The official website of South Korea’s Air Force, now restored, was shut down for some two weeks. No attribution, but a priori probability points to Pyongyang.
More banks worldwide are investigating potential fraudulent activity enabled by their links with the SWIFT funds transfer network. Reports suggest Southeast Asia is the region most affected, with the Philippines and New Zealand also noting suspicious activity. SWIFT continues to work on upgrading security.
DDoS and ransomware continue to circulate. DNS provider NS1 was hit by a series of attacks that affected DNS delivery on four continents. With respect to ransomware, a JavaScript exploitation campaign is distributing Locky.
An Office bug Microsoft patched last year continues to yield opportunities for cyber espionage. CVE-2015-2545 is being exploited by Danti (active against the Indian government), Platinum, APT16, Ke3chang, and SVCMONDR. Unpatched systems afford an uncontested attack surface.
The hybrid war Russia continues to wage against Ukraine prompts some hesitant movement toward sanctions in Europe, and inspires Ukraine’s Army to take its information operations to radio (they’re looking for an appealing DJ—Russian media have considerable reach into Ukraine).
Legislation in the US Senate that would weaken encryption seems to be stalling in the face of increased opposition.
In industry news, Palo Alto’s results disappointed investors last night, as did Splunk’s (which, in fairness, weren’t a loss). But analysts as a group seem disposed, again, to view cyber as a story-stock sector: witness Sophos, whose shares saw a small gain even after reporting a loss.
Scotland’s apparently using Stingrays.
A note to our readers. We'll be observing Memorial Day on Monday, and so will place the CyberWire on hiatus. We'll resume our regular publication and podcasting on Tuesday. Enjoy the holiday, if you observe it where you live, and, wherever you are, spare a thought for the fallen and their families.