Check Point Research: A Year in Exploration

Part of being a great storyteller is to venture into the unknown. To step out of our comfort zone and explore worlds that are often hard to reach, overcoming challenges and obstacles along the way. The goal: to reach a final destination, though often that destination itself may be unknown.


In 2018, Check Point researchers dedicated themselves to exploring the unknown corners of cyber space and investigating what lurks there. In this post we look back on that journey, for while their discoveries not only made for great stories they are also one of the driving forces behind ensuring our customers are kept up to date and protected from today’s cyber threats.


Entering the Dark Web


You know you’re not in Kansas anymore when online chat rooms include discussions about how to carry out a cyber attack. Cyber criminals, though, were found to be taking the conversation beyond these more traditional forums. With encrypted and anonymous mobile messaging apps like Telegram, threat actors are able to advertise for and recruit hackers to carry out attacks on their behalf, or buy and sell their products and services to the highest bidder.


With such a low barrier to entry, it is not difficult for wannabe cyber criminals to get in on the act. The discovery of an advanced Phishing Kit in April last year revealed just how easy, and cheap, it is to buy these off-the-shelf products with very little technical know-how and quickly be on the path to tricking consumers into handing over their credit card details.


However, while security researchers explore the dark underbelly of the internet and publish their findings for the benefit of others, this transparency means that threat actors are also on the lookout to learn how they can improve their methods and update their malware in real time. A peak into this criminal mindset was visible in the development of GandCrab, proved how in today’s world even ransomware is agile.


Breaking New Ground


In August, Check Point researchers announced a brand new attack vector to the world, telling how an organization’s entire IT network could be attacked using nothing more than a fax number. Considering that hundreds of thousands of fax machines are still in use worldwide, the discovery was deeply concerning. So much so that the UK’s number largest purchaser of fax machines, the NHS, now plans to ban them in the future as a result of this discovery.


Fake news was in full swing too, not helped by a new vulnerability in the popular mobile messaging app, WhatsApp. Dubbed ‘FakesApp’, the flaw allowed a threat actor to intercept and manipulate messages in order to create and spread misinformation.


In an eye-opening research, vulnerabilities were also highlighted in the cloud infrastructure of DJI, the world’s leading drone manufacturer. Through an oversight in the user identification process, an attacker could have potentially gained access to a user’s flight images, logs, live camera views and flight video footage.



Mobile Wanderings


Regarding mobile, last year began with a jaunt into the world of malicious apps when over 60 fake children’s apps were downloaded from Google’s official Play Store and infected up to seven million times with the ‘AdultSwine’ malware. Despite Google’s efforts to secure their app store, malware also managed to evade detection to hide inside 22 flashlight apps and be downloaded up to 7.5 million times by unsuspecting victims.


Vulnerabilities were also found in mobile devices themselves, specifically flaws in the keyboard updating process of LG mobile devices. This journey into the way manufacturers build the devices we all use on a daily basis highlighted just how careful organizations need to be when allowing their employees to carry out business operations from their smartphones.


Similarly, our Man-in-the-Disk research alerted app developers to the dangers that lurk in how they use External Storage, a resource that is shared across all applications and does not enjoy Android’s built-in Sandbox protection.



Digging for Gold


The roads to new discoveries in 2018 were also littered  with attacks on organizations’ servers and endpoints, often by way of crypto-jackers. While ransomware previously hauled in quick profits for cyber criminals via smash and grab attacks, crypto-jacking offered them long term rewards in more stealth like intrusions. Indeed, in less than just 24 hours in January last year, the RubyMiner malware had attempted to infect around 30% of networks worldwide.


It came as no surprise then that a month later our researchers came across one of the biggest malicious mining operations ever seen by way of the JenkinsMiner campaign that targeted Jenkins, the leading open source automation server.


As the year progressed it became evident through our research into KingMiner that crypto-jackers were evolving. KingMiner rapidly deployed two improved versions that saw the attacker employing various evasion techniques to bypass emulation and detection methods.


Avoiding the Evil Eye of Nation State Espionage


Our travels, however, revealed that it was not just cyber criminals who were exploiting new technologies for their own gain. State and non-state actors were also manipulating end users to carry out espionage. Those behind the Domestic Kitten campaign enticed their victims to download spyware infected applications to collect sensitive information about them such as phone call records, SMS messages, geo-locations, photos and more.


Non-state actors were also caught spying under the cover of the World Cup and manipulating their targets to click on malicious phishing links and download a fake game scheduling mobile app. These malicious components within it included the ability to harvest users’ SMS messages, phone contacts, voice recordings, photos and more. The attack served as a good example of how threat actors make use of major events to attract potential victims and to hide within the scores of legitimate apps which relate to these events.


And finally, reaching one of the most unknown parts of the world, North Korea, our intrepid researchers managed to gain a look deep inside SiliVaccine, the Hermit Kingdom’s own anti-virus solution. Among several fascinating aspects was that a key component of SiliVaccine is actually a copy of TrendMicro’s own virus detection engine. Curiously, SiliVaccine also permitted one particularly malware to pass through its gates. Considering that North Korea is known for monitoring foreign journalists and its own dissidents, this should certainly raise an eyebrow.




Like all great adventures, last year’s exploration into cyber space presented some great challenges and obstacles for our threat research team. Having now ushered in 2019, Check Point Research will no doubt come across and tell the stories of many more types of malware, vulnerabilities and exploits.

Indeed, as the cyber threat landscape evolves and morphs into uncharted territories, you can be sure our team will be there to challenge and learn from them. By encountering these hurdles, and overcoming them, they will continue to return with new knowledge that makes not only them but also the organizations we protect stronger.