Blog News - Home
Date

Title

Info

Blog

Companies

17.3.19

“CryptoSink” Campaign Deploys a New Miner Malware

Recently, threat researchers from F5 Networks spotted a new campaign targeting Elasticsearch systems. It leverages an exploit from 2014 to spread several new malwares designed to deploy an XMR (Monero) mining operation.

Cryptocurrency blog

F5 Labs

17.3.19

Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in February 2019

Security researchers at F5 Networks constantly monitor web traffic at various locations throughout the world. This allows us to detect current “in the wild” malware, and to get an insight into a threat actor’s attack pattern. So, what did we see in February 2019?

Security blog

F5 Labs

17.3.19

Intentionally Insecure: Poor Security Practices in the Cloud

I’m writing this on the last day of February 2019. So far this year, there have been five documented cases of organizations exposing their private data due to misconfigured S3 buckets or cloud databases.

Security blog

F5 Labs

17.3.19

Good Bots, Bad Bots, and What You Can Do About Both

It’s hard to get through any news cycle today without bots coming up. Those we hear about most spread spam, propagate fake news, or create fake profiles and content on social media sites—often to influence public opinion, spark social unrest, or tamper with elections.

BotNet blog

F5 Labs

17.3.19

Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing

Malware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this "fileless" execution is code injection. Rather than executing the malware directly, attackers inject the malware code into the memory of another process that is already running.

Phishing blog

FireEye

17.3.19

Breaking the Bank: Weakness in Financial AI Applications

Currently, threat actors possess limited access to the technology required to conduct disruptive operations against financial artificial intelligence (AI) systems and the risk of this targeting type remains low. However, there is a high risk of threat actors leveraging AI as part of disinformation campaigns to cause financial panic

Security blog

FireEye

17.3.19

Going ATOMIC: Clustering and Associating Attacker Activity at Scale

At FireEye, we work hard to detect, track, and stop attackers. As part of this work, we learn a great deal of information about how various attackers operate, including details about commonly used malware, infrastructure, delivery mechanisms, and other tools and techniques. This knowledge is built up over hundreds of investigations and thousands of hours of analysis each year.

Attack blog

FireEye

17.3.19

APT40: Examining a China-Nexus Espionage Actor

FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort.

APT blog

FireEye

17.3.19

FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings

This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering (FLARE) team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware.

Malware blog

FireEye

16.3.19

Windows Kernel Logic Bug Class: Access Mode Mismatch in IO Manager

This blog post is an in-depth look at an interesting logic bug class in the Windows Kernel and what I did to try to get it fixed with our partners at Microsoft. The maximum impact of the bug class is local privilege escalation if kernel and driver developers don’t take into account how the IO manager operates when accessing device objects. This blog discusses how I discovered the bug class and the technical background. For more information about the further investigation, fixing and avoiding writing new code with the bug class refer to MSRC’s blog post.

Vulnerability blog

Project Zero

14.3.19

SimBad: A Rogue Adware Campaign On Google Play

Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store. This particular strain of Adware was found in 206 applications, and the combined download count has reached almost 150 million. Google was swiftly notified and removed the infected applications from the Google Play Store.

OS Blog

Checkpoint

14.3.19

Operation Sheep: Pilfer-Analytics SDK in Action

Check Point Research has recently discovered a group of Android applications massively harvesting contact information on mobile phones without the user’s consent. The data stealing logic hides inside a data analytics Software Development Kit (SDK) seen in up to 12 different mobile applications and has so far been downloaded over 111 million times.

OS Blog

Checkpoint

14.3.19

Microsoft Patch Tuesday – March 2019

This month the vendor has patched 64 vulnerabilities, 17 of which are rated Critical.

Vulnerability blog

Symantec

14.3.19

Several Cryptojacking Apps Found on Microsoft Store

On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store.

Cryptocurrency blog

Symantec

14.3.19

Whitefly: Espionage Group has Singapore in Its Sights

In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.

BigBrother blog

Symantec

14.3.19

GlitchPOS: New PoS malware for sale

Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately using that information for financial gain. This type of malware is generally deployed on retailers' websites and retail point-of-sale locations with the goal of tracking customers' payment information. If they successfully obtain credit card details, they can either use the proceeds from the sale of that information or use the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers.

Malware blog

Cisco Talos

14.3.19

Microsoft Patch Tuesday — March 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2

Vulnerability blog

Cisco Talos

14.3.19

Vulnerability Spotlight: Privilege escalation bug in CleanMyMac X's helper service

CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw. The application scans through the system and user directories looking for unused and leftover files and applications.

Vulnerability blog

Cisco Talos

14.3.19

The sights and sounds of Cisco Talos at RSA 2019

An estimated 45,000 people attended this year’s RSA Conference in San Francisco to hear talks from some of the greatest minds in security. As always, Cisco and Talos had a massive presence at the conference, topping off the week with a keynote address featuring Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, a senior vice president and general manager of Cisco’s Internet-of-things business group.

Exploit blog

Cisco Talos

14.3.19

Vulnerability Spotlight: Multiple local vulnerabilities in Pixar Renderman

The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root.

Vulnerability blog

Cisco Talos

14.3.19

Cisco, Talos tout importance of IoT security at RSA keynote

By 2020, Gartner predicts 20 billion connected devices will be online — and more devices mean more security threats. Connected devices have exploded into the public and corporate landscape, rattling the bars of the cyber security cage.

IoT blog

Cisco Talos

14.3.19

Vulnerability Spotlight: Remote code execution vulnerability in Antenna House Rainbow PDF Office Server Document Converter

Antenna House Rainbow PDF Office Server Document Converter contains a heap overflow vulnerability that could allow an attacker to remotely execute code on the victim machine. Rainbow PDF is a software solution that converts Microsoft Office documents into a PDF. This specific flaw lies in the way the software converts PowerPoint files into PDFs

Vulnerability blog

Cisco Talos

14.3.19

Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters

Cisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads.

Attack blog

Cisco Talos

12.3.19

Cuckoo SandBox on AWS

From software vulnerabilities to APT groups, there are many areas of cyber research that Check Point Research is involved with. Arguably, one of the most challenging areas of research, though, is malware analysis.

APT blog

Checkpoint

12.3.19

Gaming industry still in the scope of attackers in Asia

Asian game developers again targeted in supply-chain attacks distributing malware in legitimately signed software

Spam blog

Eset

12.3.19

Over 2 billion records exposed by email marketing firm

The repository of email addresses and other records would offer a gold mine of data for scammers

Incident blog

Eset

8.3.19

Android Messaging: A Few Bugs Short of a Chain

About a year and a half ago, I did some research into Android messaging and mail clients. At the time, I didn’t blog about it, because though I found bugs, I wasn’t able to assemble them into a credible attack. However, in the spirit of writing about research that didn’t go as expected, I have decided to share it now. I think there is something interesting to learn about the impact of design choices on security from this research.

OS Blog

Project Zero

8.3.19

PXE Dust: Finding a Vulnerability in Windows Servers Deployment Services

Many large organizations use Windows Deployment Services (WDS) to install customized operating systems on new machines in the network. The Windows Deployment Services is usually, by its nature, accessible to anyone connected via a LAN port and provides the relevant software. They determine the Operating System as well as the accompanying programs and services for each new network element.

Vulnerability blog

Checkpoint

8.3.19

Flaws in smart car alarms exposed 3 million cars to hijack

The vulnerabilities, which resided in associated smartphone apps, were both easy to find and easy to fix

Vulnerability blog

Eset

8.3.19

RSA conference, USA 2019: Keynotes and key words

A bright tomorrow of technical delight, or a dismal future of digital dysfunction?

Security blog

Eset

8.3.19

RSA 2019: Protecting your privacy in a NIST and GDPR world

Protecting your privacy is no longer just an option but a legal requirement in many parts of the world

Security blog

Eset

8.3.19

International Women’s Day 2019: How can we be better allies?

Every year on March 8, we celebrate International Women's Day to honor the social, economic, cultural and political achievements of women. But we also acknowledge that there is still a long way to go before we’ve truly reached gender parity. This day gives us the opportunity to reflect on how we can achieve that balance. So it’s particularly fitting that the theme of this year’s International Women’s Day is “Balance for Better”

Cyber blog

Eset

8.3.19

Latest Chrome update plugs a zero-day hole

It now turns out that the vulnerability in the browser was being exploited in tandem with a zero-day in Windows

Vulnerability blog

Eset

8.3.19

RSA – IoT security meets SMB

Some tips that businesses can do to get better at it without breaking the bank

IoT blog

Eset

8.3.19

Payment processors remain phishers’ favorites

The latest report from the Anti-Phishing Working Group offers a mixed bag of findings about the phishing landscape in 2018

Phishing blog

Eset

8.3.19

Teen earns US$1 million in bug bounties

A ‘white hat’ from Argentina has come a long way since winning his first reward of US$50 in 2016

Security blog

Eset

5.3.19

Jmail Breaker: Profiting from Joomla’s Mail Service

Joomla! is one of the most popular CMS platforms and is used by hundreds of thousands of organizations worldwide. Over the years, many vulnerabilities were found in the product, such as Joomla Core Sterilizer Cross-Site Scripting Filter Privilege Escalation (CVE-2017-7985) and Joomla Object Injection Remote Command Execution (CVE-2015-8562). Indeed, over the past two years, there is evidence of a significant surge in the number of Joomla known vulnerabilities.

Vulnerability blog

Checkpoint

5.3.19

MacOS Malware Pedia

With a massive growth in new malware and infections, MacOS security awareness is now more important than ever, and yet many people believe that if they are using MacOS they are “safe” and should not be concerned about getting infected. Even though malware for MacOS is years behind Windows malware in the sense of sophistication, complexity, number of infections and more, MacOS malware is becoming more sophisticated as time goes by.

OS Blog

Checkpoint

5.3.19

A New InfoStealer Campaign Targets APAC Windows Servers

As time goes by, malware writers invent new methods to bypass security products. During our research, we came across an attack targeting Windows servers in APAC and revealed the attackers' infrastructure, where we observed the uploading of sensitive data, such as Windows login credentials, OS version and IP addresses (internal and external), from between 3-10 different victims each second.

Malware blog

Checkpoint

3.3.19

DJ Marshmello concert on Fortnite: An iconic event that also attracted scammers

The first virtual concert to take place inside a video game attracted interest not only from players but also from scammers, who tried to take advantage of the huge event by tricking users into buying tickets even though the concert was free

Spam blog

Eset

3.3.19

ICAO victim of a major cyberattack in 2016

The organization was the victim of a water-hole attack, likely attributable to the APT LuckyMouse group

APT blog

Eset

3.3.19

Coinhive cryptocurrency miner to call it a day next week

The service became notorious for its use by ne’er-do-wells looking to make a quick buck by hijacking the processing power of victim machines to generate virtual money

Cryptocurrency blog

Eset

3.3.19

‘Highly critical’ bug exposes unpatched Drupal sites to attacks

Worse, attackers have already been spotted targeting the flaw to deliver cryptocurrency miners and other payloads

Cryptocurrency blog

Eset

3.3.19

How to spot if your password was stolen in a security breach

Following the revelation that a list containing millions of stolen usernames and passwords had appeared online, we tell you a few different ways to find out if your credentials were stolen in that—or any other—security breach

Incident blog

Eset

3.3.19

Google aims for password-free app and site logins on Android

With FIDO2 certification for Android, Google is setting the stage for password-less app and website sign-ins on a billion devices

OS Blog

Eset

3.3.19

Escalating DNS attacks have domain name steward worried

The keeper of the internet’s ‘phone book’ is urging a speedy adoption of security-enhancing DNS specifications

Attack blog

Eset

3.3.19

Cyber-extortionists take aim at lucrative targets

A new report shines some light on multiple aspects of the growing threat of cyber-extortion

Cyber blog

Eset

3.3.19

ML-era in cybersecurity: A step toward a safer world or the brink of chaos?

As the use of this technology grows so does the risk that attackers may hijack it

Cyber blog

Eset

3.3.19

How costly are sweetheart swindles?

And that’s on top of the heartache experienced by the tens of thousands of people who fall for romance scams each year

Spam blog

Eset

21.2.19

Extracting a 19 Year Old Code Execution from WinRAR

In this article, we tell the story of how we found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer. The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.

Vulnerability blog

Checkpoint

21.2.19

North Korea Turns Against New Targets?!

Over the past few weeks, we have been monitoring suspicious activity directed against Russian-based companies that exposed a predator-prey relationship that we had not seen before. For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group – Lazarus.

APT blog

Checkpoint

21.2.19

Vol.3 – 2019 Security Report

In the first installment of this 2019 Security Report we reviewed the latest trends and threats facing the IT security industry today. In the second we took a deeper look at the cyber crime underworld to get a grasp on the democratization of cybercrime, and understood how malware has shifted gears to take a more stealth-like approach to infect organizations. In this installment we focus on how threat actors are able to keep one step ahead by targeting the weakest points in an organization’s IT infrastructure – the cloud, mobile and IoT. Indeed, these platforms offer a threat actor a much higher chance of success and fewer obstacles to overcome due to them being traditionally less protected.

Cyber blog

Checkpoint

21.2.19

Combing Through Brushaloader Amid Massive Detection Uptick

Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems. Brushaloader is currently characterized by the use of various scripting elements, such as PowerShell, to minimize the number of artifacts left on infected systems. Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems

Malware blog

Cisco Talos

21.2.19

JavaScript bridge makes malware analysis with WinDbg easier

As malware researchers, we spend several days a week debugging malware in order to learn more about it. We have several powerful and popular user mode tools to choose from, such as OllyDbg, x64dbg, IDA Pro and Immunity Debugger.

Malware blog

Cisco Talos

21.2.19

Siegeware: When criminals take over your smart building

Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities

Cyber blog

Eset

21.2.19

Switzerland offers cash for finding security holes in its e-voting system

Anybody with hacking prowess can take a crack at reading votes or even rigging the vote count itself

BigBrother blog

Eset

21.2.19

Criminal hacking hits Managed Service Providers: Reasons and responses

Recent news articles show that MSPs are now being targeted by criminals, and for a variety of nefarious reasons. Why is this happening, and what should MSPs do about it?

Hacking blog

Eset

21.2.19

Google – “Here’s how we cracked down on bad apps last year”

Apps downloaded from Google Play were eight times less likely to compromise a device than apps from other sources

OS Blog

Eset

21.2.19

Smoke damage and hard drives

A closer look at the damage caused by smoke particles and some steps you can take to aid recovery

Hardware blog

Eset

17.2.19

Several Cryptojacking Apps Found on Microsoft Store

Symantec found eight apps on Microsoft's app store that mine Monero without the user's knowledge.

Malware blog

Symantec

17.2.19

Microsoft Patch Tuesday – February 2019

This month the vendor has patched 74 vulnerabilities, 20 of which are rated Critical.

Vulnerability blog

Symantec

17.2.19

Microsoft Patch Tuesday — February 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player

Vulnerability blog

Cisco Talos

17.2.19

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

Vulnerability blog

Cisco Talos

17.2.19

What you can learn from Cisco Talos’ new oil pumpjack workshop

Every day, more industrial control systems (ICS) become vulnerable to cyber attacks. As these massive, critical machines become more interconnected to networks, it increases the ways in which attackers could disrupt their operations and makes it tougher for those who protect organizations' networks to cover all possible attack vectors.

ICS blog

Cisco Talos

17.2.19

Malta’s leading bank resumes operations after cyberheist-induced shutdown

Bank of Valetta, which went dark for a day after the fraudulent transfers of €13 million, is now looking to get the money back

Attack blog

Eset

17.2.19

Navigating the murky waters of Android banking malware

An interview with ESET malware researcher Lukáš Štefanko about Android banking malware, the topic of his latest white paper

Malware blog

Eset

17.2.19

Attack at email provider wipes out almost two decades’ worth of data

Instead of financial gain or other, more usual, goals, the attacker leaves ‘scorched digital earth’ behind

Spam blog

Eset

17.2.19

When love becomes a nightmare: Online dating scams

Roses are red, violets are blue, watch out for these scams or it may happen to you

Spam blog

Eset

17.2.19

Why you should choose a pseudonym at Starbucks

Innocently providing your name at your local coffee shop is just an example of how easy it can be for miscreants to cut through the ‘privacy’ of social media accounts

Social blog

Eset

17.2.19

Apple to pay teenager who uncovered FaceTime bug

The decision to award the bug has been welcomed but one security researcher has said that they need to do more to compensate those who find bugs

OS Blog

Eset

17.2.19

First clipper malware discovered on Google Play

Cryptocurrency stealers that replace a wallet address in the clipboard are no longer limited to Windows or shady Android app stores

Cryptocurrency blog

Eset

7.2.19

2018 in Snort Rules

The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to cryptocurrency miners. Talos researchers identified APT campaigns including VPNFilter, predominantly affecting small business and home office networking equipment, as well as Olympic Destroyer, apparently designed to disrupt the Winter Olympics. 

Safety blog

Cisco Talos

7.2.19

Reverse RDP Attack: Code Execution on RDP Clients

Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application to connect to remote computers. Whether it is used to help those working remotely or to work in a safe VM environment, RDP clients are an invaluable tool.

Attack blog

Checkpoint

7.2.19

Report: Under the Hood of Cyber Crime

Since the dawn of the internet, a cyber crime ecosystem has been developing right beneath our fingertips. And much like the maturing of the Internet, this ecosystem has come a long way since its inception.

Cyber blog

Checkpoint

7.2.19

The Curious Case of Convexity Confusion

Some time ago, I noticed a tweet about an externally reported vulnerability in Skia graphics library (used by Chrome, Firefox and Android, among others). The vulnerability caught my attention for several reasons: Firstly, I looked at Skia before within the context of finding precision issues, and any bugs in the code I already looked at instantly evoke the “What did I miss?” question in my head.

Security blog

Project Zero

7.2.19

Tech Support Scams Now Get Users to Install Potentially Unwanted Apps

Tech support scams continue to prey on unwitting victims. We have seen in recent months how these scams are constantly evolving, from the use of call optimization to the use of Advanced Encryption Standard (AES) and a multi-level obfuscation scheme.

Spam blog

Symantec

7.2.19

DanaBot updated with new C&C communication

ESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated protocol for C&C communication and slight modifications to architecture and campaign IDs

BotNet blog

Eset

7.2.19

Google rolls out Chrome extension to warn you about compromised logins

The new tool aims to help in an age when billions of login credentials are floating around the internet

Safety blog

Eset

7.2.19

European Commission orders recall of children’s smartwatch over privacy concerns

The watch has been found to expose its wearers to a high level of risk of being contacted and monitored by attackers

BigBrother blog

Eset

5.2.19

ExileRAT shares C2 with LuckyCat, targets Tibet

Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. In our case, we received an email message from the CTA mailing list containing an attachment, "Tibet-was-never-a-part-of-China.ppsx," meant to attack subscribers of this Tibetan news mailing list.

Malware blog

Cisco Talos

5.2.19

SpeakUp: A New Undetected Backdoor Linux Trojan

Check Point researchers have spotted a new campaign exploiting Linux servers to implant a new Backdoor which evades all security vendors. The new Trojan, named “SpeakUp” after one of its command and control names, exploits known vulnerabilities in six different Linux distributions. The attack is gaining momentum and targeting servers in East Asia and Latin America, including AWS hosted machines.

Malware blog

Checkpoint

5.2.19

Houzz discloses data breach, asks some users to reset passwords

Citing an ongoing investigation, the company wouldn’t say how or when the incident occurred

Incident blog

Eset

2.2.19

Cyber Security Week in Review (Feb. 1)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Cyber blog

Cisco Talos

2.2.19

Fake Cisco Job Posting Targets Korean Candidates

Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process. 

BigBrother blog

Cisco Talos

2.2.19

Vulnerability Spotlight: Multiple vulnerabilities in ACD Systems Canvas Draw 5

Cisco Talos is disclosing several vulnerabilities in ACD Systems' Canvas Draw 5, a graphics-editing tool for Mac. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format that's used in Canvas Draw. PCX was a popular image format with early computers, and although it's been replaced by more sophisticated formats, it is still in use and fully supported by Canvas Draw.

Vulnerability blog

Cisco Talos

2.2.19

Examining Pointer Authentication on the iPhone XS

In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel PAC signatures for the A keys, which is sufficient to execute arbitrary code in the kernel using JOP. The technique I discovered was (mostly) fixed in iOS 12.1.3. In fact, this fix first appeared in the 16D5032a beta while my research was still ongoing.

Exploit blog

Project Zero

2.2.19

Four new caches of stolen logins put Collection #1 in the shade

The recently discovered tranches of stolen login credentials freely floating around the internet total 2.2 billion records

Incident blog

Eset

2.2.19

Japan to probe citizens’ IoT devices in the name of security

Smart devices were targeted by more than one-half of cyberattacks detected in the country in 2017

BigBrother blog

Eset

2.2.19

Cybercrime black markets: Dark web services and their prices

A closer look at cybercrime as a service on the dark web

Cyber blog

Eset

2.2.19

‘We’re coming for you’, global police warn DDoS attack buyers

First closing in on operators, now on users, as the hunt continues and law enforcement in many countries is about to swoop down on people who bought DDoS attacks on WebStresser

Attack blog

Eset

2.2.19

“Love you” malspam gets a makeover for massive Japan-targeted campaign

ESET researchers have detected a substantial new wave of the “Love you” malspam campaign, updated to target Japan and spread GandCrab 5.1

Spam blog

Eset

30.1.19

Suspected GDPR violations prompt over 95,000 complaints

Eight months after the landmark rules came into effect, data released by the European Commission provides a glimpse into the law’s application

BigBrother blog

Eset

30.1.19

Russia hit by new wave of ransomware spam

Among the increased number of malicious JavaScript email attachments observed in January 2019, ESET researchers have spotted a large wave of ransomware-spreading spam targeting Russian users

Ransomware blog

Eset

30.1.19

Hear me out! Thousands tell UK taxman to wipe their voice IDs

Even so, the database has grown to seven million voiceprints amid a controversy that puts the spotlight on the privacy implications of the collection of biometric information

Security blog

Eset

30.1.19

Apple takes Group FaceTime offline after discovery of spying bug

The company is rushing to fix a glitch that may let other iPhone users hear and see you – before you answer the call

Vulnerebility blog

Eset

30.1.19

voucher_swap: Exploiting MIG reference counting in iOS 12

In this post I'll describe how I discovered and exploited CVE-2019-6225, a MIG reference counting vulnerability in XNU's task_swap_mach_voucher() function. We'll see how to exploit this bug on iOS 12.1.2 to build a fake kernel task port, giving us the ability to read and write arbitrary kernel memory. (This bug was independently discovered by @S0rryMybad.) In a later post, we'll look at how to use this bug as a starting point to analyze and bypass Apple's implementation of ARMv8.3 Pointer Authentication (PAC) on A12 devices like the iPhone XS.

Exploit blog

Project Zero

30.1.19

Vulnerability Spotlight: Multiple vulnerabilities in coTURN

Today, Cisco Talos is disclosing three vulnerabilities in coTURN. coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable from the internet — to provide firewall traversal solutions.

Vulnerebility blog

Cisco Talos

30.1.19

Vulnerability Spotlight: Python.org certificate parsing denial-of-service

Python.org contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Python can crash if getpeercert() is called on a TLS connection that uses a certificate with an invalid DistributionPoint in its extension.

Vulnerebility blog

Cisco Talos

30.1.19

Vulnerability Spotlight: Multiple WIBU SYSTEMS WibuKey vulnerabilities

Cisco Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual property. It allows users to manage software licenses via a USB key. A third vulnerability is located in userland and can be triggered remotely, as it's located in the network manager.

Vulnerebility blog

Cisco Talos

30.1.19

APT39: An Iranian Cyber Espionage Group Focused on Personal Information

APT39 is an Iranian cyber espionage group responsible for widespread theft of personal information.

APT blog

FireEye

28.1.19

Cryptocurrency and Blockchain Networks: Facing New Security Paradigms

Blockchain technology offers the promise of enhanced security, but also presents its own challenges.

Cryptocurrency blog

FireEye

28.1.19

Bypassing Network Restrictions Through RDP Tunneling

With more threat actors using Remote Desktop Protocol, security teams are being challenged to decipher between legitimate and malicious RDP traffic.

Malware blog

FireEye

28.1.19

Cisco AMP tracks new campaign that delivers Ursnif

Cisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to AMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we began to dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most popular malware families that attackers have deployed recently. In April, we detected that Ursnif was being delivered via malicious emails along with the IcedID banking trojan.

Malware blog

Cisco Talos

28.1.19

What we learned by unpacking a recent wave of Imminent RAT infections using AMP

Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

Malware blog

Cisco Talos

28.1.19

Dynamic Data Resolver (DDR) - IDA Plugin

Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. But if you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect it and start behaving differently. Cisco Talos is here with Dynamic Data Resolver (DDR), a new plugin for IDA that aims to make the reverse-engineering of malware easier.

Security blog

Cisco Talos

28.1.19

Emotet re-emerges after the holidays

While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. Cisco Talos recently discovered several new campaigns distributing the infamous banking trojan via email. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet.

Malware blog

Cisco Talos

28.1.19

Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities

TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.

Vulnerebility blog

Cisco Talos

28.1.19

Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor

PyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware will encrypt all files on a victim machine before demanding that the user pay a ransom to gain access to their decrypted files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.

Ransomware blog

Cisco Talos

28.1.19

Why we want users' feedback on Snort rule documentation

When Snort alerts the end user, the rule documentation is their first and possibly only avenue to find information on malicious traffic in their network. We know this can be better, and we want your help in determining what we can do to make Snort users more knowledgeable and provide them more information.

Security blog

Cisco Talos

28.1.19

Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.

Vulnerebility blog

Cisco Talos

28.1.19

Vulnerability Spotlight: Multiple Apple IntelHD5000 privilege escalation vulnerabilities

A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Vulnerebility blog

Cisco Talos

28.1.19

Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X

Today, Cisco Talos is disclosing several vulnerabilities in MacPaw’s CleanMyMac X software. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. In all of these bugs, an attacker with local access to the victim machine could modify the file system as root.

Vulnerebility blog

Cisco Talos

28.1.19

2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.

Malware blog

Malwarebytes

28.1.19

Sly criminals package ransomware with malicious ransom note

Ransomware is not dead. It’s changing—and we need to be ready for it.

Ransomware blog

Malwarebytes

28.1.19

A user’s right to choose: Why Malwarebytes detects Potentially Unwanted Programs (PUPs)

By identifying and detecting Potentially Unwanted Programs (PUPs), Malwarebytes protects its users while giving them the right to choose whether they continue using their services. Learn why we do this, and how software programs can be reconsidered as legitimate under our PUP criteria.

Malware blog

Malwarebytes

28.1.19

Browser push notifications: a feature asking to be abused

Whoever invented browser push notifications must have been able to guess they would be abused for advertising. This post explains what they are and how to disable them.

Security blog

Malwarebytes

28.1.19

Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

While many tech-savvy folks are familiar with two-factor authentication (2FA), more are unaware that there are several ways around it. A tool called Modlishka, the English pronunciation for the Polish word for "mantis," is the latest in this list

Safety blog

Malwarebytes

28.1.19

Collection 1 data breach: what you need to know

In what's being dubbed one of the largest data dumps in history, Collection 1 contains the data of over 770 million people. But is it really as bad as it sounds? We take a closer look and let users know what to do if their info is caught up in the mix.

Incident blog

Malwarebytes

28.1.19

Hosting malicious sites on legitimate servers: How do threat actors get away with it?

Is money all hosting providers care about when it comes to allowing malicious sites on their servers? Or is there more at play? We embark on an investigation to discover their motives.

Malware blog

Malwarebytes

28.1.19

Improved Fallout EK comes back after short hiatus

The Fallout exploit kit is back with some noteworthy improvements.

BigBrother blog

Malwarebytes

28.1.19

The Advanced Persistent Threat files: APT10

While security companies are getting good at analyzing the tactics of nation-state threat actors, they still struggle with placing these actions in context and making solid risk assessments. So in this series, we're going to take a look at a few APT groups, and see how they fit into the larger threat landscape—starting with APT10.

APT blog

Malwarebytes

28.1.19

Cybersecurity Barometer: Cybercrime’s impact on privacy and security

Study shows the majority of Americans fear the misuse of their personal data supplied to websites, and view cybercrime as a threat to their country

Cyber blog

Eset

28.1.19

Can you spot the phish? Take Google’s test

Everybody loves quizzes. So why not take this one and hone your phish-spotting prowess?

Phishing blog

Eset

28.1.19

Former employee blamed for hack of WordPress plugin maker

The plugin’s users are recommended to change their passwords on WPML’s website following havoc reportedly wrought by a disgruntled ex-employee

Hacking blog

Eset

28.1.19

Google fined €50 million for violating EU data privacy rules

France’s data protection watchdog issues the first major penalty under the EU’s new privacy regime

BigBrother blog

Eset

28.1.19

Email security does not end with your password

A strong password is a great start, but there are more ways to make sure that your email is as secure as possible

Security blog

Eset

22.1.19

Threat Trends Analysis Report

2018 introduced a challenging threat landscape. Threat actors consistently improved their cyber weapons, adopted new methods and adapted their attacks to emerging technologies. And although it may have seemed the past year was quieter, this is far from the case.

Cyber blog

Checkpoint

22.1.19

A Nasty Trick: From Credential Theft Malware to Business Disruption

FireEye describes activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections.

Malware blog

FireEye

22.1.19

Global DNS Hijacking Campaign: DNS Record Manipulation at Scale

We detail three different ways we have seen DNS records be manipulated to enable victim compromises.

Hacking blog

FireEye

22.1.19

Digging Up the Past: Windows Registry Forensics Revisited

Learn about using Windows registry data when performing forensic analysis of computer networks.

Security blog

FireEye

22.1.19

OVERRULED: Containing a Potentially Destructive Adversary

FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry.

APT blog

FireEye

21.1.19

Taking a page from the kernel's book: A TLB issue in mremap()

This is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management.

Bug blog

Project Zero

21.1.19

NRSMiner updates to newer version

More than a year after the world first saw the EternalBlue exploit in action during the May 2017 WannaCry outbreak, we are still seeing unpatched machines in Asia being infected by malware that uses the exploit to spread.

Cryptocurrency blog

F-Secure Blog

21.1.19

Twitter bug may have exposed private tweets of Android users for years

If you use Twitter for Android and want your tweets to be private, you may want to play safe and review your settings

Social blog

Eset

21.1.19

Two men charged with hacking into SEC in stock-trading scheme

The hacking duo is believed to have exploited a software flaw and compromised several SEC workstations with malware in order to take early peeks at financial disclosures

Hacking blog

Eset

21.1.19

773 million email IDs, 21 million passwords for anyone to see in massive data dump

The vast dossier of login details appears to have been gathered from data stolen in many breaches

Incident blog

Eset

21.1.19

New Year’s resolutions: Routing done right

As another thing to improve this year, you may want to route your focus on a device that is the nerve center of your network and, if poorly secured, the epicenter of much potential trouble

Hardware blog

Eset

21.1.19

Car and almost $1m on offer for Tesla Model 3 hacks

The electric car maker is raising the ante in automotive security, putting one of its swanky models as a target at a hacking contest

Hacking blog

Eset

21.1.19

What makes a cybercriminal?

Forget balaclavas or hoodies; these cybercriminals are hiding in plain sight

Cyber blog

Eset

21.1.19

Face unlock on many Android smartphones falls for a photo

No 3D-printed heads or realistic masks were needed to trick even a handful of high-end handset models into unlocking their screens

Hardware blog

Eset

16.1.19

Hacking Fortnite

Played in a virtual world, players of ‘Fortnite’, the massively popular game from game developer Epic Games, are tasked with testing their endurance as they battle for tools and weapons that will keep them secure and the ‘last man standing’.

Hacking blog

Eset

9.1.19

CES – singularity and securing the car

What's in store for automotive security once cars morph into mobile living rooms and working spaces? And how about transportation at large?

Security blog

Eset

9.1.19

New Year’s resolutions: Get your passwords shipshape

In case there are some blank entries in your laundry list of New Year’s resolutions, we have a few tips for a bit of cybersecurity ‘soul searching’. Here’s the first batch, looking at how you can fix your good ol’ passwords.

Cyber blog

Eset

9.1.19

EU offers bug bounties on popular open source software

The program with a prize pool of almost US$1 million aims to leverage the ‘power of the crowd’ in order to prevent another Heartbleed

BigBrother blog

Eset

9.1.19

Personal data of German political elite dumped online

The vast trove of data was released online and disseminated via Twitter over the span of four weeks – without anybody really noticing

BigBrother blog

Eset

9.1.19

What is threat cumulativity and what does it mean for digital security?

A reflection on how acknowledging the cumulative nature of cyber-threats and understanding its implications can benefit our digital security

Security blog

Eset

9.1.19

This Netflix-themed scam prompts FTC to issue warning

The message starts off with the kind of information that is apt to send shivers down the spines of many binge-watchers

Spam blog

Eset

9.1.19

Ransomware vs. printing press? US newspapers face “foreign cyberattack”

Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks.

Malware blog

Eset

9.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018

Malware blog

Eset

9.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity

Malware blog

Eset

9.1.19

What should you do with your old devices

Disposal of old tech requires thought and effort, and the need to cleanse the device of any personal data is just one of the concerns

Hardware blog

Eset

9.1.19

SPARE: Five tips for a safer online shopping experience

There is still some time left to pick up some last-minute shopping before it’s too late, but in the rush to do so, don’t forget to do it safely

Cyber blog

Eset

1.1.19

Ransomware vs. printing press? US newspapers face “foreign cyberattack”

Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks.

Ransomware blog

Eset

1.1.19

2018: Research highlights from ESET’s leading lights

As the curtain slowly falls on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018

Malware blog

Eset

1.1.19

Analysis of the latest Emotet propagation campaign

An analysis of the workings of this new Emotet campaign, which has affected various countries in Latin America by taking advantage of Microsoft Office files to hide its malicious activity

Malware blog

Eset

1.1.19

What should you do with your old devices

Disposal of old tech requires thought and effort, and the need to cleanse the device of any personal data is just one of the concerns

Security blog

Eset

21.12.18

SPARE: Five tips for a safer online shopping experience

There is still some time left to pick up some last-minute shopping before it’s too late, but in the rush to do so, don’t forget to do it safely

Security blog

Eset

21.12.18

Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service

The unfortunate implications of a well-intentioned change to Google Play Developer policies – and the negative impact it has on ESET’s Android app customers

Malware blog

Eset

21.12.18

Microsoft issues emergency fix for Internet Explorer zero-day

Details are sparse about a security hole that Microsoft said is being exploited in targeted attacks

Vulnerebility blog

Eset

21.12.18

VBS Unique Detection

On the 29th of November, a VBS file was identified by Check Point’s Threat Emulation detection engine as communicating with an external resource. Fortunately, upon file inspection, the engine decided to stop the attack at its earliest stage.

Malware blog

Checkpoint

21.12.18

Spaceballs Security: The Top Attacked Usernames and Passwords

What attackers spend their time and energy on attacking, and how they attack it, is the best indication of what works for them. Outside of targeted attacks for specific espionage, hacktivism, or warfare purposes, cybercrime is a volume game.

Security blog

F5 Labs

21.12.18

Submissions for talks at the 2019 Talos Threat Research Summit are now open

When Cisco Talos launched the first ever Talos Threat Research Summit last year, we never could have anticipated how popular it would be.

Cyber blog

Cisco Talos

21.12.18

Year in Malware 2018: The most prominent threats Talos tracked this year

It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies.

Malware blog

Cisco Talos

20.12.18

Microsoft Patches Out-of-Band Internet Explorer Scripting Engine Vulnerability After Exploitation Detected in the Wild

Microsoft released an out-of-band (OOB) patch on Wednesday related to a vulnerability in the scripting engine of Internet Explorer. This particular vulnerability is believed to be actively exploited in the wild and should be patched immediately.

Vulnerebility blog

Cisco Talos

20.12.18

Threat Actors Rapidly Adopt New ThinkPHP RCE Exploit to Spread IoT Malware and Deploy Remote Shells

F5 researchers have observed multiple new campaigns leveraging a very recent exploit against ThinkPHP, a popular PHP framework in China. Within days of its discovery, the vulnerability had already been exploited in the wild by multiple threat actors. With this vulnerability, we see a pattern similar to those we have seen in other RCE vulnerabilities, such as Apache Struts 2 – CVE-2017-5638 mentioned last year, where attackers rushed to capitalize on the time it takes organizations to patch and profit from it.

Vulnerebility blog

F5 Labs

20.12.18

On VBScript

Vulnerabilities in the VBScript scripting engine are a well known way to attack Microsoft Windows. In order to reduce this attack surface, in Windows 10 Fall Creators Update, Microsoft disabled VBScript execution in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default.

Vulnerebility blog

Project Zero

20.12.18

Searching statically-linked vulnerable library functions in executable code

Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables. This blog post discusses the technical details of an Apache-licensed open-source library to detect code from other open-source libraries in executables, along with some real-world findings of forked open-source libraries in real-world software.

Vulnerebility blog

Project Zero

20.12.18

How the Grinch Stole Your Christmas Lights: Leaky LED Bulbs Could be Remotely Controlled

Internet of Things (IoT) devices for the home continue to be popular, and many people may be considering buying more smart home gadgets this Christmas. It seems that every device now has a smart version that can be integrated into the home network, from microwaves to showers, from heating to smoke detectors.

IoT blog

Symantec

20.12.18

Yes, Chromebooks can and do get infected

As a Mac malware specialist, I’ve seen more than my share of folks saying “Macs don’t get viruses” over the years. I’ve seen and experienced first-hand that this isn’t true—even on iOS, where despite having tight, built-in security, iPhones are still capable of getting infected by rare malware. I suppose that I shouldn’t be surprised, then, when I hear someone claim that “viruses on Chrome OS don’t exist.”

Malware blog

Malwarebytes

20.12.18

Flaw in Twitter form may have been abused by nation states

Twitter announced in a blog post Monday that they discovered and addressed a security flaw in one of their support forms. The discovery was made on November 15—more than a month ago—and promptly fixed the next day. So why are we only hearing about it now?

Social blog

Malwarebytes

20.12.18

All the reasons why cybercriminals want to hack your phone

Why would a criminal want to hack your phone? Perhaps the better question may be: Why wouldn't they? We take a look at all the reasons hackers have for breaking into your most precious device—and what you can do to stop it.

Cyber blog

Malwarebytes

20.12.18

NASA fears hackers may have stolen employee data

A probe launched immediately after the discovery of the suspected incident has yet to establish the scale of the potential damage

Incident blog

Eset

18.12.18

Connecting the dots between recently active cryptominers

Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor.

Cryptocurrency blog

Cisco Talos

18.12.18

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape.

Cryptocurrency blog

Cisco Talos

18.12.18

DanaBot November Campaigns Target European Banks and Email Providers

First detected in May 2018, DanaBot is a banking trojan that has since shifted its targets from banks in Australia to banks in Europe, as well as global email providers such as Google, Microsoft and Yahoo for the holiday phishing season.

BotNet blog

F5 Labs

18.12.18

Target targeted: Five years on from a breach that shook the cybersecurity industry

In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers

ICS blog

Eset

18.12.18

Cybersecurity Trends 2019: Privacy and intrusion in the global village

With just days left in 2018, ESET experts offer their reflections in ‘Cybersecurity Trends 2019’ on themes that are set to figure prominently in the upcoming year

Cyber blog

Eset

18.12.18

The most popular passwords of 2018 revealed: Are yours on the list?

Besides the usual suspects among the worst of passwords, a handful of notable – but similarly poor – choices make their debuts

Security blog

Eset

16.12.18

How to protect yourself as the threat of scam apps grows

As the threat of bogus apps continues, what can we do to protect ourselves against these fraudulent practices?

Spam blog

Eset

15.12.18

Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail

After a two-year absence, the destructive malware Shamoon (W32.Disttrack.B) re-emerged on December 10 in a new wave of attacks against targets in the Middle East.

Malware blog

Symantec

15.12.18

How threat actors are using SMB vulnerabilities

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.

Vulnerebility blog

Malwarebytes

15.12.18

Compromising vital infrastructure: the power grid

How are we doing at protecting the vital infrastructure of our power grid and its components against physical and cyberattacks?

Cyber blog

Malwarebytes

15.12.18

Data scraping treasure trove found in the wild

3 large databases containing scraped content landed in front of security researchers. How bad is it?

Incident blog

Malwarebytes

15.12.18

Bitcoin Bomb Scare Associated with Sextortion Scammers

Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities Thursday, such as universities, schools and news outlets, among others. The attackers distributed malicious emails claiming to have placed some type of explosive materials in the recipient's building.

Cryptocurrency blog

Cisco Talos

14.12.18

What are Deep Neural Networks Learning About Malware?

An analysis of FireEye’s deep learning-based malware classifier.

Malware blog

FireEye

14.12.18

Adventures in Video Conferencing Part 5: Where Do We Go from Here?

Overall, our video conferencing research found a total of 11 bugs in WebRTC, FaceTime and WhatsApp. The majority of these were found through less than 15 minutes of mutation fuzzing RTP. We were surprised to find remote bugs so easily in code that is so widely distributed. There are several properties of video conferencing that likely led to the frequency and shallowness of these issues.

Vulnerebility blog

Project Zero

14.12.18

Malaysian government targeted with mash-up espionage toolkit

An interview with ESET researchers Tomáš Gardoň and Filip Kafka on their research of a malware toolkit used in espionage against the Malaysian government

BigBrother blog

Eset

13.12.18

Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp

Not every attempt to find bugs is successful. When looking at WhatsApp, we spent a lot of time reviewing call signalling hoping to find a remote, interaction-less vulnerability. No such bugs were found. We are sharing our work with the hopes of saving other researchers the time it took to go down this very long road. Or maybe it will give others ideas for vulnerabilities we didn’t find.

Vulnerebility blog

Project Zero

13.12.18

50 CVEs in 50 Days: Fuzzing Adobe Reader

The year 2017 was an inflection point in the vulnerability landscape. The number of new vulnerabilities reported that year was around 14,000, which is over twice the number from the year before (see table below). The probable reason for this is the increased popularity of automatic vulnerability finding tools, also known as “fuzzers”.

Vulnerebility blog

Checkpoint

13.12.18

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

We are sharing a new IDAPython library that provides scriptable emulation features to reverse engineers.

Malware blog

FireEye

13.12.18

Android Trojan steals money from PayPal accounts even with 2FA on

ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication

Malware blog

Eset

13.12.18

Google+ to shut earlier as new bug exposed data of 52.5 million users

There is no evidence that the flaw was misused during the six days it was alive, said the tech giant

Social blog

Eset

12.12.18

Flurry of new Mac malware drops in December

Last week, we wrote about a new piece of malware called DarthMiner. It turns out there was more to be seen, as not just one but two additional pieces of malware had been spotted. The first was identified by Microsoft’s John Lambert and analyzed by Objective-See’s Patrick Wardle, and the second was found by Malwarebytes’ Adam Thomas.

Malware blog

Malwarebytes

12.12.18

Data scraping treasure trove found in the wild

We bring word of yet more data exposure, in the form of “nonsensitive” data scraping to the tune of 66m records across 3 large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it.

Security blog

Malwarebytes

12.12.18

Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp

WhatsApp is another application that supports video conferencing that does not use WebRTC as its core implementation. Instead, it uses PJSIP, which contains some WebRTC code, but also contains a substantial amount of other code, and predates the WebRTC project. I fuzzed this implementation to see if it had similar results to WebRTC and FaceTime.

Exploit blog

Project Zero

12.12.18

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

Vulnerebility blog

Cisco Talos

12.12.18

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

Vulnerebility blog

Cisco Talos

11.12.18

Next Generation Dark Markets? Think Amazon or eBay for criminals

The “evolution” of these markets is making cybercrime easier than ever before

Cyber blog

Eset

11.12.18

Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms

Symantec researchers have uncovered extensive insights into a cyber espionage group behind a recent series of cyber-attacks designed to gather intelligence on targets spread primarily across the Middle East as well as in Europe and North America.

BigBrother blog

Symantec

11.12.18

Brazilian users’ mobile devices attacked by a banking Trojan

Doctor Web virus analysts have detected the Android.BankBot.495.origin Trojan attacking Brazilian financial institution customers on Google Play. This Trojan uses Android’s special features (Accessibility Service). It uses them to control infected mobile devices and steal their owners’ confidential data

Malware blog

Dr Web

11.12.18

in(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal

Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed "secure instant messaging applications." These apps claim to encrypt users' messages and keep their content secure from any third parties.

Social blog

Cisco Talos

10.12.18

The Ransomware Doctor Without a Cure

When it comes to ransomware attacks, there is nothing a company hates more than paying the demanded ransom. It is an unexpected fine often caused by a tiny, yet crucial mistake – an unpatched device, an out-of-date product or an innocent human error.

Ransomware blog

Checkpoint

7.12.18

DanaBot evolves beyond banking Trojan with new spam-sending capability

ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group.

BotNet blog

Eset

5.12.18

Formjacking: Targeting Popular Stores Near You

Formjacking, the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately. In our previous blog, we discussed how formjacking generally works and cited a few publicly reported attacks that targeted popular online businesses.

Malware blog

Symantec

5.12.18

The Dark Side of the ForSSHe

ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats.

Malware blog

Eset

5.12.18

New ‘Under the Radar’ report examines modern threats and future technologies

The new malware we see being developed and deployed in the wild have features and techniques that allow them to go beyond what they were originally able to do, either for the purpose of additional infection or evasion of detection.

Malware blog

Malwarebytes

5.12.18

Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

Vulnerebility blog

Malwarebytes

5.12.18

Adventures in Video Conferencing Part 1: The Wild World of WebRTC

Over the past five years, video conferencing support in websites and applications has exploded. Facebook, WhatsApp, FaceTime and Signal are just a few of the many ways that users can make audio and video calls across networks.

Vulnerebility blog

Project Zero

5.12.18

The DNS Attacks We’re Still Seeing

In early 2017, even decades after its adoption, the Domain Name System (DNS) is still the Achilles’ heel of the internet. This is because nearly everything on the Internet requires DNS, but the DNS service relies on a protocol that is both unreliable and easy to impersonate. It is for these two reasons that attackers target DNS for direct attack or subversion to support other attacks.

Attack blog

F5 Labs

5.12.18

An introduction to offensive capabilities of Active Directory on UNIX

In preparation for our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises' Active Directory forests.

Security blog

Cisco Talos

4.12.18

Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability

Today, Cisco Talos is disclosing a command injection vulnerability in Netgate pfSense system_advanced_misc.php powerd_normal_mode. pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.

Vulnerebility blog

Cisco Talos

4.12.18

Scam iOS apps promise fitness, steal money instead

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users

Incident blog

Eset

4.12.18

CyberwarCon – focusing on the impact of cyber-badness

A welcome return to the hacker conferences of yesteryear

Cyber blog

Eset

2.12.18

Wireshark update 2.6.5 available

Wireshark version 2.6.5 is available: release notes.

Vulnerebility blog

SANS

1.12.18

The Evolution of BackSwap

The BackSwap banker has been in the spotlight recently due to its unique and innovative techniques to steal money from victims while staying under the radar and remaining undetected.

Malware blog

Checkpoint

1.12.18

Injecting Code into Windows Protected Processes using COM - Part 2

In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process.

Exploit blog

Project Zero

1.12.18

Marriott Starwood data breach: 5 defensive steps travelers should take now

Defensive steps for Marriott Starwood guests worried their personal information may have been compromised by the massive data breach

Incident blog

Eset

1.12.18

Cyberattacks on financial sector worries Americans most

A recent survey carried out by ESET has revealed that Americans are worried most about cyberattacks on the financial sector, listing it above attacks against hospitals, voting systems, or energy supply companies

Attack blog

Eset

30.11.18

Obfuscated Command Line Detection Using Machine Learning

This blog post presents a machine learning approach to detecting obfuscated Windows command line invocations on endpoints.

Security blog

FireEye

30.11.18

Digital Takeaways From the Supreme Court Fight

It’s always interesting to watch how the ongoing digital transformation of our lives is changing the world in ways we never would have anticipated years ago. Financial information, social interactions, even our physical locations may be up for grabs in cyberspace, with real-world ramifications.

Security blog

F5 Labs

30.11.18

Reviewing Recent API Security Incidents

In the 2018 Application Protection Report, we mentioned the potential vulnerabilities associated with application programming interfaces (APIs). These APIs specify how various application components and clients should autonomously interact with each other to deliver the application experience.

Security blog

F5 Labs

30.11.18

Don’t Accept Risk With a Pocket Veto

We who live risk management know there are four responses when confronted with a credible risk to our organizations. We can treat the risk to reduce it. We can avoid the risk by altering our organization’s behavior.

Security blog

F5 Labs

30.11.18

Cyber Security Predictions: 2019 and Beyond

As you think about how to deploy in advance of a new year of cyber threats, here are the trends and activities most likely to affect your organization

Security blog

Symantec

30.11.18

Operation Eversion: Eight Indicted in Law Enforcement Takedown

Symantec part of industry group that assisted FBI-led takedown against 3ve ad-fraud scam.

Spam blog

Symantec

30.11.18

Tech Support Scams Increasing in Complexity – Part 3

Scammers make use of multiple encoding techniques at one go to create a multiple-level obfuscated scam.

Spam blog

Symantec

30.11.18

You Better Watch Out: Online and Offline Threats Endanger Payment Card Data

Cyber attackers are using old tricks and new to steal customers’ payment card details from retailers this shopping season.

Cyber blog

Symantec

29.11.18

US indicts two over SamSam ransomware attacks

The hacking and extortion scheme took place over a 34-month period with the SamSam ransomware affecting over 200 organizations in the US and Canada

Ransomware blog

Eset

29.11.18

3ve – Major online ad fraud operation disrupted

International law enforcement swoops on fake ad viewing outfit

Cyber blog

Eset

29.11.18

KingMiner: The New and Improved CryptoJacker

Crypto-Mining attacks have grown and evolved in 2018. Due to the rise in value and popularity of crypto currencies, hackers are increasingly motivated to exploit the CPU power of their victims’ machines for crypto-mining operations.

Cryptocurrency blog

Checkpoint

29.11.18

Trojan clicker distributed under the guise of DynDNS

Typically, cybercriminals use several traditional malware distribution channels, the main one being spamming. However, occasionally one comes across other means of distribution. Doctor Web’s experts will touch on one of them in this article.

Malware blog

Dr Web

29.11.18

DNSpionage Campaign Targets Middle East

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Cyber blog

Cisco Talos

27.11.18

German chat site faces fine under GDPR after data breach

The country’s first fine under GDPR is lower than might have been expected, however, as the company earns praise for its post-incident cooperation and enhanced security measures

Cyber blog

Eset

26.11.18

New mining Trojan for Linux removes anti-viruses

One of today’s most common ways of obtaining illegal earnings is to mine cryptocurrency covertly, using the resources of a computer without the owner’s consent. Doctor Web recently discovered a miner that infects Linux devices.

Cryptocurrency blog

Dr Web

26.11.18

Banking Trojan attacks European users of Android devices

Banking Trojans remain among the most dangerous malware programs; they help attackers steal confidential information and money from users. Doctor Web malware analysts have detected one such Trojan on Google Play.

Malware blog

Dr Web

23.11.18

New Yorker accused of stealing $1m from Silicon Valley executive via SIM swap

The suspect is believed to have carried out the scam on no fewer than six executives in the Bay Area, albeit ultimately with varying success

Cyber blog

Eset

23.11.18

Black Friday special by Emotet: Filling inboxes with infected XML macros

Emotet starts another massive spam campaign just as Black Friday begins to pick up steam

Malware blog

Eset

23.11.18

Good deal hunting: Staying safe on Black Friday

As the unofficial beginning of the holiday shopping season catches us up in the frenetic hunt for all those fantastic bargains, the shopping bonanza presents a host of risks to your online safety. Here are a few tips for going on a shopping spree and staying safe

Cyber blog

Eset

23.11.18

Who needs passwords? Microsoft now lets you in with your face or security key

The software giant takes passwords one step closer to obsolescence as it now enables users to log into their Microsoft accounts with more modern forms of authentication

Safety blog

Eset

21.11.18

Cmd and Conquer: De-DOSfuscation with flare-qdb

Learn how to use flare-qdb to bring “script block logging” to the Windows command interpreter, and more

Malware blog

FireEye

21.11.18

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processor

Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. 

Vulnerebility blog

Cisco Talos

21.11.18

OceanLotus: New watering hole attack in Southeast Asia

ESET researchers identified 21 distinct websites that had been compromised including some particularly notable government and media sites

BigBrother blog

Eset

21.11.18

Sednit: What’s going on with Zebrocy?

In August 2018, Sednit’s operators deployed two new Zebrocy components, and since then we have seen an uptick in Zebrocy deployments, with targets in Central Asia, as well as countries in Central and Eastern Europe, notably embassies, ministries of foreign affairs, and diplomats.

Cyber blog

Eset

21.11.18

Two Brits jailed for TalkTalk hack

The breach exposed the personal data of 160,000 people and cost the telecom company £77 million

Cyber blog

Eset

20.11.18

Cybersecurity a big concern in Canada as cybercrime’s impact grows

90% of Canadians surveyed agreed that cybercrime was an important "challenge to the internal security of Canada"

Cyber blog

Eset

20.11.18

What scams shoppers should look out for on Black Friday and Cyber Monday

Last year, consumers spent a record $6.59 billion during the annual online shopping day, an all-time record, according to Adobe Insights. Still, that doesn’t mean no one is rushing out the night of Thanksgiving to do their shopping. Shoppers still went out in droves on Black Friday last year — Adobe estimated that Americans spent $2.43 billion on Nov. 25, 2017.

Cyber blog

Cisco Talos

20.11.18

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries.

Phishing blog

FireEye

19.11.18

Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

Vulnerebility blog

Cisco Talos

16.11.18

New Strain of Olympic Destroyer Droppers

Over the last few weeks, we have noticed new activity from Hades, the APT group behind the infamous Olympic Destroyer attack. Moreover, this new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group.

APT blog

Checkpoint

15.11.18

Security researchers bypass encryption on self-encrypting drives

Industry standard specification does not guarantee the safety of the self-encrypting drives despite verification

Cyber blog

Eset

15.11.18

TrickBot takes over as top business threat

There’s a newer, more sophisticated banking Trojan in town attempting to penetrate business networks and giving Emotet a run for its money. And its name is TrickBot. 

BotNet blog

Malwarebytes

15.11.18

FLARE VM Update

FLARE VM has gone through many major changes to better support our users’ needs.

Vulnerebility blog

FireEye

14.11.18

Heap Feng Shader: Exploiting SwiftShader in Chrome

On the majority of systems, under normal conditions, SwiftShader will never be used by Chrome - it’s used as a fallback if you have a known-bad “blacklisted” graphics card or driver. However, Chrome can also decide at runtime that your graphics driver is having issues, and switch to using SwiftShader to give a better user experience.

Exploit blog

Project Zero

14.11.18

Deja-XNU

This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2.

Exploit blog

Project Zero

14.11.18

Microsoft Patch Tuesday – November 2018

This month the vendor has patched 62 vulnerabilities, 13 of which are rated Critical.

Vulnerebility blog

Symantec

10.11.18

Metamorfo Banking Trojan Keeps Its Sights on Brazil

Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers.

Malware blog

Cisco Talos

9.11.18

Emotet launches major new spam campaign

The recent spike in Emotet activity shows that it remains an active threat.

Spam blog

Eset

9.11.18

US Air Force invites white hats to find hackable flaws, again

This is the third time that the air force wants ethical hackers to uncover chinks in its digital armor.

BigBrother blog

Eset

9.11.18

FASTCash: How the Lazarus Group is Emptying Millions from ATMs

On October 2, 2018, an alert was issued by US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI. According to this new alert, Hidden Cobra (the U.S. government’s code name for Lazarus) has been conducting “FASTCash” attacks, stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016.

APT blog

Symantec

9.11.18

2018 Phishing and Fraud Report: Attacks Peak During the Holidays

Phishing attack? Absolutely. Success? Likely. Risk of incident? High. Breach costs? About $6.5 million.

Phishing blog

F5 Labs

8.11.18

DJI Drone Vulnerability

Besides consumers, though, it has also taken a large share of the corporate market, with customers coming from the critical infrastructure, manufacturing, agricultural, construction, emergency-management sectors and more. With so many customers worldwide, both consumer and corporate, DJI drones can obtain data and images from a wide range of viewpoints and across a large spectrum of subject matter.

Vulnerebility blog

Checkpoint

8.11.18

Supply-chain attack on cryptocurrency exchange gate.io

Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange

Cryptocurrency blog

Eset

1.11.18

New Ramnit Campaign Spreads Azorult Malware

This summer we wrote about the Ramnit malware and its underlying “Black” botnet campaign which was used for distributing proxy malware. Much to our surprise, the C&C servers of the “Black” botnet were shut.

BotNet blog

Checkpoint

30.10.18

SamSam: Targeted Ransomware Attacks Continue

Ransomware group remains highly active in 2018, focussing mainly on organizations in the U.S.

Ransomware blog

Symantec

30.10.18

Gallmaker: New Attack Group Eschews Malware to Live off the Land

A new attack group is targeting government, military, and defense sectors in what appears to be a classic espionage campaign.

Malware blog

Symantec

30.10.18

Symantec’s Latest Intelligence Page: Your Weather Report for the Threat Landscape

We've revamped the Latest Intelligence page with new metrics and a new look.

Security blog

Symantec

30.10.18

Ransomware and the enterprise: A new white paper

Ransomware remains a serious threat and this new white paper explains what enterprises need to know, and do, to reduce risk

Ransomware blog

Eset

30.10.18

Zooming In On “Domestic Kitten”

In recent years, Iran has been channeling significant resources into cyber warfare, devoting designated entities within multiple government agencies to conduct extensive espionage campaigns against foreign countries such as the United States, Israel.

BigBrother blog

Checkpoint

25.10.18

ESET releases new decryptor for Syrian victims of GandCrab ransomware

ESET experts have created a new decryption tool that can be used by Syrian victims of the GandCrab ransomware. It is based on a set of keys recently released by the malware operators

Ransomware blog

Eset

25.10.18

Banking Trojans continue to surface on Google Play

The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users

Malware blog

Eset

25.10.18

LuminosityLink RAT author sentenced to 2.5 years in jail

As part of his plea agreement, the author of the malware also forfeited the proceeds from his crimes – 114 Bitcoin worth $725,000

Malware blog

Eset

25.10.18

GreyEnergy: Updated arsenal of one of the most dangerous threat actors

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks

APT blog

Eset

25.10.18

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by a Russian government-owned technical research institution located in Moscow.

BigBrother blog

FireEye

25.10.18

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

FireEye compiled data to identify the most pervasive and highest priority security risks in industrial facilities.

ICS blog

FireEye

25.10.18

2018 Flare-On Challenge Solutions

The fifth annual Flare-On Challenge is over, with 114 finishers out of 4,893 registrants.

Security blog

FireEye

25.10.18

FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin

We introduce idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules

Vulnerebility blog

FireEye

25.10.18

APT38: Details on New North Korean Regime-Backed Threat Group

We release details on APT38, a threat group we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide.

APT blog

FireEye

18.10.18

The Emergence of the New Azorult 3.3

During the last week, Check Point Research spotted a new version of Azorult in the wild being delivered through the RIG exploit kit, as well as other sources. Azorult is a long known information stealer and malware downloader, with this particular version being advertised in an underground forum since October 4.

Exploit blog

Checkpoint

18.10.18

Godzilla Loader and the Long Tail of Malware

To most victims, malware is a force of nature. Zeus, Wannacry, Conficker are all vengeful gods, out to punish the common man for clicking the wrong link. Even for a security analyst, it’s easy to fall into the kind of thinking where malicious tools and campaigns emerge out of the ether, forged by an invisible hand.

Malware blog

Checkpoint

27.9.18

The ‘Gazorp’ Dark Web Azorult Builder

On 17th September Check Point Research found a new online builder, dubbed ‘Gazorp’, hosted on the Dark Web. Gazorp is designed for building binaries of the popular malware, Azorult, an infostealer used for stealing user passwords, credit card information, cryptocurrency related data and more.

Cryptocurrency blog

Checkpoint

20.9.18

Fake finance apps on Google Play target users from around the world

Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange

Cryptocurrency blog

Eset

20.9.18

The Occasional Orator (Part 1)

Speaking at conferences can be daunting for presenters but often it is about striking the right balance between content and delivery

Cyber blog

Eset

20.9.18

Bristol airport takes flight screens offline after apparent ransomware attack

The screens in “key locations” are back up and running again, while the airport paid no ransom to return its systems to working order

Ransomware blog

Eset

20.9.18

One in three UK orgs hit by cryptojacking in previous month, survey finds

Conversely, only a little over one-third of IT executives believe that their systems have never been hijacked to surreptitiously mine digital currencies

Cryptocurrency blog

Eset

14.9.18

Meet Black Rose Lucy, the Latest Russian MaaS Botnet

An organization needs to have a collaborative hiring process, advised Steve Jobs. Always a group to follow mainstream trends closely, in recent years we’ve seen cyber criminals take greater heed of this advice by increasingly hiring cyber mercenaries and Malware-as-a-Service (MaaS) providers as a way to carry out their malicious activities.

BotNet blog

Checkpoint

14.9.18

Domestic Kitten: An Iranian Surveillance Operation

Chinese strategist Sun Tzu, Italian political philosopher Machiavelli and English philosopher Thomas Hobbes all justified deceit in war as a legitimate form of warfare. Preceding them all, however, were some in the Middle East who had already internalized and implemented this strategy to great effect, and continue to do so today.

BigBrother blog

Checkpoint

30.8.18

Ransom Warrior Decryption Tool

On August 8th, a new ransomware, dubbed ‘RansomWarrior’, was found by the Malware Hunter Team. Going by the ransom note shown to its victims, RansomWarrior seems to have been developed by Indian hackers, who...

Ransomware blog

Checkpoint

28.8.18

CeidPageLock: A Chinese RootKit

Research by: Israel Gubi. Over the last few weeks, we have been observing a rootkit named CEIDPageLock being distributed by the RIG Exploit kit. The rootkit was first discovered by 360 Security Center...

Exploit blog

Checkpoint

26.8.18

Interactive Mapping of APT-C-23

Research by: Aseel Kayal. Last month, we investigated the renewal of a targeted attack against the Palestinian Authority, attributed to the APT-C-23 threat group. Although this campaign was initially discovered in early 2017,...

APT blog

Checkpoint

20.8.18

Ryuk Ransomware: A Targeted Campaign Break-Down

Over the past two weeks, Ryuk, a targeted and well-planned Ransomware, has attacked various organizations worldwide. So far the campaign has targeted several enterprises, while encrypting hundreds of PC, storage and data centers...

Ransomware blog

Checkpoint

16.8.18

VBEtaly: An Italian Ursnif MalSpam Campaign

Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.

Malware blog

Checkpoint

12.8.18

Faxploit: Sending Fax Back to the Dark Ages

Research By: Eyal Itkin and Yaniv Balmas. Fax, the brilliant technology that lifted mankind out of the dark ages of mail delivery, when only the postal service and carrier pigeons were used to deliver...

Vulnerebility blog

Checkpoint

12.8.18

Man-in-the-Disk: Android Apps Exposed via External Storage

Research By: Slava Makkaveev. Recently, our researchers came across a shortcoming in the design of Android’s use of storage resources. Careless use of External Storage by applications may open the door to an...

Attack blog

Checkpoint

7.8.18

FakesApp: A Vulnerability in WhatsApp

Research By: Dikla Barda, Roman Zaikin and Oded Vanunu. As of early 2018, the Facebook-owned messaging application, WhatsApp, has over 1.5 billion users with over one billion groups and 65 billion messages sent...

Vulnerebility blog

Checkpoint

5.8.18

Ramnit’s Network of Proxy Servers

Research By: Alexey Bukhteyev. As you may know, Ramnit is one of the most prominent banking malware families in existence today, and lately Check Point Research monitored a new massive campaign of Ramnit, dubbed...

Malware blog

Checkpoint

31.7.18

Osiris: An Enhanced Banking Trojan

Research By: Yaroslav Harakhavik and Nikita Fokin. Following our recent analysis of the Kronos banking Trojan, we discovered that Kronos has also now been enhanced to hide its communication with its C&C server using Tor...

Malware blog

Checkpoint

30.7.18

A Malvertising Campaign of Secrets and Lies

Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple...

Malware blog

Checkpoint

30.7.18

Emotet: The Tricky Trojan that ‘Git Clones’

The Emotet Trojan downloader originally debuted in 2014 as a banking Trojan that took an unusual approach to stealing banking credentials; instead of hooking per-browser functions in the victim’s web browser process, Emotet...

Malware blog

Checkpoint

30.7.18

GlanceLove: Spying Under the Cover of the World Cup

When the whistle of the first match of the 2018 World Cup blew, it didn’t just signal the start of an exciting tournament for football fans worldwide, but also gave the green light...

Malware blog

Checkpoint

30.7.18

Cyber Attack Trends: 2018 Mid-Year Report

When it comes to the global cyber threat landscape, threats are ever evolving, keeping organizations, as well as the security research community, constantly challenged. In our Cyber Attack Trends: 2018 Mid-Year Report we...

Attack blog

Checkpoint

30.7.18

Deep Dive into UPAS Kit vs. Kronos

By Mark Lechtik. Introduction. In this post we will be analyzing the UPAS Kit and the Kronos banking Trojan, two malware families that have come under the spotlight recently due to the back story...

Malware blog

Checkpoint

30.7.18

Scriptable Remote Debugging with Windbg and IDA Pro

Required Background: Basic experience with virtual machines, i.e. creating a VM and installing an OS. The most technically involved it gets is setting up a working SSH server on one of the VMs...

Vulnerebility blog

Checkpoint

30.7.18

Remote Code Execution Vulnerability on LG Smartphones

Research by: Slava Makkaveev. Background. A few months ago, Check Point Research discovered two vulnerabilities that reside in the default keyboard on all mainstream LG smartphone models (termed by LG as ‘LGEIME’). These...

Vulnerebility blog

Checkpoint

30.7.18

Telegram: Cyber Crime’s Channel of Choice

Introduction. The Dark Web is a hive of illicit activity. From illegal guns and drug dealing to Ransomware-as-a-Service programs, buyers and sellers can use this medium to trade and exchange both knowledge...

Ransomware blog

Checkpoint

30.7.18

SiliVaccine: Inside North Korea’s Anti-Virus

By: Mark Lechtik and Michael Kajiloti. Revealed: In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea’s home-grown anti-virus software, SiliVaccine. One of several interesting...

Security blog

Checkpoint

30.7.18

A Crypto Mining Operation Unmasked

Introduction. With the emerging threat of miners and the rise of cryptocurrencies that have taken the world by storm lately, Check Point Research has been keeping an eye out for mining campaigns. During...

Cryptocurrency blog

Checkpoint

30.7.18

MMap Vulnerabilities – Linux Kernel

By: Eyal Itkin. As part of our efforts in identifying vulnerabilities in different products, from time to time we also review the Linux Kernel, mainly searching for vulnerabilities in different drivers. In this...

Vulnerebility blog

Checkpoint

30.7.18

NTLM Credentials Theft via PDF Files

Just a few days after it was reported that malicious actors can exploit a vulnerability in MS Outlook using OLE to steal a Windows user’s NTLM hashes, the Check Point research team can...

Vulnerebility blog

Checkpoint

30.7.18

A New Phishing Kit on the Dark Net

Check Point Research and the cyber intelligence company, CyberInt, have collaborated to discover the next generation in phishing kits, currently being advertised on the Dark Net. Unlike previous kits which are primarily composed...

Phishing blog

Checkpoint

30.7.18

Check Point’s 2018 Security Report

2017 was a pivotal year that surprised many in the IT security industry. From the resurgence of destructive ransomware, IoT botnets, data breaches and mobile malware to full scale nation state attacks, it is...

Security blog

Checkpoint

30.7.18

Uncovering Drupalgeddon 2

By Eyal Shalev, Rotem Reiss and Eran Vaknin. Abstract. Two weeks ago, a highly critical (25/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability...

Vulnerebility blog

Checkpoint

30.7.18

Return of the Festi Rootkit

Festi, a once popular rootkit, is back in the wild, distributed mainly by the RIG exploit kit. A long known Windows rootkit, Festi dates back to 2009, when it served...

Exploit blog

Checkpoint

30.7.18

Necurs is Back, Just in Time for Easter

After a drastic decline in the volume of spam coming from the Necurs spambot observed by Check Point Telemetry in the past month, the infamous botnet is back once again and is spreading...

Spam blog

Checkpoint

30.7.18

Tribute to Kris Kaspersky

Just over a year ago one of the greatest minds in the cyber research world sadly passed away. Born in the small Russian village of Uspenskoye, Kris Kaspersky, originally named Nikolay Likhachev, suffered...

Security blog

Checkpoint

30.7.18

RottenSys: Not a Secure Wi-Fi Service At All

Research By: Feixiang He, Bohdan Melnykov, Elena Root. Key Findings: RottenSys, a mobile adware, has infected nearly 5 million devices since 2016. Indications show the malware could have entered earlier in the supplier...

Malware blog

Checkpoint

30.7.18

The GandCrab Ransomware Mindset

Key Points: In 2018 even ransomware is agile. Learn about the mindset of the GandCrab ransomware developers. Take a deep dive into the inner workings of GandCrab’s operation. Get an overview of two...

Ransomware blog

Checkpoint

30.7.18

Guest Accounts Gain Full Access on Chrome RDP

Researchers: Ofer Caspi, Benjamin Berger. Chrome Remote Desktop is an extension to the Chrome browser that allows users to remotely access another computer through the Chrome browser or a Chromebook. It is fully cross-platform, and...

Security blog

Checkpoint

30.7.18

Check Point Mobile Research Team Looks Back On 2017

The mobile world is extremely dynamic and changes rapidly, so it’s always a little hectic to follow its lead. For this reason, we try to stop every once in a while and take...

Security blog

Checkpoint

30.7.18

Jenkins Miner: One of the Biggest Mining Operations Ever Discovered

The Check Point research team has discovered what could potentially become one of the biggest malicious mining operations ever seen. As seen in our previous report of the RubyMiner, these types of attacks...

Cryptocurrency blog

Checkpoint

30.7.18

A New Rig Exploit Kit Campaign Dropping XMRig Miner

Cryptocurrency values may be tumbling but cyber criminals are still hedging their bets on its long-term returns. Check Point researchers have discovered a new malvertising campaign leading to the Rig Exploit Kit...

Exploit blog

Checkpoint

30.7.18

DorkBot: An Investigation

Research By: Mark Lechtik. Overview: DorkBot is a known malware that dates back to 2012. It is thought to be distributed via links on social media, instant messaging applications or infected removable media...

BotNet blog

Checkpoint

30.7.18

Malware Displaying Porn Ads Discovered in Game Apps on Google Play

Research by: Elena Root & Bogdan Melnykov. Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside around 60 game apps, several of which...

Malware blog

Checkpoint

30.7.18

‘RubyMiner’ Cryptominer Affects 30% of WW Networks

In the last 24 hours, 30% of networks worldwide have experienced compromise attempts by a crypto-miner targeting web servers. During that period, the lone attacker attempted to exploit 30% of all networks worldwide.

Cryptocurrency blog

Checkpoint

30.7.18

Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability

By: Omer Gull and Netanel Ben Simon. Background. A few weeks ago, a vulnerability in the Office Equation 3.0 process (EQNEDT32.EXE) was discovered by Embedi. For a couple of reasons this event raised...

Vulnerebility blog

Checkpoint

30.7.18

Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious scripts override the user’s decision to disable ads showing outside of a...

Malware blog

Checkpoint

30.7.18

Huawei Home Routers in Botnet Recruitment

A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild...

Vulnerebility blog

Checkpoint

30.7.18

November Cyber Roundup

November was another busy month as people geared up for Black Friday shopping and the pitfalls that brings to both online retailers and consumers alike. Take a look at our quick roundup of...

Cyber blog

Checkpoint

30.7.18

ParseDroid: Targeting The Android Development & Research Community

Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu. Latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android...

Malware blog

Checkpoint

30.7.18

Christmas is Coming: The Criminals Await

By Dikla Barda, Roman Zaikin and Oded Vanunu. Black Friday symbolizes the start of the end of year shopping season. During this period, online shopping is expected to increase rapidly as consumers search...

Cyber blog

Checkpoint

30.7.18

IoTroop Botnet: The Full Investigation

Last week, thanks to the Check Point web sensor network, our researchers discovered a new and massive IoT Botnet, ‘IoTroop’. Due to the urgency of this discovery, we quickly published our initial findings.

BotNet blog

IoT blog

Checkpoint

30.7.18

Bad Rabbit: The Full Research Investigation

What is this all about? Earlier this week a new ransomware attack dubbed ‘Bad Rabbit’ broke out and has so far affected Ukraine, Russia, Turkey and Bulgaria. Various healthcare, media, software and...

Ransomware blog

Checkpoint

30.7.18

A New IoT Botnet Storm is Coming

Key Points: A massive Botnet is forming to create a cyber-storm that could take down the internet. An estimated million organizations have already been scanned with an unknown amount actually infected. The Botnet...

BotNet blog

IoT blog

Checkpoint

30.7.18

The Perfect ‘Inside Job’ Banking Malware

Researchers: Mark Lechtik and Raman Ladutska. The Brazilian cyberspace is known to be a whole ecosystem of its own and, although the banking malware that originates there has traditionally been somewhat basic, recent...

Malware blog

Checkpoint

30.7.18

September’s Most Wanted Malware: Locky Shoots Back Up Global Rankings

Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month. Locky has...

Malware blog

Checkpoint

30.7.18

EternalBlue – Everything There Is To Know

Introduction. Since the revelation of the EternalBlue exploit, allegedly developed by the NSA, and the malicious uses that followed with WannaCry, it went under thorough scrutiny by the security community. While many details...

BigBrother blog

Checkpoint

30.7.18

August’s Most Wanted Malware: Banking Trojans and Ransomware That Want Your Money

Check Point’s latest Global Threat Index has revealed that banking trojans were extensively used by cyber-criminals during August with three main variants appearing in the top 10. The Zeus, Ramnit and Trickbot banking...

Ransomware blog

Checkpoint

30.7.18

ExpensiveWall: A dangerous ‘packed’ malware on Google Play that will hit you in your wallet!

Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges for fake services to users’ accounts without their knowledge. According to...

Malware blog

Checkpoint

30.7.18

Beware of the Bashware: A New Method for Any Malware to Bypass Security Solutions

With a growing number of cyber-attacks and the frequent news headlines on database breaches, spyware and ransomware, quality security products have become a commodity in every business organization. Consequently, a lot of thought...

Ransomware blog

Checkpoint

30.7.18

July’s Most Wanted Malware: RoughTed and Fireball Decrease, But Stay Most Prevalent

Check Point’s latest Global Threat Impact Index reveals that the number of organizations impacted globally by the RoughTed malvertising campaign fell by over a third during July, from 28% to 18%. RoughTed...

Malware blog

Checkpoint

30.7.18

Is Malware Hiding in Your Resume?

Eran Vaknin, Dvir Atias, Alon Boxiner. The popular business social network LinkedIn has accumulated over 500 million members across 200 countries worldwide. Whether you’re a manager seeking to expand your team or a...

Malware blog

Checkpoint

30.7.18

Cyber Attack Trends: Mid-Year Report

Looking back at the first half of 2017, the word ransomware is probably one of the first that comes to mind, courtesy of WannaCry and the more recent Petya attacks that dominated the...

Cyber blog

Checkpoint

30.7.18

Get Rich or Die Trying: A Case Study on the Real Identity behind a Wave of Cyber Attacks on Energy, Mining and Infrastructure Companies

Over the past 4 months, over 4,000 organizations globally have been targeted by cyber attacks which aim to infect their networks, steal data and commit fraud. Many of these companies are leading international...

Cryptocurrency blog

Checkpoint

30.7.18

“The Next WannaCry” Vulnerability is Here

This Tuesday, Microsoft released a security patch including 48 fixes, 25 of which are defined as “critical”. While Microsoft updates happen every month, this one reveals an especially dangerous vulnerability – CVE-2017-8620. Behind this dull...

Vulnerebility blog

Checkpoint

30.7.18

JavaScript Lost in the Dictionary

Check Point Threat Intelligence sensors have picked up a stealth campaign that traditional anti-virus solutions are having a hard time detecting. On July 17th SandBlast Zero-Day Protection started showing a massive email campaign which was...

Cyber blog

Checkpoint

30.7.18

June’s Most Wanted Malware: RoughTed Malvertising Campaign Impacts 28% of Organizations

THE TAKEAWAY: Check Point’s latest Global Threat Impact Index revealed that 28% of organizations globally were affected by the RoughTed malvertising campaign during June. IN CONTEXT: A large-scale malvertising campaign, RoughTed is used...

Malware blog

Checkpoint

30.7.18

OSX/Dok Refuses to Go Away and It’s After Your Money

Following up on our recent discovery of the new OSX/Dok malware targeting macOS users, we’d like to report that the malicious actors behind it are not giving up yet. They are aiming at...

Malware blog

Checkpoint

30.7.18

Hacked in Translation – “Director’s Cut” – Full Technical Details

Background. Recently, Check Point researchers revealed a brand new attack vector – attack by subtitles. As discussed in the previous post and in our demo, we showed how attackers can use subtitle files...

Attack blog

Checkpoint

30.7.18

May’s Most Wanted Malware: Fireball and Wannacry Impact More Than 1 in 4 Organizations Globally

THE TAKEAWAY: Check Point’s latest Global Threat Impact Index revealed more than one in four organizations globally were affected by the Fireball or Wannacry attacks during May. The top three malware families were...

Malware blog

Checkpoint

30.7.18

How the CopyCat malware infected Android devices around the world

Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues...

Malware blog

Checkpoint

30.7.18

BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor

Background. In the wake of WannaCry, a new cyber threat has emerged from the NSA leak. Making use of previously exposed tools, Petya once again is engaged in another large scale attack. Important...

Malware blog

Checkpoint

30.7.18

Preventing Petya – stopping the next ransomware attack

Check Point’s Incident Response Team has been responding to multiple global infections caused by a new variant of the Petya malware, which first appeared in 2016 and is currently moving laterally within customer...

Ransomware blog

Checkpoint

30.7.18

Threat Brief: Petya Ransomware, A Global Attack

[updated 6/28] A worldwide attack erupted on June 27 with a high concentration of hits in Ukraine – including the Ukrainian central bank, government offices and private companies. The attack is distributing what seems..

Ransomware blog

Checkpoint

30.7.18

CrashOverride

On June 20th Check Point published an IPS signature providing virtual patching for the Siemens SIPROTEC DoS vulnerability. This IPS signature can help protect against a new malware, CrashOverride, also known as Industroyer...

Vulnerebility blog

Checkpoint

30.7.18

Anatomy of the Jaff Ransomware Campaign

Last month, Check Point researchers were able to spot the distribution of Jaff Ransomware by the Necurs Botnet. The ransomware was spread using malicious PDF files that had an embedded docm file, which...

Ransomware blog

Checkpoint

30.7.18

FIREBALL – The Chinese Malware of 250 Million Computers Infected

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns...

Malware blog

Checkpoint

30.7.18

BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools

Background. Rarely does the release of an exploit have such a large impact across the world. With the recent leak of the NSA exploit methods, we saw the effects of powerful tools in...

BigBrother blog

Checkpoint

30.7.18

The Judy Malware: Possibly the largest malware campaign found on Google Play

Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean...

Malware blog

Checkpoint

30.7.18

Hacked in Translation – from Subtitles to Complete Takeover

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers...

Malware blog

Checkpoint

30.7.18

April’s Most Wanted Malware: Exploit Kit Attacks Continue, While Slammer Worm Resurfaces Again

Check Point’s latest Global Threat Impact Index detected a continued increase in the number of organizations being targeted with Exploit Kits, as Rig EK became the most prevalent form of attack, while there...

Malware blog

Checkpoint

30.7.18

Check Point Reveals Global WannaCry Ransomware Infection Map at CPX Europe 2017

Check Point researchers have been investigating the ransomware campaign in detail since it was first reported. With a new Check Point WannaCry Ransomware Infection Map, the researchers were able to track 34,300 attack...

Ransomware blog

Checkpoint

30.7.18

WannaCry – New Kill-Switch, New Sinkhole

Check Point Threat Intelligence and Research team has just registered a brand new kill-switch domain used by a fresh sample of the WannaCry Ransomware. In the last few hours we witnessed a stunning...

Ransomware blog

Checkpoint

30.7.18

WannaCry – Paid Time Off?

Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware! Now, let us explain why: As of this writing, the 3 bitcoin accounts associated with...

Ransomware blog

Checkpoint

30.7.18

Global Outbreak of WannaCry

[Updated May 17, 2017] On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing...

Ransomware blog

Checkpoint

30.7.18

JAFF – A New Ransomware is in town, and it’s widely spread by the infamous Necurs Botnet

Necurs, one of the largest botnets, went offline during the holiday period of 2016 and through the beginning of 2017. However, it returned only to shortly peak late in April, spreading Locky using...

Ransomware blog

Checkpoint

30.7.18

DiamondFox modular malware – a one-stop shop

Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure...

Malware blog

Checkpoint

30.7.18

Update – OSX/Dok Campaign

Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware. These new variants have the same functionality as the previous ones, and are designed to...

Malware blog

Checkpoint

30.7.18

OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic (updated)

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check...

Malware blog

Checkpoint

30.7.18

Check Point Discloses Vulnerability that Allowed Hackers to Take over Hundreds of Millions of WhatsApp & Telegram Accounts

One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to...

Vulnerebility blog

Checkpoint

30.7.18

2016 H2 Global and Regional Threat Intelligence Trends

Introduction. New, sophisticated threats continue to emerge on a daily basis across multiple platforms: social media, mobile platforms, email, and web pages. At the same time, prominent malware and attack methods continue to...

Cyber blog

Checkpoint

30.7.18

An In-depth Look at the Gooligan Malware Campaign

Check Point mobile threat researchers today published a technical report that provides deep technical analysis of the Gooligan Android malware campaign, which was first announced on November 30. The report discusses the ins and outs of...

Malware blog

Checkpoint

30.7.18

More Than 1 Million Google Accounts Breached by Gooligan

As a result of a lot of hard work done by our security research teams, we revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of...

Malware blog

Checkpoint

30.7.18

ImageGate: Check Point uncovers a new method for distributing malware through images

Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these...

Malware blog

Checkpoint

18

Increased Use of a Delphi Packer to Evade Malware Classification

The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools.

Malware blog

FireEye

18

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov.

Malware blog

FireEye

18

APT10 Targeting Japanese Corporations Using Updated TTPs

In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector.

APT blog

FireEye

18

Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware

FireEye identified a new exploit kit that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

Exploit blog

FireEye

18

Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East

FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East.

BigBrother blog

FireEye

18

Announcing the Fifth Annual Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering (FLARE) team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018.

Vulnerebility blog

FireEye

18

BIOS Boots What? Finding Evil in Boot Code at Scale!

This post details the challenges FireEye faced examining boot records at scale and our solution to find evil boot records in large enterprise networks.

Vulnerebility blog

FireEye

18

On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation

On Aug. 1, 2018, indictments were unsealed announcing the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7.

Cyber blog

FireEye

18

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

FireEye recently observed a campaign involving Microsoft Office vulnerabilities being used to distribute the FELIXROOT backdoor.

Malware blog

FireEye

18

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

This blog post discusses the various trends that we have been observing related to cryptojacking activity.

Cryptocurrency blog

FireEye