The Week that Was: NIST issues antiphishing guidance. Cisco patches command injection vulnerability. Latest trends and reports. Patch news. Courts and torts.

At a glance.

• NIST issues antiphishing guidance.
• Cisco patches command injection vulnerability.
• Ransomware as misdirection for cyberespionage.
• North Korean cyberespionage campaign.
• Yandex source code leaked.
• Latest trends and reports.
• Threat actor movements observed and reported over the week.
• Updates on cyber activity in the hybrid war against Ukraine.
• Patch news.
• Crime and punishment.
• Courts and torts.
• Policies, procurements, and agency equities.
• Business news.
• Research developments.

NIST issues antiphishing guidance.

NIST has published a report encouraging the use of phishing-resistant authenticators. According to NIST Special Publication DRAFT 800-63-B4, a phishing-resistant authenticator offers “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.” NIST outlines the properties a phishing-resistant authenticator should have, and notes that these types of authenticators can only prevent attacks in which the threat actor is trying to login to something. Users should still be wary of phishing attacks that attempt to install malware or steal sensitive information. For more on NIST's antiphishing guidance, see CyberWire Pro.

Cisco patches command injection vulnerability.

Researchers at Trellix discovered two vulnerabilities in Cisco appliances, one of which could be used to gain persistent root access to the affected system. The more serious of the two vulnerabilities is CVE-2023-20076, a remote command injection flaw. The researchers first discovered this flaw in a Cisco ISR 4431 router, then found that it also affected a “wide range of other Cisco devices." Customers are urged to apply them as soon as possible. Trellix notes that “Cisco was a model partner in this research and disclosure process.” For more on the vulnerabilities and their remediation, see CyberWire Pro.

Ransomware as misdirection for cyberespionage.

LockBit has publicly taken responsibility for the attack on the London-based ION Group, Computing disclosed this morning, and is demanding a ransom by tomorrow. If the prompt ransom request is not met, stolen data from the group will be leaked, the gang threatened on a dark web site. The United States Federal Bureau of Investigation has begun their own search for information on the attack, in addition to UK regulators conducting individual investigations, Bloomberg reported. Canada's Communications Security Establishment calls the Russian-speaking ransomware gang an "enduring threat" for Canada, as well as internationally, as they notably were responsible for 22% of the nation’s attributed ransomware incidents last year, CBC Canada explains.

North Korean cyberespionage campaign.

Researchers at WithSecure are tracking a campaign by North Korea’s Lazarus Group that’s targeting “healthcare research, a manufacturer of technology used in energy, research, defense, and healthcare verticals, as well as the chemical engineering department of a leading research university.” One of the targeted healthcare research organizations was based in India. The attackers compromised their targets using known vulnerabilities in unpatched Zimbra platforms. The researchers believe the threat actor’s motive is cyberespionage.

Yandex source code leaked.

Source code belonging to Yandex, the Russian search engine giant, was leaked online. The leak doesn't appear to contain any customer data, BleepingComputer writes, and Yandex says the incident was an insider breach, not the result of an external attack. The files were stolen last July, and a former Yandex executive speculates that the motivation for the leak was political. In any case the hackers responsible don't appear to have tried to sell the code.

Latest trends and reports.

A study by Kaspersky describes the criminal labor market. Think of it as a cybercriminal’s Indeed. The Kaspersky report analyzed long-term and full-time job listings on 155 dark web forums from January 2020 through June 2022. Research found a high density of posted ads in March of 2020, suspected to be so because of the pandemic and the changing nature of the labor market. Hackers and APT groups are found to be the key employers, often searching developers (who comprise 61% of the total job listings). The highest salary shown for a developer was listed as $20,000 a month, though the median pay for the listings averaged between $1,300 and $4,000 a month for most IT professionals, with the highest medians seen in reverse engineer positions. For more on the cyber underworld's labor market, see CyberWire Pro.

Cisco AppDynamics has published a report looking at the increase in application security risks over the past several years. The survey found that “89% of technologists report that their organization has experienced an expansion in its attack surfaces over the last two years, and 46% state that this is already presenting increasing challenges.” Most respondents believe the main reason for this increase is the rapid adoption of IoT devices, the cloud, and hybrid work. Additionally, 92% of respondents “admit that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.” For more on the survey, see CyberWire Pro.

KELA has published a report looking at cybercriminals’ use of Telegram, explaining that Telegram’s Secret Chat feature provides encryption and relative anonymity. While the vast majority of the app’s users are legitimate, and Telegram has cooperated with law enforcement in the past, criminals are still attracted to the platform, both to connect with hacktivist groups and sell physical goods, including drugs, guns, and counterfeit luxury items. We stress that this amounts to abuse of a legitimate service. For more on Telegram's attractiveness to criminals, see CyberWire Pro.

A study from SecurityScorecard and The Cyentia Institute, titled “Close Encounters of the Third (and Fourth) Party Kind,” released Wednesday, describes cyber risks associated with third and fourth party providers. 98% of organizations, according to researchers, are connected with at least one third-party vendor with a recent history of a breach, defined by researchers as occurring within the last 2 years. One finding is particularly jarring: the researchers found that half of the organizations surveyed have “indirect relationships with at least 200 breached fourth-party vendors in the last two years.” For more on third-party risk, see CyberWire Pro.

A CSO Online article authored by Microsoft Security Wednesday took a deep dive into the prevalent nation-state threat trends identified in this year’s edition of their Digital Defense Report. Geopolitically motivated actors have a history of exploiting the software supply chain, but it now appears that their focus has shifted to IT services in the supply chain. The widespread use of cloud solutions and managed service providers (MSPs) makes them an attractive target for malicious actors, though they themselves are often not the end targets; rather, their connections to customers in industries like government, policy, and critical infrastructure can be compelling. Nation-state actors increasingly exploit zero-days. And, of course, "cyber mercenaries" are growing in importance. They're a particular danger to “dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced ‘surveillance as a service’ capabilities,” Microsoft explains. For more on these trends, see CyberWire Pro.

A BlackBerry survey has found that 71% of IT professionals believe that nation-state actors are already using ChatGPT to assist in launching cyberattacks, with 53% believing the top global concern to be ChatGPT’s ability to aid actors by feigning legitimate-sounding phishing emails, followed by 49% fearing both its technical and specialized learning potential amongst more inexperienced hackers, and its use in the spread of misinformation. Though most respondents believe in ChatGPT’s good potential, 95% believe government regulation will be needed for these types of tools.

Avanan has released a report detailing a campaign leveraging ClickFunnels, described as “an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses,” to bypass security measures. Ill-meaning actors are taking advantage of the service’s capability to create webpages, and are creating malicious pages with redirects to malicious links. Targets receive an email requesting the review of a file, providing a “Document Review” link. The email link opens a falsified OneDrive page with a “Get Document” button that redirects to a credential harvesting page. This incident is a textbook example of the Static Expressway: hackers leveraging the legitimacy of sites for hidden malicious purposes.

Mandiant has published a report outlining “notable changes” to the Gootloader malware over the course of 2022. The researchers say these changes “include the use of multiple variations of the FONELAUNCH launcher, the distribution of new follow-on payloads, and changes to the GOOTLOADER downloader and infection chain, including the introduction of GOOTLOADER.POWERSHELL.” The malware is also using new techniques for obfuscation. Gootloader is distributed via malicious business-related documents hosted on compromised websites.

In a series of tweets, Microsoft said that its researchers are tracking over a hundred threat actors who are engaged in deploying ransomware. Phishing remains the most common way the attackers gain access to their targets, but malvertising is growing in popularity. Another technique Microsoft researchers are seeing is deployment of bogus, malicious updates to compromise targets. Reliaquest blogged a detailed description of one network, called either "SocGholish" or "FakeUpdates" to do just that. The activity was noticed in January, and isn't, the researchers say, to be taken lightly.

Threat actor movements observed and reported over the week.

Cybersecurity firm Armorblox this morning detailed a new phishing campaign in which the hackers purport to be from DocuSign in an attempt to harvest credentials. The campaign begins with an email appearing to originate from DocuSign, with the subject line reading “Please DocuSign: Approve Document 2023-01-11.” The phishing email sender name reads “Docusign,” though the email address itself has no connection with DocuSign, nor does the domain. The phish requests the review and signature of a document. If clicked, the “VIEW COMPLETED DOCUMENT” button redirects to a malicious webpage. The page appears to be a Proofpoint login screen, though in actuality, if entered, the login credentials would be harvested. The language in the subject line of the email instills a sense of urgency in the victim. Both DocuSign and Proofpoint’s legitimacy were leveraged by the attackers to instill trust in those targeted. The accurate emulation of a DocuSign workflow also increased trust and likelihood of successful interactions for hackers. For more on this credential-harvesting campaign, see CyberWire Pro.

Researchers at DomainTools describe a fraud technique known as “pig butchering,” in which a threat actor poses as a financial advisor and eventually convinces a victim to invest in a phony cryptocurrency or another fraudulent venture. One campaign based in West Africa targeted “several hundred financial advisors,” and saw the attackers using LinkedIn and other professional networking services for research and contact, and advertising their services on social media platforms. The scammers also set up professional-looking websites, and generally try to avoid talking to the victim over the phone, preferring the site’s live chat widgets, and eventually email and WhatsApp. For more on this social engineering campaign against financial advisors, see CyberWire Pro.

Abnormal Security describes a business email compromise (BEC) gang it calls “Firebrick Ostrich” that performs third-party reconnaissance attacks in the service of subsequent business email compromise (BEC) attacks. The researchers explain that third-party reconnaissance attacks rely on open-source information rather than compromised accounts. The goal is to establish a protracted relationship with the target. After the threat actors have established that two organizations have a business relationship with each other, they’ll set up lookalike domains and email addresses to impersonate the vendor organization. They’ll then send a vague request for an invoice, hoping that an employee at the customer organization will assume it’s real. Firebrick Ostrich has launched more than 350 of these BEC attacks since April 2021, impersonating at least 151 organizations. All of the threat actor’s targets have been based in the US, although the targets seem to have been chosen opportunistically. For more on Firebrick Ostrich, see CyberWire Pro.

Sophos researchers released a report detailing their observations of fraudulent CryptoRom apps making their way into the App Store. Two CryptoRom apps were found on the Apple App Store, one called Ace Pro, and the other MBM_BitScan. Researchers suspect that the remote nature of the malicious functionalities allowed for concealment of the true nature of the app until after the stringent App Store review. Google Play also has a version of the app, though the vendor name is different. The actors behind the scams are tracked by researchers as the “ShaZhuPan” group. For more on CryptoRom, See CyberWire Pro.

Researchers at Cybersixgill Wednesday morning described the small, but pervasive group of threat actors shilling fraudulent cybersecurity certification services, from falsified diplomas and certificates to cheating services and leaked courses. Various cybersecurity certification courses are seeing an increased presence on the dark web, with researchers citing a 73% increase in advertised underground courses from 2021 to 2022. The courses hackers are selling online are from a variety of providers, and are offered at a steep discount. The average cost of cyber training courses varies, but can be upwards of $5,000, while many dark web scammers are offering courses for a maximum of around $200, based on course content. Some actors have also been seen giving the courses away in free downloads. For more on fraudulent credentials, see CyberWire Pro.

Security Affairs reported last Saturday that the LockBit Locker malware has been seen in use targeting small and midsize businesses (SMBs) in northern Europe. Though this malware is primarily operated by the group bearing the same name, these attacks don’t appear to originate from the gang. Rather, they seem to be the work of copycat actors who procured a leaked version of the gang’s malware. One instance targeting a Belgian company was observed in which a swath of internal files was encrypted by the faux-LockBit offenders. Fortunately, the company was able to resume normal operations after restoring their network from a backup, though the damage that can be wrought, even by unseasoned, unaffiliated “wannabes” (as Security Affairs affectionately calls the operators) remains considerable.

Researchers at Fortinet have discovered a malicious PyPI package called “web3-essential” that will download a malicious executable. The malware appears to be designed to steal login credentials and payment card information from browsers, including Google Chrome, Microsoft Edge, and Firefox. The researchers note that the package was published on the same day that its author joined the repository, and that “[g]iven the frequency of this pattern of simultaneously joining and publishing, it may be a wise idea to take precautions for downloading packages published by newly joined authors.”

Proofpoint Wednesday reported that they have observed an increase in the use of Microsoft OneNote documents as a delivery mechanism for malware in email by threat actors. Six campaigns were observed maliciously utilizing OneNote documents in December of last year, with a significant increase to 50 involved campaigns seen last month. Though the December campaigns saw a large portion of the victims in the educational sector, Proofpoint emphasizes that the majority of these attacks are distributed across a multitude of sectors, with significant variety in messages. TA577, an initial access broker first observed by Proofpoint in mid-2020 and said by the researchers to have connections with a 2021 REvil incident, was said to be observed using this method to distribute Qbot malware in late January after a month-long hiatus.

Aqua Nautilus researchers reported on a threat actor they’ve observed that they’ve coined “HeadCrab,” characterized by the researchers as a “new elusive and severe threat” impacting servers globally since September of 2021. The HeadCrab cybercriminal is said to utilize custom malware that is seemingly undetectable by both agentless and traditional antivirus approaches. The HeadCrab botnet is described as primarily targeting Redis servers, recounted by Aqua Nautilus as “open-source, in-memory data structure store[s] that can be used as a database, cache, or message broker” that lacks authentication methods, intending the servers only for use on closed, secured networks rather than the world wide web. HeadCrab is explained to have overtaken at least 1,200 servers.

Updates on cyber activity in the hybrid war against Ukraine.

ESET says a new strain of wiper malware they're calling "SwiftSlicer" has been deployed against Ukrainian networks. ESET Research tweeted their January 25th discovery with attribution to Sandworm, explaining that the wiper was deployed in Group Policy and is written in the Go programming language. SwiftSlicer represents a successor to HermeticWiper and CaddyWiper, both of which the Russian-affiliated Sandworm had deployed against Ukraine in the early phases of the invasion.

The Ukrainian Computer Emergency Response Team (CERT-UA) last Friday reported identifying five distinct strains of wiper malware in the networks of the Ukrinform news outlet. The strains, and the systems affected, were: CaddyWiper, ZeroWipe, and SDelete, all impacting Windows, AwfulShred, affecting Linux, and BidSwipe, targeting FreeBSD systems. The Russian hacktivist group "CyberArmyofRussia_Reborn" claimed credit in its Telegram channel for the infestations. BleepingComputer says that two of the strains, ZeroWipe and BidSwipe, represent either novel malware or, if they're existing, known strains, they're being tracked under unfamiliar names by CERT-UA. The SwiftSlicer wiper is being associated with Russia's GRU, specifically with the Sandworm group controlled by the service. Cyber Security Connect observes that Sandworm has a history, noting in particular their 2015 targeting of the Ukrainian power grid.

TASS quotes Russia's Deputy Foreign Minister Oleg Syromolotov as saying that the US has been responsible for recruiting and training members of Ukraine's auxiliary IT Army, a hacktivist group active against Russian targets. On Friday Roskomnadzor, Russia's Internet agency, blocked Russians' access to the US FBI, CIA, and Rewards for Justice sites, Interfax reports. They're run, the agency says, by a "hostile country," and they aim at "destabilizing the social and political situation in the Russian Federation."

Radware describes three organizations in particular that have been prominent in their support of the hacktivist mission of Russia's Killnet. The first, Infinity Music, saw its star publish a song called “KillnetFlow (Anonymous diss),” which offered support in the form of bad-boy street cred. HooliganZ Jewelry, a Moscow-based designer of street-thug inspired jewelry, is selling Killnet-branded drip. Solaris Marketplace, a darknet criminal marketplace, has made financial contributions to Killnet.

At least fourteen US medical centers were hit by distributed denial-of-service (DDoS) attacks Monday. The American Hospital Association attributed the incidents to the Russian cyber auxiliary Killnet. This week's DDoS attacks seem to have been quickly contained and mitigated, which has normally been the case with earlier Killnet actions. The hacktivists continued their distributed denial-of-service attacks against US medical centers into the week, with some of the targets reporting brief interruptions of important IT services. Delaware's Christiana Care, the University of Iowa Hospitals and Clinics, and a third-party vendor used by University of Michigan Health are among those who reported disruptions Tuesday. Becker's Hospital Review reports that Killnet has continued its attacks against hospitals in countries deemed hostile to Russia as the week has progressed, with the primarily DDoS-based attacks afflicting medical organizations in the UK, the Netherlands, the US, Germany, Poland, and the Scandinavian countries.

ESET's APT Activity Report for T3 2022, describes Sandworm’s "NikoWiper," said to be used against a Ukrainian energy company in October of last year. It's been difficult to see coordination between Russian kinetic and cyber operations, but the NikoWiper deployment at least coincided with Russian missile strikes against Ukraine's energy sector.

Russian deployment of wiper malware in the latter part of January has drawn a great deal of attention, and it was certainly a significant development, but a report by Ukraine's State Cyber Protection Centre of the State Service of Special Communication and Information Protection notes that Russian FSB-affiliated APT Gamaredon's recent activity has had a traditional objective: espionage and infostealing, “rather than system destroying activity."

Telegram, a platform that's enjoyed a reputation for anonymity, seems to have been penetrated by Russian security services. Wired reports that dissidents have been receiving police attention that seems to be accounted for only by Telegram's cooperation with the authorities.

The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.

Patch news.

CISA, the US Cybersecurity and Infrastructure Security Agency, released six Industrial Control Systems (ICS) advisories Thursday. They cover Delta Electronics DIAScreen, Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, Baicells Nova, Delta Electronics DVW-W02W2-E2, Delta Electronics DX-2100-L1-CN, and Mitsubishi Electric Multiple Factory Automation Products (Update D).

Crime and punishment.

An alleged member of the ShinyHunters cybercriminal gang, a 21 year-old Frenchman by the name of Sebastien Raoult, was extradited to the United States this week, The Register reports. The gang is said to involve itself in identity and corporate data thievery, as well as occasional extortion. HackRead wrote last Saturday was charged with nine counts, including "conspiracy, computer intrusion, wire fraud, and aggravated identity theft." He pleaded not guilty, and was detained until a hearing in early April.

Courts and torts.

EdScoop reports that the US Federal Trade Commission (FTC) has ordered California education technology provider Chegg to improve its security practices. As we previously noted, the FTC filed a complaint against Chegg last year for failing to adequately protect the personal information of its customers and employees, which resulted in four data breaches impacting more than 40 million users. On Friday, FTC commissioners voted unanimously in favor of finalizing an order that directs Chegg to take various steps to better secure its data. The steps include limiting the data the company collects and stores, introducing multifactor authentication options, and allowing users to access their data and delete it if they choose. Chegg has been given ninety days to develop a comprehensive information security plan. Director of the FTC’s Bureau of Consumer Protection Samuel Levine, stated, “Chegg took shortcuts with millions of students’ sensitive information. The order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.”

A lawsuit was filed against US online lending marketplace LendingTree in connection with a data breach that occurred in February 2022. The plaintiffs claim that the company failed to adequately protect users’ financial information. Bloomberg Law reports that on Wednesday federal Magistrate Judge David S. Cayer of the US District Court for the Western District of North Carolina determined that the lawsuit should be heard by an arbitrator, as the terms of use agreed to by all LendingTree account holders included a provision requiring all disputes be sent to arbitration. Back in July LendingTree notified 70,000 customers that their data had been impacted in the breach, but the complaint says that when the company disclosed the incident it failed to inform customers of the full scope of the breach.

On Monday, Hope College, a private liberal arts institution located in the US state of Michigan, was hit with a third class-action lawsuit linked to a data breach that occurred last fall. As FOX 17 West Michigan News (WXMI) explains, the incident exposed sensitive student data including names, dates of birth, and Social Security numbers. Two lawsuits were filed in December in which the plaintiffs accused the school of negligence, claiming victims were not informed about the breach in a timely fashion. One of those suits is requesting $5 million in damages. This third suit accuses the school of negligence as well as breaching fiduciary duty, unjust enrichment, breaching an implied contract and violating the Michigan Consumer Protection Act. When asked for a response back in December, Hope College stated that it “can not comment on pending litigation” but said that the school had conducted a thorough investigation and had reported the matter to federal law enforcement. 

Policies, procurements, and agency equities.

The Federal News Network reports that the US Cybersecurity and Infrastructure Security Agency (CISA) is establishing a new office dedicated to managing supply chain risk. The group will be led by Shon Lyublanovits, a former General Services Administration official who currently heads CISA’s project management office for cyber supply chain risk management (C-SCRM). Lyublanovits explains, “We’ve got to get to a point where we move out of this idea of just thinking broadly about C-SCRM and really figuring out what chunks I want to start to tackle first, creating that roadmap so that we can actually move this forward.” Congress established the Federal Acquisition Security Council (FASC) in 2018 to focus on government-wide security IT supply chains policies. Sean Peters, deputy program manager for FASC at the Office of Management and Budget said CISA has been designated as FASC’s “information sharing agency.” Meanwhile, FASC is developing a scorecard to help agencies and other organizations manage supply chain risk management challenges.

The Wall Street Journal reports that the Netherlands and Japan have agreed to join the US in restricting exports of advanced chip-manufacturing equipment to China. US President Joe Biden’s administration has been working to disrupt China’s military development by cutting the country off from access to cutting edge tech, and convincing allies to do the same. Top security officials from the Netherlands and Japan met with US national security adviser Jake Sullivan on Friday to discuss these efforts and agreed to implement export controls that would prevent companies with critical technologies from exporting their goods to China. Specifically, the Netherlands will prohibit Dutch photolithography company ASML Holding NV from selling their most advanced machines to China, and Japan will set similar restrictions on tech firm Nikon Corp. Insiders say the agreement hasn’t been formally announced yet due to concerns China might retaliate.

In response to a surge in cyberattacks against targets in India, which culminated with the recent attack on the All India Institute Of Medical Science, India’s Union Ministry of Home Affairs (MHA) says it’s finalizing plans for a new wing of police force “special commandos” focused on fighting cybercrime. Tribune Media reports that the plans were announced in the presence of PM Shri Narendra Modi last week at the All India Conference of Director Generals/ Inspector Generals of Police, and officials say the commandos will be deployed to each district across the country. Unlike existing cyber personnel on the police force, these specialists will undergo unique training and be endowed with the legal authority to immediately launch an investigation as soon as a cyberthreat or cybercrime is identified. 

Business news.

In updates on cyber and tech business news in the past week, we've seen announcements of a few acquisitions and investments. Texas-based investment firm Vista Equity Partners has completed its acquisition of KnowBe4, a California-based provider of security awareness training. Radiant Logic, a company specializing in identity data unification headquartered in California, has entered into an agreement to acquire French Identity Governance and Analytics organization Brainwave GRC. US defense and intelligence technology provider LinQuest Corporation has announced their acquisition of Ohio-based software engineering company Hellebore Consulting Group. Australian security vendor Tesserent has bought Brisbane-headquartered infosecurity training group ALC Group in a deal valued at $5.8 million. OneSpan, a digital agreement security company based in Chicago, has announced their agreement to acquire Australian secure storage startup ProvenDB. Los Angeles-based identity management company Saviynt has raised $205 million in growth funding from AllianceBernstein affiliate, AB Private Credit Investors’ Tech Capital Solutions group. Cloud data security company Sentra has raised $30 million in Series A funding, led by Standard Investments. Maryland-headquartered vulnerability management software firm Tenable has launched a $25 million venture fund under the name Tenable Ventures, intended to be used to drive seed and early-stage businesses focused on discovery, assessment and management of cybersecurity risk.

In this week's cyber and tech labor news, major companies continue to make cuts. Software company SAP has announced intentions to cut up to 3,000 members of its workforce, citing significant profit decreases at the end of 2022, according to the Wall Street Journal. Amidst what Bloomberg described as an "upbeat" yearly sales projection from the company, IBM announced plans to cut a "ballpark" figure of approximately 3,900 staff, CFO James Kavanaugh said last Wednesday. CTech noted the interesting decision made by Israeli cybersecurity company Checkmarx to hold an elaborate kickoff in Cancun, Mexico for 250 employees after laying off around 100 employees to "refocus resources" only months earlier. For a more comprehensive view into this week's business news, check out this week's CyberWire Pro Business Briefing.

Research developments.

In this week's research news, Kaspersky warns that the financially motivated threat actor Prilex is using three new versions of its malware (also called "Prilex") that can disable contactless payment transactions. Trend Micro has discovered a new ransomware dubbed "Mimic" that abuses the legitimate Windows filename search tool called "Everything" to query filenames and extensions for encryption. Check Point describes the history of TrickGate, a malware packer first observed in 2016, seen to distribute many strains of popular malware, including Trickbot, Maze, Emotet, REvil, Cobalt Strike, Formbook, and AgentTesla. For a deeper excursion into this week's cybersecurity research developments, see this week's edition of the CyberWire's Pro Research Briefing.