Dealing with the implications of ChatGPT. Telegram impersonation affects cryptocurrency firm. Phishing attacks.

By the CyberWire staff

At a glance.

  • Dealing with the implications of ChatGPT.
  • Telegram impersonation affects cryptocurrency firm.
  • Phishing attacks.
  • The NOTAM outage appears not to have been caused by a cyberattack.
  • Ransomware attacks and developments.
  • Dark Pink APT active against Asian targets.
  • Kinsing cryptojacking targets Kubernetes instances.
  • The Health3PT initiative seeks to manage 3rd-party risk.
  • Iranian VPN users afflicted by Trojanized installation apps.
  • Updates on cyber activity in Russia’s hybrid war against Ukraine.
  • Patch news.
  • Courts and torts.
  • Policies, procurements, and agency equities.
  • Business news.
  • Research developments.

Dealing with the implications of ChatGPT.

AIM reports that the New York City Department of Education has banned ChatGPT on school devices due to concerns about plagiarism. Vox notes that the chatbot is able to write decent essays that can pass popular anti-plagiarism tools like Turnitin. The Daily Beast reports that students are already using the AI to complete writing assignments. A technology question-and-answer site also banned the use of ChatGPT due to technical errors in its responses. Even if the service is technically banned by schools, however, it’s difficult to see how such a ban could be enforced.

Princeton student Edward Tian attempted to offer a solution to this dilemma by creating an app called GPTZero, designed to detect if an essay was written by a human or an AI. The Daily Beast explains that GPTZero uses “perplexity” and “burstiness” as metrics. Perplexity is “a measurement of randomness in a sentence,” while burstiness is “the quality of overall randomness for all the sentences in a text.” Human-written sentences generally vary in complexity, while bots usually create sentences that are consistently low-complexity. For more on the implications of ChatGPT, see CyberWire Pro.

Telegram impersonation affects cryptocurrency firm.

SafeGuard Cyber Monday morning released a report detailing an observed instance of impersonation of a cryptocurrency firm in Telegram that may have been the activity of threat actor DEV-0139. In December 2022, Microsoft released research around a threat actor they’ve tracked as DEV-0139. The malicious actor is said to have “joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms.” An Excel file sent by the actor named “OKX Binance & Huobi VIP fee comparision.xls” contains malicious macros. For more on this (probable) DEV-0139 campaign, see CyberWire Pro.

Phishing attacks.

Avanan, a Check Point Software Company, released a report detailing a phishing campaign impersonating Facebook for credential harvesting. The attack begins with an email appearing to be from Facebook saying that the victim’s account had been suspended for violations of “Community Standards”. They’re told they have the ability to “appeal” the decision within 24 hours, or face permanent account deletion. The threat actor provides a link, which in actuality leads to a credential harvesting page, but appears to be from Meta. For more on the impersonation campaign, see CyberWire Pro.

AhnLab Security Emergency Response Center (ASEC) researchers reportedly found at least two phishing pages, “pokemon-go[.]io” and “beta-pokemoncards[.]io,” offering the installer of a fake Pokemon NFT card game used to distribute the NetSupport RAT onto victim devices, Cybernews reports. Clicking the “Play on PC” button on the phishing page would download a faux game installer that in actuality contained the NetSupport RAT, ASEC said. Neither of the links was reportedly active as of Monday. For more on Pokémon NFT phishbait, see CyberWire Pro.

Avanan released a blog this week detailing a new variation of an attack first observed in November 2022, leveraging Microsoft Customer Voice to bypass security scanners in a technique known as the Static Expressway. This variation of the attack sends an email appearing to be a shared fax containing “particularly sensitive or confidential information.” If the end user clicks on the email link, they’ll land on a page with a link to preview or print the document, which leads to a legitimate Customer Voice URL. Linked in the “CLICK HERE TO PRINT” button is what appears to be a OneDrive login screen, but in reality is a credential harvesting page. For more on the static expressway, see CyberWire Pro.

It’s the time of year when many companies inform their employees of raises or other changes to their compensation. Criminals are using this to shape their phishbait. Proofpoint describes the form the phishing is assuming: “With bonus and #salary reviews coming up, threat actors know it and are using these lures for #socialengineering. On January 10th 2023, @proofpoint observed emails with #phishing links purporting to be from #HumanResources and utilizing bonus and #payraise lures.”

The NOTAM outage appears not to have been caused by a cyberattack.

The US Federal Aviation Administration grounded all domestic flights early yesterday morning after an outage of the Notice to Air Missions system. A technical failure appears to be behind the approximately 90-minute outage, rather than the work of nefarious actors. The FAA initially reported the outage and grounded all domestic flights at 7:15 AM ET Wednesday, saying they were “working to fully restore” the NOTAM system. Just before 9:00 AM ET, Bloomberg explains, the ground stop was officially lifted, with normal air traffic operations “gradually” returning. The FAA revealed that they preliminarily linked the outage to a damaged database file. The Wall Street Journal writes that Canadian provider, NAV Canada, saw an outage of their NOTAM system as well just after 10:00 AM ET, which was restored at roughly 1:15 PM ET. According to the New York Times, a spokeswoman for NAV Canada, Vanessa Adams, said that she did not believe there was a connection to the FAA outage, despite the coincidence.

A source speaking to CNN claimed that air traffic controllers recognized the system issue on Tuesday afternoon, intending to reboot the system during less congested hours, on Wednesday morning. The reboot took place as planned, though the system still “wasn’t completely pushing out the pertinent information that it needed for safe flight, and it appeared that it was taking longer to do that,” according to CNN’s source, which led to the eventual grounding order. A senior government official cited aging infrastructure as a contributing factor, noting that the system is “30 years old and not scheduled to be updated for another six years,” according to NBC News. For background on the NOTAM outage, see CyberWire Pro.

Ransomware attacks and developments.

Cyber disruptions to the UK’s Royal Mail service, first reported on Wednesday as a “cyber incident,” have now been identified as a ransomware attack, linked to the Russian-affiliated LockBit gang, Computing reports. The Telegraph broke the news of the confirmed ransomware attack Thursday, with attribution to LockBit, or an actor using the gang’s encryptor. The attack was behind the encryption of devices used for shipping internationally, and ransom notes were reportedly printed on printers intended for customs dockets. The ransom note claims to be “LockBit Black Ransomware,” with links to Tor sites used by LockBit operators and a ‘Decryption ID’ said by multiple security researchers to be unusable, Bleeping Computer confirmed yesterday. When Bleeping Computer reached out for comment, LockBit Support claimed that the gang “did not attack Royal Mail and they blamed it on other threat actors using their leaked builder.” There is “no end in sight” to service disruption, stressed a Royal Mail spokesperson, the BBC reported last night. For more on the Royal Mail ransomware attack, see CyberWire Pro.

The Guardian has confirmed that it sustained a ransomware attack last month. The Guardian Media Group’s CEO Anna Bateson and the Guardian’s editor-in-chief Katharine Viner sent an email to employees on Wednesday stating that the firm had suffered a “highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network.” The attackers were able to access personal data of the company’s UK employees. Graham Cluley explains that these data included “names, addresses, dates of birth, National Insurance numbers, bank account details, salary information, and identity documents such as passports.” For more on the Guardian breach, see CyberWire Pro.

Delinea has published its 2022 State of Ransomware Report, finding that there’s been a sharp decrease in the volume of ransomware attacks, though the average ransom demand has gone up. Delinea found that only 25% of respondents said their organizations were hit by ransomware in 2022, down from 64% in 2021. The number of victims who paid the ransom also fell from 82% to 68%. The researchers aren’t sure what led to this decline, but they note that it may be due to the reorganization among major ransomware crews (particularly Conti) that took place during 2022. Despite the slowdown in attacks, the researchers found that the average ransom demand has gone up over the past year. The survey also highlights a discouraging trend: organizations seem to be taking the ransomware threat less seriously than they did in 2022. The researchers found that most (76%) of organizations increase their security budgets only after they’ve suffered a ransomware attack. For more on the ransomware trends of the year that just ended, see CyberWire Pro.

Moody’s Investors Service released a comment on the December attack against The Hospital for Sick Children (SickKids) in Toronto. While the impact of the attack itself was contained, the hospital’s exposure to risk, along with an apology and alleged remedy from the threat actors, seems out of the ordinary. The ransomware attack against SickKids took place on December 18. The hospital did not pay the ransom, and the overall attack has been contained, more or less, with 80% of systems back online, and most systems causing delays back to normal. Despite efforts from the hospital over the last few years to mitigate cyber risk, this attack shows that the hospital was still susceptible to ransomware. For more on Moody’s assessment, see CyberWire Pro.

Researchers at At-Bay believe a critical Citrix vulnerability is being exploited by the Royal ransomware gang. Citrix disclosed CVE-2022-27510 on November 8th, 2022. The vulnerability “allows for the potential bypass of authentication measures on two Citrix products: the Application Delivery Controller (ADC) and Gateway.” At-Bay researchers last week observed what appears to be the first known exploitation of the flaw in the wild. The researchers recommend that organizations apply Citrix’s patches and mitigations as soon as possible. For more on Royal’s exploitation of Citrix, see CyberWire Pro.

Dark Pink APT active against Asian targets.

Group-IB reported that it’s observing extensive activity by the Dark Pink APT. The researchers have been unable to connect it to any previously observed campaigns, which leads them to conjecture that Dark Pink represents a new threat group. “The confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam,” the report says. Dark Pink seems to be a cyberespionage outfit. Its mission appears to be collection of industrial intelligence.

Kinsing cryptojacking targets Kubernetes instances.

Microsoft describes the initial access techniques used by the Kinsing cryptojacking malware to target Kubernetes instances. Microsoft explains that the two most common tactics used by Kinsing to gain initial access are “[e]xploitation of weakly configured PostgreSQL containers and exploiting vulnerable images.” Kinsing attackers search for applications with container images that are vulnerable to remote code execution. Applications that were exploited by this method include PHPUnit, Liferay, WebLogic, and WordPress. For more on the Kinsing attacks, see CyberWire Pro.

The Health3PT initiative seeks to manage 3rd-party risk.

The Health 3rd Party Trust (Health3PT) Initiative and Council was announced today, bringing together leaders in the healthcare industry to approach third-party cyber risk management. The Health3PT initiative seeks to approach solutions to the problem of third-party cyber risk management, with many security leaders in the US healthcare industry taking part. This comes following increased targeting of the healthcare industry by malicious actors, with the intent to better defend healthcare systems against supply chain attacks. “Managing third party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides,” said Shenny Sheth, Deputy CISO for Centura Health. “That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes.” For more on Health3PT, see CyberWire Pro.

Iranian VPN users afflicted by Trojanized installation apps.

Bitdefender has reported that Trojanized versions of VPN installers are staging SecondEye, a monitoring application, on victims’ devices. SecondEye is sold legitimately, but this is a surreptitious use of the product to gain insight into user activity. Many Iranians have sought out consumer VPN products as a way of shielding themselves from monitoring by their government. Bitdefender calls the campaign “EyeSpy,” and says that the software it installs “has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto-wallets, and passwords.” While the researchers don’t offer attribution, the victimology suggests an Iranian threat group.

Updates on cyber activity in Russia’s hybrid war against Ukraine.

Since Russia’s invasion of Ukraine, Moldova has felt more uneasy than any other country in the Near Abroad except Ukraine itself. There are too many parallels to Ukraine’s situation for comfort. Like Ukraine, Moldova has received hostile Russian attention in cyberspace. Ukraine has seen factitious liberation movements seek to detach Donetsk and Luhansk; Moldova has an even longer history of Russian-sponsored secession in Transnistria. The Record reports that Moldova’s government has, over the past week, seen a surge in phishing attempts seeking to compromise official and corporate networks. These efforts have been accompanied by impersonation campaigns that misrepresent themselves as communications originating with senior Moldovan officials.

Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection of Ukraine, told Politico that Ukraine was gathering information on the ways in which Russian cyberattacks have constituted war crimes. Some of the Russian cyber intelligence work has allegedly been used to support “filtration,” that is, the identification of civilians regarded as posing a threat to Russian occupation. “Russian troops often use filtration procedures on occupied territories to identify people who support Ukraine, who were engaged in public service, or military service, so they capture them, then torture, kill,” Zhora said. Ukrainian authorities are referring the digital evidence they’ve collected to the International Criminal Court with a view to eventual prosecution of the Russian personnel and officials responsible.

EU Reporter notes that the annual report from the European Union’s cybersecurity agency, ENISA, describes ways in which Russia’s war has driven an increase in cyberattacks. As we’ve had many occasions to observe, the consequences of those attacks have fallen short of prewar expectations.

Russian hacktivists (Killnet is a prominent example) have served as auxiliaries in Russia’s hybrid war, and they have been particularly active against targets in countries friendly to Ukraine. Russia has far fewer friends and partners internationally, but one of them, Iran, has now apparently been hit by pro-Ukrainian hacktivists. SC Media reports that distributed denial-of-service (DDoS) attacks have affected a number of Iranian websites, including but not limited to sites belonging to the National Iranian Oil Company and Iran’s supreme leader Ali Khamenei. The hacktivists who claimed credit, the Record reports, are clear that their operations are a reprisal for Iran’s willingness to supply Russia with Shahed drones used in attacks against Ukrainian cities. They explicitly threaten attacks against industrial control systems if Iran doesn’t stop the weapons flow.

SentinelOne describes a Russian hacktivist auxiliary campaign against NATO organizations, bearing the paradoxical name “NoName057(16),” and known to have been active since March of 2022. The threat group specializes in DDoS, and it deploys such attacks against websites it regards as important to countries that have been friendly to Kyiv and critical of Russia’s war against Ukraine. Its operations are similar to those of Killnet. SentinelOne says that NoName057(16) has been responsible for action against the Danish financial sector that Reuters reported early this week. The threat group has also this week been active against campaign websites associated with the upcoming Czech presidential election.

GitHub has taken down accounts associated with hacktivist group NoName057(16). CyberScoop quotes a GitHub representative: “We disabled the accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attacks or uses GitHub as a means to deliver malicious executables.”

Russia has taken exception to Reuters’ report, last week, that the Cold River group, widely believed to operate on behalf of Russian intelligence, had attempted to compromise workers at the US Brookhaven, Argonne, and Lawrence Livermore National Laboratories. “The latest pseudo investigation was unfortunately published by Reuters news agency,” Maria Zakharova, Russia’s Foreign Ministry spokeswoman, said yesterday in a press briefing, and cited a lack of evidence from the outlet. Reuters stands by its story, as indeed Reuters should.

The CyberWire’s continuing coverage of the unfolding crisis in Ukraine may be found here.

Patch news.

On Patch Tuesday this week, prominent among the updates published were those issued by Microsoft (ninety-eight patches, with one vulnerability fully disclosed and a second undergoing active exploitation in the wild) and by Adobe (for Acrobat and Reader, InDesign, InCopy, and Dimension).

The US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems (ICS) Advisories Tuesday, one for Black Box KVM, the other for Delta Electronics InfraSuite Device Master (Update A). On Thursday, twelve more were released. They affect Sewio RTLS Studio, RONDS Equipment Predictive Maintenance Solution, InHand Networks InRouter, Panasonic Sanyo CCTV Network Camera, SAUTER Controls Nova 200 – 220 Series (PLC 6), Johnson Controls Metasys, Hitachi Energy Lumada APM, Siemens S7-1500 CPU devices, Siemens Mendix SAML Module, Siemens Automation License Manager, Siemens Solid Edge before V2023 MP1, and Philips Patient Information Center iX (PIC iX) and Efficia CM Series (Update A).

SAP also issued patches this week. Thomas Fritsch, SAP security researcher at Onapsis, offered some perspective on the fixes provided for the widely used family of business software: 

  • “SAP Security Note #3262810, tagged with a CVSS score of 9.9, patches a critical Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform, which can be exploited by an authenticated attacker over the network and can cause a high impact on the confidentiality, integrity, and availability of the application. The note contains a patch and a workaround for those customers who can’t provide this patch immediately, the latter of which can only be used as a temporary solution as it removes, stops or disables the affected service. 
  • “SAP Security Note #3275391, also tagged with a CVSS score of 9.9, patches a loophole that allowed an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation Microsoft. The crafted queries can include commands to read, modify, or delete arbitrary data from the backend database. 
  • “SAP Security Note #3089413, tagged with a CVSS score of 9.0, which addresses a capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform, may affect a wide number of SAP customers and the complexity of the mitigation suggests a lot of work, both for SAP administrators and potentially for SAP development departments.” 

LookingGlass Cyber released a blog explaining the most prevalent known exploited vulnerabilities (KEV) present in the US financial sector in November of last year. Over half of the vulnerabilities detected by LookingGlass in November 2022 were found affecting insurance, with approximately a quarter composed of credit intermediaries, and a third resulting from third-party service providers. The most commonly observed KEV in the US financial services sector was CVE-2015-1635. The seven-year-old remote code execution vulnerability is said to impact Windows, and is still common in critical infrastructure today. For more on these KEVs, see CyberWire Pro.

Courts and torts.

Seattle Public Schools has filed a lawsuit against the parent companies of TikTok, Instagram, Facebook, YouTube, and Snapchat, claiming that the social media platforms have driven a rise in mental and emotional health issues among youth. The Seattle school district said in a statement that excessive social media use is harmful to young people, and social media companies have intentionally crafted their products to be addictive. For more on the lawsuit, and industry’s response to it, see CyberWire Pro.

On Monday the US Supreme Court rejected the bid of Israeli spyware maker NSO Group to end the lawsuit filed against the company by WhatsApp. The encrypted messaging platform claims that NSO targeted fourteen hundred of its users with NSO’s Pegasus surveillance software, and WhatsApp parent company Meta is attempting to block NSO from all of its platforms and servers, as well as recover unspecified damages. NSO argues that it should be considered a foreign government agent, meaning the company would be entitled to immunity under US law limiting lawsuits against foreign countries, but the US Justice Department wrote that “NSO plainly is not entitled to immunity here.” As Security Week recounts, the WhatsApp suit is just one of many currently being lodged against NSO, which has been accused of selling its spyware to government clients seeking to snoop on journalists, rights activists, and politicians across the globe. NSO has also been blacklisted by the US Commerce Department, which says the company’s products were complicit in “transnational repression.” WhatsApp spokesperson Carl Woog said, “We firmly believe that their operations violate U.S. law and they must be held to account for their unlawful operations.” NSO responded, “We are confident that the court will determine that the use of Pegasus by its customers was legal.”

The US Securities and Exchange Commission filed a lawsuit on Tuesday against Washington, DC-based law firm Covington & Burling for the names of almost 300 clients impacted by the company’s undisclosed 2020 hack, Reuters explained Wednesday. The hack, conducted by cyberespionage gang Hafnium, which Reuters notes is allegedly Chinese-affiliated, “gained unauthorized access to the firm’s computer network and certain individual devices,” the National Law Review detailed yesterday. The SEC is looking to see if any person or organization impacted or involved in the hack has violated federal securities laws, but Covington asserts that they are bound by attorney-client privilege, and that only seven of the files of affected companies had any data of interest, a figure the SEC has not been able to confirm.

The US Supreme Court is in the midst of a case challenging Section 230 of the Communications Decency Act of 1996, which shields internet companies from liability for the content posted by users. The plaintiffs are the family of Nohemi Gonzalez, a woman who was killed in a 2015 ISIS terrorist attack, and they argue that video streaming site YouTube not only knowingly allowed radicalizing videos on their platform, but that YouTube’s algorithms also recommended those videos to viewers. Yesterday, the Wall Street Journal reports, YouTube parent company Google filed a new brief arguing that scaling back Section 230 could not only lead to increased censorship, but could also result in an increase in offensive content on smaller platforms who drop their filters in order to avoid liability for censoring their content. The brief reads, “This Court should decline to adopt novel and untested theories that risk transforming today’s internet into a forced choice between overly curated mainstream sites or fringe sites flooded with objectionable content.” The case is set for oral arguments on February 21.

Policies, procurements, and agency equities.

Reuters reports that the US states of New Jersey and Ohio Monday announced they are banning the use of TikTok, the popular video-streaming app owned by Chinese tech company ByteDance, on government devices. As the Washington Post notes, the two states are joining the growing list of nearly two dozen states that have imposed restrictions on the use of TikTok due to concerns that user data could end up in the hands of the Chinese government. While the majority of these states are headed by Republican leaders, some Democrat governments, like New Jersey, have also joined the fray. Ohio’s Republican Governor Mike DeWine stated, “These surreptitious data privacy and cybersecurity practices pose national and local security and cybersecurity threats to users of these applications and platforms and the devices storing the applications and platforms.” New Jersey’s Democrat Governor Phil Murphy said that in addition to banning the app from state devices, he is also banning software vendors, products, and services from over a dozen vendors including Huawei, Hikvision, Tencent Holdings, ZTE Corporation, and Kaspersky Lab. On Friday, Wisconsin Governor Tony Evers announced his state was also banning use of TikTok on state-owned or managed devices, and last month US lawmakers banned the app from federal employee devices.

Marco Mendicino, Canada’s federal public safety minister, says he is willing to work with other parliamentarians to update the Liberal government’s cybersecurity legislation. The bill in question, which was introduced last year, stipulates that key enterprises in the banking and telecommunications sectors must improve their cybersecurity and transparency regarding digital attacks, or risk penalties for noncompliance. Global News explains that civil society groups and parliament members from the opposition have expressed concerns that the bill would allow government surveillance in violation of private companies’ privacy rights, and would also authorize the government to collect broad categories of information from operators that could pose a risk to personal data. Mendicino has argued that the legislation is necessary to protect Canada’s essential systems from cyber threats, but he conceded in a recent interview that the government is ready to compromise in order to find “ways in which we might improve this bill,” and that the overarching goal is to “put in place the smart and prudent steps to guard against potential threats to our national security in cyberspace.”

Business news.

In this week’s business news, we’ve seen the acquisition of application security company nVisium by Minnesota-based pentesting and attack service management company NetSPI. Cerberus Sentinel, a cybersecurity and compliance provider based in Arizona, has signed a definitive agreement to acquire Argentinian cybersecurity company RAN Security, with the transaction expected to close later this year. Netskope, a California-based cloud security company, has raised $401 million in convertible notes from investment funds managed by Morgan Stanley Tactical Value, with participation from Goldman Sachs Asset Management, Ontario Teachers’ Pension Plan and CPP Investments, CRN reports. The Wall Street Journal reported last week that the creators of the widely known ChatGPT chatbot, OpenAI, are reportedly in talks with potential investors about sales of shares that put the company at a $29 billion valuation, said those familiar with the situation.

Twitter has seen more slashes to its workforce in the last week. The Information reports that 40 advertising data scientists and engineers at the social media giant were laid off last Wednesday. A cut of at least a dozen trust and safety team employees in the blue bird’s Dublin and Singapore offices took place Friday, Bloomberg reports. Fortune wrote Saturday that those impacted by Twitter’s layoffs in November finally received severance agreements that left the former employees disappointed. Insider reports that the severance packages contained offers of one month of severance pay on the basis that there would be no speaking of the company or lawsuits against it. Musk previously said he would provide three months of severance, but it seems as though he included the two months of “non-working employment,” in which the former employees continued to be paid while waiting for the severance. The method of delivery for the payments themselves also had to be confirmed by Twitter to be legitimate, as the email was automatically filtered into multiple spam inboxes for suspected phishing.

Other companies have been reacting similarly to negative trends in the economy. Amazon is laying off 18,000 people, citing overhiring and economic uncertainty as reasoning for the layoffs, Computing wrote last Thursday. The 1.2% of the staff that is affected will be notified by January 18, the BBC reports. Crypto lender Genesis Global Trading laid off 30% of its staff across all departments on Thursday, the Wall Street Journal reports, and is considering filing for bankruptcy. Yahoo Finance reports that Salesforce announced Wednesday plans to cut 10% of its workforce, with CEO Marc Benioff claiming responsibility and citing hiring “too many people leading into this economic downturn,” in a statement to employees. Cisco is also reportedly cutting 673 jobs to save money, CRN reports.

For a more in-depth look into this week’s business news, see this week’s edition of the CyberWire’s Pro Business Briefing.

Research developments.

In cybersecurity research news this week, Check Point is tracking a financially motivated threat actor dubbed “Blind Eagle” that’s targeting entities based in Ecuador with phishing emails that purport to come from an Ecuadorian government institution. Blind Eagle’s previous campaigns were confined to targeting entities in Colombia. The researchers explain that the threat actor uses a combination of remote access Trojans and living-off-the-land tactics. A security research team led by Sam Curry found vulnerabilities affecting vehicles from sixteen leading car manufacturers over the course of 2022. The car manufacturers have since released patches for the flaws, and Curry’s team last week published an extensive writeup on the vulnerabilities.

For a deeper foray into this week’s cybersecurity research, check out this week’s edition of the CyberWire’s Pro Research Briefing.
