Home Tags Checkpoint

Tag: Checkpoint

The stealth-action tale of killer clones is one of the scariest Irsquo;ve played all year.
"This technology at the airport... is premature.
Itrsquo;s not the right way to go."
Man charged by Oregon, and the feds, for stripping at a TSA checkpoint.
This research started when we discovered an infected Pokeacute;mon GO guide in Google Play. We detected the malware as Trojan.AndroidOS.Ztorg.ad.

After some searching, I found some other similar infected apps that were being distributed from the Google Play Store.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.
But it only works if you’re monitoring a brain while the crime’s taking place.
Ars tours the training facility the military is using to teach humans how to help robots help us.

Checkpoint says it has found one million accounts compromised by Gooligan.

Malware intended to boost advertising revenue and app ratings on the Google Play store could potentially infect 74 percent of Android devices, according to security researchers.

Nicknamed "Gooligan," the malware uses a phishing scam to steal authentication tokens for Google accounts, allowing it to download fake apps to the users' Android phones and tablets without their knowledge, according to Checkpoint Security.

Gooligan's primary motivation appears to be monetary. Its creators likely receive payment when the apps it downloads promote themselves by using the hijacked Google account to leave fake positive reviews and simulate tapping on ads.

There is no evidence that Gooligan is accessing any user data from hijacked accounts, according to Google. The company wrote in a blog post that it is aware of other similar malware—it calls the genre "Ghost Push"—and is working with Checkpoint to investigate and protect users.

Ghost Push affects older Android Ice Cream, Jelly Bean, KitKat, and Lollipop mobile operating systems, but they are found on 74 percent of Android devices.

Checkpoint says it has found one million accounts compromised by Gooligan; 57 percent are in Asia, 19 percent in the Americas, 15 percent in Africa, and 9 percent in Europe. Its team created a tool to check if your account has been compromised, as well as a list of apps known to be affected by Gooligan.

The apps appear to be mostly junk utilities and games, with names like WiFi Enhancer, Perfect Cleaner, and Puzzle Bubble-Pet Paradise.

Gooligan is one of many strains of Ghost Push malware to surface. The Android security team has been tracking the Ghost Push family since 2014, and last year found more than 40,000 apps associated with it. In addition to Gooligan, there are potentially more than 150,000 similair malware strains, Google said. Each time it finds one, it revokes the stolen authentication tokens and notifies users that their accounts have been breached.

A new Android malware has managed to steal access to more than 1 million Google accounts, and it continues to infect new devices, according to security firm Checkpoint. “We believe that it is the largest Google account breach to date,” the security firm said in a blog post. The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia. Gooligan masquerades as legitimate-looking Android apps. Checkpoint has found 86 titles, many of which are offered on third-party app stores, that contain the malicious coding. Once Gooligan is installed, it attempts to root the device, as a way to gain full control. The malware does this by exploiting well-known vulnerabilities in older versions of Android. “These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user,” Checkpoint said. Checkpoint Gooligan will then go on to steal the user's Google authorization tokens, giving the malware access to Gmail, Google Play, and other related services.   Of the 1 million Google accounts breached, 19 percent were based in the Americas, 9 percent in Europe, while 57 percent were in Asia, according to Checkpoint. By gaining access to users' Google accounts, the malware is likely attempting to generate revenue for its creators. It does this by installing apps promoted by legitimate advertising networks, and then writing positive reviews for them on Google Play. “An attacker is paid by the network when one of these apps is installed successfully,” Checkpoint said.  Security researchers first noticed an earlier version of Gooligan last year, when it appeared in the malicious SnapPea app. It wasn’t until this past summer that the malware reappeared with upgraded processes. Checkpoint has published a website that lets users check if their Google account was breached by Gooligan. Security experts also caution users should avoid downloading apps from third-party app stores. This is because these stores often do little to verify that the apps offered are safe for use. The creators of Gooligan are also spreading the malware by sending SMS text messages to unsuspecting victims containing links to download apps carrying the harmful coding.  Google didn’t immediately respond to a request for comment. But Checkpoint said that Google is investigating the matter and revoking authentication tokens that were stolen by the malware.
Cick-to-self-p0wn attack sneaks Locky ransomware past Zuck's security model Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that's distributing the dangerous Locky ransomware. The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties. The flaw as described is, in this writer's opinion, ultimately of little risk to El Reg's tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk. The attack is also significant in that it breaks Facebook's security controls. In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the flaw by sending a .jpg image file through Facebook Messenger. The victim must click the attachment, an act that generates a Windows save file prompt asking the victim for the save directory to which the now .hta file will be downloaded. Images sent over Messenger appear as previews, not attachments. They must then double-click the saved .hta file to unleash the Locky ransomware. While the attack is not automated and, it does break Facebook's hypervigilant security model and is fairly regarded by Checkpoint as a Facebook "misconfiguration". Facebook will undoubtedly fix the flaw; The Social Network™ already warns users who open a browser javascript console to protect against malicious code. Checkpoint's chaps says the attack is useful because Facebook is a trusted asset. “As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms,” Ziakin and Barda write. “Cyber criminals understand these sites are usually white listed, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities." Facebook's javascript console warning. Those users who do open the hta file will unleash one of the worst ransomware variants in mass circulation, encrypting their local files in a way that leaves backup restoration or ransom payment as the only options available to them. There is no decryption method for Locky, and most victims will find their backup files also deleted. Locky is under active development. Its authors have recently switched to the .zzzzz encrypted file extension with a new downloader that has lower antivirus detection rates. ® Youtube Video Sponsored: Customer Identity and Access Management
Updated qemu-kvm-rhev packages that fix several bugs and add variousenhancements are now available for Red Hat Virtualization Hypervisor 7. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linuxon AMD64 and Intel 64 systems.

Why try to extract pennies from kiddies when there's businesses to be bilked? Criminals behind the massive Cerber ransomware enterprise are now targeting businesses as well as individuals with a module that kills and encrypts databases, warns Intel's former security arm McAfee. Cerber had conducted more than 160 campaigns when examined in July targeting 150,0000 users and raking in a cracking US$195,000 in profits in that month alone. Of that figure, Cerber's developer pocketed some US$78,000. It is estimated the malware earns authors and affiliates some US$1 million to US$2.5 million a year. Those figures surpass 2015 ransomware profits said to net authors a conservative US$84,000 a month for slinging ransomware at a cost of US$6000.

That's a whopping 1425 per cent profit margin. Security strategist Matthew Rosenquist says chasing businesses is the "next evolution" of ransomware. "[Cerber] now attempts to stop database processes running on the target system so it can encrypt the data," Rosenquist says. "This is a significant shift in focus from consumers to businesses, which typically run databases containing important operational data. "When database files are open and in use by software, they cannot easily be encrypted." It may not be the first to target businesses. The Register has been told of private ransomware variants sent to a limited number of highly-target organisations that encrypt very valuable databases and documents, demanding ransoms topping tens of thousands of dollars for the supply of decryption keys. Rosenquist warns administrators to be on alert for databases abruptly stopping which could signal Cerber is starting its encryption run. It appears there is no method to decrypt Ceber-encrypted files since an update to the malware rendered CheckPoint's decoding tool ineffective. Security engineers are continually working to find a dwindling pool of implementation and side-channel vulnerabilities to help decrypt files encrypted with high quality ransomware. The problem has this year been formalised into the NoMoreRansom alliance which unifies a formerly scattered and silo-ed, but furious effort by malware researchers to lay ruin to scores of ransomware variants, leaving a scant few including the latest Ceber, Cryptxxx, and Cryptowall unbroken. Victims who cannot decrypt their ransomware infections should also try Trend Micro's continually updated decryption tool. ® Sponsored: Customer Identity and Access Management
Updated cfme packages that fix bugs and add various enhancementsare now available for Red Hat CloudForms 4.1.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section. Red Hat CloudForms Management Engine delivers the insight, control,and automation needed to address the challenges of managing virtualenvironments. CloudForms Management Engine is built on Ruby on Rails,a model-view-controller (MVC) framework for web applicationdevelopment. Action Pack implements the controller and the viewcomponents.* An input validation flaw was found in the way CloudForms regularexpressions were passed to the expression engine via the JSON API and theweb-based UI. A user with the ability to view collections and filter themcould use this flaw to execute arbitrary shell commands on the host withthe privileges of the CloudForms process. (CVE-2016-7040)This issue was discovered by Tim Wade (Red Hat).Additional Changes:This update fixes bugs and adds various enhancements.Documentation for these changes is available in the Release Notes linkedto in the References section.All CFME users are advised to upgrade to these updated packages, whichcorrect these issues and add these enhancements. Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258Red Hat CloudForms 4.1 SRPMS: cfme-     MD5: 89572e8486cea08263785597bdfbc0afSHA-256: bc44d158abc61656e0cb91a60f27f960d3bc133f8a2878b68b6e97e797ea22d8 cfme-appliance-     MD5: b3c5ba11bfce7b5bb880637ae958dbebSHA-256: aeb5b894d50215e58099d3e9077bfe929a613344be4372f9cd590a98e5db724c cfme-gemset-     MD5: 294f0ba500b938ed7a9e6a7854276022SHA-256: d31a74dd4512d28b19f878d0089cb6b5205eb38b0f7a91e0eaeb08efaa0f5432 rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.src.rpm     MD5: 987d269d305ce6b5b0707c773bfbfde4SHA-256: 359c25623c2ac3c8a1a3b67237f7b234b6b585e1f6393ce9512b7438d1d3704f rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.src.rpm     MD5: 4ccc899d9fc7566fb87b483d324138a2SHA-256: c7185f33d1479f4ca2c7828b3dad2787b6051f8cf7d91127ec889bed8c20abb8 rh-ruby22-rubygem-thin-1.7.0-1.el7cf.src.rpm     MD5: c2b632982f988492d7b2a60c4f2115e8SHA-256: 3c49e958de179d6f6a970601a34e5c8a4b1c048398221eb2911b438feec68333   x86_64: cfme-     MD5: f44a16be40b53bfd0ddc30c7efd9a3f0SHA-256: 184a87fe0a7115bae4ba47602d568d64a60d45ca5997b5b4499f26d5faf3feaf cfme-appliance-     MD5: 41796182ab044650036fb67ce9024dd0SHA-256: a9df3744fb333988ee6020dbe8c899ebb09a8da4e312dc0c51bc9e4d67559de3 cfme-gemset-     MD5: a9ad53e5d7c51a425e9dbb1689472178SHA-256: 449d34f8aae1cd858bf360f5e7ad14c6e48971a6d89fcea499deeab4b3e0c6be rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.x86_64.rpm     MD5: 70a302fcc119d189f2c6008b64416ed1SHA-256: d1b263246254921445b4fe514d16d4b0b33b4d2f6044a09d21aefd11c3266cd8 rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.noarch.rpm     MD5: f71dc8b43f55ebb00fc7e1ed0e48e21aSHA-256: 288a31b71ad41c60c68b97249ad5e32f220eb501a39babb2751446c92614cf8f rh-ruby22-rubygem-pkg-config-doc-1.1.7-1.el7cf.noarch.rpm     MD5: 1b9db3e37bf119a93fc00163833df3f8SHA-256: 1f69fe30fcf771f39aff88cb7c782b45e4ff711cd7c86fe80997e8f70979a556 rh-ruby22-rubygem-thin-1.7.0-1.el7cf.x86_64.rpm     MD5: ec0b655f82936ad2b579772b07e10188SHA-256: 60dd1b5a87bd59e6f2d8901d5304a6735cdec35062f8ebb76ea273b6f800a4c0   (The unlinked packages above are only available from the Red Hat Network) 1337552 - Common datastore across multiple vcenter causes inventory confusion for provisions1337577 - service requests don't show dynamic drop down selections1343517 - When using external auth and removing a user from all groups the user's groups are not updated and he is still able to log-in to CFME Web-UI1343717 - Openstack cloud provider - when using Keystone v3 domain for registration we need to ignore the projects that the user doesn't have access to1343719 - Provisioning from RHEVM 3.6 template loses template boot sequence1346953 - [RFE] Unable to set number_of_vms in non-generic service catalog items1346989 - [RFE] Keystone domains support1346990 - VM refreshes are failing but the message status from each of the EmsRefresh.refresh commands shows 'ok' in error1347278 - [RFE] - lifecycle button missing from cloud images1347330 - [ja_JP] Translations are missing in 'Compute'-'Clouds' menu and its sub menus1347692 - [ja_JP] Translation issues on cloud intelligence->chargeback->assignments page.1348631 - CPU Right Size recommendations only take into account CPU sockets, not cores per socket1348637 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page.1348644 - [ja_JP] Translation issues on Services -> Requests page1348648 - [ja_JP] Translations are missing in Compute-Services menu1348649 - [ALL LANG] All contents are unlocalized under Control->Log.1349059 - [ja_JP] Translations are either misplaced or missing on Settings->Configuration->Settings1349423 - Dynamic Dropdown list of AWS instance Type for AWS GovCloud seems to be returning instance types that are not supported by AWS GovCloud1351332 - [RFE] [SDN] - No providers tags relations displayed in Tolopogy1352016 - Missing policy button on some of the Network Manager Relationship pages1353291 - String interpolations must not be present in toolbar definitions1354503 - OSP refresh fails with Policy doesn't allow os_compute_api:os-availability-zone:detail to be performed.1357865 - RHEV VM Reconfigure: Set memory to a size smaller than guaranteed memory fail1358323 - In Networks menu should all names in plural1361175 - Error when canceling orchestration stack retirement form1361176 - [RFE] Chargeback of containers based on tags1361178 - Cannot Cancel Smart State Analysis of Container that is not completing -1361693 - Advanced search in workloads expression element "Registry" hides select bar for element type1362227 - Clicking on Reset button while editing a provider throws error message in UI for firefox browser1362627 - [RFE] Allow reporting relationship between OpenShift pods and the image they run1362631 - Maintain uniformity in dropdown values in japanese locale1362634 - Package/Application icon in CloudForms looks like Apple AppStore logo1362704 - Stack : Link " ManageIQ/Providers/Cloud Manager/Orchestration Stacks" shows "Page does not exists"1363753 - SSUI : All languages are not shown in SSUI login dropdown1363754 - [RFE] 'LDAP Group Look Up' string needs to changed to 'External auth Group Look Up' when auth mode is set to external(httpd)1363891 - Datastores: " ActionController::RoutingError " when clicking on reload button1364222 - Accessing the tags method of an MiqAeServiceLan object results in a NoMethodError exception1364501 - Customer reporting growth of sessions table to an enormous size and postgresql logs don't indicate any auto-vacuum activity is happening1366358 - SSUI: logo not displayed on login screen1366596 - Container SSA results are aggregated instead of updated1366597 - unable to tag datastores via rest api or UI1366598 - Failed container scanning job does not timeout1366599 - Image List shows "Unknown image source" for images1368165 - Start date for report schedule is set to tomorrow1368167 - Service provisioning messages overlapped in self service ui1368168 - Editing RHEVM has default API Port 5000 in UI even though no port was set when creaing1368170 - GCE instance was retired, but was not power off1369583 - [Configuration management Jobs] - Wrong title of downloaded files1370196 - LDAP group lookup fails with json UTF conversion errors1370198 - Cloud tenant and AZ from overcloud show up in undercloud relationships1370202 - page doesn't exist after session timeout on provider timeline page1370208 - Unable to authenticate to RHEV provider after migration from cfme- (3.2) to cfme- (4.1)1370209 - Request to restore diagnostic functionality critical to support (ie, current appliance settings) removed in the CFME 4.11370211 - Azure: undefined method `downcase'1370216 - Azure provider fails EMS refresh1370309 - missing rights to show AWS security groups caused null1370310 - add support for secondary fixed IP addresses for AWS ENI interfaces1370476 - No html Id's defined for the bootstrap switches in manage quota form1370478 - "unexpected token at ..." error when validating Tower which returns internal server error 5001370480 - Incorrect name is used for default Azure provider during discovery1370481 - Catalog item becomes corrupt after removing template it was using1370488 - Changing default instance_name in custom button from "Automation" to "Request"1370568 - METHOD:: does not accept a full path to a method1370569 - VMware folder support showing more than just folders1370574 - Errno::ETIMEDOUT: Connection timed out on Azure at gallery.azure.com1370575 - Region description doesn't change1370586 - Multi-rate chargeback report can not be queued.1371174 - After adding generic/orchestration catalog item infinispinner and 502 error(appliance crashed)1371267 - Unable to get to Topology link in breadcrumb trail on Network Manager entities page1371268 - [RFE] Add Global filters for RHEV block datastores1371269 - C&U collection tab can sometimes be blank1371270 - Cloud network manager availability zones back button redirects me to cloud provider1371272 - unable to use {nil => "<default>"} with self provisioning when selecting dialog_tenant_name1371311 - [Ansible Tower] Provider cannot be removed when selected from accordion tree1371640 - [RFE] Create AWS EC2 appliance1371666 - [ja_JP, zh_CN] Need to translate the title and tool-tips on Control -> Log page.1371668 - [ja_JP, zh_CN] Need to translate drop-down config. menu options on Compute -> Containers -> Providers1371669 - [ja_JP, zh_CN] Need to translate menu options under configuration on Networks -> providers.1371670 - [ja_JP, zh_CN] Need to translate drop-down options and some strings on Optimize -> Planning page.1371671 - [ja_JP, zh_CN] Need to translate strings on Automate -> Requests page1371979 - Error:undefined method `size' for nil:NilClass when clicked on cloud provider after deleting network manager1371980 - Automation Method Error When Accessing 'host'/'hosts' From a Switch1371981 - Type Template/VM filter under VMs is useless1372413 - UI: Inconsistent behavior when adding duplicate provider; infra provider X configuration manager1372775 - Refresh Configuration Management Provider does not work when selected from the explorer tree1372801 - Add ability to swap the default threaded puma web server for thin1374377 - [RFE] Reporting on OpenShift Custom Labels1374420 - multiple ip address for the same network_port_id for openStack provider1374423 - Select button options " By Infrastructure providers" and "All VMs" should be renamed1374450 - Compliance check history isn't shown if compliance policy is unconditional1374695 - Multi-tenancy - tenant name not renamed in Set group ownership dropdown menu1374696 - Adding rhevm infrastrcture provider and filling in bad IP bad user/pass error1374815 - Error on Azure Cloud Discovery: wrong number of arguments1375205 - SSUI displays "null" for azure resource group or fails if <new resource group> is selected1375311 - validate_request for cloud does not include support for flavors1375326 - Providers quick search should have searched string in brackets next to the title like all other pages1375330 - Azure provisioning missing pre and post methods.1375343 - Upgrade azure-armrest to - Amazon Image details doesn't open1376130 - Utilization tree remembers selected node1376132 - :cold_sweat: Don't include AvailabilityMixin into Object, that's really bad1376137 - Fix report scheduler timer_types1376138 - Change column type of cpu_cores_used_cost in reports to currency1376139 - Fixed port_scan.rb file and related changes1376140 - Memoize image_path helper in build_tags_tree1376141 - Add single select false to guest access pair options on EC21376143 - Move _('locale_name') to Vmdb::FastGettextHelper1376144 - ChargebackContainerProject - Filter project by tag1376146 - Discrepancy in objects count in Containers Overview following Provider overview1376147 - Re-check Authentication button for Providers in the GTL view1376150 - Fix the toolbar button tooltip for Providers in GTL view1376151 - Container Chargeback report: Rate Range by Project1376153 - Update x1.32xlarge to enhanced and clustered networking.1376154 - Replace corrupted PNGs1376155 - cap&u dont puke when _debug1376157 - SSUI : language : Shopping cart validation message needs to switch language when one is selected1376158 - Update gettext catalogs from Zanata1376159 - Use Rails version or higher1376160 - Relationships filter_by_resource_type scope1376161 - Azure - Enhanced C&U support1376162 - Azure cache1376163 - Move join region logic into a rake task1376164 - recent version of draper gem1376165 - Changing default instance_name in custom button from "Automation" to "Request"1376167 - Reworked building VMware nested datacenter folders in factory girl1376168 - Fix Caching Issues for MiqDiskCache Module1376169 - Show provider status color by bearer type authentication on container topology1376170 - Multi endpoints dialog message1376171 - Update required ovirt_metrics version1376172 - BAT Handling in Checkpoint Disks Issues1376173 - With the updated net-ldap 0.14.0, Net::LDAP:LdapError is no longer used.1376174 - Make connection_configuration respect the default authentication type1376175 - ArVirtual - Ownership uses virtual attributes / delegates1376176 - Modify Azure Runner to use existing EMS1376177 - Take 2: Speed up "VMs & Instances in My LDAP Group" filter in /vm_or_template/explorer1376178 - Allow more than one iso datastore per type of EMS1376513 - Unexpected error when clicked on service request1376520 - service template provision tasks failing in check provision method1376528 - [RHV 4.0] Provision VM ends up with "Validating New Vm" endless retries1376557 - Clicking Automate triggers an error.1376574 - Azure Enterprise Agreement subscriptions not catching events1377416 - Unknown Error while refreshing Azure1377420 - [ja_JP, zh_CN] User login credentials verification fail message is not localized These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: