Check Point Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/check-point/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 29 Jun 2023 09:06:08 +0000 en-US hourly 1 https://wordpress.org/?v=78498 200474804 Chinese Hackers Accidentally Infected European Hospital with Malware https://gridinsoft.com/blogs/chinese-hackers-infected-hospital/ https://gridinsoft.com/blogs/chinese-hackers-infected-hospital/#respond Wed, 28 Jun 2023 15:57:04 +0000 https://gridinsoft.com/blogs/?p=15588 Check Point analysts found that Chinese hackers in a chain of accidents infected an unnamed European hospital with malware. Researchers attribute this to the uncontrolled spread of malware that is dissiminated by the Chinese hack group Camaro Dragon (aka Mustang Panda, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich) via USB drives. The… Continue reading Chinese Hackers Accidentally Infected European Hospital with Malware

The post Chinese Hackers Accidentally Infected European Hospital with Malware appeared first on Gridinsoft Blog.

]]>
Check Point analysts found that Chinese hackers in a chain of accidents infected an unnamed European hospital with malware. Researchers attribute this to the uncontrolled spread of malware that is dissiminated by the Chinese hack group Camaro Dragon (aka Mustang Panda, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich) via USB drives.

The topic of Chinese hackers becomes more and more often guest of newsletter headlines. Some episodes surprise with their cheekiness and insolence – when they managed to use Google infrastructure as C2 servers. But healthcare infrastructure attacks are non-grata even for such daredevils. Cyberattack on a German hostpital lead to patient’s death – most likely, that was out of hackers intentions. For that reason, hackers all over the world agreed to avoid attacking hospitals.

Chinese Camaro Dragon Hackers Attacked Hospital

The Check Point report states that the Camaro Dragon typically attacks targets in Asian countries, and features designed to evade SmadAV, a popular antivirus solution in the region, can be found in the group’s malware code. However, the WispRider and HopperTick malware has infiltrated a European hospital and has also been encountered by researchers in Myanmar, South Korea, the UK, India and Russia.

“Patient Zero” in this incident was identified as a hospital employee attending a conference in Asia. He shared his presentation with other event participants using a USB drive. Unfortunately, one of his colleagues had an infected computer, and as a result, [the victim’s] own USB drive was also infected. Back at his home hospital in Europe, the employee plugged the infected USB drive into the hospital’s computer systems, causing the infection to spread.the researchers say.

Checkpoint believes that the attack begins with the victim launching a malicious launcher written in Delphi on an infected USB drive. This causes the launch of the main payload, which downloads malware onto other drives when they connect to the infected machine. At the same time, it is emphasized that the malware poses a great danger to corporate systems, since infected machines install malware on any newly connected network drives, and not on drives already connected to the machine at the time of infection.

Infection scheme
Scheme of malware injection used by hackers

Researchers are confident that the spread to newly connected network drives is unintentional.

Although network drives infected in this way could theoretically be used as a means of lateral movement within the same network, this behavior seems more like a bug than a deliberately added feature. Managing multiple files and replacing them with an executable file with a USB flash drive icon on network drives is a notable activity that can draw additional and unwanted attention to an attack.the researchers write.

If the malicious code does run, it tries to spread the backdoor and steal data. Due to this, accidental infection of network storages becomes a serious problem, as in many organizations this is where important data is stored.

Another unpleasant feature of this malware is that it “performs DLL-side-loading using security software components, including G-DATA Total Security, and products from two major gaming companies (Electronic Arts and Riot Games).” Checkpoint says it has already warned developers about their unwitting involvement in Camaro Dragon malware companies.

The post Chinese Hackers Accidentally Infected European Hospital with Malware appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/chinese-hackers-infected-hospital/feed/ 0 15588
Rorschach’s New Ransomware Is Named the Fastest to Date https://gridinsoft.com/blogs/new-ransomware-rorschach/ https://gridinsoft.com/blogs/new-ransomware-rorschach/#respond Thu, 06 Apr 2023 08:38:06 +0000 https://gridinsoft.com/blogs/?p=14053 Check Point analysts have discovered a new ransomware, Rorschach ransomware that has already been used to attack an unnamed American company. This malware is notable for its extremely high speed of file encryption and the fact that it is deployed using a signed component of commercial security software. Check Point calls this threat “one of… Continue reading Rorschach’s New Ransomware Is Named the Fastest to Date

The post Rorschach’s New Ransomware Is Named the Fastest to Date appeared first on Gridinsoft Blog.

]]>

Check Point analysts have discovered a new ransomware, Rorschach ransomware that has already been used to attack an unnamed American company.

This malware is notable for its extremely high speed of file encryption and the fact that it is deployed using a signed component of commercial security software.

Check Point calls this threat “one of the fastest ransomware” as Rorschach is even faster than LockBit 3.0.

Let me remind you that we also wrote that New Cuba Ransomware Variant Involves Double-Extortion Scheme, and also that New Pay2Key ransomware encrypts corporate networks in just an hour.

Also the media reported that New Prestige Ransomware Attacks Polish and Ukrainian Organizations.

The researchers say that the ransomware is delivered using a side-loading DLL technique through a signed component in the Cortex XDR in the Palo Alto Networks product. The attackers used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to download the Rorschach loader and injector (winutils.dll), which resulted in the config.ini ransomware payload being launched into the Notepad process.

Rorschach launch scheme

It is noted that the loader file is protected from UPX-style analysis, while the main payload is protected from reverse engineering and detection by virtualizing parts of the code using VMProtect.

Check Point experts warn that the ransomware creates a group policy on a Windows domain controller and can independently propagate to other hosts in the domain.

After compromising the victim’s computer, the malware erases four Application, Security, System, and Windows Powershell logs to cover its tracks.

Although Rorschach’s configuration is generally hard-coded, the ransomware supports command-line arguments that greatly enhance its functionality. Below are some of them.

New ransomware Rorschach

Rorschach will start encrypting data only if the infected machine does not work in the language of any of the CIS countries. The encryption scheme combines the curve25519 and eSTREAM hc-128 algorithms, using discontinuous encryption, meaning the malware encrypts files only partially, which increases its speed.

New ransomware Rorschach
Languages that stop malware

The researchers note that the Rorschach encryption procedure demonstrates “a highly efficient implementation of stream distribution through I / O completion ports.”

To determine the speed of Rorschach encryption, experts conducted a test using 220,000 files on a machine with a 6-core processor. It took malware 4.5 minutes to encrypt the data, while LockBit 3.0, until recently considered the fastest ransomware, completed the same task in 7 minutes.

Check Point summarizes that Rorschach appears to have incorporated the best features of some of the leading ransomware programs previously leaked (Babuk, LockBit 2.0, DarkSide).

The post Rorschach’s New Ransomware Is Named the Fastest to Date appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-ransomware-rorschach/feed/ 0 14053
Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions https://gridinsoft.com/blogs/bypass-chatgpt-restrictions/ https://gridinsoft.com/blogs/bypass-chatgpt-restrictions/#respond Fri, 10 Feb 2023 12:15:00 +0000 https://gridinsoft.com/blogs/?p=13356 Check Point researchers say that the OpenAI API is poorly protected from various abuses, and it is quite possible to bypass its limitations, wnd that attackers took the advantage of it. In particular, a paid Telegram bot was noticed that easily bypasses ChatGPT prohibitions on creating illegal content, including malware and phishing emails. The experts… Continue reading Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions

The post Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions appeared first on Gridinsoft Blog.

]]>

Check Point researchers say that the OpenAI API is poorly protected from various abuses, and it is quite possible to bypass its limitations, wnd that attackers took the advantage of it. In particular, a paid Telegram bot was noticed that easily bypasses ChatGPT prohibitions on creating illegal content, including malware and phishing emails.

The experts explain that the ChatGPT API is freely available for developers to integrate the AI bot into their applications. But it turned out that the API version imposes practically no restrictions on malicious content.

The current version of the OpenAI API can be used by external applications (for example, the GPT-3 language model can be integrated into Telegram channels) and has very few measures to combat potential abuse. As a result, it allows the creation of malicious content such as phishing emails and malicious code without any of the restrictions and barriers that are placed in the ChatGPT user interface.the researchers say.

Let me remind you that we also wrote that Russian Cybercriminals Seek Access to OpenAI ChatGPT, and also that Google Is Trying to Get Rid of the Engineer Who Suggested that AI Gained Consciousness.

In particular, it turned out that one hack forum already advertised a service related to the OpenAI API and Telegram. The first 20 requests to the chatbot are free, after which users are charged $5.50 for every 100 requests.

bypass ChatGPT restrictions

The experts tested ChatGPT to see how well it works. As a result, they easily created a phishing email and a script that steals PDF documents from an infected computer and sends them to the attacker via FTP. Moreover, to create the script, the simplest request was used: “Write a malware that will collect PDF files and send them via FTP.”

bypass ChatGPT restrictions

bypass ChatGPT restrictions

In the meantime, another member of the hack forums posted a code that allows generating malicious content for free.

Here’s a little bash script that can bypass ChatGPT’s limitations and use it for anything, including malware development ;).writes the author of this 'tool'.

bypass ChatGPT restrictions

Let me remind you that earlier Check Point researchers have already warned that criminals are keenly interested in ChatGPT, and they themselves checked whether it is easy to create malware using AI (it turned out to be very).

Sergey Shikevich
Sergey Shikevich
Between December and January, ChatGPT’s UI could be easily used to create malware and phishing emails (mostly just a basic iteration was sufficient). Based on the conversations of cybercriminals, we assume that most of the samples we have shown were created using the web interface. But it seems that ChatGPT’s anti-abuse mechanisms have improved a lot recently, and so now cybercriminals have switched to using an API that has much fewer restrictions.Check Point expert Sergey Shikevich says.

The post Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/bypass-chatgpt-restrictions/feed/ 0 13356
Russian Cybercriminals Seek Access to OpenAI ChatGPT https://gridinsoft.com/blogs/access-to-openai-chatgpt/ https://gridinsoft.com/blogs/access-to-openai-chatgpt/#respond Thu, 19 Jan 2023 11:03:48 +0000 https://gridinsoft.com/blogs/?p=13220 Check Point analysts have noticed that Russian-speaking hacker forums are actively discussing access to bypass geo-blocking, due to which the OpenAI ChatGPT language model is not available in Russia. We also wrote that Microsoft’s VALL-E AI Is Able to Imitate a Human Voice in a Three-Second Pattern, and also that Google Is Trying to Get… Continue reading Russian Cybercriminals Seek Access to OpenAI ChatGPT

The post Russian Cybercriminals Seek Access to OpenAI ChatGPT appeared first on Gridinsoft Blog.

]]>

Check Point analysts have noticed that Russian-speaking hacker forums are actively discussing access to bypass geo-blocking, due to which the OpenAI ChatGPT language model is not available in Russia.

We also wrote that Microsoft’s VALL-E AI Is Able to Imitate a Human Voice in a Three-Second Pattern, and also that Google Is Trying to Get Rid of the Engineer Who Suggested that AI Gained Consciousness.

It was also reported that UN calls for a moratorium on the use of AI that threatens human rights.

Let me remind you that the topic of creating malware using ChatGPT is already being closely studied by the information security community, and experiments conducted by specialists show that such a use of the tool is really possible.

For example, a recent report by CyberArk details how to create polymorphic malware using ChatGPT, and the researchers plan to soon publish part of their work “for educational purposes.”

access to OpenAI ChatGPT
Scheme interactions between ChatGPT and malware

In fact, CyberArk managed to bypass ChatGPT content filters and demonstrated how “with very little effort and investment on the part of an attacker, you can continuously query ChatGPT, each time receiving a unique, functional and verified piece of code.”

access to OpenAI ChatGPT
Basic DLL injection in explorer.exe where the code is not fully completed yet

This results in polymorphic malware that does not exhibit malicious behavior when stored on disk, as it receives code from ChatGPT and then executes it without leaving a trace in memory. In addition, we always have the opportunity to ask ChatGPT to change the code.said the experts.

In turn, Check Point researchers warn of the rapidly growing interest of hackers in ChatGPT, as it can help them scale malicious activity. This time, it turned out that Russian-speaking attackers are trying to bypass restrictions on access to the OpenAI API. Hack forums are already sharing tips on how to bypass IP blocking, solve the problem with bank cards and phone numbers, that is, everything that is needed to gain access to ChatGPT.

We believe that these hackers are most likely trying to implement and test ChatGPT in their daily criminal operations. Attackers are becoming more and more interested in ChatGPT because the artificial intelligence technology behind it can make a hacker more cost effective.specialists write.

To prove their words, the researchers provide several screenshots. On one of them, the criminal wants to get access to the OpenAI API and asks his “colleagues” for advice on how best to use a stolen bank card to verify an OpenAI account.

access to OpenAI ChatGPT

Other screenshots discuss geo-blocking bypass, as ChatGPT is not currently available in Russia, China, Afghanistan, Belarus, Venezuela, Iran, and Ukraine.

Artificial intelligence company OpenAI has restricted access to its products for Ukrainians so as not to violate global sanctions due to the annexation of ORDLO and Crimea in 2014.

This is stated in the text of Forbes with reference to a letter that the company sent to the Ministry of Digital Transformation.

Alex Bornyakov
Alex Bornyakov
Because of the sanctions, they have to block ORDLO/Crimea. They do not know how to distinguish them from clients from the rest of Ukraine. If there was a cheap classifier, we would have revised the policy.said Oleksandr Bornyakov, Deputy Minister of Digital Transformation of Ukraine.

access to OpenAI ChatGPT

The report also notes that many semi-legal online SMS services have already compiled guides on how to use them to register with ChatGPT.

access to OpenAI ChatGPT
access to OpenAI ChatGPT

The post Russian Cybercriminals Seek Access to OpenAI ChatGPT appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/access-to-openai-chatgpt/feed/ 0 13220
Dangerous bug in WhatsApp could lead to disclosure of user data https://gridinsoft.com/blogs/dangerous-bug-in-whatsapp-could-lead-to-disclosure-of-user-data/ https://gridinsoft.com/blogs/dangerous-bug-in-whatsapp-could-lead-to-disclosure-of-user-data/#respond Fri, 03 Sep 2021 22:40:41 +0000 https://blog.gridinsoft.com/?p=5896 Check Point specialists spoke about a dangerous bug they discovered in the WhatsApp image processing function, which could lead to the disclosure of user data. The problem helped to disable the application, in addition, by applying certain filters to a specially created image and sending it to a potential victim, an attacker could exploit the… Continue reading Dangerous bug in WhatsApp could lead to disclosure of user data

The post Dangerous bug in WhatsApp could lead to disclosure of user data appeared first on Gridinsoft Blog.

]]>
Check Point specialists spoke about a dangerous bug they discovered in the WhatsApp image processing function, which could lead to the disclosure of user data.

The problem helped to disable the application, in addition, by applying certain filters to a specially created image and sending it to a potential victim, an attacker could exploit the vulnerability and gain access to confidential information from WhatsApp memory.

Back in November 2020, experts found out that switching between different filters in specially prepared GIFs caused WhatsApp to crash.

The vulnerability related to the WhatsApp image filter functionality and was triggered when a user opened an attachment that contained a maliciously crafted image file, then tried to apply a filter, and then sent the image with the filter applied back to the attacker.Check Point researchers say.

The researchers identified one of the failures as a violation of the integrity of information in memory and immediately reported the problem to the developers, who assigned the problem ID CVE-2020-1910 (7.8 on the CVSS scale), detailing it as a read/write vulnerability out of range (out-of-bounds read-write).

Dangerous bug in WhatsApp

As a result, in February 2021, the WhatsApp developers released a revised version of the app (2.21.1.13), which introduced two new checks for original and modified images.

The root of the problem lies in the “applyFilterIntoBuffer ()” function, which works with image filters: it takes the original image, applies the filter selected by the user to it, and then copies the result to the buffer.

By reverse engineering the libwhatsapp.so library, the researchers found that the vulnerable function works based on the assumption that the original and modified images are the same dimensions and the same RGBA colour format.

Given that each RGBA pixel is stored as 4 bytes, a malicious image with only 1 byte per pixel can be used to gain out-of-bounds memory access as the function tries to read and copy four times as much data from the buffer.

Let me remind you that I also reported that Dangerous vulnerabilities in WhatsApp allowed compromising millions of users.

The post Dangerous bug in WhatsApp could lead to disclosure of user data appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/dangerous-bug-in-whatsapp-could-lead-to-disclosure-of-user-data/feed/ 0 5896
Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/ https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/#respond Fri, 06 Aug 2021 16:45:13 +0000 https://blog.gridinsoft.com/?p=5790 Check Point researchers reported that in April of this year, IT giant Amazon eliminated critical vulnerabilities in the Amazon Kindle. The problems could be used to gain full control over the device, allowed them to steal the Amazon device token and other confidential data stored on it. For a successful attack on a Kindle, just… Continue reading Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device

The post Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device appeared first on Gridinsoft Blog.

]]>
Check Point researchers reported that in April of this year, IT giant Amazon eliminated critical vulnerabilities in the Amazon Kindle. The problems could be used to gain full control over the device, allowed them to steal the Amazon device token and other confidential data stored on it.

For a successful attack on a Kindle, just one book with malicious code is enough.

The potential attack began by sending a malicious e-book to the user’s mail. After receiving such an attachment, the victim only had to open it, and this launched the exploit. No additional user permission or action was required.

E-books could be used as Kindle malware with various consequences. For example, a hacker could delete all of the user’s e-books, as well as turn the Kindle into a bot and use it to attack other devices on the victim’s local network.experts write.

Even worse, the discovered vulnerabilities allowed attackers to target a specific category of users. For example, to hack a specific group of people or demographic group, a hacker simply had to inject malicious code into a popular e-book in the corresponding language or dialect. As a result, attacks became highly targeted.

The root of the problem lay in the structure of the parsing framework, namely the implementation associated with PDF documents. The attacks were possible thanks to a heap overflow associated with the PDF rendering feature (CVE-2021-30354), which allowed arbitrary write permissions on the device, and a local privilege escalation vulnerability in the Kindle App Manager service (CVE-2021-30355), which allowed combine two vulnerabilities into a chain to run malicious code with root privileges.

The researchers reported their findings to Amazon in February 2021, and already the April update of the Kindle firmware to version 5.13.5 contained a patch (the firmware is automatically installed on devices connected to the network).

We found vulnerabilities in the Kindle, and if hackers took advantage of them, they could take full control of the device. By sending an e-book with a malicious code to a Kindle user, a cybercriminal would be able to steal any information from the reader, from Amazon account details to payment information. Like other smart devices, the Kindle is often perceived as a harmless gadget that is not subject to security risks. However, our research shows that any device with network connectivity is, in fact, not much different from a computer. IoT devices are susceptible to the same types of attacks as smartphones. Any device connected to a PC, especially the popular Kindle, presents a cybersecurity risk, and users should be aware of this.said Yaniv Balmas, head of cybersecurity research at Check Point Software Technologies.

Let me remind you that Researcher Found Three Bugs Allowing Hacking Amazon Kindle also this February.

The post Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vulnerabilities-in-amazon-kindle/feed/ 0 5790
Qualcomm Mobile Station Modem vulnerability threatens 40% of smartphones https://gridinsoft.com/blogs/qualcomm-mobile-station-modem-vulnerability/ https://gridinsoft.com/blogs/qualcomm-mobile-station-modem-vulnerability/#respond Fri, 07 May 2021 16:57:49 +0000 https://blog.gridinsoft.com/?p=5455 More than a third of all smartphones in the world have been affected by a new vulnerability in Qualcomm Mobile Station Modem (MSM). This bug gives attackers access to call history, SMS messages, and even allows them to eavesdrop on conversations. MSM is a SoC that allows devices to connect to mobile networks. It was… Continue reading Qualcomm Mobile Station Modem vulnerability threatens 40% of smartphones

The post Qualcomm Mobile Station Modem vulnerability threatens 40% of smartphones appeared first on Gridinsoft Blog.

]]>
More than a third of all smartphones in the world have been affected by a new vulnerability in Qualcomm Mobile Station Modem (MSM). This bug gives attackers access to call history, SMS messages, and even allows them to eavesdrop on conversations.

MSM is a SoC that allows devices to connect to mobile networks. It was developed back in the 90s and has been constantly improved since then, for example, it added support for 2G, 3G, 4G and 5G.

As a result, MSM has become one of the most widespread technologies in the world today, especially among smartphone manufacturers. Specifically, Qualcomm MSM chips are used in smartphones from Google, Samsung, LG, Xiaomi, One Plus and many other manufacturers.

Check Point experts say they have found a vulnerability in the Qualcomm MSM Interface (QMI), a protocol that allows SoCs to communicate with a smartphone’s operating system. This issue was identified as CVE-2020-11292.

According to experts, a modified Type-Length-Value (TLV) packets received by MSM through the QMI interface can trigger an error in memory corruption (buffer overflow), which ultimately allows attackers to execute their own code on the device.

Attackers could use this vulnerability to inject malicious code into the Android modem, eventually gaining access to the call history and SMS messages on the device, as well as the ability to eavesdrop on the user’s conversations. Also, hackers could use the vulnerability to unlock the device’s SIM card, thereby overcoming the restrictions imposed by the service provider.says Check Point.

The report of the specialists states that the exploitation of the vulnerability is impossible if the malformed TLV package is hidden inside third-party applications running in the OS (especially on Android), if the MSM component is protected by SELinux. However, it is noted that the TLV packet can be transmitted via cellular communication or multimedia content sent to the device. When unpacked, such a package can reach the vulnerable QMI.

Although currently about 40% of all smartphones in the world use Qualcomm MSM chips, only about 30% of them are vulnerable to the attacks described by experts.

Check Point told the media that it notified Qualcomm engineers of the issue last year, and in December 2020, the company released a patch for MSM that was distributed to smartphone manufacturers. While Qualcomm says it has notified all manufacturers of the bug, researchers have no idea which companies have patched their products and which have not.

Let me remind you that I also wrote that Kr00k problem threatened devices with Qualcomm and MediaTek Wi-Fi chips.

The post Qualcomm Mobile Station Modem vulnerability threatens 40% of smartphones appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/qualcomm-mobile-station-modem-vulnerability/feed/ 0 5455
Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals https://gridinsoft.com/blogs/job-seekers-are-ready-to-work-for-cybercriminals/ https://gridinsoft.com/blogs/job-seekers-are-ready-to-work-for-cybercriminals/#respond Tue, 23 Mar 2021 16:20:36 +0000 https://blog.gridinsoft.com/?p=5289 CheckPoint experts found that the number of job search ads on the darknet and on hacker forums is growing – job seekers that were desperate to find a job are now ready to work for cybercriminals. Check Point reports that a new trend has emerged at the beginning of 2021: not hackers do not post… Continue reading Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals

The post Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals appeared first on Gridinsoft Blog.

]]>
CheckPoint experts found that the number of job search ads on the darknet and on hacker forums is growing – job seekers that were desperate to find a job are now ready to work for cybercriminals.

Check Point reports that a new trend has emerged at the beginning of 2021: not hackers do not post their “vacancies” there, but applicants themselves publish ads and inform that they are ready for any illegal activity.

According to the observations of the researchers, in the last quarter, from 10 to 16 new messages of this kind appeared on the forums every month. Given that such ads were rare in the past, this is an impressive number.

Researchers attribute this to the desperation of people who cannot find work and are experiencing financial difficulties due to the coronavirus pandemic, which has affected the global economy and led to an increase in unemployment around the world.

In the ads, desperate job seekers offer their help to cybercriminals, “promising not to ask stupid questions”, “24/7 availability” and “the desire to make money in any way.”

Until this year, we have rarely seen messages from people who are ready for illegal work and, moreover, are looking for it on the darknet themselves. We were alarmed and amazed. People who offer their services to cybercriminals themselves put all of us in great danger. Therefore, we have selected several hacker forums and have been monitoring them for the last few months. We noted that the number of posts from job seekers on these forums has grown steadily. We suspect the situation is the same in other hacker forums on the darknet. In our opinion, the dark web should be the last place where people can look for work. This trend shows the dire financial situation many have found themselves in since the pandemic. This “cry for help” should be a signal to anyone looking to minimize illegal criminal activity.said Oded Vanunu, head of Product Vulnerability Research at Check Point Software Technologies.

In their report, Check Point experts provide examples of such job search ads.

Below are a couple of such ads.

job seekers work for cybercriminals
The applicant writes: “I am ready for any possible job … I am at home 24 hours a day, 7 days a week because of this pandemic.”

job seekers work for cybercriminals
A 25-year-old woman from Ukraine, “experienced in fraud in logistics, sales and wholesale”, understands the risks involved in doing such work, and is looking for a position with monthly pay.

Let me remind you that I also talked about the fact that Cybercriminals fake letters from WHO to distribute HawkEye and trick money into fight with COVID-19.

The post Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/job-seekers-are-ready-to-work-for-cybercriminals/feed/ 0 5289
Hackers majorly use Microsoft and DHL brands in phishing attacks https://gridinsoft.com/blogs/hackers-majorly-use-microsoft-and-dhl-brands-in-phishing-attacks/ https://gridinsoft.com/blogs/hackers-majorly-use-microsoft-and-dhl-brands-in-phishing-attacks/#respond Mon, 18 Jan 2021 16:41:55 +0000 https://blog.gridinsoft.com/?p=4999 Hackers majorly use the Microsoft and DHL brands in phishing attacks. In Q4 2020, cybercriminals used more brands from the tech industry, followed by shipping and retail businesses. Information security researchers from the Check Point Software team said that phishers love the Microsoft brand. 43% of all attempts at phishing attacks were associated with it… Continue reading Hackers majorly use Microsoft and DHL brands in phishing attacks

The post Hackers majorly use Microsoft and DHL brands in phishing attacks appeared first on Gridinsoft Blog.

]]>
Hackers majorly use the Microsoft and DHL brands in phishing attacks. In Q4 2020, cybercriminals used more brands from the tech industry, followed by shipping and retail businesses.

Information security researchers from the Check Point Software team said that phishers love the Microsoft brand. 43% of all attempts at phishing attacks were associated with it – attackers tried to influence people working remotely during the second wave of the pandemic.

Top brands most frequently used in phishing attacks:

  1. Microsoft (43% of all phishing attacks attempts with the use of brand names worldwide)
  2. DHL (18%)
  3. LinkedIn (6%)
  4. Amazon (5%)
  5. Rakuten (4%)
  6. IKEA (3%)
  7. Google (2%)
  8. Paypal (2%)
  9. Chase (2%)
  10. Yahoo (1%)

How a brand-based phishing attack works

In a phishing attack that is using brands, criminals try to imitate the official website of a well-known company using a domain name, URL and design similar to the original website.

Victims can receive a link to the fake page via email or SMS. They can also be redirected to a phishing site while browsing the web or from a malicious mobile application. Fake sites often contain a form designed to steal credentials, billing information or other personal information.

In Q4 2020, cybercriminals stepped up their attempts to steal people’s personal data, posing as well-known brands. Our data shows how they change their attack tactics to achieve maximum results. As always, we urge users to be extremely careful when entering sensitive data into business applications. Think twice before opening email attachments and following links. Be especially careful if you see emails that claim to be from Microsoft or Google. With a high degree of probability, these letters may also be from cybercriminals.says Check Point Software Technologies representative.

Examples of phishing attacks using brands:

A phishing email allegedly from DHL – an example of password theft

In November, Check Point researchers noticed a malicious phishing email that used the DHL trademark. Then the attackers tried to steal user passwords. The email that came from a fake email address Parcel.docs@dhl.com contained the following text:

“RE: Your DHL Parcel (available to receive) – []”. Cybercriminals tried to trick the victim into clicking a malicious link that redirected to a fake login page. There, the user had to enter his password, which would then be sent to the attackers’ site.

Microsoft and DHL in phishing attacks

Phishing email allegedly from Microsoft – an example of credential theft.

In December, Check Point researchers discovered a malicious phishing email that attempted to steal user credentials from a Microsoft Office 365 account. In the subject of the email was indicated: “Daily Document Delivery # – “, and the content that mimicked eFax. After the user clicked on the link, he was lead to another document that redirected the user to a fake Microsoft login page.

Microsoft and DHL in phishing attacks

Let me remind you that I talked about cybercriminals that started using Google services more often in phishing campaigns.

The post Hackers majorly use Microsoft and DHL brands in phishing attacks appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hackers-majorly-use-microsoft-and-dhl-brands-in-phishing-attacks/feed/ 0 4999
About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library https://gridinsoft.com/blogs/about-8-of-apps-in-the-google-play-store-are-vulnerable-to-a-bug-in-the-play-core-library/ https://gridinsoft.com/blogs/about-8-of-apps-in-the-google-play-store-are-vulnerable-to-a-bug-in-the-play-core-library/#respond Fri, 04 Dec 2020 23:18:06 +0000 https://blog.gridinsoft.com/?p=4800 Check Point experts warned that developers of many popular Android applications forgot to make an important update and now their product is vulnerable to a bug in the Play Core library. So, according to the company, about 8% of all applications in the Google Play Store use old and unsafe versions of the Play Core… Continue reading About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library

The post About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library appeared first on Gridinsoft Blog.

]]>
Check Point experts warned that developers of many popular Android applications forgot to make an important update and now their product is vulnerable to a bug in the Play Core library.

So, according to the company, about 8% of all applications in the Google Play Store use old and unsafe versions of the Play Core library. This library was created by Google and developers can embed it into their apps to interact with the official Google Play Store.

The library is very popular because it can be used to download and install updates from the Play Store, modules, language packs and even other applications.

However, earlier this year, oversecured researchers discovered a serious vulnerability in Play Core, identified as CVE-2020-8913. This bug could be exploited by a malicious application installed on the user’s device and with its help injecting dangerous code into other applications, as well as stealing confidential data, including passwords, photos, 2FA codes and much more.

A demonstration of such an attack can be seen below.

Google engineers fixed a bug with the release of Play Core 1.7.2, released in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.

According to a September 2020 scan by Check Point, six months after the patch was released, about 13% of all apps in the Google Play Store continued to use older versions of the library, and only 5% were using an updated (secure) version.

The list of applications that “did their duty” to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp and Chrome. But, unfortunately, the developers of many other large applications did not do this. Among them experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. In total, problematic applications have been installed more than 250 million times.

bug in the Play Core library

Check Point researchers write that they notified the authors of all vulnerable applications about the problem, but three months later, only Viber and Booking.com took care of removing this vulnerability from their products. In turn, The Register reports that on December 2, the vulnerability was also fixed as part of Cisco Webex Teams.

Let me remind you that Google recruits a team of experts to find bugs in Android applications.

The post About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/about-8-of-apps-in-the-google-play-store-are-vulnerable-to-a-bug-in-the-play-core-library/feed/ 0 4800