Killnet's leader outs the identity of the new Anonymous Russia leader, in an effort to consolidate power among pro-Russia cybercriminals.

There's drama brewing between various Kremlin-backed hacktivist groups, which percolated into public view this week with the move by Killnet group leader "Killmilk" to expose the identity of "Raty," the leader of seemingly aligned threat group Anonymous Russia.

Raty, outed as Arseni Yeliseyeu, was subsequently arrested in Belarus, Kellmilk said, according to new analysis from Flashpoint. Further, Killmilk decided to appoint a threat actor named "Radis" to head up Anonymous Russia in Raty's absence.

Following the announcement, the Anonymous Russia Telegram channel identified itself as steadfastly pro-Kremlin with a declaration of war against the "CIA rats," according to Flashpoint, and offered the group's distributed denial-of-service (DDoS) cyberattacks as a for-hire service, adding "anyone can purchase."

The episode is just the latest example of Killnet's attempts to consolidate power.

"The developing story highlights the twists and turns of pro-Kremlin hacktivism over the past approximately six months since Killnet first attempted to collect all major and minor groups under its own umbrella," Flashpoint's report said. "This endeavor has remained relatively unsuccessful."

Groups are pushing back against Killnet to strike out of their own, creating a more competitive hacktivist market, Flashpoint explained.

"In the past months several smaller groups, including Phoenix, announced the creation of their own alliances or business ventures, suggesting that the market of cybercrime services under the guise of hacktivism is getting crowded too," the report said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Killnet Boss Exposes Rival Leader in Kremlin Hacktivist Beef

The nation-stage threat group deployed custom malware on archaic versions of Cisco's router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.

As recently as 2021, the notorious Russian APT28 was exploiting network routers running outdated versions of Cisco's IOS and IOS XE operating system software, using them to deploy backdoors in networks across European and American government institutions.

APT28 — aka Fancy Bear, Strontium, Tsar Team, and Sofacy Group — is best known for its campaigns against Ukraine and the 2016 US elections. The UK National Cyber Security Centre (NCSC) has attributed this group to the 85th Special Service Centre, Military Intelligence Unit 26165, part of Russia's General Staff Main Intelligence Directorate (GRU).

NCSC, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and FBI this week published a joint advisory outlining one of APT28's less technically impressive but more economic maneuvers. According to their findings, the group used unpatched Cisco routers to access "a small number" of EU and US government institutions, on top of "approximately 250 Ukrainian victims."

Though the campaign took place two years ago, Cisco Talos in a blog post expressed how "deeply concerned" it is "by an increase in the rate of high-sophistication attacks on network infrastructure" by nation-state actors.

"We certainly have seen an increase over the last several years — even over the last six to 12 months — in targeting this type of infrastructure," says JJ Cummings, national security principal at Cisco Talos. "I think this is probably only the tip of the iceberg."

**Taking Advantage of Vulnerable Routers**

On June 29, 2017, Cisco revealed a series of vulnerabilities in the Simple Network Management Protocol (SNMP), a communications protocol for network devices running IOS versions 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17.

A specially crafted SNMP packet, the company explained, could have allowed attackers to remotely execute code on affected devices, or cause them to reboot. The vulnerabilities were grouped under CVE-2017-6742 and assigned a "High" CVSS score of 8.8.

Though a patch for the SNMP vulnerabilities was released all those years ago, by 2021 APT28 was still exploiting Cisco routers to access US, EU, and primarily Ukrainian government networks.

In the same way administrators use SNMP to remotely monitor and configure network devices, APT28 used it to remotely access devices and penetrate networks.

"A number of software tools can scan the entire network using SNMP," the advisory explained, "meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks."

In particular, APT28 took advantage of weak passwords — "community strings," in Cisco parlance — such as the default public string in order to crack routers and, in some cases, deploy their "Jaguar Tooth" malware. Jaguar Tooth was specifically designed to exploit CVE-2017-6742, stealing device information and planting a backdoor for persistent access.

**Thousands of Routers Are Exposed Online**

A remarkable number of enterprise Internet routers in operation today are publicly exposed on the open Internet. And they're not only exposed — they're vulnerable. For scale, consider this:

After a series of vulnerabilities were discovered in multiple Cisco Small Business Routers earlier this year, software company Censys scanned for any potentially vulnerable devices online. The search returned over 20,000 results, the vast majority of which are still equally exposed to this day.

And just as a software company can identify these devices, so can hackers." Usually, cybercriminals will be using tools like Shodan or Nmap to scan and look for exposed devices connected to the internet," explains James McQuiggan, security awareness advocate at KnowBe4. "Organizations may try the 'security by obscurity' model, hoping they're not discovered running older legacy systems," he says, but hackers who can find and so easily exploit these devices "have opened the electronic front door."

Cisco regularly publishes information about new vulnerabilities and risks to IT infrastructure, such as this blog post published on April 18

**Why Routers Go Unpatched**

In IT environments, Cummings observes, there's one main reason why routing devices remain unpatched for years at a time. "Think about what the primary mission of a network operations team is: to keep the network up and running, right?" A byproduct of this prioritization of reliability and availability, he says, could be that "if a device is not broken, maybe they're not going to fix it."

Further, updating can sometimes come at a cost — albeit temporary — for operations. "We've seen in a couple of cases that, while the process to upgrade isn't necessarily difficult or arduous, it's also not always without risk for network availability." If availability is the primary goal, "if they're incentivized not to impact that, anything that gets in the way is something that they're going to shy away from."

Updating IOS and IOS XE is necessary for addressing CVE-2017-6742, but in cases where doing so is tricky, there are other simple changes IT administrators can make to harden against similar infrastructure breaches. "If updates are not possible," McQuiggan says, "network monitoring — even if it's by a third-party managed security service — can alert of intrusions and possible unauthorized logins to external-facing networking equipment."

In its blog post, Cisco emphasized more than anything the need to restrict infrastructure to trusted users. "Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks," they wrote. "Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses."

Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies

Here are some of the most interesting, can't-miss sessions at the upcoming show in San Francisco.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Sizzling Sessions to Check Out at RSA Conference 2023

New funding to drive aggressive growth of industry’s only cybersecurity platform that brings enterprise grade cybersecurity to the mid-market; 300% year-over-year growth projected for 5th year in a row.

**NEW** **YORK--(****BUSINESS** **WIRE****)** **—** Coro, the modern cybersecurity platform for mid-market organizations, today announced a $75M funding round, bringing the total funding raised in the last 12 months to $155M. Coro added Energy Impact Partners to its current investors, Balderton Capital and JVP.

Coro continues to experience dramatic growth across all aspects of its business. The Company’s modern approach to cybersecurity – delivering enterprise grade security through a single platform that unifies, simplifies and automates workloads -- has been validated by more than 5000 mid-market customers across every vertical industry. Over the past year, Coro tripled its revenue, customer and employee base, and signed more than 100 new channel partners. The Company also expanded its footprint in Chicago, where a new business enablement center is under development to support the company’s direct sales team and rapidly growing network of resellers. Coro projects it will again grow 300% year-over-year in 2023, extending its extraordinary record to a 5th year in a row.

Coro will use the new funding to support its rapidly growing customer base and drive aggressive growth across its R&D, channel, sales and service teams. The new capital will also enable Coro to continue to expand the capabilities of its cybersecurity platform, both organically and through strategic acquisitions.

“Coro’s phenomenal growth shows they have the right solution for a huge and underserved market,” said Shawn Cherian, Partner at Energy Impact Partners. “Mid-market companies need a comprehensive cyber solution that protects their vital business assets without spending outrageous sums or requiring hard to find cybersecurity experts. Coro’s AI-powered platform, based on a modern approach to solving cybersecurity challenges, is taking the market by storm. We’re thrilled to be a part of the Coro revolution as they help secure the nation’s mid-market businesses and enable them to grow and thrive.”

“The additional funding is a validation that Coro’s disruption of the cybersecurity industry is succeeding,” said Guy Moskowitz, CEO, Coro. “While many cybersecurity vendors tried to address the mid-market by selling traditional products that were designed for an enterprise cybersecurity team to manage, Coro took a completely different route. Our modern approach to cybersecurity, where one platform automatically addresses all aspects of cybersecurity, was built from the ground up to ensure that mid-market companies can get enterprise grade protection without the complexity, workload or inflated price tag.”

Coro has stepped up to protect the hundreds of thousands of companies neglected by the cyber security industry by removing the three barriers inherent to the status quo: price, complexity, and the need for a dedicated cyber security team. Unlike current cyber security solutions such as anti-malware or phishing protection, which are focused on specific threats, Coro is the first SaaS solution to include all the security needed for a mid-sized business to protect its users, devices, email, data, and cloud applications. The platform uses automation to offload 95% of the security workload from IT and is offered as an affordable monthly subscription, which makes enterprise-grade security available to any business.

Coro’s modern approach to cybersecurity has been validated by significant customer growth across every vertical industry, including financial services, transportation and logistics, education, healthcare, retail, manufacturing, professional services and more. The company continues to garner top reviews from industry users, and was most recently ranked in G2’s 2023 Top 50 Cybersecurity Products and G2's 2023 Top 100 Fastest Growing Products.

**About Energy Impact Partners**

Energy Impact Partners LP (EIP) is a global investment firm leading the transition to a sustainable future. EIP brings together entrepreneurs and the world’s most forward-looking energy and industrial companies to advance innovation. With over $3 billion in assets under management, EIP invests globally across venture, growth, credit, and infrastructure – and has a team of over 80 professionals based in its offices in New York, San Francisco, Washington D.C., Palm Beach, London, Cologne, and Oslo. For more information on EIP, please visit www.energyimpactpartners.com

**About Coro**

Coro provides modern cybersecurity that unifies comprehensive protection into a single platform. Coro empowers organizations to defend against malware, ransomware, phishing, data leakage, insider threats and bots across devices, users, and cloud applications. More than 5,000 businesses depend on Coro for holistic security protection, unrivaled ease of use, and unmatched affordability. Coro’s modern cybersecurity platform automatically detects and remediates the many security threats that today's distributed businesses face, without IT teams having to worry, investigate, or fix issues themselves. In addition to Energy Impact Partners, investors in Coro include Balderton Capital, JVP, and Ashton Kutcher’s Sound Ventures.

For more information, please visit Coro at coro.net, or via LinkedIn, Twitter, or Facebook.

Coro Raises an Additional $75M Bringing the Total Raised to $155M in 12 Months

**AUSTIN, Texas – April 19, 2023 –** CrowdStrike (Nasdaq: CRWD) today introduced CrowdStrike Falcon Complete XDR, a new Managed eXtended Detection and Response (MXDR) service from the MDR and endpoint security market leader. CrowdStrike Falcon Complete XDR extends the elite expertise of its industry-leading MDR service, which includes 24/7 expert management, threat hunting, monitoring and end-to-end remediation, across all key attack surfaces to close the cybersecurity skills gap. Built on the CrowdStrike Falcon platform, CrowdStrike Falcon Complete XDR unifies human expertise with AI-powered automation and threat intelligence across security and IT categories to operationalize XDR for customers of any security maturity. CrowdStrike Falcon Complete XDR augments in-house teams of all skill levels, breaking down data and organizational silos to stop adversaries. Additionally, CrowdStrike is working with a broad ecosystem of leading partners who have built MXDR services on the CrowdStrike Falcon platform, providing customers a choice in a service delivered by CrowdStrike or managed capabilities offered by a global network of leading partners.

According to an Enterprise Strategy Group (ESG) report1, 47% of organizations believe they don’t have adequate skills for security operations. In addition, there’s an estimated cybersecurity workforce gap of 3.4 million people — and it’s holding organizations back from implementing a mature security program. Meanwhile, the CrowdStrike 2023 Global Threat Report revealed that 71% of cyber attacks detected in 2022 were malware-free (up from 62% in 2021) and interactive intrusions (hands on keyboard activity) increased 50% in 2022 – outlining how sophisticated human adversaries increasingly look to evade legacy antivirus and outsmart machine-only defenses.

“With MDR, CrowdStrike pioneered the idea of creating a seamless union between the technology, human expertise and an organization’s security team to close the gap between detection and response and deliver the outcome of stopping breaches. With Managed XDR services, organizations can entrust the implementation, management, response and end-to-end remediation of advanced threats across multiple vendors and attack surfaces — all without the burden, overhead or costs of deploying and managing a 24/7 threat detection and response function on their own,” said Tom Etheridge, chief global services officer at CrowdStrike.

**Partner-Delivered Managed XDR Services, Powered by CrowdStrike**

Today, CrowdStrike’s partners leverage the CrowdStrike Falcon platform to deliver MXDR services to customers. This unique collaboration, which has proven successful in the MDR market, has become the hallmark of CrowdStrike’s better-together strategy for bringing the value of XDR to organizations of all sizes. Leading Global System Integrators (GSIs) and Managed Security Service Providers (MSSPs) have taken advantage of delivering MXDR services powered by CrowdStrike, including:

*   **Damien Childs, BT’s Director of Cyber & Security Operations:** “The new Managed CrowdStrike Falcon XDR service from BT will allow our customers to reap the benefits of the industry-leading CrowdStrike Falcon platform, while also taking advantage of BT’s extensive managed security service capabilities. The service enables holistic threat protection that extends beyond the endpoint to also include identity and cloud security.”
*   **Rahul Bakshi, Chief Product Officer at eSentire:** “As CrowdStrike’s 2022 Global MSSP Partner of the Year, we provide 24/7 protection to small-to-medium businesses globally who lack the resources and expertise to manage the complexity of multiple points of security telemetry, including the industry-leading CrowdStrike Falcon platform. With eSentire MXDR service powered by CrowdStrike, our customers benefit from advanced protection with proactive threat hunting, deep multi-signal investigation and complete, rapid threat response, with a Mean Time to Contain of only 15 minutes.”
*   **Zeina Zakhour, CTO Digital Security, Eviden, Atos Group:** “CrowdStrike is a strategic partner for Eviden. We are excited to be once again the managed security partner of choice for CrowdStrike’s MXDR program. CrowdStrike EDR is closely integrated with Eviden’s AIsaac platform for delivering first-rate MXDR services. As the #1 MSSP worldwide, Eviden offers customers the ability to integrate existing security technologies in their environment, including XDR platforms like CrowdStrike, which independent analysts recognize as a leader.”
*   **Chris Rothe, CTO and Co-Founder at Red Canary:** “Red Canary MDR seamlessly integrates with the industry-leading CrowdStrike Falcon platform for increased protection against cyberattacks. Using CrowdStrike’s world-class XDR as the foundation, Red Canary monitors an organization’s environment 24×7 to stop more threats, reduce alert noise and speed up response.”
*   **Colin O’Connor, President of Field Operations at ReliaQuest:** “CrowdStrike is a valued partner and our integration with CrowdStrike Falcon Complete further enables us to deliver better security outcomes for joint customers. ReliaQuest GreyMatter, a security operations platform, takes telemetry from the CrowdStrike Falcon platform and combines it with data from other technologies such as SIEMs, CASBs and threat feeds to provide better context, enrich investigations and drive faster responses for proactive protection.”
*   **Alberto Sempere, VP Product & Innovation at Telefonica Tech:** “Telefonica Tech and CrowdStrike have a successful partnership. We are thrilled to have been selected as a preferred Managed Security Service Provider for the CrowdStrike MXDR program. The integration between CrowdStrike technology and Telefonica’s Tech services ensures the provision of exceptional MXDR services and is already a reality for many of our customers.”

“The CrowdStrike Falcon platform is quickly emerging as cybersecurity’s de facto XDR ecosystem. Our partners are foundational in helping organizations of all sizes on their XDR journeys. XDR is a team sport and our partner-friendly, customer-choice approach demonstrates our commitment,” said Daniel Bernard, chief business officer at CrowdStrike. “Partners have the same challenges as customers, which is finding the cybersecurity staff to deliver their services. That’s where the value proposition of CrowdStrike Falcon Complete XDR becomes extremely compelling with partners, such as BT, eSentire, Eviden, Red Canary, ReliaQuest and Telefonica Tech, who are turning to us to augment their own SOCs with CrowdStrike-powered offerings.” 

**MDR’s Market Leader Delivers World’s Best MXDR**

Ranked #1 in MDR market share by Gartner2, and recognized as a leader by IDC3 and Forrester4, CrowdStrike pioneered the MDR category with the CrowdStrike Falcon Complete offering. In the recent and first-ever MITRE Engenuity ATT&CK Evaluations for Security Service Providers, which evaluated 16 MDR providers, CrowdStrike Falcon Complete achieved the highest detection coverage, detecting 75 of 76 (or 99%) adversary techniques.

With CrowdStrike Falcon Complete XDR, CrowdStrike extends these industry-leading MDR capabilities across all supported CrowdStrike Falcon modules and third-party vendors including CrowdXDR Alliance partners.

“Organizations that are looking for a follow-the-sun coverage model and full hands-on remote triage, investigation and end-to-end remediation actions should strongly consider a managed XDR service. CrowdStrike showed in the most recent IDC MarketScape on U.S. MDR that they are well-positioned to meet the needs of organizations that are looking to implement solutions that fulfill their detection and response needs, but do not have the resources to appropriately implement, operate and maintain it,” said Craig Robinson, IDC Research VP of Security Services.

**Additional Resources**

*   For more information on CrowdStrike Falcon Complete XDR, please visit the website.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

CrowdStrike Announces Managed XDR to Close the Cybersecurity Skills Gap, Expands MDR Portfolio

Originally sentenced to 40 months in prison, the former Nintendo Switch hacker is being released early due to good behavior but still owes millions.

Gary Bowser, who was indicted in 2020 and sentenced in 2021 to 40 months in prison for being a part of a hacking ring known as Team Xecuter, has been released.

Team Xecuter was a Nintendo hacking group whose activities included selling chips that allowed users to play in pirated games. Though Bowser played a relatively smaller role in the hacking operations compared with the other members of the ring (Max Louarn and Yuanning Chen), he was the only one who was tried and convicted in the US. Bowser was charged with 11 felonies: wire fraud, conspiracy to circumvent technological measures, trafficking in circumvention devices, and conspiracy to commit money laundering.

The piracy and hacking operations cost Nintendo more than $65 million over a decade-long period of time, it was determined.

After pleading guilty to two of the charges, Bowser was fined $14.5 million and sentenced, but he is being released early due to good behavior. He has paid just $175 of the fine from his time in prison, with the help of his prison library job, meaning he still has a long way to go, to say the least. Until the full amount of his fine is paid off, his pay will continue to be docked — although only 25% to 30% can be docked at a time, as per his agreement with Nintendo.

The extremity of Bowser's sentence comes from the intended message to deter other hackers from committing similar crimes. "It's the purchase of video games that sustains Nintendo and the Nintendo ecosystem, and it is the games that make the people smile," Nintendo lawyer Ajay Singh told the court back in 2022. "It's for that reason that we do all we can to prevent games on Nintendo systems from being stolen."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Gary Bowser, Former Nintendo Hacker, Released From Prison

Unsophisticated attackers can pinpoint where a person lives by lifting metadata from Strava and other apps, even if they're using a feature specifically aimed at protecting their location information.

Fitness apps such as Strava leak sensitive location information of users, even when they've used in-app features to specifically set up privacy zones to hide their activity within specified areas, researchers have found.

Two PhD students from KU Leuven in Belgium have discovered that if a person is starting his or her activity from home, an attacker with limited skills can use high-precision API metadata revealed in the app to pinpoint their home location, even if they've set up what's called an "endpoint privacy zone" (EPZ) for that area.

Moreover, despite contacting the companies with apps leaking this data, the problem is still largely unsolved, the researchers, Karel Dhondt and Victor Le Pochat, said. They plan to present their findings at Black Hat Asia in a session called "A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks." Dhondt and Pochat previously presented the work and its accompanying paper at the ACM Conference on Computer and Communications Security (CCS) 2022 last November.

People use fitness apps like Strava to keep track of and share data about their fitness activity — such as running, cycling, or walking. From within the app, they can set and reach fitness goals, as well as compete or fitness train virtually with friends, among other uses.

However, this data, if it falls into the wrong hands, can be used against them to locate where they live or where they frequently conduct their fitness activity, leading to potential physical harm. In 2017, this scenario came to light when researchers revealed that Strava shared secret Army base locations when personnel on active duty shared their fitness activity to the app, potentially exposing them and their military activity to enemies and putting them at physical risk.

**When App Privacy Isn't Private**

In response to this revelation, Strava and other fitness apps added privacy features — called EPZs in Strava, but which has other names in other apps. These allow users to hide portions of their route around sensitive locations, such as their homes or offices, and only track activity once they've left those defined areas.

Specifically, EPZ in Strava is a circular area that someone can configure to hide traces of activity that occur within it. Other apps covered in the research that have similar features include Garmin Connect, Relive, Komoot, Map My Tracks, and Ride With GPS.

Dhondt and Le Pochat—a cyclist and a runner, respectively—are fitness-app enthusiasts themselves and embarked on their investigation out of their own personal interest. They knew that in theory, EPZs within Strava should protect location data about these sensitive locations from being revealed to app users, or anyone else viewing their activity data.

But that's actually not the case, they found. The researchers successfully constructed a cyberattack using distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ, they revealed in their research. These results allowed them to use regression analysis to predict protected locations of users even when they had set up privacy zones to hide them.

"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Dhondt explains in an interview with Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."

Using this metadata combined with maps of the local area, the researchers could make predictions about where other users ended or started their activity, thus where they live or work, he says.

Moreover, the attack itself is unsophisticated, meaning that anyone with a simple developer tool that can examine API data from Web server communications can view the leaked data, the researchers say.

"It's not like they have to forge API calls or alter ways they communicate with Strava," Dhondt says. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."

**Devising the Attack**

Researchers conducted their research using data from users worldwide and experimented to see if their attack worked in both sparsely populated or densely populated areas. It turns out that it does, but of course it's much easier to pinpoint locations in areas where there are only a few houses or other buildings, the researchers say.

Moreover, setting up a larger EPZ reduced the attack performance and success rate, while geographically dispersed activities in sparser street grids yield better attack performance. "In rural or sparse areas, if you have a privacy zone of 200 meters with only a couple of houses in the zone, it's easier to pinpoint location," Dhondt says.

In terms of the data collected and examined, the researchers conducted random, large-scale data scraping of 4,000 users and 1.4 million Strava activities in various worldwide locations over a month-long period. Their results for Strava found that the attack discovers the protected location for up to 85% of EPZs, thus only protecting 15% of users who set up these zones.

**Mitigation & (Lack of) Response **

The researchers responsibly disclosed their findings to all of the companies whose apps they investigated, as well as offered a number of ways that issues can be resolved. However, so far, only Strava has responded to researchers beyond thanking them for the disclosure, and the two are in ongoing discussions with the fitness app provider for potential mitigations.

Still, the companies don't seem particularly interested in applying mitigations, citing diminished user experience if the proposed fixes were applied, the researchers said.

"They were reluctant to apply any of our recommendations because they felt like it would negatively impact the utility for their users," Dhondt says. However, while this may be true of the some of the proposed fixes, it's not true of all of them, he says.

One mitigation, for instance, calls for the apps to minimize the accuracy of the data revealed in APIs used in network communications. In Strava, the data in the user interface about the distance traveled is rounded down with 10-meter accuracy, and the distance traveled within the privacy zone is shown rounded down with 100-meter accuracy. However, both distances are provided in the API with 0.1 meter accuracy, Le Pochat says.

Therefore, "the lower the accuracy of the reported distances in the API, the lower the success rate \[of the attack\] would be," Dhondt says.

The researchers also suggest that the apps could help the users choose the size of their privacy zone given the area in which they live and whether it's densely populated or not, which would be a relatively easy fix to do, they say. They also suggest using non-circular, less-typical shapes to create the zone to make it more difficult to pinpoint the location, which the Kommut app already does.

To be fair, though, some of the suggested mitigations do take away from the user experience of the app, the researchers acknowledge. Among these are suggestions to shift the distance slightly by taking it from the start and adding it to the end, and another to cut off the start and finish in the privacy zone from the distance measured in the app so no one could track where a user had been during their route.

"People use these apps to track their performances, so they might not like that," Dhondt says. "They take away from some of the fun and attraction of these apps."

Overall, the researchers say, Strava and other fitness-app providers have to balance the usability and functionality of these apps and decide what's more important.

"It's a difficult decision whether you prioritize privacy, which reduces the amount of data and reduces the functionality, or prioritize the functionality of the app," Le Pochat says. "Sometimes you have to make tradeoffs and give away privacy to gain functionality."

Popular Fitness Apps Leak Location Data Even When Users Set Privacy Zones

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.

Popular attacks for a trio of critical vulnerabilities kept exploitation at the top of the list of initial-access methods in 2022, while the war between Russia and Ukraine resulted in an unprecedented volume of attacks from a specific group of threat actors.

That's according to the annual M-Trends report from Google Cloud's Mandiant, published on April 18, which highlights that a few global incidents can dramatically affect the overall threat landscape. 

The volume of attacks used in the Russia-Ukraine conflict, for example, resulted in the government sector's rise to the top of the list of targeted industries, accounting for 25% of all attacks investigated by Mandiant, up from 9% in 2021, when government agencies ranked sixth on the list. Meanwhile, about 36% of incidents investigated by Mandiant included the use of software exploits, with four out of every nine of those attacks targeting a vulnerable version of Log4j, the open source logging library.

Significant events — such as the Log4j patch effort — can have massive, albeit temporary, effects on the threat landscape, says Luke McNamara, a principal analyst with Mandiant.

"You have this ... massive spike in these methods as the initial infection vector, but a lot of it was ... the impact of one singular incident," he says, comparing the impact to the surge in supply chain attacks in 2021 due to the compromise of SolarWinds. "It's not necessarily indicative that this is going to be a large-scale trend that we're gonna see more and more of, but just something that impacts the threat activity for that given year."

Similarly, Russia's war against Ukraine had a dramatic impact on the threat landscape for more than year, Google Cloud stated in the report. A cyber-espionage group, UNC2589, and another group linked to Russian military intelligence, APT28, conducted extensive information collection and disinformation operations prior to Russia's February 2022 invasion of Ukraine. Now the threat groups appear to alternate information gathering and espionage campaigns with destructive attacks.

In the first four months of the war, the Mandiant group recorded more destructive attacks against Ukrainian organizations than in the previous eight years, according to the report.

"The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations," the Mandiant report stated. "Mandiant has never observed threat actor activity that matches the volume of attacks, variety of threat actors, and coordination of effort as was seen during the first months following the invasion by Russia."

**A Few Good Flaws**

Those attacks — and the threat landscape more generally — relied on a handful of initial access methods. Overall, 80% of the incidents investigated by Mandiant typically used a software exploit, phishing attacks, stolen credentials, or leveraged a prior compromise, the report stated. The exploitation of known vulnerabilities was the most popular initial access vector, accounting for 32% of incidents where the initial compromise could be determined, while phishing accounted for 22% and stolen credentials for 14%.

    

Exploits accounted for about a third of initial attacks, with more than 80% enabled by three vulnerabilities. Source: M-Trends 2023

Among exploits, three vulnerabilities made up the lion's share of the attacks. The primary vulnerability in Log4j (CVE-2021-44228) accounted for the largest portion (44%) of known exploits, but along with two other vulnerabilities — one affecting F5's Big-IP (CVE-2022-1388) and another affecting VMware's Workspace One Access and Identity Manager (CVE-2022-22954) — the trio accounted for nearly 90% of exploits.

Because all three vulnerabilities are often accessible remotely, attackers scan for them regularly, McNamara says.

"Targeting and exploiting perimeter devices that are accessible via the internet — things like firewalls, virtualization solutions, VPN — those are highly sought after targets for attackers," he says. "We saw this with Ukraine because \[threat groups\] leverage a lot kind of 'living on the edge,' as we put it, where they've used edge and perimeter network devices to come back in when they've been kicked out multiple times from a given organization."

**More External Detections, Less Dwell Time**

In another trend, the share of incidents discovered internally shrank in 2022, with 37% incidents detected by the targeted company and 63% of incidents disclosed to the target by a third party. The share of incidents not detected by a company's internal security teams has grown in every geography, slowly in the Americas, but much more quickly in the Asia-Pacific region (APAC) and the Europe, Middle East, and Africa (EMEA) regions.

Yet despite the more significant role played by third parties in attack detection, dwell time has decreased to 16 days in 2022, down from 21 in 2021. The debate is whether the decrease is due to defenders detecting attacks more quickly or attackers ending an attack with a destructive — and obvious — payload, Google Cloud's McNamara says.

"Really, the last two, three, four years, we've seen more and more disruptive activity, as the extortion space has become more multifaceted," he says. "Trying to kind of tease out how much of that is due to organizational maturity — organizations are getting better at catching threat actors — and how much of it is due to ... the nature of the activity itself is difficult."

However, while the median dwell time is 16 days, ransomware investigations are only seeing a median dwell time of nine days, whereas it's 17 days for non-ransomware investigations.

The cyber conflict between Russia and Ukraine also impacted the dwell time, according to Mandiant's report, as external intelligence agencies and companies notified Ukrainian organizations of breaches.

"The increase in external notification observed in 2022 is likely impacted by Mandiant’s investigative support of cyber threat activity which targeted Ukraine and an increase in proactive notification efforts," the report stated. "Proactive notifications from security partners enable organizations to launch response efforts more effectively."

3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Combined solutions expected to deliver complete API visibility and security coverage across all of the OWASP API top 10 attacks.

**CAMBRIDGE, Mass.****,** **April 19, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today announces that it has entered into a definitive agreement to acquire Neosec, an API detection and response platform based on data and behavioral analytics.

Neosec's API security solution will complement Akamai's market leading application and API security portfolio by dramatically extending Akamai's visibility into the rapidly growing API threat landscape. The combination is designed to make it easy for customers to secure their API's by helping them discover all of their APIs, assess their risk, and respond to vulnerabilities and attacks.

"With rapidly accelerating digital transformation, APIs are the new frontier for digital business and the enablement of critical business functions," said Mani Sundaram, executive vice president and general manager, Security Technology Group, Akamai Technologies. "Enterprises expose full business logic and process data via APIs, which, in a cloud-based economy, are vulnerable to cyberattacks. Neosec's platform and Akamai's application security portfolio will allow customers to gain visibility into all APIs, analyze their behavior and protect against API attacks."

The combined API solutions are expected to put Akamai at the forefront of a critical emerging category of API security for which customers are actively seeking support. The rapidly growing global market for API security solutions is driven by the proliferation of APIs and the associated increase in cybersecurity threats. API-based architectures and microservices are the core of every application developed today, from B2B to web and mobile applications, and therefore are a primary target for attackers. Additionally, regulatory compliance laws such as FFIEC, SOC, GDPR, HIPAA and PCI DSS require enterprises to strengthen their security measures on APIs.

"What sets Neosec apart from other API security providers is the complete visibility into all API activity and the use of behavioral analytics that detect threats others miss," said Giora Engel, co-founder and chief executive officer, Neosec. "Unlike other solutions, Neosec delivers rich, XDR-like API visibility combined with detection and response capabilities that enable full investigation and threat hunting. Ultimately, Akamai customers will have a better view into all of their API activity, to identify vulnerabilities and threats before they are exposed, and detect attacks in runtime."

Neosec, headquartered in Palo Alto, California and Tel Aviv, Israel, is a privately funded company. Neosec's employees, including co-founder and CEO, Giora Engel, and co-founder and chief technology officer, Ziv Sivan, are expected to join Akamai's Security Technology business.

The acquisition is expected to close in the second quarter of 2023. For the fiscal year 2023, the acquisition is anticipated to be slightly dilutive to non-GAAP EPS by approximately $0.04 to $0.06 and is not expected to add any material revenue. On its next quarterly earnings call currently scheduled for May 9, 2023, Akamai plans to provide first quarter financial results and full year 2023 financial guidance including any expected impact from Neosec.

For more information, visit the Akamai application and API security page.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

**Akamai Statement Under the Private Securities Litigation Reform Act**

This release contains statements that are not statements of historical fact and constitute forward-looking statements for purposes of the safe harbor provisions under The Private Securities Litigation Reform Act of 1995, including, but not limited to, statements about expectations, plans and prospects of Akamai. Actual results may differ materially from those indicated by these forward-looking statements as a result of various important factors including, but not limited to, the failure of our investments in innovation to generate solutions that are accepted in the market; effects of competition, including pricing pressure and changing business models; impact of macroeconomic trends, including economic uncertainty; conditions and uncertainties in the geopolitical environment; continuing supply chain and logistics costs, constraints, changes or disruptions; defects or disruptions in our products or IT systems, including cyberattacks, data breaches or malware; failure to realize the expected benefits of any of our acquisitions or reorganizations; changes to economic, political and regulatory conditions in the United States and internationally; delay in developing or failure to develop new service offerings or functionalities, and if developed, lack of market acceptance of such service offerings and functionalities or failure of such solutions to operate as expected, and other factors that are discussed in our Annual Report on Form 10-K, quarterly reports on Form 10-Q, and other documents periodically filed with the SEC. In addition, the statements in this press release and on our quarterly earnings conference call represent Akamai's expectations and beliefs as of the date of this press release. Akamai anticipates that subsequent events and developments may cause these expectations and beliefs to change. However, while Akamai may elect to update these forward-looking statements at some point in the future, it specifically disclaims any obligation to do so. These forward-looking statements should not be relied upon as representing Akamai's expectations or beliefs as of any date subsequent to the date of this press release.

**Use of Non-GAAP Financial Measures**

In addition to providing financial measurements based on generally accepted accounting principles in the United States of America (GAAP), Akamai provides additional financial metrics that are not prepared in accordance with GAAP (non-GAAP financial measures). Management uses non-GAAP financial measures to understand and compare operating results across accounting periods, for financial and operational decision making, for planning and forecasting purposes, to measure executive compensation and to evaluate Akamai's financial performance. The non-GAAP financial measure used in this release is non-GAAP net income per diluted share.

Management believes that this non-GAAP financial measure reflects Akamai's ongoing business in a manner that allows for meaningful comparisons and analysis of trends in the business, as it facilitates comparing financial results across accounting periods and to those of our peer companies. Management also believes that this non-GAAP financial measure enables investors to evaluate Akamai's operating results and future prospects in the same manner as management. The non-GAAP net income per diluted share metric may exclude expenses and gains that may be unusual in nature, infrequent or not reflective of Akamai's ongoing operating results.

This non-GAAP financial measure does not replace the presentation of Akamai's GAAP financial results and should only be used as a supplement to, not as a substitute for, Akamai's financial results presented in accordance with GAAP. For historical non-GAAP measures, Akamai has provided a reconciliation of each non-GAAP financial measure used in its financial reporting and investor presentations to the most directly comparable GAAP financial measure. These reconciliations can be found under the caption "Reconciliation of GAAP to Non-GAAP Financial Measures" on the Investor Relations section of Akamai's website.

Akamai provides forward-looking statements in the form of guidance during its quarterly earnings conference calls.  This guidance is provided on a non-GAAP basis and cannot be reconciled to the closest GAAP measure without unreasonable effort because of the unpredictability of the amounts and timing of events affecting the items we exclude from non-GAAP measures. For example, stock-based compensation is unpredictable for Akamai's performance-based awards, which can fluctuate significantly based on current expectations of future achievement of performance-based targets. Amortization of intangible assets, acquisition-related costs and restructuring costs are all impacted by the timing and size of potential future actions, which are difficult to predict. In addition, from time to time, Akamai excludes certain items that occur infrequently, which are also inherently difficult to predict and estimate. It is also difficult to predict the tax effect of the items we exclude and to estimate certain discrete tax items, like the resolution of tax audits or changes to tax laws. As such, the costs that are being excluded from non-GAAP guidance are difficult to predict and a reconciliation or a range of results could lead to disclosure that would be imprecise or potentially misleading. Material changes to any one of the exclusions could have a significant effect on our guidance and future GAAP results.

Akamai's definition of the non-GAAP measure used in this press release is outlined below:

Non-GAAP net income per diluted share – Non-GAAP net income divided by weighted average diluted common shares outstanding. Diluted weighted average shares outstanding are adjusted in non-GAAP per share calculations for the shares that would be delivered to Akamai pursuant to the note hedge transactions entered into in connection with the issuances of $1,150 million of convertible senior notes due 2027 and 2025, respectively. Under GAAP, shares delivered under hedge transactions are not considered offsetting shares in the fully-diluted share calculation until they are delivered. However, the company would receive a benefit from the note hedge transactions and would not allow the dilution to occur, so management believes that adjusting for this benefit provides a meaningful view of operating performance. With respect to the convertible senior notes due in each of 2027 and 2025, unless Akamai's weighted average stock price is greater than $116.18 and $95.10, respectively, the initial conversion price, there will be no difference between GAAP and non-GAAP diluted weighted average common shares outstanding.

Non-GAAP net income – GAAP net income adjusted for the following tax-affected items: amortization of acquired intangible assets; stock-based compensation; amortization of capitalized stock-based compensation; acquisition-related costs; restructuring charges; amortization of debt discount and issuance costs; amortization of capitalized interest expense; certain gains and losses on investments; income and losses from equity method investment; and other non-recurring or unusual items that may arise from time to time.

The non-GAAP adjustments, and Akamai's basis for excluding them from non-GAAP financial measures, are outlined below:

*   Amortization of acquired intangible assets – Akamai has incurred amortization of intangible assets, included in its GAAP financial statements, related to various acquisitions Akamai has made. The amount of an acquisition's purchase price allocated to intangible assets and term of its related amortization can vary significantly and is unique to each acquisition; therefore, Akamai excludes amortization of acquired intangible assets from its non-GAAP financial measures to provide investors with a consistent basis for comparing pre- and post-acquisition operating results.
*   Stock-based compensation and amortization of capitalized stock-based compensation – Although stock-based compensation is an important aspect of the compensation paid to Akamai's employees, the grant date fair value varies based on the stock price at the time of grant, varying valuation methodologies, subjective assumptions and the variety of award types. This makes the comparison of Akamai's current financial results to previous and future periods difficult to interpret; therefore, Akamai believes it is useful to exclude stock-based compensation and amortization of capitalized stock-based compensation from its non-GAAP financial measures in order to highlight the performance of Akamai's core business and to be consistent with the way many investors evaluate its performance and compare its operating results to peer companies.
*   Acquisition-related costs – Acquisition-related costs include transaction fees, advisory fees, due diligence costs and other direct costs associated with strategic activities, as well as certain additional compensation costs payable to employees acquired from the Linode acquisition if employed for a certain period of time. The additional compensation cost was initiated by and determined by the seller, and is in addition to normal levels of compensation, including retention programs, offered by Akamai. Acquisition-related costs are impacted by the timing and size of the acquisitions, and Akamai excludes acquisition-related costs from its non-GAAP financial measures to provide a useful comparison of  operating results to prior periods and to its peer companies because such amounts vary significantly based on the magnitude of the acquisition transactions and do not reflect Akamai's core operations.
*   Restructuring charges – Akamai has incurred restructuring charges from programs that have significantly changed either the scope of the business undertaken by the Company or the manner in which that business is conducted. These charges include severance and related expenses for workforce reductions, impairments of long-lived assets that will no longer be used in operations (including right-of-use assets, other facility-related property and equipment and internal-use software) and termination fees for any contracts canceled as part of these programs. Akamai excludes these items from its non-GAAP financial measures when evaluating its continuing business performance as such items vary significantly based on the magnitude of the restructuring action and do not reflect expected future operating expenses. In addition, these charges do not necessarily provide meaningful insight into the fundamentals of current or past operations of its business.
*   Amortization of debt discount and issuance costs and amortization of capitalized interest expense – In August 2019, Akamai issued $1,150 million of convertible senior notes due 2027 with a coupon interest rate of 0.375%. In May 2018, Akamai issued $1,150 million of convertible senior notes due 2025 with a coupon interest rate of 0.125%. The imputed interest rates of these convertible senior notes were 3.10% and 4.26%, respectively. This is a result of the debt discounts recorded for the conversion features that, prior to January 1, 2022, were required to be separately accounted for as equity under GAAP, thereby reducing the carrying value of the convertible debt instruments. The debt discounts were amortized as interest expense. On January 1, 2022, Akamai adopted the new guidance for accounting for convertible instruments. This new guidance eliminated separate accounting for the equity portion, and thus the amortization of the debt discount that was recorded as interest expense.  Prior to January 1, 2022, Akamai excluded this non-cash interest expense from its non-GAAP results because it was not representative of ongoing operating performance.  After January 1, 2022, this interest expense is no longer included in or excluded from GAAP or non-GAAP results. Additionally,  the issuance costs of the convertible senior notes are amortized to interest expense and are also excluded from Akamai's non-GAAP results because management believes the non-cash amortization expense  is not representative of ongoing operating performance.
*   Gains and losses on investments – Akamai has recorded gains and losses from the disposition, changes to fair value and impairment of certain investments. Akamai believes excluding these amounts from its non-GAAP financial measures is useful to investors as the types of events giving rise to these gains and losses are not representative of Akamai's core business operations and ongoing operating performance
*   Income and losses from equity method investment – Akamai records income or losses on its share of earnings and losses from its equity method investment. Akamai excludes such income and losses because it does not have direct control over the operations of the investment and the related income and losses are not representative of its core business operations.
*   Income tax effect of non-GAAP adjustments and certain discrete tax items – The non-GAAP adjustments described above are reported on a pre-tax basis. The income tax effect of non-GAAP adjustments is the difference between GAAP and non-GAAP income tax expense. Non-GAAP income tax expense is computed on non-GAAP pre-tax income (GAAP pre-tax income adjusted for non-GAAP adjustments) and excludes certain discrete tax items (such as recording or releasing of valuation allowances), if any. Akamai believes that applying the non-GAAP adjustments and their related income tax effect allows Akamai to highlight income attributable to its core operations.

Akamai Technologies to Acquire API Security Company Neosec

MFA isn't immune from the tug of war between attackers and defenders.

It's a well-known and statistically proven fact that password-only credentials pose the highest cyber-risk to people and organizations. Passwords are easily compromised through a wide variety of attacks, such as social engineering and phishing, and often packaged and sold online.

With the widespread adoption of remote work both during and post-pandemic, the need for tighter security created an inflection point for organizations to finally adopt multifactor authentication (MFA) solutions. MFA has been around for decades, and there are abundant options in the marketplace suitable for every industry and organization. But while MFA is inherently more secure than password-only credentials, not all MFA solutions are created equal, and each must be properly configured and managed to prevent attackers from circumventing them.

The premise of MFA is that by requiring "multiple factors" for authentication — a combination of something you know, something you have, something you are and something you do — it makes the job of an attacker with, say, just a stolen password much harder. Unfortunately, when MFA is based on two weaker factors — such as a password (something you know and can easily remember) and a mobile push notification (delivered to something you have, like a mobile authenticator app) — it can still be compromised. For example, a bad actor might use a dictionary attack to obtain a password and then, upon encountering a verification step using MFA, employ push notification phishing to bombard and trick the user into approving the repeated requests. This technique is commonly referred to as MFA fatigue and was recently used by a teenager to perpetrate a successful attack on Uber.

**Phishing-Resistant MFA**

The good news is that there are phishing-resistant MFA solutions based on standards by the Fast Identity Online (FIDO 2.0) suite of specifications, which includes support for passwordless authentication. In addition, there are hardware-based options such as smart card standards and specifications based on the efforts of the Secure Technology Alliance.

Many MFA solutions employ biometrics for a "something you are" authentication factor. The beauty of biometrics is that they possess these fundamental characteristics, which are:

*   **Universal:** Every person using a system or application can be expected to possess the feature (e.g., face, finger, voice)
*   **Unique:** Every person has unique, different, and distinguishable aspects of the feature (e.g., facial features, fingerprint ridges and valleys, voice tone and intonation)

*   **Permanent:** The feature is reasonably stable, permanent, and invariable over time to perform matching
*   **Collectable:** The feature set can be acquired, measured, and processed with ease during capture
*   **Defendable:** The feature can be defended from abuse, misuse, theft, imitation, and substitution
*   **Performant:** The feature, when combined with matching and liveness detection, performs with accuracy, speed, scale, and ease of use
*   **Adoptable:** The population expected to use their personal features are willing adopters and enrollers

**The Deepfake Problem**

Leaving aside the criticisms of biometrics (over bias, collection, misuse, privacy, and surveillance), threat actors are now using presentation attack types such as deepfakes and spoofing to get around them. While it might sound like something right out of a movie script, in recent years financial institutions and banks have experienced unprecedented fraud during new account creation, loan applications, payments, and transaction disputes. These and other highly regulated industries are legally required to perform identity proofing and verification processes referred to as "electronic know your customer" (eKYC). Unfortunately, not only do many legitimate applicants fail to complete the proofing and verification process due to its complexity, but bad actors have been impersonating real people and using synthetic data seek to "mask" their identities in fake documents and during biometric enrollment.

Fortunately, deepfakes and spoofing can be thwarted through techniques (such as passive liveness detection) that are undetectable by bad actors. There are several third-party-testing and -certifying labs that not only validate vendor solutions but will also validate the implementation of the solution to ensure it is deployed effectively. And just last month, the third edition of the "Handbook of Biometric Anti-Spoofing" was released, which has been updated with broader coverage of presentation attack detection (PAD) methods for a range of biometric modalities, including face, fingerprint, iris, voice, vein, and signature recognition.

There is no question that MFA provides organizations with a significant upgrade in protection over passwords. Like most cybersecurity technologies, however, MFA isn't immune from the continual tug of war between attackers and defenders. Organizations need to think carefully about which solution they choose and how it's implemented, to avoid falling victim to the latest threats.

Source

DARKReading