The pardon comes after 11 years in prison for Ross Ulbricht, who was sentenced to life without parole on several charges, including computer hacking, distribution of narcotics, and money laundering.

Source: White House Photo via Alamy Stock Photo

NEWS BRIEF

On just his second day in office, President Trump has pardoned Ross Ulbricht, the creator and owner of an underground criminal forum website known for cybercrime and drug trafficking.

Known as "Dread Pirate Roberts," Ulbricht operated the anonymous marketplace, known as "Silk Road," from 2011 to 2013, until law enforcement shut down the site and arrested him in California.

At 31, Ulbricht was convicted of distributing narcotics, engaging in a continuing criminal enterprise, conspiring to commit computer hackings, conspiring to create fake identities, and laundering money, all of which earned him life in prison without parole — a harsh sentence that law enforcement insisted would act as a deterrent to others.

The Justice Department pursued charges against Ulbricht's associates, who claimed to have murdered five people on his behalf, though there is no evidence of these murders taking place.

Silk Road at the time was described as "the most sophisticated and extensive criminal marketplace on the Internet" by US Attorney Preet Bharara, and it was considered a place for criminals to buy and sell illegal drugs and other illegal goods anonymously and outside the lens of law enforcement.

Libertarian activists have supported Ulbricht's release for years on the premise that Ulbricht's early writings on his ideas for Silk Road stemmed from his interest in creating a free and anonymous marketplace.

In May 2024, President Trump promised to commute Ulbricht's sentence. After being reminded by Ulbricht of his promise via social media platform X, Trump fulfilled this campaign promise.

"I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross," Trump posted to his Truth Social site yesterday. "The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!"

Prior to his sentencing, Ulbricht stated that Silk Road was a costly idea that he "deeply regrets" in a letter to the judge when seeking leniency, however, it remains unclear if he continues to maintain these beliefs more than a decade later.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Trump Pardons 'Silk Road' Dark Web Drug Market Creator

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Will 2025 See a Rise of NHI Attacks?

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates' official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

"These are greenfield opportunities — it's tremendous," he says. "There's national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology."

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC's "2025 Digital Trust Insights: South Africa and Africa" report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC's "2025 Digital Trust Insights: Middle East" report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

**Biometrics Embraced by Mideast, African Markets**

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

"With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors," he says. "Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification."

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key's Sullivan.

"After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint \[in the system\]," he says. "From then on, anytime they want to authenticate that user, they just touch a finger. They've just now started rolling out the ability to do that without even presenting your card for subsequent business."

**An Easy Upgrade Path**

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key's Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

"The use case is typically one where you have users that are moving around, and you don't want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor," he says. "We have to accommodate the fact that a lot of companies still use traditional technologies and don't want to just make a big-bang switch, so we we allow them to sort of start with what they're doing now ... \[and\] as they start to see the power of having a biometric option, they can evolve to that."

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company's Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting's Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

"As digital identity ecosystems expand," Murphy says, "AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Copyright © 2025. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.

[Virtual Event]: Cybersecurity's Most Promising New and Emerging Technologies

In a letter sent today, the acting DHS secretary terminated membership to all advisory boards, including the Cyber Safety Review Board (CSRB) tasked with investigating state-sponsored cyber threats against the US.

Source: Sipa USA via Alamy Stock Photos

Editor's note: This story was updated on 1-22-25 to reflect that Chris Krebs resigned from the CSRB on Jan. 18, prior to President Trump taking office.

NEWS BRIEF

In its first full day, the Trump administration axed all advisory committee members within the Department of Homeland Security, including the people that make up the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB). The CSRB was actively working on investigating Salt Typhoon, the Chinese state-sponsored hacking group responsible for breaches of at least nine telecommunications networks in the past several months.

In a letter dated Jan. 20, acting secretary of the Department of Homeland Security Benjamine C. Huffman said the move was meant to avoid a "misuse of resources," and terminated all current memberships on advisory committees immediately.

Members of the CSRB include a who's who of cybersecurity, from companies such as Sentinel One, represented by former CISA head Chris Krebs, who was fired in 2020 as head of CISA in the waning days of the previous Trump administration. Prior to the letter, on Jan 18., Krebs preemptively resigned from the board ahead of Trump taking office. The CSRB also included several former Biden administration officials. It was created as part of Biden's 2021 cybersecurity executive order to "review and assess ... significant cyber incidents" impacting the federal executive branch of the US government.

While the letter did not enumerate which committees might be reconstituted with new participants, it did add that, in general, dismissed DHS committee members are welcome to reapply to DHS in the future, according to a copy of the letter shared by Eric Geller on X.

"Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities," the letter read before thanking the outgoing members for their service.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trump Fires Cyber Safety Board Investigating Salt Typhoon Hackers

Sophos noted more than 15 attacks have been reported during the past three months.

Source: True Images via Alamy Stock Photo

NEWS BRIEF

Sophos X-Ops' Managed Detection and Response (MDR) is warning of ransomware attacks using email bombing as well as imitating tech support, otherwise known as vishing, through Microsoft Office 365.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.

According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.

These tactics include using Microsoft remote control tools like Quick Assist or Teams screen sharing. From there attackers take control of a victim's device and install malware, sending Teams messages or making Teams calls from a threat actor-controlled Office 365 impersonating tech support. They also send large volumes of spam emails to overwhelm Outlook mailboxes, a strategy known as email bombing.

"We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts," said the Sophos researchers in their report. 

The ransomware deployed by these two groups include Black Basta and Python ransomware; the researchers note that STAC5777 in particular is highly active.

Though Sophos has deployed detections for the malware included in these campaigns, it recommends organizations take further steps to prevent attacks, such as ensuring their Microsoft 365 services restrict Teams calls from outside organizations, as well as raise employee awareness of these tactics, which are not normally covered in anti-phishing trainings.

Sophos provided a list of indicators of compromise for these campaigns available for viewing on its GitHub repository.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.

Source: SROOLOVE via Shutterstock

Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.

The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a system they prompt the user to turn on the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and proceed to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently spotted the new DONOT campaign.

**Intelligence Gathering and Beyond**

"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.

Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal basically allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.

When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services to use the app. The victim is then directed to the accessibility settings page from which the app accesses several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.

Researchers at Cyfirma also found the apps to access several other permissions such as those that allow the threat actor to delete and read both incoming and outgoing text messages. They also can access the Android device's internal storage to extract its exact location and monitor its movement on a real-time basis.

Significantly, Cyfirma found the malicious apps using push notifications to try and get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.

**A Persistent South Asian Threat**

DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.

Others, such as ESET have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.

DONOT Team is one of several APT groups believed to be operating out of India that is engaged in a range of malicious activities, including online extortion scams, hacktivism, and increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DONOT Group Deploys Malicious Android Apps in India

The company reports that it is not experiencing any operational issues within its business, so far.

Source: JHVEPhoto via Alamy Stock Photo

NEWS BRIEF

Hewlett Packard Enterprise (HPE) is conducting an investigation after a threat actor said it had stolen data from the company's network.

IntelBroker, a cyberattack group that has been active since at least 2022, claimed responsibility for the breach on the BreachForums underground forum, alleging that it had access to the company's API, WePay, private and public GitHub repositories, Zerto and iLO source code, old user information, and more.

Previously, IntelBroker claimed to have breached organizations such as AMD, Europol, Cisco, Nokia, and others, and its members have served in leadership positions at BreachForums.

And this isn't the first time HPE has faced breaches at the hands of malicious actors. In 2018, APT10 hackers reportedly compromised some HPE systems, hacking into customer devices; and in 2021, its Aruba Central network monitoring platform was breached, allowing threat actors to access data regarding monitored devices.

As HPE investigates the most recent data breach claims, it remains unclear if there is any truth to them, and, if so, how the breach occurred.

"HPE became aware on Jan. 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE," an HPE spokesperson tells Dark Reading. "HPE immediately activated our cyber-response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims."

HPE also reported that there is no evidence that customer information was involved, and currently no operational impact to the business.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

HPE Investigates After Alleged Data Breach

Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.

Source: Aleksey Funtap via Alamy Stock Photo

Separate spinoffs of the infamous Mirai botnet are responsible for a fresh wave of distributed denial-of-service (DDoS) attacks globally. One is exploiting specific vulnerabilities in Internet of Things (IoT) devices to establish "expansive" botnet networks, while the other has been targeting organizations in North America, Europe, and Asia with DDoS attacks since the end of 2024, researchers have found.

An ongoing operation within Mirai dubbed "Murdoc\_Botnet" (which began in July and has more than 1,300 active IPs) is targeting Avtech cameras and Huawei HG532 routers, researchers from Qualys revealed in a report posted today.

The researchers uncovered more than 100 distinct sets of servers associated with the Murdoc botnet, "each tasked with deciphering its activities and establishing communication with one of the compromised IPs implicated in this ongoing campaign," Qualys lead security researcher Shilpesh Trivedi wrote in the post.

Meanwhile, a botnet that comprises malware variants derived from both Mirai and Bashlite is exploiting security flaws and weak credentials in IoT devices in DDoS attacks spanning the globe, according to separate research from Trend Micro. "The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host," the researchers said.

Related:Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

The two campaigns demonstrate the ongoing impact of Mirai, a botnet that has spawned myriad variants since its source code was leaked in 2016 and which remains a significant security threat 10+ years after first appearing on the cyberattack scene.

**Murdoc Botnet Exploits Specific Flaws**

The Murdoc botnet delivering Mirai malware uses existing exploits, including CVE-2024-7029 and CVE-2017-17215, to download next-stage payloads. The former is an Avtech camera flaw that allows for commands to be injected over the network and executed without authentication, while the latter is a remote code execution (RCE) flaw found in Huawei routers.

Most of the IP addresses associated with the Murdoc botnet campaign are found in Malaysia, followed by Thailand, Mexico, and Indonesia.

Qualys researchers discovered more than 500 samples containing ELF files and shell script files associated with the Murdoc botnet. Each shell script "is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc\_Botnet, into the devices," Trivedi wrote in the post.

**An Expansive DDoS Campaign Targets US**

Related:DONOT Group Deploys Malicious Android Apps in India

Meanwhile, researchers at Trend Micro initially detected "large-scale" DDoS botnet attacks against Japanese organizations, including major corporations and banks, starting at the end of 2024, but then tracked the activity to a larger global campaign. Organizations in the US were most affected by the attacks, followed by companies in Bahrain, Poland, and Spain, among various other countries.

The primary devices targeted in the attacks have been wireless routers and IP cameras from well-known brands, including TP-Link and Zyxel routers, and Hikvision IP cameras. As with the Murdoc botnet activity, cyberattackers here targeted flaws in the devices to compromise them, but they also used weak passwords to gain access.

In terms of attack vector, the researchers found two different types of DDoS attacks related to the activity, they said. One type overloads the network by sending a large number of packets, while the other exhausts server resources by establishing a large number of sessions.

"In addition, we observed two or more commands used in combination, making it possible that both network overload attacks and server resource exhaustion attacks occur simultaneously," according to the post.

**How to Defend Against DDoS Cyberattacks**

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

With Mirai variants continuing to spawn new botnets for mounting new and widespread DDoS attacks, it's important that organizations can identify and protect their networks from floods of unwanted traffic, the researchers said.

Qualys researchers recommended that organizations regularly monitor the suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts, as well as exercise caution in executing shell scripts from unknown and untrusted sources.

Meanwhile, Trend Micro analysts recommended different mitigation efforts for the two types of DDoS attacks that they observed. For attacks that flood the network with packets, the researchers recommended organizations use a firewall or router to block specific IP addresses or protocols and restrict traffic; collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network; and strengthen router hardware to increase the number of packets that can be processed.

For attacks that exhaust resources by establishing a large number of sessions, Trend Micro recommended that organizations limit the number of requests that can be sent by a specific IP address within a certain period of time; use third-party services to separate attack traffic and process clean traffic; and perform real-time monitoring and block IP addresses with a high number of connections, among other mitigations and preventions.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks

Set for release in March, Cisco AI Defense will provide algorithmic red teaming of large language models with technology that came over as part of the Robust Intelligence acquisition last year.

Source: Andriy Popov via Alamy Stock Photo

Cisco is expanding its cloud security platform with new technology that will let developers detect and mitigate vulnerabilities in artificial intelligence (AI) applications and their underlying models.

The new Cisco AI Defense offering, introduced Jan. 15, is also designed to prevent data leakage by employees who use services like ChatGPT, Anthropic, and Copilot. The networking giant already offers AI Defense to early-access customers and plans to release it for general availability in March.

AI Defense is integrated with Cisco Secure Access, the revamped secure service edge (SSE) cloud security portfolio that Cisco launched last year. The software-as-a-service offering includes zero-trust network access, VPN-as-a-service, a secure Web gateway, cloud access security broker, firewall-as-a-service, and digital experience monitoring.

Administrators can view the AI Defense dashboard in the Cisco Cloud Control interface, which hosts all of Cisco's cloud security offerings.

**Gaps in AI Capabilities**

AI Defense is intended to help organizations that are concerned about the security risks associated with AI but are under pressure to implement the technology into their business processes, said Jeetu Patel, Cisco's chief product officer and executive VP, at the launch event.

"You need to have the right level of speed and velocity to keep innovating in this world, but you also need to make sure that you have safety," Patel said. "These are not trade-offs that you want to have. You want to make sure that you have both."

According to Cisco's 2024 AI Readiness Survey, 71% of respondents don't believe they are fully equipped to prevent unauthorized tampering of AI within their organizations. Further, 67% said they have a limited understanding of the threats specific to machine learning. Patel said AI Defense addresses these issues.

"Cisco AI Defense is a product which is a common substrate of safety and security that can be applied across any model, that can be applied across any agent, any application, in any cloud," he said.

**Model Validation at Scale**

Cisco AI Defense is primarily targeted at enterprise AppSecOps organizations. It allows developers to validate AI models before applications and agents are deployed into production.

Patel noted that the challenge with AI models is that they are constantly changing with new data added to them, which changes the behavior of the applications and agents.

"If models are changing continuously, your validation process also has to be continuous," he said.

Seeking a way to offer the equivalent of red teaming, Cisco last year acquired Robust Intelligence, a startup founded in 2019 by Harvard researchers Yaron Singer and Kojin Oshiba, and the core component of AI Defense. The Robust Intelligence Platform uses algorithmic red teaming to scan for vulnerabilities, along with a mechanism Robust Intelligence created called Tree of Attacks with Pruning, an AI-based method of using automation to systematically jailbreak large language models (LLMs).

According to Patel, Cisco AI Defense uses detection models from generative AI (GenAI) platform provider Scale AI and threat intelligence telemetry from Cisco's Talos and its recently acquired Splunk to continuously validate the models and automatically recommend guardrails. Further, he noted that Cisco designed AI Defense to distribute those guardrails through the network fabric.

"This essentially allows us to deliver a purpose-built model and data for going out, allowing us to validate if a model is going to work as per expectations or if it's going to surprise us," said Patel, adding that it typically takes most organizations seven to 10 weeks to validate a model. "We can do it within 30 seconds because this is completely automated," he said.

**An Industry-First?**

Analysts believe Cisco is the first major player to launch technology that can address automated model verification at that scale.

"I don't know anyone else who's done anything close to this," says Frank Dickson, group VP for IDC's security and trust research practice. "I've heard people doing what we might call an LLM firewall, but it's not as intricate and complex as this. The ability to do this kind of automated pen testing in 30 seconds looks pretty slick."

Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence, agrees, noting that a variety of large vendors are approaching security for GenAI in different ways.

"But in Cisco's case, it made the first acquisition of a startup with this focus with its pickup of Robust Intelligence, which is at the heart of this initiative," Crawford says. "There are a range of other startups in this space, any of which could be an acquisition target in this emerging field, but this was the first such acquisition by a major enterprise IT vendor."

Addressing AI security will be a major concern this year, given the rise in attacks against vulnerable models, Crawford says.

"We have already seen examples of LLM exploits, and experts have considered the ways in which it can be manipulated and attacked," he says.

Such incidents, often described as LLMjacking, are waged by exploiting vulnerabilities with prompt injections, supply chain attacks, and data and model poisoning. One notable LLMjacking attack was discovered last year by the Sysdig Threat Research Team, which observed stolen cloud credentials targeting 10 cloud-hosted LLMs. In that incident, the attackers accessed credentials from a system running a vulnerable version of Laravel (CVE-2021-3129).

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading