The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version 4.9.2.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5647: AI ChatBot 4.9.2 - Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file — Wordfence Intelligence

With a new emphasis on the Hamas attacks on Israel, the US Treasury has proposed designating foreign cryptocurrency “mixer” services as money launderers and national security threats.

Hamas’ attacks Against Israel on October 7 have shifted the geopolitical landscape and triggered a looming Israeli ground assault in the Gaza Strip. Now the ripple effects are reaching the cryptocurrency industry, where they’ve become the United States Department of the Treasury’s rallying cry for a crackdown on cryptocurrency anonymity services.

The US Treasury’s Financial Crimes Enforcement Network (FinCEN) today released a set of proposed rules that would designate foreign cryptocurrency “mixers”—services that blend users’ digital funds to offer more anonymity and make them harder to trace—as money laundering tools that pose a threat to national security and would thus face new sanctions and regulations. The new rules, if adopted following a 90-day period of public comment and debate, would potentially represent the broadest restrictions imposed yet on the mixing services and could make it far harder for cryptocurrency holders to put their money through the services before cashing it out at a US cryptocurrency exchange, or even at a foreign exchange that accepts US customers.

While the proposed rules were almost certainly in the works long before October 7, the Treasury’s announcement of the proposed rules tied the push for a change in policy directly to the use of cryptocurrency by Hamas and militant groups in Gaza. “The Treasury Department is aggressively combatting illicit use of all aspects of the CVC ecosystem by terrorist groups,” Wally Adeyemo, deputy secretary of the Treasury, wrote in a statement, using the term “CVC” to mean convertible virtual currency. Adeyemo says that this includes Hamas and Palestinian Islamic Jihad, a militant group that often aligns with Hamas, which Israel blamed for an explosion at a hospital in Gaza earlier this week.

Cryptocurrency mixers have existed almost as long as Bitcoin itself. They offer to take in a user’s cryptocurrency, blend it with that of other users, and return the funds so that they are harder to follow from their origin to destination on blockchains, which generally record every transaction in full public view. The Treasury’s rule change would designate those cryptocurrency-mixing services—or at least the majority of them that are based outside the US—as a “primary money laundering concern.” They would thus be considered a threat to US national security as defined by section 311 of the Patriot Act, a section of the law designed to restrict how domestic financial institutions interact with potential sources of terrorist financing.

The rule change would mean that US financial services, as well foreign ones with US customers—including cryptocurrency exchanges—would have to go through extra record-keeping and reporting requirements for funds that have touched a foreign cryptocurrency mixer, and it might even allow the Treasury to block US exchanges from handling those funds. “We’ve never seen anything like this before,” says Ari Redbord, the head of global policy for TRM Labs, a blockchain analysis firm. Redbord notes that the rule change isn’t proposing a blanket ban on foreign mixing services, only new rules for interacting with them. “The reality, however, is that 311 actions oftentimes have a sort of name-and-shame effect, where people are just not wanting to engage with these platforms out of fear of being caught up in money laundering or other type of illicit activity.”

Redbord, who previously served as an advisor to the Treasury’s undersecretary for Terrorism and Financial Intelligence, also notes that the proposal was no doubt being considered prior to the latest Hamas attacks and that the Treasury must have changed the proposal’s focus from the use of cryptocurrency by other national security threats, like North Korea and Russia, to Hamas and militant groups in recent days. “Having been at Treasury for a number of years, you don’t just roll out an action like this out over the course of 10 days,” says Redbord. “They’ve kind of shifted the narrative toward Hamas because that’s the news.”

Hamas and militant groups’ use of cryptocurrency, while significant, pales in comparison to the amount of cryptocurrency used by other illicit actors. Hamas, for instance, raised $41 million in cryptocurrency over the past two years, and Palestinian Islamic Jihad raised $91 million, according to a report last week in the _Wall Street Journal_ that cited analyses by cryptocurrency tracing firms and seizures by the Israeli government.

It’s not clear, however, how much of those funds actually made it to these groups before being seized. In fact, Hamas asked its donors to stop using cryptocurrency in April of 2023, due to the public nature of the transactions on blockchains and the risk of prosecution. Cryptocurrency tracing firm Chainalysis, which frequently works with government and law enforcement customers, went so far as to publish a blog post yesterday cautioning against mistaken analyses that overestimate the role of cryptocurrency in financing entities like Hamas and the Palestinian Islamic Jihad.

North Korean state-sponsored cybercriminals, Russian ransomware gangs, and other criminal groups, by contrast, have pocketed billions of dollars through their theft of cryptocurrency or use of the technology as a means of demanding extortion payments from victims. Thieves stole $3.8 billion in crypto last year—much of which went to the North Korean regime—and ransomware hackers extorted close to $450 million in just the first half of 2023, according to Chainalysis.

Those criminals often use cryptocurrency mixing services, funneling hundreds of millions of dollars into mixing services like ChipMixer and Sinbad.io. In fact, US law enforcement and the Treasury Department have aggressively sanctioned or shut down one mixer service after another in recent years, including Blender, TornadoCash, and Bitzlato, often citing their use in laundering the profits of those North Korean and Russian hackers.

The new FinCEN rules would be less severe than those sanctions, indictments, and busts—a new regulatory process rather than a ban—but also far wider in scope, says Jason Somensatto, Chainalysis’ head of North America public policy. “The impact can be much broader,” says Somensatto. “They can say that this applies to _all_ mixing services that people are interacting with.”

As the Treasury doubles down on its push to cut off crypto-based money laundering—and now points to Hamas as a new impetus for that crackdown—TRM Labs’ Redbord cautions that US regulators shouldn’t go too far in censuring services that do, in some cases, offer financial privacy to legitimate users. After all, without mixers, most cryptocurrency transactions are fully public in nature. “I think the challenge for regulators is, how do we thread the needle between stopping illicit actors from using these platforms but at the same time allow regular users to enable some degree of privacy?” Redbord says. “I think the concern is that this could very much be throwing the baby out with the bathwater.”

Citing Hamas, the US Wants to Treat Crypto "Mixers" as Suspected Money Launderers

**PRESS RELEASE**

**PALO ALTO, Calif.****,** **Oct. 19, 2023** **/PRNewswire/ --** Artificial intelligence (AI) provides a powerful tool for energy companies to deliver an affordable, reliable clean energy transformation. Today before a U.S. House Energy and Commerce Subcommittee, EPRI Senior Technical Executive Jeremy Renshaw testified that parties need to collectively work on addressing today's AI challenges and tomorrow's opportunities.

For more than a decade, EPRI has been studying AI and its potential impacts on the energy sector, and in the last five years, the institute has accelerated its activities around AI and data science. To date, EPRI has been involved in more than 70 projects related to AI applications in the energy sector.

As EPRI research has found, AI can help energy companies improve efficiency of existing assets, assist with wildfire risk evaluation and early-stage detection, aid vegetation management and storm recovery, and optimize energy usage, among other benefits.

"AI allows computers and humans to interact more effectively to improve safety and reliability while reducing costs," Renshaw testified before the House Energy and Commerce Subcommittee on Energy, Climate, and Grid Security. "This is done by allowing humans to do what humans do best - creative thinking and dealing with new or unforeseen situations, while computers do what computers do best - rapid, accurate computations," he said.

"While AI has come a long way in a short amount of time, there are still many more opportunities to solve existing challenges today, as well as considerations for ethical and responsible use of AI," Renshaw noted. Among pressing considerations:

*   **Data privacy and security**: AI models are typically trained on large datasets, which may contain personally identifiable information or other sensitive data. Steps should be taken to ensure the security and privacy of the data.
*   **AI-assisted cybersecurity**: EPRI and other companies are developing tools to proactively monitor and address suspicious cyber-related activity.
*   **Data**: Without sufficient quantity and quality of data, AI systems can potentially produce erroneous results that can be used in decision-making processes.
*   **Workforce training**: People need to be trained on how and when AI is the right tool to use and when it is not.

"Clearly, AI will have a significant impact on the energy industry, likely both positive and negative. It is anticipated that, through the introduction of AI, utilities will be able to utilize its benefits for maintaining or improving safety, affordability, reliability, efficiency, and environmentally friendly energy production," Renshaw concluded.

A copy of Renshaw's prepared testimony is available here. To learn more about EPRI's AI work, visit www.ai.epri.com.

**About EPRI**

Founded in 1972, EPRI is the world's preeminent independent, non-profit energy research and development organization, with offices around the world. EPRI's trusted experts collaborate with more than 450 companies in 45 countries, driving innovation to ensure the public has clean, safe, reliable, affordable, and equitable access to electricity across the globe. Together, we are shaping the future of energy.

SOURCE EPRI

AI 'Will Have a Significant Impact on Energy Industry,' EPRI Tells Congress

**PRESS RELEASE**

**CHICAGO****,** **Oct. 17, 2023** **/PRNewswire/ --** Fingerprint, the world's most accurate device intelligence platform, raised $33 million in Series C funding led by Nexus Venture Partners with participation from Uncorrelated Ventures. Fingerprint aids developers in building device identification with flexible APIs capable of identifying fraudsters while ensuring low-friction experiences for trusted users. The Fingerprint platform leads with best-in-class accuracy, identifying 99.5% of returning users in less than 500 milliseconds of processing time. The new funding brings the company's total funding to $77 million.

"With the gradual death of cookies and proliferation of VPNs, high accuracy device identification has never been more important. Companies battle sophisticated attacks from online fraudsters while needing to ensure their trusted customers have a frictionless experience," said Dan Pinto, Fingerprint's co-founder and CEO. "Fingerprint solves this challenge for thousands of companies by enabling accurate device identification and providing additional signals to inform visitor intent without inconveniencing legitimate users."

Since its last round of funding in 2021, Fingerprint has seen significant growth stemming from its ease of integration, instant value for new customers via API and extensive documentation. Industry leaders like Dropbox trust Fingerprint to detect and block account takeover attempts, while Neiman Marcus relies on the same technology to create personalized experiences for its most valued customers.

"Fingerprint is becoming a modern utility for the internet economy to combat fraud," said Abhishek Sharma, Managing Director of Nexus Venture Partners. "Any business that processes online transactions or payments should use Fingerprint. Its device intelligence API helps high-scale websites and apps prevent fraudulent transactions. We're impressed by the product's ability to deliver 10x+ ROI for its customers consistently. We love Fingerprint's developer-focused go-to-market approach coupled with its ubiquitous open-source library, FingerprintJS. The company has commercially grown 20x over the past three years. It has a resounding product-market fit, from small businesses to large public companies. We're thrilled to triple down and further strengthen our partnership with Fingerprint."

Unlike other device identification methods, Fingerprint's persistent visitor identifier continuously improves and maintains accuracy, even as browsers are upgraded. Providing a complete view of all users across web and mobile devices — whether or not they are logged in or concealing their identity — enables companies to build superior frauddetection and user experiences. Companies use Fingerprint for a variety of use cases, including:

*   Protecting login pages from automated account takeover attacks and phishing attempts.
*   Preventing payment fraud of all forms for payment processors and eCommerce retailers.
*   Account sharing detection and prevention for SaaS and subscription services.
*   Securing cryptocurrency exchanges.
*   Building paywalls that can't be evaded by going incognito, changing IP addresses or clearing cookies.
*   Restricting access for bad actors in online gaming and gambling.

Fingerprint also makes it easy for any developer to get started with popular third-party integrations such as Cloudflare, Segment, CloudFront and many more. Additionally, Fingerprint partners with software vendors, including Dodgeball, Okta and Spec, to generate additional value for customers and increase customer retention.

The funding will enable Fingerprint to accelerate adoption within larger Enterprise customers, which have been a critical driver of the company's recent growth. Fingerprint aims to build new tools and capabilities to tackle the most complex challenges in device identification.

For more information on Fingerprint device intelligence, visit Fingerprint.com.

**About Fingerprint**

Fingerprint, powered by the most accurate device intelligence platform, enables companies to prevent fraud and improve user experiences. Fingerprint processes almost 100 signals from the browser, device, and network to generate a stable and persistent unique visitor identifier that can be used to understand visitor behavior. With a commitment to best-in-class data security and privacy, Fingerprint is proud to be ISO 27001 certified, SOC 2 Type II, GDPR, and CCPA compliant. Fingerprint is trusted by over 6,000 companies worldwide, including 16% of the top 500 websites, to help catch sophisticated fraudsters and personalize experiences for trusted users. Learn more at fingerprint.com.

**About Nexus Venture Partners**

Nexus Venture Partners is a venture capital firm that supports extraordinary founders in building product-first companies. The firm takes a high-conviction approach, serving as inception, seed, or series-A stage partner to founders, actively engaging with them throughout the company lifecycle. With $2.6B capital in management, Nexus portfolio includes Postman, Apollo.io, MinIO, Fingerprint, Nx, Druva, Observe.ai, Rancher, Pubmatic, Delhivery, H2O.ai, Hasura, Kaltura, Quizizz, Sibros, TileDB, Turtlemint, Unacademy, Zepto, and Zomato. For more information, visit www.nexusvp.com or follow @nexusvp on X.

Fingerprint Raises $33M in Series C Funding to Accelerate Enterprise Device Intelligence and Fraud Prevention Adoption

**PRESS RELEASE**

**AUSTIN, Texas** – **Oct. 10, 2023** – SailPoint Technologies, Inc., a leader in enterprise identity security, today released the findings from the 2023 edition of its annual research report, ‘The Horizons of Identity Security,’ at Navigate 2023. Produced in collaboration between SailPoint and Accenture, a leading global professional services company, the report is based on insights from more than 375 global cybersecurity executives across the Americas, Europe and Asia. The goal was to examine the current state and future direction of the identity security market.

With 90% of cybersecurity breaches being identity related, identity security is the most important security aspect that every organization must get right. Yet, findings from the Horizons of Identity Security report show that 44% of companies are still at the beginning of their identity journeys. And, concerningly, even mature companies cover less than 70% of the identities in their organizations through foundational governance capabilities. However, respondents noted that communicating the business value of identity security to executives is a key challenge. This underscores the need for identity security advocates to build executive-friendly business cases that are tailored to their audiences’ strategic priorities and value-driven mindset.

A worrying 77% of respondents indicate that “limited executive sponsorship or focus” is a primary obstacle to investment in identity security, second only to budgetary constraints (91%). However, report findings clearly demonstrate that a strong identity security program can power business agility and innovation, risk mitigation, efficiency gains, and advancement of tech initiatives. For example, it can accelerate organizational change by as much as 30% through quicker integration of identities, applications, data and infrastructure. 

“A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders,” said Matt Mills, President of Worldwide Field Operations, SailPoint. “In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way. Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”

Identity ecosystems are becoming increasingly complex and a preferred attack vector for threat actors. According to the report findings, on average more than 30% of the identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities, machine identities and data. Bringing those identities under the umbrella of a strong identity management program is essential for breach avoidance. Foundational security capabilities accelerate incident response, prevent bad actors from authenticating into internal systems and limit excessive access rights for employees — which survey respondents selected as the most common security deficiency enabling breaches.

Among other notable findings in the report was the fact that AI-based solutions have proven to be a potent accelerator, helping businesses add advanced new capabilities and drive greater agility. Encouragingly, the report shows a growing number of organizations are exploring AI-backed dynamic trust models to evolve access based on user behavior. The findings also show that companies leveraging SaaS, AI and automation scale a notable 10-30% faster and get more value for their security investment through increased capability utilization. More specifically, an identity platform leveraging automation and AI enables companies to scale identity-related capabilities up to 37% faster than companies without AI enablement. 

“Organizations are facing unprecedented challenges when it comes to managing their complex identity environments and massive data sets,” said Damon McDougald, the global Security Digital Identity lead at Accenture. “While advanced technologies like artificial intelligence and generative AI are making it easier to expedite, manage and scale identity security initiatives many organizations are still at the start of their journeys. Organizations should view this as an opportunity to accelerate their identity maturity timetable and establish a foundation for a secure digital transformation.”

**Adoption Assessment tool**

SailPoint is launching a new adoption assessment tool that can help organizations assess their current capabilities, as well as how they stack up against their peers. The tool can help businesses identify what their greatest barriers to stronger identity security are, and how they can generate greater business value by investing in identity. To access the adoption assessment tool, click here. 

SailPoint’s flagship ‘Navigate: Identity Security Accelerated’ conference kicks off in Austin, Texas on October 9th, and will be followed by a series of global events in London, Singapore, Sydney, Washington DC, Toronto and São Paulo. To register, visit the Navigate website.

**2023 Horizons of Identity Security Resources**

*   To download a copy of the 2023 Horizons of Identity Report, click here. 
*   Read more about the report’s top findings in this SailPoint blog. 
*   For a snapshot of the report’s key findings, click here. 
*   To reference the 2022 Horizons of Identity Report or take the maturity assessment, click here. 

**About SailPoint**

SailPoint is a leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Unveils Annual 'Horizons of Identity Security' Report

Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.

Thursday, October 19, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter. 

I continue to be saddened by all the conflict in Israel and Gaza that’s still ongoing. I’ll be back with a “normal” newsletter next week, as unfortunately, there doesn’t seem to be a peaceful solution coming any time soon.  

In the meantime, I just wanted to use this space again to provide a roundup of the best resources I found this week for Cybersecurity Awareness Month. Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient. 

*   The Annual Cybersecurity Attitudes and Behaviors Report 2023 (National Cybersecurity Alliance) 
*   2023 Data Breach Investigations Report (Verizon) 
*   Cisco is continuing to invest in the future of skills certifications. Here’s how the company thinks it’ll help fill the lack of cybersecurity experts (Fortune) 
*   The open nature of XDR and cross-domain telemetry (Cisco Secure livestream) 
*   Federal Cyber Chief Tells Agencies to Tap Brakes on AI (Wall Street Journal) 
*   Former NSA Director: AI is ‘double-edged sword’ for cybersecurity (The Hill) 
*   Small-Business Cybersecurity: 20 Effective Tips From Tech Experts (Forbes) 
*   5 quick tips to strengthen your Android phone security today (ZDNet) 
*   Fact Sheet: Improving Security of Open Source Software in Operational Technology and Industrial Control Systems (CISA) 
*   Cisco 2023 Consumer Privacy Survey 

**The one big thing **

Cisco has identified active exploitation of a previously unknown, zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. This affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.   

**Why do I care? **

Security researchers have already confirmed that threat actors have installed implants on targeted devices by exploiting this vulnerability. Up to 10,000 devices could already be affected, according to some estimates. In a worst-case scenario, the attacker could execute arbitrary code on the targeted devices. 

**So now what? **

Cisco recommends in its security advisory disabling the HTTP server feature on internet-facing systems. This is consistent with, not only best practices, but guidance the U.S. government has provided in the past on mitigating risk from internet-exposed management interfaces. As this is a critical vulnerability, Talos strongly recommends affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory. As soon as a patch is available, Talos and Cisco will be informing users, who should then patch as soon as possible.  

**Top security headlines of the week **

**Government officials are starting to disclose the true breadth of Russia’s cyber attacks at the outset of its invasion of Ukraine.** The head of the cyber division of Ukraine’s intelligence service said in a recent interview with Recorded Future that Ukraine worked with the U.S. to disrupt multiple attempts at disrupting Ukraine’s critical infrastructure in February 2022, right as Russia was launching a ground invasion of Ukraine. Sandra Joyce, the executive vice president of global intelligence at Mandiant, also said in a separate interview this week that protecting Ukraine in the initial weeks and months of the invasion was like “hand-to-hand combat.” Joyce also said that her company saw more wiper malware deployed against Ukraine in the first few weeks of the invasion than it had all of the past eight years it had partnered with Ukraine. Another top Ukrainian cybersecurity official called these attacks from Russia “nothing but a war crime.” (The Record, Yahoo! News) 

**Internet giant Amazon is slowly rolling out passkeys as a login method for its users.** Amazon quietly added the feature under users’ account management portal to opt into setting up a passkey. This means users can login using biometric authentication on their device, such as their fingerprint or face scan. This conceivably makes it more difficult for bad actors to access their accounts unknowingly, as they’d need physical access to their device. However, this login option still does not work on Amazon’s native apps, like Prime Video or Amazon shopping, on mobile devices. And the passkey login still requires a multi-factor authentication code to be entered, which would conceivably be redundant with a passkey. A spokesperson for Amazon told news outlet TechCrunch that the company is “in the early stages of adding Passkey support for Amazon.com to give customers another secure way to access their accounts. We will have more to share soon.” (TechCrunch, Dark Reading) 

**Threat actors in Vietnam attempted to infiltrate U.S. government officials’ devices with spyware earlier this year,** according to a new report, as well as devices belonging to a high-profile CNN anchor. The spyware was embedded in links placed in messages on the social media platform formerly known as Twitter. While the attempts appear to be unsuccessful, it does highlight the continued threat that spyware poses, specifically the Predator software, which Talos has written about previously. An Italian cybersecurity research group also recently found that bad actors were trying to spread spyware through fake national alerts in Italy. The actors have set up a fake site posing as Italy’s recently released IT Alert program for natural disasters, urging users to download an app to receive critical alerts. (Washington Post, Cyber Security Hub) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #158: How to find the right password management solution for you 
*   Why logging is one of the most overlooked aspects of incident response, and how Cisco Talos IR can help 
*   Snapshot fuzzing direct composition with WTF 
*   Ransomware versus data theft 

**Upcoming events where you can find Talos **

**ATT&CKcon 4.0** **(Oct. 24 - 25)** 

_McLean, Virginia_ 

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._ 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241**   
**MD5:** a5e26a50bf48f2426b15b38e5894b189   
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Generic::1201 

**SHA 256:** 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5   
**MD5:** 8c80dd97c37525927c1e549cb59bcbf3     
**Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos 

**SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440**   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 2ebfc0b6ae3e80ca4e5a3ebfa4d9d7e99818be183d57ce6fbb9705104639bf95   
**MD5:** 2371212b783f959809647de4f476928b   
**Typical Filename:** wzncntdmgkm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

More helpful resources for users of all skill levels to help you Take a Security Action

The Israelis are building a cyber defense system that will use ChatGPT-like generative AI platforms to parse threat intelligence.

Israel is rapidly developing a cyber defense system to address emerging digital threats and protect its critical infrastructure.

Modeled on Israel's Iron Dome defense air defense system, the Cyber Dome has been developed to include generative AI platforms to help filter out genuine threats from the sea of threat intelligence and cyberattack claims that the country parses every day.

According to media reports, it will be staffed by practitioners from various governmental departments, including the Israel Defense Forces (IDF) intelligence Unit 8200, the J6 and Cyber Defense Directorate within the IDF, cyber units of Mossad and Shin Bet, and the Israeli Ministry of Defense.

Gaby Portnoy, director general of the Israel National Cyber Directorate, told The Week that the various departments will work with the Israel National Cyber Directorate, with the latter doing "the internal work." Private companies and research organizations will also participate.

Plans were originally announced in summer 2022, but Cyber Dome development is now being advanced in light of the Gaza conflict, Portnoy said. No specific details regarding the mechanisms and tools of the cyber defense system have yet been provided to the public.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Powered Israeli 'Cyber Dome' Defense Operation Comes to Life

An out-of-bounds write vulnerability exists within the parsers for both the "DocumentViewStyles" and "DocumentEditStyles" streams of Ichitaro 2023 1.0.1.59372 when processing types 0x0000-0x0009 of a style record with the type 0x2008. A specially crafted document can cause memory corruption, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Published:2023/10/19  Last Updated:2023/10/19

**Overview**

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities.

**Products Affected**

*   Ichitaro series
*   Rakuraku Hagaki series
*   JUST Office series
*   JUST Government series
*   JUST Police series

A wide range of products is affected. For the details, refer to the information provided by the developer.

**Description**

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below.

*   **Use after free (CWE-416)** - CVE-2023-34366
    
    CVSS v3
    
    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    **Base Score: 3.3**
    
    CVSS v2
    
    AV:L/AC:M/Au:N/C:N/I:N/A:P
    
    **Base Score: 1.9**
    
*   **Integer overflow (CWE-190)** - CVE-2023-38127
    
    CVSS v3
    
    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    **Base Score: 3.3**
    
    CVSS v2
    
    AV:L/AC:M/Au:N/C:N/I:N/A:P
    
    **Base Score: 1.9**
    
*   **Access of resource using incompatible type (Type confusion) (CWE-843)** - CVE-2023-38128
    
    CVSS v3
    
    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    **Base Score: 3.3**
    
    CVSS v2
    
    AV:L/AC:M/Au:N/C:N/I:N/A:P
    
    **Base Score: 1.9**
    
*   **Improper validation of array index (CWE-129)** - CVE-2023-35126
    
    CVSS v3
    
    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
    
    **Base Score: 3.3**
    
    CVSS v2
    
    AV:L/AC:M/Au:N/C:N/I:N/A:P
    
    **Base Score: 1.9**
    

**Impact**

Processing a specially crafted file may lead to the product's abnormal termination.

**Solution**

**Apply the Patch**  
Apply the patch according to the information provided by the developer.  
For more information, refer to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

The reporter states that arbitrary code execution is possible.  
On the other hand, the developer states that impact of the vulnerabilities is abnormal termination only, as arbitrary code exaction has not been proven. From these, on this advisory the impact is described as abnormal termination only.

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Cisco Talos Security Intelligence & Research Group reported these vulnerabilities to JustSystems Corporation and coordinated. JustSystems Corporation and JPCERT/CC published respective advisories in order to notify users of the solution through JVN.

**Other Information**

CVE-2023-35126: Multiple vulnerabilities in JustSystems products

Categories: News
Categories: Ransomware
Tags: IT-SA

Tags:  ransomware

Tags:  AI

Tags:  ChatGPT

Tags:  NIS2

The major talking points IT-SA included ransomware, ChatGPT, and NIS2.



(Read more...)




The post The hot topics from Europe's largest trade fair for IT security appeared first on Malwarebytes Labs.

IT-SA Expo & Congress claims to be Europe's largest trade fair for IT security. And it really covers a wide range of security and security-related products and services. The event takes place in Nuremberg, Germany and provides an opportunity for vendors to show themselves to the public, create new contacts and leads, and check out what the competition is up to.

As one of the Malwarebytes representatives, I had the opportunity to walk around, talk to people, and listen to some of the talks given by representatives from throughout the industry.

All in all, I observed a lot of talks, and of the ones I heard that weren’t about promoting a product, most of them roughly fell into 3 categories: Ransomware, AI/ChatGPT, and NIS2.

**Ransomware**

Ransomware is still considered the most alarming cybersecurity threat to businesses, which isn't surprising given that Germany is regularly in the top five most targeted countries in our monthly ransomware reviews, which often makes it the first country on the list where English is not the primary language. As one of Europe’s leading economies there is some serious money to be made by the cybercriminals.

The focus in ransomware developments is the shift in attention to the earlier stages of the attacks. By the time files are being encrypted, attackers have probably already been in situ for a while, moving laterally through the victim's network and stealing their data. Some ransomware gangs even stop here and don’t proceed to encryption anymore. Encryption routines are easy to detect and stop, but spotting the suspicious behavior the precedes it turns out to be much harder.

**AI and ChatGPT**

AI, and ChatGPT in particular, are very much at the forefront of everyone’s attention. Mostly because we are curious, maybe even a bit anxious, to see what the future will bring.

As distinguished researcher Mikko Hyppönen explained, it’s not the tool we should be worried about, but the intentions of its users. Yes, artificial intelligence can find zero-days. Is that great because we can use to find vulnerabilities that need patching, or is it awful, because it will allow the cybercriminals to find vulnerabilities and exploit them?

And another researcher told us that after the introduction of ChatGPT and its peers, they noticed a 27% increase in the linguistic complexity of phishing emails. The times where we could spot the phisher by looking at the number of typo’s might be behind us. LLM’s allow phishers to create long, error-free emails that first gain the trust of the target and then get them to open an attachment or click a link.

**NIS2**

The NIS2 Directive is EU-wide legislation on cybersecurity. Its purpose is to heighten the security levels for critical infrastructure in the European Union.

Businesses identified by the member states as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure, will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services, and online marketplaces, will have to comply with the security and notification requirements under the directive.

NIS2 has to be turned into laws by EU member states, which means it can be incorporated differently in every member state to functionally harmonize with local legislation. In Germany the third draft bill was presented in September 2023. So, while it’s slowly shaping up there is nothing definite about what will be included in the final draft.

A few things have been in all three drafts and seem likely to survive the cut. As a result, there was a lot of speculation, but nobody exactly knows what is going to happen. The NIS Implementation Act is scheduled to be announced in March 2024 and then come into force in October 2024 if everything goes as planned.

To anyone who I had the pleasure of meeting at IT-SA, I hope you had a successful event and let’s meet again some time.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

The hot topics from Europe's largest trade fair for IT security

Amid the burgeoning war, Israel's tech sector is focused on resilience. Ofer Schreiber, senior partner at YL Ventures, weighs in on the conflict, funding for cybersecurity startups, overblown valuations, and what the future holds.

Israel has a strong start-up legacy of incubating cybersecurity vendors who have gone on to expand to global success. Investors have invested billions of dollars into these companies, and Tel Aviv last year was named one of the world's best technology ecosystems.

One of the more active investment firms in the region is YL Ventures, which funds early-stage Israeli cybersecurity start-ups. Its senior partner and head of the Israeli office is Ofer Schreiber, who oversees the firm's investment processes and due diligence, portfolio companies management, and value-add initiatives — and he has seen companies emerge from some challenging times recent years.

Dark Reading sat down with Schreiber to discuss the current state of investment in Israel's tech community, and how the events of the Israel-Hamas war could affect the start-up sector's outlook.

_**Dark Reading: How has the Israeli cybersecurity market been in the past few years, and are new companies still emerging?**_

_**Ofer Schreiber:**_ Cybersecurity innovation coming out of Israel is not stopping, but I think it's much harder today to build a new cybersecurity company compared to the last few years. One of the positive

    

Ofer Schreiber, senior partner at YL Ventures. Source: YL Ventures

things here is that from our perspective, the amount of entrepreneurial theory in Tel Aviv and Israel who are passionate about starting a new company to disrupt some of the industry's categories is not decreasing. There are great teams working on interesting ideas and the entrepreneurial spirit is as strong as in the past few years, that's for sure.

_**DR: What do you think the increasing challenges have been in the past few years?**_

_**OS:**_ The environment has changed, and it's harder to raise capital with good valuations compared to the past couple of years. You still see quite a lot of security startups that found themselves with very high valuations, and raised a lot of capital, but with not a lot of market traction to show for it.

We will start seeing more and more M&A activity during the next six or 12 months. The consolidation wave has already begun, and there's increased pressure on the entire industry from customers who are more interested in consolidation; they're interested in working with fewer vendors. They're expecting their big players to have wider suite of products and services, but \[users\] are drawn more to young and innovative startups, so that adds more pressure on younger vendors.

_**DR: How is the current Israel-Hamas conflict affecting the technology scene?**_

_**OS:**_ What is certain is that Israel is probably experiencing its biggest crisis in its short history. There is an analogy that we use about the Israeli tech ecosystem and its resilience, agility, and innovation. You can just see it across the entire country: we have been hit hard, but we are coping and we are regrouping.

There are so many initiatives from both the government and private sectors to support civilians that got hurt, and support the troops. The tech ecosystem is no different, everybody's doing something. A lot of the entrepreneurs and employees of our portfolio companies are in reserve duties in the intelligence core, and the ones who have not been recruited are spending a lot of time in private civilian initiatives. Everybody's using their skills.

There's always this cliche about the Israeli people, that we're constantly fighting with each other. But whenever there's an adversary, or whenever there is a crisis, we all put all our differences aside and we unite.

_**DR: What about from an investment point of view, does the conflict change the way businesses operate?**_

_**OS:**_ It would be foolish to say that it has no effect, just for the basic fact that a lot of people are \[busy\] in reserve duty or other civilian initiatives. If you think about Israeli startups, some of them have non-Israeli operations as well. Many are actually headquartered in the US, or they have departments outside of Israel, so those departments are almost unaffected.

For almost 100% of Israeli tech companies, they are definitely affected to some degree. What I can stay for certain, as with any other crisis that has happened in Israel, is that I think it's a very short-term impact on our industry. Like with every other bad thing that happened in Israel, we got hurt, but we show a lot of resilience, and I'm pretty sure that like any other negative event that happened in Israel, we will come out of it even stronger and more united as a country, and as a business ecosystem.

If I try to be an optimist, I'll say that it will have even a positive impact as we will get out of it stronger and more resourceful, and more united.

_**DR: Back to the valuation conversation — Do you see a lot of companies who literally launched with the view to being acquired within three years**__?_

_**OS:**_ I don't think that's the original intent of the vast majority of entrepreneurs. Entrepreneurs are optimistic in nature, that's why they're entrepreneurs, so they always have to be extremely visionary, but you have to be quite pragmatic at one point \[in\] the journey.

Most entrepreneurs aim to become a category leader, in whatever category they choose, and to build a sustainable business. Most of them will not succeed in doing that because that's just the reality of the start-up world in general, and definitely in cybersecurity, which is just a very big market with a lot of problems to be solved.

_**DR: Was there more investment after the COVID-19 pandemic started to slow down?**_

_**OS:**_ There were companies that raised ridiculous amounts of capital with ridiculous valuations, and investors who paid massive premiums just to invest and be a shareholder of a hot startup, and this basically pushed the valuations up.

I used to say that we were partying for two years, and now we're in the hangover stage. During 2021, the party was massive, and now we don't feel so well. So we have a headache but it will go away, it's a temporary situation. We need to realize that.

If you focused on building sustainable companies \[with\] sustainable growth, and focused on solving real problems and growing your area responsibly, you'll be fine.

Tag

#intel