At a glance.
- NIST issues antiphishing guidance.
- Cisco patches command injection vulnerability.
- Ransomware as misdirection for cyberespionage.
- North Korean cyberespionage campaign.
- Yandex source code leaked.
- Latest trends and reports.
- Threat actor movements observed and reported over the week.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
NIST issues antiphishing guidance.
NIST has published a report encouraging the use of phishing-resistant authenticators. According to NIST Special Publication DRAFT 800-63-B4, a phishing-resistant authenticator offers “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.” NIST outlines the properties a phishing-resistant authenticator should have, and notes that these types of authenticators can only prevent attacks in which the threat actor is trying to log in to something. Users should still be wary of phishing attacks that attempt to install malware or steal sensitive information. For more on NIST's antiphishing guidance, see CyberWire Pro.
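As an added illustration of the property NIST describes (this is not part of the original brief or of NIST's text): a relying-party verifier for a WebAuthn-style assertion, paired with a constructed authenticator. The origin, RP ID, challenge values and the `bank.example` names are assumptions, and an HMAC keyed with a random secret stands in for the real per-credential public-key signature so the code runs on the standard library alone.

```python
import hashlib, hmac, json, os, struct

# Constructed stand-in for a FIDO2/WebAuthn authenticator. A real one signs with a
# per-credential private key; HMAC with a random secret is used here only so the
# example runs on the standard library (an assumption, not the real signature scheme).
CREDENTIAL_SECRET = os.urandom(32)

def authenticator_sign(rp_id, origin, challenge):
    """Browser + authenticator side: clientDataJSON is built by the browser from the
    real origin, and the authenticator signs authenticatorData || SHA-256(clientData)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, to_sign, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}

def verify_assertion(assertion, expected_rp_id, allowed_origins, expected_challenge):
    """Relying-party checks; each one defeats a different way an impostor could relay."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or a different session)"
    if cd.get("origin") not in allowed_origins:
        return False, "assertion was produced for origin %r" % cd.get("origin")
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash is not this relying party's"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"

RP_ID, ORIGINS = "bank.example", {"https://bank.example"}  # constructed relying party

def demo():
    """Genuine login, a login relayed from a look-alike site, and that relay with
    the origin and rpIdHash rewritten to look genuine."""
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; real RPs issue fresh random bytes
    genuine = authenticator_sign(RP_ID, "https://bank.example", challenge)
    relayed = authenticator_sign("bank-example.test", "https://bank-example.test", challenge)
    forged = dict(relayed,
        authenticatorData=hashlib.sha256(RP_ID.encode()).digest() + relayed["authenticatorData"][32:],
        clientDataJSON=relayed["clientDataJSON"].replace(b"https://bank-example.test", b"https://bank.example"))
    return {"genuine": verify_assertion(genuine, RP_ID, ORIGINS, challenge),
            "relayed": verify_assertion(relayed, RP_ID, ORIGINS, challenge),
            "forged": verify_assertion(forged, RP_ID, ORIGINS, challenge)}
```

`demo()` returns the three verdicts: only the genuine assertion is accepted, the relayed one fails the origin check, and the rewritten one fails the signature check because the signature covers the original clientDataJSON and authenticatorData.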
Cisco patches command injection vulnerability.
Researchers at Trellix discovered two vulnerabilities in Cisco appliances, one of which could be used to gain persistent root access to the affected system. The more serious of the two vulnerabilities is CVE-2023-20076, a remote command injection flaw. The researchers first discovered this flaw in a Cisco ISR 4431 router, then found that it also affected a “wide range of other Cisco devices.” Cisco has released patches, and customers are urged to apply them as soon as possible. Trellix notes that “Cisco was a model partner in this research and disclosure process.” For more on the vulnerabilities and their remediation, see CyberWire Pro.
Ransomware as misdirection for cyberespionage.
LockBit has publicly taken responsibility for the attack on the London-based ION Group, Computing disclosed this morning, and is demanding a ransom by tomorrow. If the prompt ransom request is not met, data stolen from the group will be leaked, the gang threatened on a dark web site. The United States Federal Bureau of Investigation has begun its own search for information on the attack, in addition to UK regulators conducting individual investigations, Bloomberg reported. Canada's Communications Security Establishment calls the Russian-speaking ransomware gang an "enduring threat" for Canada, as well as internationally, as it was responsible for 22% of the nation’s attributed ransomware incidents last year, CBC Canada explains.
North Korean cyberespionage campaign.
Researchers at WithSecure are tracking a campaign by North Korea’s Lazarus Group that’s targeting “healthcare research, a manufacturer of technology used in energy, research, defense, and healthcare verticals, as well as the chemical engineering department of a leading research university.” One of the targeted healthcare research organizations was based in India. The attackers compromised their targets using known vulnerabilities in unpatched Zimbra platforms. The researchers believe the threat actor’s motive is cyberespionage.
Yandex source code leaked.
Source code belonging to Yandex, the Russian search engine giant, was leaked online. The leak doesn't appear to contain any customer data, BleepingComputer writes, and Yandex says the incident was an insider breach, not the result of an external attack. The files were stolen last July, and a former Yandex executive speculates that the motivation for the leak was political. In any case, the hackers responsible don't appear to have tried to sell the code.