**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

After its second cyberattack in under a year, General Bytes urges customers to up the security on their personal accounts to prevent losses from hackers.

Over St. Patrick's Day weekend, unidentified hackers stole more than $1.6 million in cryptocurrency from Bitcoin ATMs owned by General Bytes.

In what the ATM owner called a security incident of the highest severity, threat actors were able to exploit a zero-day flaw by uploading "his own java application remotely via the master service interface used by terminals to upload videos, and run it using batm user privileges," the advisory released by General Bytes stated.

Once the attackers were able to accomplish this, they secured access to the database, where they were able to "read and decrypt API keys used to access funds in hot wallets and exchanges, send funds from hot wallets, and download usernames, password hashes" as well as turn off the two-factor authentication (2FA) feature. 

This cryptocurrency-related breach is the second aimed at General Bytes in under a year, the last of which occurred less than a year ago, in August.

Though the company has stated that it has run multiple security audits since 2021, this was a vulnerability that was never caught. General Bytes advises its terminal operator customers to keep their servers behind firewalls and VPNs, as well as assume that the passwords and API keys to exchanges and hot wallets used by end users are compromised — and should be changed accordingly.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Zero-Day Bug Allows Crypto Hackers to Drain $1.6M From Bitcoin ATMs

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** BigID, the leading platform for data security, compliance, privacy, and governance,, announced today that native integrations with leading Security Orchestration, Automation, and Response (SOAR) platforms, including Splunk SOAR (formerly Phantom) and Palo Alto Networks Cortex XSOAR (formerly Demisto).

Enterprises have been struggling with responding to the deluge of security events generated by all their security information and event management systems. The volume and complexity of these events increases the need for automated security orchestration and response (SOAR) platforms to help security teams streamline and automate their incident response processes.

BigID's native integrations with SOAR platforms, including Splunk, Palo Alto Networks and Torq , provide customers with access to thousands of pre-built playbooks, enabling them to automate the incident response process from detection to remediation. With these native orchestrations, customers can seamlessly manage and automate their security response workflows, reducing response time and improving overall security posture.

"BigID is committed to helping organizations manage and secure their sensitive data. With these native integrations with leading SOAR platforms, we're able to provide customers with a powerful, integrated solution that enables them to streamline their incident response processes and more effectively manage security risks," said Dimitri Sirota, CEO of BigID.

With this integration, customers can now:

*   Leverage automation to reduce response time and improve accuracy
*   Automate incident response workflows with access to thousands of SOAR playbooks
*   Gain better visibility into incidents and manage responses with ease
*   Increase productivity and reduce the manual effort involved in incident response

The integration with Splunk SOAR, Cortex XSOAR and Torq offers a seamless user experience and significant improvements to security operations.

For more information, please visit www.bigid.com or visit https://home.bigid.com/demo to see it in action.

**About BigID:**

BigID enables organizations to know their enterprise data and take action for data-centric security, privacy, compliance and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, the 2021 and 2022 Deloitte 500, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

SOURCE BigID

BigID's Data Security Posture Management Solution Integrates With SOAR Platforms

For companies, training an existing worker is cheaper than hiring, while for employees, training brings job security and more interesting work.

Companies continue to value cybersecurity skills, but many have moved their focus from hiring cybersecurity professionals to training up in-house staff on needed cybersecurity skills.

The monthly number of cybersecurity-related job postings plummeted by nearly a third (31%) in the last month, compared with its peak a year ago, according to employment services firm Indeed.com. Yet cybersecurity is the No. 1 desired skill set that companies would like their employees to learn, with 59% of technology leaders rating cybersecurity as a top-three topic for training, ahead of both data science and cloud skills, according to training firm Pluralsight.

For companies that need to fill gaps in their employee's technical skills, training employees in new skill sets — "upskilling" in the industry parlance — is a relative bargain, compared with the cost of hiring a new employee, says Gary Eimerman, chief product officer at Pluralsight.

"Given the level of risk, cybersecurity hacks are a boardroom conversation across organizations," he says. "Upskilling internally for cybersecurity talent is significantly more cost effective than hiring externally for cybersecurity skills."

Companies would both hire and train cybersecurity professionals, but given the shortage in available skilled workers, training has taken precedence, says Bill Reynolds, research director at Foote Partners, a workforce research firm. The average estimate to hire a technology workers, such as a full-time developer, is about $32,000.

"They are absolutely doing both, but with the significant shortfall in the marketplace for skilled cybersecurity professionals, the sense I'm getting by talking to hundreds of employers ... is that they're focusing more right now on training and developing talent from within," he says. "And it is not just technical skills — they want a whole market basket of soft nontech skills \[as well\]."

**Cybersecurity Skills as Layoff Protection?**

As recession fears continue to roil the technology industry, on March 20 Amazon announced its second tranche of layoffs — this time, planning to cut 9,000 corporate and technology workers, bringing the total number of job affected to 27,000. Cybersecurity vendors have not been spared, shedding thousands of employees in the last three quarters, with some companies cutting more than a quarter of their workforce, according to tracking site Layoffs.fyi.

    

Cybersecurity takes the top spot among skills preferred by employers for training purposes. Source: Pluralsight

Yet, overall, workers with cybersecurity skills have largely been protected from layoffs, due to the relative difficulty in hiring or replacing them. Only 10% of C-level executives intend to lay off cybersecurity staff, much lower than other departments, such as human resources (30%), finance (24%), and even information technology (14%).

As another metric, two-thirds of tech executives have been asked to reduce costs, but 72% still plan to increase investments in the development of technology skills, according to Pluralsight's "2023 State of Upskilling" report. 

"When layoffs are on the table for an organization, where the cuts are made is highly individualized based on business need," Pluralsight's Eimerman says. "Among layoffs that have been done in the tech industry, few have focused on technology-specific roles." 

**Cybersecurity as the Most-Wanted Tech Skill**

Among technology skills, cybersecurity is most often in the top-three skills demanded by technology leaders. Overall, if employees had a weekly sprint for learning, 59% of executives would want them to learn cybersecurity skills, while 44% preferred data-science skills, and 42% selected cloud skill sets, according to Pluralsight's report.

But learning such skills has gained priority for employees, too, who list their top reasons for upskilling as salary growth, personal development, and job security. 

Across the 53 noncertified cybersecurity skills tracked by Foote Partners, the average worker commands a 12.3% base-salary cash premium. Skills such as security auditing, penetration testing, vulnerability scanning and management, DevSecOps, and cyberthreat intelligence all have significant premiums, Reynolds says.

Some combinations of skills are in even greater demand, such as cloud and cybersecurity, he says. With companies focused on shrinking their attack surface area and putting more security capabilities into a very small footprint, for example, workers with cybersecurity, embedded OS, optimizing, and threat detection skills together would garner even greater premiums. 

"From a career perspective, there is so much opportunity for cybersecurity professionals," he says.

While a lack of time and budget has undermined upskilling efforts in the past, workers have new incentives in the tighter employment market: Almost half say that a hiring freeze or pause has resulted in them doing more duties outside their job function. In 2022, 60% of workers cited "I'm too busy" as the top barrier to gaining new technology skills, according to Pluralsight. In 2023, that number dropped to 42%, while 30% cited uncertainty in where to focus their efforts as a top barrier.

Cybersecurity Skills Shortage, Recession Fears Drive 'Upskilling' Training Trend

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The Monster using a mobile device is certainly not the way _Frankenstein_ author Mary Shelley — or even_Young Frankenstein_ screenplay writers Mel Brooks and Gene Wilder — ever envisioned him. But modern times call for a modern creature, and now it's up to you to set the updated scene with a clever cybersecurity-related caption. Our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the April 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading March Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

A round of applause goes to Todd Schamberger, information security manager/CISSP at accounting firm Miller Kaplan. Todd's caption (below) hit the nail — er, computer — right on its head. And a big thanks to all who submitted their ideas!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: It's E-Live!

Threat actors are using legitimate network assets and open source code to fly under the radar in data-stealing attacks using a set of custom malware bent on evasion.

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

**A Focus on Detection Evasion**

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and \[they\] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

**Custom Malware at a Glance**

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

**Going Beyond Network-Level Detection**

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."

Custom 'Naplistener' Malware a Nightmare for Network-Based Detection

Third-party breaches have a wide effect that legacy security practices can no longer detect.

Cybersecurity is a huge priority for the federal government, from President Biden's Executive Order 14028 to the National Cyber Strategy, but there's still one major gap in their net: third parties. In fact, nearly 60% of all data breaches are initiated via third-party vendors, which are often undetectable by the usual outward-facing approach to security until they have reached the perimeter of an organization.

The Transportation Security Administration's (TSA) no-fly list hack is the latest example of the massive risk that a third-party leak can have on federal cybersecurity. Data breaches in third parties cast a wide net of effects across the private and public sector alike, which legacy cybersecurity practices can no longer detect. As the Biden administration determines its cyber path, it is imperative that we all take a step back to look at the expanding security perimeter.

**The Effects of Third-Party Data Risk Are Far Reaching**

With more data being shared every day outside typical security perimeters, a single third-party data leak is enough to cause a devastating breach that can take down anything from the largest company to the most critical federal agency. Visibility is the primary culprit at play with third-party risk. In fact, the average organization shares sensitive data with 583 third parties — a staggering number of possible attack vectors to monitor. For the US government, this means contractors, vendors, other agencies, and more.

The effects of the expanding digital supply chain and weak visibility combine to open a variety of risks. SolarWinds is the most notorious example of a third-party supply chain hack, affecting not only organizations that used the software but also their network of customers and partners. The reach of this impact is especially important to consider for the federal government, where agencies play host to both critical and sensitive data for the nation and its citizens. Protection from a chain reaction of data compromise can only come from regularly updating security practices and technology.

The US government is making consistent strides to undergo a digital transformation — and this must expand to cybersecurity in the face of third-party risks. It cannot rely on legacy cybersecurity standards. Today's threats require always-on system security technologies and practices. Questionnaires, policies, and process reviews are ineffective in the new digital landscape.

**Preemptive Cybersecurity Combats Third-Party Risk**

To be effective, a third-party risk strategy must be preemptive. It is fairly common practice to review security policies, along with past security incidents and remediations of potential vendors, to predict future risk. However, this is not enough — it is merely reviewing a plan of prevention and attack.

It is, of course, imperative to make informed decisions regarding third-party relationships by researching organizations and their areas of possible exposure before committing to share data with them. Part of this evaluation should be understanding their dedication to visibility and strong security hygiene. Though scanning for malicious behavior is an important step, negligence also plays a major role in security vulnerabilities, and partners should be evaluated on how up to date their practices are.

Implementing contracts for existing partnerships can help address any found weaknesses. Those that fail to comply with security standards can be dealt with by enforcing clawback clauses and integrating supply chain penalties for data leaks of confidential information.

From there, it's important to maintain that preemptive security posture through ongoing monitoring and risk assessment. For part of a larger third-party life cycle management plan, helpful tools include automated risk management platforms, regular real-time risk assessments, and tools (such as external attack surface management, or EASM) for continually discovering, inventorying, classifying, prioritizing, and monitoring sensitive external assets within an IT infrastructure. \[Note: The author's company is one of many that offer EASM.\]

Most private and public organizations recognize the importance of cybersecurity, yet there are surprisingly still some laggard industries, and this poses a strong threat to federal cybersecurity. As we see more cyber priorities rolling out from the federal government — and better security practices trickling down to vendors through Cybersecurity Maturity Model Certification (CMMC) — we can hope to see more initiatives around these growing issues in the future. With the TSA no-fly leak behind us, third-party data protection should take a top spot in federal cyber priorities.

Controlling Third-Party Data Risk Should Be a Top Cybersecurity Priority

Aembit launches from stealth with a cloud-based identity access management platform for enterprise workloads.

Modern applications tend to be widely distributed and rely on multiple services, technologies, and APIs. Developers need to be able to authenticate the application to those services, store those credentials securely, and monitor access. While security and DevOps teams can integrate their existing identity access management platform with secrets-management tools, and enable audit logging, the resulting system tend to be challenging to implement and operate.

This is the problem Aembit, which emerged from stealth today, is tackling with its cloud-based platform. Aembit helps organizations provide seamless and secure access from client workloads to their APIs, databases, and cloud resources. DevOps and security teams can manage how federated workloads talk to each other without requiring developers to make changes to their applications, the company says.

Aembit defines workloads as “any program or application utilizing computing, data, networking, and storage to perform one or more tasks.” Examples include custom applications, HTTP-based APIs from software-as-a-service providers or API gateways, databases, data warehouses, data lakes, and application services provided by hyper-scale cloud vendors.

Founded in 2021, Aembit’s identity access management platform “gives identities to your workloads, authenticates them, authorizes them to access each other based on policies you set, and logs all accesses and access attempts for auditing and analytics,” the company said last fall.

Workload IAM is a sub-category of the broader IAM market, as it focuses on workload-to-workload interactions. IAM most commonly focuses on allowing human users to securely access applications and systems; workload IAM authorizes applications and services to access other applications and services. It’s an area that organizations are increasingly paying attention to because these connections can be abused. The breach at CircleCI is a good example – a system breach in CircleCI resulted in organizations having to rotate their secrets. The recent T-Mobile data breach, where data affiliated with 37 million customer accounts were stolen, was the result of an exploited API.

“The mesh of workload-to-workload connections created when software talks to other software need to be identified, secured and managed,” Jake Seid, co-founder and general partner of Ballistic Ventures, said in a statement. “Aembit is defining this new category of Workload IAM to defend enterprises’ most critical digital assets.”

As part of the launch, Aembit also raised $16.6 million in seed funding from Ballistic Ventures and Ten Eleven Ventures. Aembit’s co-founders, David Goldschlag and Kevin Sapp, previously co-founded New Edge Labs, which was sold to Netskope in 2019. The pair also founded mobile device management platform Trust Digital, which was acquired by McAfee in 2010.

IAM Startup Aembit Secures How Workloads Connect to Services

UK cybersecurity authorities and researchers tamp down fears that ChatGPT will overwhelm current defenses, while the CEO of OpenAI worries about its use in cyberattacks.

The dizzying capacity for OpenAI to vacuum up vast amounts of data and spit out custom-tailored content has ushered in all sorts of worrying predictions about the technology's ability to overwhelm everything — including cybersecurity defenses.

Indeed, ChatGPT's latest iteration, GPT-4, is smart enough to pass the bar exam, generate thousands of words of text, and write malicious code. And thanks to its stripped-down interface anyone can use, concerns that the OpenAI tools could turn any would-be petty thief into a technically savvy malicious coder in moments were, and still are, well-founded. ChatGPT-enabled cyberattacks started popping up just after its user-friendly interface premiered in November 2022.

OpenAI co-founder Greg Brockman told a crowd gathered at SXSW this month that he is concerned about the technology's potential to do two specific things really well: spread disinformation and launch cyberattacks.

"Now that they're getting better at writing computer code, \[OpenAI\] could be used for offensive cyberattacks," Brockman said.

No word on what OpenAI intends to do to mitigate the chatbot's cybersecurity threat, however. For the time being, it appears to be up to the cybersecurity community to mount a defense.

There are current safeguards put in place to keep users for using ChatGPT for unintended purposes, or for content deemed too violent or illegal, but users are quickly finding jailbreak workarounds for those content limitations.

Those threats warrant concern, but a growing chorus of experts, including a recent post by the UK's National Cyber Security Centre, are tempering concerns over the true dangers to enterprises with the rise of ChatGPT and large language models (LLMs).

**ChatGPT's Current Cyber Threat**

Work products of chatbots can save time taking care of less complex tasks, but when it comes to performing expert work like writing malicious code, OpenAI's ability to do that from scratch isn't really ready for prime time yet, the NCSC's blog post explained.

"For more complex tasks, it's currently easier for an expert to create the malware from scratch, rather than having to spend time correcting what the LLM has produced," the ChatGPT cyber-threat post said. "However, an expert capable of creating highly capable malware is likely to be able to coax an LLM into writing capable malware."

The problem with ChatGPT as a cyberattack tool on its own is that it lacks the ability to test whether the code it's creating actually works or not, says Nathan Hamiel, senior director of research with Kudelski Security.

"I agree with the NCSC's assessment," Hamiel says. "ChatGPT responds to every request with a high degree of confidence whether it's right or wrong, whether it's outputting functional or nonfunctional code."

More realistically, he says, cyberattackers could use ChatGPT the same way they do other tools, like pen testing.

**ChatGPT Threat "Massively Overhyped"**

The harm to IT teams is that overblown cybersecurity risks being ascribed to ChatGPT and OpenAI are sucking already scarce resources away from more immediate threats, as Jeffrey Wells, partner at Sigma7, points out.

"The threats from ChatGPT are massively overhyped," Wells says. "The technology is still in its infancy, and there is little to no reason why a threat actor would want to use ChatGPT to create malicious code when there is an abundance of existing malware or crime-as-a-service (CaaS) that can be used to exploit the list of known and growing vulnerabilities."

Rather than worrying about ChatGPT, enterprise IT teams should focus their attention on cybersecurity fundamentals, risk management, and resource allocation strategies, Wells adds.

The value of ChatGPT, as well as an array of other tools available to threat actors, come down to their ability to exploit human error, says Bugcrowd founder and CTO Casey Ellis. The remedy is human problem-solving, he notes.

"The entire reason our industry exists is because of human creativity, human failures, and human needs," Ellis says. "Whenever automation 'solves' a swath of the cyber-defense problem, the attackers simply innovate past these defenses with newer techniques to serve their goals."

But Patrick Harr, CEO of SlashNext, warns organizations not to underestimate the longer-term threat ChatGPT could pose. Security teams, meanwhile, should look to leverage similar LLMs in their defenses, he says.

"Suggesting that ChatGPT is low risk is like putting your head in the sand and carrying on like it doesn’t exist," Harr says. "ChatGTP is only the start of the generative AI revolution, and the industry needs to take it seriously and focus on developing AI technology to combat AI-borne threats."

ChatGPT Gut Check: Cybersecurity Threats Overhyped or Not?

With HinataBot, malware authors have created a beast many times more efficient than even the scariest botnets of old, packing more than 3Tbit/s DDoS speeds.

Former Mirai hackers have developed a new botnet, dubbed HinataBot, with the potential to cause far greater damage with far fewer resources required from its operators than its predecessor.

Mirai is one of the world's most notorious botnets. In circulation since the mid-2010s, it uses Internet of Things (IoT) devices like routers and cameras to hit targets with massive amounts of traffic to force distributed denial of service (DDoS). Some of its most notorious attacks were against French technology company OVH, the government of Liberia, and DNS provider Dyn, an attack that touched websites such as Twitter, Reddit, GitHub, CNN, and many more.

Now, in a report published March 16, researchers from Akamai noted that HinataBot has only been in development since mid-January. Despite that, according to initial tests, it packs in orders of magnitude more powerful than its predecessor, reaching more than 3 Tbit/s traffic flows.

**Just How Powerful Is HinataBot?**

In its heyday, the Mirai botnet managed to flood its victims with hundreds of gigabytes per second in traffic — up to 623 Gbit/s for the KrebsOnSecurity website, and nearly 1 Tbit/s against OVH. As OVH noted at the time, that huge wave of data was enabled by a network of around 145,000 connected computers, all sending requests to their systems simultaneously.

To gauge the relative strength of HinataBot the Akamai researchers ran 10-second test attacks. "If the botnet contained just 1,000 nodes," they found, "the resulting UDP flood would weigh in at around 336 Gbps per second." In other words, with less than 1% of the resources, HinataBot was already capable of producing traffic approaching Mirai's most vicious attacks.

When they considered what HinataBot could do with 10,000 nodes — roughly 6.9% of the size of peak Mirai — the resulting traffic topped out at more than 3.3 Tbit/s, many times stronger than any Mirai attack.

"These theorized capabilities obviously don't take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc.," Akamai researchers warned in the report, "but you get the picture. Let's hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale."

**Why Hackers Are Choosing Golang**

Much of the reason for HinataBot's improvements comes down to how it was written.

"Most malware has traditionally been written in C++ and C," explains Allen West, one of the principal researchers of the report. Mirai, for example, was written in C.

In more recent years, though, hackers have become more creative. "They're trying to take any new approach they can, and these new languages — such as Go, with its efficiencies and the way it stores strings — makes it more difficult for people to deal with."

"Go" — short for "Golang" — is the high-level programming language underpinning HinataBot. It's similar to C, but, in some ways, it's more powerful. With Golang, explains Chad Seaman, another author of the report, hackers "get better error handling, they get memory management, they get easy threaded worker pools, and a little bit more of a stable platform that provides some of the speed and performance you would associate with a C-level language, and C or C++ binaries, with a lot of things that they don't have to manage."

"It just lowers the bar on technical difficulty," he says, "while also raising the performance bar over, say, some of the other traditional languages."

For all of these reasons, Go has become a popular choice for malware authors. Botnets like kmsdbot, GoTrim, and GoBruteForcer are cases in point. "Go is becoming more performant and more mainstream and more common," Seaman says, and the malware that results is all the more powerful for it.

**How Much Should Businesses Worry About HinataBot?**

As scary as HinataBot may be, there may be a bright side.

HinataBot isn't simply more efficient than Mirai — it _must be_ more efficient because it's working with less.

"The vulnerabilities through which it's spread are not new or novel," Seaman says. HinataBot leverages weaknesses and CVEs already known to the security community and utilized by other botnets. It's an environment quite different than that of which Mirai operated in circa 2016–'17, when IoT vulnerabilities were novel and security for the devices was not top of mind.

"I don't think we're going to see a case of another Mirai, unless they get creative in how they're distributing and their infection techniques,” Seaman says. "We're not going to see another 70,000 or 100,000-node, Mirai-like threat from the Hinata authors under their current tactics, techniques, and procedures."

A less optimistic observer might note that, being only a couple of months old now, there is plenty of time for HinataBot to improve upon its limited weaknesses. "It may just be an introductory phase, right?" Seaman points out. "They're grabbing at low hanging fruit so far, without needing to go out and do anything really novel yet."

Nobody can yet say how big this botnet will become, or in what ways it'll change over time. For now, we can only prepare for what we know — that this is a very powerful tool, operating over known channels and exploiting known vulnerabilities.

"There's nothing that they're doing within the traffic that's circumventing security controls we've already put in place," notes Larry Cashdollar, the third author of the report. "The exploits are old. There are no zero days. So, as it stands, the fundamental security principles for defending against this kind of threat" — strong password policies, dutiful patching, and so on — "are the same. They're still sufficient."

Source

DARKReading