Preventing Petya – stopping the next ransomware attack

Check Point’s Incident Response Team has been responding to multiple global infections caused by a new variant of the Petya malware, which first appeared in 2016 and is currently moving laterally within customer networks. It appears to be using the ‘EternalBlue’ exploit which May’s WannaCry attack also used. It was first signaled by attacks on financial institutions in Ukraine, but soon started spreading more widely, particularly across Europe, the Americas and Asia. The ransomware is propagating fast across business networks in the same way WannaCry did last month. However, unlike other ransomware types including WannaCry, Petya does not encrypt files on infected ...

Anatomy of the Jaff Ransomware Campaign

Last month, Check Point researchers spotted the distribution of Jaff Ransomware by the Necurs Botnet. The ransomware was spread using malicious PDF files with an embedded docm file, which in turn downloaded an encoded executable. After the downloaded file was decoded, the ransomware encrypted the user’s files. In recent weeks, however, we detected a new spam campaign delivering the ransomware with an altered infection chain that uses malicious WSF files.

New Campaign
On May 28, the Check Point SandBlast Zero-Day Protection solution caught 8,000 messages delivering the ransomware, titled “Scanned Image from a Xerox WorkCentre,” a title which was in use ...

The Judy Malware: Possibly the largest malware campaign found on Google Play

Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is auto-clicking adware which was found in 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenue for the perpetrators behind it. The malicious apps reached an astonishing spread of between 4.5 million and 18.5 million downloads. Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware ...

Security Brief for Connected Automotives

Introduction
The question of which companies will dominate the automotive industry in coming years is being decided in the contest to produce Internet-connected cars. Intel predicts 120 million vehicles with varying degrees of automation will be on our roads by 2030 (Shot, 2016). The development and popular adoption of automotive data connectivity and autonomous navigation will have major consequences for IT professionals in many industries, who will be expected to provide a variety of IT services to consumers and employees through cars that are in themselves mobile computing platforms.

Automotive Security Issues
Because connected cars intersect the categories of ...

Check Point Reveals Global WannaCry Ransomware Infection Map at CPX Europe 2017

Check Point researchers have been investigating the ransomware campaign in detail since it was first reported. With the new Check Point WannaCry Ransomware Infection Map, the researchers have tracked 34,300 attack attempts in 97 countries. The average pace as of today is one attempt every three seconds, indicating a slight decline from the original pace registered two days ago of one attempt per second. The country from which the most attack attempts were registered is India, followed by the USA and Russia. Maya Horowitz, Threat Intelligence Group Manager at Check Point, said, “Although we see it slightly slowing down, WannaCry still spreads fast, targeting organizations ...

The mobile banker threat – from end to end

One of the most dangerous threats targeting mobile users is banking malware. These malicious pieces of code are designed to steal financial information and transfer funds to the attackers’ own accounts. Over the years, perpetrators have successfully overcome all obstacles set before them, such as the two-factor authentication security mechanism and the defenses introduced in different Android versions. Surprisingly, mobile banking malware requires relatively little technical knowledge to develop, and even less to operate. All the malware does is search for a banking app on the infected device and pop up a fake overlay page once the user opens it. The user enters his credentials, which are sent ...

Global Outbreak of WannaCry

On May 12, 2017, the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCry ransomware. We have reports that multiple global organizations are experiencing a large-scale ransomware attack which uses SMB to propagate within their networks. To complicate matters, a number of different campaigns are ongoing, so identifying specific infection vectors has been a challenge. For WannaCry, the infection vector appears to be direct infection using SMB as the delivery method. Samples identified by Check Point research teams contain varying “killswitch” domains and bitcoin addresses. All tested samples have been detected and ...

JAFF – A New Ransomware is in town, and it’s widely spread by the infamous Necurs Botnet

Necurs, one of the largest botnets, went offline during the 2016 holiday period and the beginning of 2017. It returned only briefly, peaking in late April while spreading Locky using malicious PDF documents. Today, May 11, Necurs started spreading a new ransomware called JAFF. Check Point’s global sensors have spotted as many as 40,000 emails in the last few hours, at a rate of approximately 10,000 emails sent per hour.

Image 1: The JAFF ransomware ransom note (courtesy of MalwareHunterTeam)

Necurs has a reputation as one of the 'best' malware distributors. In the past, it helped Locky and Dridex reach millions of victims, making them ...

DiamondFox modular malware – a one-stop shop

Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a dark web data intelligence company. The report includes a review of the malware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report, click here. Check Point Threat Intelligence teams constantly track the latest attack trends, campaigns and attack methods to maintain an up-to-date and accurate view of the cyber threat landscape. In recent years, an effective new business method has penetrated the thriving market for malware and attack tools and led to the establishment ...

Android Permission Security Flaw

Check Point researchers spotted a flaw in one of Android’s security mechanisms. Because of Google’s policy of granting extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks, including ransomware, banking malware and adware. Check Point reported this flaw to Google, which responded that the issue is already being dealt with in the upcoming version of Android, currently dubbed “Android O”.

Technical Background
In Android version 6.0.0, dubbed “Marshmallow”, Google introduced a new permission model for apps. The new model consists of several groups of permissions, with permissions considered as ...