’t stand still. They keep developing their malware as they go, sometimes to adapt to the changing threat landscape, and sometimes simply to improve their capabilities. Recently, two examples of such advancements presented themselves, one in Triada’s code and one in Viking Horde’s.

Triada’s Trident is Getting Stronger

As if the original malware wasn’t bad enough, Triada has now received a dangerous update. Triada’s main purpose is to steal money transferred over SMS messages as part of in-app purchases. The malware does so by leveraging its system-level compromise of the device to hijack the raw SMS data (PDU) and send it directly to its C&C ...

Trust No One – A Cyberworld Survival Guide

Cybercriminals are professional scammers; their specialty is tricking users into helping them achieve their malicious goals. Attackers use many different tactics, including spam, phishing emails, and fake ads. In each case, the unsuspecting user plays an active role in their own victimization when they click a link or open an attachment. Recently, an unconventional campaign emerged in the wild which exploits its victims via live phone interaction. The campaign targets users who make a typo when entering a URL (a misspelling of www.cnbc.com, for example) or click what turns out to be a malicious link. The users are redirected to a malicious site containing JavaScript that activates ...