How we Collect Infections by the Numbers?
Author: Check Point Research Team
Date: 2014-12-09

We have to admit there are advantages to being one of the largest data security companies in the market. While our appliances and software blades are out protecting businesses around the globe, they are under attack all the time. Hackers have a lot of time on their hands and there is little downside for them to try different attack styles.


Every attack we counter is another method we add to our repository of knowledge. That knowledge database is what we call ThreatCloud. It is a collection of every known threat, where and when it occurred, and how often. Possessing this amount of data gives our analysts insight. But we do not stop there.


At Check Point, we also have our own research team of analysts, developers and yes, white hat hackers who are constantly adding signatures and knowledge into ThreatCloud as well. We call that the human factor because they can spot trends, methods and attack combinations that are on the rise and ensure protections are in place. We know there are external experts that specialize in areas of interest to our customers, so we created API interfaces and a partnership marketplace called IntelliStore.


Through IntelliStore, we currently offer actionable threat intelligence from iSIGHT Partners, CrowdStrike, IID, NetClean, PhishLabs, SenseCy, and ThreatGRID, with more to come. Customers can select and customize intelligence feeds from a variety of sources according to their organizations’ needs in specific geographies, vertical industries, and protection types. In addition to IntelliStore, we can also import other sources of threat indicators into the product in CSV or STIX XML format. By integrating these external feeds into ThreatCloud, customers can extend the capabilities of their existing Check Point gateways with additional relevant feeds.


When we conduct our annual security survey, we select a set of companies reflecting a wide range of industries located globally. We observe a representative set of security gateways, typically 9,000 to 10,000 appliances, and analyze the data over a full 12 months.


We then augment that with threat data for unknown malware from Check Point Threat Emulation sensors. Anonymized Threat Emulation data from the security gateways relays into ThreatCloud for aggregation, correlation and advanced analysis.


Finally, we conduct a meta-analysis of over 1,000 Endpoint Security reports from a variety of organizations. This security analysis scans each host to validate data loss risks, intrusion risks and malware risks. Our research team uses our Endpoint Security report tool to check whether an antivirus solution is running on the host, whether the solution is up-to-date, whether the software is running on the latest version, and more. This tool is free and publicly available from the Check Point public website.


From these data sources, we create an annual security report. Like other security companies in our space, we produce this data as part of an education process. We want a world of safe computing and all of the advantages it brings, just like you.


For more information on our 2014 Security Report please visit: http://www.checkpoint.com/campaigns/2014-security-report/


The post How we Collect Infections by the Numbers? appeared first on Check Point Blog.

Link: http://blog.checkpoint.com/2014/12/09/how-we-collect-infections-by-the-numbers/

Mobile Security Weekly - Threats are Everywhere
Author: Ohad Bobrov
Date: 2014-07-05


This week’s issue contains four entirely different but all highly volatile mobile security threats. New vulnerabilities and threat vectors are rapidly appearing. These aren’t small issues either – they potentially place millions of devices and users in danger, and all need to receive due attention.


Researchers have discovered a vulnerability present on an estimated 10% of Android phones that may allow threat actors to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, as well as PINs or patterns used to unlock vulnerable devices.

The vulnerability resides in the Android KeyStore, a sensitive area of Android OS dedicated to storing cryptographic keys and other credentials. By exploiting the vulnerability, threat actors can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. It looks like the vulnerability only affects Android 4.3, which runs on about 10.3% of handsets.

http://gizmodo.com/serious-security-threat-lurks-on-86-percent-of-android-1597913405

Why is this Significant?
If a threat actor can compromise the KeyStore, they can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password. Although this means that most banking apps are safe, it’s still a severe issue. While nobody seems to have exploited this vulnerability yet, it’s still worrying that it went unknown for so long. It’s also unlikely to be the last of its kind.


Another Android SMS worm is on the rampage
Researchers have found a rare SMS worm targeting Android devices, which is being used to further a pay-per-install scheme. The worm, dubbed “Selfmite”, has only been detected on dozens of devices in North America, but sports a rather unique attack method.
Victims receive SMS messages containing a shortened goo.gl link, which actually leads to the Selfmite worm.

The malware then immediately texts the victim’s contacts, continuing the malicious cycle by spreading the malicious URL. The interesting part is that Selfmite also invites users to download a legitimate app, Mobogenie (a highly popular Android app with millions of downloads), which allows attackers to profit on a per-download basis.


http://news.softpedia.com/news/SMS-Worm-Selfmite-Makes-an-Entry-and-an-Exit-448657.shtml


Why is this Significant?
It looks like Selfmite’s sole purpose is to download a copy of Mobogenie, a legitimate app for managing and installing mobile apps as well as multimedia content, onto the victim’s device. Researchers believe that the attack is part of a software affiliation scheme which brings the threat actors revenue for each successful installation of Mobogenie – something we haven’t seen before.

The discovery of Selfmite also comes two months after researchers discovered “Samsapo”, believed to be the first Android worm in the wild. Android worms seem to have become an increasingly popular method of targeting innocent users.

A significant security vulnerability has been discovered in the Facebook SDK (V3.15.0) for both iOS and Android. Nicknamed Social Login Session Hijacking, when this vulnerability is exploited a threat actor can obtain access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

Many iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once an app has successfully authenticated with Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

The Facebook SDK is one of the most popular integrated libraries used by free and fee-based app developers for iOS and Android platforms. Specifically, 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK, leaving the over 100 billion downloads of those apps vulnerable.

http://www.net-security.org/secworld.php?id=17074

Why is this Significant?
Because the SDK is so widely used, and given the severity of the vulnerability, this issue represents a substantial threat: it enables substantial damage to the reputations and brands of both individuals and organizations. There are so many vulnerable apps that we’re undoubtedly going to be hearing more about this problem over the coming days.


A new Android mRAT (mobile remote access trojan), HijackRAT, has been discovered.
HijackRAT can steal banking information by disabling anti-virus applications, as well as download more malware.

Once it has finished its initial hiding techniques, HijackRAT immediately contacts a C&C server and begins collecting sensitive information from the device, including the phone number, device ID, and contact lists. Although the C&C server was traced back to Hong Kong, it is likely a victim’s system controlled by the RAT. Evidence in the user interface suggests that the developers are Korean and the victims are Korean as well.

The malware specifically targets eight Korean banking applications, all of which require a popular anti-virus application known as V3 Mobile Plus. HijackRAT is designed to disable that anti-virus application so it can download a malicious fake update to the targeted bank application.

http://www.theregister.co.uk/2014/07/03/android_nasty_packs_multiple_tricks/

Why is this Significant?
Although it is only targeting Korean banks now, HijackRAT can easily be updated to target other financial institutions. Initial research also shows that there is room within the framework to enhance its bank-targeting features.

It seems the app isn’t easily available in the wild yet and is perhaps more of a POC. Either way, threat actors are catching up to the latest security protocols and have their sights on where the money is in mobile: banking apps.

Photo credit: http://www.iwebsoftsolution.com/


The post Mobile Security Weekly – Threats are Everywhere appeared first on Check Point Blog.

Link: http://blog.checkpoint.com/2014/07/05/mobile-security-weekly-threats-everywhere/
Tags: mRAT, Banking Trojan