
SandBlast Agent Protects Against BlueKeep RDP Vulnerability

Published by Yossi Hasson, Endpoint Security Product Manager, May 28th 2019


Recently, a security advisory was released for a vulnerability in RDP (Remote Desktop Protocol) affecting multiple Windows Operating Systems prior to 8.1. According to Microsoft’s advisory, this vulnerability can be exploited for both remote code execution and denial of service attacks, all without needing the credentials of the target machine.

 

Check Point’s SandBlast Agent Anti-Exploit now monitors the RDP service for both Windows 7 and Windows 2008R2 and is able to prevent this attack from occurring. Not only is SandBlast Agent able to prevent the exploit from being delivered on unpatched systems, but it is also able to prevent the exploit from being delivered to the previously vulnerable driver in patched systems.

 

The protection is available in SandBlast Agent’s E80.97 Client Version (Can be downloaded from sk154432).

 

To see Anti-Exploit’s protection in action please see the following video, where our Threat Research Group’s POC used for exploitation is blocked. In addition, you can also see how we are able to block the scan of the Metasploit module that was recently developed to identify vulnerable systems.

 

WATCH: SandBlast Agent protects against Check Point’s Threat Research group’s BlueKeep-based exploit

The post SandBlast Agent Protects Against BlueKeep RDP Vulnerability appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2KigyST

Winning with Innovative Defense

In this Stanley Cup Final, the St. Louis Blues will play against the Boston Bruins, with Game 1 scheduled for May 27th.

Advancing to the Stanley Cup Final for the first time in 49 years, the St. Louis Blues claimed a 5-1 victory over the San Jose Sharks in Game 6 on Tuesday. In contrast, the Boston Bruins are headed to the Stanley Cup Final for the third time in nine seasons, having knocked out the Carolina Hurricanes with a 4-0 win in the Eastern Conference Final.

As recently as January, the St. Louis Blues ranked at the tail of the NHL standings. Working their way up from the bottom of the heap, the Blues managed to reposition themselves by strengthening their defense, and playing with greater speed and physicality.

A wave of great defensemen render Boston Bruins fans spoiled, with Zdeno Chara and Charlie McAvoy currently leading the pack.

Check Point Software Technologies loves a great defense, and is in turn a proud advertising supporter of the Stanley Cup Finals.

Defense is a position that requires strategic thinking, and constant recalibration of the landscape to evaluate change and threats. When the threats change, you need to react fast. This is what Check Point does best.

Rapidly blasting away threats requires a collaborative partnership. In the NHL it requires a left D and a right D. In cyber security, it’s imperative to partner with a star-studded threat prevention team. With the right people on your team, you can achieve unbelievable victories.

The post Winning with Innovative Defense appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2MdB6hT

CloudGuard IaaS Supports Kubernetes and Container Security

By Amir Kaushansky, Product Manager, Cloudguard IaaS, published May 29th, 2019

 

Almost 9000 people attended Check Point’s CPX 360 events in Bangkok, Las Vegas and Vienna earlier this year where we shared security best practices, product developments and roadmap with our customers and partners.

 

My session was about Kubernetes and Container Security. At the end of the session, I promised to update our customers and partners with relevant roadmap announcements during 2019, and I am happy to deliver the first announcement today:

 

Check Point CloudGuard IaaS now supports North-South inspection for improved Kubernetes security.

 

The new Container security functionality is available in native Kubernetes/OpenShift as well as managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

 

As part of this release, CloudGuard IaaS provides the following new features:

  • Secure the traffic between Kubernetes microservices and your on-premises or cloud assets (also known as “North-South traffic”) using IPsec VPN. For example: CloudGuard IaaS allows you to configure VPN between your cloud environment and on-premises, in order for your microservice to communicate securely with your on-premises database.
  • Incoming and outgoing traffic inspection using all Check Point security blades, including Intrusion Prevention Service (IPS), Anti-Virus, Anti Bot, and VPN, providing advanced threat prevention to your Kubernetes environment and container deployment.
  • Dynamic policy that changes as the Kubernetes environment changes, including an access policy that is based on Kubernetes tags (labels, services, etc.).
  • Full HTTPS support: CloudGuard IaaS allows you to perform inspection of SSL/TLS traffic that flows to a microservice. It allows you to choose whether to inspect the traffic or to pass it and route it based on the Server Name Indication (SNI).
  • Virtual Patching: Containers are built using packages which may contain vulnerabilities. In case a vulnerability is discovered in a package, updating the affected containers may take a few weeks or even a few months in some cases. CloudGuard IaaS provides the ability to define virtual patching, which prevents exploiting this vulnerability until you deploy new containers with a non-vulnerable package.
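The "inspect or pass based on SNI" decision in the HTTPS bullet above, written out as an added example (my own code, not CloudGuard's): a parser that pulls the server_name out of a TLS ClientHello, and a policy that bypasses a constructed list of domains, inspects everything else, and drops handshakes it cannot parse. The bypass list and the sample ClientHello builder are constructed for the demonstration.

```python
import struct
from typing import Optional, Tuple

# Constructed bypass list: hosts whose TLS sessions the policy forwards un-inspected
BYPASS_SUFFIXES = ("bank.example", "health.example")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record, with an SNI extension when a name is given."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                    # client_version TLS 1.2
        + bytes(32)                                    # random (zeros are fine for a sample)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if the client sent none.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) != hs_len:
            raise ValueError("truncated ClientHello body")
        off = 2 + 32                                   # skip client_version + random
        off += 1 + p[off]                              # skip session_id
        (cs_len,) = struct.unpack("!H", p[off:off + 2])
        off += 2 + cs_len                              # skip cipher_suites
        off += 1 + p[off]                              # skip compression_methods
        if off == len(p):
            return None                                # legal: no extensions block at all
        (ext_total,) = struct.unpack("!H", p[off:off + 2])
        off += 2
        end = off + ext_total
        if end != len(p):
            raise ValueError("extensions length mismatch")
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", p[off:off + 4])
            off += 4
            data = p[off:off + ext_len]
            off += ext_len
            if ext_type != 0x0000:                     # 0x0000 = server_name
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc


def tls_policy(record: bytes) -> Tuple[str, Optional[str]]:
    """Decide what the inspection point does with a new TLS session: 'bypass', 'inspect' or 'drop'."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return "drop", None                            # malformed handshake: never forward it blindly
    if sni is None:
        return "inspect", None                         # no SNI, so there is nothing to match a bypass on
    host = sni.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES):
        return "bypass", host
    return "inspect", host
```

Suffix matching is done on label boundaries on purpose: "notbank.example" must not inherit the bypass granted to "bank.example".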

 

Additionally, CloudGuard IaaS allows you to automate your Kubernetes security using common scripting languages such as Terraform and Ansible.

 

What are a few common use cases for the new Container security functionality?

 

Application Control and Anti-Bot

 

One of the potential attack vectors in Kubernetes environments is to exploit a container and use its compute resource to spawn a bitcoin-mining container which is fetched from an external, malicious container registry. (You can read about a similar hack of Tesla’s Kubernetes deployment here.) Using CloudGuard IaaS, you can restrict communication to trusted registries only. Additionally, you can enable Anti-Bot and thereby prevent the malicious bitcoin-mining container from receiving commands from the unauthorized command and control server.


Scale Out Events

 

When a new pod is added to the Kubernetes environment in a scale out event, CloudGuard IaaS understands that there is a new pod. It then gets the assigned IP address and updates the CloudGuard security gateway with this data. If the pod’s labels match a defined policy, the security gateway does not require any manual policy installation; it starts inspecting the traffic automatically according to the defined policy.


Vulnerability

 

If a new vulnerability is discovered in NGINX for example, and your engineering team estimates it will take 5 days to ship a new container, CloudGuard allows you to enable a specific IPS signature that will prevent anyone from taking advantage and exploiting the containers which use this NGINX version. Once your team deploys the containers with a non-vulnerable version, you can remove this IPS signature in order to release CloudGuard IaaS resources and improve performance.

 

You’re encouraged to try this new functionality for yourself:

Get a free trial of CloudGuard IaaS in the Marketplaces of Azure (with a limited-time special offer by Microsoft and Check Point), AWS, GCP or Oracle.

 

And please watch the Check Point blog for more announcements about Container and Kubernetes security.

 

To learn more visit www.checkpoint.com.

The post CloudGuard IaaS Supports Kubernetes and Container Security appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2EnjgT6

Microsoft and Check Point Protect Employees from Leaking Sensitive Business Data and Intellectual Property

by Dana Katz, Product Marketing Manager, Security Platforms, published May 21st, 2019

 

It is clear that confidential data leakage, whether malicious or unintentional, can cause serious damage to any organization. Preventing sensitive and valuable information, such as customer records, intellectual property, and financial reports, from falling into the wrong hands has become a major priority for most organizations. 

 

To protect organizations from data loss, Microsoft and Check Point have been working closely together to integrate Microsoft Azure Information Protection (AIP) with Check Point Next Generation Firewall Security Solutions. The integrated solution keeps sensitive business data safe, regardless of where it travels or how it is shared, including via email, web browsing or file sharing services that are not included within the Microsoft eco-system.

 

Customers of both Check Point and Microsoft can rest assured knowing their employees will be prevented from accidentally sending sensitive and valuable business data outside of the corporate network, not just when using Outlook or Microsoft Exchange, but also when using popular applications and services such as Gmail, Dropbox, FTP & Box. By leveraging the Check Point capabilities of policy enforcement across the network, Microsoft Azure Information Protection file classification and protection capabilities are extended and substantial security gaps are sealed. Therefore, joint customers can enjoy a comprehensive Data Loss Prevention solution: their security teams can track and control the exposure of sensitive information and take corrective measures to prevent data leakage or misuse.

 

How Data Loss Prevention works from the end-user perspective      

 

Let’s take a look at a common data loss scenario. Your company’s CFO just finished creating a highly confidential financial report using Microsoft Office Word. Azure Information Protection (AIP) recognizes the sensitive content in the document and prompts him to label the document as “Confidential Financial Data”. With the proper confidential label, no one in the company will be able to accidentally send this file to an external recipient or location outside of the corporate network. Regardless of the application (Outlook, Gmail, Dropbox, FTP), Check Point Data Loss Prevention (DLP) will block any improper distribution of the document and immediately notify the user. Not only does this process educate the user about any improper data handling, it helps prevent any future issues.

 

Data Loss Prevention – the Admin perspective

 

Let’s take a look at this same CFO data loss scenario from an IT administrator’s perspective. Many IT organizations that use Office 365 productivity solutions have also adopted AIP to classify, label and protect their sensitive information. AIP sensitivity labels can be applied automatically based on IT administrator rules and conditions, manually by end users, or in a combination where end users are given recommendations. In the use case of the CFO data loss, the IT security team has pre-configured an AIP label called “Confidential Financial Data”. Based on this label, the security teams have also defined a Check Point unified security policy rule (that includes a Content Awareness AIP data type) to protect confidential financial information from being sent outside of the organization. Once the AIP label was applied to the CFO financial report, Check Point Security Gateways were able to detect and enforce the confidential designation, regardless of where the document was sent or how it was shared.
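The label-to-enforcement step described above, as an added example that is not Check Point’s or Microsoft’s code: a gate that reads the AIP classification out of a Word document’s custom properties and blocks an external transfer when the label is one the policy protects. It assumes, from my understanding of the AIP client, that a label is recorded as MSIP_Label_<guid>_Name and MSIP_Label_<guid>_Enabled properties in docProps/custom.xml; the GUID, the protected-label list and the sample .docx are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# OOXML namespaces used by docProps/custom.xml
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"

# Assumption: the AIP client records a label as MSIP_Label_<guid>_Name plus MSIP_Label_<guid>_Enabled
LABEL_NAME_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_Name$")

# Constructed policy: labels that must never leave the organization
PROTECTED_LABELS = {"Confidential Financial Data"}


def read_custom_properties(docx_bytes: bytes) -> Dict[str, str]:
    """Return name -> value for every string custom property in the document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}                       # an unlabelled document may have no custom part at all
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props: Dict[str, str] = {}
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value = prop.find(f"{{{NS_VT}}}lpwstr")
        if prop.get("name") and value is not None:
            props[prop.get("name")] = value.text or ""
    return props


def aip_label_name(props: Dict[str, str]) -> Optional[str]:
    """Pick the enabled AIP label out of the property bag, or None if the document is unlabelled."""
    for name, value in props.items():
        match = LABEL_NAME_RE.match(name)
        if match is None:
            continue
        guid = match.group(1)
        if props.get(f"MSIP_Label_{guid}_Enabled", "true").lower() == "true":
            return value
    return None


def dlp_decision(docx_bytes: bytes, destination_is_external: bool) -> str:
    """'block' when a protected label is about to leave the organization, 'allow' otherwise."""
    label = aip_label_name(read_custom_properties(docx_bytes))
    if destination_is_external and label in PROTECTED_LABELS:
        return "block"
    return "allow"


def make_sample_docx(label: Optional[str]) -> bytes:
    """Constructed sample: the smallest zip that looks like a .docx, with or without an AIP label."""
    guid = "11111111-2222-3333-4444-555555555555"   # placeholder label id, not a real AIP label
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if label is not None:
            zf.writestr(
                "docProps/custom.xml",
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">'
                f'<property fmtid="{FMTID}" pid="2" name="MSIP_Label_{guid}_Enabled">'
                '<vt:lpwstr>true</vt:lpwstr></property>'
                f'<property fmtid="{FMTID}" pid="3" name="MSIP_Label_{guid}_Name">'
                f'<vt:lpwstr>{label}</vt:lpwstr></property>'
                '</Properties>',
            )
    return buf.getvalue()
```

The same document is allowed to an internal destination and blocked to an external one, which is the behaviour the CFO scenario describes.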

 

Unified Data Loss Prevention Across the Enterprise

 

Because Check Point DLP enables policy enforcement of data in transit at the network level, the IT Security teams can track and control how documents are being shared and immediately take corrective measures to prevent data leakage. In addition, DLP is integrated into Check Point’s security management platform enabling enterprises to apply a unified document protection policy across the organization while also managing access control, threat prevention policies, and incident analysis.

 

Demo of Microsoft Azure Information Protection, Check Point DLP and SmartConsole

 

Take a few moments to view the demo video below, and see how the combination of Azure Information Protection, Check Point DLP and the R80 SmartConsole will protect your enterprise from leaking sensitive business data and intellectual property.


About Azure Information Protection

Azure Information Protection (AIP) is part of Microsoft Information Protection solutions, which can leverage the security capabilities of partners like Check Point. Azure Information Protection enables customers to classify, label and protect sensitive documents and emails. Sensitivity labels can be applied automatically based on the system administrator’s rules and conditions, manually by users, or a combination where users are given recommendations. Since Azure Information Protection has rights management capabilities built-in, it can be used to protect documents by defining granular user access rights down to specific groups or users.

 

About Check Point DLP

Check Point DLP is part of Check Point’s Next Generation Firewall Gateway products. It combines multiple technologies and processes to revolutionize Data Loss Prevention, helping businesses to pre-emptively protect sensitive information from leaving the company, educating users on proper data handling policies and empowering them to remediate incidents in real-time! By enforcing security policies on all data transmitted over networks, Check Point Security Gateways offer a wide coverage of traffic transport types, including deep application awareness that protects data in motion, such as e-mail, web browsing and file sharing services.

The post Microsoft and Check Point Protect Employees from Leaking Sensitive Business Data and Intellectual Property appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2whEL37


Critical Vulnerability in Windows OS – Learn How To Protect Yourself

 

In Brief

 

In the last few days, Microsoft has released information about a critical vulnerability in the Windows operating system (CVE-2019-0708).  This vulnerability allows remote code execution by an attacker directly from the network using the Remote Desktop Protocol (RDP) in remote desktop services that affects older versions of Windows used by many users worldwide.  This attack may affect many computers in every sector and industry including finance, healthcare, government, retail, industrials and others.

 

Key Risks:

 

  • An arbitrary attacker from the net can carry out a complete takeover of a private PC within public networks, such as Wi-Fi hotspots.
  • Embedded devices such as ATMs or IoT devices are the most vulnerable to takeover.
  • PCs within organizations’ networks are also vulnerable to a takeover using lateral movement within the network.

 

Why Is This So Important?

 

As this vulnerability is placed at the pre-authentication stage and does not require any user interaction it would allow any arbitrary attacker on the internet to execute malicious code on a victim’s private system and allow for a total takeover of a PC within any network, such as Wi-Fi hotspots, public networks and private and corporate networks.

 

According to Microsoft, in order to exploit this vulnerability, an attacker would have to send a specially tailored request to the target systems’ Remote Desktop Service via RDP. Given the nature of the vulnerability, once a host is infected there is great risk of lateral movement to infect other connected hosts on the same network.

 

Put another way and to clarify the potential exploitation of this vulnerability, it could be used in a very similar manner as that of the 2017 WannaCry attack that caused catastrophic disruption and sabotage to thousands of organizations across all industries worldwide.

 

Who Is Affected?

 

Those using certain versions of Microsoft Windows 7 and Windows Server 2008 are at risk from this vulnerability. Customers running Windows 8 and Windows 10 are not affected by this vulnerability due to these later versions incorporating more secure updates.

 

Those most at risk, among others, are those working with embedded devices such as ATMs in the banking sector and IoT devices in the healthcare industry. This is due to older versions of Windows known to be the systems behind these operations as well as them being prized targets for cyber criminals. As a result, since this vulnerability was announced, security professionals in hospitals and banks have been working diligently to patch their systems.

 

How to Protect Yourself

 

  1. Block the RDP protocol on Check Point gateway products and the SandBlast Agent endpoint client. Instructions for Check Point R77.x and R80.x are included in the link in this post.
  2. If you are using RDP for mission critical systems, configure the Check Point gateway and endpoint product to accept connections only from trusted devices within your network. Instructions are included in the link in this post.
  3. Disable RDP on your Windows PCs and servers (unless used internally) and deploy the Microsoft patch. Please note that your ability to identify vulnerable systems when used in IoT devices (corporate, finance, industrial and healthcare systems) is limited; therefore it is recommended to follow steps 1 & 2 even if the patch is installed.

 

Currently, while Check Point researchers are investigating this vulnerability and monitoring any relevant activity in the wild, we recommend all IT professionals to deploy Microsoft patches according to the MS Security Update Guide.

 

Click here to learn more and get full step by step guide on how to protect yourself.

The post Critical Vulnerability in Windows OS – Learn How To Protect Yourself appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2HrqmI1

Check Point Releases R80.30 with 100 New Features Delivering More Protection against Malicious Downloads and Websites

R80.30 Features First Web Threat Extraction and Patent Pending Advanced SSL/TLS Security

 

by Michael A. Greenberg, Product Marketing Manager, Security Platforms, published May 15th 2019

 

R80.30 ushers in a new era of security with the industry’s first threat extraction for web, providing practical prevention against advanced threats. With this new threat extraction for web, admins will no longer have to compromise on security for productivity. R80.30 Gen V Threat Prevention protects users from malicious web downloads in real-time! Threat Extraction removes exploitable content, reconstructs files to eliminate potential threats and promptly delivers the clean content to the user. This is thanks to the fastest threat emulation engines for secure delivery of files. Even more, a Threat Prevention dashboard provides full visibility across networks, mobile and endpoints. Enterprises everywhere can now increase productivity and maintain a high security posture.

 

However, the Threat Prevention innovations in the newest release of R80.30 do not stop here. The software release brings new Transport Layer Security Patent-Pending Technologies providing state-of-the-art SSL Inspection. This technology delivers the power to inspect SSL-encrypted network traffic across enterprises everywhere. This innovation is crucial for a strong cyber security posture considering 94% of websites today secure web traffic with the HTTPS protocol [1].

 

As Itai Greenberg, Check Point’s VP of Product Management, said, “HTTPS covers over 80% of all our web traffic, there is no getting away from the issue that SNI leaks every site you visit online to your Internet Service Provider. This paints a very clear picture of who you are since we know data collection on visited websites is happening. All of these factors invite both privacy and security risks, which we all know is a real problem”.

 

Rest assured, the SSL inspection and Threat Prevention capabilities of R80.30 keep organizations at maximum security with high performance and efficient operations. Security technologies that are supported with Full HTTPS inspection capabilities are: Application Control, URL Filtering, IPS, DLP, Anti-Virus, Anti-Bot and Threat Emulation.

 

With over 25 years in the industry, Check Point’s R80 platform has been delivering Advanced Threat Prevention and Comprehensive Cyber Security Management and visibility on premises, across clouds, mobile and endpoint. With R80.30, you get over 100 new features that improve advanced threat prevention and performance against Gen 5 cyber attacks. R80’s threat prevention and performance benefits are apparent to Check Point customers as over 70% have upgraded to R80.  We are certain they will upgrade to the newest R80.30 release as well.

 

Let us look at the top 10 reasons why enterprises everywhere choose R80 for both Threat Prevention, Performance and Cyber Security Management:

 

  1. Practical Prevention against Advanced Threats (introduced in R80.30)

Protect users from malicious web downloads using real-time Threat Extraction technology with a seamless user experience

  2. State-of-the-Art SSL Inspection (introduced in R80.30)

New Patent-Pending technologies delivering the power to inspect SSL-encrypted network traffic with secure SNI verification improvements

  3. Superior Management & Visibility

Single Pane of Glass Management – Manage security on a global level with preemptive threat prevention and full threat visibility all in one console

  4. Single Console, Unified Policy (introduced in R80)

Achieve operational efficiency with all access points now controlled in one place

  5. Cyber Attack Dashboard (introduced in R80.20)

Real-time forensic & event investigation with a single view into security risks

  6. Log Exporter (introduced in R80.20)

Enables easy integration with 3rd parties with a simpler and faster user experience for exporting logs

  7. Logging & Monitoring

Unified logs for Security Gateways, SandBlast Agent and SandBlast Mobile for simple log analysis

  8. Multi-Tasking in R80 (introduced in R80.20)

Increase productivity and collaboration with granular admin delegation and concurrent administrators.

  9. Management APIs & SmartConsole Extensions (SmartConsole Extensions introduced in R80.30)

Expand & customize the Check Point SmartConsole, integrate tools you work with directly into the SmartConsole!

  10. Adaptive Security for Public & Private Clouds

CloudGuard family for complete cloud security: CloudGuard IaaS, SaaS and Dome9

 

It is clear to see our security is only as strong as our ability to manage it. Check Point provides its customers with the best security management with the industry’s largest integration of technologies, over 160 technology partners just for management! With Check Point R80.30 Cyber Security Management, businesses everywhere can step up to Gen V.

 

Find out how to manage your cyber security and learn more here.

 

Like what you read? Interested in trying the R80 SmartConsole? Get a free trial here!


[1] Google Transparency Report – https://transparencyreport.google.com/https/overview

The post Check Point Releases R80.30 with 100 New Features Delivering More Protection against Malicious Downloads and Websites appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Q77j8C

Lessons Learned from the latest WhatsApp hack

by Brian Gleeson, Mobile Product Marketing Manager, published May 14th 2019

 

We were once again reminded that mobile devices, the one thing most of us never leave home without, are vulnerable to attacks. And once again, private individuals were attacked.

 

Several news organizations reported on Monday, May 13, that attackers exploited a vulnerability in WhatsApp, the popular global messaging app installed on 1.5 billion devices worldwide, and successfully installed spyware on several victims’ devices. Unbeknownst to the victims, the attackers obtained complete access to everything on their mobile devices: personal and corporate information, email, contacts, camera, microphone, and the individual’s location.

 

WhatsApp is encouraging customers to update their apps as quickly as possible, and to keep their mobile operating system up to date.

 

Remarkably, the attackers used the vulnerability to insert malicious code and steal data from Android and iPhone smartphones simply by placing a WhatsApp call, even if the victim didn’t pick up the call. The spyware erases all logs of the call so that victims remain unaware that their device has been hacked.

 

The WhatsApp hack illustrates that despite their best efforts, Apple and Google cannot completely secure the users of mobile devices running their operating systems. In order to ensure users are properly protected, a mobile threat defense solution must be in place that can prevent spyware from gathering intelligence on their targets. The solution involves multiple steps:

 

  • Identifying advanced rooting and jailbreaking techniques
  • Detecting unknown malware
  • Preventing malicious outbound communications to command and control servers

 

All the steps above must be enabled to best prevent sophisticated attacks like the WhatsApp hack. If spyware is simply detected after infecting the device, it is too late. It is paramount to ensure that the attack is prevented before it actually infects the mobile device. If, however, the device becomes infected, it’s critical that no data be exfiltrated from the device.

 

Learn more about the vulnerability as our research team takes a deep, technical dive: https://research.checkpoint.com/the-nso-whatsapp-vulnerability-this-is-how-it-happened/ 

 

Protect your enterprise and users from sophisticated mobile cyberattacks like the WhatsApp attack with SandBlast Mobile.

 

To protect your personal device against these attacks, learn about ZoneAlarm Mobile Security.

 

The post Lessons Learned from the latest WhatsApp hack appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Jkxrwf
via

April 2019’s Most Wanted Malware: Cybercriminals up to Old ‘TrickBots’ Again

Check Point’s latest Global Threat Index sees banking trojan Trickbot return to top ten list after 2 year absence

 

In April 2019, banking trojan Trickbot re-appeared in the top ten most wanted malware list for the first time in almost two years. The multi-purpose trojan became April’s 8th most prevalent malware variant, returning with new capabilities, features and distribution vectors. Trickbot offers a high level of flexibility and customization, which enables it to be distributed as part of multi-purpose campaigns.

 

Trickbot was used in one such campaign in April that coincided with Tax Day in the USA. The spam campaign sent emails with Excel files attached, which downloaded Trickbot to victims’ computers. Once downloaded, Trickbot could spread inside the network and steal banking details and confidential tax documents for fraudulent use.

 

Although cryptominers still occupied the top three positions in the index, the remaining seven malware types in April’s top ten were multi-purpose trojans. This is especially concerning given that they may be used not only to steal private data and credentials, but also to deliver ransomware (in fact, we’ve seen Emotet and Trickbot deliver the Ryuk ransomware). As these malware constantly morph, enterprises must have a robust line of defense against them with advanced threat prevention.

 

March 2019’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.

 

  1. ↑ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug from under it by asking a smaller percentage of revenue from websites.
  2. ↑ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  3. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  4. ↓ Emotet – Advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and is now used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  5. ↓ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  6. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and password stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  8. ↑ Trickbot – Trickbot is a dominant banking Trojan that is constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
  9. ↑ Sality – Sality is a file infector that enables infected systems to communicate over a peer-to-peer (P2P) network for spamming, proxying of communications, compromising web servers, exfiltrating sensitive data, and coordinating distributed computing tasks to process intensive tasks.
  10. ↓ Lokibot – Lokibot is an info stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.

 

This month Triada is the most prevalent mobile malware, replacing Hiddad in first place in the top mobile malware list. Lotoor remains in second place, and Hiddad falls to third.

 

April’s Top 3 ‘Most Wanted’ Mobile Malware:

 

  1. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
  3. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

 

Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure was the most exploited vulnerability, with a global impact of 44% of organizations worldwide. For the first time in 12 months, CVE-2017-7269 dropped from first place to second, impacting 40% of organizations, followed by CVE-2017-5638 with a global impact of 38% of organizations around the world.

 

April’s Top 3 ‘Most Exploited’ vulnerabilities:

 

  1. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  2. ↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  3. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid Content-Type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

 

Check Point’s Threat Prevention Resources are available at: http://bit.ly/2vVQWT5

The post April 2019’s Most Wanted Malware: Cybercriminals up to Old ‘TrickBots’ Again appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Q34A01
via


Private Cloud Security: CloudGuard IaaS supports VMware’s new NSX-T 2.4 release

By Jonathan Maresky, Product Marketing Manager, Cloudguard IaaS, published May 8th, 2019

 

VMware has been taking real action to back up CEO Pat Gelsinger’s assertion that hybrid-cloud is the new norm, most recently through updates to their NSX-T Data Center network virtualization platform for on-prem and cloud environments. NSX-T version 2.4 was a major milestone that saw the introduction of new advanced security capabilities.

 

Check Point was a design partner for the new version, which is fully supported by Check Point CloudGuard IaaS. This makes sense considering the close relationship between Check Point and VMware, and that CloudGuard was the first VMware partner product to be certified for NSX-T North/South service insertion.

 

(The supporting version of CloudGuard IaaS is currently in final stages of certification.)

 

Let’s dive into a few of the security enhancements in NSX-T version 2.4 and how CloudGuard IaaS uses them to harden private cloud security for Check Point customers.

 

Network Topology

CloudGuard supports NSX-T Inventory.

 

CloudGuard reads the inventory from NSX and allows the security operator to use objects from the inventory as part of the security policy. CloudGuard watches these objects and updates the gateway regarding any change that might occur on the NSX side.

 

NSX-T v2.4 allows the dynamic export of network topology, providing CloudGuard with immediate access to all network configuration changes.

 

Dynamic, Context-Based Grouping

 

NSX has rich contextual knowledge of the workloads it’s protecting. Instead of using grouping and rules based on where something is in the network, with NSX customers can use constructs based on specific characteristics of the workload, including for example the workload’s Operating System or name. By applying Security Tags, workloads can also be grouped based on criteria such as the function of the application, the application tier the workload is part of, the security posture, regulatory requirements or the environment the application is deployed in.  Through the use of Security Tags, policies can be applied automatically to new workloads, thus reducing manual administrative overhead. For example, when you add a new VM: as soon as you apply a meaningful tag to the new VM, it automatically assumes the relevant policies of the tag’s groups.

 


 

 

Applying Security Tags to a VM (source: VMware)

 

Example architecture with tags per application (source: VMware)

 

Policy-Based Service Insertion

 

Using VMware NSX-T and Check Point together provides strong security for North-South traffic entering the data center from the outside. This is done by connecting the CloudGuard IaaS security gateway to the T0-T1 router. NSX handles the deployment, plumbing and selective redirection of traffic to the CloudGuard IaaS security gateway.

 

CloudGuard IaaS provides powerful private cloud security features such as Firewall, Intrusion Prevention System, Anti-Bot, Antivirus, Application Control, and URL Filtering; as well as Threat Emulation and Threat Extraction for complete protection against the most sophisticated threats and zero-day vulnerabilities.

 

CloudGuard IaaS with N/S service insertion protects against advanced threats

 

But what about East-West traffic?

 

“Firewalls are conceptually sound, but execution often leaves network and security teams scrambling to patch flaws and fix mistakes that hackers have already discovered and exploited. Worse, once bad data packets such as malware enter into the network they may have unimpeded access to that “East-West” traffic inside the network.” (Pete Bartolik, CSO Online)

 

In other words, a breach of a single network can propagate across the data center, compromising all applications. Even attacks on low priority services can expose critical or sensitive systems.

 

With the Distributed Firewall, NSX-T enables micro-segmentation, enabling customers to provide granular firewalling for East-West traffic within the datacenter.

 

VMware NSX-T 2.4 introduces the enhancement of Policy-Based Service Insertion enabling partner solutions like Check Point CloudGuard to enhance the security of East-West traffic, without making changes in the topology.

Policy-Based Service Insertion (source: VMware)

 

Check Point CloudGuard IaaS is integrating with NSX-T 2.4 East-West Service Insertion in order to provide robust protection of lateral traffic between different entities inside the cloud deployment. This lateral traffic may also be automatically redirected according to context-aware policies, as explained above.

 

The screenshot below shows the deployment of a new CloudGuard IaaS East-West service in the NSX-T Manager.

 

Deployment of a new CloudGuard IaaS East-West service in the NSX-T Manager

 

How Can You Improve Your Private Cloud Security?

 

Take precautions, including:

  • Check Point CloudGuard provides best-of-breed private cloud security, which is further enhanced by the security enhancements introduced by VMware NSX-T 2.4 described above.
  • CloudGuard provides consistent security policy enforcement and full threat visibility.
  • CloudGuard is well suited to dynamic multi-cloud and hybrid environments and supports the widest combination of private clouds and public clouds.

 

To learn more visit www.checkpoint.com.

The post Private Cloud Security: CloudGuard IaaS supports VMware’s new NSX-T 2.4 release appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2WCPwJf
via

Department of Homeland Security issues security warning for VPN applications — Check Point VPNs not affected

by Lloyd Tanaka, Threat Prevention Product Marketing Manager, published April 17th 2019

 

On Friday April 12, The CERT Coordination Center (CERT/CC) with the US Department of Homeland Security (DHS), issued a warning of a newly discovered vulnerability affecting possibly hundreds of Virtual Private Network (VPN) applications. Check Point was one of a small handful to be unaffected by this warning.

 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU#192371 to get details of the affected VPN applications and the problem of insecure storing of session cookies in memory and/or log files. Organizations face the risk of attackers exploiting this vulnerability to take control of an affected system.

 

Check Point VPN customers are not affected because of our advanced, market-leading security architecture. Check Point’s IPsec and SSL VPNs offer a number of market-leading capabilities that add safety and convenience for your remote access users, including:

 

  • Threat prevention
  • Incident analysis
  • Access control
  • Data security
  • Compliance checking
  • Multi-factor authentication

 

Customers using other VPNs should consult with their vendor. To help you assess your specific situation, we’ve formed a special VPN task force team to discuss your available options, including a quick migration to Check Point technology. Interested customers should contact our Incident Response team at https://www.checkpoint.com/support-services/threatcloud-incident-response/

Get information on Check Point’s Remote Access VPN solutions by visiting https://www.checkpoint.com/products/remote-access-vpn/

The post Department of Homeland Security issues security warning for VPN applications — Check Point VPNs not affected appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2KLgGfm
via

Game of Thrones Phishing Scams and How to Avoid Them

The long night has finally ended. Game of Thrones fans can finally come in from the cold and, like a starving dragon, start devouring the latest and final season of the massively popular TV show. But unlike the fantasy series, what is far more real is the plethora of phishing scams facing enthusiasts.

 

While there have been many such deceptions, from malware via pirate torrent sites to phishing scams, Check Point Research recently came across the latest in this line of malicious activities bent on taking advantage of unsuspecting fans. Below is an example of such a site: it uses the official branding of the show and poses as a legitimate competition for fans to win a special gift pack of GoT merchandise. There is, however, no such prize; the site instead collects as many email addresses and mobile phone numbers as possible, which could then be used in future spam campaigns.

 

Fig 1: example of Game of Thrones phishing site – gameofthronesratings[.]com

 

Another example, that aims to dishonestly collect credit card details of users by posing as an official Game of Thrones merchandise store, can be seen below.

Fig 2: example of a site disguised as Game of Thrones official online store – gameofthronesofficalshop[.]com

 

While many may claim to be able to tell the difference between a real site and a fake one, the use of well-recognized and trusted brands, like Game of Thrones, is the preferred method for convincing the user that the impersonating email or website is trustworthy.

 

Understanding the Threat

The websites we observed using the Game of Thrones brand could be split into two main categories: legitimate and fraudulent websites. While both categories use the popularity of the brand to lure users in, their motivations are different. The legitimate websites include fan pages, online games or small shopping sites looking for potential customers or new community members, as seen below.

Fig 3: gameofthronesgifts[.]com (a shopping site)

Fig 4: gameofthronesgifts[.]com (a fan site)

 

The fraudulent websites, on the other hand, exploit the popularity of the brand to display ads, acquire personal information or convince the user to install an unwanted program.

These fraudulent websites mostly include sites requesting personal information for marketing purposes, and fake streaming sites that ask the user to download a browser add-on and provide personal information, while no streaming content is displayed at the end of the process.

 

How ThreatGuard Can Help

ThreatGuard is a SaaS product that scans an organization’s assets on the web and notifies them when threats such as lookalike domains, exposed accounts, detected CVEs and open risky ports are detected. In the examples provided above, to find sites exploiting the popularity of Game of Thrones, we used the lookalike domains functionality.

ThreatGuard allowed us to locate lookalike domains in a very short amount of time and focus our research on deeper threat analysis. We initially entered a ‘gameofthrones’ query into ThreatGuard and got tens of results. After expanding the search to other common words related to the Game of Thrones series, such as names of characters and well-known quotes, we found many other related domains.

Fig 8: The ThreatGuard main dashboard

 

ThreatGuard also allowed us to focus our research on a specific word, the severity of the domain, live domains and more. For domains that were deemed more interesting, we conducted safe browsing via the ThreatGuard solution and inspected the history of the domain. This allowed us to inspect the suspicious domains without harming our hosts and to understand more about the domain we were investigating. When we found a malicious domain, we automatically asked for it to be taken down by the domain registrar.

 

Fig 9: Focus on a specific lookalike domain

 

Fig 10: Taking down the domain by contacting the domain registrar and updating all of the major web browsers

 

How to Avoid Being a Phishing Victim

 

There are ways, of course, to prevent being the next victim of a phishing attack. These include:

  1. Think before you click. Clicking on links on trusted sites should be totally fine. Clicking on links that appear in random emails and instant messages, however, isn’t going to end well. Hovering over links you are unsure of before clicking on them will tell you whether they lead to where you’re expecting.
  2. Make sure a site’s URL begins with “https” and there is a closed lock icon near the address bar.
  3. Check that the site’s domain name is the site you are expecting to visit and trust. If it is not, then you could be about to become the next victim of a phishing scam.
  4. Make sure you have an advanced threat prevention solution such as Check Point’s SandBlast Agent zero-phishing protection.
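The lookalike-domain search described under ThreatGuard and the pre-click checks listed above, as an added Python example that is not Check Point’s ThreatGuard code: it takes a brand keyword, a set of domains the defender treats as legitimate, and observed URLs, and reports the cues the post describes (brand or near-miss spelling in the registrable label, lure words such as “shop” or “stream”, non-HTTPS scheme). The LURE_WORDS list, the legitimate set and the sample URLs are assumptions constructed for the example; two of the hostnames are the ones named in the post.

```python
"""Triage of lookalike domains and URLs for a brand keyword.

Added example, not ThreatGuard code. It mirrors the workflow in the post: query a
brand keyword against observed domains, then flag each hit with the cues the post
lists (brand in the name, lure words, non-HTTPS scheme, not a known site).
"""
from urllib.parse import urlsplit

# Assumption: lure words commonly seen in the names of fraudulent fan sites.
LURE_WORDS = ("official", "shop", "store", "stream", "watch", "online",
              "free", "win", "hack", "gift")


def levenshtein(a, b):
    """Edit distance between two strings; used to catch misspelled brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname (sufficient for .com/.net/.info style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_label(label, brand, max_dist=2):
    """True if the label contains the brand or a spelling within max_dist edits."""
    if brand in label:
        return True
    n = len(brand)
    # Slide windows slightly shorter/longer than the brand over the label so that
    # dropped or doubled letters (gameofthrnes, gameofthroness) are still caught.
    for size in (n - 1, n, n + 1):
        for i in range(max(1, len(label) - size + 1)):
            if levenshtein(label[i:i + size], brand) <= max_dist:
                return True
    return False


def triage_domain(host, brand, legit):
    """Classify one hostname as legitimate, lookalike or unrelated to the brand."""
    reg = registrable_domain(host)
    label = reg.split(".")[0]
    lures = [w for w in LURE_WORDS if w in label]
    if reg in legit:
        verdict = "legitimate"
    elif brand_in_label(label, brand):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"domain": reg, "verdict": verdict, "lure_words": lures}


def check_url(url, brand, legit):
    """Apply the post's pre-click checks to a URL and return the findings."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    result = triage_domain(parts.hostname or "", brand, legit)
    if result["verdict"] == "lookalike":
        findings.append("lookalike domain: " + result["domain"])
    if result["lure_words"]:
        findings.append("lure words: " + ",".join(result["lure_words"]))
    return findings


# Constructed sample. hbo.com stands in for the real brand site; the two
# gameofthrones* hosts are the ones named in the post, the rest are made up.
LEGIT = {"hbo.com"}
SAMPLE_URLS = [
    "https://www.hbo.com/game-of-thrones",
    "http://gameofthronesofficalshop.com/checkout",
    "https://gameofthronesratings.com/win",
    "https://gameofthrnes-stream.online/ep1",
    "https://example.org/",
]


def run_sample():
    """Return {url: findings} for the constructed sample."""
    return {u: check_url(u, "gameofthrones", LEGIT) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, findings in run_sample().items():
        print(f"{url}: {findings or ['no findings']}")
```

Note that the misspelled "offical" in the second sample host does not match the lure word "official"; only "shop" is reported, which is exactly why the brand near-miss check matters alongside keyword matching.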

 

The full list of sites found by Check Point to use the Game of Thrones brand, based on our analyst’s categorization can be found below:


 

 

 

The post Game of Thrones Phishing Scams and How to Avoid Them appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Pd1BSo
via

Protect Your Business by Managing Network Security from the Palm of Your Hand

by Russ Schafer, Head of Product Marketing, Security Platforms, published April 11th 2019

 

 

Next generation cyber security attacks can happen at any time to any size business, so you need to be prepared to react immediately. Based on the 2018 Verizon Data Breach report, 58% of security breach victims are categorized as small businesses. In addition, 79% of the attacks on small businesses resulted in a confirmed breach. To prevent security breaches, you need to be able to monitor your network and quickly mitigate security threats anytime and anywhere. Small businesses typically don’t have a dedicated security professional, so security management applications also need to be easy to use.

 

Check Point is proud to introduce the WatchTower Security Management App for Small and Medium businesses. The intuitive security management app provides real-time monitoring of network events, enables you to quickly block security threats, and configure the security policy for multiple Check Point Security Gateways.

 

Customers who use the Check Point 700, 900 and 1400 series gateways can now manage their network security on the go with their iOS or Android mobile phone.

 

 

The WatchTower Security Management App provides the following innovative capabilities:

 

  • Network Security snapshot enables you to view the devices connected to your network and monitor potential security threats.
  • Real-Time Security Alerts provide notification of malicious attacks or unauthorized device connections.
  • On-the-Spot Threat Mitigation enables you to quickly block malware-infected devices and view infection details for further investigation.
  • Security Event Notification enables you to customize notifications for your top-priority security events.
  • Network statistic reports and charts provide insights on network usage patterns.
  • Network Security Event feed provides you details on all the security events by category.
  • The Settings Manager enables you to set the security settings for multiple gateways.
  • The Advanced policy configuration feature enables you to manage all the security policy settings through a secure web user interface.

 

Don’t let your company become a security breach statistic. Protect your company network while on the go using the WatchTower Security Management app.

 

For a free demo and a link to the iOS and Android app store pages, go to the WatchTower Security Management App page

 

 

The post Protect Your Business by Managing Network Security from the Palm of Your Hand appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2Kxh2WU
via

Check Point Partners with Google’s Cloud Identity to Improve Zero Trust Cloud Access

With enterprises migrating to the cloud, the traditional network perimeter concept is fading. A new approach is needed to ensure more secure access to cloud resources.

 

by Ran Schwartz, Product Manager, Threat Prevention, published April 11th, 2019

 

The way we do business has undergone a seismic transformation thanks to the cloud. Few other technologies have had as big an impact on productivity, allowing people to easily access enterprise applications from anywhere and at any time, while facilitating better collaboration, scalability and decision-making. More and more organizations are reaping these benefits by migrating their core infrastructure and apps to a cloud platform.

 

But with the benefits inevitably come challenges, not least of which is managing access to enterprise resources located outside of an organization’s internal network perimeter. Traditional network security solutions were designed to protect data and devices located within the corporate perimeter. However, as employees increasingly demand the flexibility to work from anywhere and on a variety of devices, including mobile devices, and as valuable corporate data is no longer located in just one place, the idea of a network security perimeter is losing meaning. One of the main drawbacks of the perimeter model is that once attackers breach it, they have free rein within the organization’s internal network.

 

A Fading Perimeter Calls for a New Approach

 

To keep up with the challenges arising from an increasingly mobile workforce and from dynamic, dispersed cloud environments, security professionals must rethink traditional enterprise security. Check Point is taking a significant step in this direction by partnering with Google Cloud Identity to provide a zero trust (also known as BeyondCorp) approach to managing access to corporate resources and apps beyond the perimeter. Today, we’re joining Google Cloud’s BeyondCorp Alliance to help customers manage access to corporate data based on user identity attributes and device security posture.

 

Device-Level Security Signals for Smarter Access Management

 

Here’s how it works. Check Point SandBlast Mobile reports on the security posture of every mobile endpoint that accesses an organization’s resources and data. Security posture is determined from an analysis of app-, network- and device-based attack vectors. Malicious apps are identified using Check Point’s Behavioral Risk Engine, which combines static code-flow analysis, threat emulation and machine learning to detect both known and zero-day threats. This device security posture data is then fed to Google Cloud’s context-aware access engine, which can be used to control access to your LOB web apps, SaaS apps, and infrastructure resources such as VMs and APIs.

 

At the network layer, SandBlast Mobile protects against SSL attacks and also delivers powerful threat prevention capabilities through its On-device Network Protection (ONP) agent. Capabilities include anti-phishing, safe browsing, conditional access, anti-bot, and URL Filtering. And with all inspection happening locally on the device, both privacy and performance are preserved.

 

At the device level, SandBlast Mobile detects advanced jailbreak/rooting that may have been performed on the device, and analyzes the device for insecure configurations and other vulnerabilities.

 

Indicators of compromise (IOCs) are summarized in a risk score and combined with information on user identity and context of the request, to determine whether a user should be granted access to corporate resources and services.

 

With the integration of Check Point’s cutting-edge mobile security technology, customers can now gain unprecedented visibility over a device’s risk posture, augmenting what they know about the device and the context in which access is being requested.

 

Customers can leverage Check Point’s risk scores to create more granular and customized access policies for Google’s Cloud Identity, including G Suite. Granular controls make it easier for admins to grant context-aware access to resources, or to take more drastic measures if needed. For example, access can be blocked if Check Point SandBlast Mobile reports that a device is exposed to risk, or app data can be completely wiped from the device if the device is compromised.

 

Check Point SandBlast Mobile also reports on the health of its agent on the device – an important signal that can also be used to define access policy. If the agent is not properly installed or activated, access to corporate resources can be blocked. This input also provides admins the vital ability to enforce the proper installation and activation of Check Point SandBlast Mobile agent on endpoints across the organization, particularly on unmanaged devices.
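The decision flow described in the last few paragraphs (a risk score folded from app, network and device indicators, combined with identity, request context and agent health) can be written down as a small policy function. The following is an added illustration, not Check Point or Google code: the signal names, the 0-3 score scale, the thresholds and the three resulting actions are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class DevicePosture:
    """What the mobile agent reports for one device (assumed field names)."""
    app_iocs: List[Tuple[str, Severity]] = field(default_factory=list)      # e.g. ("malicious_app", HIGH)
    network_iocs: List[Tuple[str, Severity]] = field(default_factory=list)  # e.g. ("ssl_mitm", HIGH)
    device_iocs: List[Tuple[str, Severity]] = field(default_factory=list)   # e.g. ("jailbroken", HIGH)
    agent_active: bool = True  # agent installed and activated (the agent-health signal)


@dataclass
class AccessRequest:
    """Identity and context that arrive with the request (assumed field names)."""
    user_in_group: bool       # user is authorised for the resource at all
    resource_sensitive: bool  # e.g. finance app vs. cafeteria menu
    managed_device: bool      # enrolled device vs. BYOD


def risk_score(posture: DevicePosture) -> int:
    """Collapse all IOCs into one score: 0 (clean) to 3 (highest severity observed)."""
    iocs = posture.app_iocs + posture.network_iocs + posture.device_iocs
    return max((sev.value for _, sev in iocs), default=0)


def decide(posture: DevicePosture, request: AccessRequest) -> str:
    """Return ALLOW, BLOCK or WIPE_APP_DATA for one access request."""
    # Identity is necessary but never sufficient; no posture signal means no trust.
    if not request.user_in_group or not posture.agent_active:
        return "BLOCK"
    score = risk_score(posture)
    # A high-severity device-level IOC (root/jailbreak) means the device is
    # compromised: block and remove corporate app data from it.
    if any(sev is Severity.HIGH for _, sev in posture.device_iocs):
        return "WIPE_APP_DATA"
    if score >= Severity.HIGH.value:
        return "BLOCK"
    # Medium risk is tolerated only for non-sensitive resources on managed devices.
    if score == Severity.MEDIUM.value and (request.resource_sensitive or not request.managed_device):
        return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    clean = DevicePosture()
    rooted = DevicePosture(device_iocs=[("jailbroken", Severity.HIGH)])
    finance = AccessRequest(user_in_group=True, resource_sensitive=True, managed_device=True)
    print(decide(clean, finance), decide(rooted, finance))  # ALLOW WIPE_APP_DATA
```

The point of writing it out is that every branch is a testable rule: an agent that is not running is treated exactly like a hostile device, and the same medium-risk score leads to different outcomes depending on the resource and on whether the device is managed.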

 

Strengthening Zero Trust (aka BeyondCorp)

 

Google Cloud’s context-aware access, working with Check Point SandBlast Mobile, allows employees to securely access corporate resources from any device and any location without a traditional VPN. Context-aware access is the mechanism behind Google’s BeyondCorp security model, started in 2011 to move Google to a zero trust network and improve access management. The idea behind this model is that access to resources should not depend on the network a user happens to be connected to; instead, it should be conditional on user identity, device risk and other contextual attributes. In a zero trust security model, every access is authenticated and encrypted, regardless of whether it originates inside or outside the network security perimeter.

 

As one of the first companies to join Google Cloud’s BeyondCorp Alliance – a new initiative through which Google Cloud and select partners are working together to deliver better security solutions – Check Point is committed to strengthening Zero Trust implementation and extending it to every device that touches the enterprise security ecosystem. “SandBlast Mobile delivers Check Point’s cutting-edge threat prevention capabilities to the mobile device, to help its customers prevent attacks that attempt to exploit mobile users and their devices to gain unauthorized access to business resources,” said Ran Schwartz, Product Manager for SandBlast Mobile, upon launch of the joint solution.

 

The integration is already gaining traction in the field, with many mutual customers recognizing the benefits of perimeter-less access management. Together, with our customers and partners, this is one more step Check Point is taking to address enterprise security needs as they migrate to the cloud.

 

Learn more about SandBlast Mobile here. 

The post Check Point Partners with Google’s Cloud Identity to Improve Zero Trust Cloud Access appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2GhDZsQ

March 2019’s Most Wanted Malware: Cryptomining Still Dominates Despite Coinhive Closure

Check Point’s latest Global Threat Index sees cryptominers continuing to lead the top malware list despite Coinhive ceasing operation  

By Check Point’s Threat Intelligence Team, published April 9th 2019

 

In March 2019, Coinhive dropped from the top position of the global threat index for the first time since December 2017. Despite closing its service on 8 March, it still held 6th place in the list. Cryptoloot now leads the top malware list for the first time, and cryptominers continue to dominate the most prevalent malware aimed at organizations globally.

 

Despite its closure, the Coinhive JavaScript code is still in place on many websites. No mining is taking place, but if the value of Monero increases significantly, it is possible that Coinhive may come back to life. Another possibility is that other cryptominers will increase their activity in Coinhive’s absence. Instead of targeting websites, though, which has brought in limited gains since cryptocurrency values fell across the board after the highs of 2018, they may increasingly target enterprises’ cloud environments.

 

The built-in scalability of cloud environments allows mining to take place at far higher volumes. Check Point’s research team has begun to see organizations being billed hundreds of thousands of dollars by their cloud vendors for compute resources consumed by rogue cryptominers. This is a stark warning for organizations to secure their cloud environments against malware.

 

March 2019’s Top 10 ‘Most Wanted’:

 

*The arrows relate to the change in rank compared to the previous month.

  1. ↑ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, undercutting it by taking a smaller percentage of revenue from websites.
  2. ↑ Emotet – Advanced, self-propagating, modular Trojan. Emotet was once employed as a banking Trojan and is now used primarily as a distributor of other malware and malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It is spread mainly through phishing spam emails containing malicious attachments or links.
  3. ↑ XMRig – Open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  4. ↑ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  5. ↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↓ Coinhive – Crypto-miner designed to mine the Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript consumes substantial computational resources on end users’ machines and might crash the system.
  7. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↓ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  9. ↑ Lokibot – Info stealer distributed mainly by phishing emails and used to steal various data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.
  10. ↑ Mirai – Famous Internet-of-Things (IoT) malware that scans for vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks.

 

This month Hiddad is the most prevalent mobile malware, replacing Lotoor in first place in the top mobile malware list. Triada remains in third place.

 

March’s Top 3 ‘Most Wanted’ Mobile Malware:

 

  1. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
  3. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.

 

 

Check Point’s researchers also analyzed the most exploited vulnerabilities. CVE-2017-7269 still leads the top exploited vulnerabilities with a 44% global impact. Web Server Exposed Git Repository Information Disclosure is in second place, with OpenSSL TLS DTLS Heartbeat Information Disclosure in third, both impacting 40% of organizations worldwide.

 

 

March’s Top 3 ‘Most Exploited’ vulnerabilities:

 

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – A buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in Microsoft Internet Information Services 6.0 on Windows Server 2003 R2. By sending a PROPFIND request with an over-long If header, a remote attacker can execute arbitrary code or cause a denial of service on the target server; the root cause is missing length validation of that header.
  2. ↑ Web Server Exposed Git Repository Information Disclosure – The web server serves the application’s .git directory, so an unauthenticated client can retrieve repository metadata and reconstruct source code and history. Successful exploitation can disclose account information, for example credentials committed to the repository or embedded in its remote URLs.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability in OpenSSL caused by a missing bounds check when handling TLS/DTLS heartbeat packets. An attacker can use it to read up to 64 KB of memory from a connected client or server per heartbeat, which may include session keys, cookies and credentials.
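To make the second entry concrete, the following is an added example, not code from the Check Point post, of how a scanner decides that a web root really exposes a Git repository and whether the exposure already leaks account information. The HTTP responses are constructed for the example and stand in for what `GET /.git/HEAD` and `GET /.git/config` would return; the only thing the check trusts is the file format, not the status code alone.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample responses (status, body) for three probe paths under a web
# root. These are not real captures; the credential below is made up.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (
        200,
        "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
        '[remote "origin"]\n'
        "\turl = https://deploy:s3cr3tT0ken@git.example.com/acme/shop.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n",
    ),
    "/.git/index": (403, "Forbidden"),  # a partial block: listing denied, files still served
}

# .git/HEAD is either a symbolic ref or a bare commit hash (SHA-1 or SHA-256 repos).
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def head_is_git(status: int, body: str) -> bool:
    """True only if the body has the shape of a real HEAD file (a custom 200 error page fails)."""
    return status == 200 and HEAD_RE.match(body.strip()) is not None


def config_is_git(status: int, body: str) -> bool:
    """A git config always starts with a [core] section."""
    return status == 200 and "[core]" in body


def remote_urls(config_text: str) -> List[str]:
    """Pull every 'url = ...' value out of an INI-style git config."""
    urls = []
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "url":
            urls.append(value.strip())
    return urls


def leaked_credentials(url: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (user, password) if the remote URL carries embedded credentials."""
    parts = urlsplit(url)
    if parts.username:
        return parts.username, parts.password
    return None


def assess(responses: Dict[str, Tuple[int, str]]) -> List[str]:
    """Turn probe responses into findings; an empty list means no exposure detected."""
    findings = []
    status, body = responses.get("/.git/HEAD", (0, ""))
    if head_is_git(status, body):
        findings.append("exposed: /.git/HEAD readable (objects and history are likely retrievable)")
    status, body = responses.get("/.git/config", (0, ""))
    if config_is_git(status, body):
        findings.append("exposed: /.git/config readable")
        for url in remote_urls(body):
            cred = leaked_credentials(url)
            if cred:
                findings.append(f"credential in remote url: user={cred[0]} host={urlsplit(url).hostname}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RESPONSES):
        print(finding)
```

Two details matter in practice. Checking the file format rather than the status code avoids false positives from servers that answer every path with a 200 "not found" page. And the 403 on `/.git/index` in the sample is deliberate: denying directory listings or one file does not close the hole, because HEAD, refs and the loose objects are enough to rebuild the repository; the fix is to deny the whole `.git` prefix at the web server or, better, not deploy the working tree at all.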

 
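The third entry is the one with the simplest root cause, so it is worth showing the bug and the fix side by side. The following is an added illustration written for this page, not OpenSSL code and not from the Check Point post: it models a heartbeat message as the RFC 6520 layout (type, 16-bit payload length, payload, 16 bytes of padding) and simulates the heap with a byte string, so the "adjacent memory" and the cookie in it are constructed, not real captures. The two length checks in the fixed handler mirror the ones added in OpenSSL 1.0.1g.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """type(1) | payload_length(2) | payload | padding(16).
    A malicious client sets claimed_length larger than the payload it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def respond_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: trusts payload_length and copies that many bytes from the
    payload offset, so the copy runs past the record into whatever follows it on the heap."""
    _, claimed = struct.unpack("!BH", record[:3])
    heap = record + adjacent_memory  # the record sits at the start of a larger buffer
    payload = heap[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def respond_fixed(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Post-fix behaviour: validate the record length before touching it, and the
    claimed payload length against the record, then silently drop bad heartbeats."""
    if 1 + 2 + PADDING > len(record):
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + PADDING > len(record):
        return None
    payload = record[3:3 + claimed]  # adjacent_memory is never reachable here
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


# Constructed stand-in for heap memory next to the record buffer.
ADJACENT_MEMORY = b"Cookie: session=9f2a7c1e; Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example"

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=60)
    print(response_payload(respond_vulnerable(honest, ADJACENT_MEMORY)))  # b'ping'
    print(response_payload(respond_vulnerable(lying, ADJACENT_MEMORY)))   # b'ping' + padding + leaked memory
    print(respond_fixed(lying, ADJACENT_MEMORY))                          # None
```

The real bug allowed a claimed length up to 65535, which is where the commonly quoted 64 KB per heartbeat comes from, and nothing in the protocol required the attacker to authenticate first; the sample keeps the numbers small so the leaked bytes are visible in the output.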

The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html

The post March 2019’s Most Wanted Malware: Cryptomining Still Dominates Despite Coinhive Closure appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2UpvxRd

Check Point ZoneAlarm Extreme Security earns Best+++ Award from AVLab Test

By Lloyd Tanaka, Product Marketing Manager, Threat Prevention, April 8th 2019

 

In February of this year, AVLab performed comprehensive tests to determine which of 27 Windows 10 security solutions could best defend against a series of simulated attacks on online banking. ZoneAlarm Extreme Security passed with flying colors, scoring a perfect 11 out of 11 tests and receiving the firm’s Best+++ Award recommendation.

 

 

AVLab Test System

 

All products were tested according to AVLab’s standardized procedure and the results are fully audited. The test followed these steps:

 

  1. Installation of the tested solution on a previously prepared Windows 10 image.
  2. Sequential launching of the samples (malware was downloaded to the system through the Chrome browser from a temporary server).
  3. Repeating the tests with modified settings.
  4. Recording the results.

 

AVLab challenged each solution to detect thirteen in-the-wild banking Trojans, as well as to defend against clipboard hijacking and swapping, keylogging, screenshot capture, RAM scraping, man-in-the-middle and HOSTS-file modification attacks, among others.

 

ZoneAlarm Extreme Security detected all attacks. In their write-up, AVLab highlighted several ZoneAlarm capabilities:

 

  • Threat Emulation to protect against new file-encrypting malware
  • A firewall that protects against modification of the HOSTS file and can thwart internet attacks
  • Browser protection backed by the ThreatCloud intelligence database

 

To get the details of this AVLab test, read the full report here.

 

ZoneAlarm Extreme Security 2019 protects Windows PCs from unknown viruses and network threats, including zero-day attacks, by analyzing suspicious files in the cloud before they can harm your computer. It combines internet security, firewall protection and advanced antivirus filtering in one package.

 

Available by mid-2019, the new ZoneAlarm Extreme package will include award-winning anti-ransomware and multi-device protection, enabling users to protect their iOS and Android devices in addition to their Windows PCs.

 

The post Check Point ZoneAlarm Extreme Security earns Best+++ Award from AVLab Test appeared first on Check Point Software Blog.



from Check Point Software Blog http://bit.ly/2uTTscc

Meet Yurei: The New Ransomware Group Rising from Open-Source Code

New Group, Fast Growth: Yurei ransomware first appeared on September 5, already listing three victims in Sri Lanka, India, and Nigeria with...