BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools

 
Background Rarely does the release of an exploit have such a large impact across the world. With the recent leak of the NSA exploit methods, we saw the effects of powerful tools in the wrong hands. On April 14, 2017, a group known as the Shadow Brokers released a large portion of the stolen cyber weapons in a leak titled, “Lost in Translation.” This leak contained many exploits, some of which were already patched a month earlier in the Microsoft SMB critical security update (MS17-010). However, many users were unable to update their systems. Even before WannaCry hit, more than 400,000 computers in approximately 150 countries were infected with one of the tools, called DoublePulsar. ...

The Judy Malware: Possibly the largest malware campaign found on Google Play

 
Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it. The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware ...

Hacked in Translation – from Subtitles to Complete Takeover

 
Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.     What is it? Perpetrators use various ...

Check Point R80.10 Maximizes Security and Minimizes Operational Overhead for CCI Nice Côte D’Azur, Creating a “WOW” Effect

 
Security threats and attackers continue to adapt their techniques, making it more difficult than ever for organizations to protect themselves. When the CCI Nice Côte D’Azur upgraded to Check Point’s R80.10 Security Management, it increased threat prevention performance, efficiency, and visibility while reducing operational overhead.   In a recent chat with Frédéric Achache, IT Projects Manager of CCI Nice Côte D’Azur, I gained some interesting behind-the-scenes perspectives on its security challenges. The CCI is a metropolitan and regional agency charged with promoting economic development across the Alpes-Maritimes Côte D’Azur region. In addition to headquarters, ...

Security Brief for Connected Automotives

 
Introduction       The question of which companies will dominate the automotive industry in coming years is being decided in the contest to produce Internet-connected cars. Intel predicts 120 million vehicles with varying degrees of automation will be on our roads by 2030. (Shot, 2016).The development and popular adoption of automotive data connectivity and autonomous navigation will have major consequences for IT professionals in many industries who will be expected to provide a variety of IT services to consumers and employees through cars that in themselves are mobile computing platforms. Automotive Security Issues Because connected cars intersect the categories of ...

April’s Most Wanted Malware: Exploit Kit Attacks Continue, While Slammer Worm Resurfaces Again

 
Check Point’s latest Global Threat Impact Index detected a continued increase in the number of organizations being targeted with Exploit Kits, as Rig EK became the most prevalent form of attack, while there was also a resurgence in the Slammer worm detected, with 4% of businesses impacted.   Slammer resurfaced following a short hiatus, jumping back into the top three most popular malware families. The Slammer worm first emerged in 2003 and spread extremely rapidly.  It was developed to target Microsoft SQL 2000, and propagated so quickly that it was able to cause a denial of service condition on some affected targets. This is the second time the worm has entered the malware ...

Check Point Reveals Global WannaCry Ransomware Infection Map at CPX Europe 2017

 
Check Point researchers have been investigating the ransomware campaign in detail since it was first reported. With a new Check Point WannaCry Ransomware Infection Map, the researchers were able to track 34,300 attack attempts in 97 countries. The average pace as of today is one attempt in every three second – indicating a slight decline since the original pace registered two days ago, of one attempt per second. The top country from where attack attempts were registered is India, followed by the USA and Russia.   Maya Horowitz, Threat Intelligence Group Manager at Check Point said, “Although we see it slightly slowing down, WannaCry still spreads fast, targeting organizations ...

CRYING IS FUTILE: SandBlast Forensic Analysis of WannaCry

 
Using the NSA exploit EternalBlue released by the Shadow Brokers, the WannaCry ransomware developers have added their names to malware lore. Given the number of institutions hit and the amount of media generated, it seemed appropriate to show what the ransomware actually does on a system through our SandBlast Agent Forensics product. The WannaCry outbreak has been a good test case for the recently launched SandBlast Anti-Ransomware. AR and Forensics work together as part of our SandBlast Agent product. As we had expected, Anti-Ransomware was up to the task and has successfully blocked all WannaCry samples we’ve thrown at it, without requiring any signatures or updates. For this ...

The mobile banker threat – from end to end

 
One of the most dangerous threats targeting mobile users is the banking malware. These malicious pieces of code are designed to steal financial information and transfer funds to their own accounts. Over the years, perpetrators successfully managed to overcome all obstacles set before them, such as the 2-Factor-Authentication security mechanism and defenses set in different Android versions. Surprisingly enough, mobile banking malware require relatively little technical knowledge to develop, and even less to operate. All the malware does is search for a banking app on the infected device and pop-up a fake overlay page once the user opens it. The user enters his credentials, which are sent ...

WannaCry – New Kill-Switch, New Sinkhole

 
Check Point Threat Intelligence and Research team has just registered a brand new kill-switch domain used by a fresh sample of the WannaCry Ransomware. In the last few hours we witnessed a stunning hit rate of 1 connection per second. Registering the domain activated the kill-switch, and these thousands of to-be victims are safe from the ransomware’s damage. Our research shows that the kill-switch works the same as in earlier versions, and the rest of the code is similar to the older versions. New kill-switch: ...