We're back with the final year in review focused episode. This time the focus is on the ever broadening ransomware landscape and the commodity malware loaders that often support it.

Friday, February 10, 2023 13:02

We're back with the final year in review focused episode. This time the focus is on the ever broadening ransomware landscape and the commodity malware loaders that often support it. I'll be joined by one of the researchers from the year in review report, Aliza Johnson to talk about what we saw on the ransomware landscape over the last year as well as how threats like Qakbot, IcedID, and Trickbot have changed and evolved over the last year. We'll also cover how these threats overlap and how LoLBins are yet again an area of concern.

All episodes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 128: Year in Review - Ransomeware and Commodity Loaders Edition

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 10 February 2023 at 16:30 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability.

Security researchers warned that it might be possible to set up a trigger that exports everything from the KeePass database in cleartext, before syphoning off secret data. The vulnerability – whose seriousness is disputed – is being tracked as CVE-2023-24055.

As Bleeping Computer reports, KeePass maintains the issue only comes into play in cases where an attacker already has control of a compromised account – in which case it’s ‘game over’ already.

Issues in password managers have been a particular focus for security researchers since a mishandled security incident involving LastPass last year that eventually prompted the vendor to admit encrypted password vaults had leaked.

Master keys for these vaults were not exposed, limiting the scope for harm, but the affair was nonetheless troubling.

The US Cybersecurity and Infrastructure Security Agency (CISA) is pushing plans to require technology manufacturers to make their products secure by design.

CISA director Jen Easterly and executive assistant director Eric Goldstein outlined the proposals in an essay published by Foreign Affairs magazine.

On Thursday, developers of the OpenSSL project released patches covering a variety of vulnerabilities in the encryption library, including a high impact flaw (tracked as CVE-2023-0286). The flaw meant that sophisticated attackers might be able to either read system memory or cause a denial of service on affected systems.

Thursday also brought news that a sysadmin on Reddit had fallen victim to a phishing attack. The social news site admitted that attackers had “gained access to some internal documents, code, and some internal business systems” while stating that it reckoned “Reddit user passwords and accounts are safe”.

The Daily Swig also recently reported that Google has developed proposals to mitigate the impact of prototype pollution (a class of JavaScript vulnerability), how a security researcher hacked into Toyota’s supplier management network, and on a privacy storm involving a new host of popular pen testing tool XSS Hunter since the last edition of Deserialized. You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web Vulnerabilities**

*   Cisco devices / Technology to deploy application containers/virtual machines directly on devices was flawed because user input for the ‘DHCP Client ID’ option wasn’t sanitized / Disclosed with patch on February 1
*   Dompdf / Critical / URI validation failure on SVG parsing / URI validation can be bypassed on SVG parsing, potentially leading to arbitrary object unserialize on PHP, through the phar URL wrapper / disclosed with patch last week
*   F5 BIG-IP / High / Format string flaw in iControl SOAP allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code / Disclosed with a patch on February 1
*   Jira Service Management Server and Data Center / Critical / Broken authentication / vendor alert and patch issued on February 1
*   Skyhigh Security Secure Web Gateway / High / XSS in single sign-on plugin / Disclosed with a patch on January 26

**Research and attack techniques**

*   A detailed analysis of a remote source disclosure vulnerability in PHP development server offers pointers towards necessary follow-up work. The flaw – which meant that the source code of PHP files was exposed as if they were static files – was resolved, but even so “Shodan queries reveal many exposed instances of the built-in server”, the researchers warn
*   A vulnerability in Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation – dubbed SAML ShowStopper – leaves enterprise-based SSO (Single-Sign-On) deployments at a heightened risk of attack. Security researcher Khoa Dinh offers a detailed analysis of flaw in warning that any vendors (not just ManageEngine) relying on older versions of xmlsec and xalan might be at similar risk
*   A blog post by Skylight Cyber details common misconfigurations in the SaltStack IT orchestration platform, as encountered in the wild, as well as detailing a “novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server”.
*   Proofpoint has discovered that attackers are using malicious third-party OAuth apps to infiltrate organizations’ cloud environments. “Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft ‘verified publisher’ status,” the security researchers report
*   Researchers from Ermetic have discovered an RCE vulnerability impacting services such as Function Apps, App Service and Logic Apps on Azure cloud. The EmojiDeploy vulnerability was sprung through CSRF against source control management service (SCM) Kudu
*   Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets. The work allows interested parties to decode their own tickets with a web tool developed by the researcher

**Bug bounty / vulnerability disclosure**

*   Google has expanded its OSS-Fuzz project, a free platform for continuous fuzzing to critical open source projects. The technology, which has helped to identify 8,800 vulnerabilities across 850 projects since its launch in 2016, is getting a boost through the offer of higher financial rewards for contributors that integrate new projects into OSS-Fuzz.
*   Security researcher Youssef Sammouda claimed a $44,500 payout after discovering a security flaw that made it possible to take over Facebook/Oculus accounts. As explained in a technical write-up by Sammouda, the hack relied on First-Party access\_token stealing.

**New open source infosec/hacking tools**

*   Checkmarx has put together a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. The utility – dubbed c{api}tal – is designed to be a learning and training resource focused on API security.
*   Ronin 2.0 offers a revamped version of a free and Open Source Ruby toolkit for security research and development. The latest version of Ronin, enhanced with new API libraries, contains many different CLI commands and Ruby libraries optimized to carry out a range of tasks including scanning for web vulnerabilities and running exploits.
*   Developers have released a new version of EMBA – an embedded device firmware security analyzer geared to the needs of penetration testers. Its functionality is explained on a GitHub page.
*   SH1MMER, an exploit capable of completely unenrolling enterprise-managed Chromebooks.

**For devs**

*   Developers should check out an informative post on integrating Nuclei, an open-source tool for scanning web applications, into their GitHub CI/CD pipelines
*   SBOM Scorecard offers a tool that helps developers to quantify what a well-generated SBOM looks like, accessing the richness of metadata that can later be queried
*   The precloud utility offers an open source CLI that runs checks on infrastructure as code to catch potential deployment issues. The tool, which offers dynamic tests for infrastructure-as-code, works by “comparing resources in CDK diffs and Terraform Plans against the state of your cloud account”

**More industry news**

*   US standards body NIST (National Institute of Standards and Technology) has launched a new voluntary framework for the management of AI-associated risk. NIST’s AI Risk Management Framework is designed towards “improving the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems”.
*   Scammers are buying ads on Google promoting fraudulent sites that pose as login portals for password management tool Bitwarden.

**For fun**

Codebreakers have decoded a cache of more than 500 encoded letters written by Mary, Queen of Scots, during her years of captivity between 1578 and 1584.

The code – made up only of graphical symbols – was cracked using a combination of “computerized cryptanalysis, manual code-breaking, and linguistic and contextual analysis”, Ars Technica reports.

The letters were relayed by secret couriers, principally to the French ambassador, Michel de Castelnau. However Elizabeth I’s spymaster, Francis Walsingham, had a mole in the French embassy who gave the spy access to decoded copies of the correspondence.

A paper on the codebreaking work, likely to help historians researching the period, was published by specialist journal Cryptologia.

PREVIOUS EDITION Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations.

Thursday, February 9, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person it’s always difficult to try to find impactful ways to help people so far removed from us.. As a security practitioner it’s my duty to remind you that criminals will exploit your empathy and this situation for their own profit. Be acutely aware of phishing scams, malvertising, and typosquats that will leverage your kindness for their gain. Give freely but take a moment when you do to ensure that you are donating to sources that can help and that above all you aren’t padding the pockets of cybercriminals.

**The one big thing**

Ransomware and commodity loaders remain at the forefront of the threat landscape. The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022 and this activity is highlighted in the Ransomware and Commodity Loader Topic Summary Report.

**Why do I care?**

Understanding the most recent trends in ransomware, including the goals, victimology, and TTPs will increaser your ability to defend, understand, and react to these events. We've seen seismic shifts in how state sponsored actors attack and this will migrate to every level of threat actor.

**So now what?**

Education is key and continuing to follow the research that Talos releases and validating your environment against that research is critical.

**Top security headlines of the week**

This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.( DarkReading)

Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files. (Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/ransomware-and-commodity-loader-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: A9CE7F0974.tmp

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: software.Scr

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423

MD5: 954a5fc664c23a7a97e09850accdfe8e

Typical Filename: teams15

Claimed Product:  n/a

Detection Name: Gen:Variant.MSILHeracles.59885

Threat Source newsletter (Feb. 9, 2023): Don't let criminals exploit your empathy

Anonymized numbers of bug discoveries swiftly deleted after pushback

Adam Bannister 09 February 2023 at 17:12 UTC  
Updated: 09 February 2023 at 17:44 UTC

Anonymized numbers of bug discoveries swiftly deleted after pushback

The maintainers of a new version of popular hacking tool XSS Hunter have been criticized for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

The contentious communication from Truffle Security, which launched a new fork of the open source tool last week after its deprecation by original creator Matthew Bryant, was tweeted yesterday.

“Wow,>1000 XSS Reports since we launched our flavor of XSSHunter last week,” it said.

Read more of the latest hacking tools news and analysis

“∼20 of them have their .git directory exposed”, it continued, adding “∼15 of them have cloud credenitals exposed and >100 have CORS issues!”

This provoked consternation among bug hunters and security researchers on Twitter, including hacker and pen tester Julien Ahrens. “Sounds like someone is looking at your data closely...” he tweeted. “Protip: Host your own instance of xsshunter-express or ezxss to avoid leaking potentially sensitive data to this company.”

**‘Anonymized stats’**

Truffle Security responded to the social media storm by deleting the offending tweet and acknowledging the pushback: “We posted some anonymized stats about XSSHunter (similar to Hackerone’s public anonymized reports), and members of the community voiced privacy concerns, so we took it down. Thank you for reposting it, totally fair to hold us accountable.”

However, ‘@Th3MadHacker’ countered: “This is not the same as hackerone, Programs on hackerone give consent to share metrics.”

In response to queries from The Daily Swig, Truffle Security co-founder Dylan Ayrey echoed the comments posted from his company’s Twitter account and sought to assuage privacy concerns, adding: “No one’s raw reports were viewed by employees”.

Colin Winhall, meanwhile, urged bug bounty platforms to “provide in-house solutions for bXss and fork their own version of XSSHunter”.

YesWeHack, the Paris-based bug bounty platform, highlighted its own such solution for self-hosting out-of-band tools, PwnMachine.

Bug bounty programs often prohibit the use of hacking tools hosted by third party platforms, because of the risk of sensitive data leaks that could empower malicious hackers, as appears to now be the case with AWS.

**Privacy motives**

XSS Hunter was launched as a managed service last week after Bryant, aka ‘Mandatory’, announced he would no longer be maintaining the application.

The new version of the service, which is hosted on San Francisco-based Truffle Security’s domain, is an open source fork of the original code.

Bryant remains the maintainer of the xsshunter-express repository, through which users can self-host their own instance, and other forks are available to migrate to.

Privacy concerns were seemingly a motive in launching the new XSS Hunter service and development of new features, such as the blurring of screenshots captured by the platform.

Speaking to The Daily Swig previously about the relaunch, Truffle Security’s Ayrey said that “many users of XSS Hunter would accidentally send sensitive data to the platform”. He also expressed concern that post-deprecation, “another tool might have come along to replace it with operators that may have had different intentions \[to Mandatory\] with the data collected.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities,” Ayrey added.

Bryant told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service”, and said “Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

New XSS Hunter host Truffle Security faces privacy backlash

Latest release gives small and mid-sized enterprises AI-driven analysis tools and unified visibility across IT environments for stronger ransomware protection.

**SAN FRANCISCO****,** **Feb. 8, 2023** **/PRNewswire/ —** ActZero®, a leading cybersecurity provider for small and mid-sized enterprises, announced the release of its next-generation Managed Detection and Response (MDR) platform. The ActZero MDR platform leverages its defense ingenuity and precision AI-detection to give customers an industry-leading ransomware block rate of 90 percent. Within this initial launch, security teams will gain unified real-time visibility across their environment with correlated threat insights, AI-driven tools to surface information faster for better decision making, and continuous protection against emerging ransomware threats.

Ransomware attacks are expected to cost businesses $30 billion in damages worldwide by this year. The speed and sophistication of these attacks are increasing, with adversaries now able to achieve breakout in under 43 minutes on average. ActZero successfully contains and eradicates ransomware threats within 17 minutes, compared to 98 minutes, based on assessments by an independent third-party evaluation platform. Speed to defend against a cyber threat is critical to saving a company's data, reputation, and business.

"Relying on a cybersecurity partner to protect against threats takes trust. With attackers frequently retooling to evade defenses, it's not enough to verify once; you need to continuously verify that systems are properly defended to build that trust. We thrive on that accountability," said ActZero President and Chief Revenue Officer Chris Finan. "Today, we are excited to announce the newest release of the ActZero MDR platform, making it easier for customers to continuously measure outcomes and interface seamlessly with our expert analysts. When every second counts, you need to have complete trust that your security partner will stop the threats to your business."

The newly designed ActZero MDR platform dashboard gives customers a real-time and holistic picture of their IT ecosystem and users. Critical metrics such as the ransomware block rate and average mean-time-to-first-response rate, along with real-time reporting provide the actionable intelligence for validating the cybersecurity team investment and continuous efforts to improve security.

"Businesses today need to operate at machine-speed to stop advanced cyber threats, but IT leaders and security teams also need complete visibility of their environment, which legacy SIEM and MDR approaches fail to deliver," said ActZero Chief Security Officer Adam Mansour. "We designed this new generation of our platform to give IT security teams the benefits of our market-leading, AI-driven detection, and response with purpose-built visibility and investigative tooling to empower them with complete control."

**About ActZero**

ActZero is a Gartner-recognized provider of Managed Detection and Response (MDR) services that delivers a powerful and affordable cybersecurity service to protect small and mid-sized enterprises against ransomware attacks. By  continuously testing defenses against the latest attack techniques and variants, ActZero ensures AI-detections and human threat hunters quickly stop threats. The company brings deep roots and expertise in cybersecurity to deliver measurable ransomware defense, reducing false alerts and responding quickly on a customer's behalf. Combined with exceptional service, ActZero empowers businesses with confidence that the company and customers are protected.

For more information on ActZero, please visit actzero.com.

SOURCE ActZero

ActZero Unveils Next-Generation MDR Platform

Join host Mitch Neff and special guests Aliza Johnson, Azim Khodjibaev, and Nick Biasini as they discuss Talos' findings and experiences monitoring ransomware and commodity loaders in 2022.

Wednesday, February 8, 2023 14:02

Did you miss our livestream covering the ransomware and commodity loader section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Aliza Johnson, Azim Khodjibaev, and Nick Biasini as they discuss Talos' findings and experiences monitoring ransomware and commodity loaders in 2022.

 Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Ransomeware & Commodity Loaders Livestream Replay

**SAN FRANCISCO, Feb. 8, 2023 --** Corelight, the leader in open network detection and response (NDR), today announced it has expanded its partnership with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data. Under the agreement, CrowdStrike will have the ability to deploy Corelight NDR technology in customer engagements when delivering Incident Response, Compromise Assessment, and Network Security Monitoring services.

"We are honored to enter into this expanded partnership with CrowdStrike, a brand that's trusted and respected throughout the security space," said Brian Dye, CEO of Corelight. "We share a passion for using evidence to help customers find and disrupt advanced attacks, and we are excited about delivering this benefit to customers."

CrowdStrike Services will have the ability to leverage Corelight's NDR solution to enhance visibility, accelerate investigations, expand threat hunting, and understand the mechanism of advanced attacks across the full spectrum of endpoints, cloud platforms and the network – including unmanaged devices.

CrowdStrike Services delivers industry-leading incident response, technical assessments, training, and advisory services that help organizations prepare to defend against advanced threats, respond to widespread attacks, and enhance cybersecurity practices and controls. Harnessing the power of the CrowdStrike Security Cloud and the CrowdStrike Falcon platform, Services help protect critical areas of enterprise risk and hunt for threats using adversary-focused cyber threat intelligence to identify, track and prevent attacks from impacting our customer's business and brand.

"Corelight is a natural and highly complementary technology partner," said Thomas Etheridge, chief global professional services officer at CrowdStrike. "Better security outcomes require world-class and timely data. Because Corelight also seamlessly integrates with a range of CrowdStrike products, including CrowdStrike Falcon XDR and CrowdStrike Falcon LogScale, our mutual customers can hunt for unknown attacks, close visibility gaps, and even disrupt future threats faster by seeing everything that matters on the network – including unmanaged endpoints and IoT devices."

The agreement is the latest evidence of ongoing collaboration between the two companies: CrowdStrike's Falcon Fund is an investor in Corelight, and CrowdStrike was recently named Corelight's Apex Awards Alliance Partner of the Year for Innovation.

**About Corelight**

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility and create powerful analytics. Corelight's global customers include Fortune 500 companies, major government agencies, and large universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, visit https://corelight.com or follow @corelight\_inc.

Corelight Expands Partnership With CrowdStrike to Provide Network Detection and Response Technology for CrowdStrike Services

Omdia has learned that Gigamon sold its ThreatInsight NDR business to Fortinet for approximately $31 million. The deal highlights what may be a pivot point for the NDR market.

Gigamon has exited the network detection and response (NDR) business, selling its NDR solution to a former competitor, Omdia has learned.

The Santa Clara, California-based network visibility and IT observability vendor quietly sold its ThreatInsight NDR business to Fortinet at the end of last year. Omdia research indicates the acquisition price was approximately $31 million.

The sale also encompassed the staff dedicated to ThreatInsight, including Gigamon’s former threat intelligence group. Omdia research indicates that approximately 30 to 50 Gigamon employees moved to Fortinet in the transaction.

**Gigamon Shifts to NDR Enabler**

Gigamon entered the NDR market in 2018 when it acquired NDR startup Icebrg. Seen at the time as a strong complement to its portfolio of network visibility solutions, which includes network traffic decryption, ThreatInsight never lived up to Gigamon's commercial expectations, in part because enterprise buying centers for visibility and observability tend to differ from those related to threat detection, investigation, and response (TDIR).

One of the difficulties of selling point products is that they tend to have very specific buying centers. This is highlighted by the position that Gigamon found itself in with NDR. While it continues to have success selling its broader portfolio by targeting CISOs and security architecture teams, NDR sales are typically evaluated and funded within incident response groups, which require a different sales motion.

While security remains an important use case for Gigamon’s visibility portfolio generally, Gigamon increasingly saw itself as better positioned as an ecosystem enabler of NDR solutions through partnership with leading NDR vendors.

By eliminating any competitive conflicts, the deal should immediately make Gigamon a more attractive partner with a variety of NDR vendors with which it formerly competed. Additionally, the company can re-emphasize its renewed focus on network and hybrid cloud observability, this following its recent pivot to relabel its core platform as a Deep Observability Pipeline solution.

**Fortinet Doubles Down on NDR**

Fortinet will rebrand the ThreatInsight technology as FortiNDR Cloud and sell it as a cloud-based addition to its existing on-premises FortiNDR product (formerly known as FortiAI).

Fortinet introduced FortiAI in 2020 as an AI/ML appliance for network detection and response. The company has seen strong demand for NDR as customers shift focus to what Fortinet calls advanced and early detection. The growing adoption of a zero-trust philosophy is also driving additional interest as organizations treat internal east-west traffic with increased scrutiny.

**NDR Market Evolution**

The move also highlights the NDR market’s continuing evolution. As enterprises increasingly seek to unify their TDIR product architectures, interest is growing in NDR solutions that can not only detect and respond to network-specific threats but can also provide insight to and integration with broader solution sets, such as XDR and other security operations platforms.

This evolution is playing out in several ways. For example, NDR vendors are continuing to expand their functional footprint to include additional network security capabilities, such as a broader set of detection capabilities. Of course, the flip side to that trend is network security appliance vendors potentially adding NDR as an additional feature.

Fortinet is a case in point. While FortiNDR Cloud will be available as a stand-alone product, and one that requires no Fortinet hardware, NDR functionality is sure to find its way into broader network security solutions such as next-generation firewalls (NGFWs). This trend will shift the competitive landscape in NDR, which is currently dominated by pure plays such as Darktrace, ExtraHop, and Vectra.

NDR solutions are also increasingly expected to integrate across emerging open XDR ecosystems. This, of course, requires significant investment as the number of integration requests can be large, even if initially just focusing on EDR vendors. Omdia believes success in NDR would have required a significant new investment from Gigamon.

Ironically, given the increased partnership opportunities, Omdia believes this divestiture might well grow Gigamon’s overall share of security dollars, as security teams are either stakeholders or outright buyers of the network observability capabilities that Gigamon offers. More broadly, the company is betting that customers will be shopping for a comprehensive observability platform across hybrid environments.

Omdia's most recent global NDR market outlook indicates the NDR market is worth $0.95 billion as of the end of 2021 and is expected to grow to $1.98 billion by the end of 2027. However, Omdia forecasts that growth in the stand-alone NDR market will slow in 2023 due to macroeconomic headwinds but will rebound and continue to show reasonable growth for the foreseeable future. That said, consolidation of detection and response functionality across digital domains is an important trend.

More broadly, and as importantly, security buyers are looking to consolidate security functionality from a smaller group of larger providers. While best-of-breed security point products will never disappear, suite vendors such as Palo Alto Networks, Fortinet, and Cisco, among others, are well positioned for current vendor consolidation.

Gigamon Exits NDR Market, Sells ThreatInsight Business to Fortinet

Debian Linux Security Advisory 5341-1 - Multiple vulnerabilities have been discovered in the WebKitGTK web engine. Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution. YeongHyeon Choi, Hyeon Park, SeOk JEON, YoungSung Ahn, JunSeo Bae and Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5341-1                   security@debian.orghttps://www.debian.org/security/                           Alberto GarciaFebruary 06, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : wpewebkitCVE ID         : CVE-2022-42826 CVE-2023-23517 CVE-2023-23518The following vulnerabilities have been discovered in the WebKitGTKweb engine:CVE-2022-42826    Francisco Alonso discovered that processing maliciously crafted    web content may lead to arbitrary code execution.CVE-2023-23517    YeongHyeon Choi, Hyeon Park, SeOk JEON, YoungSung Ahn, JunSeo Bae    and Dohyun Lee discovered that processing maliciously crafted web    content may lead to arbitrary code execution.CVE-2023-23518    YeongHyeon Choi, Hyeon Park, SeOk JEON, YoungSung Ahn, JunSeo Bae    and Dohyun Lee discovered that processing maliciously crafted web    content may lead to arbitrary code execution.For the stable distribution (bullseye), these problems have been fixed inversion 2.38.4-1~deb11u1.We recommend that you upgrade your wpewebkit packages.For the detailed security status of wpewebkit please refer toits security tracker page at:https://security-tracker.debian.org/tracker/wpewebkitFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmPhHcsACgkQAAyEYu0C2AIS9xAAkj8s01WZ1BEJrdImERtEANtzX1khiwTM2loUEuzgSU10mTvkl1u5vP3fb2rXPRIBdH7rvdSKAHvfyHbCikvVx48noF6iyLfpqcNdReJ0erSSJzptyMDcuapmrCBP2Y+pnTkEPXQ3x79NtA4PNTEbQX9av54Hm/HRMeAc5XlYFm0dyTjjLu5kh0jFoqgoJkQLhZn13YOdiWpKwk8VbKmU4Wdj/kFHAxU4M/MzgqJj1Ep9DCaJv0NQNBdmyMVJn/o/c9dLn7wmoFb0Mi4nyD7M1ftdCpPg7RkCeNmBfUBejMKz2poFGtcC33Zk5hh9B9AF0joOt0fJGaIT21Lkh2hT3mjV2ayUzIgcNrFzs8gnL7M4ivc/C52HpjScz4E+rmfd6TrZwDYa8yTSMNOyAlb2Bwo5tj+6mtPPF62bh9ViZ3ShdU+g/stvP06oXdTdNwHGpDfERITvqQJQp4LEJmmlfWMzZdCnwqyQ4JbI5IE65h9FDNscoFUFAsVRUMjOg61L74d37/tpAfN51E2fjVSlvtHy/11E866T/6l9o1a/9OTm8fpJf0Bvsjuz8Osiu90Z7SCImbB5RP4V7liLklekQqOLjaf3n7JjcVvPO/SyDg9xjgHE+QozC41yb/FTR6QYlOYOxnteeeNMvA1+eZnxQyvvX6K07KrDtJzXs7SlKX8==Tfnd-----END PGP SIGNATURE-----

Debian Security Advisory 5341-1

A denial of service vulnerability exists in the web server functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP message header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**SDS-3008 Series Multiple Web Vulnerabilities**

*   Security Advisory ID: MPSA-230101
*   Version: V1.0
*   Release Date: Feb 02, 2023
*   Reference:
    *   NVD CVE 2022-40693 (mitre.org)
        
    *   NVD CVE-2022-40224 (mitre.org)
        
    *   NVD CVE-2022-41311 (mitre.org)
        
    *   NVD CVE-2022-41312 (mitre.org)
        
    *   NVD CVE-2022-41313 (mitre.org)
        
    *   NVD CVE-2022-40691 (mitre.org)
        

The SDS-3008 Series web server is affected by multiple vulnerabilities.   
\-    A remote attacker may disclose unauthorized information or perform a denial-of-service attack.  
\-    A remote attacker may execute arbitrary script code in the browser of an unsuspecting user.

The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Cleartext Transmission of Sensitive Information (CWE-319)  
CVE-2022-40693

A cleartext transmission vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted network sniffing tool can lead to disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

2

Insufficient Resource Pool (CWE-410)  
CVE-2022-40224

A denial-of-service vulnerability exists in the web server functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP message header can lead to a denial-of-service attack. An attacker can send an HTTP request to trigger this vulnerability.

3

Improper Neutralization of Input During Web Page Generation (CWE-79)  
CVE-2022-41311, CVE-2022-41312, CVE-2022-41313

A stored cross-site scripting vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to arbitrary JavaScript code being executed. An attacker can send an HTTP request to trigger this vulnerability.

4

Information Exposure (CWE-200)  
CVE-2022-40691

An information disclosure vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

SDS-3008 Series

Firmware Version 2.1 or lower

**Solutions:**

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series

Solutions

SDS-3008 Series

Please contact Moxa Technical Support for the security patch.

**Acknowledgment:**

We would like to express our appreciation to Cisco Talos team for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Feb 2, 2023

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

You have some items waiting in your bag; click here to finish your quote!

Feedback

Tag

#cisco