What You Need to Know About ESET

	ESET PROTECT is an endpoint security platform offering different tiers of detection and response functionality. Through its extended detection and response (XDR) solution, ESET PROTECT Elite, customers receive email, network, and server protection.
Overall Rating: 4.4/5 • Pricing: 4.5/5 • Core features: 4.1/5 • Advanced features: 3.9/5 • Ease of use: 4.5/5 • Administration: 4.3/5 • Customer support: 5/5	Pros	Cons
	Multiple tiers for growing teams	Lacks some features that its competitors have
	Multiple support channels	Poor MITRE independent testing results
	On-prem and cloud deployment options	Limited customer training videos

Continue reading my ESET review for more information about the PROTECT platform, or skip down to see how I evaluated ESET and its features, pricing, and administrative capabilities.

Who Should Use ESET?

ESET is a strong choice for businesses looking for a comprehensive cybersecurity platform and multiple support channels. It’s also a good option if you want to scale your organization’s endpoint protection capabilities over time.

Consider ESET if you’re one of the following:

• Organizations needing the full package: Through ESET LiveSense, the PROTECT platform offers features like threat hunting, rogue device management, machine learning, and sandboxing.
• Teams that want plenty of support channels: ESET offers phone, email, and live chat support, which is rare for vendors in the endpoint detection and response market.
• Businesses that need to scale: If you’re a smaller organization and don’t need full XDR capabilities yet, consider ESET — once you’re able to scale, you can upgrade your plan as needed.

Who Shouldn’t Use ESET?

While ESET is a strong EDR and XDR solution, it may not be an ideal choice if you’re looking for one of the major players in the endpoint security field. It’s also not the best for advanced security policies or quarantine features.

Consider other options if you fall into one of these categories:

• Customers looking for a top-five EDR: If you’re a large enterprise hoping to purchase the likes of Palo Alto or a higher scorer in independent testing like MITRE, you may want to look elsewhere.
• Security teams that want training videos: ESET doesn’t offer as many training videos for new users as some of its competitors.
• Admins that need advanced quarantine capabilities: ESET can quarantine files, but it may lack further endpoint isolation options.

If you’d like to see a broad selection of security vendors, read our list of the best cybersecurity companies in the industry, which includes Rapid7 and Proofpoint.

ESET Pricing

If you need the most basic protection for endpoint devices and servers, ESET PROTECT Entry should be sufficient. But if your business wants features like mobile defense or cloud app protection, look at the Advanced or Complete plans. Elite adds XDR, and finally, ESET PROTECT MDR provides the most intensive support with managed detection and response. ESET is a great solution for SMBs that want to scale their endpoint security over time.

5 Key Features of ESET

In this ESET review, I looked at five XDR features, including vulnerability management, protection for cloud apps, security policies, dashboards, and LiveGuard Advanced for examining malicious samples.

Vulnerability & Patch Management

Offered in ESET PROTECT Complete and higher, the vulnerability and patch management module helps security teams track vulnerabilities within their business. The module categorizes vulnerabilities by the severity of risk presented, and it shows how recently computers have been scanned for issues. The module also shows security admins, which of the applications they use are the most vulnerable. ESET also allows you to configure automatic software patching.

Cloud Application Security

ESET’s Cloud Office Security module offers features like anti-spam, sandboxing, and email and file quarantine for Microsoft 365 and Google Workspace environments. Security teams can view which users receive the most spam emails and malware. ESET also shows teams whether users are unprotected, so they can immediately work with those users. Cloud Office Security can be purchased separately or used as a module within the PROTECT platform.

Security Policy Management

ESET PROTECT allows security admins to create policies that determine how their business handles firewall rules, problematic endpoint devices, and logging. Policies are one of the most useful tools for cybersecurity management because they help teams customize exactly how stringent their security will be. ESET PROTECT supports a variety of policies and lets teams create their own in its web console.

Dashboard & Charts

Visualizing threat patterns and endpoint weaknesses is critical for security teams, especially ones overwhelmed by manual work, and ESET PROTECT’s dashboard will help you track the concrete steps you need to take. Its charts provide an overview of the devices within your organization and whether they’re updated to the most recent software version. The dashboard shows tabs for different modules and features so you can easily navigate amongst them.

ESET LiveGuard Advanced

ESET LiveGuard Advanced is an automated cloud-based sandbox that performs behavioral analysis and inspection of malware. This tool directly counters zero-day threats and ransomware strains by investigating suspicious traffic before it enters the network. The sandbox simulates actual machine behavior for all physical and virtual hosts, giving malicious files the chance to launch in an isolated environment while critical segments stay protected.

ESET Ease of Use

ESET earned a high score from me because it offers multiple usability features, including product documentation for PROTECT and a single pane of glass management console. ESET also works on all three major computer operating systems, as well as Android and iOS devices. I took off points for no customer training videos, which could be a downside for inexperienced teams or security personnel who have never used an EDR solution before.

ESET Customer Support

Its selection of customer support channels is where ESET really stands out. It offers phone, live chat, and email to customers, which is unusual for a major EDR vendor. Both of ESET’s premium support tiers are available 24/7, but critical severity response time will be the fastest, with a two-hour response time. Recent customer reviews have overall positive comments about the support team’s general helpfulness and responsiveness.

	ESET Premium Support Essential	ESET Premium Support Advanced
Support Hours of Availability	24/7	24/7
Phone
Email
Live Chat
Dedicated Account Manager

Alternatives to ESET PROTECT

ESET is a good choice for many businesses, but it might not be the best for your organization’s needs. If you want a different platform, consider Sophos Intercept X, Bitdefender GravityZone, CrowdStrike Falcon, or Trend Micro Vision One. These are all strong endpoint detection and response platforms, and they’re more well known than ESET, if you’re looking for a chart-topping security platform.

Sophos Intercept X

Sophos Intercept X is an endpoint security and XDR solution that, like ESET, is ideal for smaller organizations, with features like device encryption. However, it still offers advanced capabilities for larger businesses, including behavioral analytics and threat hunting. Sophos is widely regarded as an easy-to-use security platform, which makes it a good choice for less experienced teams.

Sophos doesn’t provide direct pricing for Intercept X on its website; potential buyers can request a quote. Sophos also offers a 30-day free trial for Intercept X.

Bitdefender GravityZone

Bitdefender GravityZone is a threat prevention and remediation solution for businesses that includes incident analysis and forensics capabilities. While it’s not presented as an XDR solution, GravityZone offers some features comparable to ESET’s, including risk management and sandboxing.

GravityZone costs around $570 per year for 10 devices, which is most comparable to ESET PROTECT Advanced. For more than 100 devices, Bitdefender requires potential customers to submit a pricing request.

CrowdStrike Falcon

CrowdStrike Falcon is a popular endpoint security platform that offers features like automated remediation, behavioral analytics, and quarantine. Like ESET, you can start with a tier that offers more basic endpoint protection features, or you can go all the way to Falcon Insight, CrowdStrike’s XDR solution.

CrowdStrike’s most basic plan, Falcon Go, starts at $59.99 per year and includes next-gen antivirus and device control. The third plan, Falcon Enterprise, starts at $184.99 per device annually and adds EDR coverage and threat intelligence. CrowdStrike offers a 15-day free trial for the Falcon platform.

Trend Micro Vision One

Trend Micro’s Vision One platform combines XDR and attack surface management in a comprehensive platform. It helps protect email, networks, cloud, and container environments. It’s a good choice for both smaller businesses and large enterprises, with a managed service offering that will benefit teams that don’t have a lot of experience.

Trend Micro offers pricing for the Vision One platform through resellers, including the Amazon Web Services Marketplace, which prices it by credits. A single credit on a 12-month contract costs $1.05.

If none of these sound like the right fit, check out our guide to the best business antivirus solutions, which also includes Malwarebytes and Microsoft.

How I Evaluated ESET PROTECT

To evaluate ESET as an endpoint security solution, I developed a product scoring rubric to review the PROTECT platform. I chose six major categories that are important for an EDR platform, which were my main rubric criteria. Each category had multiple subcriteria, which included individual features and pricing plans. How well ESET PROTECT met all of my subcriteria earned it an overall score of 4.4 out of 5.

Evaluation Criteria

I first looked at ESET’s core EDR and threat features, like device control, vulnerability management, and incident quarantine. Then I considered ease of use, including documentation and operating system support. I also examined pricing, including ESET’s different plans, and administrative features like dashboards and APIs. I evaluated ESET’s customer support channels, and finally, I looked at advanced features like forensics and sandboxing.

• Core features (25%): This category evaluated ESET’s major XDR features, including threat intelligence, risk scoring, and cloud application protection.
  • Score: 4.1/5
• Ease of use (20%): I analyzed usability features like a knowledge base, training videos, and the availability of a managed service.
  • Score: 4.5/5
• Pricing (15%): This category covered ESET’s different pricing tiers, as well as the availability of a free trial.
  • Score: 4.5/5
• Administration (15%): I evaluated features like dashboards and charts, APIs, identity management integrations, and deployment options.
  • Score: 4.3/5
• Customer support (15%): I looked at ESET’s customer support channel options, including phone, email, and live chat, as well as product demos.
  • Score: 4.5/5
• Advanced features (10%): I considered ESET’s nice-to-have security features, like custom detection rules, automated remediation, and forensics.
  • Score: 3.9/5

Bottom Line: Consider ESET as an Endpoint Security Platform

ESET is a strong choice for businesses that want to start with an endpoint security solution that only has a few modules, with the option to scale to an XDR or MDR plan later. The PROTECT platform offers a variety of advanced security capabilities and helps businesses secure their digital infrastructure, including cloud applications and networks. Consider which security features are most critical for your business’s needs before selecting an ESET PROTECT tier.

If you’re interested in a product focused on analytics, check out our list of enterprise user and entity behavioral analytics tools.

The post ESET PROTECT Review: Prices, Features & Benefits appeared first on eSecurity Planet.

• Norton 360: Better solution for ease of use and customer support ($29.99+ for a single device)
• McAfee Total Protection: Better for privacy and data cleanup features ($29.99+ for a single device)

Norton vs McAfee at a Glance

The following table covers Norton’s and McAfee’s similarities and differences, looking specifically at pricing plans, features, and operating system support.

Annual Price	• Norton Antivirus Plus: $29.99 (1 device) • Norton 360 Standard: $39.99 (1 device) • Norton 360 Deluxe: $49.99 (5 devices) • Norton 360 with LifeLock: $99.99 (10 devices)	• McAfee Basic: $29.99 (1 device) • McAfee Essential: $39.99 (5 devices) • McAfee Premium: $49.99 (unlimited) • McAfee Advanced: $89.99 (unlimited) • McAfee Ultimate: $199.99 (unlimited)
Supported Operating Systems	Windows, Mac, Android, iOS	Windows, Mac, Android, iOS
Number of Devices Supported	1-10 (depending on plan)	1-unlimited (depending on plan)
Ransomware Protection	Yes	No
VPN Feature or Add-On	Yes	Yes
Identity Theft Monitoring	Yes	Yes
	Visit Norton	Visit McAfee

Through my comparison of the two, I found that Norton is the better overall solution, with plenty of device and identity security features, training videos for customers, and multiple support channels. However, McAfee is still a solid choice, especially if you’re looking for plenty of financial and credit monitoring features. Continue reading to learn more about each product, or skip down to see how I compared Norton and McAfee.

Norton Overview

Better for Ease of Use & Customer Support

Overall Rating: 4.2/5

• Pricing: 3.7/5
• Core features: 3.5/5
• Advanced features: 4.3/5
• Ease of use and admin: 4.4/5
• Customer support: 5/5

Norton Antivirus and Norton 360 are antivirus and security plans for consumers to protect up to 10 devices, including phones and tablets. Aside from antivirus, Norton offers ransomware and hacking protection, privacy monitoring, and a VPN. On the usability side, it supports Mac, Windows, Android, and iOS devices. Norton has multiple training videos and help articles for using the software, and it offers phone, email, and chat options for customer support.

Pros & Cons

Key Features

• Dark web monitoring: Norton scans the dark web for customers’ personal information in case it’s been exposed.
• Parental controls: A good feature for families, Norton’s controls allow parents to set internet time limits for children and filter the web content they can see.
• Password manager: Norton generates strong passwords and syncs logins across all your protected devices.
• Privacy monitoring: Norton searches data broker websites for your personal data so you know where you can request to opt out of having your data exposed.
• Credit and financial protection: The most expensive plan offers credit monitoring coverage for one credit bureau and limited reimbursement for stolen funds.

If you’re looking to protect your entire home network, learn more about overall network security.

McAfee Overview

Better for Privacy & Data Cleanup Features

Overall Rating: 3.8/5

• Pricing: 4.7/5
• Core features: 3.3/5
• Advanced features: 4.3/5
• Ease of use and admin: 2.9/5
• Customer support: 4.4/5

McAfee Total Protection is a set of five consumer security plans that include antivirus, web protection, and safety scores. Even McAfee’s most basic plan includes a VPN, identity monitoring, and text scam detection. I recommend McAfee if you’re looking for features like social media privacy, personal data monitoring, and scans of old internet accounts. It helps consumers manage their data privacy and remove information that doesn’t need to be exposed.

Pros & Cons

Key Features

• McAfee Protection Score: Total Protection gives you an overall cybersecurity safety score and recommendations to improve your cyber health.
• Social Privacy Manager: McAfee helps you quickly adjust your privacy settings on social media based on your frequency of use.
• Bank transaction monitoring: McAfee sends customers alerts if it finds suspicious activity in their accounts.
• Credit monitoring: Users receive monthly credit score updates and monitoring through one credit bureau, as well as temporary security freezes as needed.
• Data cleanup: McAfee searches for your information on data broker sites to help you request removal from the sites.

Better for Pricing: Tie

Basic Plan	Norton Antivirus Plus: $29.99	McAfee Basic: $29.99
Mid-Range Plans	• Norton 360 Standard: $39.99 • Norton 360 Deluxe: $49.99	• McAfee Essential: $39.99 • McAfee Premium: $49.99
Highest-Priced Plans	Norton 360 with LifeLock: $89.99	• McAfee Advanced: $89.99 • McAfee Ultimate: $199.99
Free Trial	7 days	30 days
	Visit Norton	Visit McAfee

Winner: Norton and McAfee have extremely similar pricing for their antivirus plans.

Norton’s standard plan, Antivirus Plus, includes basic AV features for one device. Norton 360 Deluxe is only $10 more expensive per year than Norton 360 Standard; because it adds privacy monitoring and parental controls, it may be worth it to spring for that Deluxe. Finally, Norton 360 with LifeLock is where Norton’s identity monitoring features come into play. For its antivirus and 360 plans, Norton offers a seven-day free trial.

McAfee Essential offers web browsing protection, VPN, and identity monitoring. McAfee Premium adds data cleanup features. For basic identity needs, McAfee Essential or Premium should be sufficient. But if you want more, McAfee Advanced adds identity theft coverage, credit card transaction monitoring, and credit score updates. McAfee Ultimate has the largest feature bundle, but most users will find that Advanced covers their needs.

Better for Core Features: Norton

Antivirus	Yes	Yes
Anti-Ransomware	Yes	No
Web Browsing Protection	Unclear	Yes
Dark Web Monitoring	Yes	Yes
Data Cleanup	No	Yes
Parental Controls	Yes	No
Webcam Threat Detection	Limited	No
Text Scam Detection	No	Yes
	Visit Norton	Visit McAfee

Winner: Both plans offer a comparable number of features, but Norton gets the slight edge in my evaluation for offering customers just a bit more.

Norton 360 offers basic antivirus and ransomware protection, as well as parental controls and dark web monitoring. Norton also offers web browsing protection, but it’s not particularly clear about which product the feature belongs to. If you need to detect or remove rootkits, check out Norton Power Eraser — it’s not part of Norton 360, but it’s a completely free tool. Norton 360 lacks text scam detection, but again, Norton does offer a free detection tool, Genie.

McAfee’s key features include antivirus, web browsing protection, and dark web monitoring. Other features to highlight are data cleanup, which sends requests to online services to take down your personal information, and text scam detection. McAfee is unclear about ransomware protection features, and it also doesn’t seem to offer ad blocking or anti-tracking. It doesn’t specify which plans offer parental controls.

Better for Advanced Features: Tie

VPN	Yes	Yes
Password Manager	Yes	Yes
Privacy Management	Privacy monitoring	Social Privacy Manager
Identity Theft Monitoring	Yes	Yes
Anti-Spyware	No	No
Security Assessments	Unclear	No
	Visit Norton	Visit McAfee

Winner: Norton and McAfee offer comparable integrations and advanced antivirus capabilities.

Norton has a password manager in all of its Antivirus plans, and all the 360 plans also have a VPN. Other nice-to-have features include privacy monitoring and identity theft monitoring. For advanced consumer identity protection, Norton is a great choice — it also offers fraud detection features. Norton doesn’t have spyware protection; I recommend looking at business antivirus products if that’s a priority for you.

McAfee’s selection of integrations and advanced features is very similar. Like Norton, the Total Protection plans include a VPN and password manager. McAfee’s Social Privacy Manager is a particularly good option for customers who use social media frequently and want to protect their online presence; I recommend this for freelancers who work with social channels. McAfee also doesn’t offer spyware detection.

Better for Ease of Use & Administration: Norton

Supported Computer Operating Systems	Windows and macOS	Windows and macOS
Supported Mobile Operating Systems	iOS and Android	iOS and Android
Number of Devices	Up to 10	Unlimited
Documentation	Yes	Limited
Training Videos	Yes	No
	Visit Norton	Visit McAfee

Winner: Norton wins here for its consumer support articles and training videos.

You can install Norton’s antivirus and 360 plans on Windows and Mac computers and iOS and Android devices. The most extensive plan, Norton 360 with LifeLock, supports up to 10 devices. Norton also offers support articles, which provide instructions ranging from VPN installation to renewing an expired subscription. And Norton’s training videos could be especially helpful for users who aren’t as tech-savvy or have never installed an antivirus solution before.

McAfee can be installed on Windows and Mac computers and iOS and Android phones, like Norton. Its Advanced and Ultimate plans support unlimited devices for a single user; this is especially helpful for freelancers who use a lot of different devices. I didn’t see much user documentation or training videos in my evaluation of McAfee; it might be a bit more challenging for some users to learn without that extra visual aid.

Better for Customer Support: Norton

Phone	Yes	Yes
Email	Yes	No
Live Chat	Yes	Yes
24/7 Support	Yes	Yes
Community Forum / Support Center	Yes	Yes, but check for outages
	Visit Norton	Visit McAfee

Winner: Norton’s three support channels gave it the edge in my comparison.

Norton offers phone support and estimates a five-minute wait for calls. It also has email and live chat options; live chat is reportedly available 24/7. Providing all three major support channels is impressive, particularly for a consumer product. Norton has a support community forum as well; users can submit questions or issues they’re having with their products, and other users or Norton experts can answer.

McAfee’s main support channels are phone and live chat. Both are available 24/7. While McAfee doesn’t appear to offer email support, phone and live chat tend to be faster channels and more useful in outages or emergencies. McAfee does seem to have an online support community, but it’s currently taken down for improvements without a clear end date, so take that into consideration if an active forum is important to you.

Who Shouldn’t Use Norton or McAfee

Norton and McAfee are both strong antivirus options for consumers and freelancers. But they aren’t the best fit for all users, especially businesses.

Who Shouldn’t Use Norton?

Consider other antivirus tools if you’re one of the following:

• Users looking for anti-spyware or anti-tracking: Consider other antivirus or device protection products if you need spyware or tracking protection.
• Small or large businesses: While freelancers and contractors will benefit from Norton’s protection, it’s not designed for multiple users.
• Families with more than three users: Norton 360 with LifeLock only supports 10 devices, and Norton 360 doesn’t offer a family-specific plan.

Who Shouldn’t Use McAfee?

Look at other options if you fall into one of these categories:

• All businesses: While McAfee offers business protection for five users, it’s marketed as being for Dell products and won’t support anything larger than a few employees.
• Parents who want to manage kids’ security: McAfee doesn’t have parental controls in its Total Protection plans.
• Users looking for walk-through videos: McAfee doesn’t offer much in the way of training videos, so users that need a visual walkthrough may have a little trouble.

Top 3 Alternatives to Norton & McAfee

If neither Norton nor McAfee sound like the right fit for you, check out one of the following solutions instead. Bitdefender, PC Matic, and Malwarebytes all offer comparable antivirus plans.

Pricing	• Individual: $59.99/year (5 devices) • Family: $84.99/year (25 devices)	• Security: $50/year (5 devices) • Personal: $100/year (5 devices) • Family: $199/year	• Individual: $4.17/month (2 devices) • Duo: $6.67/month (5 devices) • Family: $10.83/month (10 devices)
Ransomware Prevention	Yes	Yes	Yes
VPN	Yes	Yes	No
Identity Monitoring/Protection	Limited — data breach detection	Yes	No
	Visit Bitdefender	Visit PC Matic	Visit Malwarebytes

Bitdefender Total Security

Bitdefender Total Security is an anti-malware solution for individuals and families. Its features include ransomware protection, scam prevention, and cryptomining protection. Like Norton and McAfee, Bitdefender also offers a VPN and a password manager through Total Security.

The Individual plan supports up to 5 devices and costs $59.99 per year. The Family plan supports up to 5 accounts and 25 devices total and costs $84.99 per year. Total Security can be installed on Windows, macOS, iOS, and Android.

PC Matic

PC Matic is an antivirus and endpoint security solution for both individual users and families. It offers features like malware protection, a VPN, and identity theft protection. PC Matic also provides 24/7 phone support.

PC Matic’s Security plan offers the most basic protection – antivirus and anti-malware – for $50 per year and up to five devices. The Personal plan, at $100 per year, covers all of a single user’s devices and adds identity theft protection. The Family plan protects every household device and costs $199 per year. PC Matic is a bit more expensive than Norton and McAfee, but supporting large families sets it apart.

Malwarebytes Premium

Malwarebytes Premium is a device protection and scam prevention solution for both individuals and families. It offers protection from virus, ransomware, Trojans, and spyware, as well as scam protection from texts and phishing accounts.

Malwarebytes’ Individual plan supports two devices and starts at $4.17 per month, billed annually. The Duo plan, for two users, supports five devices and starts at $6.67 per month. Finally, the Family plan includes up to 10 of your family’s devices for $10.83 per month. Malwarebytes is also a bit more expensive than Norton and McAfee, so keep that in mind while shopping.

How I Compared Norton & McAfee

I used a product scoring rubric, which had five key categories, to compare Norton and McAfee. The five categories covered major criteria of antivirus solutions, and I weighted each based on importance. Each category also had multiple subcriteria, like individual features, which received their own weighting. My rubric examined Norton and McAfee’s pricing plans, major AV features, advanced capabilities, overall usability, and customer support options.

Pricing – 20%

I looked at Norton and McAfee’s pricing plans, from basic options with a smaller selection of features to more comprehensive options. I also scored them based on the availability and length of a free product trial.

Core Features – 30%

I evaluated Norton and McAfee based on their selection of consumer security features, including antivirus and ransomware prevention but also additional options like dark web monitoring and scam detection. I also looked at features like parental controls and anti-tracking.

Advanced Features & Integrations – 15%

I considered advanced security features like anti-spyware, device assessments, and identity theft monitoring. Additionally, I scored Norton and McAfee based on the availability of VPNs and password managers, which consumer antivirus software often provides. 

Ease of Use & Administration – 20%

I evaluated administrative features, including the operating systems Norton and McAfee support, and also looked at the number of devices each plan supports. Then I considered whether training videos and product documentation were available.

Customer Support – 15%

I scored Norton and McAfee based on the number of support channels they offered, including email, phone, and live chat. Additionally, I looked at the hours the support team was available and whether the vendors offered a customer forum or support center.

Bottom Line: Norton vs McAfee

Norton and McAfee are both good antivirus solutions for consumers, particularly freelancers looking to secure multiple devices. Norton is great if you’re looking for plenty of support channels, and it also provides helpful tools like videos if you’re worried about learning to use the solution. McAfee is an especially strong choice for individuals working in social media or consumers who want to better protect their online presence.

If your small business is looking for an antivirus solution, I’d recommend checking out these top business AV products for options more suitable for teams.

The post Norton vs McAfee: Compare Antivirus Software 2025 appeared first on eSecurity Planet.

Also, Microsoft hasn’t yet developed a fix for Windows 11 downgrade attacks, which were first announced this summer at the Black Hat conference. If your business runs Windows operating systems (as most do), check system files for strange activity and any downgrades to older, more vulnerable OS versions.

October 26, 2024

Windows 11 Downgrade Vulnerability Is Still Wide Open

Type of vulnerability: Admin code execution privileges leading to operating system downgrades.

The problem: This summer, researcher Alon Leviev revealed a downgrade attack vulnerability in Windows, the exploit for which he named Downdate. The Windows update process could be overtaken, and a threat actor could execute undetectable and irreversible downgrades to Windows system components, Leviev said. He demonstrated the downgrade at Black Hat 2024, reverting fully patched Windows machines back to previous vulnerable states.

Leviev recently published an update to the summer’s information, showing that Microsoft’s decision not to fix an Administrator privilege makes Windows 11 still vulnerable. Because an admin gaining kernel code execution privileges isn’t considered breaking an official security boundary or vulnerability, Microsoft has opted not to fix it. Microsoft has recently reported it’s actively working on a fix, though it hasn’t provided a deadline or specific details.

The fix: Monitor your Windows operating system behavior, including log files, and look for any downgrade procedures. Microsoft has no published fix for the threat yet, since it doesn’t consider it an official vulnerability. 

I also recommend scanning regularly for vulnerabilities, on an automated basis if possible. Check out our top vulnerability scanning tools for some ideas if your security team needs more consistent monitoring.

October 30, 2024

Sysdig Report Reveals Major Theft of Cloud Credentials

Type of vulnerability: Misconfigured cloud services and exposed Git files.

The problem: Sysdig reported a widespread credential theft operation that preys on exposed Git configuration files. Sysdig refers to the global attack as EMERALDWHALE. EMERALDWHALE uses private software tools to abuse misconfigured web services, which helps threat actors steal cloud credentials from cloud services’ source code. Threat actors can also clone private Git repositories.

The threat actors then stash any stolen data in a previous victim’s S3 bucket. They’ve stolen over 10,000 cloud credentials thus far, Sysdig reports.

Sysdig discovered the threat when it found in its cloud honeypot a strange bucket using a compromised account. “While investigating this bucket, we discovered malicious tools and over a terabyte of data, which included compromised credentials and logging data,” Sysdig said. Through the bucket, Sysdig uncovered an extensive scanning campaign exploiting Git configurations.

Two of the major tools that attackers use to exploit the Git config files are MZR V2 and Seyzo-v2, which require a list of targets like IP addresses or previously scanned domains. The tools are found on underground marketplaces.

The fix: Use encryption for all your Git configuration; avoid committing sensitive data, including credentials; and set strict access requirements for your repositories.

October 31, 2024

CISA Flags Mitsubishi Vulnerabilities in Halloween Notice

Type of vulnerability: Missing authentication for critical function and unsafe reflection.

The problem: CVE-2023-6943, a Mitsubishi vulnerability that was publicized in January, has been updated and highlighted through the CISA. The vulnerability has a critical score of 9.8 and affects components like EZSocket, MELSOFT Navigator, and MT Works2.

On Halloween, the CISA released a set of advisories for three of the Mitsubishi vulnerabilities and the Rockwell Automation bug listed below. The advisories are considered to be a broad industrial control warning. These flaws could particularly affect smart devices in manufacturing and supply chain environments.

“Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products,” the CISA said regarding CVE-2023-6943, the critical Mitsubishi vulnerability. A remote unauthenticated threat actor could execute code using paths to a malicious library when it’s connected to any of the Mitsubishi products listed above.

The CISA listed the affected versions of each product:

• EZSocket: Versions 3.0 and later
• GT Designer3 Version1(GOT1000): All versions
• GT Designer3 Version1(GOT2000): All versions
• GX Works2: Versions 1.11M and later
• GX Works3: Versions 1.106L and prior
• MELSOFT Navigator: Versions 1.04E and later
• MT Works2: All versions
• MX Component: Versions 4.00A and later
• MX OPC Server DA/UA (Software packaged with MC Works64): All versions

The fix: For GX Works3, Mitsubishi Electric advises customers to upgrade to version 1.110Q or later.

Rockwell Automation Bug Also Gets CISA Warning

Type of vulnerability: Missing authentication for critical function and out-of-bounds read.

The problem: A critical Rockwell Automation bug allows an attacker with network access to send specially crafted messages to the Rockwell device. This could potentially lead to database manipulation. The vulnerability is tracked as CVE-2024-10386 and specifically affects Rockwell FactoryTalk ThinManager.

The CISA released a notice for the vulnerability and warns that potential messages sent to the Rockwell device could also lead to a denial-of-service (DoS) attack.

The vulnerability affects the following software versions:

• ThinManager: Versions 11.2.0 to 11.2.9
• ThinManager: Versions 12.0.0 to 12.0.7
• ThinManager: Versions 12.1.0 to 12.1.8
• ThinManager: Versions 13.0.0 to 13.0.5
• ThinManager: Versions 13.1.0 to 13.1.3
• ThinManager: Versions 13.2.0 to 13.2.2
• ThinManager: Version 14.0.0

The fix: Rockwell has provided fixes for ThinManager; download the most recent version available for your environment.

November 1, 2024

qBittorrent Solves 14-Year-Old SSL Certificate Issue

Type of vulnerability: Insufficient SSL certificate validation, potentially leading to remote code execution.

The problem: qBittorrent has a recently discovered and patched vulnerability that went unidentified for 14 years. Versions 3.2.1 through 5.0.0 of the software, a torrent client that helps with sequential downloading, are susceptible to a severe security issue. If exploited, the vulnerability allows threat actors to run remote code on computer systems with an affected version installed.

The flaw existed in qBittorrent’s DownloadManager class. It didn’t deal with SSL certificate validation errors, which leaves website connections vulnerable.

The fix: Version 5.0.1 of qBittorrent fixes the issue, and all vulnerable versions should be upgraded.

Google’s Big Sleep Framework Identifies Vulnerability Early

Type of vulnerability: Stack buffer overflow.

The problem: Google Project Zero recently announced that Big Sleep, a vulnerability research project supported by large language models, discovered its first vulnerability. The flaw lies within SQLite, a database engine, and is a stack buffer overflow vulnerability that Google reported to SQLite’s developers, who fixed it that day. Because the devs fixed the issue before it was announced, it didn’t impact SQLite users.

This is an exciting discovery for Google Project Zero because it heralds the future of identifying vulnerabilities before they’re even publicly available to exploit within software. This significantly reduces threat actors’ opportunities to attack.

The fix: Upgrade SQLite to the most recent version.

Read next:

• Vulnerability Recap 10/28/24 – Phishing, DoS, RCE & a Zero-Day
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 11/4/24 – Fourteen-Year Bug Finally Gets Patched appeared first on eSecurity Planet.

Here are the best six XDR platforms: 

• Microsoft Defender XDR: Best overall XDR solution
• Trend Micro Vision One: Best for combined detection and response
• CrowdStrike Falcon Insight: Best for a mix of features and support options
• Palo Alto Cortex XDR: Best for enterprise security needs
• SentinelOne Singularity: Best XDR with forensics for junior teams
• Cybereason Defense Platform: Best for detailed attack lifecycle management

Top XDR Solutions Compared

The following table compares my top vendors based on their important detection and response features and the availability of a free trial.

	Device Controls	Automated Response	Custom Detection Rules	Free Trial
Microsoft Defender XDR				90 days
Trend Micro Vision One				30 days
CrowdStrike Falcon Insight				15 days
Palo Alto Cortex XDR
SentinelOne Singularity				30 days
Cybereason Defense Platform

= Yes    = No   = Add-on

Based on my comparison, Microsoft Defender XDR is the best XDR platform, but all six of my top choices are industry-topping detection and response solutions. Continue reading to learn more about them, or skip down to see how I evaluated the top platforms.

Microsoft Defender XDR – Best Overall XDR Solution

Visit Website

Overall Reviewer Score

4.2/5

Pricing

3.4/5

Features

4.1/5

Usability and coverage

4.5/5

Administration

4.8/5

MITRE ratings

5/5

Customer support

3/5

Microsoft Defender XDR is a cloud-native XDR solution for enterprises. Microsoft’s XDR capabilities include coverage of all network components and environments, priority alerts, and threat response coordination. Defender XDR has plenty of features, like email protection and threat hunting, and it also offers integrations with SIEM and identity management solutions so you can further centralize your security. I recommend it for teams of all sizes.

Pros

• Extensive XDR coverage
• Thorough documentation
• SIEM and IAM integrations

Cons

• Unclear whether 24/7 support is available
• Limited incident quarantine features
• Unclear whether you can deploy on premises

Pricing

• Contact for quote: Custom pricing available
• Free trial: 90 days

Key Features

• Query-based threat hunting: Security teams can create custom queries and use them to explore 30 days’ worth of raw log data for specific threat searches.
• Automated self-healing: Defender XDR automates simple healing tasks, like device cleaning, and allows teams to develop customized auto-responses to common alerts.
• Entra ID integration: Defender XDR helps you protect apps and identities by integrating with Entra ID, Microsoft’s IAM solution.
• Copilot: Microsoft’s tool for security assistance answers natural-language questions and gives you options for resolving threats, allowing you to view policies and get device info.

Screenshot

Trend Micro Vision One – Best for Combined Detection & Response

Visit Website

Overall Reviewer Score

4.1/5

Pricing

3.6/5

Features

4.3/5

Usability and coverage

3.8/5

Administration

4.7/5

MITRE ratings

4/5

Customer support

4.1/5

Trend Micro Vision One is a broad security solution offering threat intelligence, attack surface management, and XDR. Vision One’s coverage includes servers, email platforms, cloud environments, and user identities. The platform produces an XDR data lake that collects data like metadata, logs, and telemetry, helping reduce security data silos. For SIEM and SOAR integrations, Trend Micro partners include Splunk, Microsoft, and Palo Alto.

Pros

• Platform covers multiple security functions
• Protection for cloud workloads and email
• Customizable policies and reports

Cons

• Log retention is only 30 days
• Limited SIEM integrations
• No technical account manager option

Pricing

• Contact for quote: Custom pricing available
• Free trial: 30 days

Key Features

• Vulnerability management: Vision One helps you track vulnerabilities’ CVEs and the meantime to patch them.
• Sandbox analysis: Analysts can send suspicious files to Vision One’s sandbox and isolate possible threats during an examination.
• Role-based dashboards: Specific organizational roles — like CIOs or IT operations personnel — receive custom dashboards based on their responsibilities.
• Custom reports: Vision One customers can create out-of-the-box or custom risk reports tailored to the specific reports you need to give.

Screenshot

CrowdStrike Falcon Insight – Best for a Mix of Features & Support Options

Visit Website

Overall Reviewer Score

4/5

Pricing

3.8/5

Features

4.1/5

Usability and coverage

3.3/5

Administration

3.7/5

MITRE ratings

5/5

Customer support

4.7/5

CrowdStrike Falcon is an endpoint protection solution with multiple software plans and capabilities, including Falcon Insight, its XDR segment of the platform. CrowdStrike has features like advanced antivirus, threat intelligence and threat hunting, firewall management, endpoint detection, and incident response. CrowdStrike offers multiple tiered plans, standalone licenses for specific solutions, and multiple support channels like phone and live chat.

Pros

• Great for advanced threat response needs
• Email and cloud workload protection
• Phone and chat support options

Cons

• Limited info on data retention policies
• Network sources unclear
• Unclear how much documentation is available

Pricing

• Falcon Pro: $99.99 per device year
• Falcon Enterprise: $184.99 per device per year
• Falcon Elite: Contact for quote; Falcon Insight XDR falls under this plan
• Free trial: 15 days
• Free demo: Contact to schedule

Key Features

• Zero trust assessments: Falcon Insight’s ZTAs assess business-wide endpoint health and let you know what OS settings and policies make you vulnerable.
• Incident workbench: Security teams can view an attack from beginning to end to better understand its process.
• CrowdScore: Your organization receives an overall threat score and an incident dashboard that triages alerts for you.
• Data ingestion: Falcon Insight XDR users receive 10GB of free third-party ingested data daily through CrowdStrike Falcon Next-Gen SIEM.

Screenshot

Palo Alto Cortex XDR – Best for Enterprise Security Needs

Visit Website

Overall Reviewer Score

3.8/5

Pricing

2.4/5

Features

3.4/5

Usability and coverage

3.2/5

Administration

4.2/5

MITRE ratings

5/5

Customer support

4.7/5

Palo Alto Networks’ Cortex XDR platform is an advanced detection and response solution that combines endpoint, network, and cloud data insights to reduce admins’ manual work. Its key features include ML-based behavioral analysis, custom detection rules, and threat hunting and intelligence through PAN’s Unit 42 team. While Cortex XDR could be complex for inexperienced teams, it’s a fantastic choice for advanced users and enterprise security needs.

Pros

• One of the strongest providers in the industry
• Outstanding results in independent testing
• Threat research available through Unit 42

Cons

• Can be complex for less experienced teams
• No free trial
• Email protection capabilities unclear

Pricing

• Contact for quote: Custom pricing available
• Free demo: Contact to schedule

Key Features

• Custom rules: Cortex XDR offers rules based on indicators of compromise (IOCs), like IP addresses, file names, and event correlation rules.
• Cloud lateral movement analytics: Palo Alto finds strange patterns in cloud services based on usage, identifying behavior that’s typically used to move laterally.
• Response actions: Teams can isolate endpoints, remediate malicious changes, and search for and destroy malicious files on a device.
• XSOAR integration: Cortex XDR and Cortex XSOAR integrate closely, allowing you to ingest incidents from Cortex XDR into XSOAR playbooks automatically.

Screenshot

SentinelOne Singularity – Best XDR With Forensics for Junior Teams

Visit Website

SentinelOne Singularity is a comprehensive XDR solution offering an easy-to-use automation ecosystem, enhanced SOAR functionality, and machine speed containment. The Singularity platform also includes RemoteOps Forensics for digital forensics needs. SentinelOne receives generally glowing reviews from users, including for its support team, so I recommend it to less experienced teams, particularly if you’re looking for digital forensics capabilities.

Pros

• Consistently strong user reviews
• Forensics available through Enterprise plan
• IoT support through SentinelOne Ranger

Cons

• Security policy creation features are unclear
• Lacks triage features
• Documentation is challenging to find

Pricing

• Singularity Core: $69.99
• Singularity Control: $79.99
• Singularity Complete (includes XDR): $159.99
• Singularity Commercial (includes XDR): $209.99
• Singularity Enterprise (includes XDR): Contact for quote
• Free trial: 30 days; only for Singularity Control
• Free demo: Contact to schedule

Key Features

• RemoteOps Forensics: Singularity Enterprise customers can set automatic evidence collection to be triggered by threats and customize specific forensics profiles.
• Role-based access control: SentinelOne offers six predefined roles and also allows admins to create custom roles and permission settings.
• Network discovery: SentinelOne Network Discovery fingerprints IP-enabled devices on customers’ networks and identifies vulnerable endpoints.
• Firewall control: Singularity lets you perform native firewall control for Windows, Linux, and macOS operating systems.

Screenshot

Cybereason – Best for Detailed Attack Lifecycle Management

Visit Website

Cybereason Defense Platform is a detection and response solution renowned for analyzing malicious operations, or MalOps. If you’re looking for top-tier threat visualization, Cybereason shows the complete attack lifecycle. It also offers features like incident triage and custom detection rules. Cybereason is a great choice for teams that need thorough attack lifecycle management and want to investigate a threat’s full picture.

Pros

• Great for visualizing attack lifecycles
• One of the top performers in MITRE evals
• Plenty of IAM integrations

Cons

• Unclear network and IoT device coverage
• Quarantine features seem limited
• No free trial

Pricing

• Contact for quote: Custom pricing available
• Free demo: Contact to schedule

Key Features

• MalOps: Cybereason tracks the history and behavior of a specific threat from its first entry into the network until its attempted attack.
• Incident triage: Cybereason’s incident response prioritizes your business’s most critical assets, so you’re responding to the most important issues first.
• Threat hunting: Teams can search for threat evidence, conduct investigations, and use custom detection rules based on their business.
• Device controls: Cybereason Endpoint Controls help you manage endpoints from one screen.

Screenshot

5 Key Features Of XDR Solutions

While it’s challenging to determine exactly which features your security team needs, core XDR capabilities are a good starting checklist to use while searching. Look for broad security coverage, incident response, automated workflows, threat intelligence, and security integrations.

Central Visibility

One of the major selling points of XDR is its comprehensive view of enterprise assets, not just endpoints. Aside from company devices, XDR platforms should also cover networks, email, and cloud environments. This is beneficial for teams that want to reduce security silos and correlate incidents that show up in different places but might actually be from the same threat.

Just ensure the vendor can demonstrate how this works in the platform and that it isn’t an empty claim.

Incident Management & Response

Teams should not only be able to view the history of an incident — where the threat first originated and its progress through the network — but also have resources to mitigate it. Incident response includes halting executable processes and quarantining compromised applications. It’s one of the most important capabilities of XDR and encompasses multiple XDR features, like device control.

Customizable Workflows & Automation

While “workflows” might first seem like an industry buzzword, it just means the ability to design response patterns for your security teams that make sense for your security infrastructure. If your XDR solution notices a particular behavior, it follows alert and response steps according to the workflow your team already developed. Ideally, these workflows are automated — security teams can’t be everywhere simultaneously, and automated responses are often faster.

Threat Intelligence

XDR platforms should draw data about vulnerabilities and threats from multiple locations. Good solutions offer varied threat intelligence sources or feeds so your security team receives plenty of threat data. It’s also important for any threat intelligence to be trustworthy, clean data so you’re operating based on accurate information.

Integrations With Other Security Products

XDR solutions shouldn’t be entirely locked into one particular vendor. They should offer integrations within a vendor’s infrastructure and provide connections with other products. Without third-party integrations, XDR will silo threat data and prolong businesses’ security challenges because they still don’t have all the information they need in one place.

How I Evaluated the Best XDR Solutions

I created a product scoring rubric to compare XDR platforms and evaluated industry-leading solutions using six major criteria and individual subcriteria. The six categories I selected, like features and support, are significant for buyers to consider when purchasing an XDR platform. I weighted each criterion based on importance, and weighted all the subcriteria, too. How each solution met the criteria I set, as well as criteria weighting, determined the platform’s total score.

Evaluation Criteria

First I considered product features, including device controls and automated response, which are the backbone of XDR. I also looked at usability and product coverage, like documentation and device support, and administration, including APIs and deployment options. Next I evaluated customer support options, like phone and 24/7 channels, and MITRE ratings, which test vendors’ real-world capabilities. Finally, I considered free trials and pricing transparency.

• Features (25%): This category covered important XDR capabilities like threat hunting, detection rules, and email and cloud protection.
  • Criterion winner: Trend Micro Vision One
• Usability and coverage (20%): I considered features that contribute to ease of use, like managed services, and product coverage, including network and IoT protection.
  • Criterion winner: Microsoft Defender XDR
• Administration (15%): This category included APIs, security policy management, and dashboards, as well as other subcriteria that ease administrative work.
  • Criterion winner: Microsoft Defender XDR
• Customer support (15%): I evaluated support channels like email, phone, and chat, as well as the availability of demos, community forums, and technical account managers.
  • Criterion winner: Multiple winners

• MITRE ratings (15%): Vendors’ independent security testing scores help show their product’s true abilities.
  • Criterion winner: Multiple winners
• Pricing (10%): I looked at XDR platforms’ pricing information and the availability of free product trials.
  • Criterion winner: CrowdStrike Falcon Insight

Frequently Asked Questions (FAQs)

What’s the Advantage of XDR?

Because XDR solutions ideally combine threat insights from multiple sources in your business’s infrastructure, they’re more comprehensive than standalone EDR or NDR solutions. However, they must be properly configured and used by your IT and security teams to gain the most accurate and useful information.

What’s the Difference Between XDR & EDR?

While EDR mainly deals with endpoint security and incident response, XDR extends to other infrastructure components, including networks and email accounts. Many EDR solutions have XDR capabilities and vice versa, which can make buying decisions confusing — you’ll see a lot of overlap. But if you’re searching for an XDR product, look for protective features for network and cloud assets, not just endpoints.

What’s the Difference Between XDR & MDR?

MDR is a managed service for businesses that want threat intelligence, insights, and incident response handled by an external team. Vendors offering MDR perform threat analysis and handle security incidents for their customers, which is a good choice for businesses with limited IT or security teams. MDR can cover both EDR and XDR services — it just depends on the capabilities of each MDR offering. All of my XDR picks offer a managed version.

Bottom Line: The Best XDR Solutions

Extended detection and response helps businesses manage various security assets, not just endpoints. In addition to greater ease of management, knowing how threats connect within different parts of your infrastructure helps security teams better understand how incidents originate and develop.

It’s also important to remember that XDR won’t automatically catch and detain all threats. It must be configured and studied over time before becoming a consistent and effective tool for your organization. It should also work well with any existing security tools so your business can improve its overall security posture.

If your business is debating which type of security platform to choose, read about the differences between XDR, SIEM, and SOAR next.

The post Top 6 XDR Solutions & Vendors appeared first on eSecurity Planet.

We’ll also look at increased phishing attacks, a couple of different Cisco flaws, and a Fortinet vulnerability that took some time to get its own CVE. As always, set a patching cadence for your organization so fixes aren’t pushed to the back burner, and make sure your newer security personnel understand the importance of immediate patching.

October 21, 2024

VMware Re-Patches September Vulnerability

Type of vulnerability: Heap overflow and privilege escalation.

The problem: VMware released patches for its vCenter Server software, which manages vSphere virtual computing environments. One of the patches is for a vulnerability that I mentioned in a recap last month, a critical heap overflow issue. The flaw wasn’t completely solved in the first patching round and must be addressed further. The bug could lead to RCE if exploited through a specially crafted packet.

This vulnerability is tracked as CVE-2024-38812 and has a base score of 9.8.

The related vCenter flaw, CVE-2024-38813, allows a threat actor to escalate their privileges to root using a specially created network packet. Broadcom also mentioned the patches for this vulnerability in its security bulletin and recommended patching. Broadcom also released patches for the 8.0 U2 line of vSphere for customers who already use that version.

The fix: Download the appropriate fixed version, based on your existing version of vCenter Server, from Broadcom’s list of patched software. 

October 22, 2024

Samsung Zero-Day Could Allow Privilege Escalation

Type of vulnerability: Use-after-free.

The problem: A zero-day use-after-free vulnerability in Samsung Mobile Processor’s m2m scaler driver could lead to privilege escalation. Google researchers Xingyu Jin and Clement Lecigene recently provided exploit information on the bug as part of Google’s Project Zero.  According to NIST, the vulnerability also affects Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920.

The flaw is tracked as CVE-2024-44068.

The fix: Samsung patched the vulnerability earlier in October. Upgrade your Samsung device to the most recent fixed version to prevent exploitation.

SharePoint Flaw Added to CISA KEV Catalog

Type of vulnerability: Deserialization.

The problem: A Microsoft SharePoint vulnerability initially made public in July was just added to the CISA’s Known Exploitable Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies must fix it by November 12. Proofs of concept for the exploit are also available, increasing the danger of an attack.

The attacker must be authenticated and have Site Owner permissions to conduct the attack, but with those, they could inject and execute arbitrary code in SharePoint Server contexts.

The flaw is tracked as CVE-2024-38094 and has a 7.2 base score.

The fix: Download one of Microsoft’s provided security updates. 

Feeling overwhelmed by all the bugs you have to keep track of? Consider using a vulnerability scanning tool to identify issues your team might not know about.

October 23, 2024

Cisco Patches Flaw That Could Lead to DoS Attacks

Type of vulnerability: Resource exhaustion, potentially resulting in denial of service.

The problem: Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) both have a vulnerability in their Remote Access VPN service. The vulnerability is a resource exhaustion issue that could lead to a denial-of-service (DoS) attack when a threat actor sends excess VPN authentication requests to the service. Remote, unauthenticated threat actors can exploit the flaw.

The vulnerability is tracked as CVE-2024-20481 and has a base score of 5.8. In its security advisory for the issue, Cisco has provided indicators of compromise that customers can use to look for a potential attack. 

The fix: All users should consult Cisco’s Security Advisories page to determine which recent software version they should upgrade their product.

More Cisco News, This Time for a Critical Flaw

Type of vulnerability: Command injection.

The problem: The same day Cisco published the advisory for CVE-2024-20481, it also notified about a critical flaw in the Cisco Secure Firewall Management Center. The software’s web-based management interface has a vulnerability that could allow a remote threat actor to execute arbitrary code as root on the operating system.

The vulnerability stems from flawed input validation for HTTP requests. If a threat actor specifically creates an HTTP request targeted at a certain device, they could then perform RCE.

Valid user credentials are required to exploit a read-only Security Analyst role. It’s also possible that a threat actor could execute remote code on Cisco Firepower Threat Defense devices.

The fix: Download the appropriate fixed version from Cisco’s Security Advisories page. 

Netskope Reports Increase in Webflow Phishing Pages

Type of attack: Phishing and subsequent credential theft.

The problem: Netskope has reported a significant uptick in traffic to Webflow-based phishing web pages. Netskope Threat Labs observed this increase from April to September 2024 and found that the main targets are crypto wallets like Coinbase and credentials to webmail platforms like Microsoft 365.

“Attackers abuse Webflow in two ways: Creating standalone phishing pages and using Webflow pages to redirect victims to phishing pages hosted elsewhere,” said Jan Michael Alcantara, one of Netskope’s researchers and the post’s author.

Custom subdomains, one of Webflow’s features, can be exploited to falsify login pages, and the threat actors use Webflow’s legitimate link or form blocks to steal credentials once they’re entered. Some attackers could build a phishing page and steal credentials without writing any code.

Alcantara and his colleagues used a Webflow free account to test how easy it was to create a phishing page and were able to make one within five minutes.

“If the situation requires, Webflow also provides the means to redirect stolen credentials to a separate attacker-controlled website,” Alcantara said. “Webform will forward the filled-up form using the URL added to the submit button action field.” 

The fix: Check URLs for the malicious domain *.webflow.io, which indicates a phishing site. Additionally, Netskope recommends that organizations inspect all HTTP and HTTPS traffic and use remote browser isolation technology to avoid malicious websites.

Mysterious Fortinet Vulnerability Finally Receives a CVE

Type of vulnerability: Missing authentication leading to RCE.

The problem: Security researcher Kevin Beaumont learned that a formerly undisclosed Fortinet vulnerability, with no CVE, affected the FortiGate to FortiManager protocol. He waited for some time to post his public blog about the flaw, trying to give Fortinet time to manage the threat before it was widely known. Beaumont dubbed the vulnerability FortiJump and noted it’s supposedly been used by nation-state actors. 

On October 23, Fortinet released a security notice for the vulnerability and labeled it CVE-2024-47575. The issue is a missing authentication for critical function vulnerability. It could allow an unauthenticated threat actor to execute remote code using crafted requests if exploited.

The fix: Fortinet provides the following table of affected software versions and their appropriate upgrades:

Read next:

• Vulnerability Recap 10/21/24 – Immediate Patching is Critical
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 10/28/24 – Phishing, DoS, RCE & a Zero-Day appeared first on eSecurity Planet.

Here are the five best rootkit scanning and removal solutions:

• Malwarebytes
• Avast One
• AVG Antivirus
• GMER
• Sophos Rootkit and Bootkit Detection and Removal

Rootkit Scanners Compared

The following table briefly overviews my five top rootkit scanners’ features and pricing options.

	Rootkit Removal	Ransomware Protection	Anti-Tracking Functionality	Pricing
Malwarebytes				• Basic rootkit scanner: Free • Paid plans: Starting at $3.75/month
Avast One				• Basic: Free • Silver: Starting at $2.99/month
AVG Antivirus				• Basic rootkit scanner: Free • AVG Internet Security: Starting at $4.99
GMER				• Rootkit scanner: Free
Sophos Rootkit and Bootkit Detection and Removal				• Plan: Starting at $44.99/year

An important note of caution for all businesses: Most rootkit scanners are designed for personal device use. An enterprise-level network security tool for removing malware will be more advanced. If your business is considering a rootkit scanner, investing in business-grade anti-malware technology, like advanced antivirus software or endpoint detection and response (EDR) is better. This will be the case for most teams of over 10 employees.

Startups with limited personnel may find that a rootkit scanner with multiple features fits their security needs. But if your business plans to scale, buying a more advanced security tool up front typically makes more sense. This guide also covers some paid antivirus plans that are a natural next step after a free rootkit scanner.

Malwarebytes

Visit Website

Malwarebytes’ anti-rootkit scanner is a free solution that detects and removes rootkits and provides proactive system protection. The scan report lists detected threats and reveals whether Malwarebytes quarantined any detections. If you want further protection, consider Malwarebytes Premium, which offers antivirus, antimalware, a VPN, and alerts. Premium has personal, family, and team plans depending on your device needs.

Pros

• Feature-rich personal and family plans
• Free trial available

Cons

• Teams plan is a little expensive
• System recovery capabilities are unclear

Pricing

• Standard: $3.75 per month for personal devices
• Plus: $5 per month for personal devices
• Ultimate: $10 per month for personal devices
• Family Device Security: $10 per month for 10+ devices
• Ultimate Family Protection: $19.37 per month for 10+ devices
• Teams: $119.97 for three devices per year; up to 20 devices

Key Features

• Rootkit scanning: You can run both manual and automated scans on your devices.
• Ad blocking: Malwarebytes blocks ads and removes adware on customer computers.
• Free trial: Malwarebytes offers a 14-day trial for Malwarebytes Premium.
• Brute force protection: The Teams plan shields Windows devices from ransomware.

Avast One

Visit Website

Avast One is an all-in-one service that provides comprehensive protection with antivirus, device cleanup, identity monitoring, and virtual private network (VPN) tools. It’s an affordable rootkit and antivirus product for Windows, Mac, Android, and iOS devices. Avast One’s Platinum plan offers protection for up to 30 devices, making it a valid choice for businesses of under five employees or for individual contractors and freelancers.

Pros

• Extensive identity monitoring functionality
• Platinum plan allows up to 30 devices

Cons

• Limited support channel options
• Automated scanning capabilities are unclear

Pricing

• Basic: Free
• Silver: $2.99-$6.67 per month
• Gold: $6.99-$14.99 per month
• Platinum: $9.99-$24.99 per month

Key Features

• Rootkit removal: Avast One detects rootkits and prevents future rootkit damage.
• Identity monitoring: Avast notifies you if your identity has been compromised online.
• VPN: The Gold plan offers a VPN with over 50 server locations and unlimited data.
• Money-back guarantee: All Avast One’s paid plans offer a 30-day money-back option.

AVG Antivirus

Visit Website

AVG AntiVirus FREE is a robust rootkit scanner that detects and removes rootkits from your system and prevents threats like unsafe internet downloads and email attachments. AVG also offers paid plans. AVG Ultimate, the most extensive plan, only protects 10 devices, so it won’t be a good choice for teams of more than five people. However, freelancers managing their websites and email marketing will benefit from its email and internet security features.

Pros

• Reasonable pricing
• Free scanner is lightweight

Cons

• Reports only for AVG Business
• Ultimate plan supports only 10 devices

Pricing

• AVG Internet Security: $4.99-$8.33 per month
• AVG Ultimate: $4.99-$11.67 per month

Key Features

• PC scanning: AVG looks for performance issues on your computer.
• Mobile support: Aside from Windows and Mac, AVG also supports Android and iOS.
• AVG Tuneup: Part of the Ultimate plan, the Tuneup feature cleans your device of junk.
• Wi-Fi verification: AVG inspects your network for weak Wi-Fi security.

GMER

Visit Website

GMER is a free rootkit scanner and removal tool that is ideal for simple scans on Windows computers. It also offers kernel-level inspection. However, GMER is an older tool and doesn’t run on any Apple devices. If you want to scan many sections of an older Windows computer, GMER is a good choice. But if you’re a freelancer or you need software for your home office technology, it’s probably best to look for a solution with more features.

Pros

• Completely free
• Kernel-level inspection available

Cons

• Hardly any additional features
• Only works on Windows

Pricing

• Free download: For Windows XP/VISTA/7/8/10

Key Features

• Kernel level inspection: GMER identifies kernel-level rootkits on Windows computers.
• Registry key scans: GMER looks for hidden registry keys on your computer system.
• Inline hook scans: The rootkit remover also hunts for modified code within a program.
• File and service hunting: GMER scans for hidden files, services, and modules.

Sophos Rootkit & Bootkit Detection & Removal

Visit Website

Sophos’ solution for rootkit removal helps individuals and small and home offices find the rootkits that traditional antivirus software might not uncover. It protects both Windows and Mac machines and permits remote access for family computers in other locations. This is a beneficial feature for people who work for themselves but travel frequently or want to protect their remote assistant’s devices.

Pros

• Offered by a standout cybersecurity vendor
• Community forum available to customers

Cons

• Lacks some of its competitors’ extra features
• No mobile support

Pricing

• One user’s personal devices: $44.99-$59.99 per year

Key Features

• Web and social blockers: Sophos allows you to block specific categories by device.
• Malware scans: The rootkit product looks for malware and cleans it from your computer.
• Parental controls: Sophos provides web filtering for parents to apply to family devices.
• AI detection: Sophos Home Premium uses AI to identify suspicious behavior.

Selecting a Rootkit Scanner

Before selecting one of these solutions, ask yourself the following questions:

• Am I protecting only personal devices or work devices too? Even if you’re a contractor or have your own startup, personal computers and phones that you rely on for all work processes still count as work machines.
• If I employ other people, how many devices in total need protection? If your team has multiple phones, computers, and tablets, you might exceed a device limit quickly.
• How much am I willing to pay? If you can afford to pay $8 a month or $50 a year, this might be more helpful for protecting all your devices.
• Am I trying to fit an inexpensive rootkit scanner into my SMB? If you have more than 10 employees, a small business endpoint protection plan is probably a better call.
• Which extra features do I need? Consider whether add-ons like VPN functionality or email security are critical for you alongside basic rootkit detection and removal features.

Make sure you’ve answered these questions and know exactly what scanning features you need, either for your home devices or work machines, before beginning the buying process. This will help you narrow down the options and find a suitable solution.

Frequently Asked Questions (FAQs)

Why Is a Rootkit So Difficult to Detect?

Rootkit software is developed to blend in with legitimate software and look like it’s supposed to be there. Some rootkits affect the computer’s user level, affecting applications that run atop the operating system, but others run at the kernel level. Firmware rootkits linger within a computer’s memory. Kernel-level and firmware rootkits can be particularly hard to detect because they are so deeply embedded within the computer system.

Where Do Rootkits Hide?

Rootkits hide in multiple locations, depending on the type and where attackers install them. They can reside in computer memory, like random access memory (RAM), or in specific applications on your computer. They can also reside at the kernel level of your device or within the firmware itself. Some rootkits attack your device’s bootloader, which loads your operating system, and is known as bootkits.

How Do I Know if I Have a Rootkit?

A rootkit scanner is the ideal way to identify rootkits, but if one of your applications is behaving oddly, you might notice the existence of a rootkit before it’s scanned. However, you may be unable to tell what kind of malware affects the application unless you’re familiar with specific rootkit behaviors. You can also perform a memory dump, or a RAM dump, to see if a rootkit is executing code.

Bottom Line: Rootkit Scanner or Next-Gen Antivirus?

Rootkit scanners are beneficial tools for individuals and very small startups, helping you debug your computer systems of malware and improve device performance. But keep in mind that they’re not for most businesses. Larger startups and offices will likely need a more comprehensive endpoint security solution, especially if they plan to scale in the next few years. This can include a next-gen antivirus product or a full endpoint detection and response platform.

Is your business looking for a more advanced endpoint tool? Check out my picks for the top endpoint detection and response (EDR) solutions next.

The post 5 Best Rootkit Scanners and Removers: Anti-Rootkit Tools appeared first on eSecurity Planet.

October 10, 2024

GitHub Flaw Allows Authentication Bypass

Type of vulnerability: Improper verification of cryptographic signature.

The problem: GitHub published a security update for Enterprise Server due to a high-severity vulnerability that allows an attacker to bypass SSO authentication. The flaw results from improper verification of a cryptographic signature, and without SSO authentication required, a threat actor could gain access to the server instance and provision other users.

The threat actor would need direct network access and a signed SAML response or metadata document to exploit the flaw. They’d also need the encryption assertions feature to be enabled before an exploit, according to NIST’s National Vulnerability Database. The flaw is tracked as CVE-2024-9487. It affects all GitHub Enterprise Server versions before 3.15.

GitHub fixed the issue in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. Other flaws fixed in 3.14.2 include a vulnerability in the management console, which exposed sensitive data in HTML forms, and a medium-severity information disclosure flaw involving malicious URLs.

The fix: Upgrade to one of the fixed versions immediately.

Does your business need a more streamlined version of identifying vulnerabilities? Are you trying to find them manually? We recommend using a vulnerability scanning tool to simplify this process. Check out our guide to the best vulnerability scanners next.

October 15, 2024

Previously-Patched Roundcube Webmail Flaw Has Been Exploited

Type of vulnerability: Cross-site scripting.

The problem: Russian-based Positive Technologies discovered and announced an attempted exploit of a patched vulnerability in Roundcube Webmail. Roundcube Webmail is an open-source email solution written in PHP. The vulnerability, CVE-2024-37383, is a stored cross-site scripting vulnerability that permits a threat actor to run JavaScript code on a victim’s web page. It was fixed in May 2024 after CrowdStrike researchers identified it.

Positive Technologies has since noticed exploit attempts through an email with tags that decode and run JavaScript. The email was sent to a governmental organization within a Commonwealth of Independent States (CIS) member nation. Positive Technologies hasn’t been able to link the threat to a specific threat actor group. Still, it’s noticed that government agencies are a major target since they tend to use Roundcube Webmail.

Roundcube client versions earlier than 1.5.6 or 1.6 to 1.6.6 are vulnerable to the Roundcube flaw if not yet patched.

The fix: Update any affected versions of Roundcube Webmail immediately. 

Positive Technologies provides a couple of network indicators to look for if you’re concerned about a potential exploit.

Proxmox-Developed Kubernetes Images Are Vulnerable to Attack

Type of vulnerability: Enabled default credentials.

The problem: A vulnerability in Kubernetes Image Builder enables default credentials during the image build process. According to Joel Smith, virtual machine images that use Proxmox, an open-source option for image building, don’t have disabled default credentials. Threat actors could then exploit the Kubernetes nodes that use those images and potentially gain root access if they used the default credentials.

The flaw only affects Kubernetes clusters that host VMs created with Image Builder when Proxmox is the virtualization provider.

The vulnerability has a severity rating of 9.8 and is tracked as CVE-2024-9486. It affects Kubernetes Image Builder versions v0.1.37 and earlier.

The fix: Upgrade Kubernetes Image Builder to version 0.1.38.

October 17, 2024

Grafana Releases Patches for Critical SQL Vulnerability

Type of vulnerability: SQL expression, potentially leading to command injection and local file inclusion.

The problem: Grafana released patches for version 11.0.x, 11.1.x, and 11.2.x due to a critical SQL expression vulnerability.

“The vulnerability was in an experimental feature named SQL Expressions that allows for data source query output to be post-processed by executing one or more SQL queries,” Grafana said. It passes the query and data to the DuckDB CLI, which executes the SQL against the DataFrame data.

Because the SQL queries weren’t sanitized, Grafana said, a command injection and local file inclusion vulnerability resulted.

Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API. However, to be exploitable, the DuckDB binary must be accessible through the PATH of the Grafana process environment.

Feature flags, which allow users to enable and disable software, aren’t implemented correctly, so SQL Expressions is enabled by default for the API. However, Grafana’s process environment must have the DuckDB binary accessible through PATH for a threat actor to exploit this vulnerability. Your system won’t be vulnerable without DuckDB, Grafana explained.

An attacker could use this vulnerability to access any file on Grafana’s host machine, which includes passwords stored in the files without encryption. Viewer permissions, or any higher permissions, are sufficient for the attack; it’s not restricted to admins. The flaw is tracked as CVE-2024-9264.

The fix: Download one of Grafana’s security fixes based on the product you use. Grafana also mentions removing the DuckDB binary from PATH or your entire environment; it’s unnecessary for any other Grafana feature. 

ClickFix Campaign Uses Google Meet as Attack Vector

Type of vulnerability: Phishing and malware installation.

The problem: Security provider Sekoia published a blog detailing its findings on the ClickFix campaign, which uses falsified Google Meet pages to install infostealers on Windows and Mac computers. ClickFix performs social engineering to impersonate popular websites like Google Chrome to get users to click on fake sites.

“By pivoting on the text elements in ClickFix messages displayed to users, such as the phrase “Press the key combination” or “CTRL+V”, we discovered several websites masquerading as the homepage of a Google Meet video conference,” Sekoia researcher Quentin Bourgue said. According to Bourgue, the fake sites showed pop-ups falsely indicating that the microphone and headset had issues, encouraging victims to click buttons to resolve the issue.

Sekoia provides the following examples of domain names, as well as an IP address that they attribute to the ClickFix cluster using fake Google Meet sessions:

The fix: No specific fix is available.

October 18, 2024

Apple Fixes Flaw Reported by Microsoft in New Sequoia Release

Type of vulnerability: Authorization bypass.

The problem: Microsoft’s Threat Intelligence team discovered a vulnerability within macOS related to its Transparency, Consent, and Control (TCC) technology. The flaw could allow a threat actor to bypass TCC and access the victim’s data. Microsoft dubbed the vulnerability HM Surf and reported it to Apple. Apple has since fixed the flaw in Sequoia 15. 

The new macOS update fixes issues within other Apple features, including Kernel, Sandbox, and Shortcuts. The TCC flaw is tracked as CVE-2024-44133. Microsoft has already noticed behaviors from Defender for Endpoint that suggest Adload, a macOS threat family, is exploiting the vulnerability.

The fix: Upgrade your Mac devices to macOS Sequoia 15.

Read next:

• Vulnerability Recap 10/15/24 – Patch Tuesday Posts 117 Vulnerabilities
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 10/21/24 – Immediate Patching Is Critical appeared first on eSecurity Planet.

October 1, 2024

CISA Releases Notice About Optigo Switch Vulnerability

Type of vulnerability: Improper filename control and weak authentication.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) is recommending mitigation actions for Optigo Networks customers regarding the ONS-S8 – Spectra Aggregation Switch. The switch’s vulnerabilities include improper filename control for include/require statements in the PHP program (or PHP Remote File Inclusion) and weak authentication.

The vulnerability has a critical CVSS score of 9.3. It affects versions 1.3.7 and earlier of the switch.

The fix: In the absence of a patch or dedicated fix, CISA lists Optigo Networks’ suggested mitigations for the vulnerabilities:

• “Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
• Set up a router firewall with a white list for the devices permitted to access OneView.
• Connect to OneView via secure VPN.”

Watch for any potential future notifications from Optigo Networks about a dedicated fix in case it develops one. 

October 8, 2024

Patch Tuesday Clocks a Whopping 117 Vulnerabilities

Type of vulnerability: Multiple, including elevation of privilege and remote code execution.

The problem: For this month’s patch Tuesday, Microsoft announced 117 vulnerabilities. Only two had a CVSS score of 9.0 or above — a Windows Netlogon EoP flaw, CVE-2024-38124, and a Microsoft Configuration Manager RCE vulnerability, CVE-2024-43468. Other products addressed in October’s Patch Tuesday include Microsoft Hyper-V, Windows Kernel, Azure Monitor, Microsoft Office SharePoint, and Excel.

The fix: Check Microsoft’s Patch Tuesday rundown for any products your business uses and follow any mitigation or patch instructions.

If your security team is overwhelmed by manual vulnerability tracking, consider using one of the top vulnerability scanning tools, Tenable, Invicti, and Wiz.

October 9, 2024

GitLab Updates Vulnerable Community & Enterprise Versions

Type of vulnerability: Multiple, including running pipelines and template disclosure.

The problem: GitLab released updated versions of GitLab Community and Enterprise to fix eight vulnerabilities. The one critical flaw allows attackers to run pipelines on arbitrary project branches. It exists in versions 12.5 before 17.2.9, starting from 17.3, before 17.3.5, and starting from 17.4 before 17.4.2.

There are four high-severity flaws, two medium, and one low. Check GitLab’s security notice for the specific versions where these vulnerabilities exist.

The fix: GitLab has released versions 17.4.2, 17.3.5, and 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). 

Time to Upgrade Mozilla Firefox

Type of vulnerability: Use-after-free.

The problem: Mozilla has fixed a critical vulnerability in Firefox versions Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Damien Schaeffer of ESET reported the vulnerability to Mozilla.

“An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines,” Mozilla said in its security advisory. The vendor has received reports of active exploitation.

The fix: Upgrade Firefox to the most recent version available.

October 10, 2024

Ransomware is Actively Exploiting Critical Veeam Flaw

Type of attack: Ransomware exploit.

The problem: A critical vulnerability I mentioned in a recap a few weeks ago is now being exploited. CVE-2024-40711, a flaw in Veeam Backup and Recovery, has seen Akira and Fog ransomware attacks, according to Sophos. Sophos X-Ops, the vendor’s MDR and incident response service, has been tracking exploits of the Veeam vulnerability over the past few weeks.

Sophos found that the attackers initially used compromised VPN gateways to access their targets in each studied case of a ransomware attack.

“Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe,” Sophos X-Ops said on Mastodon. “The exploit creates a local account, “point,” adding it to the local Administrators and Remote Desktop Users groups.”

The fix: Upgrade Veeam Backup and Replication to version 12.2.0.334, which fixes the flaw.

October 11, 2024

Fortinet Updates Critical February Vulnerability

Type of vulnerability: Format string vulnerability.

The problem: A Fortinet bug from February was updated in October due to potential wild exploitation cases. The flaw is an externally controlled format string bug in fgfmd that could lead to remote code execution if an attacker made specially crafted requests. The flaw is tracked as CVE-2024-23113 and has a critical severity rating.

According to FortiGuard Labs’ Advisories list, the flaw affects the following software versions:

• FortiOS 7.4.2, 7.4.1, 7.4.0, 7.2.6, 7.2.5
• FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3
• FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7
• FortiWeb 7.4.2, 7.4.1, 7.4.0  

The fix: Upgrade to the most recent version of the affected software.

Ivanti CSA Vulnerabilities Have Already Been Exploited

Type of vulnerability: Multiple, including path traversal and command injection.

The problem: Fortinet’s FortiGuard Labs has found that threat actors — suspected nation—state attackers—exploit a previously discovered vulnerability in Ivanti Cloud Services Appliance, an authenticated access flaw. The exploits affect versions 4.6 and prior of the software. FortiGuard Labs was called to investigate when a customer’s network was communicating a malicious IP address, and FortiGuard tracked the issue to Ivanti CSA.

The vulnerability, CVE-2024-8190, came to light in September, and Fortinet has seen threat actors use it in conjunction with two other CSA flaws, a path traversal and a command injection vulnerability. Neither of the two additional flaws is publicly known. They affect the PHP front-end of CSA.

Fortinet says the exploits are an example of threat actors chaining zero-days together.

The fix: If you haven’t yet done so, upgrade Ivanti Cloud Services Appliance to version 5.0.

Read next:

• Vulnerability Recap 10/8/24 – Thousands of Routers & Servers at Risk
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 10/15/24 – Patch Tuesday Posts 117 Vulnerabilities appeared first on eSecurity Planet.

Here are the six best Enpass alternatives:

• 1Password: Best overall password manager
• Dashlane: Best for features
• Bitwarden: Best for self-hosting and administration
• Keeper: Best for security add-ons
• RoboForm: Best for basic password management needs
• NordPass: Best for a mix of cost and usability

Enpass Alternatives Compared

The following table compares and contrasts the six best alternative Enpass options, including password management features and product pricing.

	Single Sign-On	Password Health Checks	Dark Web Monitoring	Price of Mid-Range or Business Plan
1Password				$7.99/user/month
Dashlane				$8/user/month
Bitwarden				$6/user/month
Keeper				$3.75/user/month
RoboForm				$2.50-$3.00/user/month
NordPass				$3.99/user/month

= Yes    = No   = Add-on

Based on my analysis, 1Password is the best overall alternative to Enpass due to its selection of features and robust security posture. However, all of the products on this list are great alternative solutions, particularly the more cost-effective ones. Continue reading to learn more, or jump down to learn how I compared Enpass’s competitors against each other.

1Password – Best Overall Password Manager

Visit Website

Overall Reviewer Score

4.2/5

Pricing

2.9/5

Key features

4.7/5

Advanced features

4.2/5

Security

4.8/5

Administration

5/5

Customer support

4.2/5

1Password is an enterprise-grade password management solution ideal for teams of all sizes, particularly those looking for more features than Enpass offers. Aside from standard PM capabilities like password health checks and reports, it offers extras like guest accounts and travel mode. 1Password is also renowned for its overall cybersecurity posture, and it’s extremely transparent about regular audits, even allowing customers to read its audit reports.

Pros

• Offers advanced features and perks
• Widespread OS and browser support
• Developer solution available for dev teams

Cons

• More expensive than most competitors
• Some features may be difficult to learn
• No integrations with cloud storage products

Pricing

• Teams Starter Pack: $19.95 for up to 10 users per month
• Business: $7.99 per user per month
• Enterprise: Contact for quote
• Free trial: 14 days
• Free demo: Contact to schedule

Key Features

• Team security policies: Owners and admins can develop rules to manage 1Password usage, configure identity provider integrations, and deny IP addresses.
• Travel mode: When you leave on a trip, 1Password allows you to remove certain vaults from your devices except the ones you want to stay on the devices.
• Guest accounts: 1Password lets you share specific passwords with people outside your organization, like contractors and third-party vendors.
• Dark web monitoring: 1Password’s Watchtower feature combs data breaches for customers’ personal information and alerts them if it finds any compromised data.

Gallery

Alternative

1Password is one of the best password managers and a strong alternative to Enpass, but it’s expensive. If you’re looking for something more affordable with plenty of features and robust security, check out Bitwarden.

Read our full review

Dashlane – Best for Its Many Features

Visit Website

Overall Reviewer Score

4.1/5

Pricing

3.3/5

Key features

4.9/5

Advanced features

4.5/5

Security

4.3/5

Administration

4.4/5

Customer support

3.3/5

Dashlane is a full-featured password manager ideal for businesses and has many core and advanced PM capabilities. Its plans offer tools ranging from basic activity logs and account recovery to phishing alerts and SIEM integrations. It may be expensive for startups and SMBs on a budget, but it’s an excellent choice for businesses looking for an alternative to Enpass with a wide range of features.

Pros

• Wide range of basic and advanced features
• Multiple resources for developers
• VPN add-on available

Cons

• Pricing for Business plan is high
• Limited reporting functionality
• Not very transparent about vendor audits

Pricing

• Standard: $20 per month for up to 10 users
• Business: $8 per user per month
• Business Plus: $3 per user per month; for new customers only
• Enterprise: Contact for quote
• Free trial: 30 days
• Free demo: Contact to schedule

Key Features

• Developer tools: Dashlane offers features for developers, such as available Android source code and a command line interface.
• Splunk integrations: Dashlane’s CLI can send audit log data to Splunk, which is a security information and event management (SIEM) solution.
• Account recovery through biometrics: Using facial recognition or fingerprints, you can access your PM account if you forget the master password.
• Password health checks: Users receive a password health score out of 100 and recommendations for improving their password security.

Gallery

Alternative

While Dashlane is an excellent choice for teams that want plenty of features, it can be expensive for tiny businesses. If you’re looking for more affordable options, check out RoboForm instead.

Read our full review

Bitwarden – Best for Self-Hosting & Administration

Visit Website

Overall Reviewer Score

4.1/5

Pricing

3.2/5

Key features

4.5/5

Advanced features

2.5/5

Security

4.8/5

Administration

5/5

Customer support

4.2/5

Bitwarden is a password manager that can be hosted either by Bitwarden or on your organization’s servers. Its key features include account recovery, event log monitoring, and passwordless single sign-on. Unlike Enpass, Bitwarden offers developer tools like APIs and a command line interface. It’s a great choice for businesses with the hardware and security expertise to manage a PM product and want more control over the solution.

Pros

• Option to self-host on your business’s servers
• Widespread browser and OS support
• Developer tools like CLI available

Cons

• Teams plan might be too expensive for SMBs
• No phone for customer support
• Free trial is shorter than competitors’

Pricing

• Teams: $4 per user per month
• Enterprise: $6 per user per month
• Custom pricing for larger teams: Contact for quote
• Free trial: 7 days
• Free demo: Contact to schedule

Key Features

• User groups: Bitwarden’s groups feature allows admins to set specific policies for entire departments, teams, or sub-teams.
• Enterprise policy management: Business admins can enforce mandatory two-factor authentication and determine user password character requirements.
• Vault health reports: Bitwarden notifies you if users are doubling up on passwords or if their account passwords are weak.
• Encrypted file attachments: Bitwarden users can add items like files to a vault, such as a scanned version of a sensitive document.

Gallery

Alternative

Bitwarden is an excellent solution for organizations that want to self-host, but its Teams plan may be too expensive for some startups and tight budgets. If you’re looking for something even more cost-effective, check out NordPass.

Read our full review

Keeper – Best for Security Add-Ons

Visit Website

Overall Reviewer Score

4.1/5

Pricing

4/5

Key features

4.1/5

Advanced features

3.6/5

Security

3.8/5

Administration

5/5

Customer support

4/5

Keeper is a password manager and security solution for both SMBs and enterprises. Some of its features include passkeys, biometrics, and a command line interface for enterprise customers. It also offers multiple add-ons, like Secrets Manager, Advanced Reporting and Alerts, and BreachWatch. I recommend Keeper to larger businesses looking for an alternative to Enpass that offers some additional protection on top of their password manager.

Pros

• Full OS and extensive browser support
• Plenty of add-on products available
• Multiple support channels

Cons

• Some SSO options only in Enterprise plan
• Not transparent about audits
• Lacks a few extras and perks

Pricing

• Business Starter: $2.00 per user per month
• Business: $3.75 per user per month
• Enterprise: Contact for quote

Key Features

• Master password recovery: By setting up an account recovery phrase at the beginning and storing it safely, users have that available in case they forget their master password.
• Biometrics: Keeper supports Windows Hello, touch ID, and face ID as biometric login options.
• Secrets Manager: Keeper offers an add-on product for protecting items like API keys, certificates, and database passwords.
• Command line interface: Commander CLI allows developers to use the command line to a significant portion of Keeper’s platform.

Gallery

Alternative

Keeper is a strong choice for large businesses and teams looking for extra security, but its Business Starter and Business plans have limited SSO functionality. If you’re looking for full SSO in a more affordable plan, consider RoboForm.

Read our full review

RoboForm – Best for Basic Password Management Needs

Visit Website

Overall Reviewer Score

3.9/5

Pricing

4.2/5

Key features

4/5

Advanced features

3.1/5

Security

4/5

Administration

4.5/5

Customer support

2.7/5

RoboForm is a password manager that is ideal for small organizations because of its affordable pricing and its core set of features for each plan. It offers key password management capabilities like secure sharing, single sign-on, and touch ID. While it lacks a few of its competitors’ advanced features, RoboForm is an excellent choice for basic PM needs. It’s also one of the least expensive solutions on our list, making it an excellent alternative for customers who want Enpass’s prices.

Pros

• Very inexpensive pricing
• Supports all the major operating systems
• Offers policy management for administrators

Cons

• Lacks a few advanced features
• Doesn’t have a Safari browser extension
• No command line interface

Pricing

• 1-10 users: $3.33 per user per month (annual billing)
• 11-25 users: $3.00 per user per month
• 26-100 users: $2.91 per user per month
• 101-1000 users: $2.50 per user per month
• Over 1,000 users: Contact for quote
• Free trial: 14 days for up to 30 users

Key Features

• Security policy management: Company admins can enforce rules like master password complexity, using 2FA, and permitted IP address ranges.
• Automated user provisioning: RoboForm offers integrations with identity providers like Okta, so you can more easily provision users in the password manager.
• Biometrics: Customers can enable Windows Hello to log into RoboForm and enable Touch ID on Mac devices.
• SCIM integrations: RoboForm offers integrations with identity providers like Okta, Microsoft, and OneLogin so you can sync user data between the solutions.

Gallery

Alternative

Although RoboForm is a great choice for small teams and businesses looking for the most basic password management features, it may not have enough advanced capabilities for some organizations. If this sounds like your team, consider Dashlane instead.

Read our full review

NordPass – Best for a Mix of Cost & Usability

Visit Website

Overall Reviewer Score

3.9/5

Pricing

4.4/5

Key features

4/5

Advanced features

0.7/5

Security

4/5

Administration

4.8/5

Customer support

4.1/5

NordPass is a newer password management solution with pricing that’s comparable to Enpass’s. Its features include password health checks, biometrics, and single sign-on with Okta and Azure Active Directory. It offers straightforward documentation and ample browser and operating system support. I recommend NordPass to organizations seeking an affordable and widely usable password manager.

Pros

• Supports major browsers and OSs
• Pricing is on the inexpensive side
• Both email and live chat support available

Cons

• Lacks a number of PM features
• Doesn’t use AES-256 encryption
• Unclear reporting functionality

Pricing

• Teams: $1.99 per user monthly
• Business: $3.99 per user monthly
• Enterprise: $5.99 per user monthly
• Free trial: 14 days
• Free demo: Contact to schedule

Key Features

• Company-wide password settings: Admins can set password policies or enable auto-lock for their entire business domain.
• Email masking: This tool masks your true email address whenever you submit your email to a website.
• Group management: NordPass allows you to create user groups to set policies for specific departments or teams more easily and share credentials within a group.
• Recovery code: NordPass generates a 24-symbol code that you can use to recover your account if you ever forget your master password.

Gallery

Alternative

NordPass is a strong password manager, but it uses xChaCha20 encryption, a relatively new algorithm predicted to become popular, rather than AES-256. If you’re looking for a PM solution that uses AES-256 encryption, consider Bitwarden instead.

Read our full review

5 Key Features of Enpass Alternatives

The best password managers and alternative solutions to Enpass offer features like 2FA, reports, SSO, data imports and exports, and security policy management.

Two-Factor Authentication

Two-factor and multi-factor authentication require users to provide multiple methods of authentication — a master password and another item. Additional authentication methods include SMS codes and fingerprint and eye scans. Requiring multiple known items for authentication makes a hacker’s job significantly more challenging because they’d also need to have access to your phone. And with biometrics required, hacking a vault is almost impossible.

Reporting

Password management solutions typically offer reporting features to your organization’s administrators so they can view business-wide data or information specific to certain users. It’s useful to report on overall password and vault health and any security events.

Single Sign-On

Many password managers integrate with identity providers like Okta, Microsoft, and OneLogin so you can perform single sign-on for your PM solution. While this may not always simplify the login process — password managers may still require your master password — it helps with session security and may help you streamline application login processes.

Importing & Exporting Passwords

Password managers typically provide import and export functionality to move saved credentials between products. If a Bitwarden customer decides to move their organization to Keeper, they’ll be able to export files that contain the contents of their Bitwarden vault and import the contents of the vault into Keeper. This prevents teams from needing to recreate all their usernames and passwords.

Policy Management

It’s helpful for administrators to set security policies to control how the password manager will be used in the business. Admins may want to set master password complexity for the entire organization or require 2FA for a specific department. Policies are helpful because they allow businesses to manage how strict their login security is.

Password management is just one part of a greater security strategy. To learn more about protecting your entire network, check out our guide to network security.

How I Compared the Best Enpass Alternatives

I scored Enpass’s main competitors using a rubric with the six main categories potential buyers should consider when shopping for a password manager. I weighted each category based on importance and assigned multiple subcriteria to each; each subcriterion also received its weight. Each product’s overall score was determined by how well it met each subcriteria.

Evaluation Criteria

I first considered core password management features like 2FA and password health checks, then security strength, including encryption algorithms and a zero-knowledge format. I also looked at pricing plans and how much they cost compared to Enpass. Next, I considered usability and administration, including browser and operating system support, and customer support options. Finally, I looked at advanced features like alerts and dark web monitoring.

• Core features (25%): I considered the most important password management features like 2FA, secure sharing, and single sign-on.
  • Criterion winner: Dashlane
• Security (20%): I looked at the information password managers publicize regarding types of encryption used, audits performed, and breach history.
  • Criterion winner: Multiple winners
• Pricing (20%): I compared PM products’ pricing plans and considered the length of their free trials.
  • Criterion winner: NordPass
• Usability and administration (15%): This category included overall usability, like supported browsers and operating systems, as well as available documentation.
  • Criterion winner: Multiple winners
• Customer support (10%): I looked for support channels like phone and email, product demos, and community forums.
  • Criterion winner: Multiple winners
• Advanced features (10%): This category considered extras, perks, and advanced capabilities like guest accounts, secrets management, and dark web monitoring.
  • Criterion winner: Dashlane

Your business’s network must be protected by multiple other layers, not solely a password manager. Read our guide to the major categories of network security to get a better idea of comprehensive protection.

Frequently Asked Questions (FAQs)

Is It Safe to Use Enpass?

Enpass is a relatively secure password manager, with a clean breach history like many competitors. Issues with its autofill feature have left some customers searching for easy-to-use alternatives. Enpass is still a solid PM choice, but other options will serve businesses better, particularly large organizations or teams looking for a more intuitive product.

Is Enpass Cloud-Based?

Enpass doesn’t store passwords in its own cloud for security purposes; instead, it stores them within customers’ cloud storage accounts, like Dropbox or Google Drive. Enpass also allows you to store your passwords offline rather than in the cloud, syncing between devices using an internet connection instead.

Is LastPass No Longer Safe?

While LastPass is a popular and easy-to-use password manager, you may have noticed it didn’t make my list because it scored low in the rubric’s security category. LastPass has great password management features and is renowned for its overall usability. However, a few security breaches have occurred in the last few decades, so multiple businesses have moved to other password managers.

To learn more about it, check out our breakdown of alternatives to LastPass, especially if your organization is already considering making the switch.

Bottom Line: Selecting the Best Password Manager for Your Business

Password management solutions play an essential role in organizations’ security strategy, blocking many initial attempts to access sensitive applications and data. If you’ve looked at Enpass, but it isn’t the best option for your business, consider one of the products on this list. Consider your budget, the features your admins most want, and the vendor’s security posture before purchasing.

If you need more help choosing a PM solution, check out our buyer’s guide to the best password managers next.

The post Top 6 Best Enpass Alternatives: Features & Reviews appeared first on eSecurity Planet.

October 2, 2024

Zimbra Email Servers Could See RCE Attacks

Type of attack: Remote code execution.

The problem: In late September, researchers from Proofpoint uncovered attempted exploits of Zimbra email servers. Using Zimbra Collaboration’s post-journal service, an unauthenticated threat actor could execute commands remotely on the email server.

Affected versions include:

• Joule: version 8.8.15
• Kepler: version 9.0.0
• Daffodil: versions 10.0.x before 10.0.9
• Daffodil: version 10.1.0

The vulnerability is already being exploited, and download and exploit instructions are already available on GitHub, so you should immediately patch your Zimbra installation before threat actors can follow proofs of concept.

This flaw is tracked as CVE-2024-45519 and has a critical base score of 9.8.

The fix: Apply the most recent patch that’s available for your version of Zimbra as soon as you can.

If your security team needs a more consistent method of tracking vulnerabilities, check out our guide to the best vulnerability scanning tools next.

New LiteSpeed Cache Vulnerability Allows Privilege Escalation

Type of vulnerability: Cross-site scripting.

The problem: Months after a LiteSpeed Cache flaw that could be used to escalate privileges, researcher TaiYou found a new vulnerability in the popular WordPress plugin. The flaw is an unauthenticated stored cross-site scripting vulnerability.  The researcher reported it to Patchstack’s bug bounty program and worked with Patchstack on an article covering the vulnerability. 

“It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” said Patchstack.

It occurs “because the code that handles the view of the queue doesn’t implement sanitization and output escaping,” according to Patchstack.

The fix: Update your version of the LiteSpeed Cache plugin to 6.5.1 or higher.

Thousands of DrayTek Routers Vulnerable to Attack

Type of vulnerability: Multiple, including OS command injection and stack-based buffer overflow.

The problem: DrayTek routers have several vulnerabilities that researchers just discovered, including two flaws with critical scores. The fourteen vulnerabilities together expose more than 704,000 DrayTek routers in 168 countries, say researchers from Vedere Labs, the research arm of cyber risk management provider Forescout Technologies.

The researchers released a report on the vulnerabilities named Dray: Break. While most of the risk affects the United Kingdom and European Union, Asia, the Middle East, Australia, New Zealand, and North and Latin America are also at risk. 

The two critical flaws include CVE-2024-41585, which could lead to OS command execution, and CVE-2024-41592, which is vulnerable to buffer overflow and could lead to RCE. 

The fix: Each vulnerability has a patch available from DrayTek, so your security team should apply those immediately. Additionally, Forescout recommends disabling remote access on the routers and enabling access control lists to reduce potential exposure.

October 3, 2024

Apple Flaws Fixed in New iOS & iPadOS Versions

Type of vulnerability: Audio capture and password exposure.

The problem: Apple recently patched a vulnerability in its iOS and iPadOS software. If exploited, the iOS vulnerability could allow audio messages to capture seconds of audio input prior to activation of the microphone indicator. This vulnerability is tracked as CVE-2024-44207 and has a base CVSS score of 4.3.

In iPadOS, the flaw allowed VoiceOver to read a user’s saved passwords out loud. Apple addressed the flaw, which was reportedly a logic issue, by improving validation.

This issue is tracked as CVE-2024-44204 and has a base score of 5.5.

The fix: Apple has released version 18.0.1 for both operating systems, which fixes the issue.

Perfectl Malware Threatens Thousands of Linux Servers

Type of attack: Malware.

The problem: Aqua Security researchers posted on their blog about attempted Linux server exploits through a type of malware dubbed perfctl. The malware has been active for the last few years, and the researchers warn that it’s possible every Linux server could be at risk.

According to the report, perfctl malware uses rootkits to avoid discovery and remains dormant while a user is active on the server. Aqua Security’s researchers observed that attackers used the perfctl malware to run a cryptominer and, occasionally, proxy-jacking software. The malware’s name could look legitimate if found running on a system because it combines perf, a Linux monitoring tool, with ctl, a common CLI command for control.

“After exploiting a vulnerability (as in our case) or a misconfiguration, the main payload is downloaded from an HTTP server controlled by the attacker,” researchers Assaf Morag and Idan Revivo said. 

The fix: While this malware has no patch, the researchers provide multiple indicators of compromise (IOCs) at the end of their report that you can use to identify a potential exploit. 

Ivanti Vulnerability from This Spring Is Being Actively Exploited

Type of vulnerability: SQL injection. 

The problem: In a June vulnerability recap, I addressed a critical vulnerability in Ivanti Endpoint Manager that would allow unauthenticated attackers to execute commands on the software. Now, the vulnerability is being actively exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog. 

The vulnerability is tracked as CVE-2024-29824 and has a critical base score of 9.8. 

“The specific flaw exists within the implementation of the RecordGoodApp method,” said a May security notice from the Zero Day Initiative. “The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.”

The fix: If you haven’t yet patched your instance of Ivanti EPM, immediately upgrade it to the most recent product version. 

October 4, 2024

Okta Urges Users to Review System Logs for Unexpected Authentication

Type of vulnerability: Configuration bypass.

The problem: Okta recently notified customers of a potential vulnerability affecting instances of Okta Classic as of July 17, 2024. Certain configurations of Okta could allow a threat actor with valid user credentials to bypass configurations for specific applications’ sign-on policies, Okta said.

The vendor resolved the issue on October 4 in its production environment.

The fix: Okta published the following recommendation:

“Customers who were on Okta Classic as of July 17, 2024, and who meet the above conditions are advised to review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as “unknown” between July 17, 2024 and October 4, 2024 using the following query: outcome.result eq “SUCCESS” and (client.device eq “Unknown” OR client.device eq “unknown”) and eventType eq “user.authentication.sso”.”

Okta also suggested that customers watch applications with default policy rules that can’t be configured and check for deviant user behavior like strange geolocation data or IP addresses. 

Read next:

• Vulnerability Recap 10/1/24 — NVIDIA, Ivanti & Newcomer KIA See Issues
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 10/8/24 – Thousands of Routers & Servers at Risk appeared first on eSecurity Planet.