Some big stuff this week, so let's get right into it!
- First story of the week is by FireEye and brings news of a zero-day being actively exploited in the wild in the Office EPS processing component. Both a well known nation state actor and a financially motivated one were seen utilizing the exploits.
- Read More @ https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
- Next, a security researcher has discovered that certain HP laptop models ship with a built-in keylogger that was installed as part of the audio driver software. It seems this was put in for debugging purposes and was either never taken out or not implemented properly.
- Read More @ http://thehackernews.com/2017/05/hp-audio-driver-laptop-keylogger.html
- Next, another article by FireEye about a new APT group (APT32) that has been targeting organizations in Vietnam, or with ties to Vietnam. This is a brand new group FireEye is tracking so there is no attribution as of yet to any specific nation state.
- Read More @ https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
- Next, Microsoft has patched a rather severe vulnerability in its Malware Protection Engine, discovered by researchers at Google's Project Zero. Microsoft responded extremely quickly to patch this vulnerability, drawing much praise from Tavis Ormandy, one of the researchers responsible for the discovery.
- Read More @ https://www.infosecurity-magazine.com/news/microsoft-patch-malware
- Three Chinese hackers were fined $8.9 million for hacking into law firms and using the stolen data for stock trading.
- Read More @ http://www.darkreading.com/attacks-breaches/hackers-face-$89-million-fine-for-law-firm-breaches/d/d-id/1328840
- Next, easily the biggest story of the week concerns a massive new ransomware attack named "WannaCry" that used the ShadowBrokers-leaked NSA exploits ETERNALBLUE and DOUBLEPULSAR to infect and spread to over 200,000 machines over the weekend. Some of the first victims were the British NHS and the Spanish telecommunications giant Telefonica. So far there are reported infections in over 99 countries in what is being called the biggest ransomware attack to date.
- Read More @ https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
- Continuing on the theme of WannaCry, there was some success in slowing down the spread of this ransomware thanks to a built-in "kill switch" discovered by U.K. researcher @MalwareTech, who registered the domain used for the kill switch, thus rendering that sample inert. However, since then 2.0 versions of WannaCry have been reported that use a different kill switch domain.
- Read More @ http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html
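Because the sample looks up the kill-switch domain before deciding whether to run, a DNS query for that domain is a strong sign the host executed the payload, even if the domain resolved and the sample then exited. The following is an added example (not code from the post or from @MalwareTech) that scans resolver log lines for such lookups; the domain names and log lines are constructed placeholders, since the real kill-switch domains are not given on this page.

```python
import re
from collections import defaultdict

# Constructed placeholder domains standing in for the original and 2.0
# WannaCry kill-switch domains; the real values must come from your
# threat-intel feed (they are not on this page).
KILL_SWITCH_DOMAINS = {
    "killswitch-v1.example.invalid",
    "killswitch-v2.example.invalid",
}

# Matches one line of the constructed resolver log format used below:
# "<timestamp> client <ip> query <fqdn>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+)$"
)

def find_kill_switch_queries(log_lines, domains=KILL_SWITCH_DOMAINS):
    """Return {source_ip: [(timestamp, queried_domain), ...]} for every host
    whose DNS queries hit a kill-switch domain. Names are normalised
    (trailing dot stripped, lower-cased) so case and FQDN form do not hide a hit."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        qname = m.group("qname").rstrip(".").lower()
        if qname in domains:
            hits[m.group("src")].append((m.group("ts"), qname))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z client 10.0.0.5 query www.example.com
2017-05-12T10:01:07Z client 10.0.0.23 query killswitch-v1.example.invalid.
2017-05-12T10:02:11Z client 10.0.0.23 query KILLSWITCH-V1.example.invalid
2017-05-12T10:03:40Z client 10.0.0.77 query killswitch-v2.example.invalid
2017-05-12T10:04:00Z client 10.0.0.5 query updates.example.org
malformed line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for host, events in sorted(find_kill_switch_queries(SAMPLE_LOG).items()):
        print(f"{host}: {len(events)} kill-switch lookup(s), first at {events[0][0]}")
```

Hosts reported by this scan are candidates for isolation and forensic review; a hit means the host tried to run the sample, not that the kill switch protected it.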
- Next, US-CERT has released a number of IOCs for the WannaCry ransomware. IOC collections from different vendors have been trickling in since the attack began, so here is another source to check your environment against.
- Read More @ https://www.us-cert.gov/ncas/alerts/TA17-132A
- Lastly, Microsoft President Brad Smith has published a rather scathing post blasting agencies like the NSA and CIA for hoarding exploits and essentially allowing attacks like WannaCry to happen. Smith argues that if the agency had reported these flaws to Microsoft when they were discovered, attacks like this would have been prevented. I have to say, I agree. Though I don't believe it will happen.
- Read More @ https://www.engadget.com/2017/05/14/microsoft-blasts-spy-agency-exploit-hoarding/