Red Hat Security Advisory 2024-10379-03 - An update for pam is now available for Red Hat Enterprise Linux 8. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10379.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pam security updateAdvisory ID:        RHSA-2024:10379-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10379Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2024-10041====================================================================Summary: An update for pam is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.Security Fix(es):* pam: libpam: Libpam vulnerable to read hashed password (CVE-2024-10041)* pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass (CVE-2024-10963)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-10041References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2319212https://bugzilla.redhat.com/show_bug.cgi?id=2324291https://issues.redhat.com/browse/RHEL-23018

Red Hat Security Advisory 2024-10379-03

Red Hat Security Advisory 2024-10289-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10289.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: container-tools:rhel8 security updateAdvisory ID:        RHSA-2024:10289-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10289Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2021-4024====================================================================Summary: An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)* podman: podman machine spawns gvproxy with port bound to all IPs (CVE-2021-4024)* Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-4024References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=1989575https://bugzilla.redhat.com/show_bug.cgi?id=2026675https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-10289-03

Red Hat Security Advisory 2024-10282-03 - An update for the kernel-rt:4.18.0 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10282.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: kernel-rt:4.18.0 security updateAdvisory ID:        RHSA-2024:10282-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10282Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2024-27043====================================================================Summary: An update for the kernel-rt:4.18.0 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: media: edia: dvbdev: fix a use-after-free (CVE-2024-27043)* kernel: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (CVE-2024-38564)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27043References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2278445https://bugzilla.redhat.com/show_bug.cgi?id=2293429

Red Hat Security Advisory 2024-10282-03

Red Hat Security Advisory 2024-10281-03 - An update for the kernel:4.18.0 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10281.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel:4.18.0 security updateAdvisory ID:        RHSA-2024:10281-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10281Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2024-27043====================================================================Summary: An update for the kernel:4.18.0 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: media: edia: dvbdev: fix a use-after-free (CVE-2024-27043)* kernel: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout (CVE-2024-27399)* kernel: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (CVE-2024-38564)* kernel: mptcp: pm: Fix uaf in __timer_delete_sync (CVE-2024-46858)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27043References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2278445https://bugzilla.redhat.com/show_bug.cgi?id=2280462https://bugzilla.redhat.com/show_bug.cgi?id=2293429https://bugzilla.redhat.com/show_bug.cgi?id=2315210

Red Hat Security Advisory 2024-10281-03

Red Hat Security Advisory 2024-10275-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10275.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel-rt security updateAdvisory ID:        RHSA-2024:10275-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10275Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2022-48773====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48773References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2298109

Red Hat Security Advisory 2024-10275-03

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert…

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert advisories to mitigate these critical security risks.

In a recent presentation at SANS HackFest Hollywood 2024, cybersecurity researchers at London, England-based firm AmberWolf have revealed critical security vulnerabilities in widely used corporate Virtual Private Network (VPN) clients allowing attackers to target macOS and Windows systems.

These vulnerabilities, found in both traditional SSL-VPN clients and modern Zero Trust solutions, could be exploited by attackers to gain remote code execution and elevated privileges on end-user devices.

The researchers found that VPN clients, while essential for secure remote access, often have deep system access. This makes them attractive and possibly a lucrative target for hackers.

The main problem lies in how these clients trust VPN servers. Attackers can create malicious VPN servers that exploit this trust, allowing them to run commands and gain administrator-level access to a user’s computer with little to no user interaction.

****NachoVPN****

To help the security community understand and mitigate these risks, the researchers have released NachoVPN, an open-source tool that simulates the attack scenarios discussed in their presentation. This tool acts as a malicious VPN server and shows how it can exploit weaknesses in different VPN clients. NachoVPN is designed to be easy to use and can be adapted to test for new vulnerabilities as they are discovered.

_“_NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities, AmberWolf researchers wrote in their blog post. _“_It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution._“_

Alongside NachoVPN, the researchers have published detailed advisories documenting the specific vulnerabilities disclosed during their presentation. These advisories provide technical descriptions, attack vectors, and mitigation recommendations to help organizations protect themselves against these threats.

****Vulnerabilities****

The vulnerabilities affect popular corporate VPN clients, including Palo Alto GlobalProtect and SonicWall NetExtender for Windows. The advisories, identified as CVE-2024-5921 and CVE-2024-29014, highlight the risks of remote code execution and privilege escalation via malicious VPN servers.

****NachoVPN on GitHub****

For more information about NachoVPN and the disclosed vulnerabilities, interested parties can visit the project’s **GitHub** repository and review the detailed advisories. The researchers’ presentation from SANS HackFest Hollywood 2024 is also available on the SANS YouTube channel, providing further insights into their findings and recommendations.

1.  ASUS and NordVPN Partner to Integrate VPN into Routers
2.  Hackers Calling Employees to Steal VPN Logins from Firms
3.  Ivanti VPN Flaws Exploited by DSLog Backdoor, Crypto Miners
4.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws
5.  Hackers Use Stolen VPN Access against Ivanti Users Despite Patches

AmberWolf Launches NachoVPN Tool to Tackle VPN Security Risks

Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Script Kiddie Assembles Massive DDoS Botnet

GenAI's 30%-50% coding productivity boost comes with a downside — it's also generating vulnerabilities. Veracode's Chris Wysopal talks about what he finds out in this News Desk interview during Black Hat USA.

It's faster, for sure, but generative artificial intelligence (GenAI) is learning how to code just like a human developer would — and that means picking up mistakes along the way.

GenAI and large language models (LLMs) learn how to code based off of open source models, which themselves are flawed, explained Chris Wysopal, CTO and co-founder of Veracode, at this year's Dark Reading News Desk at Black Hat USA 2024.

"\[GenAI\] can write a lot more code a lot faster," he said. "So what you end up with is more code and more vulnerabilities per unit of time."

The trick then becomes finding and fixing vulnerabilities at the same pace.

In his research presented at the conference, "From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era" (a titled itself written by an LLM), Wysopal proposes the best way forward is using AI to find and fix the vulnerabilities in AI-generated software code. But we're not there yet.

According to research, the current model that can write code the best is an LLM called StarCoder. That's not to say it writes code completely free of vulnerabilities, but it's the best thing going. ChatGPT 4.0 and ChatGPT 2.5 were also found to be fairy adept at writing secure code.

"A general purpose LLM can fix some security bugs, but it turns out it's not great at it," Wysopal says. "And so we're seeing specialized LLMs that are trained just to secure code."

Wysopal and his team at Veracode are working on that, as well as other companies, he adds.

News Desk 2024: Can GenAI Write Secure Code?

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor.
That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024.
"In this attack,

APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor

With a focus on creating technologies for other markets, Israel continues to be a valued destination for venture capital in cybersecurity outside the US and Europe.

Source: thinkhubstudio via Shutterstock

Though funding for cybersecurity startups began slowing globally in late 2022, Israeli startups continue to win significant cybersecurity investments, even with the nation's ongoing military operation in Gaza and escalating regional tensions.

The continued investment shows that Israel continues to be one of the strongest hubs for tech innovation in the US outside of Silicon Valley, says Or Shoshani, CEO and co-founder of Tel Aviv-based Stream.Security. His company, a cloud detection and response firm, garnered its first round of funding — a $26 million Series A — in March 2022 at the tail end of the boom. Earlier this month, the company was awarded a Series B round for $30 million.

"I've been traveling more than I've been doing in the last four years. Why? Just to show that we are here to support our customers, and we have built a business that is truly resilient, regardless of where we are and regardless of the state \[of affairs\] Israel is experiencing."

Following a two-year drought, cybersecurity startup companies are seeing an uptick in investment internationally, with the value of deals expected to grow by 45% in 2024 — a reversal of fortunes compared to the 40% decrease in 2022 and 49% drop in 2023, according to data from cybersecurity investment-advisory firm Altitude Cyber.

Related:Microsoft VS Code Undermined in Asian Spy Attack

Following a peak in Q4 2021, investment in cybersecurity firms tapered off for two years. It's starting to return. Top: Number of deals. Bottom: Value of deals in billions of US$. Source: Altitude Cyber

The investment focus of Altitude Cyber's clients, for example, remains the US, Israel, and Europe, followed by the rest of the world, says Dino Boukouris, founder and managing partner at the firm.

"We don't anticipate that trend will change any time soon," he says. "Even with the geopolitical climate we're in, Israel has continued to deliver, the US cyber market remains as strong as ever, and Europe \[and the\] UK continue to innovate and produce really great cyber companies."

**Cybersecurity Springs Back**

Israel's research and development centers took off during the US regulatory assault on encryption in the 1990s and the migration of chip design to many of the technology parks around Tel Aviv and Haifa during the past two decades. On the cybersecurity side, the nation has developed "outsized" capabilities, according to a recent history of Israel's evolution in cybersecurity.

Similar to Silicon Valley, going out for a cup of coffee often means running into two or three entrepreneurs that are going to tell you about their latest idea, says Jacques Benkoski, general partner at US Venture Partners, an investor in Stream.Security.

With the country's focus on cybersecurity and the density of talent and education available in a small area, innovation naturally follows, he says. 

Related:Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

"When you look at the history of venture capital, you have nodes of innovation that are characterized by a catalytic density of talent — you look at places like Silicon Valley, you look at places like Tel Aviv, and you just have a lot of people that are focused on the same thing," he says. "And from the acceleration through dialogues and the collisions \[of ideas\] between those people comes more innovation" than other parts of the world.

Yet, one aspect of Israel's venture-capital scene is that investors do not want to fund companies solving local problems. Instead, the focus is on creating technologies and businesses that address issues in the US, Europe, and worldwide, Benkoski say.

"We typically invest in companies that see the US as their primary market — it's actually an investment condition," he says. Second rounds of venture capital for companies like Stream.Security are often to develop a stronger presence in their primary market, he adds.

**Broadening Out Cybersecurity Investment**

While the country's cybersecurity ecosystem certainly has its adherents, other investors see a focus on local ecosystems to be desirable. Ukraine has historically had a strong cybersecurity community — albeit mixed with its share of cybercriminal groups — and that could see a resurgence if Russia ends its war, says Ron Gula, president of Gula Tech Adventures, an investment firm.

Related:Software Productivity Tools Hijacked to Deliver Infostealers

"I'm hopeful that the Ukraine war will end soon, and believe the tech ecosystem there will emerge as a rival to the Israeli ecosystem," he says.

Other areas of the world also offer substantial benefits for investment. In addition to expanding its investment into Israel, Forgepoint Capital plans to focus on Latin America and the Asia-Pacific regions, where the mobile-first ecosystem requires a tailored approach to cybersecurity, managing director J. Alberto Yépez says.

"Other geographies have more of a built-in enterprise industry infrastructure to support local innovation, with established institutions taking an active role to drive collaboration and better anticipate and address their customers' needs," he says, adding that the firm has partnered with global financial institutions to help innovate. "We aim to address a critical gap in growth funding for startups in Europe while expanding our purview into Latin America and Israel," he says.

One overhyped technology for investors? AI. While artificial intelligence has technology giants spending heavily — and nearly every cybersecurity firm boasts of AI features — the impact of AI startups on cybersecurity remains modest, says Altitude's Boukouris. But there have been some significant financing deals for AI-cybersecurity companies in past few years, including Protect AI ($60 million in Series B funding, HiddenLayer ($50 million, Series A), Witness AI ($28 million, Series A), and Cranium ($25 million, Series A), he says.

"Vendors specifically focused on security for AI/ML are still primarily in the early stages in terms of funding," he says. "We've only seen one significant M&A event so far, with Robust Intelligence being acquired by Cisco for around $300 million, which indicates that we are still in the early stages of security for AI."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#vulnerability