Tuesday, October 15, 2024

How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends

Written by: Casey Charrier, Robert Weiner


TTE 2023 executive summary

Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). While we have previously seen and continue to expect a growing use of zero-days over time, 2023 saw an even larger discrepancy grow between zero-day and n-day exploitation as zero-day exploitation outpaced n-day exploitation more heavily than we have previously observed.

While our data is based on reliable observations, we note that the numbers are conservative estimates as we rely on the first reported exploitation of a vulnerability. Frequently, first exploitation dates are not publicly disclosed or are given vague timeframes (e.g., "mid-July" or "Q2 2023"), in which case we assume the latest plausible date. It is also likely that undiscovered exploitation has occurred. Therefore, actual times to exploit are almost certainly earlier than this data suggests.

Exploitation Timelines

Time-to-Exploit

Time-to-exploit (TTE) is our metric for defining the average time taken to exploit a vulnerability before or after a patch is released. Historically, our analyses have seen reduced times-to-exploit year over year. Through 2018 to 2019, we observed an average TTE of 63 days. From 2020 to the start of 2021, that number decreased to 44 days. Then, across all of 2021 and 2022, the average observed TTE dropped further to 32 days, already half of our first tracked TTE starting in 2018. In 2023, we observed the largest drop in TTE thus far, with an average of just five days. This is less than a sixth of the previously observed TTE. 

Our average TTE excludes 15 total data points, including two n-days and 13 zero-days, that we identified as outliers from a standard deviation-based statistical analysis. Without the removal of these outlier TTEs, the average grows from five to 47.

Zero-Day vs. N-day Exploitation

Prior to 2023, we had observed steady ratios of n-days to zero-days, being 38:62 across 2021–2022 and 39:61 across 2020 into part of 2021. However, in 2023, this ratio shifted to 30:70, a notable departure from what we had observed previously. Given that zero-day exploitation has risen steadily over the years, the shifting ratio appears to be influenced more from the recent increase in zero-day usage and detection rather than a drop in n-day usage. It is also possible that actors had a larger number of successful attempts to exploit zero-days in 2023. Future data and analyses will show whether this is the start of a noticeable shift, or if 2023 is a one-off in this regard.

2023 zero-day vs. n-day exploitation

N-Day Exploitation

Consistent with our last analysis, we found that exploitation was most likely to occur within the first month of a patch being made available for an already disclosed vulnerability. Twelve percent (5) of n-days were exploited within one day, 29% (12) were exploited within one week, and over half (56%) were exploited within one month. In our last report, 25% of the n-day vulnerabilities were exploited after the six-month mark. In 2023, all but two (5%) n-days were exploited within six months.

N-day exploitation timeline
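The following is an added worked example, not Mandiant's code, that puts the definitions above into practice: the zero-day/n-day split, the signed time-to-exploit (TTE) metric with a standard-deviation-based outlier exclusion, the "latest plausible date" rule for vague timeframes, and the one-day/one-week/one-month/six-month n-day windows. The eight vulnerabilities, their dates, the k=2 outlier cutoff and the early/mid/late-of-month mapping are all constructed assumptions.

```python
"""Added worked example (not Mandiant's code): classify zero-day vs n-day, compute
signed time-to-exploit (TTE), drop outliers, and bucket n-days by window."""
from __future__ import annotations
import calendar
import re
import statistics
from dataclasses import dataclass
from datetime import date

_QUARTER_END = {1: (3, 31), 2: (6, 30), 3: (9, 30), 4: (12, 31)}


def latest_plausible_date(text: str) -> date:
    """Resolve a reported timeframe to its LATEST plausible date (the report's rule).

    Accepts 'YYYY-MM-DD', 'Q2 2023', 'July 2023' or 'mid-July 2023'. Mapping
    early/mid/late to the 10th/20th/last day of the month is an assumption."""
    s = text.strip()
    if m := re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", s):
        return date(int(m[1]), int(m[2]), int(m[3]))
    if m := re.fullmatch(r"[Qq]([1-4])\s+(\d{4})", s):
        month, day = _QUARTER_END[int(m[1])]
        return date(int(m[2]), month, day)
    if m := re.fullmatch(r"(?:(early|mid|late)-)?([A-Za-z]+)\s+(\d{4})", s):
        year = int(m[3])
        month = list(calendar.month_name).index(m[2].capitalize())
        last = calendar.monthrange(year, month)[1]
        day = {"early": 10, "mid": 20, "late": last, None: last}[m[1]]
        return date(year, month, day)
    raise ValueError(f"unrecognised timeframe: {text!r}")


@dataclass
class Vuln:
    name: str              # constructed label, not a real CVE id
    patch: date | None     # None: no patch existed at first exploitation
    exploited: date        # first known in-the-wild exploitation

    @property
    def zero_day(self) -> bool:
        """Exploited before a patch was available (the report's definition)."""
        return self.patch is None or self.exploited < self.patch

    @property
    def tte_days(self) -> int | None:
        """Signed days from patch release to first exploitation; negative = pre-patch."""
        return None if self.patch is None else (self.exploited - self.patch).days


def average_tte(vulns: list[Vuln], k: float = 2.0) -> tuple[float, float, list[str]]:
    """Return (mean with outliers, mean without, names dropped).

    Outliers are points more than k population standard deviations from the
    mean; the report only says 'standard deviation-based', so k=2 is an assumption."""
    pts = [(v.name, v.tte_days) for v in vulns if v.tte_days is not None]
    xs = [x for _, x in pts]
    mean, sd = statistics.mean(xs), statistics.pstdev(xs)
    kept = [x for _, x in pts if abs(x - mean) <= k * sd]
    dropped = [n for n, x in pts if abs(x - mean) > k * sd]
    return mean, statistics.mean(kept), dropped


N_DAY_WINDOWS = (("within 1 day", 1), ("within 1 week", 7),
                 ("within 1 month", 30), ("within 6 months", 180))


def n_day_distribution(vulns: list[Vuln]) -> dict[str, int]:
    """Cumulative counts of n-days exploited within each post-patch window."""
    ttes = [v.tte_days for v in vulns if not v.zero_day]
    dist = {label: sum(1 for t in ttes if t <= limit) for label, limit in N_DAY_WINDOWS}
    dist["after 6 months"] = sum(1 for t in ttes if t > 180)
    return dist


# Constructed sample set (eight fictional vulnerabilities, all dates invented).
SAMPLE = [
    Vuln("A", date(2023, 1, 10), latest_plausible_date("2023-01-10")),    # same-day n-day
    Vuln("B", date(2023, 2, 1), latest_plausible_date("2023-02-05")),
    Vuln("C", date(2023, 3, 1), latest_plausible_date("mid-March 2023")),  # -> 2023-03-20
    Vuln("D", date(2023, 4, 3), latest_plausible_date("Q2 2023")),         # -> 2023-06-30
    Vuln("E", date(2023, 1, 5), latest_plausible_date("December 2023")),   # -> 2023-12-31
    Vuln("F", date(2023, 5, 20), date(2023, 5, 1)),                         # zero-day
    Vuln("G", None, date(2023, 6, 15)),                                     # zero-day, never patched
    Vuln("H", date(2023, 8, 10), date(2023, 8, 1)),                         # zero-day
]

if __name__ == "__main__":
    zd = sum(v.zero_day for v in SAMPLE)
    print(f"zero-days: {zd}, n-days: {len(SAMPLE) - zd}")
    mean_all, mean_trim, dropped = average_tte(SAMPLE)
    print(f"avg TTE {mean_all:.1f} days; {mean_trim:.1f} without outliers {dropped}")
    print(n_day_distribution(SAMPLE))
```

Note how a single late n-day (E) pulls the raw mean from about 14 to about 63 days, which is the same effect the report describes when it says its average grows from five to 47 without outlier removal.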

Disclosure to Exploit to Exploitation Timelines

Of the analyzed vulnerabilities, 41 (30%) were first exploited after the vulnerability's public disclosure. This section will focus on this subset of vulnerabilities. While we have pursued analysis of associations between exploit availability and exploitation timelines, Mandiant has continued not to observe a correlation between the two. It may be common to assume a relationship between the two data points; however, our longer-term analysis shows a distinct lack of association.

First exploit release prior to exploitation vs. after exploitation

For vulnerabilities with exploits available prior to exploitation, we observed a median of 7 days from the date of disclosure (DoD) to the first public exploit release, and a median of 30 days from the exploit's release date to the date of first known exploitation. The median time from disclosure to exploitation of these vulnerabilities was 43 days.

For vulnerabilities with exploits first made available after exploitation, we observed a median time of 15 days from disclosure to exploitation. The median time from exploitation to a publicly available exploit was observed to be four days, with a median timeline from disclosure to exploit release being observed as 23 days.

These statistics are consistent with our past analyses, which have expressed non-deterministic outcomes regarding the influence of existing exploits on in-the-wild exploitation. We continue to find this true while also noting that there are other factors that affect the exploitation timeline of a given vulnerability. Potential factors include, but are not limited to, exploitation value and exploitation difficulty. To highlight one of these factors, we note that of the vulnerabilities disclosed in 2023 that received media coverage, 58% are not known to be exploited in the wild, and for those with at least one public proof of concept (PoC) or exploit, 72% are not known to be exploited in the wild. The following are two specific examples we observed that demonstrate the variance in how much of an effect an exploit's release can have on the time to in-the-wild exploitation, and that illustrate other potential influences in exploitation.

CVE-2023-28121 Use Case

CVE-2023-28121 is an improper authentication vulnerability affecting the WooCommerce Payments plugin for WordPress. This vulnerability was disclosed on March 23, 2023, and did not receive its first proof of concept or even technical details until three and a half months later on July 3, when a blog was posted outlining how to create an Administrator user without prior authentication. This was followed quickly by a Metasploit module being released on July 4 with the ability to scan for the vulnerability and exploit it to create a new Administrator user. No exploitation activity was seen immediately following the release of this PoC or Metasploit module. Instead, exploitation activity is first known to have begun on July 14, soon after another weaponized exploit was released. This exploit was first released July 11, with an upgraded version then released on July 13. Both versions of this exploit have the capability to exploit an arbitrary number of vulnerable systems in order to create a new Administrator user. Wordfence later reported that the exploitation campaign began on July 14 and activity peaked on July 16 with 1.3 million attacks observed on that day alone.

CVE-2023-28121 timeline

This vulnerability's timeline highlights a period of over three months where exploitation did not occur following disclosure; however, large-scale exploitation began 10 days after the first exploit was released and only three days after a second exploit with mass-exploitation capabilities was released. In this case, we can see that there is likely an increased motivation for a threat actor to exploit this vulnerability due to a functional, large-scale, and reliable exploit being made publicly available.

CVE-2023-27997 Use Case

CVE-2023-27997, also known as XORtigate, is a heap-based buffer overflow in the Secure Sockets Layer (SSL) / virtual private network (VPN) component of Fortinet FortiOS. This vulnerability was disclosed on June 11, 2023, and immediately received significant media attention, being named XORtigate prior to Fortinet even releasing their official security advisory on June 12. The disclosure was quickly followed on June 13 with two blog posts containing PoCs, and one since-deleted non-weaponized exploit on GitHub. By June 16, proof-of-concept code, scanners, and weaponized exploit code were all publicly available. While exploitation could be expected to swiftly follow the immediate attention and exploits released, it was not until around four months after disclosure, on Sept. 12, that Mandiant first observed exploitation activity. Exploitation of this vulnerability is only known by Mandiant to be performed in relatively limited and targeted campaigns. In this case, we see that public interest and exploit availability did not appear to impact the timeline of exploitation.

CVE-2023-27997 timeline

Use Case Comparison

One of the most likely reasons for the difference in observed timelines we see here is the difference in the reliability and ease of exploitation between the two vulnerabilities. CVE-2023-28121, which was exploited soon after exploits became available, is quite simple to exploit, requiring just one specific HTTP header to be set on an otherwise normally formatted web request. This makes large-scale and automated exploitation campaigns more plausible. On the other hand, CVE-2023-27997 requires exploiting a heap-based buffer overflow against systems which typically have several standard and non-standard protections, including data execution prevention (DEP) and address space layout randomization (ASLR), as well as navigating the logic of a custom hashing and XORing mechanism. When considering the multiple complexities involved in addition to the fact that targeted systems would likely already have multiple mitigations in place, we can see how much less time-efficient and reliable exploitation of this vulnerability would be.

The other potential factor we identified is the difference in the value provided to an attacker by exploiting the affected products. FortiOS is a security-focused product that is typically deployed, oftentimes with significant privileges, within highly sensitive environments. Therefore, exploitation of CVE-2023-27997 could provide an attacker with those same privileges, furthering the potential damage an attacker could cause. WooCommerce Payments is one of the most popular WordPress plugins, and exploitation of CVE-2023-28121 can lead to complete access of the underlying web server that the plugin is running on. However, these web servers typically exist within demilitarized zones (DMZs) or other low-privileged network segments and thus present limited value to an attacker looking to exploit the larger organization that the plugin runs within. This suggests that intended utilization is a driving consideration for an adversary. Directing more energy toward exploit development of the more difficult, yet "more valuable" vulnerability would be logical if it better aligns with their objectives, whereas the easier-to-exploit and "less valuable" vulnerability may present more value to more opportunistic adversaries.

Exploited Vulnerabilities by Vendor

Exploited vendors continue to grow in both number and variety. In 2023, we saw a 17% increase from our previous highest exploited vendor count in 2021. In recent years, Microsoft, Apple, and Google have been the most exploited vendors year over year. However, their prominence in the overall number of exploited vendors has continued to decrease, falling just below 40% this past year. This is about a 10% drop from the just under 50% we saw from 2021 to 2022. Additionally, this is one of the first times in a while that one of the three has barely made a top spot. Google had eight vulnerabilities exploited, while Adobe, the fourth most exploited vendor, had six vulnerabilities exploited. Further, 31 of the 53 vendors (58%) had only one vulnerability exploited. Attackers are diversifying their targets and seeing success in doing so. As variance in targeted products continues to grow along with exploitation frequency, defenders must meet the challenge of protecting sprawling attack surfaces.

Number of vendors exploited by year

We note that the total number of vulnerabilities affecting a vendor does not directly relate to how secure or insecure a vendor's security posture is, nor does it signify that it is "less secure" than its competitors. Ubiquity of product use and the extent of a vendor's offered products both impact the numbers we see. Given the extent of today's challenges around defending such diversified systems and networks, learning from best practices across industries will lead to some of the best approaches for seeing successful exploitation prevention.

Implications

As the amount of discovered vulnerabilities grows over time, threat actors are provided with more opportunities to take advantage of these weaknesses. Mandiant has found that exploits, for both zero-days and n-days, have been the number one initial infection vector in Mandiant Incident Response (IR) engagements for 2020, 2021, 2022, and 2023. This is pushing defenders to provide efficient detection and response as well as to adapt to events in real time. Further, patching prioritization is increasingly difficult as n-days are exploited more quickly and in a greater variety of products. This increase in available technologies expands attack surfaces, reinforcing the importance of considering how a singular vulnerable technology could affect systems and networks laterally. Segmented architectures and access control implementations should be prioritized in order to limit the extent of impacted systems and data when exploitation does occur.

After multiple years of tracking our observed TTEs, we can see that the numbers fall drastically with each analysis. Just five to six years ago, we observed an average TTE of 63 days. That number has now fallen to five days. While we are aware that better and more common threat detection capabilities are likely an aspect of growing exploitation numbers, our data clearly shows that attackers are able to move quickly enough to beat patching cycles. As threat actors shorten TTEs and have more success with zero-day exploitation, delaying patching and exposing insufficiently protected attack surfaces heightens the chance of successful attacks.

Our data has continued to show that exploit release and media attention are not predictive of exploitation timelines. While in some cases these data points are correlated, the trends do not currently show that these factors should dictate prioritization or constitute an elevated response to a given vulnerability. Exploit release and the attention received by a vulnerability should be taken into account; however, they should be considered heuristic data points alongside other factors such as the difficulty of exploitation and the value exploitation may present.

Outlook

Based on our analyses, we know that zero-day exploitation remains a coveted approach for threat actors. If zero-day exploitation continues to outnumber n-day exploitation while n-day exploitation continues to occur more quickly following disclosure, we could expect the average TTE to fall further in the future. Additionally, because zero-day discovery is more difficult, there is room for growing numbers of exploited vulnerabilities over time as detection tools continue improving and become more widespread.

We do not expect n-day usage to drop significantly, nor for the number of targeted vendors to decrease over the coming years. We expect threat actors to continue using both n-days and zero-days as well as to expand exploitation across more vendors and products. Trends are expected to likely follow quicker exploitation timelines across a larger span of targets.

It is important to note that the increased ratio of zero-day exploitation and the generally shrinking timelines do not imply that threat actors will stop targeting n-days. We have seen, many times over, how threat actors will utilize vulnerabilities months or years after patches have been released.



from Threat Intelligence https://ift.tt/Y7wNVkL
via IFTTT

VMware vSAN Data Protection in ESA 8.0 U3 – deep snapshots, protection groups and more

vSAN ESA isn't new; however, the latest 8.0 U3 release, which is part of VMware/Broadcom offerings in many packages such as VMware Cloud Foundation (VCF) and VMware vSphere Foundation (VVF), brings a new functionality called VMware vSAN Data Protection. We have talked about other features of vSphere 8.0 U3 in our post on the StarWind blog here, but vSAN wasn't part of it. That's why today's post is an update on vSAN.

Early in January we wrote about VMware vSAN MAX, which is (in short) a more advanced version of vSAN with different topologies, including stretched clusters. VMware vSAN ESA 8.0 U3 brings stretched-cluster technology as well.

Today, I'd like to focus on an important technology and function that everyone needs to be aware of: a new snapshot architecture in vSAN ESA that makes VMware vSAN Data Protection possible in vSAN 8.0 U3.

The information in this post is gathered from the VMware EXPLORE Las Vegas session VMware vSAN ESA Deep Dive: Your Storage Platform for VMware Cloud Foundation, by Pete Kohler and Duncan Epping. It's freely available to watch when you have a VMware/Broadcom account.

VMware vSAN ESA 8.0 U3 Snapshot Architecture

Screenshot from the EXPLORE session


The snapshot feature in vSAN ESA 8.0 Update 3 is built on a new B-tree snapshot architecture, which offers several advantages:

Snapshots on the metadata level – The snapshots are natively integrated into the vSAN ESA file system, ensuring minimal performance impact even with deep snapshot chains. You can imagine the speed gained when taking or deleting snapshots if you don't need to create new objects or files, or copy any bits from one location to another.

In fact, 8.0 U3 has a new mechanism allowing you to create deep snapshots (up to 200 snapshots per VM!!!). The snapshots are very fast. In the demo we could see that there is almost no decrease in performance or any latency increase while creating those snapshots, and also when deleting snapshots (even Delete All snapshots, which normally triggers large copies while consolidating files).

This is because of the nature of snapshots in vSAN ESA 8.0 U3. The snapshots occur at the metadata level, so there is no copy of data anywhere and no creation of a new object or file. This is a game changer.

Does not stun VMs – Also, because of this new technology, there is no more VM stun. You know, when the VMs are "paused" for a short period of time to allow the snapshot creation. Its absence also contributes to the speed of the technology.

Protection Groups

Protection Groups and Scheduling – Protection Groups are groups of VMs of your choice that are protected together. Administrators can create Protection Groups (PGs) that include multiple VMs. These groups can be defined by VM name patterns or selected manually.

Administrators can create Protection Groups (PGs) that include multiple VMs


Each PG can have up to 10 snapshot schedules, specifying the frequency of snapshot creation, retention periods, and immutability settings. Yes, VMware has good reflexes here to integrate immutability, which is very important when facing today's cybersecurity threats.

Snapshots are created in a crash-consistent manner, ensuring data integrity across all VMs in the PG.

Note: These are not consistency groups. The VMs will be snapshotted around the same time, but not EXACTLY at the same time!

Snapshots are created in a crash-consistent manner, ensuring data integrity across all VMs in the PG


Retention and Immutability – Snapshots can be retained for a specified number of days, until a fixed date, or indefinitely. Immutability settings prevent manual deletion of snapshots before the retention period expires, enhancing data protection.

Note: Once activated, you cannot modify the protection group anymore: you cannot edit or delete it, change the VM membership, or edit or delete its snapshots.

Create Protection Group | General


Note: When you restore a snapshot, it actually stops your VM and then puts the VM back to the point in time when the snapshot was created (it goes back in time), so you should be aware of that. This is the normal snapshot behavior we all know.

Instant Deletion and Recovery – Snapshots can be deleted instantly without impacting performance. VMs can be restored to any point-in-time snapshot or cloned from a snapshot, even if the original VM has been deleted from vCenter/ESXi. (This is certainly useful and allows you to quickly restore a full VM.)

Compatibility?

Yes, the snapshot feature is fully compatible with existing backup applications using VMware's vSphere API for Data Protection (VADP). This compatibility ensures seamless integration with third-party backup solutions, providing additional layers of data protection.

With these enhancements, VMware vSAN ESA 8.0 Update 3 offers a robust and efficient solution for data protection, making it easier for administrators to manage and safeguard their virtual environments.

VMware vSAN ESA 8.0 U3 Data Protection Deployment

When you activate vSAN ESA in your environment, Data Protection is NOT active out of the box. No. Data Protection is an appliance (a VM) that you must deploy. It is possible to download it from the VMware/Broadcom customer portal. You'll find it under "Drivers and Tools" within the VMware vSAN group there. It's called VMware vSAN Snapshot Appliance and the latest filename is "snapservice_appliance-8.0.3.0-24057802_OVF10.ova".

The deployment is a bit tricky, as your DNS must match exactly, there are certificates you must copy exactly, and all this without any reasonable output if something isn't configured as it should be. The appliance simply deploys but does not show up in your UI. Duncan Epping has a post talking about possible solutions, but then I stumbled across William Lam's post, which automates everything via a PowerCLI script. The script needs to be modified to fit your environment, but even for me, who is not a scripting guy, this was an easy way of trying out Data Protection within my nested lab.

Simply connect to your vCenter first with the Connect-VIServer cmdlet, and then launch the script you previously downloaded from William's GitHub.


You wait just a couple of minutes; the OVA is deployed, certificates are downloaded automatically, and then within the UI of your vSphere client you should see the plugin deployments. (Which was not the case when I tried to deploy the OVF manually....)

Task name | Target | Status


After that, when you go to vSAN > Services, you should see the Data Protection VM status as "Deployed". (This wasn't the case when I tried to do the manual deployment, even though my DNS seemed to be fine and I copied the text within the certificate as required for the deployment.)

vSAN | Services

Final Words

VMware vSAN 8.0 Update 3 introduces significant enhancements in data protection, making it a robust solution for safeguarding virtual environments. Here's a look at the key features:

  • Deep-Snapshots – Scalable Snapshots: Leveraging the ESA (Express Storage Architecture), vSAN 8.0 U3 enables high-performance, scalable snapshots. These snapshots are designed to be efficient and quick, minimizing the impact on system performance.
  • Local Data Protection – The new update allows for capturing local snapshots using an intuitive UI, which can be stored directly on the vSAN datastore. Even if you need to re-deploy the Data Protection appliance VM, you will still find your snapshots where they were before – on the vSAN datastore.
  • Snapshot Schedules – Users can define snapshot schedules, ensuring that data is backed up at regular intervals without manual intervention.
  • Data Protection Groups – Allow admins to define VM membership, snapshot schedules, retention policies, and immutability criteria. This helps in organizing and managing data protection more effectively.
  • Immutability Criteria – Ensuring that snapshots cannot be altered or deleted within a specified period, providing an additional layer of security against data tampering.

VMware keeps pushing the research, listening to their customers, and continuously improving their technology. It’s really good to see. These latest features and improvements collectively enhance the data protection capabilities of VMware vSAN 8.0 U3 ESA, making it a more reliable and efficient solution for modern virtual environments.

The question that remains is the one the vast majority of VMware clients are facing today: the VMware licensing renewal. That is another chapter that we will not write about today, as we leave it to other analysts.



from StarWind Blog https://ift.tt/1eUK0fo
via IFTTT

HCP Waypoint now GA with enhancements to golden workflow capabilities

Initially announced at HashiConf 2023, HCP Waypoint templates and add-ons let platform teams abstract and share standardized application deployment patterns with developers, without making them worry about the infrastructure details. Today, we’re pleased to announce the general availability of HCP Waypoint as well as its templates and add-ons.

Alongside the GA announcement, we are releasing variable support in beta for HCP Waypoint actions — a Day 2+ capability first introduced in beta in June 2024. Variables in Waypoint actions allow platform teams to specify input variables and their values when creating actions. Platform teams can also choose which input values developers should provide. These variables give platform teams additional ways to customize actions to accommodate various use cases while accepting inputs from developers who trigger these actions. These input values can then be passed to the upstream APIs, operations, or CI/CD workflows.

New features in GA

During the beta period of HCP Waypoint templates and add-ons, we collected feedback from customers that led us to include new capabilities in the GA release:

  • Upgrade workflow for templates
  • API support

Upgrade workflow for templates

As part of the GA release, we are introducing a new upgrade workflow that enables platform teams to update golden patterns defined by Waypoint templates and send those updates to application developers, allowing them to upgrade their applications accordingly.

Platform engineers can use Waypoint templates that build on no-code ready modules, present in HCP Terraform to define golden patterns in their organization. As these golden patterns evolve, platform engineers update the underlying Terraform no-code module to reflect those changes. With HCP Waypoint templates’ new upgrade capability, these updates by platform engineers are pushed to any applications created using these templates.


Template updates help application developers keep their applications up-to-date with the latest golden patterns in their organization. They also allow platform teams to give their application developers an upgrade path for their Waypoint-deployed applications.

HCP API support

In June 2024, we announced HCP CLI and Terraform provider support for HCP Waypoint to give users flexibility in how they interface with HCP Waypoint. We now support using the HCP API to access Waypoint resources such as templates, add-ons, and applications. This lets platform and development teams build on top of HCP Waypoint with even more flexibility.

Here is an example usage of the HCP API to list HCP Waypoint templates:

Variables support for actions (beta)

Waypoint actions (currently in beta) let platform teams seamlessly expose Day 2+ operations and workflows to their application developers, providing a push-button experience to enable operations such as build promotions, rollbacks, and modifying feature flags. Modifying each action for every use case can be slow and may cause duplication. Given the variety of Day 2+ use cases, platform teams need to parameterize these actions to ease customization and reusability.

Now, platform teams can specify local variables that allow them to parameterize Waypoint actions. The values of the variables can be set by the platform team or can be requested as input when an application developer runs an action. Variable inputs for actions also support sensitive values, allowing platform teams to designate certain values for variables, such as API tokens, as sensitive.


Variables in actions allow application developers to supply values when running Waypoint actions. These values are based on the variables that are being requested by the actions defined by the platform teams. Some examples of values that could be requested during action execution include:

  • Build IDs for build promotions or deployments
  • Feature flag details, such as name, when toggling feature flags

Overall, variable inputs enable better composability, customization, and end-to-end Day 2+ workflows for organizations that are tailored to meet the specific needs of application developers.

HCP Waypoint at US Venture

HCP Waypoint has already been making inroads at major firms, and HCP Waypoint templates and add-ons are already providing value to customers. Andy Plamann, a Senior Solutions Architect of Platform Engineering at US Venture, says:

"We are currently in the process of developing a new internal development platform. After careful consideration, we have chosen the HashiCorp stack of tools due to their exceptional quality and ease of implementation. One aspect that was lacking was a portal for our development teams to use, in order to make the entire process completely self-service. Waypoint has effectively addressed this need." In addition, Plamann notes, "The flexibility of Waypoint has allowed us to create templates and add-ons that cover every pattern and middleware component in our platform in a fully automated, self-service manner, requiring minimal effort and time for setup. This has significantly expedited the platform's launch and its readiness for use by our development teams. And it has notably reduced the learning curve for our development teams in utilizing the platform."

Get started with HCP Waypoint

HCP Waypoint templates and add-ons are available as part of HCP Terraform Plus, and we are excited for users to try them. HCP Waypoint actions are also available on a trial basis for HCP Terraform Plus customers. If you don’t already have one, we recommend getting started by creating an HCP account and giving HCP Waypoint a try.

Sign up for HCP Waypoint on the HCP portal. To learn more about HCP Waypoint, visit the HCP Waypoint product page, or refer to the HCP Waypoint documentation.



from HashiCorp Blog https://ift.tt/dseJMr0
via IFTTT

Google Shopping’s getting a big transformation

Google Shopping uses AI to help you find more relevant products, discover personalized options and find the lowest prices.

from AI https://ift.tt/mB0jQdo
via IFTTT

Quantifying Vulnerability Risk | Identify & Remediate CVEs with Exploit-Driven Prioritization

Organizations are grappling with an unprecedented influx of vulnerabilities in today’s rapidly evolving cybersecurity landscape. In 2024 so far, over 29,000 new Common Vulnerabilities and Exposures (CVEs) were reported to the National Vulnerability Database (NVD) – a staggering number even NIST struggles to keep up with. This overwhelming volume makes it virtually impossible for security teams to address every vulnerability, forcing them to prioritize effectively to protect their organization.

Vulnerability prioritization, however, is a complex challenge. Traditional scoring systems like the Common Vulnerability Scoring System (CVSS) highlight the severity of vulnerabilities but often lack critical context about real-world exploitability. This can lead to a misallocation of resources, where teams focus on high-severity vulnerabilities that pose minimal immediate threat while overlooking those actively exploited by attackers. Adding to the complexity is the scarcity of vulnerability remediation data. Even when high-priority vulnerabilities are identified, security teams may struggle to find practical solutions – such as patches or mitigation steps – delaying remediation efforts and increasing risk exposure.

This blog post covers how forward-thinking organizations are adopting data-driven approaches that incorporate threat intelligence and predictive analytics to navigate these challenges. We explore the Exploit Prediction Scoring System (EPSS) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, which are emerging as critical tools for understanding which vulnerabilities are being actively targeted by threat actors.

What is CISA KEV?

CISA’s KEV Catalog is a curated list of vulnerabilities actively exploited in real-world cyberattacks. Unlike traditional vulnerability databases that list all known vulnerabilities, the KEV Catalog focuses exclusively on those vulnerabilities that pose immediate and significant risks due to active exploitation. By providing this targeted information, the KEV Catalog helps security teams prioritize their patching and mitigation efforts effectively. CISA KEV enables organizations to move beyond theoretical risk assessments and focus on vulnerabilities being actively leveraged by attackers.

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model designed to estimate the probability that a specific vulnerability will be exploited in the real world. Developed by the Forum of Incident Response and Security Teams (FIRST), EPSS leverages statistical analysis and machine learning techniques to process vast amounts of data related to vulnerabilities and exploitation activities. This system combines multiple factors, including historical data and characteristics of the vulnerability itself, to predict (with proven success) the likelihood of future exploitation.

Unlike traditional risk scoring models that focus solely on the severity of a vulnerability, EPSS emphasizes exploitability potential. This means it considers not only how severe a vulnerability is but also how likely it is to be used in an attack. This predictive insight is invaluable for organizations aiming to enhance their vulnerability prioritization efforts. By incorporating EPSS into their security strategies, organizations can more effectively allocate resources, focusing on vulnerabilities that pose the highest risk of exploitation. This proactive approach enables security teams to get ahead of potential threats and significantly reduce their risk exposure.

Enhancing Risk Prioritization & Remediation

Integrating CISA’s KEV Catalog with the Exploit Prediction Scoring System (EPSS) provides organizations with a comprehensive threat landscape view. The KEV Catalog identifies vulnerabilities actively exploited in the real world, highlighting immediate risks that demand attention from security teams. EPSS complements this by predicting the likelihood of vulnerabilities being exploited in the near future. By combining these two powerful tools into their risk scoring, organizations can pinpoint exactly where to focus their remediation efforts. This integrated approach ensures that security teams prioritize vulnerabilities that pose the most significant threats, thereby maximizing the impact of their actions in reducing the overall attack surface.

Alongside the KEV Catalog and EPSS, remediation data also plays a significant role in further reducing noise from vulnerability assessments. When EPSS scores and CISA KEV information are combined with up-to-date remediation options, organizations can reduce the risk of vulnerabilities becoming breaches by focusing on vulnerabilities that are likely to be exploited and having viable mitigation strategies available.
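The two paragraphs above describe combining KEV membership, an EPSS probability, severity and remediation availability into one ranking. The following is an added example of that kind of prioritizer, not code from SentinelOne or from this post: the findings, CVE-style identifiers (CVE-0000-000x), EPSS values and KEV flags are constructed placeholders, and the tier thresholds and the exposure multiplier are assumptions a team would tune for its own environment.

```python
from dataclasses import dataclass

# Tunable thresholds: assumptions for this example, not values from the post.
EPSS_HIGH = 0.10   # EPSS probability above which exploitation is treated as likely
CVSS_HIGH = 7.0    # CVSS base score above which we consider impact "high"


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    in_kev: bool           # listed in CISA's KEV catalog (observed exploitation)
    fix_available: bool    # vendor patch or documented mitigation exists
    internet_facing: bool  # asset exposure, from inventory


def tier(f: Finding) -> int:
    """1 = exploited in the wild (KEV), 2 = likely to be exploited (EPSS),
    3 = severe but no exploitation signal, 4 = everything else."""
    if f.in_kev:
        return 1
    if f.epss >= EPSS_HIGH:
        return 2
    if f.cvss >= CVSS_HIGH:
        return 3
    return 4


def risk_score(f: Finding) -> float:
    """Likelihood times impact times exposure. KEV membership is treated as
    probability 1.0 because exploitation there is observed, not predicted."""
    likelihood = 1.0 if f.in_kev else f.epss
    exposure = 1.5 if f.internet_facing else 1.0   # assumed multiplier
    return round(likelihood * f.cvss * exposure, 3)


def prioritize(findings):
    """Order by tier, then actionable items first (a fix exists), then by
    descending risk score, so the patch queue is never blocked by items
    that can only get a compensating control."""
    return sorted(findings, key=lambda f: (tier(f), not f.fix_available, -risk_score(f)))


def remediation_queue(findings):
    """Return (cve, tier, score, action) rows in the order a team should work them."""
    rows = []
    for f in prioritize(findings):
        action = "patch" if f.fix_available else "compensating control (no fix yet)"
        rows.append((f.cve, tier(f), risk_score(f), action))
    return rows


# Constructed sample findings; the identifiers and scores are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, True, False),   # critical CVSS, low EPSS
    Finding("CVE-0000-0002", 7.5, 0.93, False, True, True),    # high EPSS, internet-facing
    Finding("CVE-0000-0003", 8.8, 0.45, True, True, False),    # in KEV: exploited already
    Finding("CVE-0000-0004", 5.3, 0.01, False, True, True),    # low on every axis
    Finding("CVE-0000-0005", 7.2, 0.60, False, False, False),  # likely exploited, no fix yet
]

if __name__ == "__main__":
    for row in remediation_queue(SAMPLE):
        print(row)
```

Note how the CVSS 9.8 finding with a 2% EPSS lands behind both EPSS-driven items: that reordering is the whole point of the approach described above, and the "no fix yet" row stays visible rather than being dropped, because it still needs a compensating control.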

Making Vulnerabilities Actionable with Singularity™ Platform

SentinelOne recognizes the imperative need for more innovative vulnerability management. We’re excited to announce the integration of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) Catalog support into Singularity Vulnerability Management. This enhancement empowers organizations to distinguish between potential threats and vulnerabilities that are actively or soon to be exploited. By leveraging these advanced vulnerability intelligence sources within Singularity, security teams can focus their efforts where it matters most – streamlining prioritization processes, reducing risk exposure, and making more informed decisions about vulnerability remediation.

Known exploited vulnerability in Microsoft Outlook 2013 with an EPSS Score of 88%

In addition, Singularity Vulnerability Management has launched a new vulnerability scoring system designed to provide a comprehensive assessment of vulnerabilities by incorporating multiple data sources. These include up-to-date threat intelligence, EPSS, CISA’s KEV Catalog, and insights on remediation options. This scoring approach goes beyond traditional metrics by factoring in the real-world likelihood of a vulnerability being exploited, as EPSS indicates, and whether it has been associated with known attacks listed in CISA’s KEV Catalog.

The scoring system helps organizations prioritize their response efforts effectively by including information on available patches or mitigation strategies. The result is a more accurate and actionable vulnerability score that enables security teams to focus on the most critical threats, enhancing overall risk management in the cybersecurity landscape.

Conclusion

Relying solely on traditional scoring systems without considering real-world exploitability exposes organizations to significant risks. By integrating advanced tools like the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) Catalog, security teams can prioritize threats more effectively, focusing on vulnerabilities that are not just severe but are likely to be, or already are, exploited by attackers.

Singularity Vulnerability Management elevates this strategy by incorporating these critical intelligence sources alongside up-to-date remediation data, providing a comprehensive assessment of each vulnerability so you can allocate resources where they matter most. Don’t let the overwhelming number of vulnerabilities compromise your security efforts – take control with vulnerability management solutions designed to keep you ahead of emerging risks.

Contact us today to find out how SentinelOne can transform your vulnerability management strategy and empower your security team to make informed, impactful decisions.

Singularity™ Vulnerability Management
Discover unknown network assets, close blind spots, and prioritize vulnerabilities using your existing SentinelOne agents.


from SentinelOne https://ift.tt/Ry9v0ON
via IFTTT

Nomad 1.9 adds NVIDIA MIG support, golden job versions, and more

HashiCorp Nomad is a simple and flexible orchestrator used to deploy and manage containers and non-containerized applications across multiple cloud, on-premises, and edge environments. It is widely adopted and used in production by organizations such as BT Group and Epic Games. Today, we are excited to announce that Nomad 1.9 is now generally available.

Here’s what’s new in Nomad 1.9:

  • Updated NVIDIA device driver for Multi-Instance GPU support
  • Quotas for device resources (Enterprise)
  • NUMA awareness for device resources (Enterprise)
  • exec2 task driver general availability
  • Golden job versions
  • libvirt task driver beta
  • Improved IPv6 support

Updated NVIDIA device driver for Multi-Instance GPU support

Nomad has supported the NVIDIA device driver for several years and we are excited to add support for Multi-Instance GPU (MIG). This will enhance Nomad’s ability to schedule workloads across your NVIDIA hardware and make full use of your GPU investment.

The NVIDIA device plugin uses NVML bindings to get data regarding available NVIDIA devices and will expose them via Fingerprint RPC. GPUs can be excluded from fingerprinting by setting the ignored_gpu_ids field (see below).

The plugin now detects whether the GPU has MIG enabled. When enabled, all instances will be fingerprinted as individual GPUs that can be addressed accordingly.

The plugin is configured in the Nomad client's plugin block:

plugin "nvidia" {
  config {
    ignored_gpu_ids    = ["uuid1", "uuid2"]
    fingerprint_period = "5s"
  }
}

Quotas for device resources (Enterprise)

Nomad has supported resource quotas since version 0.7 as a mechanism to let users specify CPU, memory, or network resource limits for their tasks. Quotas are namespace- and region-scoped, and are an Enterprise-only feature. We are excited to extend the quotas to allow limiting device resources.

The quota is applied to a region and the quota limit now supports a device block.

name        = "default-quota"
description = "Limit the shared default namespace"

# Create a limit for the global region. Additional limits may
# be specified in-order to limit other regions.
limit {
  region = "global"
  region_limit {
    cores      = 0
    cpu        = 2500
    memory     = 1000
    memory_max = 1000
    device "nvidia/gpu/1080ti" {
      count = 1
    }
  }
  variables_limit = 1000
}

NUMA awareness for device resources (Enterprise)

Introduced in Nomad 1.7, non-uniform memory access (NUMA) awareness allows multi-core, latency-sensitive workloads to be scheduled by Nomad Enterprise with their memory locality in mind. NUMA-aware scheduling can greatly increase the performance of your Nomad tasks (for more information, see the Nomad CPU concepts documentation).

Nomad is able to correlate CPU cores with memory nodes and assign tasks to run on specific CPU cores so as to minimize any cross-memory node access patterns. With Nomad 1.9, we are expanding this functionality to also correlate devices to memory nodes and enable NUMA-aware scheduling to take device associativity into account when making scheduling decisions.

The resources block of the jobspec has been expanded to support listing a set of devices that must be scheduled with NUMA awareness:

resources {
  cores  = 8
  memory = 16384

  device "nvidia/gpu/H100" { count = 2 }

  device "intel/net/XXVDA2" { count = 1 }

  device "xilinx/fpga/X7" { count = 1 }

  numa {
    affinity = "require"
    devices  = [
      "nvidia/gpu/H100",
      "intel/net/XXVDA2"
    ]
  }
}

exec2 task driver (GA)

Nomad has always provided support for heterogeneous workloads. The first Nomad exec task driver provided a simple and relatively easy way to run binary workloads in a sandboxed environment. Then Nomad 1.8 introduced a new exec2 task driver in beta. Today, the exec2 task driver becomes generally available with full support in Nomad 1.9.

Similar to the exec driver, the new exec2 driver is used to execute a command for a task. However, it offers a security model optimized for running “ordinary” processes with very short startup times and minimal overhead in terms of CPU, disk, and memory utilization. The exec2 driver leverages kernel features such as the Landlock LSM, cgroups v2, and the unshare system utility. With the exec2 driver, tasks are no longer required to use filesystem isolation based on chroot, which enhances security and improves performance for the Nomad operator.

Below is a task that uses the new exec2 driver. The exec2 driver plugin must be installed on the Nomad client host before the task is run:

job "http" {
  group "web" {
    task "python" {
      driver = "exec2"
      config {
        command = "python3"
        args    = ["-m", "http.server", "8080", "--directory", "${NOMAD_TASK_DIR}"]
        unveil  = ["r:/etc/mime.types"]
      }
    }
  }
}

Golden job versions

Nomad 1.9 introduces a way to preserve and compare historical versions of a job. Prior to this, any change to a job would push older versions into garbage collection. Now, users can add a tag to versions of their jobs to prevent this. These tags also allow job versions to be compared by tag name, letting users see differences that may have taken place over time.

We’ve added new CLI commands nomad job tag apply and nomad job tag unset to add and remove VersionTags from job versions. They’re used like this:

nomad job tag apply -name="high-throughput" -description="Increased CPU and MEM settings" $jobID
nomad job tag unset -name="high-throughput" $jobID

We’ve also added -diff-version and -diff-name params to our nomad job revert command, letting users roll back a specified version:

nomad job revert difftester "high-throughput"

These same params have been added to the nomad job history command, making it possible to compare multiple versions to a version other than their predecessor.

nomad job history -p -diff-tag=$tagName $jobID

These CLI updates also have equivalent HTTP API endpoint changes and are reflected in the web UI.


We hope this feature gives users more confidence about prospective changes to a job and lets them observe the amount of “drift” that takes place among their long-running jobs.

Virt task driver (beta)

Nomad 1.9 introduces a new task driver for managing virtual machines based on the libvirt API, an open source API, daemon, and management tool for managing platform virtualization. It can be used to manage KVM, Xen, VMware ESXi, QEMU, and other virtualization technologies. This new capability expands Nomad’s ability to run any workload anywhere, including virtual machines.

The new Virt task driver offers the following capabilities:

  • Start and stop a virtual machine and run a process on it
  • Assign a workload identity to the running task inside the virtual machine
  • Pass configuration values from Vault or other services using consul-template
  • Mount host directories into virtual machines to provide the allocation and task directories inside them
  • Configure port forwarding from the Nomad node to the virtual machine
  • Access the running task through the task API

This new task driver is in beta and we are actively seeking feedback. We’d like to hear more about your use cases.

Improved IPv6 support

Improvements have been made to support Nomad’s IPv6 capabilities. We have tested and resolved some known issues with server-to-server and server-to-client communications. Additionally, we have tested the Nomad CLI and UI service integrations with Consul and Vault, workload identity, service registration, host networking, bridge networking, and the Docker driver. More work will likely need to be done with IPv6 support as we explore integrations with Consul service mesh.

Deprecations

Nomad 1.9 deprecates the following:

  • Nomad has removed support for HCL1 job specifications and the -hcl1 flag on nomad job run and other commands. Refer to GH-20195 for more details.
  • Nomad has removed the tls_prefer_server_cipher_suites agent configuration from the TLS block.
  • Nomad has removed support for Nomad client agents older than 1.6.0. Older nodes will fail heartbeats. Nomad servers will mark the workloads on Nomad client agents older than 1.6.0 as lost and reschedule them normally according to the job's reschedule block.
  • The LXC task driver and ECS task driver projects have been archived with the release of Nomad 1.9 and are no longer supported. Both plug-ins are maintained separately from the Nomad core project and are not subject to the LTS program.

Getting started with Nomad 1.9

Nomad 1.9 adds a variety of new features and enhancements. We encourage you to try them out:



from HashiCorp Blog https://ift.tt/gGPMcBv
via IFTTT

The Rise of Zero-Day Vulnerabilities: Why Traditional Security Solutions Fall Short

In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for cybercriminals.

A recent example is CVE-2024-0519 in Google Chrome: this high-severity vulnerability was actively exploited in the wild and involved an out-of-bounds memory access issue in the V8 JavaScript engine. It allowed remote attackers to access sensitive information or trigger a crash by exploiting heap corruption.

The zero-day vulnerability at Rackspace also caused massive trouble. This incident was a zero-day remote code execution vulnerability in ScienceLogic's monitoring application that led to the compromise of Rackspace's internal systems. The breach exposed sensitive internal information, highlighting the risks associated with third-party software.

Why Traditional Solutions Fail

Traditional security solutions such as Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), and Endpoint Detection and Response (EDR) often struggle against zero-day attacks. These tools usually rely on predefined rules, known signatures, or behavioral patterns to detect threats. However, zero-day attacks are inherently new, unknown, and unpredictable, so these reactive security measures are not enough.

The limitations of traditional security tools stem from their dependency on historical data and static detection mechanisms. For instance:

  • SIEM Systems: Aggregate and analyze log data based on predefined criteria. If an attack doesn't match a known signature, it goes unnoticed. The generation of a large number of false alarms in the SIEM also weakens the SOC team's effectiveness against "real" attacks.
  • IDS Tools: Monitor network traffic for suspicious activity using established patterns, and miss zero-day exploits that use new evasion techniques.
  • EDR Solutions: Rely on signatures and behavioral analysis, which are ineffective against zero-day vulnerabilities using novel attack vectors.

Their reactive approach often results in delayed detection—if it happens at all—leaving organizations exposed until after the damage is done. Moreover, advanced attackers increasingly use obfuscation, polymorphism, and file-less malware, which can bypass traditional security measures entirely.

You Need Proactive Security: Enter Network Detection and Response (NDR)

Given the limitations of traditional solutions, a proactive approach to security is essential. This is where Network Detection and Response (NDR) comes into play. Unlike conventional tools, NDR leverages machine learning and anomaly detection to identify irregular behaviors and suspicious activities, even without predefined rules.

By continuously analyzing network traffic and metadata, NDR can detect zero-day exploits early by identifying deviations from normal patterns. This approach significantly reduces the risk of severe impacts by providing early warnings and enabling faster incident response.

Key Features of an Effective NDR Solution

  • Real-Time Threat Detection: Continuous monitoring of network traffic metadata enables NDR to spot suspicious activities without relying on static signatures.
  • Advanced Machine Learning: Heuristic analysis and AI-driven algorithms identify novel attack vectors, minimizing the chances of missed detections.
  • Detailed Insights: NDR provides deep visibility into network activities, enabling security teams to respond swiftly and accurately to emerging threats.

For example, an NDR solution can detect a Command and Control (C2) channel set up by an intruder using a zero-day exploit by leveraging these key capabilities: first, the solution continuously monitors all network traffic, including metadata such as source and destination IPs, connection times and traffic volumes. If an intruder establishes a C2 channel, even if using encrypted channels, NDR can detect suspicious patterns such as unusual outbound traffic, unexpected spikes, or communication with rare or new external IPs. If a zero-day exploit is used to infiltrate the network, subsequent C2 communications will often show anomalous behavior such as beaconing, irregular-sized transfers, or specific timing (e.g. "phone home" signals).

Zero-Day Vulnerabilities

With the help of AI-driven algorithms, the NDR can analyze traffic patterns and detect even minor deviations from baseline network behavior. When a C2 channel is being set up, the tool can recognize atypical command sequences, traffic flows, or unusual communication protocols. Many C2 channels use techniques such as domain generation algorithms (DGA) or DNS tunneling to obfuscate communication.

An effective NDR solution with machine learning can detect such obfuscation by recognizing non-standard DNS queries or random domain patterns that differ from normal traffic. By correlating multiple indicators—such as unusual traffic after a system change (e.g. an unpatched zero-day exploit)—NDR can identify a potential C2 setup.

For example, if a device suddenly communicates with external hosts after executing a zero-day payload, this unusual activity would trigger alerts for further investigation. If an attacker uses a zero-day exploit to penetrate a system and establishes a C2 channel via a hidden technique such as DNS tunneling, the NDR solution can detect irregular DNS queries with patterns that deviate from typical query behavior (e.g., very long subdomain names, fast query intervals).

NDR also monitors connections to new or rare external IP addresses that the company has not previously interacted with and analyses anomalies in traffic that indicate attempts at data exfiltration or commands to compromised systems.
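The passages above list the indicators an NDR draws on for DNS-based C2: very long subdomains, random-looking labels, fast and regular query intervals, and domains the organization has never talked to before. The following is an added example of detection logic over DNS query logs, written for this page; it is not Exeon's code or any product's algorithm. The log lines, the "known domains" baseline, the registered-domain heuristic (last two labels, where a real deployment would use the Public Suffix List) and every threshold are constructed assumptions.

```python
import math
import statistics
from collections import defaultdict

# Detection thresholds: assumptions for this example, tune per environment.
MAX_SUBDOMAIN_LEN = 40    # characters of subdomain before we call it "very long"
MIN_LABEL_ENTROPY = 3.5   # bits per character; random-looking labels score near 4
BEACON_MIN_QUERIES = 5    # enough samples to judge interval regularity
BEACON_MAX_CV = 0.2       # coefficient of variation of inter-query gaps
FAST_INTERVAL_SEC = 2.0   # median gap below this counts as "fast query intervals"

# Constructed baseline: registered domains this environment has talked to before.
KNOWN_DOMAINS = {"example.com", "example.net"}

HEX = "0123456789abcdef"
# Constructed sample log, one query per line: "<epoch_seconds> <client_ip> <qname>".
# The tunnel-like queries carry 48-character hex labels built deterministically.
SAMPLE_LOG = "\n".join(
    ["1728950000 10.0.0.5 www.example.com",
     "1728950001 10.0.0.5 mail.example.com",
     "1728950002 10.0.0.7 cdn.example.net"]
    + [f"{1728950010 + i} 10.0.0.9 {(HEX[i:] + HEX[:i]) * 3}.tun.example.org"
       for i in range(6)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character; high values mean encoded/random-looking data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumption: registered domain is
    the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower()))
    return records


def analyze(records):
    """Group queries by (client, registered domain) and compute per-group features."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        sub, dom = split_qname(qname)
        groups[(client, dom)].append((ts, sub))
    feats = {}
    for key, items in groups.items():
        items.sort()
        subs = [s for _, s in items]
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        feats[key] = {
            "queries": len(items),
            "mean_sub_len": statistics.mean([len(s) for s in subs]),
            "mean_entropy": statistics.mean([shannon_entropy(s.replace(".", "")) for s in subs]),
            "median_gap": statistics.median(gaps) if gaps else None,
            "gap_cv": cv,
        }
    return feats


def alerts(feats):
    """Alert only when at least two indicators corroborate; a single one is noisy."""
    out = []
    for (client, dom), f in feats.items():
        reasons = []
        if f["mean_sub_len"] > MAX_SUBDOMAIN_LEN:
            reasons.append("long subdomains")
        if f["mean_entropy"] >= MIN_LABEL_ENTROPY:
            reasons.append("high-entropy labels")
        if f["queries"] >= BEACON_MIN_QUERIES and f["gap_cv"] is not None and f["gap_cv"] <= BEACON_MAX_CV:
            reasons.append("regular beaconing")
        if f["median_gap"] is not None and f["median_gap"] < FAST_INTERVAL_SEC:
            reasons.append("fast query interval")
        if dom not in KNOWN_DOMAINS:
            reasons.append("previously unseen domain")
        if len(reasons) >= 2:
            out.append({"client": client, "domain": dom, "reasons": reasons})
    return out


def detect(log_text: str):
    return alerts(analyze(parse_log(log_text)))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Requiring two corroborating indicators is the design choice worth noting: the benign client that made two quick lookups to a known domain trips the "fast interval" check alone and is correctly left silent, while the tunnelling client trips every check at once.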

Protect Your Organization Against Zero-Day Threats!

Zero-day vulnerabilities represent one of the most challenging security threats today. Traditional solutions, designed for known threats, cannot keep up with the evolving tactics of cybercriminals. Adopting advanced solutions like NDR is essential for modern organizations seeking to stay ahead of these threats and protect their critical assets.

Discover how advanced Network Detection and Response (NDR) can provide proactive defense against sophisticated cyberattacks. Download our comprehensive APT Whitepaper now to learn how Exeon's AI-powered NDR solution can help you detect and mitigate emerging threats.

To see how NDR acts in your corporate network, and precisely how it detects and responds to advanced threats, watch our recorded threat detection video.

This article is a contributed piece from one of our valued partners.



from The Hacker News https://ift.tt/wCQf831
via IFTTT

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Oct 15, 2024 | Ravie Lakshmanan | Threat Detection / Malware

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates.

French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma.

Hijack Loader, also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive.

HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 -

  • A PowerShell script that leverages mshta.exe to execute code hosted on a remote server
  • A remotely-hosted PowerShell script that's directly executed via the Invoke-Expression cmdlet (aka iex)
  • A PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL

The ZIP archive, for its part, includes a genuine executable that's susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that's to be loaded instead.

"The purpose of the sideloaded HijackLoader DLL is to decrypt and execute an encrypted file which is provided in the package," HarfangLab said. "This file conceals the final HijackLoader stage, which is aimed at downloading and executing a stealer implant."

The delivery mechanism is said to have changed from DLL side-loading to using several signed binaries in early October 2024 in an attempt to evade detection by security software.

It's currently not clear if all the code-signing certificates were stolen or intentionally generated by the threat actors themselves, although the cybersecurity firm assessed with low to medium confidence that it could be the latter. The certificates have since been revoked.

"For several issuing certificate authorities, we noticed that acquiring and activating a code-signing certificate is mostly automated, and only requires a valid company registration number as well as a contact person," it said. "This research underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness."

The development comes as SonicWall Capture Labs warned of a surge in cyber attacks infecting Windows machines with a malware dubbed CoreWarrior.

"This is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses, opening multiple sockets for backdoor access, and hooking Windows UI elements for monitoring," it said.

Phishing campaigns have also been observed delivering a commodity stealer and loader malware known as XWorm by means of a Windows Script File (WSF) that, in turn, downloads and executes a PowerShell script hosted on paste[.]ee.

The PowerShell script subsequently launches a Visual Basic Script, which acts as a conduit to execute a series of batch and PowerShell scripts to load a malicious DLL that's responsible for injecting XWorm into a legitimate process ("RegSvcs.exe").

The latest version of XWorm (version 5.6) includes the ability to report response time, collect screenshots, read and modify the victim's host file, perform a denial-of-service (DoS) attack against a target, and remove stored plugins, indicating an attempt to avoid leaving a forensic trail.

"XWorm is a multifaceted tool that can provide a wide range of functions to the attacker," Netskope Threat Labs security researcher Jan Michael Alcantara said.




from The Hacker News https://ift.tt/itfAj1Q
via IFTTT

Monday, October 14, 2024

Ask a Techspert: What is on-device processing?

Here’s a breakdown of on-device processing and how we're working to make your devices better with local AI features.

from AI https://ift.tt/5i0uCH1
via IFTTT

Enhancing Security and User Experience: Mandating the Native Citrix Workspace App

As an admin responsible for managing the user experience across your organization, ensuring secure and reliable access to applications and desktops is one of your top priorities. However, you may be facing a significant challenge: users accessing Citrix apps through third-party browsers, exposing them to vulnerabilities.

You’ve likely put in significant effort encouraging your users to switch from third-party browsers to the native Citrix Workspace app. Despite your best efforts, many users continue to access Citrix apps through browsers, leaving them exposed to security risks and creating challenges for you in providing a consistent and reliable experience. The lack of an enforceable solution might have led you to give up on mandating this change—until now. With Citrix’s new capability to enforce the use of the native app, you have the power to ensure that your users access their apps and desktops securely and efficiently, without the vulnerabilities and inefficiencies of browser-based access.

This feature allows administrators to mandate the use of the native Citrix Workspace app, effectively eliminating the option for users to access the Citrix Workspace web client through browsers. This shift is designed for customers who want to leverage the full benefits of the native app, which include enhanced security, improved performance, better troubleshooting, and a seamless user experience.

How It Works

When this feature is enabled, users attempting to access their Citrix stores via a browser are prompted to open the native app instead. Users will be blocked from accessing and launching resources via the web client. The store URL is automatically added to the native app, facilitating an easier transition. This functionality is available across multiple platforms, including Windows, Mac, Android, and iOS, ensuring broad compatibility for users.

For customers using Linux and ChromeOS, manual store addition is required as automatic store addition is not supported on these platforms.

Configuration

Admins can enforce the use of the native Citrix Workspace app through Citrix Cloud by configuring key settings. To do this, navigate to Workspace Configuration > Customize > Preferences. Under the Store access section, select ‘Require end users to access their store from the Citrix client app’. Additionally, you can enable ‘Prompt end users to download Citrix Workspace app’ to ensure users are guided to install the app if it’s not already installed on their device.

Image shows ‘Store access’ settings options. There are two options: ‘Require end users to access their store from the Citrix client app’ and ‘Allow end users to access their store from the Citrix client app or web browser’

Enforce native app configuration setting

Admins can also choose which version of the Citrix Workspace app users should download. You can either prompt them to download the latest version or provide a specific URL for a version suited to your organization’s needs. 

End User Experience

Once you mandate the use of the native Citrix Workspace app, users attempting to access Citrix via a browser will encounter a web page prompting them to transition to the native app. This ensures a streamlined and secure experience, as users will no longer be able to launch apps or desktops through third-party browsers.

Image shows a prompt page for users. The page states that the Citrix Workspace app is required to access resources. There is a button to open the Citrix workspace app.

End user prompt to use the native Citrix Workspace app

If the native Citrix Workspace app is already installed on their device, the app will open immediately, providing a seamless transition. If the app isn’t installed, users will see additional options, such as copying the store URL to manually add it to the native app or downloading the Citrix Workspace app, based on how you’ve configured the download settings.

Image shows a prompt page for users. The page states that the Citrix Workspace app is required to access resources. There is a button to open the Citrix Workspace app. Below the button there is a section for users who already have the app installed. It prompts them to either copy the store URL, install the app, or open a step-by-step guide if the user is having issues.

User prompt to download the Citrix Workspace app

For the automatic store addition feature to work seamlessly, Windows users need Citrix Workspace app version 2405 (where the feature is in preview) or 2409 (GA), Mac users need version 2405 or later, and Android and iOS users need version 24.9 or later.

More details about the configuration on the different clients and preview enablement on Windows 2405 can be found in our product documentation.

Learn more

Mandating the use of the native Citrix Workspace app not only enhances security and performance for your users but also simplifies their access to applications and desktops. This feature is currently available for Citrix Cloud workloads, and will be available for Citrix Virtual Apps and Desktops workloads starting in 2411.

Your feedback is invaluable to us—please share your experiences, challenges, and any suggestions you may have regarding the enforcement of the native app. Together, we can continue to improve user experiences and strengthen security across your organization.


Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.



from Citrix Blogs https://ift.tt/e6mjbGR
via IFTTT

pfSense Software Takes Home 35 Awards in the G2 Fall 2024 Report


pfSense® software from Netgate® received 35 awards in the G2 Fall 2024 report. G2 is a technology review platform where businesses can find and compare software solutions based on user reviews and ratings. pfSense software has been recognized across various business segments and performance areas, with Enterprise, Mid-Market, and Small Business awards in categories such as Best Results, Best Relationship, Best Usability, and Most Implementable for both the Firewall Software and Business VPN groups.

G2 awards are based on reviews by real users. Our numerous awards indicate that we continue to provide high-performance and affordable firewall, VPN, and routing solutions. Placing first in many of these categories further validates that our work is important and appreciated. We are honored to receive these awards and grateful to our customers for your support. Thank you–we couldn't have done it without you!


Top pfSense Software Awards

  • #1 Small-Business Europe Regional Grid® Report for Business VPN 
  • #1 Small-Business Grid Report for Business VPN 
  • #1 Grid® Report for Business VPN 
  • #1 Implementation Index for Firewall Software 
  • #1 Small-Business Implementation Index for Firewall Software 
  • #1 Small-Business Relationship Index for Business VPN 
  • #1 Small-Business EMEA Regional Grid Report for Business VPN 
  • #1 Small-Business Relationship Index for Firewall Software 
  • #1 Relationship Index for Firewall Software 
  • #1 Small-Business Usability Index for Firewall Software 
  • #1 Small-Business Results Index for Business VPN 
  • #1 EMEA Regional Grid Report for Business VPN 
  • #1 Small-Business Results Index for Firewall Software 
  • #1 Europe Regional Grid Report for Business VPN 
  • #1 Relationship Index for Business VPN 
  • #1 Results Index for Firewall Software 
  • #1 Momentum Grid Report for Business VPN 
  • #1 Small-Business Grid Report for Firewall Software

Other Notable pfSense Software Awards

  • #2 Grid Report for Firewall Software 
  • #2 Mid-Market Grid Report for Firewall Software 
  • #2 Enterprise Grid Report for Business VPN 
  • #2 Implementation Index for Business VPN 
  • #2 Small-Business Implementation Index for Business VPN 
  • #2 Momentum Grid Report for Firewall Software 
  • #2 Mid-Market Results Index for Firewall Software 
  • #2 Results Index for Business VPN 
  • #2 Mid-Market Results Index for Business VPN 
  • #2 Usability Index for Firewall Software 
  • #2 Mid-Market Usability Index for Firewall Software 
  • #2 Small-Business Usability Index for Business VPN 
  • #2 Mid-Market Relationship Index for Firewall Software 
  • #2 Enterprise Relationship Index for Firewall Software 
  • #2 Mid-Market Relationship Index for Business VPN 
  • #2 Mid-Market Asia Regional Grid Report for Firewall Software 
  • #2 Mid-Market Asia Pacific Regional Grid Report for Firewall Software 
  • #2 EMEA Regional Grid Report for Firewall Software 
  • #2 Europe Regional Grid Report for Firewall Software

About pfSense Software

The world’s leading open-source-driven firewall, router, and VPN solution for network edge and cloud secure networking, pfSense software is the world’s most trusted firewall. The software has garnered the respect and adoration of users worldwide. pfSense software is made possible by open-source technology and made into a robust, reliable, dependable product by Netgate.

Get pfSense Plus Today

About Netgate

Netgate is dedicated to developing and providing secure networking solutions to businesses, government, and educational institutions worldwide. Netgate is the only provider of pfSense products, which include pfSense Plus and pfSense Community Edition software. TNSR® software extends the company’s open-source leadership and expertise into high-performance secure networking, capable of delivering compelling value at a fraction of the cost of proprietary solutions.



from Blog https://ift.tt/0dRr9Me
via IFTTT

Seize the Moment: Why Now is the Time to Automate Application Packaging

In the world of technology, change is the only constant. As Microsoft prepares to end support for Windows 10 and App-V (Application Virtualization), businesses face a critical crossroads. The end-of-life (EOL) announcements for these widely adopted technologies are not just technical milestones but a shift in how applications are packaged, managed, and deployed. This impending change is a convergence of events that present challenges and opportunities with the potential for significant transformation and growth.

Fortunately, this also presents an opportunity to embrace more efficient application management through modern technologies like Microsoft MSIX, automated packaging tools such as appCURE, and deployment solutions with Citrix App Packages. These solutions can help organizations navigate the upcoming EOLs while ensuring smoother, faster, and more secure application delivery. MSIX offers improved security, faster installation and update times, and better compatibility. Automated packaging tools like appCURE can significantly reduce the time and effort required for application packaging, making the transition to MSIX more manageable. Paired with Citrix App Packages, businesses can deliver apps to end users more efficiently, regardless of their device or platform.

Windows 10 and App-V End-of-Life: What You Need to Know

With Microsoft’s announcement that Windows 10 will reach end-of-life in October 2025, there is intense pressure to transition to Windows 11. This deadline is not a distant event, and it demands immediate attention. App-V, a long-standing pillar of virtualized application deployment, is also reaching its EOL, which adds to the urgency. The simultaneous end-of-life for Windows 10 and App-V creates a dual challenge that cannot be ignored:

  • Security vulnerabilities: Windows 10 and App-V will no longer receive patches after EOL, exposing systems to potential threats. 
  • Compatibility issues: As businesses move to Windows 11, applications packaged for App-V may no longer work seamlessly, creating operational disruptions.
  • Legacy Support: Maintaining older platforms becomes significantly more costly as support resources dwindle and new software requires updated environments. 

The potential risks of not modernizing are clear, and the time to act is now. But how do businesses efficiently convert their existing applications packaged with App-V to MSIX? This is where automation tools such as appCURE and deployment solutions like Citrix App Packages come in.

appCURE

appCURE simplifies the transition from legacy application formats such as .EXE, App-V, or MSI to MSIX. appCURE automates the packaging of applications into MSIX, drastically reducing the time and labor involved. Its automation capabilities allow IT teams to convert many applications at once, making it scalable for enterprises. appCURE can help businesses move their legacy app ecosystem to a modern format without service interruptions.

appCURE has recently added integration with Citrix DaaS and Citrix Virtual Apps and Desktops 2402 LTSR or later to appCURE Studio. This integration allows application packagers to create Citrix App Package Sources and upload MSIX and MSIX app-attach applications, simplifying the process.

A screenshot of the appCURE Studio interface: on the left, options for Citrix integration (profiles, server input, authentication, and configuration settings); on the right, an upload section.

appCURE Integration with Citrix DaaS and Citrix Virtual Apps and Desktops

Citrix App Packages

While appCURE helps with packaging and transforming applications, Citrix App Packages complement this by enhancing how those applications are delivered in virtual and hybrid environments. 

Why Citrix App Packages matter:

  • Seamless Integration with MSIX: Citrix App Packages can work with MSIX packages to ensure applications are delivered quickly and securely in virtualized environments. This makes it ideal for businesses transitioning from App-V to MSIX.
  • Enhanced User Experience: Citrix App Packages offer users a native-like experience when accessing applications through virtual desktops, regardless of the underlying infrastructure.
  • Scalability for Enterprise: Citrix App Packages are designed for scalability, making it easy to manage hundreds or thousands of virtual applications without compromising performance or security.
  • Simplified Management: By integrating Citrix with MSIX, businesses can streamline app deployment, update processes, and lifecycle management across diverse environments, including cloud and hybrid settings.

appCURE and Citrix App Packages Demo

In this demo, a set of applications were successfully packaged, remediated, secured, and deployed using a combination of appCURE CLI, appCURE Studio, and Citrix App Packages. This end-to-end workflow showcased the efficiency and security of modern application packaging and deployment processes designed to meet enterprise IT needs.

With Citrix App Packaging and appCURE, applications can be packaged quickly, securely, and seamlessly deployed to any Citrix resources. This process would significantly reduce the overhead for IT teams managing large application portfolios while ensuring that applications are secure, functional, and easy to maintain throughout their lifecycle.

Conclusion: Seize the Moment

The upcoming end-of-life for Windows 10 and App-V marks a pivotal moment for organizations that rely on these technologies. However, this also presents an opportunity to modernize IT infrastructure and embrace more efficient processes through automation and MSIX. By automating the application packaging process, businesses can accelerate their transition to MSIX, improve security, and streamline operations, all while preparing for the future of computing.

Now is the time to start planning. With the right tools and strategies, your business can navigate this transition and emerge stronger than ever.

Learn more about Citrix App Packages on our product documentation and take advantage of the capabilities to simplify your overall application management strategy! If you have any questions or feedback, please share them in the comments below or contact your Citrix representative.


Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.



from Citrix Blogs https://ift.tt/S4HXfor
via IFTTT