Welcome to a world where Generative AI revolutionizes the field of cybersecurity.
Generative AI refers to the use of artificial intelligence (AI) techniques to generate or create new data, such as images, text, or sounds. It has gained significant attention in recent years due to its ability to generate realistic and diverse outputs.
When it comes to security operations, Generative AI can play

Welcome to a world where Generative AI revolutionizes the field of cybersecurity.

Generative AI refers to the use of artificial intelligence (AI) techniques to generate or create new data, such as images, text, or sounds. It has gained significant attention in recent years due to its ability to generate realistic and diverse outputs.

When it comes to security operations, Generative AI can play a significant role. It can be used to detect and prevent various threats, including malware, phishing attempts, and data breaches. Analyzing patterns and behaviors in large amounts of data allows it to identify suspicious activities and alert security teams in real-time.

Here are seven practical use cases that demonstrate the power of Generative AI. There are more possibilities out there of how you can achieve objectives and fortify security operations, but this list should get your creative juices flowing.

**1) Information Management**

Information security deals with a breadth of data that is constantly growing. Intake of new information is one challenge with managing information, but Generative AI can help distill that information. For example, there are a number of existing solutions for aggregating data, such as RSS feeds for news, but the problem of actually determining what information is useful and what isn't still poses a problem.

Generative AI models have shown promising capabilities in generating accurate and concise summaries of text. These models can be trained on large datasets of security-related information and learn to identify key information, extract important details, and generate a condensed summary.

Another task where these capabilities can be useful is creating new policies in your organization's language by providing existing documentation, such as policy documents.

**2) Malware Analysis**

Generative AI solutions, though they can't solve everything, are extremely useful for security teams in performing malware analysis. AI models 'learn' to detect and recognize patterns within different types of malware, thanks to the massive amounts of labeled data they are trained on. This acquired knowledge enables them to identify anomalies in previously unseen code, paving the way for more effective and efficient threat detection. Malware that is plaintext (such as a decompiled executable, or a malicious python script) is generally best suited for this.

In some cases, Generative AI is even capable of de-obfuscating common techniques such as encoding schemes. Enabling the Generative AI solution to use external tools for de-obfuscation greatly enhances its capabilities. When properly applied to malware analysis use cases, Generative AI can help security teams account for lack of coding knowledge and quickly triage potential malware.

leverage external tools de-obfuscate on its own significantly improves its potential.

**3) Tool Development**

Generative AI can also rapidly increase a security team's ability to produce useful and actionable tooling. Generative AI has shown a lot of potential for being capable of solving complex coding tasks. In general, with good prompting, it's far easier for a developer to debug AI generated code than architect and recreate code from scratch. With capable, state-of-the-art models, debugging the generated code may not even be needed.

**4) Risk Evaluation**

Generative AI models are great at emulating a variety of personas and sticking to them. With the application of proper prompting techniques, the focus or behavior of the model can be directed to take on a particular bias. From there, a model can evaluate a variety of risk scenarios by emulating multiple personas, providing insight with different perspectives. By using a number of perspectives, Generative AI can be leveraged to provide thorough risk assessments and are much more capable of being neutral evaluators (via persona emulation) than a human would be. One can debate a model with an opposing persona and ensure that scenarios being evaluated are thoroughly red teamed.

**5) Tabletops**

Generative AI can be leveraged for tabletops in a variety of mechanisms. For example, provide a model with information from a recently released news article covering a new threat scenario, then have it generate a scenario that is adapted to your organization and its risks.

Generative AI can also be used for secretarial duties in a tabletop scenario, like ingesting the calendars of various stakeholders and scheduling an appropriate meeting time to conduct the tabletop.

Chat models in particular are well suited for tabletops, they can process tabletop data live and provide real-time input and feedback.

**6) Incident Response**

Generative AIs are excellent tools for assisting with incident response. By creating workflows that include AI insights to analyze payloads associated with incidents, the mean time to resolve (MTTR) of incidents can be significantly reduced. It's critical to use retrieval augmentation in these scenarios, as it's likely impossible to train a model to account for every possible scenario. When you apply retrieval augmentation to additional external data sources, such as threat intelligence, you gain an automated workflow that is accurate and works to eliminate hallucinations.

**7) Threat Intelligence**

Using Generative AI to assist and enhance various threat intelligence tasks is an obvious application. Analyzing vast amounts of structured and unstructured data, such as indicators of compromise (IOCs), malware samples, and malicious URLs, generative AI can create insightful reports summarizing the current threat landscape, emerging trends, and potential vulnerabilities.

It can also synthesize reports on threat actor data with information about TTPs of various threat actors transforming data into actionable intelligence. For example, it can flag potential attack vectors, vulnerable systems, or specific detection mechanisms that could be implemented to mitigate those threats.

**What's Next**

Generative AI holds immense potential for the future of cybersecurity. By harnessing its ability to process and analyze vast amounts of data, it's capable of transforming how we detect, investigate, and respond to cyber threats. Read Understanding and Leveraging Generative AI in Cybersecurity to learn more.

_Note: This article was expertly written and contributed by Jonathan Echavarria, Principal Research Scientist at ReliaQuest._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

7 Uses for Generative AI to Enhance Security Operations

A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments.
"This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf

Ransomware / Vulnerability

A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments.

"This campaign marks the first documented instance \[...\] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf researchers Stefan Hostetler, Markus Neis, and Kyle Pagelow said.

The cybersecurity company, which said it's responding to "several instances" of exploitation of the software, noted that the attacks are likely taking advantage of three flaws that have been disclosed over the past three months -

*   **CVE-2023-41265** (CVSS score: 9.9) - An HTTP Request Tunneling vulnerability that allows a remote attacker to elevate their privilege and send requests that get executed by the backend server hosting the repository application.
*   **CVE-2023-41266** (CVSS score: 6.5) - A path traversal vulnerability that allows an unauthenticated remote attacker to transmit HTTP requests to unauthorized endpoints.
*   **CVE-2023-48365** (CVSS score: 9.9) - An unauthenticated remote code execution vulnerability arising due to improper validation of HTTP headers, allowing a remote attacker to elevate their privilege by tunneling HTTP requests.

It's worth noting that CVE-2023-48365 is the result of an incomplete patch for CVE-2023-41265, which along with CVE-2023-41266, was disclosed by Praetorian in late August 2023. A fix for CVE-2023-48365 was shipped on November 20, 2023.

In the attacks observed by Arctic Wolf, a successful exploitation of the flaws is followed by the abuse of the Qlik Sense Scheduler service to spawn processes that are designed to download additional tools with the goal of establishing persistence and setting up remote control.

This includes ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink. The threat actors have also been observed uninstalling Sophos software, changing the administrator account password, and creating an RDP tunnel via Plink.

The attack chains culminate in the deployment of CACTUS ransomware, with the attackers also using rclone for data exfiltration.

**The Ever-Evolving Ransomware Landscape**

The disclosure comes as the ransomware threat landscape has become more sophisticated, and the underground economy has evolved to facilitate attacks at scale via a network of initial access brokers and botnet owners who resell access to victim systems to several affiliate actors.

According to data compiled by industrial cybersecurity firm Dragos, the number of ransomware attacks impacting industrial organizations declined from 253 in the second quarter of 2023 to 231 in the third quarter. In contrast, 318 ransomware attacks were reported across all sectors for the month of October 2023 alone.

Despite ongoing efforts by governments across the world to tackle ransomware, the ransomware-as-a-service (RaaS) business model has continued to be an enduring and lucrative pathway to extort money from targets.

Black Basta, a prolific ransomware group that came onto the scene in April 2022, is estimated to have raked in illegal profits to the tune of at least $107 million in Bitcoin ransom payments from more than 90 victims, per new joint research released by Elliptic and Corvus Insurance.

A majority of these proceeds were laundered through Garantex, a Russian cryptocurrency exchange that was sanctioned by the U.S. government in April 2022 for facilitating transactions with the Hydra darknet marketplace.

What's more, the analysis uncovered evidence tying Black Basta to the now-defunct Russian cybercrime group Conti, which discontinued around the same time the former emerged, as well as QakBot, which was used to deploy the ransomware.

"Approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim," Elliptic noted, adding it "traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks

The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the clear_log() function. This makes it possible for unauthenticated attackers to clear the debug log via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5772: Debug Log Manager <= 2.2.0 - Cross-Site Request Forgery — Wordfence Intelligence

Amazon Web Services announced enhancements to several of its security tools, including GuardDuty, Inspector, Detective, IAM Access Analyzer, and Secrets Manager, to name a few during its re:Invent event.

Source: Techa Tungateja via Alamy Stock Photo

Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. As expected, the focus over the four days has been on artificial intelligence (AI) as AWS strives to show that its offerings can match – or surpass – those from Google Cloud and Microsoft Azure. But even beyond generative AI, AWS is highlighting enhancements to its threat detection, vulnerability assessment, and security policy tools.

First up: AWS has expanded Amazon GuardDuty with Amazon GuardDuty EC2 Runtime Monitoring and Amazon GuardDuty ECS Runtime Monitoring. GuardDuty EC2 Runtime Monitoring, now in preview, introduces runtime threat detection for Amazon Elastic Compute Cloud workloads to give security teams visibility into on-host, operating system-level activities. It also provides container-level context into threats. Amazon GuardDuty ECS Runtime Monitoring uses a lightweight security agent to extend threat detection for workloads running on EC2 and AWS Fargate.

AWS Secrets Manager now supports a single API call to identify and retrieve a group of secrets associated with the application. The BatchGetSecretValue API simplifies developer workflows. And administrators can now enter their own customer-specific security controls in AWS Security Hub to customize security posture monitoring.

**Generative AI to Security**

AWS is adding generative AI to its security tools Amazon Inspector and Amazon Detective. Amazon Inspector, a code-scanning tool for AWS Lambda functions, offers assisted code remediation using generative AI and automated reasoning and can provide in-context code patches for multiple vulnerability classes. Amazon Detective helps security investigations by using generative AI to analyze multiple activities related to potential security events and find group summaries.

Additionally, Amazon Inspector has agentless vulnerability scanning for Amazon Elastic Cloud Compute instances in preview. Amazon Detective now supports log retrieval from Amazon Security Lake and investigating AWS identity and access management entities for indicators of compromise.

**Identity and Access Announcements**

The AWS Identity and Access Manager (IAM) Access Analyzer continuously analyzes user accounts to identify unused access privileges and permissions to help administrators implement the principle of least privilege. Security teams can review the findings to prioritize which accounts need action. The tool also provides custom policy checks to validate that IAM policies adhere to the organization's security standards before systems are deployed.

Amazon EKS Pod Identity allows administrators to define required IAM permissions for applications in Amazon Elastic Kubernetes Service clusters. This allows the applications to connect with AWS services outside of the cluster.

Finally, AWS announced support for mutually authenticating clients presenting X509 certificates to Application Load Balancer. This helps administrators offload client authentication to the load balancer to ensure only trusted clients are able to access the organization's cloud applications.

**About the Author(s)**

Rundown of Security News From AWS re:Invent 2023

PRESS RELEASE

HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments. Kubernetes Exposure Management helps security teams protect critical assets running in Kubernetes clusters across public cloud, private cloud, and on-premises infrastructure.

The new solution delivers continuous visibility into vulnerabilities, risky permissions, and misconfigurations that could allow attackers to breach Kubernetes environments and access valuable data and applications. By extending XM Cyber's industry-leading XM Attack Graph Analysis™ to Kubernetes, organizations can now see integrated risks across hybrid environments and intelligently prioritize remediation based on potential impact to critical assets.

"We are early adopters of XM Cyber's new Kubernetes features in order to achieve full transparency into our customer environments", said Moritz Tuerk, Chief Product Owner Security for SAP Product Engineering. "With the comprehensive attack path view, we can enhance the security of the SAP cloud even further than what is currently possible."

Key benefits of XM Cyber's Kubernetes Exposure Management include:

*   360-Degree Visibility: Gain a comprehensive view of risks and excessive permissions across all Kubernetes assets.
    
*   Protection for Sensitive Resources: Ensure the security of vital Kubernetes resources like ConfigMaps and Secrets.
    
*   Cross-Environment Analysis that reduces remediation efforts: Perform multi-step attack modeling, risk assessment, and prioritization that considers the needs of multiple domains.
    
*   Rapid Time-to-Value: Initial deployment can be completed in hours to unlock actionable exposure insights from day one.
    

Security issues have caused 67% of companies to delay or slow down Kubernetes deployment. XM Cyber's Kubernetes Exposure Management capabilities are aimed at helping security teams tackle this emerging risk vector head-on.

"Kubernetes adoption is accelerating, but securing these highly complex environments remains a huge challenge," said Boaz Gorodissky, CTO at XM Cyber. "Our new Kubernetes Exposure Management equips security teams with the comprehensive visibility and automated control they urgently need to reduce attack surfaces and proactively protect critical container workloads."

To learn more about XM Cyber, please visit: https://xmcyber.com/solution-briefs/kubernetes-continuous-exposure-management/.

About XM Cyber

XM Cyber is a leading hybrid cloud exposure management company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.

You May Also Like

XM Cyber Launches Kubernetes Exposure Management to Intelligently Protect Critical Container Environments

By Waqas
US Treasury Sanctions Sinbad.io for Laundering Millions in Stolen Funds Linked to North Korea's Lazarus Group.
This is a post from HackRead.com Read the original post: US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

According to the US government, Sinbad.io provided its services to the Lazarus group to launder money stolen from numerous data breaches, including those affecting Horizon Bridge, Axie Infinity, and Atomic Wallet.

The official domain of Sinbad.io, a popular Bitcoin “mixer” service has been seized by the United States government. The reason to seize the service given by the US Treasury is that the service apparently, was involved in laundering millions of dollars stolen by North Korean state-based notorious Lazarus group.

Those visiting Sinbad.io can now encounter a homepage uploaded by the government of the United States, announcing the following:

> _This service has been seized as part of a coordinated law-enforcement action between the Federal Bureau of Investigation, the Financial Intelligence and Investigation Service (FIOD), and the National Bureau of Investigation taken against the Sinbad.io cryptocurrency mixing service. The Federal Bureau of Investigation has seized the service in accordance with a seizure warrant pursuant to 18 U.S.C. 55 981 and 982 as part of a coordinated international law-enforcement operation._

In a press release dated November 29, 2023, the Treasury accused Sinbad.io of processing hundreds of millions of dollars worth of cryptocurrency obtained from various sources. These sources reportedly include large-scale data breaches, notably the $100 million hack affecting Horizon Bridge in June 2022, the $620 million from the Axie Infinity hack in March 2022, and the impact on customers of Atomic Wallet in June 2023.

What Sinbad.io’s homepage shows to visitors (Image credit: Hackread.com)

The US government further claimed that Sinbad.io is not only used for financial crimes but is also a tool employed by cybercriminals for “obfuscating transactions” associated with activities such as sanctions evasion, drug trafficking, purchasing child sexual abuse materials, and other illicit sales on dark web marketplaces.

The Lazarus group, operating under the control of the Democratic People’s Republic of Korea (DPRK), is infamous for its hacking activities. The US alleges that Sinbad.io serves as a “key money-laundering tool” for the already-sanctioned Lazarus group, which is believed to have stolen a staggering $2 billion worth of digital assets over its operational history.

According to the Q3 2023 Crypto Losses Report by Immunefi, a blockchain cybersecurity firm, the cryptocurrency industry incurred a loss of $685.5 million, marking the highest quarterly loss for the year.

The two largest exploits of the quarter were on Mixin Network and Multichain, which together accounted for 47.5% of all losses. The Lazarus Group, a North Korean state-sponsored hacking group, was responsible for $208.6 million in stolen funds, representing 30% of the total losses.

As for Sinbad.io, it operates on the Bitcoin blockchain and is considered by experts to be a successor to the previously sanctioned crypto mixer, Blender.io. The Office of Foreign Assets Control (OFAC) sanctioned Blender.io on May 6, 2022.

However, ddespite authorities shutting down the original Sinbad.io address, a mirrored site surfaced, registered in Moscow on November 18. A Google search for the original Sinbad.io now shows a copycat site, 1sinbadgo.com, as the second result. Notably, the copycat site, which also boasts a .Onion domain, claims to provide identical services to the original seized domain.

(Image credit: Hackread.com)

Nevertheless, the sanctions imposed by the US require the blocking and reporting of “all property and interests in property” belonging to Sinbad.io that are within the United States or under the possession or control of US persons, according to the press release.

****_RELATED ARTICLES_****

1.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
2.  **Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm**
3.  **Lazarus-Linked BlueNoroff APT Hits macOS with ObjCShellz Malware**
4.  **N. Korean Lazarus Group Suspected in $37.3M CoinsPaid Crypto Heist**
5.  **Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity**

US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

Guy Tytunovich, founder and CEO of CHEQ, says the days of a one-size-fits-all consent strategy are gone. Consider a two-pronged approach and use smart consent management technology to adapt to differing regulations.

Source: Formatoriginal via Alamy Stock Photo

COMMENTARY

Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).

Businesses weren't ready for GDPR, and many still aren't. So, what now?

**The Consent-Compliance Gap: How Businesses Are Falling Short**

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.

This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

**It's About to Get More Complicated**

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.

In 2023 alone, four US privacy laws entered enforcement including The Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware Indiana, Iowa, Montana, Oregon, and Texas.

These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.

Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy near impossible.

What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.

On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.

In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to applying these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

**Compliance Is a Constant Effort in an Evolving Global Privacy Landscape**

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.

As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was brought down because the tech company had been using an implied consent model on its EU properties.

Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.

But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.

**About the Author(s)**

Founder & CEO, CHEQ

Guy Tytunovich is the founder and CEO of CHEQ, the leader in Go-to-Market Security. Guy is a veteran of the Israeli Military cybersecurity and intelligence units and a founder of numerous tech companies in the space.

Thought GDPR Compliance Was Hard? Buckle Up

Organizations from the Middle East and Africa have typically escaped public ransoms, but that's changing amid heightened geopolitical conflicts and digitalization initiatives.

Source: Jne Valokuvaus via Shutterstock

Cybercrime — and especially ransomware — traditionally have had an uneven impact across the Middle East and Africa (ME&A), yet recent data suggests that ongoing geopolitical conflicts will likely raise the overall level of cyberattacks across the regions.

South Africa saw a significant surge in attacks, with 78% of companies hit by ransomware in 2023, compared to 51% in 2022, according to the State of Ransomware 2023 report published by Sophos earlier this year.

However, the United Arab Emirates (UAE), for example, saw 70% fewer ransomware attacks in 2022, compared to the previous year, following greater international cooperation, according to statements by UAE government officials.

Cyber operations, including ransomware, will likely expand, as the ongoing conflict between Israel and Palestinians raises tensions in the region, much in the same way that Russia's invasion of Ukraine spurred greater attacks, says Jens Monrad, head of threat intelligence for the Europe, ME&A region at Google Mandiant.

"Cyber is now playing a role in any sort of geopolitical conflict, because it's a domain that ... comes with less cost and brings uncertainty, in terms of attribution," he says, adding that activity will likely continue to escalate. "We haven't really figured out how to draw a clear red line in the cyber domain. The line keeps being pushed, rather than somebody saying, now you've crossed the line."

Ransomware data continues to be scarce in the region. In its Digital Defense Report 2023, Microsoft noted that the top four ransomware families — Magniber, Lockbit, Hive, and Blackcat — accounted for two-thirds (65%) of all ransomware encounters and, of the four groups, only a single one, Blackcat, had extensive targets in a ME&A nation — in this case, Israel, which ranked fifth in that malware's targeted regions.

Two-thirds of attacks target Israel, the UAE, Saudi Arabia, or Jordan. Source: Microsoft Digital Defense Report 2023

The trend in the more general category of cyberattacks is clearer: two-thirds of cyberattacks in ME&A targeted either Israel, United Arab Emirates, Saudi Arabia, or Jordan, according to Microsoft's data collected prior to the current Israeli-Palestinian conflict. More than half of the attacks (52%) targeting the region focused on the education, government, information technology, and communications sectors — typical espionage targets.

**Regional Conflicts Spur Cyberattacks**

Surges in cyberattacks typically follow geopolitical conflict. The ME&A is experiencing that trend as well: Attacks conducted by Iran-linked actors, for example, focused on Israel between July 2022 and June 2023, a shift from the previous 12 months in which Iranian actors focused on the United States. The shift followed a highly sophisticated campaign of cyberattacks in 2021 and 2022 by an Israel-linked group, dubbed Predatory Sparrow, which had targeted Iran's critical infrastructure, including steel factories, state broadcasters, gas stations, and trains, Microsoft stated in its report.

"Iran's cyber-enabled influence operations have pushed narratives that seek to bolster Palestinian resistance, sow panic among Israeli citizens, foment Shi'ite unrest in Gulf Arab countries, and counter the normalization of Arab-Israeli ties," Microsoft stated in the report. "While specific narratives varied, the underlying goal was often the same. Tehran likely sought to retaliate against what it perceived were efforts by foreign actors to foment unrest in Iran."

Some of Iran's claimed attacks, however, have been exaggerated, according to Microsoft. And, while Iran-linked groups are some of the most active, the Palestinian-linked Molerats group recently used an improved downloader as part of its initial access operations.

Russian interests in ME&A may have a dampening effect on ransomware activity, since many ransomware groups operate out of Russia, says Mandiant's Monrad.

"I think it's a fair argument to say that these groups are also carefully vetting their victims to ensure that they don't endanger or put themselves at risk," he says. "If they engage in extortion schemes in countries where there are stronger diplomatic and trade relations ... you could potentially expect a political response to \[the victims\] asking Russia to do something."

**Manage Devices, Basic Hygiene**

Overall, companies in the region need to improve their cybersecurity maturity, says Brian Honan, CEO of BH Consulting, an independent cybersecurity and data-protection consulting firm based in Dublin that has clients in the Middle East.

"Where the Middle Eastern area struggles is their cybersecurity may not be as mature or have as much investment as in other regions," he says. "Many of the bigger organizations will have good cybersecurity in place, but in general, \[they are\] more vulnerable than their western counterparts."

Overall, 65% of CISOs in the Kingdom of Saudi Arabia and 47% in the UAE had a material loss of sensitive information in the past 12 months, according to the 2023 Voice of the CISO report published by security firm Proofpoint earlier this year.

Companies in the ME&A region are aiming to improve, however. Attacks on connected devices and cloud-related threats are the top cyberthreats for companies in the Middle East, according to a regional survey conducted for PricewaterhouseCoopers' Digital Trust Insights 2024 report. The worries are leading more than three-quarters of firms (77%) to increase their cyber budgets in 2024, according to the consultancy.

"Increasing digitization means companies are exposed to new digital vulnerabilities, making an effective approach to cybersecurity and digital trust more important than ever," PwC stated in the report, adding: "Middle East respondents revealed that loss of revenue — in terms of lost contracts, lost business opportunities — was the top concern for the outcomes of potential cyber attack in the next 12 months."

Companies still have to strive to do the cybersecurity basics. More than 80% of all compromised started with an unmanaged devices, Microsoft stated in its Digital Defense Report 2023.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Ransomware Could Surge in the Middle East & Africa

Red Hat Security Advisory 2023-7549-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7549.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2023:7549-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7549  
Issue date:         2023-11-28  
Revision:           01  
CVE Names:          CVE-2022-45884  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

* kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags (CVE-2023-3812)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: use-after-free due to race condition occurring in dvb_register_device() (CVE-2022-45884)

* kernel: use-after-free due to race condition occurring in dvb_net.c (CVE-2022-45886)

* kernel: use-after-free due to race condition occurring in dvb_ca_en50221.c (CVE-2022-45919)

* kernel: use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Random delay receiving packets after bringing up VLAN on top of VF with vf-vlan-pruning enabled (BZ#2240750)

* bpf_jit_limit hit again (BZ#2243011)

* HPE Edgeline 920t resets during kdump context when ice driver is loaded and when system is booted with intel_iommu=on iommu=pt (BZ#2244625)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-45884

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2148510  
https://bugzilla.redhat.com/show_bug.cgi?id=2148517  
https://bugzilla.redhat.com/show_bug.cgi?id=2151956  
https://bugzilla.redhat.com/show_bug.cgi?id=2154178  
https://bugzilla.redhat.com/show_bug.cgi?id=2224048  
https://bugzilla.redhat.com/show_bug.cgi?id=2240249  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924

Red Hat Security Advisory 2023-7549-01

Red Hat Security Advisory 2023-7539-01 - An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7539.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:7539-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7539  
Issue date:         2023-11-28  
Revision:           01  
CVE Names:          CVE-2022-40982  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)

* kernel: netfilter: potential slab-out-of-bound access due to integer underflow (CVE-2023-42753)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)

* kernel: use-after-free due to race condition occurring in dvb_register_device() (CVE-2022-45884)

* kernel: use-after-free due to race condition occurring in dvb_net.c (CVE-2022-45886)

* kernel: use-after-free due to race condition occurring in dvb_ca_en50221.c (CVE-2022-45919)

* kernel: Race between task migrating pages and another task calling exit_mmap to release those same pages getting invalid opcode BUG in include/linux/swapops.h (CVE-2023-4732)

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* kernel: use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Intel 8.8 BUG SPR IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221097)

* RHEL 8.9: intel_pstate may provide incorrect scaling values for hybrid capable systems with E-cores disabled (BZ#2223403)

* Bring MD code inline with upstream (BZ#2235655)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236514)

* ibmvnic: NONFATAL reset causes dql BUG_ON crash (BZ#2236701)

* PVT:1050:NXGZIP: LPM of RHEL client lpar got failed with error HSCLA2CF in 19th loops (BZ#2236703)

* xfs: mount fails when device file name is long (BZ#2236813)

* NFSv4.0 client hangs when server reboot while client had outstanding lock request to the server (BZ#2237840)

* i40e: backport selected bugfixes (BZ#2238305)

* Updates for NFS/NFSD/SUNRPC for RHEL 8.9 (BZ#2238394)

* SCSI updates for RHEL 8.9 (BZ#2238770)

* kernel: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (BZ#2239475)

* Random delay receiving packets after bringing up VLAN on top of VF with vf-vlan-pruning enabled (BZ#2240751)

* RHEL-8.9 RDMA/restrack: Release MR restrack when delete (BZ#2244423)

Enhancement(s):

* Intel 8.9 FEAT EMR power: Add EMR CPU support to intel_rapl driver (BZ#2230146)

* Intel 8.9 FEAT EMR tools: Add EMR CPU support to turbostat (BZ#2230154)

* Intel 8.9 FEAT EMR power: Add EMR support to the intel_idle driver (BZ#2230155)

* Intel 8.9 FEAT EMR RAS: Add EDAC support for EMR (BZ#2230161)

* Intel 8.9 FEAT general: intel-speed-select (ISST): Update to latest release (BZ#2230163)

* Intel 8.9 FEAT cpufreq: intel_pstate: Enable HWP IO boost for all servers (BZ#2232123)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-40982

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/7027704  
https://bugzilla.redhat.com/show_bug.cgi?id=2148510  
https://bugzilla.redhat.com/show_bug.cgi?id=2148517  
https://bugzilla.redhat.com/show_bug.cgi?id=2151956  
https://bugzilla.redhat.com/show_bug.cgi?id=2154178  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225201  
https://bugzilla.redhat.com/show_bug.cgi?id=2225511  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2236982  
https://bugzilla.redhat.com/show_bug.cgi?id=2239843

Tag

#intel