Preventing Petya – stopping the next ransomware attack

 
Check Point’s Incident Response Team has been responding to multiple global infections caused by a new variant of the Petya malware, which first appeared in 2016 and is currently moving laterally within customer networks.  It appears to be using the ‘EternalBlue’ exploit which May’s WannaCry attack also exploited.  It was first signaled by attacks on financial institutions in the Ukraine, but soon started spreading more widely, particularly across Europe, the Americas and Asia. The ransomware is propagating fast across business networks in the same way WannaCry did last month.  However, unlike other ransomware types including WannaCry, Petya does not encrypt files on infected ...

Securing the Cloud: Ward Off Future Storms

 
A recent incident has left the voting records of 198 million Americans exposed. The data included the names, dates of birth, addresses, and phone numbers of voters from both parties. It also included voter’s positions on various political issues and their projected political preference. Although it is not unusual to collect this type of information, it should raise alarm bells that the platform hosting this data was not secured. This is the largest known data exposure in the United States, leaving the sensitive information of millions of Americans unprotected.   When it comes to protecting personal information and sensitive data, extensive measures should be taken to keep the ...

FIREBALL – The Chinese Malware of 250 Million Computers Infected

 
Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware,  Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities:  the ability of running any code on victim computers--downloading any file or malware, and  hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware. This operation is run by Rafotech, a ...

Hacked in Translation – from Subtitles to Complete Takeover

 
Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.     What is it? Perpetrators use various ...

Check Point R80.10 Maximizes Security and Minimizes Operational Overhead for CCI Nice Côte D’Azur, Creating a “WOW” Effect

 
Security threats and attackers continue to adapt their techniques, making it more difficult than ever for organizations to protect themselves. When the CCI Nice Côte D’Azur upgraded to Check Point’s R80.10 Security Management, it increased threat prevention performance, efficiency, and visibility while reducing operational overhead.   In a recent chat with Frédéric Achache, IT Projects Manager of CCI Nice Côte D’Azur, I gained some interesting behind-the-scenes perspectives on its security challenges. The CCI is a metropolitan and regional agency charged with promoting economic development across the Alpes-Maritimes Côte D’Azur region. In addition to headquarters, ...

WannaCry – New Kill-Switch, New Sinkhole

 
Check Point Threat Intelligence and Research team has just registered a brand new kill-switch domain used by a fresh sample of the WannaCry Ransomware. In the last few hours we witnessed a stunning hit rate of 1 connection per second. Registering the domain activated the kill-switch, and these thousands of to-be victims are safe from the ransomware’s damage. Our research shows that the kill-switch works the same as in earlier versions, and the rest of the code is similar to the older versions. New kill-switch: ...

JAFF – A New Ransomware is in town, and it’s widely spread by the infamous Necurs Botnet

 
Necurs, one of the largest botnets, went offline during the holiday period of 2016 and through the beginning of 2017. However it returned only to shortly peak late in April, spreading Locky using malicious PDF documents. Today, May 11, Necurs started spreading a new ransomware called JAFF. Check Point’s global sensors have spotted as many as 40,000 emails in the last few hours, at an infection rate of approximately 10,000 emails sent per hour. Image 1: The JAFF ransomware ransom note (courtesy of MalwareHunterTeam)   Necurs has the reputation for being one of the 'best' malware distributors. In the past, it helped Locky and Dridex reach millions of victims, making them ...

DiamondFox modular malware – a one-stop shop

 
Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here. Check Point Threat Intelligence teams constantly track the latest attack trends, campaigns and attack methods to maintain an up-to-date and  accurate view of the cyber threat landscape. In recent years, an effective new business method has penetrated the thriving malware and attack tools market and led to the establishment ...

Android Permission Security Flaw

 
Check Point researchers spotted a flaw in one of Android’s security mechanisms. Based on Google’s policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks, including ransomware, banking malware and adware. Check Point reported this flaw to Google, which responded that this issue  is already being dealt with in the upcoming version of Android, currently dubbed "Android O".   Technical Background: In Android version 6.0.0, dubbed “Marshmallow”, Google introduced a new permission model for apps. The new model consists of several groups of permissions, with permissions considered as ...

Debug Instrumentation via Flash ActionScript

 
Browser plug-ins have always been an attractive target for attackers to exploit. In the last couple of years, the most prevalent attack platform was undoubtedly – Flash. With 250+ CVEs in 2016 alone, and incorporation in practically every exploit kit, Flash exploits are everywhere and deserve our attention. As researchers, we stumble upon many cases where we are required to analyze exploits found in the wild and collect as much information as possible regarding the exploit`s internal workings. This process quite often proves to be tedious and very time consuming, making the research task far from optimal. As most of an exploit’s juicy parts (such as ROP chains, Shellcodes and ...