2016 H2 Global and Regional Threat Intelligence Trends

 
Introduction New, sophisticated threats continue to emerge on a daily basis across multiple platforms: social media, mobile platforms, email, and web pages. At the same time, prominent malware and attack methods continue to evolve, bypassing existing security solutions, and tailoring attacks against the largest companies in the world. The devices we use every day are now subject to compromise and can be leveraged for attacks. Even the recent U.S. elections were targeted with significant attacks. The Check Point 2016 H2 Global Threat Intelligence Trends report provides you with the best overview of the cyber landscape; threats, data breaches, trends, attacks and predictions, based on data ...

The SMISHING threat – unraveling the details of an attack

 
  On January 26, a new smishing attack targeted users in the Czech Republic. Smishing, or SMS phishing, is a vector attackers use to send SMS messages from supposedly legitimate organizations.  These messages persuade users to download a malicious app, to provide private information like bank account or credit card details, or to click on a malicious URL. In this campaign, the attackers masqueraded as Czech Post, the Czech postal service to get users to download a malicious app containing a full-scale Trojan horse. Once users click the link, they are led to a fake Czech Post web page with a seemingly legitimate address. From there the malware downloads and installs immediately ...

Hummingbad Overtaken as Leading Mobile Malware in January’s Global Threat Impact Index

 
 Hummingbad has been overtaken as the leading mobile malware for the first time since February 2016, according to the new January Global Threat Impact Index from our Threat Intelligence Research Team. Hummingbad was replaced at the top of the ‘most wanted mobile malware’ by Triada, a modular backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes.  In total, mobile malware accounted for 9% of all recognized attacks while the Index ranked Kelihos, a botnet used in bitcoin theft, as the most prevalent malware family overall, with 5% of organizations globally being impacted by it. Overall the top 10 malware ...

SQL Slammer Comeback

 
SQL Slammer is a computer worm that first appeared in the wild in January 2003, and caused a denial of service condition on tens of thousands of servers around the world. It did so by overloading Internet objects such as servers and routers with a massive number of network packets within 10 minutes of its first emergence.   The worm exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a formatted request to UDP port 1434. After the server is infected, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on its targets. This vulnerability was discovered by David Litchfield ...

Charger Malware Calls and Raises the Risk on Google Play

 
Several weeks ago, Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “Charger.” This incident demonstrates how malware can be a dangerous threat to your business, and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks.   Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user’s device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding ...

A Whale of a Tale: HummingBad Returns

 
  Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. The infected apps in this campaign were downloaded several million times by unsuspecting users. Check Point informed the Google Security team about the apps, which were then removed from Google Play. This new variant, dubbed ‘HummingWhale,’ includes new, cutting edge techniques that allow it to perform ad fraud better than ever before.   HummingBad is a malware first discovered by Check Point on customer’s devices in February 2016. HummingBad stands out as an extremely sophisticated and well-developed malware, which employed a ...

What’s the Proteus Botnet and how does it work?

 
  The Proteus botnet emerged toward the end of November 2016.  Only a few samples of it were found in the wild and, at the moment, it doesn’t seem to have a widespread campaign.  So, what does it do? It launches a multi-layered attack on an infected machine where it runs several processes aimed at coin mining, credential theft, and keylogging.  In addition, the bot can perform on its own; it offers the cybercriminal to send commands over HTTP to download malicious executables and execute them.   In some samples, the botnet disguises itself as a Google Chrome executable. The functionality of the botnet is highly reliant on its C&C (command and control) server, ...

Malware Takes a Christmas Break in December’s Global Threat Index

 
Global malware attacks decreased by 8% in December compared with the previous month, with the popular Locky ransomware recording a huge 81% decrease per week, according to the latest monthly Global Threat Index from Check Point’s Threat Intelligence Research Team. This isn’t an invitation to businesses to sit back and relax, however. Our team predicts that this lull really is due to malicious cybercriminals taking a Christmas break – and, following the same trends last year, when December recorded a 9% drop in the number of malware attacks worldwide, we expect attack volumes to bounce back in January.   The Global Threat Index tracks malware attacks against ...

Looking for a New Employee? Beware of a New Ransomware Campaign

 
Despite trying to brand itself as a new malware, GoldenEye, the latest Petya variant, is very similar to older versions and differs mostly in its “golden” motif. The most prominent change, however, is how the campaign spreads the ransomware. The current campaign used to distribute GoldenEye has a job application theme. It is therefore aimed at companies’ Human Resources departments, due to the fact they usually cannot avoid opening emails and attachments from strangers, a common malware infection method. HR-Targeted Ransomware The new campaign targets German speakers and mimics a job application. The email contains a brief message supposedly from a job applicant and ...

How We Found Two New Ransomware Families and Built Their Decryptors

 
Ransomware is one of the most common and effective attack methods today, and it seems this trend isn’t going to change anytime soon. This last November, we found that ransomware attacks are surging, with our Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%. Today, Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, but also the decryption solutions which can help victims retrieve their lost data free of charge. Check Point is an Associate Partner of the No More Ransom (NMR) project, which aims to fight back against the ransomware epidemic. As such, our new decryption ...