WikiLeaks yesterday released another tranche of its Vault 7 files, which it claims are leaked CIA hacking tools. The documents concern "Cherry Blossom," a firmware implant for home and small-office routers, and the exploits used to install it; at least twenty-five and possibly up to one hundred router models are listed, including devices from Linksys and D-Link. The implant is said to have been introduced in 2007. Routers running current firmware are probably not exposed to the exploitation described, which is one more reason to patch these usually ignored, overlooked devices.
The Washington Post reports that the NSA is attributing the WannaCry ransomware campaign ("with moderate confidence") to North Korean espionage services. Much of that confidence derives, of course, from the sort of circumstantial evidence long cited by Symantec and others. Telefonica’s ElevenPaths security research unit is among those pointing to countervailing circumstantial evidence, but consensus is moving swiftly toward DPRK attribution.
FireEye describes a group it calls "FIN10," which has been extorting Bitcoin from North American businesses (demands run from 100 to 500 BTC). The threat is doxing and disruption: FIN10 says it will post sensitive corporate data to Pastebin if its demands go unmet. The criminals gain their initial foothold in the victim enterprise with Meterpreter or SplinterRAT, then switch to custom PowerShell-based utilities and publicly available penetration-testing tools to maintain persistence.
More conventional ransomware has disrupted at least two British universities this week: University College London and Ulster University.
Facebook continues its efforts to disrupt extremist messaging with a mix of AI and human screening. Some of its human moderators have had their identities inadvertently exposed online to the very groups they were monitoring.