Security Week 18: Unintentional Cyber Espionage

In late April, the blog of the company ERNW published an interesting article about suspicious activity on a corporate laptop. The work laptop had been handed over to the company's specialists on suspicion of something that looked very much like cyber espionage. A preliminary analysis of the hard drive's contents revealed nothing of interest, and no traces of malicious activity were found. But after the system was booted, something strange turned up in the logs:







The screenshot (not reproduced here) shows the following: the audio driver checks whether a certain entry exists in the Windows registry, does not find it, and then writes an audio file to the hard drive. The investigation uncovered a bug in the driver for the Realtek audio chip: it checked for a flag that enables debug mode (DebugFunction = 1), but it mishandled the case where the registry entry was absent and behaved as if debug mode were on. As a result, without the user's knowledge, it recorded audio from the microphone whenever the driver was accessed (for example, when the researcher opened the sound settings).



One can understand the security officer who requested the audit: a pile of microphone recordings in the Windows temporary directory looks very much like the traces of spyware. Until March 2020, such audio driver activity could go unnoticed. But with the transition to remote work, recordings of many hours of conference calls began to accumulate on the system disk. In some cases this even filled the drive completely, which is apparently what triggered the investigation of this incident. Strange computer behaviour, however, does not always indicate malicious activity; sometimes it is just a bug.



The ERNW blog has no data on how widespread this problem is. Only the specific faulty driver version is named: Realtek High Definition Audio Driver 6.0.1.8045. The developer made a fairly common mistake: the driver's incorrect behaviour was invisible during debugging, because on the developers' machines the required key was always present in the registry. And one more thing: such a "feature" of standard software is easy to repurpose for genuinely malicious ends.
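To make the failure mode described above concrete, here is an added example of the "missing configuration entry treated as enabled" pattern beside its corrected form. This is illustration code written for this page, not code from ERNW's analysis or from the Realtek driver: the registry is simulated with a small table so the program runs anywhere, and the function and status names are hypothetical. What it shows is exactly why the bug hid during development: with the DebugFunction entry present and set to 0, both variants agree; on a shipped machine where the entry is absent, only the buggy variant turns recording on.

```c
/* Added illustration, not ERNW's or Realtek's code. Registry access is
 * simulated by a table lookup; all names and status codes are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated registry entry: a named DWORD that is either present or absent. */
typedef struct {
    const char *name;
    uint32_t value;
    int present;
} reg_entry_t;

/* Hypothetical status codes: success vs. "value not found". */
enum { REG_OK = 0, REG_NOT_FOUND = 2 };

/* Look up a DWORD by name. On failure the output is deliberately left
 * untouched, which is how a typical registry read API behaves. */
static int reg_query_dword(const reg_entry_t *reg, size_t n,
                           const char *name, uint32_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (reg[i].present && strcmp(reg[i].name, name) == 0) {
            *out = reg[i].value;
            return REG_OK;
        }
    }
    return REG_NOT_FOUND;
}

/* BUGGY: debug recording is assumed ON unless the lookup explicitly turns
 * it off. The return status is ignored, so a missing entry leaves the
 * default in place. With the key always present in the lab, this passes. */
static int debug_enabled_buggy(const reg_entry_t *reg, size_t n)
{
    uint32_t flag = 1;                                   /* default "on": the mistake */
    reg_query_dword(reg, n, "DebugFunction", &flag);     /* status ignored */
    return flag == 1;
}

/* FIXED: debug recording is ON only if the entry exists AND equals 1.
 * A missing entry, a read error, or any other value means OFF. */
static int debug_enabled_fixed(const reg_entry_t *reg, size_t n)
{
    uint32_t flag = 0;                                   /* safe default: off */
    if (reg_query_dword(reg, n, "DebugFunction", &flag) != REG_OK)
        return 0;
    return flag == 1;
}

/* Constructed sample "registries" for the three situations that matter. */
static const reg_entry_t developer_box[] = { { "DebugFunction", 0, 1 } }; /* present, off */
static const reg_entry_t debug_box[]     = { { "DebugFunction", 1, 1 } }; /* present, on  */
static const reg_entry_t user_laptop[]   = { { "DebugFunction", 0, 0 } }; /* absent       */

int main(void)
{
    printf("developer box (key=0): buggy=%d fixed=%d\n",
           debug_enabled_buggy(developer_box, 1), debug_enabled_fixed(developer_box, 1));
    printf("debug box     (key=1): buggy=%d fixed=%d\n",
           debug_enabled_buggy(debug_box, 1), debug_enabled_fixed(debug_box, 1));
    printf("user laptop   (none) : buggy=%d fixed=%d\n",
           debug_enabled_buggy(user_laptop, 1), debug_enabled_fixed(user_laptop, 1));
    return 0;
}
```

The practical check this suggests for any driver or service with a debug switch: test the code path with the switch absent, not only with it set to 0, and treat both a missing value and a failed read as "disabled".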



What else happened



Two pieces of research from Kaspersky Lab. The first is about the decline in the absolute number of ransomware attacks on user PCs. Don't relax: operators have clearly switched from mass-distributed malware to targeted attacks on companies. The second is a report on the activity of APT groups in the first quarter of 2021.



Brian Krebs writes about a hole in the API of Experian, a major US credit bureau. For a long time, the data could be queried without authorization.



Cryptocurrencies are killing free continuous integration services. The blog of LayerCI, a provider of one such service, describes attempts to abuse systems that let you run your own code on other people's resources for cryptocurrency mining.



More than 4 million email addresses have been added to the Have I Been Pwned database following the takedown of the Emotet botnet. This unusual data source makes it possible to notify users whose passwords were stolen by a malware infection on their computer.


