7 Best Firewall Solutions for Enterprises in 2023

BY AMINU ABDULLAHI MAY 26, 2023

Enterprise firewall software is an essential component of network security infrastructure for organizations. These firewalls are designed to provide high availability and scalability to meet the needs of large and complex networks because they can handle high traffic volumes and accommodate the growth of network infrastructure.

By exploring the following top firewall solutions, enterprises can make an informed decision to fortify their network defenses and safeguard critical assets from ever-evolving cyber threats.

Palo Alto Networks: Best all-in-one enterprise firewall solution (Read more)
Check Point Quantum: Best for connected devices (Read more)
Fortinet FortiGate: Best for flexibility and scalability (Read more)
Juniper Networks: Best for logging and reporting (Read more)
Cisco Secure Firewall: Best for centralized management (Read more)
Zscaler: Best for businesses with cloud network infrastructure (Read more)
pfSense: Best open source firewall (Read more)

Best firewall solutions for enterprises: Comparison chart

	Best for	DLP capability	URL filtering	Reporting	Integration with third party solution	DNS filtering	Starting price
Palo Alto Networks	Overall	✔	✔	✔	✔	✔	Available on request
Check Point Quantum	Connected devices	✔	✔	✔	✔	✔	Available on request
Fortinet FortiGate	Flexibility and scalability	✔	✔	✔	✔	✔	Available on request
Juniper Networks	Logging and reporting capability	✔	✔	✔	✔	✔	Available on request
Cisco Secure Firewall	Centralized management	✔	✔	✔	✔	✔	Available on request
Zscaler	Businesses with cloud network infrastructure	✔	✔	✔	✔	✔	$72 per user per year
pfSense	Open source	✔	✔	✔	✔	✔	$0.01 per hour

Jump to:

Palo Alto Networks

Best overall enterprise firewall

Palo Alto is a leading network security provider of advanced firewall solutions and a wide range of network security services.

The company offers various firewall solutions for various enterprise use cases, including cloud next generation firewalls, virtual machine series for public and private clouds, container series for Kubernetes and container engines like Docker, and its PA-series appliances designed for data centers, network edge, service providers, remote branches and retail locations, and harsh industrial sites.

These firewalls provide enhanced visibility, control, and threat prevention capabilities to protect networks from various cyber threats, including malware, viruses, intrusions, and advanced persistent threats (APTs).

Pricing

Palo Alto doesn’t advertise its product pricing on its website. Our research found that the Palo Alto PA-series price range from $2,900 to $200,000 (more or less). To get the actual rates for your enterprise, contact the company’s sales team for custom quotes.

Standout features

Advanced threat prevention.
Advanced URL filtering.
Domain name service (DNS) security.
Medical IoT security.
Enterprise data loss prevention (DLP).
Up to 245 million IPv4 OR IPv6 sessions.

Pros

Provides visibility across IoT and other connected devices.
Provides visibility across physical, virtualized, containerized and cloud environments.
Offers a variety of products for different business sizes, from small businesses to large enterprises.
Easy-to-navigate dashboard and management console.

Cons

Complex initial setup.
Some users reported that the Palo Alto license is pricey.

Check Point Quantum

Best for connected devices

Check Point is an Israeli multinational company that develops and sells software and hardware products related to network, endpoint, cloud, and data security.

Check Point Quantum is designed to protect against advanced cyber threats, targeting Gen V cyber attacks. This solution encompasses various components to safeguard networks, cloud environments, data centers, IoT devices, and remote users.

Check Point’s SandBlast technology employs advanced threat intelligence, sandboxing, and real-time threat emulation to detect and prevent sophisticated attacks, including zero-day exploits, ransomware, and advanced persistent threats.

Pricing

Check Point does not publicly post pricing information on its website. Data from resellers shows that Check Point products can range from around $62 for a basic solution to over $50,000 for an enterprise-level solution. Contact the Check Point sales team for your actual quotes.

Standout features

URL filtering.
DLP.
Full active-active redundancy.
Zero-trust protection for IoT devices.
Check Point Quantum protects against GenV attacks.
Advanced threat protection.

Pros

24/7 customer service and support.
Easy to setup and use.
Management platform with automation features.
Sandblast protection for testing malware.

Cons

Users reported that the Check Point firewall is expensive.
Documentation can be improved.

Fortinet FortiGate

Best for flexibility and scalability

Fortinet offers various firewall products for different organization sizes, from home offices to large enterprises.

The FortiGate 7000 series (FG-7121F, FG-7081F, FG-7081F-2, FIM-7921F, FIM-7941F, and FPM-7620F) is an enterprise firewall product that provides high-performance network security. It is designed for organizations with high network traffic volumes and that have to manage large network infrastructures.

This firewall series is powered by a Security Processing Unit (SPU) of up to 520Gbps and also includes the latest NP7 (Network Processor 7) and CP9 (Content Processor 9).

Pricing

Fortinet’s FortiGate firewall tool pricing is available upon request. Pricing will depend on various factors, including the size of the network, the number of users, and the types of security features needed. Contact a Fortinet representative for pricing and product information.

Standout features

Protects IT, IIoT, and OT devices against vulnerability and device-based attack tactics.
FortiGate 7000F series provides NGFW, segmentation, secure SD-WAN, and mobile security for 4G, 5G, and IoT.
Offers various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
Zero Touch Integration with Fortinet’s Security Fabric Single Pane of Glass Management.

Pros

Integrations with over 500 third-party services.
AI-powered capabilities.
Users reported that the tool is user-friendly.

Cons

Support can be improved.
Its reporting feature can be improved.

Juniper Networks

Best for logging and reporting capability

Juniper Networks’ firewall helps enterprises protect their network edge, data center, and cloud applications.

The company is also known for its Junos operating system (OS), a scalable network OS that powers Juniper Networks devices. Junos provides advanced routing, switching, and security capabilities and allows for seamless integration with third-party software and applications.

Juniper Networks vSRX virtual firewall provides enhanced security for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, IBM Cloud, and Oracle Cloud environments, while its cSRX Container Firewall offers advanced security services to secure applications running in containers and microservices. The company’s SRX firewalls series is designed for various organization sizes, from small to large enterprises.

Pricing

Juniper Network pricing is available on request. However, they offer different license methods, including Pay-As-You-Go (PAYG) and Bring-Your-Own-License (BYOL) options for public clouds. Contact the company’s sales team for custom quotes.

Standout features

Juniper Network has various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
Public cloud workload protection, including AWS, Microsoft Azure, and Google Cloud Platform.
Logging and reporting capability.
Supports VMware ESXi, NSX, and KVM (Centos, Ubuntu).

Pros

Advanced threat prevention capability.
Deployable on-premises and cloud environments.

Cons

Support can be improved.
Users report that some Juniper Networks firewall products are expensive.

Cisco Secure Firewall

Best for centralized management

Cisco Secure Firewall combines firewall capabilities with advanced security features to protect networks from various threats, including unauthorized access, malware, and data breaches.

Cisco Secure Firewall integrates with Cisco Talos, a threat intelligence research team. This collaboration enables the firewall to receive real-time threat intelligence updates, enhancing its ability to identify and block emerging threats.

Cisco Secure Firewall can be centrally managed through Cisco Firepower Management Center (FMC). This management console provides a unified interface for configuration, monitoring, and reporting, simplifying the administration of multiple firewalls across the network.

Pricing

Contact Cisco’s sales team for custom quotes.

Standout features

IPS to protect against known threats.
Web filtering.
Network segmentation.
Centralized management.

Pros

Provides comprehensive visibility and control.
Efficient support team.
Highly scalable tool.

Cons

Support can be improved.
Complex initial setup.

Zscaler

Best for businesses with cloud network infrastructure

The Zscaler firewall provides cloud-based security for web and non-web traffic for all users and devices. Zscaler inspects all user traffic, including SSL encrypted traffic, with elastically scaling services to handle high volumes of long-lived connections.

One of the key advantages of Zscaler’s cloud-based approach is that it eliminates the need for on-premises hardware or software installations. Instead, organizations can leverage Zscaler’s infrastructure and services by redirecting their internet traffic to the Zscaler cloud. This makes scaling and managing security easier across distributed networks and remote users.

Pricing

Zscaler doesn’t advertise its rates on its website. However, data from resellers shows that its pricing starts from about $72 per user per year. For your actual rate, contact the Zscaler sales team for quotes.

Standout features

Centralized policy management.
Fully-integrated security services.
Real-time granular control, logging, and visibility.
User-aware and app-aware threat protection.
Adaptive IPS security and control.
File transfer protocol (FTP) control and network address translation (NAT) support.

Pros

Easy to use and manage.
AI-powered cyberthreat and data protection services.
Always-on cloud intrusion prevention system (IPS).
AI-powered phishing and C2 detection.

Cons

Complex initial setup.
Documentation can be improved.

pfSense

Best open-source firewall

pfSense is an open-source firewall and routing platform based on FreeBSD, an open-source Unix-like OS. It is designed to provide advanced networking and security features for small and large networks.

pfSense can be deployed as a physical appliance or as a virtual machine. pfSense offers many capabilities, including firewalling, VPN connectivity, traffic shaping, load balancing, DNS and DHCP services, and more.

Pricing

For pfSense cloud:

pfSense on AWS: Pricing starts from $0.01 per hour to $0.40 per hour.
pfSense on Azure: Pricing starts from $0.08 per hour to $0.24 per hour.

For pfSense software:

pfSense CE: Open source version available to download for free.
pfSense+ Home or Lab: Available at no cost for evaluation purposes only.
pfSense+ W/TAC LITE: Currently available at no charge, but the vendor may increase the rate to $129 per year in the future.
pfSense+ W/TAC PRO: $399 per year.
pfSense+ W/TAC ENT: $799 per year.

pfSense offers three hardware appliances tailored to the needs of large enterprises.

Netgate 8200: Cost $1,395. It has 18.55 Gbps IPERF3 and 5.1 Gbps IMIX traffic speed.
Netgate 1537: Cost $2,199. It has 18.62 Gbps(10k ACLs) IPERF3 and 10.24 Gbps (10k ACLs) IMIX traffic speed.
Netgate 1541: Cost $2,899. It has 18.64 Gbps(10k ACLs) IPERF3 and 12.30 Gbps(10k ACLs) IMIX traffic speed.

Standout features

NAT mapping (inbound/outbound).
Captive portal guest network.
Stateful packet inspection (SPI).

Pros

Free open-source version.
Community support.
Anti-spoofing capability.

Cons

Steep learning curve for administrators with limited experience.
GUI is old-fashioned and could be simplified.

Key features of enterprise firewall software

There’s a wide variety of capabilities that enterprise firewall software can provide, but some of the key features to look for include packet filtering, stateful inspection, application awareness, logging and reporting capabilities, and integration with your existing security ecosystem.

Packet filtering

Firewall software examines incoming and outgoing network packets based on predefined rules and policies. It filters packets based on criteria such as source/destination IP addresses, ports, protocols, and packet attributes. This feature enables the firewall to block or allow network traffic based on the configured rules.

Stateful inspection

Enterprise firewalls employ stateful inspection to monitor network connections’ state and analyze traffic flow context. By maintaining information about the state of each connection, the firewall can make more informed decisions about which packets to allow or block.

Application awareness

Modern firewall software often includes application awareness capabilities. It can identify specific applications or protocols within network traffic, allowing organizations to enforce granular policies based on the application or service used. This feature is handy for managing and securing web applications and controlling the use of specific services or applications.

Logging and reporting

Firewall software logs network events, including connection attempts, rule matches, and other security-related activities. Detailed logging enables organizations to analyze and investigate security incidents, track network usage, and ensure compliance with regulatory requirements. Reporting capabilities help generate comprehensive reports for auditing, security analysis, and compliance purposes.

Integration with the security ecosystem

Firewall software is typically part of a broader security ecosystem within an organization. Integration with other security tools and technologies, such as antivirus software, threat intelligence platforms, Security Information and Event Management (SIEM) systems, and network access control (NAC) solutions, allows for a more comprehensive and coordinated approach to network security.

Benefits of working with enterprise firewalls

Key advantages of enterprise firewall solutions include enhanced network security, threat mitigation, and access control, as well as traffic analytics data.

Network security: Firewalls act as a protective barrier against external threats such as unauthorized access attempts, malware, and other malicious activity. Enforcing access control policies and modifying network traffic helps prevent unauthorized access and protect critical data.
Threat mitigation: By combining intrusion prevention techniques, deep packet monitoring, and threat intelligence, a firewall can detect and block suspicious traffic, reducing the risk there that the network will be corrupted and damaged so
Access control: Firewall software allows administrators to restrict or allow access to network resources, applications, and services based on specific user roles, departments, or needs. This ensures that only authorized people or systems can access the screen and its accessories.
Traffic data and analytics: In addition to protecting your network, firewalls can also provide granular information about traffic and activity passing through your network, as well as its overall performance.

How do I choose the best enterprise firewall solution for my business?

When choosing the best enterprise firewall software for your business, consider the following factors.

Security: Assess your organization’s specific security needs and requirements.
Features: Evaluate the features and capabilities of firewall solutions, such as packet filtering, application awareness, intrusion prevention, VPN support, centralized management, and scalability. Consider the vendor’s reputation, expertise, and support services.
Compatibility: Ensure compatibility with your existing network infrastructure and other security tools.
Hands-on tests: Conduct a thorough evaluation of different firewall solutions through demos, trials, or proofs of concept to assess their performance, ease of use, and effectiveness in meeting your organization’s security goals.
Total cost of ownership (TCO): Consider the cost, licensing models, and ongoing support and maintenance requirements.

By considering these factors, you can make an informed decision and select the best enterprise firewall software that aligns with your business needs and provides robust network security.

Frequently Asked Questions (FAQ)

Is an enterprise firewall different from a normal firewall?

Although they share many characteristics, an enterprise firewall is not the same as a consumer-grade firewall. Enterprise firewalls are designed to meet large organizations’ security needs and network infrastructure challenges. They are robust, scalable, and can handle high network traffic volumes and sophisticated threats, compared to generic firewalls for home or small office environments.

What is the strongest type of firewall?

A firewall’s strength depends on various factors, and no universally dependable firewall exists. A firewall’s effectiveness depends on its materials, configuration, and how well it fits into the organization’s security needs.

That said, next-generation firewalls (NGFWs) provide improved security capabilities and are often considered the ideal firewall solution in today’s enterprise. NGFWs combine traditional firewall features with additional functionality such as application awareness, intrusion prevention, deep packet monitoring, and user-based policies. They provide advanced protection against modern threats with greater visibility and control over network traffic.

How do you set up an enterprise firewall?

Setting up an enterprise firewall involves several steps:

Determine your network topology.
Define security policies.
Plan firewall placement.
Configure firewall rules.
Implement VPN and remote access.
Test and monitor firewall performance.
Perform regular updates and maintenance.

We recommend engaging network security experts or reviewing vendor documentation and support materials for specific guidance in installing and configuring your enterprise firewall.

Methodology

The firewall solutions mentioned in this guide were selected based on extensive research and industry analysis. Factors such as industry reputation, customer reviews, infrastructure, and customer support were considered.

We also assessed the features and capabilities of the firewall solutions, including packet filtering, application awareness, intrusion prevention, DLP, centralized management, scalability, and integration with other security tools.

Also see

If you’re not sure one of the firewalls included here is right for your business, we also determined the best firewalls for SMBs, as well as the best software-based firewalls.

And once your firewall is in place, don’t neglect its maintenance. Here are the best firewall audit tools to keep an eye on its performance.

Source :
https://www.enterprisenetworkingplanet.com/security/enterprise-firewalls/

8 Best Network Scanning Tools & Software for 2023

BY KIHARA KIMACHIA
MAY 30, 2023

Network scanning tools are a critical investment for businesses in this era of increasing cyber threats. These tools perform an active examination of networks to identify potential security risks and help IT administrators maintain the health and security of their networks.

As businesses become more digital and interconnected, the demand for such tools has significantly increased. To help businesses sort through the plethora of these solutions available on the market, we’ve narrowed down the list to eight top products and their ideal use cases.

Here are our picks for the top network scanning software:

Burp Suite: Best for comprehensive web vulnerability scanning (Read more)
Detectify: Best for ease of use and automation (Read more)
Intruder: Best for cloud-based network security (Read more)
ManageEngine OpManager: Best for real-time network monitoring (Read more)
Tenable Nessus: Best for vulnerability analysis (Read more)
Pentest Tools: Best for penetration testing (Read more)
Qualys VMDR: Best for cloud security compliance (Read more)
SolarWinds ipMonitor: Best for large-scale enterprise networks (Read more)

Top network scanning tools and software comparison

	Vulnerability Scanning	Real-time Network Monitoring	Penetration Testing	Compliance Assurance	Integration with Other Tools	Ease of Use	Range of Vulnerabilities Detected	Scalability	Pricing (Starting)
Burp Suite	✔	✘	✔	✔	✔	Moderate	High	High	$1,999/yr
Detectify	✔	✔	✘	✔	✔	High	Moderate	High	$89/mo.
Intruder	✔	✔	✔	✔	✔	High	High	High	$160/mo.
Manage Engine OpManager	✔	✔	✘	✔	✔	Moderate	Moderate	High	$245
Tenable Nessus	✔	✘	✔	✔	✔	High	High	High	$4,990/yr
Pentest Tools	✔	✔	✔	✔	✔	Moderate	High	Moderate	$72/mo.
Qualys VMDR	✔	✔	✘	✔	✔	Moderate	High	High	$6,368/yr
SolarWinds ipMonitor	✔	✔	✘	✔	✔	High	Moderate	High	$1,570/yr

Jump to:

Burp Suite

Best for comprehensive web vulnerability scanning

Burp Suite is a trusted tool among IT professionals for its robust web vulnerability scanning capabilities. It identifies security holes in web applications and is particularly well-suited for testing complex applications.

Pricing

The vendor has three enterprise pricing options as follows:

Pay as you scan: This tier starts at $1,999 per year plus $9 per hour scanned. It includes unlimited applications and users.
Classic: This tier is priced at $17,380 per year and includes 20 concurrent scans, unlimited applications and unlimited users.
Unlimited: This is the superior plan and is priced at $49,999 per year. It includes unlimited concurrent scans, applications, and users.

Features

Out-of-band Application Security Testing (OAST) added to dynamic scans for accurate identification of vulnerabilities.
Easy setup with point-and-click scanning or trigger via CI/CD.
Recurring scanning options for daily, weekly, or monthly scans.
Out-of-the-box configurations for fast crawl or critical vulnerability audits.
API security testing for increased coverage of microservices.
JavaScript scanning to uncover more attack surfaces in Single Page Applications (SPAs).
Scalable scanning with the ability to adjust the number of concurrent scans.
Custom configurations available, including crawl maximum link depth and reported vulnerabilities.
Burp Scanner, a trusted dynamic web vulnerability scanner used by over 16,000 organizations.
Integration with major CI/CD platforms such as Jenkins and TeamCity.
API-driven workflow for initiating scans and obtaining results via the REST API.
Integration with vulnerability management platforms for seamless scanning and security reporting.
Burp extensions allow customization of Burp Scanner to meet specific requirements.
Multiple deployment options including interactive installer and Kubernetes deployment.
Integration with bug tracking systems like Jira with auto ticket generation and severity triggers.
GraphQL API for initiating, scheduling, canceling, and updating scans.
Role-based access control for multi-user functionality and control.
Compatible configurations from Burp Suite Pro can be manually integrated into the Enterprise environment.
Reporting features include graphical dashboards, customizable HTML reports, scan history metrics, intuitive UI, rich email reporting, security posture graphing, aggregated issue reporting, and compliance reporting for PCI DSS and OWASP Top 10.

Pros

Extensive vulnerability detection.
Can handle complex web applications.
Integration with popular CI/CD tools.

Cons

Steep learning curve for beginners.
Relatively higher pricing.

Detectify

Best for ease of use and automation

Detectify is a fully automated External Attack Surface Management (EASM) solution powered by a world-leading ethical hacker community. It can help map out a company’s security landscape and find vulnerabilities that other scanners may miss.

Pricing

The vendor has several pricing options as follows:

The full EASM package comes with a 2-week free trial. Pricing is custom and based on the number of domains, sub-domains, and web applications of the attack surface.
For organizations with a small attack surface, the vendor offers two pricing tiers that also come with a free 2-week trial:
- Surface Monitoring: Pricing starts from $289 per month (billed annually). This package includes up to 25 subdomains.
- Application Scanning: Pricing starts from $89 per month per scan profile (billed annually).

Features

The features of the full EASM solution are:

Continuous 24/7 coverage for discovering and monitoring your modern tech stack.
Crawling and fuzzing engine that surpasses traditional DAST scanners.
Ability to monitor large enterprise products and protect sensitive organizational data.
Accurate results with 99.7% accuracy in vulnerability assessments through payload-based testing.
SSO, API access, automatic domain verification, custom modules, and attack surface custom policies.
Identify risks before they are exploited by enriching assets with critical information like open ports, DNS record types, and technologies.
Integrates with popular tools such as Slack, Jira, and Splunk, and comes with an API that allows users to export results in the manner that best suits their workflows.

Pros

Simple and clean interface, easy to use.
Continuous automatic updates and scans.
Customizable reports and notifications.

Cons

Limited manual testing capabilities.
May generate false positives.

Intruder

Best for cloud-based network security

Intruder is a powerful cloud-based network security tool that helps businesses prevent security breaches by automating routine security checks. Each threat found is classified according to severity and a remediation plan proposed.

Pricing

Pricing is based on the number of applications and infrastructure targets with three pricing tiers: Essential, Pro and Premium. The Pro plan comes with a 14-day free trial.
Example pricing for 1 application and 1 infrastructure target is as follows:
- Essential: $160 per month, billed annually.
- Pro: $227 per month, billed annually.
- Premium: From $3,737 per year.

Features

Easy-to-use yet powerful online vulnerability tool.
Comprehensive risk monitoring across your stack, including publicly and privately accessible servers, cloud systems, websites, and endpoint devices.
Detection of vulnerabilities such as misconfigurations, missing patches, encryption weaknesses, and application bugs, including SQL injection, Cross-Site Scripting, and OWASP Top 10.
Ongoing attack surface monitoring with automatic scanning for new threats and alerts for changes in exposed ports and services.
Intelligent results that prioritize actionable findings based on context, allowing you to focus on critical issues like exposed databases.
Compliance and reporting with high-quality reports to facilitate customer security questionnaires and compliance audits such as SOC2, ISO27001, and Cyber Essentials.
Continuous penetration testing by security professionals to enhance coverage, reduce the time from vulnerability discovery to remediation, and benefit from vulnerability triage by certified penetration testers.
Seamless integration with your technical environment, with no lengthy installations or complex configurations required.

Pros

Cloud-based, eliminating the need for on-site servers.
Comprehensive vulnerability coverage.
Automated, regular security checks.

Cons

Dependency on automated scanning engines may result in occasional false positives or false negatives.

ManageEngine OpManager

Best for real-time network monitoring

ManageEngine OpManager is a comprehensive network monitoring application, capable of providing intricate insights into the functionality of various devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, virtual machines, printers, and storage systems. This software facilitates in-depth problem analysis to identify and address the core source of network-related issues.

Pricing

The vendor offers three editions with starting prices as follows:

Standard: $245 for up to 10 devices.
Professional: $345 for up to 10 devices.
Enterprise: $11,545 for 250 up to 250 devices.

Features

Capable of monitoring networks using over 2,000 performance metrics, equipped with user-friendly dashboards, immediate alert systems, and intelligent reporting features.
Provides crucial router performance data including error and discard rates, voltage, temperature, and buffer statistics.
Enables port-specific traffic control and switch port mapping for device identification.
Continuous monitoring of WAN link performance, latency, and availability, leveraging Cisco IP SLA technology.
Active monitoring of VoIP call quality across WAN infrastructure, facilitating the troubleshooting of subpar VoIP performance.
Automatic generation of L1/L2 network mapping, aiding in the visualization and identification of network outages and performance issues.
Provides monitoring for both physical and virtual servers across various operating systems such as Windows, Linux, Solaris, Unix, and VMware.
Detailed, agentless monitoring of VMware-virtualized servers with over 70 VMware performance monitors.
Utilizes WMI credentials to monitor Microsoft Hyper-V hosts and guest performance with over 40 in-depth metrics.
Enables monitoring and management of Host, VMs, and Storage Repositories of Citrix Hypervisor, providing the necessary visibility into their performance.
Allows for monitoring and management of processes running on discovered devices through SNMP/WMI/CLI.
Uses protocols like SNMP, WMI, or CLI for monitoring system resources and gathering performance data.
Provides immediate notifications on network issues via email and SMS alerts.
Facilitates the orchestration and automation of initial network fault troubleshooting steps and maintenance tasks.
Provides a centralized platform for identifying network faults, allowing for visualization, analysis, and correlation of multiple monitor performances at any instant.
Enables network availability, usage trend, and performance analysis with over 100 ready-made and customizable reports.
Employs a rule-based approach for syslog monitoring to read incoming syslogs and assign alerts.
Includes a suite of OpManager’s network monitoring tools to assist in first and second-level troubleshooting tasks.

Pros

In-depth network monitoring.
Easy-to-understand performance dashboards.
Supports both physical and virtual servers.

Cons

May be complex for beginners.
Cost can quickly escalate based on number of devices.

Tenable Nessus

Best for vulnerability analysis

Tenable Nessus is a vulnerability assessment tool that enables organizations to actively detect and rectify vulnerabilities throughout their ever-evolving attack surface. It is formulated to evaluate contemporary attack surfaces, expanding beyond conventional IT assets to ensure the security of cloud infrastructure and provide insights into internet-connected attack surfaces.

Pricing

Nessus offers a free 7-day trial. Customers can scan up to 32 IPs per scanner during the trial period.
After the trial, the product is available at a starting fee of $4,990 per year for an unlimited number of IPs per scanner.
Nessus Enterprise pricing is dependent on business requirements.

Features

Evaluates contemporary attack surfaces, extends beyond conventional IT assets, and provides insights into internet-connected environments.
Built with an understanding of security practitioners’ work, aiming to make vulnerability assessment simple, intuitive, and efficient.
Provides a reporting feature that prioritizes the top ten significant issues.
Nessus is deployable on a range of platforms, including Raspberry Pi, emphasizing portability and adaptability.
Ensures precise and efficient vulnerability assessment.
Offers visibility into your internet-connected attack environments.
Ensures the security of cloud infrastructure before deployment.
Focuses on the most significant threats to enhance security efficiency.
Provides ready-to-use policies and templates to streamline vulnerability assessment.
Allows for customization of reports and troubleshooting procedures.
Provides real-time results for immediate response and rectification.
Designed for straightforward and user-friendly operation.
Provides an organized view of vulnerability assessment findings for easy interpretation and analysis.

Pros

Broad vulnerability coverage.
Easy integration with existing security systems.
User-friendly interface.

Cons

Relatively higher pricing.

Pentest Tools

Best for penetration testing

Pentest Tools is a suite of software designed to assist with penetration testing. Pentest Tools provides the necessary capabilities to effectively carry out penetration tests, offering insights into potential weak points that may be exploited by malicious actors.

Pricing

The vendor offers four pricing plans as follows:

Basic: $72 per month, billed annually, for up to 5 assets and up to 2 parallel scans.
Advanced: $162 per month, billed annually, for up to 50 assets and up to 5 parallel scans.
Teams: $336 per month, billed annually, for up to 500 assets and up to 10 parallel scans.
Enterprise: For more than 500 assets and more than 10 parallel scans, plan pricing varies.

Features

Initially built on OpenVAS, now includes proprietary technology to assess network perimeter and evaluate a company’s external security posture.
Uses proprietary modules, like Sniper: Auto Exploiter, for a comprehensive security scan.
Provides a simplified and intuitive interface for immediate scanning.
Conducts in-depth network vulnerability scans using over 57,000 OpenVAS plugins and custom modules for critical CVEs.
Includes a summarized report of vulnerabilities found, their risk rating, and CVSS score.
Each report offers recommendations for mitigating detected security flaws.
Prioritizes vulnerabilities based on risk rating to optimize manual work and time.
Generates customizable reports with ready-to-use or custom templates.
Provides a complete view of “low hanging fruit” vulnerabilities, enabling focus on more advanced tests.
Allows testing of internal networks through a ready-to-use VPN, eliminating the need for time-consuming scripts and configurations.
Identifies high-risk vulnerabilities such as Log4Shell, ProxyShell, ProxyLogon, and others.
Assists in running vulnerability assessments necessary to comply with various standards like PCI DSS, SOC II, HIPAA, GDPR, ISO, the NIS Directive, and others.
Facilitates thorough infrastructure tests, detecting vulnerabilities ranging from weak passwords to missing security patches and misconfigured web servers.
Third-party infrastructure audit that’s useful for IT services or IT security companies, providing reports for client assurance on implemented security measures.

Pros

Broad coverage of penetration testing scenarios.
Easy to use, with detailed reports.
Regular updates and enhancements.

Cons

Proprietary technology can also limit interoperability with other tools or platforms.
New users may experience a steep learning curve.

Qualys VMDR

Best for cloud security compliance

Qualys VMDR is a top choice for businesses looking for cloud-based network security software. It provides automated cloud security and compliance solutions, allowing businesses to identify and fix vulnerabilities.

Pricing

Prospective customers can try out the tool for free for 30 days.
Pricing starts at $199 per asset with a minimum quantity of 32 (i.e., $6,368 total starting cost).
Flexible pricing for larger packages based on business needs.

Features

Qualys is a strong solution for businesses seeking cloud-based network security software, providing automated cloud security and compliance solutions.
Utilizes TruRisk™ to quantify risk across vulnerabilities, assets, and asset groups, enabling proactive mitigation and risk reduction tracking.
Automates operational tasks for vulnerability management and patching with Qualys Flow, saving valuable time.
Leverages insights from over 180,000 vulnerabilities and 25+ threat sources to provide preemptive alerts on potential attacks with the Qualys Threat DB.
Detects all IT, OT, and IoT assets for a comprehensive, categorized inventory with detailed information such as vendor lifecycle.
Automatically identifies vulnerabilities and critical misconfigurations per Center for Internet Security (CIS) benchmarks, by asset.
Integrates with ITSM tools like ServiceNow and Jira to automatically assign tickets and enable orchestration of remediation, reducing Mean Time To Resolution (MTTR).

Pros

Cloud-based, reducing on-premise hardware needs.
Comprehensive vulnerability and compliance coverage.
Powerful data analytics capabilities.

Cons

Can be complex for small businesses.
Pricing is high and can be prohibitive for smaller organizations.

SolarWinds ipMonitor

Best for large-scale enterprise networks

SolarWinds ipMonitor is an established network monitoring solution ideal for monitoring servers, VMware hosts, and applications on large-scale enterprise networks. It offers deep performance insights and customizable reports.

Pricing

SolarWinds ipMonitor has three pricing editions, each with a 14-day free trial:

500 monitors for $1,570
1000 monitors for $2,620
2500 monitors for $5,770

Features

The monitoring tool provides over a dozen notification types including alerts via email, text message, or directly to Windows Event Log files.
Facilitates the monitoring of common ports with key protocols.
Ensures IT environment functionality by continuously monitoring database availability.
Enhances end user network experience monitoring capabilities.
Offers monitoring of network equipment health in tandem with network infrastructure.
Confirms the ability of a web server to accept incoming sessions.
Provides critical insights into the overall IT environment.
Offers an affordable tool for network monitoring.
Utilizes VM ESXi host monitors to track the health and performance of your virtual environment.
Enables monitoring of Windows services and applications..

Pros

Extensive scalability for large networks.
Deep insights and comprehensive reporting.
Wide range of integrated applications.

Cons

Can be overly complex for smaller networks.
The pricing model may not suit smaller businesses.

Key features of network scanning tools and software

Vulnerability scanning is central to all network scanning tools, but other features, such as real-time monitoring, penetration testing, and integrability, should not be overlooked.

Vulnerability scanning

This is the most critical feature buyers typically look for in network scanning tools. Vulnerability scanning helps identify potential security threats and weak spots within the network.

The tools do this by scanning the network’s devices, servers, and systems for known vulnerabilities such as outdated software, open ports, or incorrect configurations.

This feature matters because it provides an overview of the network’s security posture, enabling users to take corrective measures promptly.

Real-time network monitoring

Real-time network monitoring allows for continuous observation of the network’s performance, detecting any issues or anomalies as they occur.

This feature is vital because it can significantly reduce downtime and address performance issues before they impact business operations.

Penetration testing

Penetration testing (or pentesting) simulates cyberattacks on your network to test the effectiveness of your security measures and identify potential vulnerabilities that may not be detectable through standard vulnerability scanning.

Penetration testing is essential for businesses as it offers a more proactive approach to cybersecurity than standard vulnerability scans.

Compliance assurance

Compliance assurance ensures that the organization’s network aligns with various regulatory standards, such as HIPAA for healthcare or PCI DSS for businesses that handle credit card information.

Compliance assurance is critical because non-compliance can result in hefty fines and damage to the company’s reputation.

Integration with other tools

Integration capabilities are an often overlooked but essential feature of network scanning tools. The ability to integrate with other IT management and security tools allows for a more streamlined and efficient workflow.

For example, integrating a network scanning tool with a ticketing system could automatically create a ticket when a vulnerability is detected.

This feature is vital as it enables businesses to enhance their overall IT infrastructure management and improve response times to potential threats.

How to choose the best network scanning software for your business

Selecting the best network scanning tool for your business involves several key considerations:

Identify your needs: The first step is to understand what you need from a network scanning tool. Do you require real-time network monitoring, pentesting, compliance assurance, or more? The type of network you’re operating and the size of your business can heavily influence your needs.
Consider the ease of use: The usability of the software is an important factor depending on the size and expertise of your IT team. If it’s too complex, it may be challenging for your team to use effectively. Look for software that has a user-friendly interface and offers good customer support.
Examine the features: Look for software that offers the features that match your specific requirements. If you’re unsure what features you might need, consulting with an IT professional can be beneficial.
Evaluate scalability: Your business is likely to grow, and so will your network. The network scanning tool you choose should be able to scale along with your business without losing efficiency.
Check for regular support and updates: Good network scanning software should provide reliable support and regular updates to address emerging security threats. Check whether the software is frequently updated and if technical support is readily available.
Review pricing: Lastly, consider the pricing and your budget. Keep in mind that while some software might be more expensive, it could offer more features or better support, leading to better value for your business in the long run.

Frequently Asked Questions (FAQs)

What are the benefits of network scanning tools?

Network scanning tools offer a multitude of benefits, including:

Security enhancement: Network scanning tools identify vulnerabilities and security risks within a network, allowing businesses to address these issues proactively and bolster their security posture.
Compliance assurance: Many of these tools help ensure that your network aligns with various regulatory and industry standards, reducing the risk of non-compliance penalties.
Real-time monitoring: By providing real-time network monitoring, these tools allow for immediate detection and mitigation of issues, thereby reducing network downtime and improving performance.
Resource optimization: Network scanning can identify underutilized resources, aiding in more efficient resource allocation and cost savings.
Improved network management: With a thorough understanding of the network infrastructure, administrators can make more informed decisions regarding network planning and expansion.

Who should use network scanning software?

Network scanning software is beneficial for a variety of roles and industries, including:

Network administrators: These professionals can use network scanning tools to monitor and manage the health of the network, consistently optimizing its performance.
IT security professionals: These tools are crucial for IT security staff in identifying potential vulnerabilities and mitigating security risks.
Managed Service Providers (MSPs): MSPs can utilize network scanning tools to manage and monitor their clients’ networks, ensuring they are secure and comply with relevant regulations.
Regulated industries: Businesses within industries that must adhere to strict data security standards, such as healthcare, finance, and e-commerce, can benefit significantly from these tools to ensure compliance and protect sensitive data.

What are the types of network scanning?

Network scanning can be categorized into several types based on their function:

Port scanning: This type identifies open ports and services available on a network host. It can help detect potential security vulnerabilities.
Vulnerability scanning: This process involves identifying known vulnerabilities in the network, such as outdated software or misconfigurations, that could be exploited.
Network mapping: This type of scanning identifies the various devices on a network, their interconnections, and topology.
Performance scanning: This form of scanning monitors network performance, identifying potential issues that could affect the speed or reliability of the network.
Compliance scanning: This type checks the network’s compliance with certain regulatory or industry standards, helping avoid potential legal issues.

Methodology

The selection, review, and ranking of the network scanning tools in this list was carried out through a comprehensive and structured methodology, which involved several key steps: namely, requirement identification, market research, feature evaluation, user reviews and feedback, ease of use, pricing, and scalability.

By combining these steps, we have aimed to provide a balanced and comprehensive overview of the top network scanning tools of 2023, thereby enabling potential buyers to make an informed decision that best suits their specific needs and circumstances.

Bottom line: Managing vulnerabilities with network scanning tools

Network scanning tools are essential for any organization striving to maintain a secure and efficient IT environment. From identifying vulnerabilities to ensuring compliance and enhancing overall network performance, these tools play a pivotal role in successful network management.

The eight tools discussed in this article offer a variety of features and capabilities, catering to different needs and business sizes. However, choosing the right tool should be guided by an organization’s unique requirements, budget, and the tool’s ability to scale alongside the growth of the business.

By doing so, businesses can foster a more secure, compliant, and reliable IT network, boosting operational efficiency and business resilience.

Knowing your network’s vulnerabilities is just the beginning. Here are the best vulnerability management tools to keep your data locked up safe.

Source :
https://www.enterprisenetworkingplanet.com/security/network-scanning-tools/

ChatGPT vs. Bing Chat: Which AI chatbot should you use?

By Elena Alston · May 16, 2023

I’ve been using ChatGPT ever since OpenAI launched it in 2022. It’s helped me write meta descriptions for blog posts, create simple code snippets, and generate outlines. Heck, I’ve even used it to plan a trip to Portugal.

Try Zapier’s new ChatGPT plugin

Learn more

But I’ve been keen to try out Microsoft’s new Bing AI chatbot to see if it lives up to the hype. With Bing Chat, you’re able to chat, compose content, generate images, and get summarized answers to complex questions—all in one interface. It’s supposed to be a far more advanced version of ChatGPT, so I was excited to see how their features stack up.

Here are the main differences I discovered while comparing ChatGPT vs. Bing Chat.

ChatGPT vs. Bing Chat at a glance

If you want free access to GPT-4 (OpenAI’s most advanced and more powerful language model), Bing Chat is currently the way to go. You can access GPT-4 via ChatGPT Plus, which is a paid subscription, but Bing Chat gives you free access via Microsoft Edge. Beyond that, here’s the main difference:

Bing Chat is built into Microsoft Edge, so it’s a more integrated, tailored way of searching for answers. That makes it a powerful research assistant.
ChatGPT—though a more isolated experience—can be accessed on any browser and has more powerful integrations and plugins. It’s better suited as a personal assistant than a research assistant.

I’ll walk through some of the core differences between ChatGPT and Bing Chat in depth in the coming sections, but here’s a quick breakdown of how they compare.

	Bing Chat	ChatGPT
Language model	OpenAI’s GPT-4	OpenAI’s GPT-3.5 (ChatGPT Plus: GPT-4)
Platform	Integrated with Microsoft’s search engine	Standalone website or API
Internet access	Can perform web searches and offer links and recommendations	Browsing feature for ChatGPT Plus users
Image generation	Can generate creative content, including images using DALL·E	Can only generate text
Best used as	A research assistant	A personal assistant
Usage limits	Users get to ask 20 chats per session and 200 total chats per day	Unlimited conversations per day; ChatGPT Plus users get 25 GPT-4 messages every 3 hours
Pricing	Free	Free; ChatGPT Plus available for $20/month

Bing Chat is part of search, while ChatGPT is an isolated interface

Both ChatGPT and Bing Chat use OpenAI’s language models, which means that, for the most part, they generate very similar results.

The biggest difference between them is that Bing Chat is also powered by Microsoft’s Prometheus, a model that integrates Bing Search with the AI tool.

Marketed as a “co-pilot” for the web, Bing Chat distills the latest information from across the web and summarizes it when answering your prompts. It even cites its sources and generates a list of relevant links (as well as pulling in visuals). This is what it looks like within the Bing Chat web interface.

ChatGPT, on the other hand, doesn’t pull in current results from the internet as it’s only been trained on information up until 2021. There’s a simple workaround, though: you can access OpenAI’s native web browser plugin, available on ChatGPT Plus.

The web browser can look through web results and share them with you like Bing can, but I’ve found that it doesn’t integrate visuals like Bing does. The result is a more text-heavy experience, but no less effective.

The downside is that when it comes to researching facts, news stories, or historical events, ChatGPT doesn’t always cite its sources. It doesn’t seem to have a problem citing weather reports, but for other information, it can be a bit hit or miss—unless you specifically instruct it to provide sources. (Which, by the way, I’d recommend, given its tendency to hallucinate.)

In addition to being more reliable with its citations, Bing offers recommendations on what to search for next.

Bing Chat's suggestions for what to search next

And, if you scroll down on the chat page, Microsoft will return you to its regular search page, with a link to the most recent question you asked the chat.

Bing Chat showing your recent chats in the search

ChatGPT, on the other hand, feels more mechanical: it doesn’t offer follow-up recommendations, and the web browser you’re using ChatGPT with will have no memory of what you’ve been asking it.

As a whole, Bing AI feels a lot more like a search tool that’ll summarize complex answers for you—giving you the sources if you want to dig deeper into any topic. All without having to search through multiple pages yourself.

You get that same ease with ChatGPT, but it’s a much more isolated experience—it definitely feels like a chatbot, not a search tool.

Bing is integrated into a web browser, which allows for more tailored outputs based on what you’re doing

Bing is integrated into a sidebar, called Discover, on the Microsoft Edge browser, and it includes a few features, called Chat, Composition, and Insights.

Chat

You can chat with Bing Chat directly from the sidebar, without having to go to the Bing Chat webpage. The best part is that when you’re on a website full of information, it answers questions from that page contextually.

Reading a complex article and want the key takeaways? Done. Need to understand a complex concept in simpler terms? Done.

Bing Chat showing takeaways from the current web page you're on

This can be pretty helpful when you need an AI assistant while going through information-dense internet research.

You can still do this with ChatGPT Plus—just feed it a link and ask it to summarize the information—but it’s not seamlessly integrated into the same page you’re on.

ChatGPT summarizing an article based on a link

The difference just depends on how you like to search for information. But if you don’t mind doing your research in Microsoft Edge, Bing AI is hard to beat for a tailored AI experience.

Insights

Bing has an Insights tab that’ll give you even more information about the page you’re on. It surfaces things like a Q&A, key points, page topics, and related articles.

Scroll all the way down, and you can also get a quick overview of analytics about the website you’re visiting (like domain name, hosting service, and even traffic rank). This is something that ChatGPT doesn’t have, as it’s primarily focused on text generation.

Composition

With ChatGPT, you have to be extremely specific in your prompts; otherwise, the output will be pretty vague and most likely won’t tick all your boxes.

Bing’s Composition feature steers you more toward getting the specific output you want, by giving you ready-made options. Inside the text box, you can write out your prompt, set the tone you’re after, select the format (blog post, email, etc.), and set the length. It feels more like an AI writing generator in that way.

This is pretty handy if you’re not sure how to create prompts that will get you what you’re after, but you can just tell ChatGPT these same things in your prompt, and it’ll do a decent job.

ChatGPT has more powerful integrations and plugins, transforming it into a highly efficient assistant

While Bing Chat is a powerful search tool and a more sophisticated web browser, ChatGPT offers a whole suite of plugins that let you combine AI with other apps to unlock more varied use cases.

For example, with the Expedia plugin, I just tell ChatGPT about a trip I’m thinking of booking, and it’ll immediately surface the cheapest flights it can find via the travel site, along with the link, airport details, duration of flight, and most importantly, the pricing.

It’s so much easier than going through travel sites yourself, adjusting filters, and comparing sites side-by-side. (The hassle.)

Not only that, but the AI will also offer lodgings or other area-specific activities for you to explore. It’s a completely different ballgame compared to its web browser plugin, which refuses to offer any follow-up recommendations.

ChatGPT offering more suggestions from the Expedia plugin

The best part is you can install a number of ChatGPT plugins to work in tandem. For example, you can ask the AI for a recipe recommendation, get an accurate count of calories (using the Wolfram plugin), and then ask it to create a shopping list (with the Instacart plugin).

Using the Wolfram and Instacart plugins on ChatGPT

It’s practically like having a personal assistant—ideal for those who hate planning ahead for anything. (Ahem.)

Travel and food aside, you can also install the Zapier plugin to automate workflows directly inside the ChatGPT interface. Need the AI to write an email, then save it as a draft? It’ll do it within a matter of seconds.

ChatGPT also integrates with Zapier outside of the plugin, so you can connect it to thousands of other apps and access ChatGPT from the apps you use most. Here are some examples of tasks you can automate.

Create Notion tasks using ChatGPT conversations generated from new Slack reactions

Try it

Slack, ChatGPT, Notion

Slack + ChatGPT + NotionMore details

Start a conversation with ChatGPT when a prompt is posted in a particular Slack channel

Try it

Slack, ChatGPT

Slack + ChatGPTMore details

Zapier is the leader in no-code automation—integrating with 5,000+ apps from partners like Google, Salesforce, and Microsoft. Build secure, automated systems for your business-critical workflows across your organization’s technology stack. Learn more.

Bing AI can generate images using DALL·E, but ChatGPT is better at generating long-form content

One of the best—and most surprising—things about Bing is that it can generate images for you inside the chat function. That’s without you having to go through another AI image generator, so you can literally do everything—search, create copy, get images—all in the same interface.

Imagine you’re a travel writer. This could be a workflow you follow: You ask Bing about popular spots in New York using the chat feature. Then you ask the composition feature to create a blog post about New York. After that, you can ask Bing to create a blog hero image. That’s not a super nuanced example, but you get the gist.

Bing Image Creator making a picture of New York in a cartoon style

In that regard, ChatGPT can’t really compare, as it’s purely text-based.

But while we’re talking about strengths, ChatGPT is a lot better at providing longer-form content like articles or case studies. No matter how I tweaked the prompt, whenever I asked Bing to create a 1,000-word blog post, it repeatedly ignored those instructions and created a piece under 500 words.

ChatGPT doesn’t have that problem. It’s a good listener.

Bing Chat vs. ChatGPT: Which should you use?

Both ChatGPT and Bing can be handy writing tools and informative chatbots—but the better one depends on your actual use case.

If you want a powerful research tool that’s integrated with a web browser (and which shines in terms of in-depth page insights, image generation, and citing reputable sources), Bing Chat is your best bet.

If, however, you want to have an AI-powered personal assistant that can perform actions for you in different apps, there’s no contest: ChatGPT wins because of its suite of plugins.

The best way to know what works for you? Try them both out.

Netgear Routers’ Flaws Expose Users to Malware, Remote Attacks, and Surveillance

As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution.

“Successful exploits could allow attackers to monitor users’ internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic,” Claroty security researcher Uri Katz said in a report.

Additionally, a network-adjacent threat actor could also weaponize the flaws to access and control networked smart devices like security cameras, thermostats, smart locks; tamper with router settings, and even use a compromised network to launch attacks against other devices or networks.

The list of flaws, which were demonstrated at the Pwn2Own hacking competition held at Toronto in December 2022, is as follows –

CVE-2023-27357 (CVSS score: 6.5) – Missing Authentication Information Disclosure Vulnerability
CVE-2023-27368 (CVSS score: 8.8) – Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27369 (CVSS score: 8.8) – Stack-based Buffer Overflow Authentication Bypass Vulnerability
CVE-2023-27370 (CVSS score: 5.7) – Device Configuration Cleartext Storage Information Disclosure Vulnerability
CVE-2023-27367 (CVSS score: 8.0) – Command Injection Remote Code Execution Vulnerability

A proof-of-concept (PoC) exploit chain illustrated by the industrial cybersecurity firm shows that it’s possible to string the flaws — CVE-2023-27357, CVE-2023-27369, CVE-2023-27368, CVE-2023-27370, and CVE-2023-27367 (in that order) — to extract the device serial number and ultimately obtain root access to it.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.Save My Seat!

“These five CVEs can be chained together to compromise affected RAX30 routers, the most severe of which enable pre-authentication remote code execution on the device,” Katz noted.

Users of Netgear RAX30 routers are advised to update to firmware version 1.0.10.94 released by the networking company on April 7, 2023, to address the flaws and mitigate potential risks.

Source :
https://thehackernews.com/2023/05/netgear-routers-flaws-expose-users-to.html

Why High Tech Companies Struggle with SaaS Security

It’s easy to think high-tech companies have a security advantage over other older, more mature industries. Most are unburdened by 40 years of legacy systems and software. They draw some of the world’s youngest, brightest digital natives to their ranks, all of whom consider cybersecurity issues their entire lives.

Perhaps it is due to their familiarity with technology that causes them to overlook SaaS security configurations. During the last Christmas holiday season, Slack had some private code stolen from its GitHub repository. According to Slack, the stolen code didn’t impact production, and no customer data was taken.

Still, the breach should serve as a warning sign to other tech companies. Stolen tokens allowed threat actors to access the GitHub instance and download the code. If this type of attack can happen to Slack on GitHub, it can happen to any high-tech company. Tech companies must take SaaS security seriously to prevent resources from leaking or being stolen.

App Breaches: A Recurring Story#

Slack’s misfortune with GitHub wasn’t the first time a GitHub breach occurred. Back in April, a stolen OAuth token from Heroku and Travis CI-maintained OAuth applications were stolen, leading to an attacker downloading data from dozens of private code repositories.

MailChimp, a SaaS app used to manage email campaigns, experienced three breaches over 12 months spanning 2022-23. Customer data was stolen by threat actors, who used that data in attacks against cryptocurrency companies.

SevenRooms had over 400 GB of sensitive data stolen from its CRM platform, PayPal notified customers in January that unauthorized parties accessed accounts using stolen login credentials, and Atlassian saw employee data and corporate data exposed in a February breach.

Clearly, tech companies aren’t immune to data breaches. Protecting their proprietary code, customer data, and employee records that are stored within SaaS applications should be a top priority.

Reliance on SaaS Applications#

A strong SaaS posture is important for any company, but it is particularly important for organizations that store their proprietary code in SaaS applications. This code is especially tempting to threat actors, who would like nothing more than to monetize their efforts and ransom the code back to its creators.

Tech companies also tend to rely on a large number and mix of SaaS applications, from collaboration platforms to sales and marketing tools, legal and finance, data warehouses, cybersecurity solutions, and many more – making it even more challenging to secure the entire stack.

Tech employees heavily depend on SaaS apps to do their day-to-day work; this requires security teams to strictly govern identities and their access. Moreover, these users tend to log into their SaaS apps through different devices to maintain efficiency, which may pose a risk to the organization based on the device’s level of hygiene. On top of this, tech employees tend to connect third-party applications to the core stack without thinking twice, granting these apps high risk scopes.

Learn how Adaptive Shield can help you secure your entire SaaS stack.

Controlling SaaS Access After Layoffs#

The high-tech industry is known for periods of hyper-growth, followed by downsizing. Over the past few months, we’ve seen Facebook, Google, Amazon, Microsoft, LinkedIn, Shopify and others announce layoffs.

Deprovisioning employees from SaaS applications is a critical element in data security. While much of the offboarding of employees is automated, SaaS applications that are not connected to the company directory don’t automatically revoke access. Even those applications that are connected may have admin accounts that are outside the company’s SSO. While the primary SSO account may be disconnected, the user’s admin access through the app’s login screen is often accessible.

Organic Hyper Growth and M&As#

At the same time, the industry is ripe with mergers and acquisition announcements. As a result of M&As, the acquiring company needs to create a baseline for SaaS security and monitor all SaaS stacks of merged or acquired companies, while enabling business continuity. Whether the hyper growth is organic or through an M&A, organizations need to be able to ensure access is right-sized for their users, at scale and rapidly.

Identity Threat Detection & Response#

The majority of data breaches impacting tech companies stem from stolen credentials and tokens. The threat actor enters the system through the front door, using valid credentials of the user.

Identity Threat Detection and Response (ITDR) picks up suspicious events that would otherwise go unnoticed. An SSPM (SaaS Security Posture Management) solution with threat detection engines in place will alert when there is an Indicator of Compromise (IOC). These IOCs are based on cross-referencing of activities such as user geolocation, time, frequency, recurring attempts to login, excessive activities and more.

Securing High Tech’s SaaS#

Maintaining a high SaaS security posture is challenging for high tech companies, who may mistakenly believe they are equipped and well trained to prevent SaaS attacks. SaaS Security Posture Management is essential to preventing SaaS breaches, while an SSPM with ITDR capabilities will go a long way toward ensuring that your SaaS data is secure.

Learn how Adaptive Shield can help you secure your entire SaaS stack.

Source :
https://thehackernews.com/2023/05/why-high-tech-companies-struggle-with.html

Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability

Advisory ID:
cisco-sa-spa-unauth-upgrade-UqhyTWW
First Published:
2023 May 3 16:00 GMT
Version 1.0:
Final
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCwe50762
CVSS Score:
Base 9.8
Base 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.Cisco has not released firmware updates to address this vulnerability. There are no workarounds that address this vulnerability.This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

Affected Products

Vulnerable ProductsThis vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.Products Confirmed Not VulnerableOnly products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has not released and will not release firmware updates to address the vulnerability that is described in this advisory. Cisco SPA112 2-Port Phone Adapters have entered the end-of-life process. Customers are advised to refer to the end-of-life notice for the product:End-of-Sale and End-of-Life Announcement for the Cisco SPA112 2-Port Phone Adapter and SPA122 ATA with RouterCustomers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter.When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.In all cases, customers should ensure that the new device will be sufficient for their network needs and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

Cisco would like to thank CataLpa of Dbappsecurity Co., Ltd. Hatlab, for reporting this vulnerability.

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

Revision History

VersionDescriptionSectionStatusDate1.0Initial public release.-Final2023-MAY-03

Source :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

Ubiquiti UniFi – Storage Replacement (HDD/SSD/SD Cards)

You may need to replace a storage disk when upgrading to a larger storage capacity, or if your current disk has naturally degraded over time, as discussed in our article on Disk Health. UniFi OS makes this process incredibly simple.

Before Replacing a Disk

Back up your UniFi OS Host.
Obtain a compatible disk.
Export any recordings you want to keep (all recordings on the disk will be lost).

How to Replace a Disk

All UniFi Hosts with removable disks can be opened and the disks swapped with ease.

Hosts with HDDs and SSDs (i.e., Dream Machines & Video Recorders): Simply press the disk tray to open it. Then take out and replace the disk in the same orientation.
Hosts with microSD cards (i.e., Dream Router & Dream Wall): Carefully pull the tray out of its slot, then replace the card in the same orientation.

Cloud Key Gen2 Plus and Devices “Managed by Other”

The Cloud Key Gen2 Plus is unique, because it operates entirely off its external storage. Replacing this disk will result in a new database. Any connected devices (i.e., Cameras & Access Points) will still be associated with the old database, and will appear as “Managed by Other.”

In this case, restoring from a backup will resync the devices with your Cloud Key. If you did not make a backup before replacing the storage, you will need to factory reset and readopt your device(s).

Ensure the following when replacing a disk in your CK G2 Plus:

No security devices are connected to the security slot on the side.
Your Cloud Key has been shut down from UniFi OS > Console Settings and is unplugged.
- The HDD should not be removed or installed while the CK is powered on.

Replacing a Disk in an Array

The Network Video Recorder and Network Video Recorder Pro can maximize data protection by creating storage arrays across multiple disks. For more information, see Storage Protect and Data Redundancy

Remember:

Always replace a failed disk first before replacing an at-risk disk.
Replace one disk at a time, allowing storage to fully repair before replacing the next disk.
Repairing a disk takes significant work, and will impact overall performance.

Source :
https://help.ui.com/hc/en-us/articles/12257010646679-UniFi-Storage-Replacement-HDD-SSD-SD-Cards-

RSA Report: Cybersecurity is National Security

The role of government in stopping supply chain attacks and other threats to our way of life.

By Amber Wolff
April 26, 2023

How governments play a vital role in developing regulations, stopping supply chain attacks, and diminishing other threats to our way of life.

While new issues are always emerging in the world of cybersecurity, some have been present since the beginning, such as what role cybersecurity should play in government operations and, conversely, what role government should play in cybersecurity. The answer to this question continues to shift and evolve over time, but each new leap in technology introduces additional considerations. As we move into the AI era, how can government best keep citizens safe without constraining innovation and the free market — and how can the government use its defensive capabilities to retain an edge in the conflicts of tomorrow?

The day’s first session, “Cybersecurity and Military Defense in an Increasingly Digital World,” offered a deep dive into the latter question. Over the past 20 years, military conflicts have moved from involving just Land, Air and Sea to also being fought in Space and Cyber. While superior technology has given us an upper hand in previous conflicts, in some areas our allies — and our adversaries — are catching up or even surpassing us. In each great technological leap, companies and countries alike ascend and recede, and to keep our edge in the conflicts of the future, the U.S. will need to shed complacency, develop the right policies, move toward greater infrastructure security and tap the capabilities of the private sector.

SonicWall in particular is well-positioned to work with the federal government and the military. For years, we’ve helped secure federal agencies and defense deployments against enemies foreign and domestic, and have woked to shorten and simplify the acquisition and procurement process. Our list of certifications includes FIPS 140-2, Common Criteria, DoDIN APL, Commercial Solutions for Classified (CSfC), USGv6, IPv6 and TAA and others. And our wide range of certified solutions have been used in a number of government use cases, such as globally distributed networks in military deployments and federal agencies, tip-of-the-spear, hub-and-spoke, defense in-depth layered firewall strategies and more.

Because Zero Trust is just as important for federal agencies as it is for private sector organizations, SonicWall offers the SMA 1000, which offers Zero Trust Network Architecture that complies with federal guidelines, including the DoDIN APL, FIPS and CSfC, as well as the U.S. National Cybersecurity Strategy.

This new strategy was at the center of the day’s next session. In “The National Cyber Strategy as Roadmap to a Secure Cyber Future,” panelists outlined this strategic guidance, which was released just two months ago and offered a roadmap for how the U.S. should protect its digital ecosystem against malicious criminal and nation-state actors. The guidance consists of five pillars, all of which SonicWall is in accord with:

Pillar One: Defend Critical Infrastructure
SonicWall offers several security solutions that align with Pillar One, including firewalls, intrusion prevention, VPN, advanced threat protection, email security, Zero-Trust network access and more. We’re also working to align with and conform to NIST SSDF and NIST Zero Trust Architecture standards.
Pillar Two: Disrupt and Dismantle Threat Actors

SonicWall uses its Email Security to disrupt and mitigate the most common ransomware vector: Phishing. And in 2022 alone, we helped defend against 493.3 million ransomware attacks.

Pillar Three: Shape Market Forces to Drive Security and Resilience

This pillar shifts liability from end users to software providers that ignore best practices, ship insecure or vulnerable products or integrate unvetted or unsafe third-party software. And as part of our efforts to aign with the NIST SSDF, we’re implementing a Software Bill of Materials (SBOM).

Pillar Four: Invest in a Resilient Future

Given CISA’s prominence in this guidance, any regulations created will likely include threat emulation testing, and will likely be mapped to threat techniques, such as MITRE ATT&CK. SonicWall Capture Client (our EDR solution) is powered by SentinelOne, which has been a participant in the MITRE ATT&CK evaluations since 2018 and was a top performer in the 2022 Evaluations.

Pillar Five: Forge International Partnerships to Pursue Shared Goals

An international company, SonicWall recognizes the importance of international partnerships and works to comply with global regulations such as GDPR, HIPAA, PCI-DSS and more. By sharing threat intelligence and collaborating no mitigation strategies, we work with governments and the rest of the cybersecurity community to pursue shared cybersecurity goals.

And with the continued rise in cybercrime, realizing these goals has never been more important. In “The State of Cybersecurity: Year in Review,” Mandiant CEO Kevin Mandia summarized findings from the 1,163 intrusions his company investigated in 2022. The good news, Mandia said, is that we’re detecting threats faster. In just ten years, we’ve gone from averaging 200 days to notice there’s a problem, to just 16 days currently — but at the same time, an increase in the global median dwell time for ransomware shows there’s still work to be done.

Mandia also outined the evolution of how cybercriminals are entering networks, from Unix platforms, to Windows-based attacks, and from phishing, to spearphishing to vulnerabilities — bringing patch management once again to the fore.

Deep within the RSAC Sandbox, where today’s defenders learn, play and test their skills, panelists convened to discuss how to stop attackers’ relentless attempts to shift left. “Software Supply Chain: Panel on Threat Intel, Trends, Mitigation Strategies” explained that while the use of third-party components increases agility, it comes with tremendous risk. More than 96% of software organizations rely on third-party code, 90% of which consists of open source—but the developers of this software are frequently single individuals or small groups who may not have time to incorporate proper security, or even know how. Our current strategy of signing at the end isn’t enough, panelists argued—to truly ensure safety, signing should be done throughout the process (otherwise known as “sign at the station”).

Israel provides an example of how a country can approach the issue of software supply chain vulnerability — among other things, the country has created a GitHub and browser extension allowing developers to check packages for malicious code — but much work would need to be done to implement the Israel model in the U.S. AI also provides some hope, but given its current inability to reliably detect malicious code, we’re still a long way from being able to rely on it. In the meantime, organizations will need to rely on tried-and-true solutions such as SBOMs to help guard against supply chain attacks in the near future.

But while AI has tremendous potential to help defenders, it also has terrible potential to aid attackers. In “ChatGPT: A New Generation of Dynamic Machine-Based Attacks,” the speakers highlighted ways that attackers are using the new generation of AI technology to dramatically improve social engineering attempts, expand their efforts to targets in new areas, and even write ransomware and other malicious code. In real time, the speakers demonstrated the difference between previous phishing emails and phishing generated by ChatGPT, including the use of more natural language, the ability to instantly access details about the target and the ability to imitate a leader or colleague trusted by the victim with a minimum of effort. These advancements will lead to a sharp increase in victims of phishing attacks, as well as things like Business Email Compromise.

And while there are guardrails in place to help prevent ChatGPT from being used maliciously, they can be circumvented with breathtaking ease. With the simple adjustment of a prompt, the speakers demonstrated, ransomware and other malicious code can be generated. While this code isn’t functional on its own, it’s just one or two simple adjustments away — and this capability could be used to rapidly increase the speed with which attacks are launched.

These capabilities are especially concerning given the rise in state-sponsored attacks. In “State of the Hack 2023: NSA’s Perspective,” NSA Director of Cybersecurity Rob Joyce addressed a packed house regarding the NSA’s work to prevent the increasing wave of nation-state threats. The two biggest nation-state threats to U.S. cybersecurity continue to be Russia and China, with much of the Russian effort centering around the U.S.’ assistance in the Russia/Ukraine conflict.

As we detailed in our SonicWall 2023 Cyber Threat Report, since the beginning of the conflict, attacks by Russia’s military and associated groups have driven a massive spike in cybercrime in Ukraine. The good news, Joyce said, is that Russia is currently in intelligence-gathering mode when it comes to the U.S., and is specifically taking care not to release large-scale NotPetya-type attacks. But Russia also appears to be playing the long game, and is showing no signs of slowing or scaling back their efforts.

China also appears to be biding its time — but unlike Russia, whose efforts appear to be focused around traditional military dominance, China is seeking technological dominance. Exploitation by China has increased so much that we’ve become numb to it, Joyce argued. And since these nation-state sponsored attackers don’t incur much reputational damage for their misdeeds, they’ve become increasingly brazen in their attacks, going so far as to require any citizen who finds a zero-day to pass details to the government and hosting competitions for building exploits and finding vulnerabilities. And the country is also making efforts to influence international tech standards in an attempt to tip scales in their favor for years to come.

The 2023 RSA Conference has offered a wealth of information on a wide variety of topics, but it will soon draw to a close. Thursday is the last day to visit the SonicWall booth (#N-5585 in Moscone North) and enjoy demos and presentations on all of our latest technology. Don’t head home without stopping by — and don’t forget to check back for the conclusion of our RSAC 2023 coverage!

Source :
https://blog.sonicwall.com/en-us/2023/04/rsa-report-cybersecurity-is-national-security/

Preventing and Detecting Attacks Involving 3CX Desktop App

In this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available solutions which security teams can maximize for early detection and mitigate the impact of 3CX attacks.

By: Trend Micro Research
March 30, 2023
Read time: 7 min (1870 words)

Updated on:

April 5, 2:39 a.m. EDT: We added Windows, Mac, and network commands to the Trend Micro Vision One™️ guide in the linked PDF.
April 4, 3:29 a.m. EDT: We added Trend Micro XDR filters to the solutions.
April 3, 2:33 a.m. EDT: We added details on d3dcompiler_47.dll‘s abuse of CVE-2013-3900 to make it appear legitimately signed.
April 1, 1:50 a.m. EDT: We added a guide on how Vision One can be used to search for potential threats associated with the 3CX desktop app.
March 31, 11:07 p.m. EDT: We added technical details, an analysis of the info-stealer payload, and information on Trend Micro XDR capabilities for investigating and mitigating risks associated with the 3CX desktop app.
March 31, 3:00 a.m. EDT: We added the execution flow diagram, a link to Trend Micro support page, and a list of Mac IOCs and detection names.

In late March 2023, security researchers revealed that threat actors abused a popular business communication software from 3CX — in particular, the reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was being employed to target 3CX’s customers as part of an attack.

On its forums, 3CX has posted an update that recommends uninstalling the desktop app and using the Progressive Web App (PWA) client instead. The company also mentioned that they are working on an update to the desktop app.

For a more comprehensive scope of protection against possible attacks associated with the 3CX Desktop App, the Trend Micro XDR platform can help organizations mitigate the impact by collecting and analyzing extensive activity data from various sources. By applying XDR analytics to the data gathered from its native products, Trend Micro XDR generates correlated and actionable alerts.

Trend Micro customers can also take advantage of Trend Micro Vision One™ to search for and monitor potential threats associated with the 3CX Desktop App, and to better understand observed attack vectors. For more information on how to utilize Trend Micro Vision One features, you may download the PDF guide here.

Additional guidance for Trend Micro customers including help with protection and detection can be found on our support page.

What is the compromised application?

The 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its users, including video conferencing, live chat, and call management. The app is available on most major operating systems, including Windows, macOS, and Linux. Additionally, the client is available as a mobile application for both Android and iOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their browsers.

The issue was said to be limited to the Electron (non-web versions) of their Windows package (versions 18.12.407 and 18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416).

According to the company’s website, more than 600,000 businesses and over 12 million daily users around the world use 3CX’s VoIP IPBX software.

How does the attack work?

The attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop app. Based on initial analysis, the MSI package (detected by Trend Micro as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMA) is the one that is compromised with possible trojanized DLLs, since the .exe file has the same name.

The infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll (detected as Trojan.Win64.DEEFFACE.A andTrojan.Win64.DEEFFACE.SMA). Next, ffmpeg.dll reads and decrypts the encrypted code from d3dcompiler_47.dll (detected as Trojan.Win64.DEEFFACE.A and Trojan.Wind64.DEEFACE.SMD3D).

The decrypted code seems to be the backdoor payload that tries to access the IconStorages GiHub page to access an ICO file (detected as Trojan.Win32.DEEFFACE.ICO) containing the encrypted C&C server that the backdoor connects to in order to retrieve the possible final payload. In addition, d3dcompiler_47.dll also abuses CVE-2013-3900 to make it appear that it is legitimately signed.

As part of its attack routine, it contacts the servers noted in the list of indicators of compromise (IOCs) at the end of this blog entry. These domains are blocked by the Trend Micro Web Reputation Services (WRS).

Execution flow

Upon execution, the MSI package installer will drop the following files that are related to malicious behavior. Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.300.40 can detect these files as Trojan.Win64.DEEFFACE.A.

3CXDesktopApp.exe: A normal file that is abused to load the trojanized DLL
ffmpeg.dll: A trojanized DLL used to read, load, and execute a malicious shellcode from d3dcompiler_47.dll
d3dcompiler_47.dll: A DLL appended with an encrypted shellcode after the fe ed fa ce hex string

Some conditions are necessary for execution. For example, the sleep timestamp varies depending on the following conditions: First, it checks if the manifest file is present, as well as if it is using a specified date. If the file is not present or if it is using the specified date, the timestamp will generate a random number and use the formula rand() % 1800000 + current date + 604800 (604,800 is seven days). After the date is computed, the malware will continue its routine.

Upon execution of 3CXDesktopApp.exe, ffmpeg.dll, which seems to be a trojanized or patched DLL, will be loaded. It will still contain its normal functionalities, but it will have an added malicious function that reads d3dcompiler_47.dll to locate an encrypted shellcode after the fe ed fa ce hex strings.

Figure 2. Reading "d3dcompiler_47.dll" and locating the “fe ed fa ce” hex string — Figure 2. Reading “d3dcompiler_47.dll” and locating the “fe ed fa ce” hex string

Upon decryption of the malicious shellcode using RC4 with the key, 3jB(2bsG#@c7, the shellcode will then try to access the GitHub repository that houses the ICO files containing the encrypted C&C strings that use Base64 encoding and AES + GCM encryption at the end of the image.

These B64 strings seem to be C&C domains that the shellcode tries to connect to for downloading other possible payloads. However, we were unable to confirm the exact nature of these payloads since the GitHub repository (raw.githubusercontent[.]com/IconStorages/images/main/) had already been taken down at the time of this writing. Note that the process exits when the page is inaccessible.

Figure 3. Code snippet showing the hard-coded GitHub repository

Figure 4. An ICO file from the GitHub repository

The above description applies to the Windows version. The behaviour of the Mac version is broadly similar, although it only uses a subset of the Windows C&C domains.

Info-stealer payload analysis

Based on our ongoing analysis of attacks on 3CX and the behaviors observed, the following section details what we know so far about the payload’s attack vector.

Payloads in investigated 3CX attacks are detected as TrojanSpy.Win64.ICONICSTEALER.THCCABC. Upon analysis of the payload named ICONIC Stealer, we discovered that if it is executed using regsvr32.exe as the DLL loader, it will display the following system error:

Figure 5. Error displayed upon executing the sample using "regsvr32.exe" — Figure 5. Error displayed upon executing the sample using “regsvr32.exe”

Meanwhile, if rundll32.exe is used as the DLL loader, it encounters a WerFault error and displays the following pop-up message:

Figure 6. Error displayed if "rundll32.exe" is used as the DLL loader — Figure 6. Error displayed if “rundll32.exe” is used as the DLL loader

This indicates that the sample must be loaded by a specific application to proceed to its malicious routine.

ICONIC Stealer then checks for a file named config.json under the folder “3CXDesktopApp.”

Figure 7. Checking for "config.json" — Figure 7. Checking for “config.json”

ICONIC Stealer was then observed to steal the following system information:

HostName
DomainName
OsVersion

The gathered data will then be converted into a text-string format.

Figure 8. Converting gathered data into a text-string format

ICONIC Stealer then proceeds to its last behavior, which steals browser data. It uses the function shown in Figure 9 to traverse the infected system using predefined directories related to the browser’s history and other browser-related information.

Figure 9. Function for traversing the infected system

The following figure shows a list of predefined strings:

The system directories on the following list compose the targets identified in the partial analysis of the ICONIC Stealer’s behavior. More information will be provided as this blog is updated.

AppData\Local\Google\Chrome\User Data
AppData\Local\Microsoft\Edge\User Data
AppData\Local\BraveSoftware\Brave-Browser\User Data
AppData\Roaming\Mozilla\Firefox\Profiles

Browser	Target information
Chrome	History
Edge	History
Brave	History
Firefox	places.sqlite

^{Table 1. The targeted section of each browser. Note that “places.sqlite” stores the annotations, bookmarks, favorite icons, input history, keywords, and the browsing history of visited pages for Mozilla Firefox.}

ICONIC Stealer was also found with the capability to limit the retrieved data to the first five hundred entries to ensure that the most recent browser activity is the data that is retrieved:

Figure 11. Limiting data to the first 500 entries

“UTF-16LE”, ‘SELECT url, title FROM urls ORDER BY id DESC LIMIT

“UTF-16LE”, ‘500’,0

“UTF-16LE”, ‘SELECT url, title FROM moz_places ORDER BY id DESC

“UTF-16LE”, ‘LIMIT 500’,0

Figure 12. Retrieved results stored on an allocated buffer

The gathered data will be passed to the main loader module to POST then back to the C&C server embedded in the main module.

What is its potential impact?

Due to its widespread use and its importance in an organization’s communication system, threat actors can cause major damage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this software.

What can organizations do about it?

Organizations that are potentially affected should stop using the vulnerable version if possible and apply the patches or mitigation workarounds if these are available. IT and security teams should also scan for confirmed compromised binaries and builds and monitor for anomalous behavior in 3CX processes, with a particular focus on C&C traffic.

Meanwhile, enabling behavioral monitoring in security products can help detect the presence of the attack within the system.

Indicators of Compromise (IOCs)

SHA256	File name / details	Detection name
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc Installer: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868	3cxdesktopapp-18.12.407.msi (Windows)	Trojan.Win64.DEEFFACE.A
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 Installer: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983	(Windows)	Trojan.Win64.DEEFFACE.A
c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02	ffmpeg.dll	Trojan.Win64.DEEFFACE.A
7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896	ffmpeg.dll	Trojan.Win64.DEEFFACE.A
11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03	d3dcompiler.dll	Trojan.Win64.DEEFFACE.A
4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f		Trojan.Win32.DEEFFACE.ICO
8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423	Stealer	TrojanSpy.Win64.ICONICSTEALER.THCCABC

Here is the list of IOCs for Mac users:

SHA256	File name	Detection name
5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f	3CX Desktop App-darwin-x64-18.11.1213.zip	Trojan.MacOS.FAKE3L3CTRON.A
5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290	3CXDesktopApp-18.11.1213.dmg	Trojan.MacOS.FAKE3L3CTRON.A
fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7	libffmpeg.dylib	Trojan.MacOS.FAKE3L3CTRON.A
5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a	child macho file of libffmpeg.dylib	Trojan.MacOS.FAKE3L3CTRON.A
e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec	3CXDesktopApp-18.12.416.dmg	Trojan.MacOS.FAKE3L3CTRON.A
a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67	libffmpeg.dylib	Trojan.MacOS.FAKE3L3CTRON.A
87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c	child macho file of libffmpeg.dylib	Trojan.MacOS.FAKE3L3CTRON.A

The following domains are blocked by Trend Micro Web Reputation Services (WRS)

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

Trend Micro XDR uses the following filters to protect customers from 3CX-related attacks:

Filter	ID	OS
Compromised 3CX Application File Indicators	F6669	macOS, Windows
DLL Sideloading of 3CX Application	F6668	Windows
Web Reputation Services Detection for Compromised 3CX Application	F6670	macOS, Windows
Suspicious Web Access of Possible Compromised 3CX Application	F6673	Windows
Suspicious DNS Query of Possible Compromised 3CX Application	F6672	Windows

Trend Micro Malware Detection Patterns for Endpoint, Servers (Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security with anti-malware, among others), Mail, and Gateway (Cloud App Security, ScanMail for Exchange, IMSVA):

Starting with Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.200.40, known trojanized versions of this application are being detected as Trojan Win64.DEEFFACE.A.
The Mac version of this threat is detected as Trojan.MacOS.FAKE3L3CTRON.A.

Source :
https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

Friday Long Read: What To Do About AI

This is a Friday long-read, so grab a warm cup of something and kick back because we’re going to take our time on this. The world is about to profoundly change. I know you’re nervous – perhaps excited and optimistic, but if you’ve been paying attention and have been watching the trajectory of this thing, the rational reaction is to be nervous. In this post I’d like to unpack in practical and tangible terms what AI is, where it came from, and the state of play, and then I’ll show you a path that will give you a pretty good shot at surviving the coming revolution.

Who am I? I’m Mark Maunder and I founded Wordfence in 2011 and wrote the early versions of the product until 2015 when Matt Barry took over as lead developer and I morphed into a tech executive running Defiant Inc, which makes Wordfence. We have over 4 million customers using our free product and a large number of paying customers using our various paid WordPress security products. I’ve been a technologist since the early 90s and a kid hacker in my teens in the 80s and 90s. I started my career in mission-critical operations for companies like Coca-Cola, Credit Suisse (now UBS), and DeBeers and then went over to do dev for companies like the BBC and eToys which was one of the biggest dot-com busts. I created the first job meta-search called WorkZoo in the UK around 2001 which later competed with Indeed, launched after us, and which I sold in 2005 but which made Time Magazine and NYTimes. I subsequently launched a Geoblogging platform, inline comments via JS, an ad network, real-time analytics, a localized news website, and more. You could say I’ve been in the innovation game for a minute, and I’m in it for life. I’m based in the USA these days in case you’re curious – moved over here in 2003.

Examining Bubbles

My apologies for the long bio, but what I’d like to illustrate is that I’ve seen tech come and go. The hype cycles I’ve seen typically include:

Outlandish claims about how the tech will solve everything from slicing bread to world peace and everything in between.
Commercial vendors jumping on the emerging mega-trend to surf the wave with proprietary technologies of their own which they position as standards, or at the very least the default choice.
Nascent technologies implementing the tech, that are immature, unstable, rapidly changing, and may very well be abandoned in a few months or a few years.
The press contracting a bad case of rabies and foaming at the mouth about the tech, amplifying the most extreme aspects and use cases and creating a lot of noise, which makes it hard for implementors to sift for the truth and the fundamentals around the technology.
The investment community pouring cash into the space with little focus. This creates an extremely adversarial environment for tech practitioners who are building fundamental value, who now have to compete with powerful VC-backed marketing machines.
As Warren Buffet says, the Innovators, the Imitators, and the Swarming Incompetents enter the space in that order. I’d add that they have a pyramid structure with each successive wave being at least an order of magnitude bigger than the last. Things get crowded for a while.
Then you have the typical bust cycle which cleans house and makes the tech uncool again, but also makes it interesting to the true believers. The VC’s go away and stop making noise that innovators have to compete against. The imitators and swarming incompetents drift off to imitate and mess up something else. The businesses not creating fundamental value fail. Some creating fundamental value fail too but the talent and tech are sometimes reincarnated into something else useful.

So who prospers, and what tech survives after a bust? Sometimes none of it, but helpful derivative technologies are created, like Java Applets in the 90s that inspired Flash which inspired standards-based rich content web browsers.

A technological phoenix rising from the ashes

Sometimes out of the ashes, an Amazon is born, as with the dot-com boom. And sometimes you have incredible innovation where the innovators never see large-scale commercial success, but others do, as with Igor Sysoyev who created Nginx which eliminated the need for a data center full of web servers to handle large-scale websites. Igor has a commercial thing, but the real winners were companies like Cloudflare who based their global infrastructure on Nginx, reverse proxying massive numbers of connections to origin servers with rules about what gets proxied. Hey, I benefited too. Nginx saved our behinds when Kerry and I were running Feedjit.com from 2007 to 2011 because it let us handle over 1 billion application requests per month on just 6 servers. Thanks Igor!

Blockchain technology is in a bust cycle and you can map the characteristics I defined above to blockchain. It looks eerily similar to the dot-com bust and you’ll see an Amazon emerge from the ashes about a decade from now. It might be Coinbase if they survive the over 80% dive in market cap that may continue, but who knows?

Derivative Versus Fundamental Technology Innovation

I’ve mentioned a few tech bubbles so far and it’s really the first step in pulling us out of the trees so that we can examine the various forests out there. Now let’s go a little more meta and talk about which forests matter. Some technology is derivative. Examples of derivative tech are new stuff that runs inside a browser, for example, Websockets.

Websockets are awesome because they let a browser keep a connection open and get push notifications without doing the old TCP three-way handshake to establish a new connection every time the browser wants to check if there’s data waiting on a chat server or whatever. We used to call this long-polling and I wrote a web server to do long polling which was a clumsy but necessary approach, so when Web Sockets came along we all breathed a sigh of relief and I happily retired my web server glad that no one would see my nasty source code which worked quite well mind you.

Another derivative technology – and you’re not going to like this – is blockchain. It’s a useful and novel implementation of hashing algorithms and a few other cryptographic tricks, but honestly, we should have disintermediated banking at least two decades ago and the fact that blockchain has still failed to do that is both disappointing and illustrative that it is just a set of derivative applications built on a tower of fundamentals that has a way to go before it matures. The hype cycle and speculative bubble around it was simply humans making human noise.

So that’s derivative tech. In addition to derivative tech, you have what I’d like to call fundamental tech. Electricity is fundamental. It’s cornerstone technology that transformed the world in our ability to use and transport energy which has enabled an industrial and technological revolution the likes of which the world has never seen. The microprocessor is also fundamental tech for similar reasons. You have algorithms that are fundamental tech like the RSA algorithm which allows us to establish a secure communication channel while a bad person is listening in the whole time – the kind of tech that could have changed the outcome of World War II.

The Internet is fundamental tech. It connected the world and gave us the ability to build applications on top like HTTP and the web which are derivative tech.

Oh I know you want to have a bar fight with me at this point and we’ll do that if you’re attending Wordcamp EU – a collegial and metaphorical barfight, that is – but hopefully, you’re picking up what I’m putting down here in a general sense: There is fundamental tech that profoundly enables and changes the world and which many other things are built on top of, and there is derivative tech that gets a lot of attention but isn’t quite as transformative in a historical sense if you’re thinking in terms of centuries. And there’s the big fat grey area in between.

Neural nets sitting at desks in a classroom learning math

AI is fundamental tech. For decades we have been programming by writing functions by hand. We’ve gotten quite good at structuring our code using metaphors like object-oriented programming to create logical structures that make sense in a human world, and help us organize large code bases. But fundamentally the way we define logic in a program hasn’t changed for a long time. Until now. For the first time in all of history, we can create functions in programming by training them, rather than writing them by hand. In other, slightly more technical words, we can infer a function from observations and then use it. Like babies and toddlers do. This is historic, it’s transformative and it is a fundamental breakthrough.

Funny thing is that until quite recently – around 2015 – AI had suffered many so-called “AI Winters” where there was significant interest in the field that catalyzed investment dollars, and then a setback usually caused by a reality check, that caused a winter in funding and interest. Does anyone remember the “expert systems” of the 80s? By the early 2000s AIs name had been dragged through the mud so many times that anyone doing serious research in the field used different words to describe their work, like “machine learning” or “informatics” or “knowledge systems”.

A few hardcore true believers like Yann Lecun, Yushua Bengio and Geoffrey Hinton powered through like Bilbo and Sam across The Dead Marshes and went on to win the Turing Award, which is basically the Nobel Prize of computer science and which I had the privilege of attending when Rivest, Adleman and Shamir won theirs for public key crypto. The Turing Award is a very big deal and well deserved considering how adversarial the AI environment was for a while.

So what changed? Well for one thing you’re reading this post because it’s about AI and you’re interested. And you’re interested because you recently used GPT-4, MidJourney, Dall-E or another model to create something. You’re seeing tangible results. And the reason you’re seeing results is that GPU hardware, algorithms, and an interest in the field have brought us to an inflection point where the technology is delivering results that are jaw-dropping enough to catalyze more funding, more research, and more jaw-dropping results. This cycle really picked up steam in 2015, and with the release of GPT-4 recently, has entered a phase of what I would describe as true and consistent exponential growth.

According to NVidia “LLM sizes have been increasing 10X every year for the last few years”. In two years that’s 100X. Three years from now that’s 1000X and so on. Extrapolate that out and be afraid. Or optimistic if your mind isn’t for rent and you are hopeful yet discontent. Rush lyrics aside, that pace should give you an idea of how quickly this thing is coming. And now that we’ve reached the point of inflection I mentioned, where the hardware and algorithms seem to have overcome the cycle of disappointment that AI has been stuck in for decades, I predict that you’ll see consistent and exponential growth in the field in capabilities for the foreseeable future, with a financial bubble and bust in there that won’t be of much consequence to the fundamental value of the technology.

“Thanks for the history lesson Maunder, but you brought us here with promises of telling us what to do about AI. So?”

What to do about AI

So far we’ve discussed what boom cycles look like and the kind of noise and bear traps you should be aware of. We’ve defined what AI is in fundamental terms – a function that you can train rather than hand code. And we’ve hopefully agreed that we’ve entered a period of consistent and exponential growth in the field. Now we’ll chat about how to survive and prosper in a world that looks a lot like when electricity was invented and commercialized, or the microprocessor, or the Internet.

Goldman estimates that AI will add 7% to global GDP at a rate of about 1.5% growth per year. They also estimate that roughly two-thirds of US occupations are exposed to some degree of automation by AI. You can extrapolate this globally. That kind of global disruption is matched only by the industrial revolution or the entire recent tech revolution as a whole starting from 1980. From the same publication, “A recent study by economist David Autor cited in the report found that 60% of today’s workers are employed in occupations that didn’t exist in 1940.”. So on an optimistic note, this kind of disruption isn’t a new thing and we’ve been disrupting and adapting for some time now.

Perhaps you’re reading this because you are running a WordPress website, perhaps secured by my product, Wordfence. Which means you’re a creator of some kind. Perhaps you’re a writer, an artist, or perhaps you’re an entrepreneur creating a business out of thin air. [Yes my fellow entreps, you get to hang with the other cool creator kids too!!]. If you don’t plan on adapting at all, that makes you far more vulnerable to this coming wave than say a chef who runs a restaurant, or someone who manages real estate and rentals. And that really is the key: adaptation. So how can we adapt?

If you’re a creator, you need to become a user of AI. You’re probably already using GPT to write copy for your product catalogs on your e-commerce website, or using MidJourney (MJ) or Dall-E to create art for ad campaigns. If you’re a designer or artist, you may feel the kind of resentment this Blender artist does in the Blender subreddit.

“My Job is different now since Midjourney v5 came out last week. I am not an artist anymore, nor a 3D artist. Rn all I do is prompting, photoshopping and implementing good looking pictures. The reason I went to be a 3D artist in the first place is gone. I wanted to create form In 3D space, sculpt, create. With my own creativity. With my own hands.”

“It came over night for me. I had no choice. And my boss also had no choice. I am now able to create, rig and animate a character thats spit out from MJ in 2-3 days. Before, it took us several weeks in 3D. The difference is: I care, he does not. For my boss its just a huge time/money saver.”

While I sympathize with how hard change and disruption can be, it’s been a constant for the past couple of centuries in many fields. MidJourney has a long way to go before it can match a real-world artist, unless you’re just churning out images and letting the AI guide the design choices and are happy to work around the bugs. For MidJourney and other generative AIs to produce exactly what we want, they’re going to have to get better at understanding what exactly we want to create. And that’s where the skill comes in. You’re already seeing this with a document that someone has created listing famous photographers and examples of their look. This can be used in MJ prompts to say “in the style of” to get a specific look, but it is an incredibly rudimentary approach.

Another way to guide the MJ AI in particular is to blend photos it has generated. Again, super rudimentary, but it’s the start of having the ability to tightly specify exactly what you want and get that out of MJ. And if you need a reminder of how basic it still is, try to get MJ to generate hands. It still sucks, even at version 5.

So if you’re a creator, start getting good at using the tools now, understand their limitations, and evolve as the products evolve until you’re an expert at guiding the AI to create exactly what you want. This will help you guide your customers in explaining the limits of the current state of AI to them and where you add value, let you take immediate advantage of the use that the current tools have, and ramp up your productivity as the tools get better at taking instructions from you.

This applies to writers, artists, designers, filmmakers, photographers, screenwriters, and anyone with creative output. Get good at the tools. Get good at them now. Do it with an open mind. Know that changes aren’t permanent and that change is. (Again with sneaking in the Rush lyrics)

Adapting as a Dev

Coders! My people! We have a problem. Most of you have become users of AI. You’re users of GPT-4 via their API. You’re plugging into other generative AIs via an API. You aren’t rolling your own. And rolling your own is where all the fun is!!

Ever heard of transfer learning? You can grab a pre-trained model from Hugging Face, chop off the head – aka the final layer in the layers of neural nets, substitute it with random weights, and train the pre-trained model with your own data to take advantage of the sometimes millions of dollars that someone else already spent training their model. In fact Facebook’s LLAMA model which is one of the largest LLM’s in the world was leaked via Torrent recently.

The most important thing you need to do right now as a developer is to stop being a user of AI and become a dev of AI. GPT-4 is a shiny ball that the world will have forgotten about in a year, but it’s a very shiny and attractive ball right now that is fueling many a late-night dev chat. Remember that stat I gave you above? That LLM’s have been increasing in size at 10X per year. The current state of the art will be accessible to you on a desktop in a few years and you need to get ready for that world today.

I’m going to just go ahead and tell you what you need to do to get your AI stuff together, fast.

Ignore the math. Trust me on this. Most people including devs are not good at math and it intimidates the hell out of them. AI is just matrix multiplication and addition using GPU cores to parallelize the ops. Expressing this as code is easy. Expressing it as math will make you hide under your bed and cry. Ignore the math. If you can code, you’ll get it.
Learn Python. Everything in AI is Python. It’s a beautiful little language that you’ll come to appreciate very quickly if you’re already a dev. It’s like coming over to Aikido if you’re already a black belt. OK the MMA scene kinda messed up my metaphor proving that Aikido is actually worthless, but whatever.
Then go do the Practical Deep Learning for Coders course at fast.ai. It’s how we get our guys up to speed fast in the field and it’s brilliant. Jeremy Howard does a spectacular job of getting you up to speed fast in the field by immediately getting you productive and then unpacking the details in a fun non-mathy way.
As you progress in the course, definitely get up to speed using Jupyter Notebooks and I’d recommend Kaggle for this. They were bought by Google a few years ago and kind of compete with Google’s own notebook system called Colab, but I prefer Kaggle. You get GPU access by simply verifying your email address and it’s free which is kind of amazing. So you can use a rich text environment on Kaggle to write your code, see the output and run it on some fairly decent GPUs. Kaggle GPU’s perform at about 20% of the speed of my laptop RTX 4090 in case you’re curious about benchmarks.

The course teaches fundamentals, how to use pre-trained models, how to create Jupyter Notebooks or fork others, how to create Hugging Face Spaces, and how to share your models and their output with the world. It is the fastest way right now to transform yourself from an AI user into an AI dev and get drinks bought for you at parties by folks that have not yet made the leap.

Alright, this went long but that was the plan. We’ll talk more about AI. Go forth, be brave, learn, and create!

Mark Maunder – Founder & CEO – Wordfence and Defiant Inc.

Footnotes: All images on the page were created with MidJourney and if you’d like to see the prompt I used, simply view the image in a new tab and the image name is the prompt, all except for the heavy metal hands image which a colleague created. I’ll be in the comments in case there’s discussion.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2023/04/friday-long-read-what-to-do-about-ai/