
Check Point Software Technologies, Inc. Check Point Research discovers vulnerability in Foxit PDF Reader; cyber attacks exploiting PDF are rapidly increasing


*Check Point Software Technologies Co., Ltd.*
Press release: May 28, 2024
Check Point Research discovers vulnerability in Foxit PDF Reader; cyberattacks exploiting PDF are rapidly increasing
*Foxit PDF Reader is also usable in LGWAN environments. Please update to the fixed version immediately*
Check Point Research (CPR), the threat intelligence division of Check Point Software Technologies (Check Point(R) Software Technologies Ltd., NASDAQ: CHKP, hereafter Check Point), is calling for caution regarding attacks that exploit a new vulnerability targeting Foxit PDF Reader users. This exploit takes advantage of a design flaw in Foxit PDF Reader, revealing the dangers hidden in PDF viewing software used by more than 700 million people around the world.

Foxit PDF Reader is a PDF reader that boasts the second largest market share in the world. It is approved for use in LGWAN (Local Government Wide Area Network), the information network for Japanese administrative agencies that requires high security, and is also widely used in local government operations. The US headquarters released the latest version (2024.2.2.25170), which fixes the vulnerability announced this time, on May 24 (local time), but continued use of unprotected earlier versions may put confidential information at risk. In addition to updating to the latest version as soon as possible, users are requested to thoroughly check the safety of a file before opening it.

Additionally, CPR statistics show that 69.1% of malicious files observed globally in the last 30 days were PDFs. In Japan, PDFs account for 12% of malicious files, and in the APAC region they rank third at 8%. By industry, medical institutions are in the most serious situation, with 83% of all organizations receiving attacks that exploit PDFs.

Executive summary:
– *Exploitation of the vulnerability*: CPR has identified an unusual behavior pattern that primarily targets Foxit PDF Reader users and abuses PDFs. Attacks that exploit this vulnerability can trick unsuspecting users into executing harmful commands by manipulating security warning messages. It exploits human psychology to trick users into unintentionally providing access to sensitive information.
– *Exploited from e-crime to espionage*: CPR's investigation revealed that variants of this exploit are being used by both cybercriminals and espionage groups. This investigation provides details on three of these cases.
– *PDF has become the biggest threat*: PDFs have become a major threat vector for malicious attachments, with approximately three-quarters of malicious files observed worldwide in the past month being PDFs. The percentage of email attacks that exploit PDFs has significantly increased from 16% in 2022 and 20% in 2023, and this trend shows no signs of slowing down. In particular, the medical industry was the industry most attacked by malicious PDFs, with 83% of all malicious files being PDFs.
*Foxit PDF Reader with over 700 million users in over 200 countries*
PDF files have become an essential part of modern digital communication. PDF has evolved as a standard format for displaying text, images, and multimedia content in a consistent layout and format, regardless of the viewing software, hardware, or operating system (OS).

In the realm of PDF viewers, Adobe Acrobat Reader reigns as the dominant player in the industry. While Adobe Acrobat Reader commands the largest market share, a number of notable competitors are competing with it. Among them, Foxit PDF Reader is the leading alternative, with over 700 million users in over 200 countries worldwide.

CPR has observed an unusual pattern of behavior, mainly targeting Foxit PDF Reader users, that abuses PDFs. This exploit causes a security warning to be displayed that can trick unsuspecting users into running harmful commands. According to CPR's observations, a variant of this exploit is currently in active use.
*Risks caused by a design flaw*
This exploit takes advantage of a design flaw in Foxit PDF Reader's warning message: the harmful choice is offered as the default option, which makes it extremely dangerous. If an unwary user accepts the default option twice, the exploit launches, downloading and executing a payload from a remote server.
Default options to launch malicious commands
This exploit is used by multiple threat actors for e-crime and espionage. CPR identified and closely investigated three cases that clearly demonstrated attack chains, ranging from espionage to e-crime, built from multiple links and tools.

One of the most notable campaigns leveraging exploits like the one mentioned above may have been carried out by an espionage group known as APT-C-35, or DoNot Team. This threat actor has the ability to run hybrid campaigns targeting Windows and Android devices, judging by the specific malware deployed, the commands sent to bots, and the victim data captured. It can also bypass two-factor authentication (2FA).

This exploit is also used by various cybercriminals distributing well-known malware families, including:
– VenomRAT
– Agent Tesla
– Remcos
– NjRAT
– NanoCore RAT
– Pony
– Xworm
– AsyncRAT
– DCRat

When CPR tracked links to a campaign that may have been distributed via Facebook, the campaign turned out to have constructed an impressive attack chain that dropped an infostealer and two cryptominers.
Attack chain
CPR identified threat actor @silentkillertv in a separate campaign. The campaign utilized two chained PDF files, one of which was hosted on the legitimate website trello.com. The threat actor also sells malicious tools and advertised this exploit on April 27th.
Advertising on Telegram channel
During our investigation, CPR obtained multiple builders used by threat actors to create malicious PDF files to utilize this exploit. The majority of the collected PDFs were running PowerShell commands that downloaded and executed payloads from remote servers, but in some cases different commands were used.
Analysis of executed PDF commands
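The PDFs CPR collected mostly carried PowerShell commands that fetched and ran a payload. The triage script below is an added example, not Check Point's or Foxit's code, showing how a defender can statically flag such files at a mail gateway or in a triage pipeline before a reader ever shows its dialog. It assumes (my assumption; the press release does not name the mechanism) that the command is carried in a PDF Launch action, and it undoes two cheap obfuscations, `#xx` escapes in names and hex-encoded strings, before matching. The two sample documents, the interpreter keyword list, the verdict thresholds and the inert placeholder command are all constructed for this example.

```python
"""Static triage of PDF files for Launch-style actions carrying OS commands.

Added example (not Check Point's or Foxit's code). It inspects raw object
syntax only, so commands hidden inside compressed object streams are not seen;
treat it as a cheap first-pass filter in front of sandboxing, not a replacement.
"""
from __future__ import annotations

import re

# Dictionary keys that make a document do something when opened or interacted with.
ACTION_KEYS = {
    b"/Launch": "Launch action: asks the viewer to run an external file or command",
    b"/OpenAction": "OpenAction: fires automatically when the document is opened",
    b"/AA": "Additional-actions dictionary: event hooks on pages and form fields",
}

# Interpreter and download-helper names worth flagging inside an action object.
# Constructed list for this example; extend it from your own telemetry.
COMMAND_PATTERNS = [
    (re.compile(rb"powershell(\.exe)?", re.I), "PowerShell interpreter"),
    (re.compile(rb"\bcmd(\.exe)?\b", re.I), "cmd.exe interpreter"),
    (re.compile(rb"\b(curl|certutil|bitsadmin|wget)\b", re.I), "download utility"),
    (re.compile(rb"https?://", re.I), "remote URL inside an action object"),
]
COMMAND_LABELS = {label for _, label in COMMAND_PATTERNS}

_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")        # /L#61unch  ->  /Launch
_HEX_STR = re.compile(rb"<([0-9A-Fa-f\s]+)>")         # <636d64>   ->  (cmd)
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def normalise(data: bytes) -> bytes:
    """Undo #xx name escapes and hex strings so keyword matching sees plain text."""
    data = _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

    def hex_to_literal(m: re.Match) -> bytes:
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:            # PDF treats a missing final digit as 0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"

    return _HEX_STR.sub(hex_to_literal, data)


def _has_key(body: bytes, key: bytes) -> bool:
    # Require the name to end there so /AA does not match /AAx or similar.
    return re.search(re.escape(key) + rb"(?![A-Za-z])", body) is not None


def scan_pdf(data: bytes) -> list[dict]:
    """Return one finding per (object number, indicator) found in the file."""
    findings = []
    for num, _gen, body in _OBJ.findall(normalise(data)):
        obj = int(num)
        hit_keys = [k for k in ACTION_KEYS if _has_key(body, k)]
        for k in hit_keys:
            findings.append({"obj": obj, "indicator": k.decode(), "detail": ACTION_KEYS[k]})
        if not hit_keys:
            continue                   # command-like text in page content is not interesting
        for pat, label in COMMAND_PATTERNS:
            m = pat.search(body)
            if m:
                findings.append({"obj": obj,
                                 "indicator": m.group(0).decode("ascii", "replace"),
                                 "detail": label})
    return findings


def verdict(data: bytes) -> str:
    """'suspicious' = Launch action plus interpreter/URL; 'review' = Launch alone."""
    findings = scan_pdf(data)
    has_launch = any(f["indicator"] == "/Launch" for f in findings)
    has_command = any(f["detail"] in COMMAND_LABELS for f in findings)
    if has_launch and has_command:
        return "suspicious"
    if has_launch:
        return "review"
    return "clean"


# Constructed sample documents (minimal, uncompressed, for illustration only).
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /GoTo /D [3 0 R /Fit] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Launch action with an obfuscated name and a hex-encoded target; the command is a placeholder.
LAUNCH_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F <636d64> /P (/c powershell -c PLACEHOLDER_COMMAND) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        print(name, verdict(doc), scan_pdf(doc))
```

The benign document also auto-runs something on open (a GoTo), which is why the scan reports an /OpenAction but the verdict stays "clean": the combination that matters for this exploit is a Launch action whose strings name an interpreter or a remote URL.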
This “exploit” does not fit the traditional definition of “causing malicious activity.” More precisely, it may be classified as a form of “phishing” or psychological manipulation targeting Foxit PDF Reader users, in that they are habitually led to click “OK” without understanding the potential risks.
This “exploit” has been used in the underground ecosystem for years by threat actors ranging from e-crime criminals to APT groups, and it successfully evades detection because most antivirus products and sandboxes rely on Adobe, the leading PDF reader software. Thanks to successful infections and low detection rates, malicious PDFs are not stopped by detection rules and are distributed through many non-traditional methods, including Facebook. When CPR reported this problem to Foxit, Foxit acknowledged the issue and announced that it would be fixed in the latest version.

As social engineering techniques become increasingly sophisticated, users should remain vigilant, stay informed, take precautions, and implement multi-factor authentication and security measures to reduce their risk of falling victim to these attacks. It is essential to have strong security measures in place, including awareness training.

Foxit announced a fix for the newly discovered vulnerability in the latest version (2024.2.2.25170) on May 24th. However, you must also consider the time lag it takes for users to update to the latest version, or the possibility that they may not update. Also, although improvements have been made to not open files by default, it is important to be careful about social engineering to open files and file safety.

Check Point Threat Emulation, Harmony Endpoint, and Harmony Mobile protect against attacks and exploits like those described in this report, with comprehensive coverage across all attack vectors, file types, and operating systems.
– *Exploit.Wins.FoxitExploit.ta.A*
This press release was created based on the blog post (in English) published on May 14, 2024 (U.S. time).
*About Check Point Research*
Check Point Research provides the latest cyber threat intelligence to Check Point customers and the threat intelligence community. The team collects and analyzes data on cyberattacks from around the world stored in ThreatCloud AI, Check Point's threat intelligence platform, and works to improve the effectiveness of the protection functions in Check Point products while deterring attackers. More than 100 analysts and researchers belong to the team, which works on cybersecurity measures in cooperation with security vendors, law enforcement authorities, and each CERT organization.
Blog: https://research.checkpoint.com/
X: https://twitter.com/_cpresearch_

*About Check Point*
Check Point Software Technologies (https://www.checkpoint.com/) is a leading provider of AI-powered cloud cybersecurity platforms, providing protection to over 100,000 organizations worldwide. Check Point Software Technologies leverages the power of AI everywhere to improve cybersecurity efficiency and accuracy through the Infinity Platform, which enables proactive defense predictions and smarter, faster responses. The comprehensive Infinity Platform includes Check Point Harmony to protect the workforce, Check Point CloudGuard to protect the cloud, Check Point Quantum to protect the network, and Check Point Infinity Core Services to enable collaborative security operations and services. Check Point Software Technologies Co., Ltd. (https://www.checkpoint.com/jp/), a wholly owned Japanese subsidiary of Check Point Software Technologies, was founded on October 1, 1997 and is based in Minato-ku, Tokyo.

*Social media accounts*
・Check Point Blog: https://blog.checkpoint.com
・Check Point Research Blog: https://research.checkpoint.com/
・YouTube: https://youtube.com/user/CPGlobal
・LinkedIn: https://www.linkedin.com/company/check-point-software-technologies/
・X: https://twitter.com/checkpointjapan
・Facebook: https://www.facebook.com/checkpointjapan

*Inquiries from the press regarding this matter*
Check Point Public Relations Office (within NEXT PR LLC)
Tel: 03-4405-9537 Fax: 03-6739-3934
E-mail: checkpointPR@next-pr.co.jp

This article has been partially generated with the assistance of AI.