2017-5-15 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

• A global attack has infected tens of thousands of machines with WannaCryptor ransomware. To spread
  within an infected network, the attack exploits a vulnerability in the Windows OS SMB EternalBlue communication protocol, developed by NSA and leaked last month by “Shadow Brokers” threat group. Among the victims are hospitals, telecommunication companies, car manufacturers and others. The attack was halted thanks to a security researcher that registered a “kill-switch” domain hardcoded in the malware. The kill-switch was later altered, and a new sinkhole was registered by Check Point researchers. Following the attack, Microsoft released patches for old, unsupported, Windows versions. It is yet unclear how the attack started, and how/if one can get the encrypted files back.
• The known Russian threat group, Fancy Bear, has been targeting the Romanian Ministry of Foreign
  Affairs. The group used a fake NATO email address to send phishing emails with malicious attachments.
• Security researchers have found a new attack on internet-based IP cameras and recorders. The attack
  originated by PERSIRAI, a new IoT Botnet using C&C servers belonging to the Iranian research institute.
• A new WhatsApp scam has been detected in the wild. In the scam, a well-designed phishing message and website offer free access to Netflix for a year in return of a certain amount of WhatsApp shares; thus promising its authentic-appearance distribution, as victims are tempted to send it to their contacts.
• Two universities from Singapore have suffered a security breach, potentially aiming to reach sensitive
  government or research documents.
• Threat actors have been spotted tricking users of the popular social network “VKontakte”, by sending them malicious messages offering free license keys for Dr.Web Anti-virus.

VULNERABILITIES AND PATCHES

• A security flaw in one of Android’s security mechanisms has been found by Check Point’s Mobile Research Team. The flaw exists in the permission model for apps, that was implemented in the Android “Marshmallow” version.
• A high number of vulnerabilities were found in ASUS routers by security researchers. A successful exploitation of the vulnerabilities could grant attackers with the routers’ passwords and full permissions. The company published a firmware update to all the vulnerable devices.
• Security researchers have found a vulnerable program in HP’s Conexant audio driver package. The program monitors user’s keystrokes for various functionalities, such as microphone mute/unmute. The vulnerability allows any framework or process with access to Window’s MapViewOfFile API to turn the program into a keylogger. The issue has been patched by HP.
• New critical remote code execution vulnerability in Microsoft Windows has recently been disclosed to
  Microsoft and patched.THREAT INTELLIGENCE REPORT
• A new research, conducted by Check Point’s researchers, describes a new ransomware named JAFF. The
  malware was seen being distributed by the Necrus botnet.
•  DiamondFox, a modular malware-as-a-service offered for sale on various underground forums, has been
  investigated by Check Point’s researchers. The malware is capable of performing various functionalities,
  from info-stealing to running DDoS attacks using infected machines as bots.
• Two CIA malware frameworks were leaked in Wikileaks “Vault 7” project that covers leaked CIA threat
  tools. Both frameworks, “AfterMidnight” and “Assassin”, allow attackers to load and execute payloads
  on infected machines.