The app market is saturated with over 7 million apps across major stores. Analytics mobile apps have become…

The app market is saturated with over 7 million apps across major stores. Analytics mobile apps have become essential for developers and marketers to gain a competitive edge. These tools offer critical insights into user behaviour, app performance, and success metrics.

To capitalize on this growth, understanding your app’s performance is crucial. A study by App Annie reveals that apps using analytics tools see a 63% higher user retention rate and a 25% increase in user engagement. This article will guide you through selecting the best mobile app analytics tools, enabling data-driven optimization and ROI maximization.

****What are mobile app analytics tools?****

Mobile app analytics tools are sophisticated software solutions designed to track, measure, and analyze various aspects of app performance and user behaviour. These tools go beyond basic metrics like downloads and active users, providing deep insights into how users interact with your app.

Key benefits include:

*   Identifying user pain points and drop-off rates
*   Optimizing user flows and conversion funnels
*   Personalizing user experiences based on behavior patterns
*   Detecting and resolving technical issues quickly

Types of data provided:

*   User acquisition metrics (sources, demographics)
*   Engagement metrics (session length, screen flow, feature usage)
*   Retention rates and churn analysis
*   Conversion rates for in-app actions
*   Performance metrics (load times, crashes)

A survey (PDF) by Dimensional Research found that 61% of users expect apps to start within 4 seconds. Analytics tools help ensure your app meets these high user expectations by providing the data needed to continually improve performance and user experience.

****Essential features in mobile app analytics tools****

When evaluating mobile app analytics tools, look for these key features:

1.  User Behavior Tracking:
    *   Screen flow analysis
    *   Tap and gesture tracking
    *   User journey mapping
2.  Retention and Churn Analysis:
    *   Cohort analysis
    *   User lifecycle tracking
    *   Churn prediction models
3.  Conversion Funnel Analysis:
    *   Custom funnel creation
    *   Multi-touch attribution
    *   Conversion rate optimization insights
4.  Crash Reporting:
    *   Real-time crash alerts
    *   Detailed stack traces
    *   Affected user segment identification
5.  Real-time Data and Reporting:
    *   Live user activity dashboards
    *   Customizable reports
    *   Data export capabilities
6.  User Segmentation:
    *   Behavioural segmentation
    *   Demographic segmentation
    *   Custom segment creation

According to a report by Localytics, apps that implement user segmentation see a 2-3x increase in user retention rates. Additionally, Crashlytics reports that apps using crash reporting tools see a 50% reduction in crash rates within the first month of implementation.

These features enable you to gain a comprehensive understanding of your app’s performance and user behaviour, allowing for data-driven decision-making and continuous improvement.

****Leading mobile app analytics solutions****

4.  Google Analytics for Mobile Apps:
    *   Key Features: Cross-platform tracking, audience segmentation, custom event tracking
    *   Pricing: Free, with premium options available
    *   Best For: Small to medium-sized apps looking for a comprehensive, cost-effective solution
5.  Firebase:
    *   Key Features: Real-time database, crash reporting, A/B testing
    *   Pricing: Free plan available, paid plans start at $25/month
    *   Best For: Apps requiring real-time data synchronization and extensive crash analysis
6.  Mixpanel:
    *   Key Features: Advanced user segmentation, funnel analysis, retention cohorts
    *   Pricing: Free plan for up to 100,000 tracked users, paid plans start at $25/month
    *   Best For: Apps focused on user engagement and retention optimization
7.  Amplitude:
    *   Key Features: Behavioral cohorting, predictive analytics, integration with over 40 tools
    *   Pricing: Free plan for up to 10 million actions/month, custom pricing for higher volumes
    *   Best For: Large-scale apps requiring advanced behavioural analytics and predictions
8.  UXCam:
    *   Key Features: Session recordings, heatmaps, crash analytics
    *   Pricing: Free plan available, paid plans start at $99/month
    *   Best For: Apps prioritizing user experience optimization and visual analytics

According to a survey by Business of Apps, Firebase is used by 30% of mobile app developers, followed by Google Analytics at 25%, Amplitude at 15%, Mixpanel at 10%, and UXCam at 5%. However, many developers use multiple tools to cover different aspects of analytics.

When choosing a tool, consider your specific needs, budget, and the scale of your app. Each solution offers unique strengths, so evaluate them based on your priorities and app requirements.

****How to select the right tool for your needs****

Consider these factors when choosing an analytics tool:

1.  App Size and User Base:
    *   Ensure scalability for growing apps
    *   Match features to your user base size
2.  Budget:
    *   Consider long-term costs as your app grows
    *   Evaluate ROI potential of paid features
3.  Ease of Integration:
    *   Check compatibility with your tech stack
    *   Assess implementation time and resources required
4.  Data Privacy and Security:
    *   Ensure GDPR and CCPA compliance
    *   Evaluate data encryption and storage practices
5.  Scalability:
    *   Look for tools that can grow with your app
    *   Consider future feature requirements

A survey by App Annie found that 71% of app developers consider ease of integration the most crucial factor in selecting an analytics tool, followed by data privacy (65%) and scalability (58%).

****Maximizing the value of your analytics tool****

To maximize the benefits of your chosen analytics tool:

1.  Set clear, measurable goals aligned with your app’s objectives
2.  Regularly review data and share insights across teams
3.  Act on insights promptly, implementing changes based on data
4.  Continuously test and iterate to improve user experience and app performance

****Future trends in mobile app analytics****

As technology evolves, so do analytics capabilities. Keep an eye on these emerging trends:

1.  AI-powered Predictive Analytics: Machine learning algorithms will provide more accurate user behaviour predictions and personalized experiences.
2.  Privacy-First Analytics: With increasing privacy regulations, expect tools that offer advanced anonymization and consent management features.
3.  Cross-Platform Unification: Analytics tools will provide more seamless integration of data across mobile, web, and IoT platforms.
4.  Real-Time Personalization: Instant data processing will enable real-time app customization based on user behaviour.
5.  Voice and Gesture Analytics: As voice and gesture interfaces grow, analytics will evolve to track these new interaction methods.

According to Gartner, by 2025, 70% of new mobile apps will incorporate AI-driven analytics.

****Conclusion****

Choosing the right mobile app analytics tool is crucial for success in the competitive app market. By leveraging comprehensive analytics, you can make informed decisions, enhance user experience, and drive app growth. Start implementing these tools today to unlock valuable insights and stay ahead in the dynamic world of mobile apps.

1.  **How to make decentralized apps**
2.  **Building Your First Web Application with Yii Framework**
3.  **Optimizing Web Development Standards for Media Sites**
4.  **Cloud App Development and DevOps for Modern Businesses**
5.  **Benefits of Using Flutter for Cross-Platform App Development**

How to Choose the Best Analytics Tools for Mobile Apps

Days after facing a major breach, the site is still struggling to get fully back on its feet.

Source: Postmodern Studio via Alamy Stock Photo

The Internet Archive, a nonprofit digital library website, is beginning to come back online after a data breach and distributed denial-of-service (DDoS) attacks, prompting a week of its systems going offline.

Founded in 1996 by Brewster Kahle, the archive offers users free access to a historical Web collection, known as the Wayback Machine. This including access to more than 150 billion webpages, nearly 250,000 movies, 500,000 audio items, and more.

This free access to these seemingly unlimited resources all came to a halt on Oct. 9, when hackers stole and leaked the account information of a reported 31 million users. 

The users were met with a pop-up that read, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

HIBP is the "Have I Been Pwned" site that allows users to look up whether their personal information has been compromised in a data breach.

The Internet Archive site went offline in an effort to try to prevent such attacks from continuing to happen. Founder Brewster Kahle reported on social platform X that this process would take days, if not weeks.

"The @internetarchive's Wayback Machine resumed in a provisional, read-only manner. .... Please be gentle."

And in an update yesterday, he reported that Wayback Machine is running strong, though the team is still working to bring Internet Archive items and other services online safely.

**DDoS Mania**

Netscout, which has conducted analyses on the breach, reported that its researchers observed 24 DDoS attacks against the Autonomous System Number (ASN) 7941, the ASN used by the Internet Archive project. The first attack lasted more than three hours, and during the attack, three IP addresses used by Internet Archive received DDoS attack traffic.

"These kinds of attacks energize adversaries, and they often attempt to replicate the feat," the Netscout researchers reported. 

Bruno Kurtic, co-founder, president, and CEO of Bedrock Security, notes that perhaps these kind of breaches are inevitable.

"Perimeters will be breached, vulnerabilities will be exploited … attackers will eventually be at the front door of your data stores," he says. "For most enterprises, the first and fundamental gap is not knowing where their data is. Data is fluid, it moves, it sprawls, and it is created at an exponential rate."

To protect that data, Kurtic advises "proactive policy management," as well as detection of movement, encryption, and hashing.

"Monitoring access and continuously scanning to update classifications at hundreds-of-petabytes scale is hard but essential," he adds.

Internet Archive Slowly Revives After DDoS Barrage

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

As the unique challenges of AI zero-days emerge, the approach to managing the accompanying risks needs to follow traditional security best practices but be adapted for AI.

Dan McInerney, Lead AI Threat Researcher, Protect AI

October 17, 2024

3 Min Read

Source: Blackboard via Alamy Stock Photo

COMMENTARY

With artificial intelligence (AI) and machine learning (ML) adoption evolving at a breakneck pace, security is often a secondary consideration, especially in the context of zero-day vulnerabilities. These vulnerabilities, which are previously unknown security flaws exploited before developers have had a chance to remediate them, pose significant risks in traditional software environments.  

However, as AI/ML technologies become increasingly integrated into business operations, a new question arises: What does a zero-day vulnerability look like in an AI/ML system, and how does it differ from traditional contexts?

**Understanding Zero-Day Vulnerabilities in AI**

The concept of an "AI zero-day" is still nascent, with the cybersecurity industry lacking a consensus on a precise definition. Traditionally, a zero-day vulnerability refers to a flaw that is exploited before it is known to the software maker. In the realm of AI, these vulnerabilities often resemble those in standard Web applications or APIs, since these are the interfaces through which most AI systems interact with users and data. 

However, AI systems add an additional layer of complexity and potential risk. AI-specific vulnerabilities could potentially include problems like prompt injection. For instance, if an AI system summarizes one's email, then an attacker can inject a prompt in an email before sending it, leading to the AI returning potentially harmful responses. Training data leakage is another example of a unique zero-day threat in AI systems. Using crafted inputs to the model, attackers may be able to extract samples from the training data, which could include sensitive information or intellectual property. These types of attacks exploit the unique nature of AI systems that learn from and respond to user-generated inputs in ways traditional software systems do not.

**The Current State of AI Security**

AI development often prioritizes speed and innovation over security, leading to an ecosystem where AI applications and their underlying infrastructures are built without robust security from the ground up. This is compounded by the fact that many AI engineers are not security experts. As a result, AI/ML tooling often lacks the rigorous security measures that are standard in other areas of software development. 

From research conducted by the Huntr AI/ML bug bounty community, it is apparent that vulnerabilities in AI/ML tooling are surprisingly common and can differ from those found in more traditional Web environments built with current security best practices.

**Challenges and Recommendations for Security Teams**

While the unique challenges of AI zero-days are emerging, the fundamental approach to managing these risks should follow traditional security best practices but be adapted to the AI context. Here are several key recommendations for security teams: 

*   Adopt MLSecOps: Integrating security practices throughout the ML life cycle (MLSecOps) can significantly reduce vulnerabilities. This includes practices like having an inventory of all machine learning libraries and models in a machine learning bill of materials (MLBOM), and continuous scanning of models and environments for vulnerabilities. 
    

*   Perform proactive security audits: Regular security audits and employing automated security tools to scan AI tools and infrastructure can help identify and mitigate potential vulnerabilities before they are exploited. 
    

**Looking Ahead**

As AI continues to advance, so too will the complexity associated with security threats and the ingenuity of attackers. Security teams must adapt to these changes by incorporating AI-specific considerations into their cybersecurity strategies. The conversation about AI zero-days is just beginning, and the security community must continue to develop and refine best practices in response to these evolving threats. 

**About the Author**

Lead AI Threat Researcher, Protect AI

Dan McInerney is Lead AI Threat Researcher at Protect AI. He has 15 years of experience in red-team security, written dozens of security tools, and is a top-ranked Python GitHub developer. As a senior penetration tester, Dan has focused on novel attacks in emerging fields such as 3D printing and machine learning, and is credited with seven CVEs in AI tools. He teaches penetration testing and is a highly rated BlackHat instructor.

4 Ways to Address Zero-Days in AI/ML Security

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users…

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users into downloading malware. Discover the latest tactics employed by these malicious actors and stay safe online.

Cybersecurity researchers at Sekoia have detected an uptick in cyberattacks targeting users of the popular video conferencing platform, Google Meet, employing a notorious tactic, dubbed “ClickFix.” This tactic emerged in May 2024 and involves mimicking legitimate services like Google Chrome, Facebook, or Google Meet, to trick users into downloading malware.

According to Sekoia’s report, attackers are displaying fake error messages mimicking legitimate alerts from Google Meet, prompting users to click a “Fix It” button or perform other actions. However, these actions unknowingly execute malicious code that installs malware on the victim’s device. 

The ClickFix campaign leverages multiple malware distribution campaigns. Sekoia researchers analyzed a ClickFix cluster impersonating Google Meet video conferences, which targeted both Windows and macOS users.

For Windows users, the fake error message claimed microphone or headset issues, prompting them to copy a script that downloaded Stealc and Rhadamanthys infostealers. macOS users were tricked into downloading the AMOS Stealer malware.  

> _“Given the variety of initial malicious websites redirecting to this infrastructure, we assess with high confidence that it is shared among multiple threat actors. They collaborate within a centralized Traffers team to share certain resources, including this infrastructure and the AMOS Stealer, which is also sold as Malware-as-a-Service.”_
> 
> Sekoia

****Possible Perpetrators****

The investigation revealed that two cybercrime groups, “Slavic Nation Empire” (linked with cryptocurrency scam team Marko Polo) and “Scamquerteo Team” (a subgroup of cryptocurrency scam team CryptoLove), were likely behind this ClickFix cluster. These groups specialize in targeting users involved in cryptocurrency assets, Web3 applications, and decentralized finance (DeFi).  

Both teams use the same ClickFix template to impersonate Google Meet, suggesting they share materials and infrastructure. Sekoia analysts estimate that both teams use the same cybercrime service to supply the fake Google Meet cluster, and it is likely that a third party manages their infrastructure or registers their domain names.

The malware delivered through these attacks includes infostealers, botnets, and remote access tools. These malicious programs can steal sensitive data, compromise systems, and enable further attacks.

****ClickFix Scope****

The ClickFix tactic is particularly dangerous because it bypasses traditional security measures. By not requiring users to download a file directly, it avoids detection by web browser security features. This makes it more likely to ensnare unsuspecting victims.  

To protect yourself from ClickFix attacks, be cautious of unexpected error messages, verify scripts before copying and pasting them from unknown sources, use strong security software like antivirus and anti-malware, be cautious with links, and enable two-factor authentication to add an extra layer of security to your online accounts.

1.  Konni RAT Exploiting Word Docs to Steal Data from Windows
2.  Fake Chrome Browser Update Installs NetSupport Manager RAT
3.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain
4.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
5.  Popular Android Screen Recorder iRecorder App Revealed as Trojan

ClickFix Attack: Fake Google Meet Alerts Install Malware on Windows, macOS

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks.

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running **Anonymous Sudan** (a.k.a. **AnonSudan**), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — **Ahmed Salah Yousif** **Omer**, 22, and **Alaa Salah Yusuuf Omer**, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit **PayPal** the following month, followed by **Twitter/X** (Aug. 2023), and **OpenAI** (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the **FBI** and the **Department of State**.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the **U.S. Department of Justice** says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service **Telegram**, and marketed its DDoS service by several names, including “**Skynet**,” “**InfraShutdown**,” and the “**Godzilla botnet**.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

**Amazon** was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm **CrowdStrike** said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the **Cedars-Sinai Hospital** in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Sudanese Brothers Arrested in ‘AnonSudan’ Takedown

Has the role of chief privacy officer become something more than it was? And is it still a role that just one person can handle?

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

The role of the CPO — chief privacy officer — is at a crossroads. A rapidly growing number of data breaches, continually evolving regulations, and the increasing complexity of digital ecosystems have made a robust, privacy-first approach to managing data more critical for businesses than ever before. The role of a CPO was once clear-cut: Ensure compliance with privacy laws, manage data collection practices, and mitigate data risks. Now, CPOs are balancing more responsibilities than ever. Privacy has an impact on every realm of the business. So, is a CPO still a CPO, or is the role something greater? And, is it a role that just one person can handle?  

**The Expanding Scope of the CPO**

In a recent episode of my podcast, "The Privacy Insider," Google's outgoing chief privacy officer, Keith Enright, remarked that the data privacy role has expanded so much, it requires a jack of all trades. In many organizations, the CPO might manage privacy, but also aspects of security, data ethics, and even AI governance. Privacy does play a role in all these areas. But can a CPO — or chief information security officer (CISO), or chief data officer (CDO), or chief AI officer — wear all these hats and have them fit? 

Whatever mix of letters that follows the C, many companies are striving for the same goal. They want a member of the C-suite whose mandate encompasses a broader responsibility: Be the steward of data governance, protection, compliance, and ethical use. That someone with any of the above backgrounds could be overseeing all of the above responsibilities shows how intertwined the technologies, data, and risks have become. Maybe that one job should be a more integrated team effort.  

**Guarding the Wall Together **

For example, think about a data breach. Responsibility for preventing a data breach typically falls on the CISO. If a hacker pierces a company's systems, that's a security failure. But the reality of a rapidly changing threat landscape is that once you secure against one threat, another one is right behind it. For many companies, data breaches aren't an "if," but a "when." How are you protecting what's behind the wall? Good data privacy practices are good security. Are you identifying, safeguarding, and minimizing your most sensitive data? CISOs work hard on fortifying the wall, but if someone breaks through and there's nothing to steal, you've contained the immediate damage, and also the reputational and regulatory damage that can follow. Protecting an organization on all sides calls for a tightly integrated strategy.  

**And Then There's AI **

The rise of AI presents some unique challenges: What are the ethical implications of AI? Can you trust it? What's the recourse if sensitive data winds up in an AI model? Many companies turn to the CPO for guidance on the ethical use of these technologies, particularly around issues of consent, bias, and transparency. But AI governance is typically the domain of the CISO or the CDO, not the CPO. For now, no one person should own AI, because at this point in time, AI touches everything. Everyone shares the responsibility for using it wisely. 

However, CPOs can play an important role in charting a path for AI, aside from ensuring companies use it in a privacy-forward way. The ethics of using sensitive data — and as we are seeing with the European Union AI Act, the consequences of misusing it — are similar whether the offender is human or machine. Clear insight on handling and protecting sensitive data and experience with General Data Protection Regulation (GDPR) readiness can help privacy pros guide the business in managing AI's complexities. 

**The CPO as Partner**

Managing risk in a modern organization is the ultimate balancing act. Sometimes it's all hands on deck to shore up cybersecurity, sometimes it's sensitive data protection, sometimes it's AI. Privacy, security, governance, and the rest are all critical to maintain the balance, no matter what the challenge is. There may be a CPO, there may not be a CPO. Privacy management might be centralized or distributed across the business. But that doesn't change the importance of data privacy management in helping to shore up system security, define AI governance, build trust, and mitigate risk. The best role a CPO can play is in demonstrating the value of a strong privacy program to make the whole business stronger. 

**About the Author**

Founder & CEO, Osano

Arlo Gilbert is the founder and CEO of Osano, a data privacy company focused on simplifying compliance for businesses and helping them protect consumer data. He has been building successful technology companies for more than 25 years and has seen firsthand the importance of building trust and using data responsibly. He believes that consumer data privacy isn’t just good for business — it’s a fundamental right.

Is a CPO Still a CPO? The Evolving Role of Privacy Leadership

Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web.
Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an

Ransomware / Network Security

Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called **Cicada3301** after successfully gaining access to the group's affiliate panel on the dark web.

Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an advertisement, calling for new partners into its affiliate program.

"Within the dashboard of the Affiliates' panel of Cicada3301 ransomware group contained sections such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out," researchers Nikolay Kichatov and Sharmine Low said in a new analysis published today.

Cicada3301 first came to light in June 2024, with the cybersecurity community uncovering strong source code similarities with the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised no less than 30 organizations across critical sectors, most of which are located in the U.S. and the U.K.

The Rust-based ransomware is cross-platform, allowing affiliates to target devices running Windows, Linux distributions Ubuntu, Debian, CentOS, Rocky Linux, Scientific Linux, SUSE, Fedora, ESXi, NAS, PowerPC, PowerPC64, and PowerPC64LE.

Like other ransomware strains, attacks involving Cicada3301 have the ability to either fully or partially encrypt files, but not before shutting down virtual machines, inhibiting system recovery, terminating processes and services, and deleting shadow copies. It's also capable of encrypting network shares for maximum impact.

"Cicada3301 runs an affiliate program recruiting penetration testers (pentesters) and access brokers, offering a 20% commission, and providing a web-based panel with extensive features for affiliates," the researchers noted.

A summary of the different sections is as follows -

*   **Dashboard** - An overview of the successful or failed logins by the affiliate, and the number of companies attacked
*   **News** - Information about product updates and news of the Cicada3301 ransomware program
*   **Companies** - Provides options to add victims (i.e., company name, ransom amount demanded, discount expiration date etc.) and create Cicada3301 ransomware builds
*   **Chat Companies** - An interface to communicate and negotiate with victims
*   **Chat Support** - An interface for the affiliates to communicate with representatives of the Cicada3301 ransomware group to resolve issues
*   **Account** - A section devoted to affiliate account management and resetting their password
*   **FAQ** - Provides details about rules and guides on creating victims in the "Companies" section, configuring the builder, and steps to execute the ransomware on different operating systems

"The Cicada3301 ransomware group has rapidly established itself as a significant threat in the ransomware landscape, due to its sophisticated operations and advanced tooling," the researchers said.

"By leveraging ChaCha20 + RSA encryption and offering a customizable affiliate panel, Cicada3301 enables its affiliates to execute highly targeted attacks. Their approach of exfiltrating data before encryption adds an additional layer of pressure on victims, while the ability to halt virtual machines increases the impact of their attacks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 


Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. 
UAT-5647 is also known

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#mac