Showing posts with label Check Point Software Blog. Show all posts

Department of Homeland Security issues security warning for VPN applications — Check Point VPNs not affected

by Lloyd Tanaka, Threat Prevention Product Marketing Manager, published April 17th 2019

 

On Friday, April 12, the CERT Coordination Center (CERT/CC), working with the US Department of Homeland Security (DHS), issued a warning about a newly discovered vulnerability affecting possibly hundreds of Virtual Private Network (VPN) applications. Check Point was one of a small handful of vendors unaffected by this warning.

 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU#192371 for details of the affected VPN applications and the underlying problem: insecure storage of session cookies in memory and/or log files. Organizations face the risk of attackers exploiting this vulnerability to take control of an affected system.

 

Check Point VPN customers are not affected because of our advanced, market-leading security architecture. Check Point’s IPsec and SSL VPNs offer a number of market-leading capabilities that add safety and convenience for your remote access users, including:

 

  • Threat prevention
  • Incident analysis
  • Access control
  • Data security
  • Compliance checking
  • Multi-factor authentication

 

Customers using other VPNs should consult with their vendor. To help you assess your specific situation, we’ve formed a special VPN task force team to discuss your available options, including a quick migration to Check Point technology. Interested customers should contact our Incident Response team at https://www.checkpoint.com/support-services/threatcloud-incident-response/

Get information on Check Point’s Remote Access VPN solutions by visiting https://www.checkpoint.com/products/remote-access-vpn/

The post Department of Homeland Security issues security warning for VPN applications — Check Point VPNs not affected appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2KLgGfm

Game of Thrones Phishing Scams and How to Avoid Them

The long night has finally ended. Game of Thrones fans can finally come in from the cold and, like a starving dragon, start devouring the latest and final season of the massively popular TV show. But unlike the fantasy series, what is far more real is the plethora of phishing scams facing enthusiasts.

 

While there have been many such deceptions, from malware distributed via pirate torrent sites to phishing scams, Check Point Research recently came across the latest in this line of malicious activities bent on taking advantage of unsuspecting fans. Below is an example of a site that uses the official branding of the show and poses as a legitimate competition in which fans can win a special gift pack of GoT merchandise. There is, however, no such prize; the site instead collects as many email addresses and mobile phone numbers as possible, which could then be used in a future spamming campaign.

 

Fig 1: example of Game of Thrones phishing site – gameofthronesratings[.]com

 

Another example, that aims to dishonestly collect credit card details of users by posing as an official Game of Thrones merchandise store, can be seen below.

Fig 2: example of a site disguised as Game of Thrones official online store – gameofthronesofficalshop[.]com

 

While many may claim to be able to tell the difference between a real site and a fake one, the use of well recognized and trusted brands, like Game of Thrones, is the preferred method for convincing the user that an impersonated email or website is trustworthy.

 

Understanding the Threat

The websites we observed using the Game of Thrones brand could be split into two main categories: legitimate and fraudulent websites. While both categories use the popularity of the brand to lure users in, their motivations are different. The legitimate websites include fan pages, online games and small shopping sites looking for potential customers or new community members, as seen below.

Fig 3: gameofthronesgifts[.]com (a shopping site)

Fig 4: gameofthronesgifts[.]com (a fan site)

 

The fraudulent websites, on the other hand, exploit the popularity of the brand to display ads, acquire personal information or convince the user to install an unwanted program.

These fraudulent websites are mostly sites that request personal information for marketing purposes, and fake streaming sites that ask the user to download a browser add-on and provide personal information, while no streaming content is ever displayed at the end of the process.

 

How ThreatGuard Can Help

ThreatGuard is a SaaS product that scans an organization’s assets on the web and notifies them when threats such as lookalike domains, exposed accounts, detected CVEs and open risky ports are detected. In the examples provided above, to find sites exploiting the popularity of Game of Thrones, we used the lookalike domains functionality.

ThreatGuard allowed us to locate lookalike domains in a very short amount of time and focus our research on the deeper threat analysis. We initially entered a ‘gameofthrones’ query into ThreatGuard and got tens of results. After expanding the search to other common words related to the Game of Thrones series, such as names of characters and well-known quotes, we found many other related domains.

Fig 8: The ThreatGuard main dashboard

 

ThreatGuard also allowed us to narrow our research by a specific word, by the severity of the domain, to live domains only, and more. For domains that were deemed more interesting, we browsed them safely via the ThreatGuard solution and inspected the history of the domain. This allowed us to examine the suspicious domains without harming our own hosts while learning more about each domain we investigated. When we found a malicious domain, we automatically requested that the domain registrar take it down.

 

Fig 9: Focus on a specific lookalike domain

 

Fig 10: take down the domain by contacting the domain registrar and update all of the major web browsers

 

How to Avoid Being a Phishing Victim

 

There are ways, of course, to prevent being the next victim of a phishing attack. These include:

  1. Think before you click. Clicking on links on trusted sites should be totally fine. Clicking on links that appear in random emails and instant messages, however, isn’t going to end well. Hovering over links that you are unsure of before clicking on them will tell you whether they lead to where you’re expecting.
  2. Make sure a site’s URL begins with “https” and there is a closed lock icon near the address bar.
  3. Check that the site’s domain name is the site you are expecting to visit and trust. If it is not, you could be about to become the next victim of a phishing scam.
  4. Make sure you have an advanced threat prevention solution such as Check Point’s SandBlast Agent zero-phishing protection.
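As an added illustration (not code from the original post or from ThreatGuard), the following Python script automates the two ideas in this post: the brand-keyword lookalike-domain triage described in the ThreatGuard section, and the "hover, check https, check the domain" link checks in the list above. The brand-owned allowlist (brand-owned.example) and the link samples are constructed placeholders.

```python
"""Lookalike-domain triage and link checks for a brand keyword (added example).

Assumptions: OWNED_DOMAINS is a constructed placeholder for the domains the
brand owner really controls, and registrable_domain() uses the naive
'last two labels' rule rather than the public suffix list.
"""
import re
from urllib.parse import urlparse

BRAND_KEYWORD = "gameofthrones"
# Constructed placeholder allowlist; a real deployment loads this from the
# organization's asset inventory.
OWNED_DOMAINS = {"brand-owned.example"}

_BARE_DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def refang(domain):
    """Turn the defanged 'gameofthronesratings[.]com' report form back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")


def registrable_domain(host):
    """Naive registrable domain: last two labels (assumption: no public-suffix handling,
    so 'shop.example.co.uk' would wrongly yield 'co.uk')."""
    labels = refang(host).split(".")
    return ".".join(labels[-2:])


def is_lookalike(host, keyword=BRAND_KEYWORD, owned=OWNED_DOMAINS):
    """Brand keyword appears in the hostname, but the registrable domain is not one we own."""
    host = refang(host)
    return keyword in host.replace("-", "") and registrable_domain(host) not in owned


def triage_domains(candidates, keyword=BRAND_KEYWORD, owned=OWNED_DOMAINS):
    """Filter a candidate list (e.g. newly registered domains) down to lookalikes."""
    return [refang(c) for c in candidates if is_lookalike(c, keyword, owned)]


def visible_host(text):
    """Host the user *sees* in the link text, if the text looks like a URL or bare domain."""
    text = refang(text)
    parsed = urlparse(text if "://" in text else "//" + text)
    if parsed.hostname and _BARE_DOMAIN.match(parsed.hostname):
        return parsed.hostname
    return None


def check_link(display_text, href):
    """Apply the checks from the list above; returns the names of the warnings that fired."""
    warnings = []
    target = urlparse(href)
    if target.scheme != "https":              # rule 2: must be https
        warnings.append("not-https")
    shown = visible_host(display_text)        # rule 1: where the link really goes
    if shown and target.hostname and registrable_domain(shown) != registrable_domain(target.hostname):
        warnings.append("display-mismatch")
    if target.hostname and is_lookalike(target.hostname):   # rule 3: right domain?
        warnings.append("lookalike")
    return warnings


if __name__ == "__main__":
    # Constructed samples; the first two domains are the ones shown in the figures above.
    print(triage_domains(["gameofthronesratings[.]com", "gameofthronesofficalshop[.]com",
                          "gameofthrones.brand-owned.example"]))
    print(check_link("https://brand-owned.example/contest", "http://gameofthronesratings.com/win"))
```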

 

The full list of sites found by Check Point to be using the Game of Thrones brand, based on our analyst’s categorization, can be found below:


 

 

 

The post Game of Thrones Phishing Scams and How to Avoid Them appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Pd1BSo

Protect Your Business by Managing Network Security from the Palm of Your Hand

by Russ Schafer, Head of Product Marketing, Security Platforms, published April 11th 2019

 

 

Next generation cyber security attacks can happen at any time to a business of any size, so you need to be prepared to react immediately. Based on the 2018 Verizon Data Breach report, 58% of security breach victims are categorized as small businesses. In addition, 79% of the attacks on small businesses resulted in a confirmed breach. To prevent security breaches, you need to be able to monitor your network and quickly mitigate security threats anytime and anywhere. Small businesses typically don’t have a dedicated security professional, so security management applications also need to be easy to use.

 

Check Point is proud to introduce the WatchTower Security Management App for Small and Medium businesses. The intuitive security management app provides real-time monitoring of network events, enables you to quickly block security threats, and configure the security policy for multiple Check Point Security Gateways.

 

Customers who use the Check Point 700, 900 and 1400 series gateways can now manage their network security on the go with their iOS or Android mobile phone.

 

 

The WatchTower Security Management App provides the following innovative capabilities:

 

  • Network Security snapshot enables you to view the devices connected to your network and monitor potential security threats.
  • Real-Time Security Alerts provide notification of malicious attacks or unauthorized device connections.
  • On-the-Spot Threat Mitigation enables you to quickly block malware-infected devices and view infection details for further investigation.
  • Security Event Notification enables you to customize notifications for your top-priority security events.
  • Network statistic reports and charts provide insights on network usage patterns.
  • Network Security Event feed provides you details on all the security events by category.
  • The Settings Manager enables you to set the security settings for multiple gateways.
  • The Advanced policy configuration feature enables you to manage all the security policy settings through a secure web user interface.

 

Don’t let your company become a security breach statistic. Protect your company network while on the go using the WatchTower Security Management app.

 

For a free demo and a link to the iOS and Android app store pages, go to the WatchTower Security Management App page

 

 

The post Protect Your Business by Managing Network Security from the Palm of Your Hand appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Kxh2WU

Check Point Partners with Google’s Cloud Identity to Improve Zero Trust Cloud Access

With enterprises migrating to the cloud, the traditional network perimeter concept is fading. A new approach is needed to ensure more secure access to cloud resources.

 

by Ran Schwartz, Product Manager, Threat Prevention, published April 11th, 2019

 

The way we do business has undergone a seismic transformation thanks to the cloud. Few other technologies have had as big an impact on productivity, allowing people to easily access enterprise applications from anywhere and at any time, while facilitating better collaboration, scalability and decision-making. More and more organizations are reaping these benefits by migrating their core infrastructure and apps to a cloud platform.

 

But with the benefits inevitably come challenges, not least of which is managing access to enterprise resources located outside of an organization’s internal network perimeter. Traditional network security solutions were designed to protect data and devices located within the corporate perimeter. However, as employees increasingly demand the flexibility to work from anywhere and on a variety of devices, including mobile devices, and as valuable corporate data is no longer located in just one place, the idea of a network security perimeter is losing meaning. One of the main drawbacks of this paradigm is that if hackers manage to breach the perimeter, they have free rein within an organization’s restricted network.

 

A Fading Perimeter Calls for a New Approach

 

To keep up with the challenges arising from an increasingly mobile workforce and dynamic, dispersed cloud environments, security professionals must rethink traditional enterprise security. Check Point is taking a significant step forward in this direction by partnering with Cloud Identity to provide a new, zero trust (also known as BeyondCorp) approach to managing access to corporate resources and apps beyond the perimeter. Today, we’re joining Google Cloud’s BeyondCorp Alliance to help customers manage access to corporate data by leveraging user identity attributes and device security posture.

 

Device-Level Security Signals for Smarter Access Management

 

Here’s how it works. Check Point SandBlast Mobile reports on the security posture of all mobile endpoints that are accessing an organization’s resources and data. Security posture is determined based on the analysis of app-, network-, and device-based attack vectors. Malicious apps are identified using Check Point’s Behavioral Risk Engine, which includes static code flow analysis, threat emulation, and machine learning to detect both known and zero-day threats. This device security posture data is then fed to Google Cloud’s context-aware access engine, which can be used to control access to your LOB web apps, SaaS apps, and infrastructure resources such as VMs and APIs.

 

At the network layer, SandBlast Mobile protects against SSL attacks and also delivers powerful threat prevention capabilities through its On-device Network Protection (ONP) agent. Capabilities include anti-phishing, safe browsing, conditional access, anti-bot, and URL Filtering. And with all inspection happening locally on the device, both privacy and performance are preserved.

 

At the device level, SandBlast Mobile detects advanced jailbreak/rooting that may have been performed on the device, and analyzes the device for insecure configurations and other vulnerabilities.

 

Indicators of compromise (IOCs) are summarized in a risk score and combined with information on user identity and context of the request, to determine whether a user should be granted access to corporate resources and services.

 

With the integration of Check Point’s cutting-edge mobile security technology, customers can now gain unprecedented visibility over a device’s risk posture, augmenting what they know about the device and the context in which access is being requested.

 

Customers can leverage Check Point’s risk scores to create more granular and customized access policies for Google’s Cloud Identity, including G Suite. Granular controls make it easier for admins to grant context-aware access to resources, or to take more drastic measures if needed. For example, access can be blocked if Check Point SandBlast Mobile reports that a device is exposed to risk, or app data can be completely wiped from the device if the device is compromised.

 

Check Point SandBlast Mobile also reports on the health of its agent on the device – an important signal that can also be used to define access policy. If the agent is not properly installed or activated, access to corporate resources can be blocked. This input also provides admins the vital ability to enforce the proper installation and activation of Check Point SandBlast Mobile agent on endpoints across the organization, particularly on unmanaged devices.

 

Strengthening Zero Trust (aka BeyondCorp)

 

Google Cloud’s context-aware access working with Check Point SandBlast Mobile allows employees to securely access corporate resources from any device, and any location, without needing a traditional VPN. Context-aware access enables Google’s BeyondCorp security model, founded in 2011 to strengthen zero trust networks at Google and improve access management. The idea behind this model is that users should not be restricted from accessing certain resources and services based on the network they are connected to. Instead, access to resources should be conditional on user identity, device risk, and other contextual attributes. In a Zero Trust security model, access should be authenticated and encrypted regardless of whether it is within the network security perimeter.

 

As one of the first companies to join Google Cloud’s BeyondCorp Alliance – a new initiative through which Google Cloud and select partners are working together to deliver better security solutions – Check Point is committed to strengthening Zero Trust implementation and extending it to every device that touches the enterprise security ecosystem. “SandBlast Mobile delivers Check Point’s cutting-edge threat prevention capabilities to the mobile device, to help its customers prevent attacks that attempt to exploit mobile users and their devices to gain unauthorized access to business resources,” said Ran Schwartz, Product Manager for SandBlast Mobile, upon launch of the joint solution.

 

The integration is already gaining traction in the field, with many mutual customers recognizing the benefits of perimeter-less access management. Together, with our customers and partners, this is one more step Check Point is taking to address enterprise security needs as they migrate to the cloud.

 

Learn more about SandBlast Mobile here. 

The post Check Point Partners with Google’s Cloud Identity to Improve Zero Trust Cloud Access appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2GhDZsQ

March 2019’s Most Wanted Malware: Cryptomining Still Dominates Despite Coinhive Closure

Check Point’s latest Global Threat Index sees cryptominers continuing to lead the top malware list despite Coinhive ceasing operation  

By Check Point’s Threat Intelligence Team, published April 9th 2019

 

In March 2019, Coinhive dropped from the top position of the global threat index for the first time since December 2017. Despite closing its services on the 8th March, it still held 6th place in the list. Cryptoloot now leads the top malware list for the first time, and cryptominers continue to dominate amongst the most prevalent malware aimed at organizations globally.

 

Despite its closure, the Coinhive JavaScript code is still in place on many websites. No mining is taking place, but if the value of Monero increases significantly, it is possible that Coinhive may come back to life. Another possibility is that we may see other cryptominers increasing their activity in Coinhive’s absence. Instead of taking aim at websites, though, which is bringing in limited gains since cryptocurrency values began to fall across the board after the highs of 2018, they may increasingly take aim at enterprises’ Cloud environments.

 

The built-in scalability of cloud environments allows mining to take place at far higher volumes. Check Point’s research team have begun to see organizations being asked to pay hundreds of thousands of dollars to their Cloud vendors for the compute resources used by rogue cryptominers. This is a stark warning for organizations to secure their cloud environments from malware.

 

March 2019’s Top 10 ‘Most Wanted’:

 

*The arrows relate to the change in rank compared to the previous month.

  1. ↑ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a smaller percentage of revenue from websites.
  2. ↑ Emotet – Advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  3. ↑ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  4. ↑ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  5. ↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↓ Coinhive – Crypto-miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval, or sharing the profits with the user. The implanted JavaScript uses a great deal of the end user’s computational resources to mine coins and might crash the system.
  7. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↓ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  9. ↑ Lokibot – Info stealer distributed mainly by phishing emails, used to steal various data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.
  10. ↑ Mirai – Famous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks.

 

This month Hiddad is the most prevalent Mobile malware, replacing Lotoor at first place in the top mobile malware list. Triada remains in third place.

 

March’s Top 3 ‘Most Wanted’ Mobile Malware:

 

  1. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
  3. Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

 

 

Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 still leads the top exploited vulnerabilities with a 44% global impact. Web Server Exposed Git Repository Information Disclosure is in second place, with OpenSSL TLS DTLS Heartbeat Information Disclosure in third, both impacting 40% of organizations worldwide.

 

 

March’s Top 3 ‘Most Exploited’ vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  2. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

 

The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

The post March 2019’s Most Wanted Malware: Cryptomining Still Dominates Despite Coinhive Closure appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2UpvxRd

Check Point ZoneAlarm Extreme Security earns Best+++ Award from AVLab Test

By Lloyd Tanaka, Product Marketing Manager, Threat Prevention, April 8th 2019

 

In February of this year, AVLab performed comprehensive tests to determine which of 27 Windows 10 security solutions could best defend against a series of simulated online banking operation attacks. ZoneAlarm Extreme Security passed with flying colors, scoring a perfect 11 for 11 passed tests, receiving the firm’s prestigious Best+++ Award recommendation.

 

 

AVLab Test System

 

All products were tested according to AVLab’s specific, standardized procedures and the results are fully audited. The test followed these steps:

 

  1. Installation of the tested solution on a previously prepared image of Windows 10.
  2. Sequential launching procedures (malware was downloaded to the system through the Chrome browser from a temporary server).
  3. Repeating the tests on the modified settings.
  4. Writing down the results.

 

AVLab challenged each solution to detect thirteen banking Trojans found in the wild, as well as to defend against clipboard hijacking and swapping, keylogging, screenshot capture, RAM scraping, man-in-the-middle and HOSTS file modification attacks, among others.

 

ZoneAlarm Extreme Security detected all attacks. In their write-up, AVLab highlighted several ZoneAlarm capabilities:

 

  • Threat Emulation to protect against new encryption malware
  • Firewall that protects against modifying HOSTS files and ability to thwart internet attacks
  • Browser protection with the ThreatCloud intelligence database

 

To get the details of this AVLab test, read the full report here.

 

ZoneAlarm Extreme Security 2019 protects Windows PCs from unknown virus and firewall threats, including zero-day attacks, by analyzing suspicious files in the cloud before they can harm your computer. It’s the ultimate solution for internet security, firewall protection, and advanced antivirus filtering.

 

Available by mid-2019 is the new ZoneAlarm Extreme package, which will include award-winning anti-ransomware and multi-device protection, enabling users to protect their iOS and Android devices in addition to their Windows PCs.

 

The post Check Point ZoneAlarm Extreme Security earns Best+++ Award from AVLab Test appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2uTTscc

Secure your Serverless Infrastructure with CloudGuard Dome9

By Marina Segal, Product Manager, CloudGuard Dome9, published April 5th, 2019

 

In a previous blog, we discussed how serverless security requires a security-centric approach. To recap, serverless security requires a holistic approach in which the security of AWS Lambda functions, as well as of various other cloud-native services (such as S3 and DynamoDB), is continuously protected. In this blog, we will dive specifically into a few aspects of securing AWS Lambda functions and their communication with those services, and how CloudGuard Dome9 can help address some of those security challenges.

Serverless Security Challenges

 

  1. Securing Lambda Privileges

 

As your application scales, you might be using step functions or scaling to hundreds of Lambda functions. This results in more permissions that need to be managed and fine-tuned, which can be a challenging task in a highly dynamic cloud environment spanning thousands of AWS accounts. If a Lambda function is compromised, the most important security defense is to restrict what the compromised function can do (i.e. its privileges). Additionally, as the number of Lambda functions grows, it is important to ensure that there are no policies that grant blanket permissions (‘*’) to resources.

 

Image taken from AWS

 

  2. Securing External Data

Communication from your Lambda function to all AWS services needs to be encrypted and authenticated. The same due diligence must also be applied when storing sensitive data. A handful of AWS services offer server-side encryption for your data at rest (S3, RDS and Kinesis streams), and Lambda has built-in integration with KMS to encrypt your functions’ environment variables. For services/DBs that do not offer built-in encryption, e.g. DynamoDB, Elasticsearch, etc., it is easy to forget. In the case of a data breach, this can cost organizations,

 

 

How CloudGuard Dome9 Can Help

 

Typically, admins use IAM roles to ensure fine-grained control over who can invoke which actions on which resources. But it is still imperative to ensure you are adhering to the Principle of Least Privilege (POLP) when configuring Lambda permissions. In the serverless framework, the default behaviour is to use the same IAM execution role for all functions in the service. While this might seem an easy choice, it is not a good practice to follow.

 

The recommended practice is to have one IAM role per each Lambda function in order to follow the POLP. With CloudGuard Dome9, you can ensure that your Lambda functions will have the minimum privileges needed to perform the required tasks.

 

List<Lambda> should not have items groupBy [executionRoleArn] length() > 1

 

It is also recommended, and considered a standard security best practice, to grant minimal or least privilege, allowing only the permissions required to perform a task. As a best practice, security teams need to determine the specific permissions needed by your Lambda functions, and then craft IAM policies for these permissions only, instead of granting full administrative privileges. With CloudGuard Dome9, you can quickly assess whether any of your functions have blanket permissions.

 

Lambda should not have executionRole.combinedPolicies contain [policyDocument.Statement contain-any [Effect = 'Allow' and (Resource = '*' or Resource contain [$='*']) and (Action contain ['%*%'] or Action = '*' or Action contain [$='*'])]]
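As an added example (not CloudGuard Dome9 code), here is an offline Python replica of the two Lambda checks above: the one-execution-role-per-function rule and the blanket-permission rule. The function names, role ARNs and policy statements are constructed sample data standing in for what the Lambda and IAM APIs would return.

```python
"""Offline replica of the two Lambda least-privilege checks (added example).

Rule 1: no execution role should be shared by more than one function.
Rule 2: no Allow statement should pair a '*' resource with a wildcard action.
"""
from collections import defaultdict

# Constructed sample inventory: function -> execution role ARN (hypothetical names).
FUNCTIONS = [
    {"name": "orders-api", "executionRoleArn": "arn:aws:iam::123456789012:role/shared-lambda-role"},
    {"name": "report-gen", "executionRoleArn": "arn:aws:iam::123456789012:role/shared-lambda-role"},
    {"name": "image-resize", "executionRoleArn": "arn:aws:iam::123456789012:role/image-resize-role"},
    {"name": "cleanup", "executionRoleArn": "arn:aws:iam::123456789012:role/cleanup-role"},
]

# Constructed sample: role ARN -> combined (inline + attached) policy statements.
ROLES = {
    "arn:aws:iam::123456789012:role/shared-lambda-role": [
        # Blanket grant: a wildcard action on every resource.
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "s3:*"], "Resource": "*"},
    ],
    "arn:aws:iam::123456789012:role/image-resize-role": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::uploads/*"]},
    ],
    "arn:aws:iam::123456789012:role/cleanup-role": [
        # Wildcard action but scoped to a non-'*' resource: passes the rule as written.
        {"Effect": "Allow", "Action": "logs:*", "Resource": "arn:aws:logs:*:*:*"},
        # A Deny statement never counts as a blanket grant.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def shared_execution_roles(functions):
    """Roles used by more than one function (the groupBy [executionRoleArn] length() > 1 rule)."""
    by_role = defaultdict(list)
    for fn in functions:
        by_role[fn["executionRoleArn"]].append(fn["name"])
    return {arn: names for arn, names in by_role.items() if len(names) > 1}


def is_blanket_statement(stmt):
    """True when an Allow statement pairs a literal '*' resource with an action containing '*'."""
    if stmt.get("Effect") != "Allow":
        return False
    resource_wild = any(r == "*" for r in _as_list(stmt.get("Resource")))
    action_wild = any("*" in a for a in _as_list(stmt.get("Action")))
    return resource_wild and action_wild


def blanket_permission_roles(roles):
    """Map each offending role ARN to the statements that grant blanket permissions."""
    findings = {}
    for arn, statements in roles.items():
        hits = [s for s in _as_list(statements) if is_blanket_statement(s)]
        if hits:
            findings[arn] = hits
    return findings


if __name__ == "__main__":
    for arn, names in shared_execution_roles(FUNCTIONS).items():
        print(f"shared role {arn} used by {names}")
    for arn, hits in blanket_permission_roles(ROLES).items():
        print(f"blanket permissions in {arn}: {hits}")
```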

 

Use secure transport when transmitting data to and from services (both external and internal ones). If you’re building APIs with API Gateway and Lambda, then you’re forced to use HTTPS by default, which is a good thing. However, the API Gateway is always publicly accessible and you need to take the necessary precautions to secure access to internal APIs.

 

DynamoDB / Kinesis / S3

 

It is recommended to enable Server Side Encryption (SSE) of your AWS Kinesis stream data at rest, in order to protect your data and metadata from breaches or unauthorized access, and to fulfill compliance requirements for data-at-rest encryption within your organization. With CloudGuard Dome9, you can quickly scan and assess whether Kinesis has encryption turned on.

 

Kinesis should have encrypted=true

 

You can also easily verify if server side encryption is enabled on DynamoDB tables with the innovative Dome9 Governance Specification Language (GSL) found within the Compliance Engine of CloudGuard Dome9.

 

DynamoDbTable should have encrypted=true

 

For S3 buckets, best practice dictates that all data in the cloud be encrypted both at rest and in flight, that is, whenever data is read from or written to a bucket. Read more about how encrypting data in flight to S3 buckets can help protect against man-in-the-middle and sniffing attacks.

 

With CloudGuard Dome9, you can quickly ensure that S3 buckets have server-side encryption enabled to protect sensitive data at rest.

 

S3Bucket should have encryption.serverSideEncryptionRules

 

You can also ensure that S3 Buckets enforce encryption of data transfers using Secure Sockets Layer (SSL) for in-transit communication.

 

S3Bucket should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']]
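As an added example (not Dome9's code or its GSL), the Python below mirrors two of the checks above against plain policy JSON: the wildcard-Allow check on a Lambda execution role's combined policies, and the aws:SecureTransport Deny check on an S3 bucket policy. It reads the Lambda rule as requiring an Allow with both a wildcard resource and a wildcard action; the sample policies, account id and ARNs are constructed placeholders.

```python
"""Offline versions of two CloudGuard Dome9 checks above (added example).
Both functions take ordinary IAM / bucket policy documents (the JSON returned by
get-role-policy or get-bucket-policy) and return a verdict usable in a CI step."""


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def blanket_statements(policy_doc):
    """Return Allow statements that pair a wildcard resource with a wildcard action.

    Mirrors the Lambda rule: Effect = Allow, Resource '*' or ending in '*', and
    Action '*', ending in '*' or containing '*' anywhere (s3:*, s3:Get*).
    """
    flagged = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        actions = _as_list(stmt.get("Action"))
        wildcard_resource = any(r == "*" or r.endswith("*") for r in resources)
        wildcard_action = any("*" in a for a in actions)
        if wildcard_resource and wildcard_action:
            flagged.append(stmt)
    return flagged


def has_blanket_permissions(combined_policies):
    """True if any policy attached to the execution role grants blanket permissions."""
    return any(blanket_statements(doc) for doc in combined_policies)


def enforces_secure_transport(bucket_policy):
    """True if the bucket policy denies object access over plaintext HTTP.

    Mirrors the S3 rule: a Deny statement conditioned on aws:SecureTransport =
    false whose Action covers s3:GetObject (or all of s3:*).
    """
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if any(a in ("*", "s3:*", "s3:GetObject") for a in _as_list(stmt.get("Action"))):
            return True
    return False


# Constructed sample documents (account id and ARNs are placeholders).
ADMIN_LAMBDA_ROLE = [{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}]

SCOPED_LAMBDA_ROLE = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
        # A log-stream ARN legitimately ends in '*'; the actions do not, so this
        # statement is not flagged.
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*"},
    ],
}]

TLS_ONLY_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPlaintext",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

NO_TLS_DENY_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
```

The scoped role passes even though its log-group ARN ends in `*`, because the rule needs a wildcard on both the resource and the action before it flags a statement.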

 

For further guidance, feel free to check out our open source Cloud Security Posture Repository (CSPR) of comprehensive security controls and compliance checks for your cloud environments.

 

Dome9 is now part of the Check Point Software Technologies family as a core offering to enhance its cloud security portfolio. Check Point CloudGuard IaaS and CloudGuard Dome9 combine to offer a comprehensive security solution for public cloud environments. To learn more, please visit CloudGuard Dome9.

 

from Check Point Software Blog http://bit.ly/2FS3Ki3

Xiaomi Vulnerability: When Security Is Not What it Seems

Smartphones usually come with pre-installed apps, some of which are useful and some that never get used at all. What a user does not expect, however, is for a preinstalled app to be an actual liability to their privacy and security.

Check Point Research recently discovered a vulnerability in one of the preinstalled apps of Xiaomi, one of the world’s biggest mobile vendors, which, with almost 8% market share in 2018, ranks third in the mobile phone market. Ironically, it was the pre-installed security app, ‘Guard Provider’, which should protect the phone from malware, that exposes the user to an attack.

Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code they choose, such as password stealing, ransomware, tracking or any other kind of malware. For full technical details, please visit Check Point Research.

Like other pre-installed applications, Guard Provider is present on devices out of the box and cannot be deleted. Check Point responsibly disclosed this vulnerability to Xiaomi, which released a patch shortly after.

Fig 1: Xiaomi’s preinstalled Security App, known as ‘Guard Provider’

 

The Pros and Cons of SDKs

A software development kit (SDK) is a set of programming tools to help developers create apps for a specific platform. In the case of mobile devices, mobile SDKs have definitely helped developers by removing the need to spend time writing code and developing back-end stability for functionalities unrelated to the core of their app.

Indeed, as more and more SDKs are developed, new capabilities and opportunities present themselves to app developers and ultimately add better functionality to their end users.

But as more and more third party code is added to the app, the effort around keeping its production environment stable, protecting user data and controlling the performance gets much more complicated.

Known as ‘SDK fatigue’, this increased use of multiple SDKs within the same app makes the app more susceptible to problems such as crashes, viruses and other malware, privacy breaches, battery drain, slowdown, and many other issues.

 

The hidden disadvantages of using several SDKs within the same app lie in the fact that they all share the app’s context and permissions. The main disadvantages are:

  1. A problem in one SDK would compromise the protection of all the others.
  2. The private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.

 

According to a recent report, though, the use of multiple SDKs in a single app is far more common than one might think: on average a single app now has over 18 SDKs implemented within it. By doing so, developers leave organizations and users exposed to potential pitfalls that threat actors can exploit to interfere with the regular operation of the device.

 

2 + 2 Does Not Always = 4

While an organization’s IT security personnel are not expected to know the precise ins and outs of the SDKs used to build the apps that employees may put on their devices, they should be aware that the way apps are built can carry hidden security risks. One might assume that the elements used within a security app would all be secure; as the above vulnerability in Xiaomi’s pre-installed app shows, this is far from the case.

Developers and corporations alike need to be aware that combining one secure element with another secure element within an app does not necessarily mean that the device as a whole remains secure when the two are implemented together.

The only defense against these types of hidden and obscure threats is to ensure your organization’s fleet of mobile devices are protected from potential Man-in-the-Middle attacks.

Check Point SandBlast Mobile would detect and prevent such attacks, thereby eliminating the potential threats caused by the use of multiple SDKs within the same app.

from Check Point Software Blog https://ift.tt/2K6QoDX

Momo Challenge: A scary hoax with a stern warning

By Lloyd Tanaka, Product Marketing Manager, April 3rd 2019

 

The Momo Challenge, a purported suicide game targeting children on Facebook or YouTube, reared its ugly head, yet again. This urban legend sent chills to caregivers, schools, and police agencies that children were being lured by social media user Momo to engage in violent attacks and self-harm. Though deemed a hoax, Momo serves as a stern warning that children online are not immune from cyber abuse.

 

The Challenge offers us three valuable lessons: 1) Children readily access content via websites, YouTube videos, messaging apps, and social media apps, 2) The internet is the breeding ground for content, good and bad, fact and fiction, and 3) Technology is available to prevent cyberthreats and cyberbullying with children.

 

Blocking harmful content in schools

 

Realizing the need to bring safe online experiences to school-age children, Check Point Software created SandBlast for Education. This solution shields learners on Chromebook laptops from online abuses such as inappropriate content, phishing attacks, and cyberbullying in social networks. It ensures a safer, risk-free internet environment by monitoring and alerting on students’ online behavior, and protects a school’s IT infrastructure from cyber threats.

 

SandBlast for Education gets children’s web browsing off to a safe start. As seen in the graphic below, a single check of a box shows the ease in providing safe searches on Google, YouTube, Bing, among other search engines.

 
To prevent access to malicious websites, SandBlast for Education blocks offending URLs and filters out harmful content. School IT administrators could have proactively blacklisted key words such as “Momo,” “Suicide,” “Kill,” and “Die” to prevent access to an online nightmare like Momo.

 

SandBlast also uses anti-bullying technology to prevent cyberbullying prevalent in chats, instant messaging, and other social networking sites, including Facebook. The following image shows how easy it is to enable content filtering in SandBlast for Education:

 
Cyberthreats targeting children are a real and present danger. As educational technologies (EdTech) have grown and with the increased collection of student data, so have safety and privacy concerns. Under-secured endpoints increase the risks as cyber criminals locate ‘soft targets’ to harvest data that can be sold on the dark web.

 

The U.S. Federal Bureau of Investigation in a Public Service Announcement cited the diverse types of data that can be collected in school settings. It can include:

  • Personally identifiable information (PII)
  • Biometric data
  • Academic progress
  • Behavioral, disciplinary and medical information
  • Web browsing history
  • Other sensitive data

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means of targeting children.”[1] –U.S. Federal Bureau of Investigation

[1] “Public Service Announcement, Alert Number I-091318-PSA,” Federal Bureau of Investigation, Sep 13, 2018

 

Fortunately, the Momo Challenge was a viral hoax, but it and other online abuses should serve as a warning that every day, students and schools are targeted by cyber criminals. Parents and school district administrators can take solace that technology is available today to reduce the online risks in schools, and prevent children from entering the dark areas of the internet.

 

Information on SandBlast for Education can be obtained by visiting https://www.checkpoint.com/solutions/education/

from Check Point Software Blog https://ift.tt/2Ucj57h

Xero Transforms Their Security Culture With CloudGuard IaaS

by Moti Sagey, March 25th 2019

 

As businesses continue to move their workflow into the cloud, the need for multi-layered protection is critical. The dynamic nature of cloud infrastructure introduces a variety of new challenges, so implementing advanced protection beyond the traditional security approach will help your organization ward off the next storm.

Xero, a global online platform for small businesses and their advisors, identified key challenges within its cloud infrastructure. The company was spending an immense amount of time and resources controlling the environment rather than fully supporting product innovation. Xero was looking for a solution that would extend its security management-as-a-service capability to the DevOps teams without slowing down product development.

“Security was the first thing we thought about,” said Aaron McKeown, Head of Security Engineering and Architecture, Xero. “We had to think about data encryption, inbound and outbound traffic connectivity, and protection against web-based attacks like DDoS, cross-site scripting, and SQL injection attacks.”

The Xero team worked with Check Point to integrate CloudGuard IaaS into their architecture. Check Point CloudGuard IaaS delivers automated, multi-layered, elastic security that scales with the dynamic AWS environment. This enabled traffic to be directed to a defined “security zone” for security scrubbing based on any number of attributes—regulatory requirements, policy, type of traffic, and others.

“Check Point and AWS have released Xero from the constraints of traditional management and security practices,” said McKeown. “Together we enable a strong, positive security culture across the business without limiting growth in any way.”

Thanks to the automated security solution, Xero was able to transform the company’s security culture across security engineering, DevOps, and partnerships. Xero moved 700,000 customers, 59 billion records, and $1 trillion worth of transactions to a secure, fully managed AWS environment in nine months. For more information about how Xero integrated CloudGuard into their security infrastructure, read their customer case study here.

from Check Point Software Blog https://ift.tt/2FAWTtm

This March Madness, Don’t Get Upset by Cyber Criminals: Protect Your Organization from Cinderella Teams

With the first two rounds in the rear-view mirror and the Sweet Sixteen coming up, we’re excited to announce that Check Point is sponsoring this year’s NCAA Division 1 Men’s Basketball Tournament. If you’re going to the games, be sure to look for Check Point’s ad in the official game day program.

 

Whether you’re watching the madness live or streaming it at work, cyber threat actors are still plugging away at trying to attack your organization. Understanding a little bit about your matchup will go a long way toward making sure that you emerge from the madness unscathed.

 

Hackers Go Dancing: Cyber Security Lessons From College Hoops

 

Every year, a low-seeded, overlooked underdog team manages to make a run of miraculous upsets, creating one of the most iconic narratives in American sports: the college basketball Cinderella team.

 

From North Carolina State winning the whole tournament as a #6 seed in 1983 to #12 Oregon gearing up this Thursday to face #1 Virginia in the Sweet Sixteen, the single-elimination format of the tournament leads to a dizzyingly high level of variance. A wannabe Cinderella team just needs to outwork and outsmart the Goliaths, getting it right just enough times to overcome the odds.

 

A successful malware attack operates in a similar dynamic. As our VP of Products, Dorit Dor, noted in Forbes recently, the criminals need to get it right just once in order to “win”… while the security vendors need to get it right every time. Companies that don’t secure their mobile AND cloud environments with a comprehensive and unified security system are allowing just enough gaps for the cyber attackers to pull off the upset.

 

Modern, fifth-generation cyber attackers can move laterally, meaning that the margin of error for companies is extremely slim. They just need to infect one employee’s phone – when that phone connects to the company’s internal network at the office, cyber attackers have the ability to “jump” the malware to the network, too.

 

Without the right protection, the cyber criminal’s Cinderella story doesn’t look like much of a fairy tale.

 

Stay connected with Check Point for more cyber security insights on our Twitter, LinkedIn and Facebook, and learn more about Check Point Infinity here.

from Check Point Software Blog https://ift.tt/2Tzq30X

Check Point Forensic Files: Monero CryptoMiner Campaign Adapts APT Techniques

By Richard Clayton, March 19th 2019

Since mid-January, our SandBlast Agent Forensics team has noticed a new variant of the Monero mining malware spreading throughout organizations worldwide. Interestingly, this malware shows similarities with the infection and propagation techniques of APT attacks and makes use of legitimate IT admin tools, Windows system tools and previously disclosed Windows vulnerabilities to carry out the attack.

 

Before we dive into this particular campaign, though, it will serve us well to understand a little bit about APT attacks, how they work and why they are so dangerous to an IT network.

 

There are essentially 6 main steps taken during an APT Attack:

 

  1. The attack’s entry point is initially gained via an email, network, file, or application vulnerability and inserts malware into an organization’s network. At this point, the network is considered compromised but not yet breached.
  2. The malware then probes for additional network access and vulnerabilities or communicates with command-and-control (C&C) servers to receive additional instructions and/or malicious code.
  3. The malware will then typically establish additional points of compromise to ensure that the attack can continue if one point is subsequently closed.
  4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords, even if they are encrypted.
  5. The malware collects this data on a staging server and then exfiltrates it off the network to be placed under the full control of the threat actor. At this point, the network is considered breached.
  6. Evidence of the attack is then removed, but the network remains compromised. This allows for the attacker to be able to return at any time to continue the breach and carry out additional malicious operations.

Fig 1: Attack overview as seen by Forensics Report – Click here for full report.

 

A Monero APT Campaign

 

Since mid-January, we noticed a new variant of the Monero mining malware starting to spread. In fact, the malware showed similarities with the infection and propagation techniques of APT attacks. In addition, the highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs.

 

The malware used in the attack consists of two variants of Trojans identified as “Trojan.Win32.Fsysna” and a variant of a Monero cryptominer.

 

Fig 2: Incident Tree overview as seen by CheckPoint Forensics Report. Click here for full report.

 

The Attack Flow

 

It is unclear how the initial infection of an unprotected PC in a network occurs but since the malware utilizes Mimikatz, it is clear that it spreads through unpatched network systems easily and rapidly.

 

After being dropped and executed in the ‘User Temporary’ folder, its first action is to drop a copy of itself in the ‘Windows Temp’ folder for persistence. This will be described shortly.

 

The Trojan’s first instruction is to stop other or older instances of itself that have previously run on the machine. It uses Windows’ built-in Taskkill utility for this purpose. It additionally uses WMI to stop other processes that are running from the Windows Temp folder and that carry the same names as its payload. Next, it uses the Windows Netsh utility to open the ports it needs to connect to the mining network. Finally, in order to establish persistence, it cleans up older versions of itself and keeps creating new scheduled tasks that start a new process on a continuous basis.

Fig 3: “Updater” writing secondary payloads into the Temp folder.

A secondary payload is then dropped in the Temp folder; it is essentially a slightly modified version of the Trojan, set to run from different paths on the system. Just like Updater.exe, the new payload stops all previous versions of the Trojan that were running from the temp location and moves itself as ‘wmiex.exe’ to the system folder. From then on, using a legitimate Windows tool, it creates a scheduled task that mimics a web server application and runs on startup. It goes on to flush the system’s DNS cache and start the scheduled task it has created.

 

As seen in the above diagram of the report file, the ‘Suspicious Events’ tab also shows another abnormality.

 

All the Trojan binaries are signed by Shenzhen Smartspace Software technology. However, the SandBlast engine detects the invalid signature, which was most likely stolen from another binary, and marks it as suspicious activity. Currently, not all vendors on the market detect this fake certificate and some competitors actually mark it as a signed process.

 

Fig 5: All binaries are signed with invalidated certificates from Shenzhen Smartspace Software technology.

 

After reboot the Trojan repeats all the persistent techniques from the Windows Command line in order to survive any automated clean-up utility, or updates its binaries to the latest clients. You can see CMD’s arguments in the below diagram and how the process uses WMI commands to replace legitimate Windows processes with the Trojan and the cryptominer’s binaries.

 

Fig 6: Legitimate methods used by the miner in order to establish persistence and evade detection

During the attack chain, a PowerShell script launch was observed that attempts to connect to a series of predefined IP addresses and potentially infects other machines as well. Closer inspection of the content of the PowerShell script shows that it is a custom version of the popular Invoke-SMBClient utility, combined with a mixture of other scripts that use Windows tools to obtain data from the local machine and pass it on to the C&C server. This could potentially download other payloads. In our lab, we observed the script sending the script version, the MAC address of the virtual machine, and the installed anti-virus product and its version.

Fig 7: Deobfuscated version of the script as seen in the Content tab, pointing to the open source utility Invoke-SMBClient

 

A secondary PowerShell script is then launched at a later stage by the Trojan; upon closer inspection it points to Invoke-Cats, an obfuscated script-based version of Mimikatz. The content of the script is an exact match to the script found in the GitHub repository.

Fig 8: Invoke-Cats being launched by the persistent Trojan.

 

The Trojan also connects to the C&C server and updates the server with the latest info from the infected machine. At a later stage, a Bitcoin miner is also downloaded to the infected machine, and it runs in parallel to the Monero miner.

 

Fig 9: Network activity of the Monero miner process and connection to C&C servers.
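As an added example of the kind of correlation a defender can run over process-creation telemetry (not Check Point's code), the Python below scores constructed Sysmon-style events for the living-off-the-land steps described in this section (taskkill against older copies, netsh, schtasks, the DNS flush, the wmiex.exe payload and the PowerShell scripts) and flags a host only when several indicators co-occur within a short window, so an admin's lone schtasks or ipconfig call does not fire. Hostnames, paths, task names and the port number in the sample events are made up.

```python
"""Toy correlation for the chain described above (added example).
No single step is a reliable alarm because each uses a legitimate Windows tool;
counting distinct indicators per host inside a sliding window keeps the false
positive rate down while still catching the chain as a whole."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (indicator name, pattern searched in "image cmdline", case-insensitive)
INDICATORS = [
    ("temp_binary", r"\\Temp\\[^\\\s]+\.exe"),             # executable run from a Temp folder
    ("wmiex_payload", r"\bwmiex\.exe\b"),                   # the renamed secondary payload
    ("taskkill_self", r"\btaskkill\b.*/im\b"),              # killing older instances by image name
    ("netsh_open_port", r"\bnetsh\b.*firewall.*\badd\b"),   # opening ports for the mining network
    ("schtasks_create", r"\bschtasks\b.*/create\b"),        # startup persistence
    ("flush_dns", r"\bipconfig\b.*/flushdns\b"),
    ("lateral_script", r"invoke-smbclient|invoke-cats|mimikatz"),
]
_COMPILED = [(name, re.compile(pat, re.I)) for name, pat in INDICATORS]


def classify(image, cmdline):
    """Return the set of indicator names matched by one process-creation event."""
    text = f"{image} {cmdline}"
    return {name for name, rx in _COMPILED if rx.search(text)}


def suspicious_hosts(events, min_indicators=3, window=timedelta(minutes=10)):
    """Map host -> sorted indicator names for every host that shows at least
    min_indicators distinct indicators within one sliding window."""
    by_host = defaultdict(list)
    for ts, host, image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            by_host[host].append((datetime.fromisoformat(ts), hits))
    flagged = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):
            seen = set()
            for ts, hits in rows[i:]:
                if ts - start > window:
                    break
                seen |= hits
            if len(seen) >= min_indicators:
                flagged[host] = sorted(seen)
                break
    return flagged


# Constructed Sysmon-style events: (time, host, image, command line).
# host-a replays the chain from the post; host-b and host-c are routine admin work.
EVENTS = [
    ("2019-02-01T09:00:01", "host-a", r"C:\Users\alice\AppData\Local\Temp\Updater.exe", "Updater.exe"),
    ("2019-02-01T09:00:02", "host-a", r"C:\Windows\System32\taskkill.exe", "taskkill /f /im wmiex.exe"),
    ("2019-02-01T09:00:03", "host-a", r"C:\Windows\System32\netsh.exe",
     "netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=65000"),
    ("2019-02-01T09:00:05", "host-a", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc onstart /tn WebServers /tr C:\Windows\System32\wmiex.exe"),
    ("2019-02-01T09:00:06", "host-a", r"C:\Windows\System32\ipconfig.exe", "ipconfig /flushdns"),
    ("2019-02-01T09:03:10", "host-a", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -File C:\Windows\Temp\Invoke-SMBClient.ps1"),
    ("2019-02-01T10:15:00", "host-b", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc daily /tn NightlyBackup /tr C:\Tools\backup.exe"),
    ("2019-02-01T11:02:00", "host-c", r"C:\Windows\System32\ipconfig.exe", "ipconfig /flushdns"),
]


if __name__ == "__main__":
    for host, names in suspicious_hosts(EVENTS).items():
        print(host, "->", ", ".join(names))
```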

An addition to Check Point’s SandBlast Agent Forensics Report is the Reputation Details page, which summarizes all the malicious indicators of compromise on one page. This assists the analyst and eases the identification of false positives. The view contains reputation data, where available, from ThreatCloud for all non-trusted URLs, domains and hashes found in the forensics analysis.

 

Fig 10: Reputation Details page which is part of Enterprise Endpoint Security E80.92 Windows Clients.

Conclusion

 

The actors behind this campaign possess enough skill and experience to make this a potentially severe attack on any organization, with no easy steps for remediation.

 

The use of legitimate Windows tools such as CMD, WMI and networking utilities to inflict damage on the system and establish persistence makes these attacks harder to detect without increasing false positive detections in the organization.

 

The use of open source and script-based tools to move laterally within the organization and increase infection rates in loosely secured organizations also indicates that highly skilled actors are behind this attack.

 

To avoid being a victim of this attack we advise IT professionals to download patches and updates and ensure an advanced threat prevention solution is implemented across all parts of your IT network.

IOCs:

from Check Point Software Blog https://ift.tt/2HvaOEI

Mobile Supply Chain Attacks Are More Than Just an Annoyance

By Richard Clayton, Check Point Research Marketing

 

Mark Twain once wrote there are few things harder to put up with than the annoyance of a good example. He would have had a hard time then putting up with the latest shining example of why it is so necessary to have an advanced security solution installed on your mobile device.

 

In its latest discovery, Check Point Research has come across a massive mobile adware campaign that has already delivered an eye-watering 147 million downloads across almost 210 infected apps on the Google Play Store. Dubbed ‘SimBad’, because most of the infected apps are simulator games, the worldwide campaign makes using the phone unbearable by displaying countless ads outside of the application, with no visible way to uninstall the offending apps.

 

The Height of Annoyance

 

The infected apps all use a malicious SDK to carry out their operation. While there are other SDKs available for the monetization of mobile apps, the game developers have chosen to use an SDK that benefits them by displaying a far higher number of ads in order to increase their profits.

 

The apps’ malicious behavior includes:

  1. Showing ads outside of the application, for example when the user unlocks their phone or uses other apps.
  2. Constantly opening Google Play or 9Apps Store and redirecting to another particular application, so the developer can profit from additional installations.
  3. Hiding its icon from the launcher in order to prevent uninstallation.
  4. Opening a web browser with links provided by the app developer.
  5. Downloading APK files and asking the user to install them.
  6. Searching a word provided by the app in Google Play.

 

This is not the first time, however, that a third party element has been used to infect the supply chain.

 

Beware of the Supply Chain Attack

 

Modern software applications, such as websites or mobile phone apps, are built using complex supply chains of third party libraries or open source components. After all, why reinvent the wheel when there are off-the-shelf solutions that can help an organization’s software engineers to build applications that help enable business operations? There is, however, a downside to using third-party code – Supply Chain Attacks.

 

In supply chain attacks, attackers leverage trusted third party vendors to deliver malware to unsuspecting customers by inserting malware into third-party code. From the attacker’s point of view, poisoning a company’s software supply chain by infecting one of the components within it is highly tempting and arguably easier than a direct attack on the organization itself.

 

There have been notable examples of such attacks, including the massively disruptive NotPetya attack and the compromise of the widely used CCleaner security tool in 2017. In another alarming discovery by Check Point researchers, a further group of Android applications was found to be mass harvesting contact information from users’ mobile phones without their knowledge or consent, via malware hidden inside a monetization Software Development Kit (SDK).

 

Infecting the Supply Chain

Check Point Research recently discovered a group of Android applications to have malware hidden inside a monetization Software Development Kit (SDK), named SWAnalytics, which was integrated into seemingly innocent Android applications published in major third party Chinese app stores. After app installation, whenever SWAnalytics senses victims opening an infected application, or rebooting their phones, it silently steals and sends their entire list of contacts to a remote server.

 

Until now, 12 infected applications, most of which are system utility apps, have been downloaded a staggering total of over 111 million times. In theory, this means the attacker could have collected the names and contact numbers of a third of China’s entire population.

 

Such data could, of course, circulate in underground markets for further exploitation, ranging from rogue marketing to targeted telephone scams or friend referral program abuse.

 

Interestingly, in July 2018 US intelligence agencies issued a report highlighting concerns that software supply chain attacks represent an emerging threat from China that could erode America’s long-term competitive economic advantage.

 
Why Supply Chain Attacks Are Easy Pickings for Attackers

 

Because organizations have often invested more heavily in technology to protect their data and networks, cyber criminals must find innovative ways to circumvent those defenses — including exploiting vulnerabilities in the software supply chain. Through the supply chain threat actors can reach a wide range of organizations due to third party code that is used by so many software engineers across all industries. But the reasons go deeper than this.

 

For one, organizations trust that the third party code they use has built-in security. Unfortunately this is not always the case. As third-party providers often prioritize speed to market over security, it means their code can easily be intercepted and compromised. By the time it is used by the software engineer within an organization, it could well be too late and risks the final software application itself being compromised too.

 

Attackers are well aware that DevOps teams are driven by speed to make organizations more agile so often develop and deploy applications without the necessary security checks. Knowing this allows them to take advantage of these sacrifices of security concerns.

 

Furthermore, there is no good way to partition third party libraries or code from your organization’s in-house built code. As a result, it all runs within the same privilege. That means that anything the application can do, all the libraries can also do. So if the application can access your database, there is nothing to stop your libraries from doing the same.

 

Protecting Against Supply Chain Attacks

 

So is there anything that can be done to prevent supply chain attacks from affecting your organization?

 

Unfortunately, there is no easy answer for defending against these types of attacks. Organizations need to understand what commercial and open source products they are using, and be aware of and prepared for potential attacks using legitimate software as a vector.

 

Adopting a “hygiene first” approach to your organization’s security architecture will give you full visibility into your IT environment and help address any blind spots. As more and more applications are added to your IT ecosystem, security teams often struggle to keep track of who is installing such applications and where. As a result, these applications can quickly become a liability.

 

It is therefore important to have cutting-edge endpoint prevention solutions, network controls and segmentation, and improved controls around privileged credentials to prevent an attack from spreading across your entire corporate network.

 

SandBlast Mobile’s unique security infrastructure, On-device Network Protection, delivers threat prevention capabilities to enterprise mobile devices that were previously only available in network and endpoint security solutions. By inspecting and controlling all network traffic on the device, SandBlast Mobile prevents phishing attacks across all apps, email, SMS, iMessage and messaging apps. In addition, the solution prevents accessing malicious or restricted websites, and infected devices from accessing corporate resources and communicating with botnets. To ensure data and user privacy, SandBlast Mobile validates cellular traffic on the device itself without routing data through a corporate gateway.

 

Conclusion

 

While the software supply chain is crucial for DevOps teams to build and deploy business applications quickly and efficiently, the risks it poses can easily undermine and compromise your organization’s security.

 

The proliferation of third-party software used within organizations, though, is not likely to slow down. Along with this growth, supply chain attacks are also likely to increase due to insufficient protection of software development and distribution channels.

 

Within this complex threat landscape, the best protection against destructive software supply chain attacks is to leverage advanced threat prevention technologies, powered by advanced threat intelligence, combined with a ‘hygiene first’ approach to protecting your organization’s digital assets.

 

Check Point’s SandBlast Mobile protects against info-stealing malware such as that seen in the above research. For more details, please visit SandBlast Mobile.

 

For full technical details about the Chinese SDK apps, please visit Check Point Research.
For full technical details about the SimBad malicious apps, please visit Check Point Research.

The post Mobile Supply Chain Attacks Are More Than Just an Annoyance appeared first on Check Point Software Blog.



from Check Point Software Blog https://ift.tt/2TzlNDm


February 2019’s Most Wanted Malware: Coinhive Quits While Still at the Top

By Check Point’s Threat Intelligence team, published March 11th

 

In February 2019, Coinhive led the global threat index for the 15th successive month, having announced that it will cease operation on the 8th March 2019 as it is no longer economically viable. Meanwhile, our researchers discovered several widespread campaigns distributing GandCrab in Japan, Germany, Canada and Australia, among several other targeted nations.

 

These operations emerged over the last two months, and one of the most recent campaigns has been associated with a new version of the GandCrab ransomware. The new version, GandCrab V5.2, includes most of the features of the last, but with a key change in encryption that renders the decryption tool for previous versions ineffective. As we saw in January, this demonstrates that threat actors continue to exploit distribution methods while creating new and more dangerous versions of existing malware forms.

 

GandCrab’s new version proves once again that although some malware families stay in the top malware list for several months and seem to be static, they actually keep trying to find new methods to evade detection by security products. To combat this effectively, our researchers continuously trace them based on their malware family DNA.

 

Meanwhile, cryptominers continue to dominate the threat index, although their global impact is decreasing gradually as the value of cryptocurrencies declines. The rising cost of mining, along with the decline in the value of the Monero cryptocurrency, saw Coinhive’s global impact fall from 18% in October 2018 to 12% in January 2019, and to 10% this month. It is not yet clear whether the top position will be taken by another form of cryptomining malware, or by another malware form entirely.

 

February 2019’s Top 10 ‘Most Wanted’:

 

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Crypto miner designed to perform online mining of the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript uses a great deal of the end user’s computational resources to mine coins and might crash the system.
  2. ↑ Cryptoloot – Crypto miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking websites for a smaller percentage of revenue.
  3. ↑ Emotet – Advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan and is now used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  4. ↓ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  5. ↓ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↑ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  7. ↓ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. ↑ GandCrab – Ransomware distributed via the RIG and GrandSoft exploit kits, as well as email spam. The ransomware is operated in an affiliate program, with those joining the program paying 30%-40% of the ransom revenues to the GandCrab author. In return, affiliates get a full-featured web panel and technical support.
  9. ↑ Authedmine – A version of the infamous JavaScript miner CoinHive. Like CoinHive, Authedmine is a web-based crypto miner used to perform online mining of the Monero cryptocurrency when a user visits a web page, without sharing the profits with the user. However, unlike CoinHive, Authedmine is designed to require the website user’s explicit consent before running the mining script.
  10. ↔ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

 

This month Lotoor is the most prevalent mobile malware, replacing Hiddad in first place in the top mobile malware list. Triada remains in third place.

 

February’s Top 3 ‘Most Wanted’ Mobile Malware:

  1. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
  2. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  3. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

 

Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 still leads the top exploited vulnerabilities with 45%. OpenSSL TLS DTLS Heartbeat Information Disclosure is the second most prevalent vulnerability with a global impact of 40%, followed by the Web servers PHPMyAdmin Misconfiguration Code Injection exploit, impacting 34% of organizations worldwide.

 

February’s Top 3 ‘Most Exploited’ vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. ↑ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.

 

The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html

The post February 2019’s Most Wanted Malware: Coinhive Quits While Still at the Top appeared first on Check Point Software Blog.



from Check Point Software Blog https://ift.tt/2NUymDj

Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading

Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads...