**BREA, Calif.****,** **Feb. 27, 2023** **/PRNewswire/ --** ThreatHunter.ai, a leading provider of AI-driven threat hunting solutions, has announced the launch of its new program, "More Eyes," which is designed to supplement large organizations' existing security teams and help them find, track, deter and mitigate cyber-attacks.

As cyber threats continue to evolve and become more sophisticated, even large organizations with experienced IT and Cyber Security teams are not immune to attacks. ThreatHunter.ai's "More Eyes" program provides a force multiplier that adds specialized expertise, tools, and a fresh perspective to their security strategy.

The "More Eyes" program provides an additional team member that is not distracted by internal projects and can focus solely on monitoring and hunting for threats in organizations' logs and systems. ThreatHunter.ai's advanced machine learning algorithms and expert analysis can identify gaps in organizations' security posture, provide recommendations on best practices, and offer ongoing threat hunting and monitoring services to help them stay one step ahead of emerging threats.

According to James McMurry, CEO and Founder of ThreatHunter.ai, "We're excited to launch our 'More Eyes' program and offer organizations a new team member 24 hours a day for a fraction of what it would cost to add more members to their team. Our program is designed to supplement organizations' existing security resources and provide a fresh perspective on how to address today's complex cyber threats."

The "More Eyes" program includes the following technical features and capabilities:

*   Advanced Machine Learning Algorithms: ThreatHunter.ai uses advanced machine learning algorithms to analyze organizations' logs and systems, identify suspicious activity, and help prevent and mitigate cyber-attacks.
*   Expert Analysis: ThreatHunter.ai's team of experienced cybersecurity experts provides additional expertise and perspective to organizations' security strategies. They help identify gaps in security posture, provide recommendations on best practices, and offer ongoing threat hunting and monitoring services.
*   24/7 Threat Hunting and Monitoring: ThreatHunter.ai's "More Eyes" program provides organizations with an additional team member that is focused solely on monitoring and hunting for threats in their logs and systems. This 24/7 monitoring helps organizations stay one step ahead of emerging threats.

The "More Eyes" program is designed to be affordable and cost-effective, providing organizations with a new team member 24 hours a day for a fraction of what it would cost to add more members to their team. With "More Eyes," organizations can supplement their existing security resources and proactively identify and mitigate cyber threats before they cause significant harm.

**About ThreatHunter.ai:**

ThreatHunter.ai a Service-Disabled Veteran Owned Small Business, is a leading provider of AI-driven threat hunting solutions. Its advanced machine learning algorithms and expert analysis help organizations detect, identify, and respond to cyber threats. Its solutions are designed to supplement existing security resources and provide a fresh perspective on how to address today's complex cyber threats.

For more information about ThreatHunter.ai and the "More Eyes" program, please visit www.threathunter.ai.

ThreatHunter.ai Launches "More Eyes" Program to Help Large Organizations Mitigate Cyber Threats

Upgrades boost Edgio's ability to mitigate sophisticated threats and safeguard applications and data.

**Singapore, 24 February 2023 –** Edgio, Inc. (Nasdaq: EGIO), the platform of choice for speed, security and simplicity at the edge, today announced significant enhancements to its Security platform, including a new DDoS scrubbing solution and improved Web Application and API Protection (WAAP) capabilities.

The new DDoS scrubbing solution provides dedicated DDoS mitigation capacity that protects all protocols and direct-to-origin attacks. It complements Edgio’s 250+ Tbps edge network to provide full spectrum DDoS protection. WAAP enhancements include advanced rule customizer, outbound data leak prevention, proxy detection, region code support and enhanced configurability. These new features provide customers with enhanced ability to detect and respond to emerging threats, ensuring confidentiality, integrity and availability of their data and applications.

"New security vulnerabilities are growing at an accelerated rate, and with this growth, it’s imperative that technology also evolve at a similarly exponential rate to stay ahead of the threats," said Ajay Kapur, Edgio’s Chief Technology Officer. "Edgio is doing just that with these product enhancements. Our security platform continues to provide a holistic solution for our customers that can not only mitigate the largest DDoS attacks, but also ensures the protection of critical web applications and APIs."

**Key Highlights/Facts**

*   DDoS attacks are on the rise.  In fact, according to **the 2022 Verizon DBIR (Data Breach Investigations Report)**, the number one security threat is a DDoS attack (46% of attacks) — and it’s growing every year. Therefore, it’s critical to have holistic protection from the full spectrum of DDoS attacks. With the addition of DDoS scrubbing solution, Edgio is able to protect all networks and applications, including direct-to-origin network attack against non-web applications via its dedicated scrubbing capacity utilizing standard protocol such as BGP and GRE tunnel. The combination of Edgio’s Layer 3-7 DDoS protection via its 250+ Tbps with the dedicated DDoS scrubbing provides businesses with a full spectrum protection to ensure maximum resiliency and uptime of their network and applications.

*   Outbound security rules make it easier for companies to prevent attackers from causing a data breach via exploiting known vulnerabilities. Traditionally, security rules only inspect inbound requests to mitigate application attacks from the outside in. Edgio is now adding the ability for security rules to scan outbound traffic as well, which prevents sensitive data and code leakage, providing an added layer of protection for confidential customer data and preventing the client from executing malicious code. Edgio is also adding the ability to detect and block requests originating from anonymous proxies, providing additional control on the access to customers’ applications.  The advanced rules customizer allows customers to control the sensitivity of individual security rules maximizing its accuracy while minimizing false positives. Enhanced configuration management enables developers to directly import and export configuration json via both API and UI to rapidly deploy protection for new applications.

*   Whether for compliance reasons or to prevent commerce to certain countries, Edgio enables clients to control access to their applications via advance access control rules. In the latest enhancements, Edgio is adding support for more granular regional control, down to the region or province level in its WAAP’s access rules and custom security rules, supporting ongoing compliance requirements in today’s changing geopolitical environment.

Edgio's mission is to help businesses protect their web applications and data through a holistic approach to security that also improves speed and reliability. Its advanced security solutions offer full-spectrum network and application DDoS protection, advanced web application and API protection (WAAP) with Dual WAAP Mode, and enterprise-grade bot management. For more information on Edgio's security offerings, click here.

**About Edgio**

Edgio (NASDAQ: EGIO)helps companies deliver online experiences and content faster, safer, and with more control. Our developer-friendly, globally scaled edge network, combined with our fully integrated application and media solutions, provide a single platform for the delivery of high-performing, secure web properties and streaming content. Through this fully integrated platform and end-to-end edge services, companies can deliver content quicker and more securely, thus boosting overall revenue and business value.To learn more, visit edg.io and follow us on Twitter, LinkedIn and Facebook.

Edgio Strengthens Security Offering With WAAP Enhancements and DDoS Scrubbing Solution

Infighting, conscription, emigration. The war in Ukraine has pitted cybercriminals against one another like no other event before it.

Russia's war in Ukraine has shaken cyberspace at every level, from nation-state advanced persistent threats (APTs) on down to low-grade carders on Dark Web forums.

A new report from Recorded Future highlights the many effects that the Russian invasion of Ukraine, now one year past, has had in cyberspace. Threat actors have been pulled away from their computers. Allies have become enemies. Cybercrime activity has shifted and power structures have been reorganized, not least because people have been physically moving.

It all amounts to a kind of grand, multifaceted dissolution. A breakdown of the cybercrime state of affairs. Will the digital underworld ever be the same again?

**Cybercriminals Are Moving**

The internet breaks down barriers. Even thousands of miles can't prevent a hacker in Russia or Ukraine from breaching the database of a corporation in France or Canada. And yet, physical movement in the wake of the war has had lasting impacts on how cybercriminals are operating.

On one hand, of course, Ukrainians have emigrated from their country en masse.

"We believe that some threat actor groups based in Ukraine also fled when the war began, similar to their Russian counterparts," Alex Leslie, associate threat intelligence analyst at Recorded Future, tells Dark Reading.

The report refers to the case of Mark Sokolovsky, core developer for Raccoon Stealer — an information-stealing malware — who fled Ukraine to avoid conscription.

"While this is only one case study," Leslie says, "we believe it is indicative of a larger trend in which threat actors have fled Russia, Ukraine, and even Belarus to avoid conflict."

Meanwhile, Russia has been experiencing, as the authors say, a "brain drain," with IT and cybersecurity professionals leaving the country for neighboring Georgia, Kazakhstan, Finland, and Estonia. Further, the drafting of young men of fighting age has led threat actors from behind screens to the front lines.

As a result, the country "has begun to deplete its hacker reserves," Leslie explains. "What we identify is that the overall volume of activities, particularly on Russian cybercriminal forums, marketplaces, and social media channels, has decreased dramatically in waves. These waves being immediately before and after the war began, during waves of mobilization, and coinciding with Russians leaving the country."

The reordering of so many lives has led to "a bit more decentralization, both geographically and in terms of hegemonic groups and sources of activity," Leslie says.

**Cybercriminals Are Fighting One Another**

Cybercriminals come from every corner of the world, but no corner more than in Russia and Eastern Europe. Many of the great cyberattacks of history have come courtesy of criminals in Russia and Ukraine. Russian APTs have become notorious for their attacks against Ukraine but this represents a change: Russian cybercriminals have historically worked hand\-in-hand with their comrades across the border.

This kumbaya attitude was quashed on Feb. 24, 2022, when Russia invaded Ukraine and those on both sides were inspired to pledge allegiances. Most famously, the Conti group fully backed the Putin regime, then retracted, then halfway retracted its retraction. This support for the invasion was perhaps uncoincidentally attended by a giant leak of the Conti source code, tipping over a slow demise for Russia’s most prominent ransomware gang.

"We do not believe that Conti’s dissolution was a direct result of the leaks," the authors wrote, "but rather that the leaks catalyzed the dissolution of an already fracturing threat group."

Far beyond just Conti, cybercrime elements which once worked together have since split over political differences, according to Recorded Future. The authors wrote that "the so-called 'brotherhood' of Russian-speaking threat actors located in the CIS \[Commonwealth of Independent States\] has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia’s war against Ukraine."

All the uprooting and fighting has caused fractures in the very structure of the cybercrime underground, researchers concluded.

"Russian-language Dark Web marketplaces have taken a major hit," Leslie claims. "These marketplaces have also fractured and become more diffuse," a trend compounded by the seizure of the world's No. 1 cybercrime forum, Hydra.

He adds, "We speculate that the epicenter of cybercrime may shift to English-speaking Dark Web forums, shops, and marketplaces over the next year."

How the Ukraine War Opened a Fault Line in Cybercrime, Possibly Forever

Build a playbook for employees on how to handle suspicious communications, use mail filters, and screen and verify unfamiliar calls to bolster a defensive social engineering security strategy.

Social engineering-based attacks are a popular form of security manipulation, with cybercriminals using this technique for 98% of attacks in 2022.

Social engineering can take many forms, including vishing (phone), phishing (email), and smishing (text). All have proven effective in infiltrating corporate networks. Social engineering attacks are so effective they're even outsmarting some of the best cybersecurity experts. Just last month, threat actors targeted security enthusiasts by creating fake Twitter accounts and stores for the Flipper Zero, a penetration testing tool rising in popularity. One Twitter account even responded to users — making it appear legitimate.

One social engineering tactic that's continued to hamper organizations over time is vishing, a phone-based attack that remains a successful, lucrative avenue for cybercriminals. This method is typically used to gain a foothold in an environment through a less-senior or new employee, often by the attacker posing as a help desk representative or another helpful internal resource.

**Defensive Security Options**

While many organizations understand the rise in social engineering attacks and the importance of education and awareness to prevent them, recent trends indicate a need for a more strategic approach. To kickstart a new defensive security plan designed specifically for social engineering attacks, give these practices a try.

*   **Educate from the top down.** Too often, we see organizations focused on educating newer employees. To have a real effect, organizations' security training programs must start at the top and trickle down to the bottom.

This means including the C-suite, regardless of their tenure, in regular education training and curriculum. It's not on one individual to stop social engineering attacks from happening. Rather, it requires leadership to recognize there's an ongoing challenge and put precautions in place to remediate the issue. With senior leaders regularly making security a priority across the entire business, this will help _all_ employees adopt a security-first mindset over time.

*   **Establish a playbook for employees to use when faced with a malicious form of communication.** Whether an employee receives a malicious text, call, or email, they should be equipped with an actionable list of steps to navigate and evade the situation. Arguably the most important part of a social engineering defensive security plan is the playbook.

Set up a central location where employees can access dedicated policies outlining what they should and shouldn't be doing when receiving suspicious communications. Include instructions on how to escalate a problem if malicious correspondence occurs. For example, if a malicious message comes through over the phone, the playbook will instruct the employee not to give away any information until they can confirm that person is a legitimate employee or contractor via email or Slack — reducing the likelihood of personal and company information being leaked.

Without a framework like this in place, it feels like passing the buck to others and hoping they'll figure it out — and it opens the doors for cybercriminals, who will inevitably take advantage of this weakness.

*   **Invest in email security technologies but don't solely rely on them.** A recent study found that 36% of all emails globally are spam. Implementing, configuring, and stress testing mail filters can be a great first barrier to incoming social-engineering attacks, as they can oftentimes prevent a malicious email from entering an employee's inbox. However, they cannot be the sole defense mechanism and certainly aren't infallible. Mail filters need to be a part of a more holistic, comprehensive security strategy — not the only line of defense.

I'll share a real-life example of a mail filter used as a threat vector. I recently disclosed a vulnerability within Mimecast, a popular cloud-based email protection software for businesses. During a hybrid breach-and-attack simulation and social engineering penetration test, I discovered a way to bypass the URL and file-inspection features within Mimecast Targeted Threat Protection (TTP). If left undiscovered, the flaw could have allowed an adversary to serve a malicious file or URL after the software had already deemed it secure. This is a great reminder of the vital importance of defense in depth. If or when frontline technical controls fail, organizations must have a backup to slow adversaries and prevent incident escalation.

*   **Screen everything.** Screen all incoming calls! That is the No. 1 rule for in-office _and_ out-of-office settings. If you suspect a phone call is malicious or the number is unrecognizable, screen it. After receiving one of these calls, see if they leave a voicemail and look up the number afterward within the corporate directory to see if it ties back to a colleague or vendor. Even if the caller ID is spoofed, the attacker won't be able to _receive_ calls at the impersonated number.

In these situations, it's easy for an employee to fall into panic mode and be forthcoming with personal or company information. With the right company policies, framework, and plan in place, employees will feel more comfortable taking a step back, thinking through the communication, and regaining control of the situation.

**Test Your Framework**

While incorporating all of the above will lead to a stronger defense against popular social engineering-based attacks, a final and important step is to test how successful a framework is. This could require having a pen tester come into an organization and perform common social engineering attack methods to see how employees respond. Being able to quantify and see employees using the framework in action will prove how successful the training program is — and reveal ways for evolution and improvement.

All it takes is one employee to give away sensitive information for an entire organization to fall victim to a cyberattack. By proactively tracking the results of training programs and understanding why social engineering attacks happen, businesses will set themselves and their employees up for success.

As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan

The cloud-native application protection platform market is expanding as security teams look to protect their applications and the software supply chain.

As more organizations shift to cloud-native application development to support new business features and digital transformation initiatives, software supply chain issues have become more visible. Because cloud-native development relies so heavily on open source software, organizations have to start thinking about the components that go into these applications.

To build these cloud-native applications, developers have adopted agile application development practices and rapid release cycles, and they rely heavily on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may primarily come from an established ecosystem, it is common for some to originate from unknown sources or obsolete projects.

Traditional security approaches aren't designed to handle this new approach to application development, especially for modern cloud compute and serverless architectures. This is the area cloud-native application protection platforms evolved to address. Gartner describes CNAPP as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."

According to a recent Frost & Sullivan report, sales of CNAPP topped $1.7 billion in 2021, nearly 49% higher than 2020. Frost & Sullivan projects that CNAPP revenues will grow at a compound annual growth rate of almost 26% from 2021 to 2026. The report's author, industry principal for global cybersecurity Anh Tien Vu, forecasts that by 2026, revenues will exceed $5.4 billion "because of the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."

**Prevent Problems During Development**

Attackers are increasingly homing in on cloud-native targets to exploit vulnerabilities that enter the software supply chain. Last year, the Log4Shell vulnerability in the widely deployed Log4j Java runtime library illustrated the broad impact such a vulnerability can have on the application ecosystem. Given the widespread distributed deployment of Java applications, organizations had to scramble to find and patch them after Apache Foundation's public disclosure.

"With Log4j, people didn't know whether those libraries were in use or not," says Enterprise Strategy Group senior analyst Melinda Marks. Experts frequently cite Log4j as a wake-up call to CISOs and CIOs that software development lifecycles need to collaborate more closely and shift left.

Marks says CNAPP enables organizations to establish DevSecOps processes in which software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, but it also goes further. "This is important for preventing security issues before you deploy your applications to the cloud, because once you deploy them, they're available for the hackers," Marks says.

**Monitor Runtime to Identify Priorities**

CNAPPs consolidate siloed capabilities, including the scanning of development artifacts such as containers and infrastructure as code (IaC), cloud security posture management (CSPM), cloud infrastructure management (CIEM), and runtime cloud workload protection platforms. Besides providing a more unified approach and better visibility of the risk of cloud-native computing environments, CNAPP provides common controls to mitigate vulnerabilities.

Notably, CNAPP also facilitates collaboration among application development, cybersecurity, and IT infrastructure teams, paving the way for detecting and mitigating vulnerabilities before applications are deployed into production. Security vendors such as Check Point and Palo Alto Networks are adding CNAPP capabilities to their security platforms.

Marks warns that there's a misconception about shifting security left: that it's all about moving security up front in the software development and build cycles. "There's also the need to tie in the runtime monitoring and have that context for developer workflows, so they're not wasting time on fixing things that have no impact on how the application is actually going to run in the cloud," she says.

Tackling Software Supply Chain Issues With CNAPP

A threat actor has leaked data — purportedly, samples of Telus employee payroll data and source code — on a hacker site.

Telus, one of Canada's largest telecommunications providers, is reportedly investigating a potentially major breach of its systems after a threat actor posted samples online of what the person claimed was sensitive data from the company.

The leaked data included what the adversary alleged was a sample of employee payroll records, source code from the telecom firm's private GitHub repositories, and other information.

In a post on BreachForums, according to reports, the threat actor offered for sale an email database purporting to contain the email addresses of every employee at Telus. The price for the database was $7,000. Another database, supposedly containing payroll information of the top executives at the telco, including its president, was available for $6,000.

The threat actor also offered for sale, for $50,000, a data set that the person claimed included more than 1,000 private GitHub repositories belonging to Telus. The source code available for sale apparently included an API that would allow an adversary to do SIM-swapping — a process where attackers hijack another individual's phone by transferring the number to their own SIM card.

**A Full Breach?**

"This is the FULL breach," the alleged hacker wrote in the post of BreachForums. "You will receive everything associated with Telus," including complete subdomain lists and screenshots of active sites, the post went on to say. It's unclear whether any of the data that the alleged attacker appeared to have is authentic or belonged to Telus, as claimed. The service provider did not respond to multiple Dark Reading requests for comment. 

That said, IT World Canada quoted a Telus spokesman as saying the company is currently investigating claims about a "small amount of data" related to the company's source code and certain employees being leaked on the Dark Web.

If the breach at Telus happened as the threat actor claimed, it will be the latest in a string of attacks that have targeted telecom firms recently. Just since the beginning of the year, attackers have breached multiple major telecommunications firms including three of Australia's largest: Optus, Telestra, and Dialog. And earlier this month, researchers at SentinelOne reported observing a previously unknown bad actor targeting telecom firms in the Middle East in what appeared to be a cyber-espionage campaign.

Analysts believe a couple of factors are driving the trend. The widespread and growing use of mobile devices for multifactor authentication (MFA) for instance has put a target on telecommunication companies and their networks. Financially motivated cybercriminals looking to access online accounts have also begun to increasingly target telecom providers in so-called SIM-swapping attacks to hijack phones and intercept SMS authorizations for two-factor authentication.

Another factor — a long-standing one — that has made telecom companies a big target is the opportunity they provide for adversaries to surveil people of interest. There have been numerous incidents in recent years where state-sponsored threat actors from countries that include Iran, Turkey, and China have broken into a telecom network to, among other things, steal call-data records for monitoring conversations of targeted individuals and groups.

Canadian Telecom Firm Telus Reportedly Investigating Breach

The Cybersecurity and Infrastructure Security Agency advises US and European nations to prepare for possible website attacks marking the Feb. 24 invasion of Ukraine by Russia.

The one-year anniversary of the start of the war in Ukraine could spur "disruptive and defacement attacks" on US and European websites, the US Cybersecurity and Infrastructure Security Agency (CISA) warned this week.

CISA said cyberattackers could use Feb. 24, which marks one year since the Russian invasion began, as an opportunity to wreak havoc and upheaval amid geopolitical tensions. The agency advised organizations to prepare accordingly and double down on their cybersecurity posture, referring to CISA's Shields Up cyber-defense recommendations, and its DDoS attack guidance.

"CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat," the agency said in its advisory this week.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Beware of DDoS, Web Defacements on Anniversary of Russian Invasion of Ukraine

With the right kind of exploit, there's hardly any function, app, or bit of data an attacker couldn't access on your Mac, iPad, or iPhone.

A new class of bugs in Apple's iOS, iPadOS, and macOS has been uncovered, researchers say, that could allow an attacker to escalate privileges and make off with everything on a targeted device.

This new class could "allow bypassing code signing to execute arbitrary code in the context of several platform applications," Trellix researcher Austin Emmitt wrote in a blog post on Feb. 21, "leading to escalation of privileges and sandbox escape on both macOS and iOS."

Were an attacker to exploit these vulnerabilities, they could potentially gain access to a victim's photos, messages, call history, location data, and all kinds of other sensitive data, even the device's microphone and camera. They could also use their access to wipe a device altogether.

The vulnerabilities in this class range from medium to high severity, with CVSS ratings between 5.1 and 7.1. Apple grouped them into two CVEs: CVE-2023-23530 and CVE-2023-23531. There's no indication that they've been exploited in the wild.

**NSPredicate: A Fresh Cyberattack Vector**

The cyber failure in this case arises from NSPredicate, a class that enables app developers to filter lists of objects on a device. This "innocent-looking class," as Emmitt put it, is much deeper than it may appear at first glance. "In reality, the syntax of NSPredicate is a full scripting language."

In other words, through NSPredicate, "the ability to dynamically generate and run code on iOS had been an official feature this whole time," he explained.

In one proof-of-concept, Trellix found that an attacker could use NSPredicate to execute code in "coreduetd" or "contextstored," root-level processes that allows entryway into parts of the machine such as the calendar, address book, and photos.

In another case, the researchers found an NSPredicate vulnerability in the UIKitCore framework on the iPad. Here, a malicious app would be able to execute code inside SpringBoard, the app that manages the device's home screen. Getting into SpringBoard could cause any number of compromises to just about any kind of data a user stores on the phone, or allow an attacker to simply erase the device altogether.

The silver lining for this new class of vulnerabilities is that they require an attacker already to have access to a target device. Gaining access is typically the easy part, with methods like phishing and other social engineering being so widely effective, but it also means there are steps anybody can take to harden their defenses.

"Individuals should continue to stay vigilant against social engineering and phishing attacks," McKee says, "while also ensuring they only install applications from a known trusted source. Businesses are encouraged to ensure they are doing the proper product security testing on any third-party applications they use in their infrastructure and are monitoring device logs for any suspicious or unusual activity."

**Patching Might Not Be the End of the Story**

If they haven't already, Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn't mean, however, that vulnerabilities of this kind won't pop up again.

Emmitt highlighted in the blog post how NSPredicate had already been exposed by a security researcher back in 2019, then exploited by NSO Group in 2021, in an espionage attack targeting a Saudi activist. Apple attempted to close the hole but evidently didn't finish the job, paving the way for the new discoveries.

"Elimination of a bug class is often extremely difficult to accomplish as it often requires not only code changes but education of developers," explains Doug McKee, director of vulnerability research for Trellix. "Like all bug classes, unless a mitigation is put into place which would eliminate the entire class, it would be expected that more similar vulnerabilities would be found in the future."

**The Myth of Apple’s Superior Security?**

The findings are another puncture wound in the perception that Apple devices are somehow inherently more secure than PCs or Android devices.

"Since the first version of iOS on the original iPhone," Emmitt explained, "Apple has enforced careful restrictions on the software that can run on their mobile devices."

The devices do this with code signing. Functioning somewhat like a bouncer at a club, iPhone only allows an application to run if it has been cryptographically signed by a trusted developer. If any entity — a developer, hacker, etc. — wishes to run code on the machine, but they're not "on the list," they'll be shut out. And "as macOS has continually adopted more features of iOS," Emmitt noted, "it has also come to enforce code signing more strictly."

As a result of its strict policies, Apple has earned a reputation in some corners for being particularly cyber secure. Yet that extra stringency can only extend so far.

"I think that there is a misconception when it comes to Apple devices," says Mike Burch, director of application security for Security Journey. "The assumption by the public is that they are more secure than other systems. It is true that Apple has many security features and is more stringent about what applications it allows on its devices. Still, they are just as susceptible to vulnerabilities being introduced to their devices as any other provider."

'New Class of Bugs' in Apple Devices Opens the Door to Complete Takeover

Preparation and cooperation helped to mitigate the worst of the digital damage, amid cyber sorties from all sides.

When Russia invaded Ukraine on Feb. 24, 2022, much discussion ensued about how the war would be both cyber and kinetic. A year later, the consensus seems to be that while there was a lot of cyberattack activity, it wasn't as destructive as many had feared. That was partly due to various governments and security companies helping to identify and block attacks.

Between February 2022 and February 2023, an average of 10% of all online traffic to Ukraine was mitigations of potential attacks, Cloudflare said in its analysis of the Russian invasion's impact on theUkrainian Internet. Cloudflare protected Ukrainian Web applications by filtering and monitoring HTTP traffic to block malicious attacks, including distributed denial-of-service (DDoS) attacks.

On Oct. 29, DDoS attack traffic constituted 39% of total traffic to Cloudflare's Ukrainian customers.

The company shared a graph showing the daily percentage of application layer traffic to Ukraine that Cloudflare mitigated as potential attacks using its Web application firewall (WAF). In early March, 30% of all traffic was mitigated. After a fairly quiet summer, attack activity ticked back up in early September, during the Ukrainian counteroffensive in east and south Ukraine.

More specifically, 14% of total traffic from Ukraine was mitigated as potential attacks, while 10% of total traffic to Ukraine was mitigated as potential attacks in the past 12 months.

Mitigated application-layer threats blocked by Cloudflare's WAF were 105% higher on Monday, Feb. 28, 2022 — four days after the invasion — compared with the Monday before, Feb. 21, 2022. By March 8, that figure was 1,300%.

**What Came Out of 'Shields Up'**

In anticipation of Russian cyberattacks against Ukrainian targets and against organizations in countries allied with Ukraine, the US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to share information that could help mitigate threats. "Every organization — large and small — must be prepared to respond to disruptive cyber incidents," CISA said.

While sharing threat intelligence indubitably helped, the nature of the attacks were also less sophisticated or destructive than feared.

Cisco Talos researchers have been monitoring critical infrastructure customers to identify threats and remediate attacks. While there were a lot of concerns about destructive malware, what Talos is seeing — and blocking — a lot of is credentials harvesting, says Nick Biasini, Cisco Talos' head of outreach. Attackers are not resorting to highly sophisticated tactics but rather are employing mundane and recognizable methods to try to gain access to networks and accounts, he says.

**Impact on Critical Infrastructure**

Cloudflare's analysis of Ukraine's Internet traffic shows peaks and drops in usage corresponding with military activity. For example, the city of Chernihiv had a significant drop in traffic the first week of the war and residual traffic by mid-March, with traffic picking up after the Russian retreat in early April, Cloudflare noted. In the fall, Russian military units started targeting Ukrainian critical infrastructure, causing widespread power outages and Internet blackouts. Some of these strikes caused as much as a 50% decrease in Internet traffic, according to Cloudflare's analysis. The disruptions often lasted only a day or two, "further emphasizing the ongoing impact of the conflict on Ukraine's infrastructure," Cloudflare noted.

"Throughout the rest of the year and into 2023, Ukraine has continued to face intermittent Internet disruptions," Cloudflare also wrote.

**Ripple Effects Around the World**

Security leaders in East Asia are carefully watching how the war between Russia and Ukraine unfolds, as a lot of the geopolitical tensions and rhetoric are similar to the long-simmering situation between China and Taiwan. Organizations are "wondering what kind of disruptive attacks to expect" and how the war in Ukraine could affect the Taiwan situation, says Mihoko Matsubara, chief cybersecurity strategist at NTT. There has already been some activity, although it has been of the "cyber nuisance" variety, rather than destruction, Matsubara says. East Asian companies are already seeing DDoS attacks, defacements, and disinformation campaigns, she says.

Matsubara was careful not to downplay the seriousness of the attacks, as they are still disruptive to organizations. NTT has also seen some wiper attacks used to disrupt humanitarian aid efforts, which may be a harbinger of activities to come.

**Bad Actors Get Political**

Cybercriminals have been expressing their own opinions — and political allegiances — about the war. For example, Coalition's latest "Cyber Threat Index" report dug into attacks against databases exposed to the Internet. Coalition observed a total 264,408 IP addresses running MongoDB instances in 2022, and 68,423 of them — or 26% — were compromised. Coalition found a handful of compromised MongoDB servers where the attackers renamed the databases to SLAVA\_UKRAINI, or "Glory to Ukraine!"

"Threat actor activity is often shaped by fluctuations in economic conditions," noted the team from Kroll's Cyber Risk practice in the latest "Threat Landscape" report. "Due to the continued market volatility across the globe and the ongoing war on Ukraine, it is likely that the unstable circumstances in which attackers thrive will persist in 2023."

Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine

Employees of the EU Commission are no longer allowed to use the TikTok app thanks to concerns over data security.

The European Commission (EC) and Council of the EU announced on Feb. 23 that its employees would no longer have permission to use the popular social media app TikTok, a video hosting service owned by Chinese company ByteDance.

The EC executive body based its decision, which affects thousands of employees and contract workers, on "cybersecurity threats and actions" which could be exploited for use in cyberattacks.

"The security developments of other social media platforms will also be kept under constant review," a statement from the EC explained.

According to EU information, employees must delete TikTok from any private devices they use for work by March 15 at the latest. The app must also to be removed from private devices that use EU applications.

The announcement is coupled with a notice that important applications, including the EC's email program or Skype, would be blocked on company cellphones if TikTok is not immediately removed.

The EC declined to provide a more specific reason for demanding the removal of the app beyond what it called a "careful analysis" of the cybersecurity and data risks TikTok poses.

In a statement, TikTok's parent company ByteDance called the action "misguided" and "based on fundamental misconceptions."

"We have contacted the Commission to set the record straight and explain how we protect the data of the 125 million people across the EU who come to TikTok every month," a company statement obtained by Politico read.

There is some on-the-record justification for the ban: In early November, TikTok acknowledged that certain employees based in China had access to user data from the app's European users.

To alleviate concerns over user data security, the company recently announced its plans to explore storing the information of European users in three data centers located in Europe.

**More Comprehensive Data Security Approach Needed**

“We've recently seen steps taken by the government in the US, at both the state and federal level, to ban TikTok from state-owned devices, so it's no surprise to see the EU do so as well," notes Matt Marsden, Tanium's vice president of technical account management.

Marsden explains Chinese intelligence tactics are focused on longer-term objectives and are fueled by the sustained collection of data.

"The immense collection of user data, to now include commerce and purchasing information, combined with biometrics and activity tracking, feeds detailed intelligence to be used in operations," he says.

This data can also be leveraged to deliver targeted, timely, and often personalized psychological operations against individuals or groups of citizens. Thus, a "more comprehensive" approach needs to be taken to protect citizens from social media campaigns designed to further foreign political objectives.

"This \[influence effort\] has been observed during election cycles and politically charged events in recent years," Marsden says.

"These national bans are part of a wider issue about how much Chinese influence is deemed acceptable when it comes to national infrastructure and everyday life," adds Chris Vaughan, associate vice president for Technical Account Management in EMEA for Tanium, via email. "We have seen concerns increase in the West in recent months, with the use of Chinese surveillance technology being restricted and Chinese computer chips being rejected. There have been numerous reports of Chinese efforts to sway politicians by way of lobbying and donations, and the public via social media and the spread of disinformation.”

**Banning Apps Doesn't Solve Data Privacy Issues**

The moves follow proposed or already enacted bans on the popular social media app in the United States, where government representatives at the state and federal levels have expressed concerns that the app could harvest sensitive data from devices and make it available to the Chinese government.

In December, Texas and Maryland joined three other states in prohibiting accessing TikTok from state-owned devices.

TikTok CEO Shou Zi Chew is also expected to testify in front of Congress in March to address security concerns.

While the debate over social media bans on apps including TikTok continues to percolate, IT security experts have cautioned that in order for bans to be effective, they must be enforced through a comprehensive device visibility and governance strategy.

Banning apps is also not a panacea for more widespread data privacy concerns, others argue, many of which stem from a cultural problem in which consumers willingly hand over vast amounts of information about themselves.

Source

DARKReading