New EU Vulnerabilities Database | Using Gen AI as a bait for delivering malware
#186 - ENISA's response to the faltering CVE program | A new attack vector for social engineering based on the interest generated by new Gen AI tools
I did not follow the regular format of the newsletter for the last 3 weeks. Instead, it was about my experiment with generative AI for creating a policy on the usage of Gen AI. It was an interesting experiment with a lot of learning for me. You can follow the three-part series in my previous posts.
From this week we are back to the original structure.
🐞ENISA’s EUVD emerges as an alternative to the struggling CVE
A much-needed BCP (business continuity plan) for the CVE program and the NVD!
You’ve got to keep track of the 🪲 bugs. And it looks like the slack left by the CVE team is being picked up by ENISA’s EUVD team.
The EUVD (European Union Vulnerability Database) is live as a beta website.
The NVD was notorious for its analysis backlog: CVEs sat for weeks without scores or enrichment. The EUVD is updated near ⏱️ real-time.
Take Action:
Anyone in a vulnerability management role should add the EUVD as a backup source next to the CVE/NVD feeds, keyed on the CVE ID (the EUVD cross-references CVE IDs alongside its own EUVD identifiers). Over time, if the US continues to cut funding for CISA and cybersecurity, this could become the primary database we rely on.
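Added example (not from the newsletter, ENISA or NIST) of what "use the EUVD as a backup" looks like in practice: key both feeds on the CVE ID, let the primary feed win on conflicts, let the backup fill in missing records and missing scores, and keep a list of the gaps the backup is currently covering so they get re-checked when the primary catches up. The record layout is a constructed simplification rather than the real NVD or EUVD schema, and the IDs are synthetic (year 0000), so wiring this to the live feeds needs a field mapping first.

```python
"""Using the EUVD as a backup feed next to the primary CVE/NVD feed.

Added example; not code from the newsletter, ENISA or NIST. The record
layout is a constructed simplification, not the real NVD or EUVD schema,
and the CVE IDs below are synthetic (year 0000) so they match nothing real.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class FeedRecord:
    cve_id: str
    cvss: Optional[float] = None   # None: published but not yet scored (the backlog case)
    aliases: tuple = ()            # other IDs for the same issue, e.g. the EUVD's own ID


@dataclass
class MergedRecord:
    cve_id: str
    in_primary: bool = False
    in_backup: bool = False
    cvss: Optional[float] = None
    cvss_source: Optional[str] = None   # "primary" or "backup"
    aliases: set = field(default_factory=set)


def normalize_id(raw: str) -> str:
    """The CVE ID is the join key across both feeds; reject anything that is not one."""
    cid = raw.strip().upper()
    if not CVE_RE.match(cid):
        raise ValueError(f"not a CVE ID: {raw!r}")
    return cid


def merge_feeds(primary, backup):
    """Primary wins on conflict; the backup only fills gaps (missing record or
    missing score) and is recorded as the source so the gap stays visible."""
    merged = {}
    for rec in primary:
        cid = normalize_id(rec.cve_id)
        m = merged.setdefault(cid, MergedRecord(cid))
        m.in_primary = True
        m.aliases.update(rec.aliases)
        if rec.cvss is not None:
            m.cvss, m.cvss_source = rec.cvss, "primary"
    for rec in backup:
        cid = normalize_id(rec.cve_id)
        m = merged.setdefault(cid, MergedRecord(cid))
        m.in_backup = True
        m.aliases.update(rec.aliases)
        if m.cvss is None and rec.cvss is not None:   # fill, never override
            m.cvss, m.cvss_source = rec.cvss, "backup"
    return merged


def primary_gaps(merged):
    """IDs the primary feed is missing or has not scored: what the backup is
    covering for right now, and what to re-check when the primary catches up."""
    return sorted(cid for cid, m in merged.items() if m.cvss_source != "primary")


# Constructed sample feeds (synthetic IDs, not real vulnerabilities).
PRIMARY = [
    FeedRecord("CVE-0000-0001", cvss=9.8),
    FeedRecord("CVE-0000-0002"),                # stuck in the analysis backlog: no score yet
]
BACKUP = [
    FeedRecord("cve-0000-0001 ", cvss=8.0, aliases=("EUVD-0000-0001",)),  # conflict: primary wins
    FeedRecord("CVE-0000-0002", cvss=7.5, aliases=("EUVD-0000-0002",)),   # fills the missing score
    FeedRecord("CVE-0000-0003", cvss=5.3, aliases=("EUVD-0000-0003",)),   # only the backup has it
]

if __name__ == "__main__":
    merged = merge_feeds(PRIMARY, BACKUP)
    for cid in sorted(merged):
        m = merged[cid]
        where = "primary" if m.in_primary else "BACKUP ONLY"
        print(cid, m.cvss, m.cvss_source, where, sorted(m.aliases))
    print("gaps to re-check:", primary_gaps(merged))
```

The point of `primary_gaps` is operational: a record scored only from the backup is fine to act on today, but it should be re-scored from the primary feed once that catches up, rather than silently living on the backup's numbers forever.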
How to deliver malware in the age of AI
Attackers are building fake Gen AI tools that let you ‘create’ something and download the result. What you download is the malware.
Social engineers want you to install their malware on your systems, and they keep finding new ways to get you to do it yourself. This is the latest attack vector.
Attackers set up a fake Gen AI website and promote it as a cutting-edge AI model, offering free image, video and file generation. The ‘generated’ file you download contains the Noodlophile malware.
This blog post by Morphisec contains the detailed research and even names the websites that deliver this malware.
Take Action:
Update your training material to include this social engineering attack vector: a ‘generated’ download that turns out to be an executable
Have an allowlist of approved Gen AI software as part of your Gen AI policy, and enforce it with application control or web filtering rather than relying on the policy document alone
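Added example (not from the newsletter or the Morphisec write-up): the check a download policy or web gateway would apply to anything a ‘free AI generator’ hands back. It generalizes the lure described above to its two shapes: a media-looking name that actually executes (a double extension such as .mp4.exe, where the OS hides the last extension) and a media extension wrapped around an executable or archive whose header gives it away. The sample files are constructed byte strings, not real malware.

```python
"""Is the 'generated' download really an image or video?

Added example; not the newsletter's or Morphisec's code, and the sample
files below are constructed byte strings, not real malware.
"""

MEDIA_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp4", ".mov", ".webm"}
# Extensions Windows or macOS will execute or script when double-clicked.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk",
                 ".js", ".vbs", ".hta", ".ps1", ".app", ".dmg"}

# Leading bytes of formats that should never come back as generated media.
EXEC_MAGIC = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat binary (same bytes as a Java class file)"),
    (b"PK\x03\x04", "ZIP archive"),
)


def header_matches(ext: str, data: bytes) -> bool:
    """Does the file header agree with the media type the extension claims?"""
    if ext == ".png":
        return data.startswith(b"\x89PNG\r\n\x1a\n")
    if ext in (".jpg", ".jpeg"):
        return data.startswith(b"\xff\xd8\xff")
    if ext == ".gif":
        return data[:6] in (b"GIF87a", b"GIF89a")
    if ext == ".webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    if ext in (".mp4", ".mov"):
        return data[4:8] == b"ftyp"      # ISO base media: 4-byte box size, then 'ftyp'
    if ext == ".webm":
        return data.startswith(b"\x1a\x45\xdf\xa3")  # EBML header (Matroska/WebM)
    return True                          # no rule for this type: do not flag


def check_download(filename: str, data: bytes) -> list:
    """Return findings; an empty list means name and content are consistent."""
    findings = []
    exts = ["." + p for p in filename.strip().lower().split(".")[1:]]
    last = exts[-1] if exts else ""

    # clip.mp4.exe: the OS runs the LAST extension, which Windows Explorer
    # hides by default, so the user sees "clip.mp4".
    if last in RUNNABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in MEDIA_EXTS:
            findings.append(f"double extension: shown as {exts[-2]}, executes as {last}")
        else:
            findings.append(f"generated media delivered as runnable type {last}")

    # Content check: a media name wrapped around an executable or archive.
    for magic, kind in EXEC_MAGIC:
        if data.startswith(magic):
            findings.append(f"content is a {kind}")
            break
    if last in MEDIA_EXTS and not header_matches(last, data):
        findings.append(f"header does not match {last}")
    return findings


# Constructed samples: real format headers padded with zeros, nothing executable.
SAMPLES = {
    "real_png":    ("portrait.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "real_mp4":    ("clip.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16),
    "double_ext":  ("generated_video.mp4.exe", b"MZ\x90\x00" + b"\x00" * 16),
    "renamed_zip": ("render.png", b"PK\x03\x04" + b"\x00" * 16),
}

if __name__ == "__main__":
    for label, (name, data) in SAMPLES.items():
        print(f"{label:12} {name:26} -> {check_download(name, data) or 'ok'}")
```

The header rule is deliberately conservative: an unknown media extension is not flagged, because the goal is to catch the mismatch the lure depends on, not to act as a full file-type identifier.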