Deception

Release Upgrade Summary (2024)

This article provides a summary of all new features and enhancements for Zscaler Deception.

The illusionblack.com cloud represents all clouds, and updates to specific clouds might take a few weeks to deploy. Some functions are not available until deployment completes.


The following service updates were deployed to illusionblack.com on the following dates.

December 04, 2024
  • Feature Available
    • Adding Safe Processes to Process Tree Check

      You can configure a program as a safe process and include it as part of the process tree check for generating events. Decoy interactions that involve process trees with these safe processes do not generate events.

      To learn more, see About Safe Processes and Configuring a Safe Process.

    • Blocklist Enhancements

      On the Blocklists page (Deceive > Deceive Settings > Blocklist), you can create blocklists in bulk where the blocklist rule is applied to all decoy IP addresses on multiple Decoy Connectors.

      To learn more, see Creating Blocklists.

    • Deploy Strategy User Interface Enhancements

      The following user interface enhancements were made to the Deploy Strategy page (Deceive > Deploy Strategy):

      • If the ZPA decoy type was selected when creating a strategy, the ZPA and Landmine toggles in the Deploy Network Strategy window are enabled by default. Also, all of the ZPA domains are automatically selected.

      • The Copy icon was added on the Network Decoys and Threat Intelligence (TI) Decoys tabs to copy the hostnames.

      • The default network strategy naming convention was changed to <Strategy name> <Date and time>.

      • The Create Decoys button appears only when there are decoys that are already deployed in the Zscaler Deception Admin Portal. This button allows you to just create the decoys and deploy them later without retriggering the deployment automatically at the time of decoy creation.

      To learn more, see Deploying a Strategy.

    • Generative AI Decoys

      Enterprises are increasingly adopting generative AI (Gen AI) technologies, such as large language models (LLMs) in their products, services, and internal operations. These systems have become a growing attack surface for adversaries. Threat actors target generative AI infrastructure for data exfiltration, asset compromise, organizational intelligence gathering, etc. Attackers target datasets for data poisoning and data exfiltration. They also use interactive attacks such as prompt injection to target AI systems and extract valuable data.

      To address these emerging risks, Zscaler Deception provides high-interaction generative AI decoys that mimic assets like chatbots, LLM servers, APIs, etc. These decoys swiftly detect attacks and deflect the attacker from compromising the real assets. The generative AI decoy's capability extends advanced threat detection and mitigation to generative AI attack factors and prepares your organization to deal with the new rise of targeted attacks.

      You can create interactive and file-based generative AI decoys.

      Interactive Generative AI Decoys

      Interactive generative AI decoys mimic common web-based generative AI infrastructure such as chatbots, LLM servers, APIs, etc. You can deploy these decoys by configuring generative AI services and AI-based high-interaction or static application datasets. You can configure these decoys according to your organization’s use case and generate responses based on the attacker’s intent. You can deploy interactive generative AI decoys on Zero Trust Networks via Zscaler Private Access (ZPA) decoys, customer-managed internal networks via Internal Decoys, and the internet via Threat Intelligence (TI) decoys.

      To learn more, see Deploying Interactive Generative AI Decoys and Configuring Generative AI Services on a Network Decoy.

      The following application datasets were added to create interactive generative AI decoys:

      Application | Type
      GenAI OpenWebUI | High-interaction
      Apache Airflow | Static
      Bento-Frontend | Static
      ClearML | Static
      GitLab GenAI | Static
      JupyterHub | Static
      MetaFlow | Static
      MLFlow | Static
      RayServe | Static

      To learn more, see About Static Application Datasets and About High-Interaction Containers.

      File-Based Generative AI Decoys

      File-based generative AI decoys mimic the resources used to set up local LLMs. You can lure attackers by deploying these decoy file resources to one of the following assets:

      In addition, you can configure session lures via landmine policies to point to any file-based generative AI decoys.

      The following new file datasets were added to create file-based generative AI decoys:

      File Dataset | Description
      Falcon-7b | An LLM developed by the Technology Innovation Institute (TII) for use in summarization, text generation, and chatbots.
      GPT-2 Large | An LLM developed by OpenAI optimized for generating high-quality, context-aware text across diverse applications.

      To learn more, see About File Datasets.

      Enhancements to Landmine Policies

      The following lure modules in landmine policies were updated to support generative AI decoys:

      Lure Module | Enhancements
      Browser Lures | Ability to add web-based generative AI decoys as target decoys
      Session Lures | Ability to add web-based and file-based generative AI decoys as target decoys
      File Decoys | Ability to deploy file-based decoys to endpoints or add a web-based decoy as a target decoy for credential file decoys

      To learn more, see About Landmine Policies.

      Generative AI Network Personality

      Deception provides a generative AI decoy personality that serves as a template for deploying generative AI decoys via network decoys. You can use this personality when configuring network decoys, or use it in a deception strategy to create decoys.

      To learn more, see About Network Decoy Personalities.

      ThreatParse Details and Event Logs

      When an adversary compromises an endpoint and attempts a data exfiltration attack to find credentials to an internally hosted LLM application that is a generative AI decoy, Deception detects the attack and generates event logs. It also captures the prompt and, using the generative AI Malicious Input Prompt ThreatParse rule, automatically categorizes it (as malicious, for example) for further investigation.

      In the Gen AI Malicious Input Prompt ThreatParse rule, the classification of whether the prompt is malicious and the categorization are determined by enriching data using Deception AI. Hence, the values for the gen ai malicious and gen ai malicious category fields might be inaccurate. Verify the details for accuracy or completeness before making any decisions.

      After the threat is detected, the configured orchestration rules automatically contain the attack and block the compromised user from accessing any private applications in the environment.

      The responses or content generated by the Deception AI are for information purposes only. The content is prone to inaccuracy and AI hallucinations. Verify the details for accuracy or completeness before making any decisions.

      To learn more, see Viewing ThreatParse Details and About Event Logs.

    • New Datasets

      A static dataset for Ivanti Virtual Traffic Manager (vTM) was added. Ivanti vTM is a software-based application delivery controller (ADC) that optimizes web application performance, security, and scalability through load balancing, traffic shaping, and acceleration in virtual, cloud, or container environments.

      To learn more, see About Static Application Datasets.

    • New ThreatParse Rules

      The following datasets for different application vulnerabilities were added:

      Application | CVE ID | Description
      Ivanti Virtual Traffic Manager (vTM) | CVE-2024-7593 | A flawed authentication algorithm in Ivanti Virtual Traffic Manager (vTM), except in versions 22.2R1 and 22.7R2, enables remote unauthenticated attackers to bypass admin panel authentication, potentially granting unauthorized access and control over the system.
      Adobe Commerce and Magento | CVE-2024-34102 | Improper Restriction of XML External Entity Reference (XXE) vulnerability that can result in arbitrary code execution in Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.

      To learn more, see About ThreatParse Rules.

    • Support for Target Decoys in Credential File Decoys

      While configuring credential file decoys using landmine policies, you can select specific Threat Intelligence (TI) or network decoys as target decoys from the Target Decoys drop-down menu. Credentials to access the selected decoys are generated and placed in the credential files.

      To learn more, see Configuring the File Decoys Module and About Landmine Policies.

August 14, 2024
  • Feature Available
    • Changes to the Force Apply Option in Edge Lures

      Due to changes in the deployment of browser lures on endpoints, the Force Apply option for Edge browsers does not need to be enabled for landmine agent or agentless versions later than 4.23. The Force Apply option was used to deploy landmine policies when the Startup Boost option was enabled in Edge browsers. For older versions (up to 4.23) of landmine agent and agentless, the Force Apply option is still required to apply the policies if the Startup Boost option is enabled in Edge browsers.

      To learn more, see Configuring the Browser Lures Module.

    • Force Delete Cloud Deception Settings

      The option to force delete Cloud Deception settings was added for both Azure and AWS configurations. This can be used when the deployment script fails to remove the entries of the cloud resources from the Zscaler Deception Admin Portal.

      For Azure Cloud Deception, the Force Delete option was added to Deceive > Cloud Deception > Azure > Settings.

      To learn more, see Deleting Azure Deception Settings.

      For AWS Cloud Deception, the Force Delete option was added to Deceive > Cloud Deception > AWS > Settings.

      To learn more, see Deleting AWS Deception Settings.

    • New Datasets

      The following datasets for different application vulnerabilities were added:

      Application | CVE ID | Description
      CData API Server | CVE-2024-31848 | Path Traversal vulnerability in the Java version of CData API Server up to version 23.4.8844 while running with the embedded Jetty server. The vulnerability could be exploited by any unauthenticated remote attacker to gain complete administrative access to the application.
      GitLab Server | CVE-2023-7028 | Account Takeover vulnerability in GitLab Server Community Edition and Enterprise Edition affecting all versions from 16.1 to 16.1.6, 16.2 to 16.2.9, 16.3 to 16.3.7, 16.4 to 16.4.5, 16.5 to 16.5.6, 16.6 to 16.6.4, and 16.7 to 16.7.2. By exploiting this vulnerability, an attacker can take over any GitLab account using the password reset feature, as tokens and password reset links could be delivered to an unverified email address without authentication.
      ServiceNow | CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217 | A vulnerability chain containing improper input validation and unauthenticated remote code execution vulnerabilities in the Vancouver and Washington DC Now Platform releases. CVE-2024-4879 involves a Jelly Template Injection flaw in ServiceNow UI Macros, and CVE-2024-5178 relates to an authorization bypass. The combined exploitation of these vulnerabilities poses a high security risk with a CVSS score up to 9.8.
      Check Point Quantum Gateway | CVE-2024-24919 | Information Disclosure vulnerability that can allow an attacker to access certain information on internet-connected gateways which have been configured with IPSec VPN, remote access VPN, or mobile access software blade.
      Atlassian Confluence Server and Data Center | CVE-2024-21683 | Remote Code Execution vulnerability that was introduced in version 5.2 of Confluence Server and Data Center. This vulnerability has a CVSS score of 7.2; allows an authenticated attacker to execute arbitrary code, which has a high impact on confidentiality, integrity, and availability; and requires no user interaction.
      Zyxel NAS326 | Not applicable | Network Attached Storage solution from Zyxel.
      Atlassian Jira | Not applicable | A comprehensive tool for tracking bugs, issues, and agile project management from Atlassian.
      GitHub Enterprise | Not applicable | A collaborative software development and version control solution tailored for enterprises and businesses from GitHub.

      To learn more, see About Vulnerable Application Datasets (CVE Datasets).

    • New ThreatParse Rules

      The following ThreatParse Rules that detect exploits of different application vulnerabilities were added:

      Application | CVE ID | Description
      CData API Server | CVE-2024-31848 | Path Traversal vulnerability in the Java version of CData API Server up to version 23.4.8844 while running with the embedded Jetty server. The vulnerability could be exploited by any unauthenticated remote attacker to gain complete administrative access to the application.
      GitLab Server | CVE-2023-7028 | Account Takeover vulnerability in GitLab Server Community Edition and Enterprise Edition affecting all versions from 16.1 to 16.1.6, 16.2 to 16.2.9, 16.3 to 16.3.7, 16.4 to 16.4.5, 16.5 to 16.5.6, 16.6 to 16.6.4, and 16.7 to 16.7.2. By exploiting this vulnerability, an attacker can take over any GitLab account using the password reset feature, as tokens and password reset links could be delivered to an unverified email address without authentication.
      PHP-CGI | CVE-2024-4577 | Argument Injection vulnerability in PHP that allows any adversary to remotely execute malicious commands on any server hosting PHP systems. The vulnerability is exploited through the PHP-CGI script engine, even if PHP is not configured in CGI mode, and can be exploited in all versions of PHP for Windows.
      ServiceNow | CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217 | A vulnerability chain containing improper input validation and unauthenticated remote code execution vulnerabilities in the Vancouver and Washington DC Now Platform releases. CVE-2024-4879 involves a Jelly Template Injection flaw in ServiceNow UI Macros, and CVE-2024-5178 relates to an authorization bypass. The combined exploitation of these vulnerabilities poses a high security risk with a CVSS score up to 9.8.
      Check Point Quantum Gateway | CVE-2024-24919 | Information Disclosure vulnerability that can allow an attacker to access certain information on internet-connected gateways which have been configured with IPSec VPN, remote access VPN, or mobile access software blade.
      Atlassian Confluence Server and Data Center | CVE-2024-21683 | Remote Code Execution vulnerability that was introduced in version 5.2 of Confluence Server and Data Center. This vulnerability has a CVSS score of 7.2; allows an authenticated attacker to execute arbitrary code, which has a high impact on confidentiality, integrity, and availability; and requires no user interaction.

      To learn more, see About ThreatParse Rules.

    • OS Upgrade on Decoy Connectors

      The operating system on Decoy Connectors was upgraded to FreeBSD 14.1.

June 05, 2024
  • Feature Available
    • Dedicated User Profiles for Deploying Chrome Lures

      For deploying browser lures in Chrome browsers, a new user profile is created instead of using the default user profile. The new profile is maintained as a hidden profile and exists alongside the default user profile. The browser lures in the Chrome browser are no longer visible from the default user profile.

      To learn more, see Configuring the Browser Lures Module.

    • New Datasets

      The following datasets for different application vulnerabilities were added:

      Application | CVE ID | Vulnerability Description
      Adobe ColdFusion | CVE-2024-20767 | Improper Access Control vulnerability in certain versions of ColdFusion, including 2023.6, 2021.12, and earlier. This vulnerability could be exploited by an attacker without any user interaction to read sensitive files on the system and perform unauthorized file system write operations.
      JetBrains TeamCity | CVE-2024-27199 | Authentication Bypass vulnerability in JetBrains TeamCity version 2023.11.4 or earlier that allows for path traversal and thereby enables the attacker to perform a limited set of administrative actions. This vulnerability could be exploited by an attacker to access and manipulate files and perform certain administrative tasks beyond their authorized privileges.
      pyLoad | CVE-2024-21644 | Configuration File Disclosure vulnerability in pyLoad that allows any unauthenticated user to access a specific URL and expose the Flask configuration, including the SECRET_KEY variable. The SECRET_KEY is a critical component used for cryptographic operations and should remain confidential.
      JetBrains TeamCity | CVE-2024-27198 | Authentication Bypass vulnerability in JetBrains TeamCity version 2023.11.4 or earlier that allows unauthorized users to perform administrative actions. This vulnerability could allow attackers to gain access to administrative functionalities without providing proper authentication credentials.
      Cisco IOS XE | CVE-2023-20198 | Privilege Escalation vulnerability that allows an attacker to gain initial access and then elevate their privilege and create a local user. Subsequently, the attacker exploits another web UI component, leveraging the new local user to elevate privilege to root and write an implant to the file system.

      To learn more, see About Vulnerable Application Datasets (CVE Datasets).

    • New ThreatParse Rules

      The following ThreatParse Rules that detect exploits of different application vulnerabilities were added:

      Application | CVE ID | Vulnerability Description
      Adobe ColdFusion | CVE-2024-20767 | Improper Access Control vulnerability in certain versions of ColdFusion, including 2023.6, 2021.12, and earlier. This vulnerability could be exploited by an attacker without any user interaction to read sensitive files on the system and perform unauthorized file system write operations.
      Metabase | CVE-2023-38646 | Pre-Authentication Remote Code Execution vulnerability in Metabase Open Source version 0.46.6.6 or earlier and Metabase Enterprise version 1.46.6.1 or earlier that allows attackers to execute arbitrary commands on the server with the same privileges as the server itself. This vulnerability can be exploited without requiring authentication.
      pyLoad | CVE-2024-21645 | Log Injection vulnerability in pyLoad that allows any unauthenticated actor to inject arbitrary messages into the logs collected by pyLoad. This vulnerability poses a risk because forged or corrupted log files could be used to conceal an attacker's activities or falsely implicate another party.
      JetBrains TeamCity | CVE-2024-27198 | Authentication Bypass vulnerability in JetBrains TeamCity version 2023.11.4 or earlier that allows unauthorized users to perform administrative actions. This vulnerability could allow attackers to gain access to administrative functionalities without providing proper authentication credentials.
      JetBrains TeamCity | CVE-2024-27199 | Authentication Bypass vulnerability in JetBrains TeamCity version 2023.11.4 or earlier that allows for path traversal and thereby enables the attacker to perform a limited set of administrative actions. This vulnerability could be exploited by an attacker to access and manipulate files and perform certain administrative tasks beyond their authorized privileges.
      pyLoad | CVE-2024-21644 | Configuration File Disclosure vulnerability in pyLoad that allows any unauthenticated user to access a specific URL and expose the Flask configuration, including the SECRET_KEY variable. The SECRET_KEY is a critical component used for cryptographic operations and should remain confidential.
      Cisco IOS XE | CVE-2023-20198 | Privilege Escalation vulnerability that allows an attacker to gain initial access and then elevate their privilege and create a local user. Subsequently, the attacker exploits another web UI component, leveraging the new local user to elevate privilege to root and write an implant to the file system.
      D-Link Network Attached Storage | CVE-2024-3273 | Remote Code Execution vulnerability in D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403 that affects an unknown function of the /cgi-bin/nas_sharing.cgi file in the HTTP GET Request Handler component. Manipulation of the argument "system" leads to command injection. This vulnerability allows attackers to launch the attack remotely.
      IBM Operational Decision Manager | CVE-2024-22320 | Java Deserialization vulnerability in IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, and 8.12.0.1 that allows a remote authenticated attacker to execute arbitrary code on the system. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM.
      Apache Airflow | CVE-2022-24288 | OS Command Injection vulnerability in Apache Airflow version 2.2.4 or earlier due to some Directed Acyclic Graphs that did not properly sanitize user-provided parameters, making them susceptible to command injection from the web UI.
      WordPress RSVP | CVE-2022-1054 | Missing Authorization vulnerability that reveals sensitive information such as first name, last name, and email address of users registered for events.
      Sophos Firewall | CVE-2022-1040 | Authentication Bypass vulnerability in Sophos Firewall version 18.5 MR3 or earlier that allows a remote attacker to execute code in the User Portal and Webadmin.
      Atlassian Jira | CVE-2022-0540 | Authentication Bypass vulnerability in Jira Seraph that allows an unauthenticated attacker to remotely send specially created HTTP requests to Jira Server and Data Center (versions 8.13.18 or earlier, 8.14.0 to 8.20.6, and 8.21.0 to 8.22.0) and Jira Service Management Server and Data Center (versions 4.13.18 or earlier, 4.140 to 4.20.6, and 4.21.0 to 4.22.0).
      Microweber | CVE-2022-0281 | Information Disclosure vulnerability in Microweber that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11.
      D-Link D-View | CVE-2023-5074 | Authentication Bypass vulnerability in D-Link D-View 8 v2.0.1.28 due to the use of a static key to protect a JWT token used in user authentication.
      WordPress WPQA | CVE-2022-1598 | Improper Access Control vulnerability in WordPress WPQA plugin versions prior to 5.5 due to lack of authentication in a REST API endpoint. An attacker can potentially discover private questions sent between users on the site.

      To learn more, see About ThreatParse Rules.

    • Proxy Awareness in Standalone Landmine Agents for Windows

      Standalone landmine agents for Windows include support for proxy awareness. This functionality allows the agents to automatically detect and apply the proxy configurations if they are already available in the system.

      To learn more, see Installing a Landmine Agent on Windows.

April 17, 2024
  • Feature Available
    • Containment Integration for Identity Threat Protection with Okta AI

      You can integrate Zscaler Deception with Okta to push user risk scores by leveraging the Shared Signals Framework (SSF). With this integration, Deception pushes user risk scores to Okta for Zscaler Client Connector users based on the events generated when users interact with decoys. Based on the risk score and Okta policies, Okta can end the user’s sessions, prompt a Multi-Factor Authentication (MFA) challenge, or invoke a workflow to restore your organization's security posture.

      To learn more, see Containment Configuration Guide for Identity Threat Protection with Okta AI.

    • New Datasets

      The following new datasets for different application vulnerabilities were added:

      Application | CVE ID | Description
      Ivanti Connect Secure | CVE-2024-22024 | XML External Entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (versions 9.x and 22.x). This vulnerability allows malicious actors to exploit the system and gain unauthorized access to restricted resources. By leveraging the XXE vulnerability, attackers can bypass authentication mechanisms and retrieve sensitive information or perform unauthorized actions within the affected systems.
      Jenkins | CVE-2024-23897 | Jenkins versions 2.441 and earlier, as well as LTS versions 2.426.2 and earlier, contain a security vulnerability related to the Command Line Interface (CLI) command parser. This vulnerability allows unauthenticated attackers to read arbitrary files on the file system of the Jenkins controller. The vulnerability stems from a feature in the CLI command parser that replaces a specific pattern, an '@' character followed by a file path in an argument, with the contents of the referenced file. Due to the lack of proper authentication checks, an adversary can exploit this feature to retrieve sensitive information from any file accessible to the Jenkins controller.
      Atlassian Confluence | CVE-2023-22527 | Template Injection vulnerability in Atlassian's Confluence Server and Data Center that enables unauthenticated attackers to inject OGNL (Object-Graph Navigation Language) expressions. Exploiting this vulnerability grants adversaries the ability to execute arbitrary code, including system commands, which can lead to the compromise of affected Confluence instances. The flaw allows attackers to manipulate templates within Confluence, injecting malicious OGNL expressions that are then executed by the application.
      Citrix ShareFile | CVE-2023-24489 | Improper Access Control vulnerability in the customer-managed ShareFile storage zones controller that enables unauthenticated attackers to compromise the customer-managed ShareFile storage. As a result, sensitive data stored within the affected storage zones can be exfiltrated or tampered with. The vulnerability arises from a lack of proper access controls, allowing unauthorized individuals to gain remote access to the customer-managed ShareFile storage. After access is obtained, attackers can manipulate or steal data, potentially leading to unauthorized disclosure, data breaches, or other malicious activities.
      Adobe ColdFusion | CVE-2023-26360 | Improper Access Control vulnerability that allows adversaries to drop malware onto a system using HTTP POST commands. By exploiting this vulnerability, attackers can bypass proper access controls and execute arbitrary code remotely. This is achieved through a request containing an injected cfexecute tag, enabling the adversaries to compile and save a malicious file on the targeted system. The vulnerability arises due to inadequate access control mechanisms, allowing unauthorized individuals to send HTTP POST commands with malicious intent. By injecting the cfexecute tag into the request, attackers can execute arbitrary commands and potentially drop malware onto the compromised system. This can lead to unauthorized access, data theft, system compromise, and other malicious activities.

      To learn more, see About Vulnerable Application Datasets (CVE Datasets).

    • New ThreatParse Rules

      The following new ThreatParse Rules that detect exploits of different application vulnerabilities were added:

      Application | CVE ID | Description
      Ivanti Connect Secure | CVE-2024-22024 | XML External Entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (versions 9.x and 22.x). This vulnerability allows malicious actors to exploit the system and gain unauthorized access to restricted resources. By leveraging the XXE vulnerability, attackers can bypass authentication mechanisms and retrieve sensitive information or perform unauthorized actions within the affected systems.
      Jenkins | CVE-2024-23897 | Jenkins versions 2.441 and earlier, as well as LTS versions 2.426.2 and earlier, contain a security vulnerability related to the Command Line Interface (CLI) command parser. This vulnerability allows unauthenticated attackers to read arbitrary files on the file system of the Jenkins controller. The vulnerability stems from a feature in the CLI command parser that replaces a specific pattern, an '@' character followed by a file path in an argument, with the contents of the referenced file. Due to the lack of proper authentication checks, an adversary can exploit this feature to retrieve sensitive information from any file accessible to the Jenkins controller.
      Atlassian Confluence | CVE-2023-22527 | Template Injection vulnerability in Atlassian's Confluence Server and Data Center that enables unauthenticated attackers to inject OGNL (Object-Graph Navigation Language) expressions. Exploiting this vulnerability grants adversaries the ability to execute arbitrary code, including system commands, which can lead to the compromise of affected Confluence instances. The flaw allows attackers to manipulate templates within Confluence, injecting malicious OGNL expressions that are then executed by the application.
      Citrix ShareFile | CVE-2023-24489 | Improper Access Control vulnerability in the customer-managed ShareFile storage zones controller that enables unauthenticated attackers to compromise the customer-managed ShareFile storage. As a result, sensitive data stored within the affected storage zones can be exfiltrated or tampered with. The vulnerability arises from a lack of proper access controls, allowing unauthorized individuals to gain remote access to the customer-managed ShareFile storage. After access is obtained, attackers can manipulate or steal data, potentially leading to unauthorized disclosure, data breaches, or other malicious activities.
      Adobe ColdFusion | CVE-2023-26360 | Improper Access Control vulnerability that allows adversaries to drop malware onto a system using HTTP POST commands. By exploiting this vulnerability, attackers can bypass proper access controls and execute arbitrary code remotely. This is achieved through a request containing an injected cfexecute tag, enabling the adversaries to compile and save a malicious file on the targeted system. The vulnerability arises due to inadequate access control mechanisms, allowing unauthorized individuals to send HTTP POST commands with malicious intent. By injecting the cfexecute tag into the request, attackers can execute arbitrary commands and potentially drop malware onto the compromised system. This can lead to unauthorized access, data theft, system compromise, and other malicious activities.
      SysAid | CVE-2023-47246 | Path Traversal vulnerability leading to code execution after an attacker writes a file to the Tomcat webroot. The vulnerability occurs due to insufficient input validation, allowing attackers to manipulate file paths and access files outside of the intended directory. By exploiting this flaw, an attacker can traverse the directory structure and write a malicious file to the Tomcat webroot. After the file is successfully written, the attacker can execute arbitrary code on the affected system, potentially leading to unauthorized access, data compromise, and other malicious activities.

      To learn more, see About ThreatParse Rules.

    • Removal of Phone and Text Message Notifications

      Zscaler Deception no longer supports phone and text message notifications. As a result, the following changes were made across the Zscaler Deception Admin Portal:

    • User Interface Changes and Enhancements

      On the Agent Update Groups page in the Zscaler Deception Admin Portal (Settings > Endpoint Settings > Agent Update Groups), the Agent Group window was renamed to Agent Update Group Details.

      To learn more, see About Agent Update Groups.

February 14, 2024
  • Feature Available
    • Configure Safe Processes Using Regular Expressions

      You can add safe processes to Zscaler Deception using regular expressions. This lets a single safe process entry cover multiple processes whose names match a specific pattern of strings.

      To learn more, see Configuring a Safe Process.
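      The following is an added illustration of how a regular-expression safe-process allowlist behaves; it is example code written for this summary, not code from Zscaler Deception, and the patterns, process names and matching semantics (full-name match, validation at configuration time) are assumptions, since the page does not describe how the product evaluates its patterns. It shows the two things a practitioner usually wants to verify before trusting such an allowlist: that an invalid pattern is rejected rather than silently matching, and that a pattern is anchored so a look-alike process name is not treated as safe.

```python
import re
from typing import Dict, List, Pattern

# Constructed example patterns (assumption: one pattern per safe-process entry,
# matched against the full process name as the agent reports it; the real
# Zscaler Deception matching semantics are not described on this page).
SAFE_PROCESS_PATTERNS: List[str] = [
    r"backup_agent_v\d+\.exe",                                   # versioned agent binary
    r"(?i)c:\\program files\\corp scanner\\scan(?:ner)?\.exe",   # case-insensitive full path
]


def validate_patterns(patterns: List[str]) -> Dict[str, str]:
    """Return {pattern: error} for every pattern that does not compile.

    Validating at configuration time fails closed: a broken safe-process
    pattern is rejected instead of silently matching nothing (or everything).
    """
    errors: Dict[str, str] = {}
    for pat in patterns:
        try:
            re.compile(pat)
        except re.error as exc:
            errors[pat] = str(exc)
    return errors


def compile_safe_patterns(patterns: List[str]) -> List[Pattern[str]]:
    """Compile all patterns; refuse the whole list if any entry is invalid."""
    bad = validate_patterns(patterns)
    if bad:
        raise ValueError(f"invalid safe-process patterns: {bad}")
    return [re.compile(p) for p in patterns]


def is_safe_process(name: str, compiled: List[Pattern[str]]) -> bool:
    """True if the process name is covered by any safe-process pattern.

    fullmatch() anchors both ends. An unanchored search() would accept
    'backup_agent_v1.exe.tmp' or 'notbackup_agent_v1.exe' as safe, which is
    the usual mistake when a regex allowlist is used to suppress alerts.
    """
    return any(p.fullmatch(name) is not None for p in compiled)


def unmatched_processes(process_tree: List[str],
                        compiled: List[Pattern[str]]) -> List[str]:
    """Return the processes in a decoy interaction's process tree that no
    safe-process entry covers. Only coverage is reported here; how a partly
    covered tree is treated is the product's decision, not this example's."""
    return [p for p in process_tree if not is_safe_process(p, compiled)]


if __name__ == "__main__":
    compiled = compile_safe_patterns(SAFE_PROCESS_PATTERNS)
    tree = ["backup_agent_v12.exe", "scheduler.exe"]   # constructed sample tree
    print(unmatched_processes(tree, compiled))          # ['scheduler.exe']
```

      The inline `(?i)` flag makes the second pattern case-insensitive, which matters when process paths come from Windows endpoints; a pattern without it would miss `C:\Program Files\...` if it was written in lower case.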

    • New Datasets

      The following new datasets for different application vulnerabilities were added:

      Application | CVE ID | Vulnerability Description
      JetBrains TeamCity < 2023.05.4 | CVE-2023-42793 | Authentication Bypass vulnerability that allows unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue.
      SysAid | CVE-2023-47246 | Path Traversal vulnerability leading to code execution after an attacker writes a file to the Tomcat webroot using this exploit.
      D-Link D-View | CVE-2023-5074 | Hard-coded JWT Authentication Bypass vulnerability in D-Link D-View 8 v2.0.1.28.
      Ivanti Connect Secure (Authentication Bypass) | CVE-2023-46805 | Authentication Bypass vulnerability in Ivanti Connect Secure (9.x and 22.x) which allows attackers to access restricted resources by bypassing control checks. Additionally, when combined with another exploit (CVE-2024-21887), attackers can achieve remote code execution.
      Ivanti Connect Secure (Server-Side Request Forgery) | CVE-2024-21893 | Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure (9.x and 22.x) which allows attackers to access restricted resources without authentication. It can also be combined with another vulnerability (CVE-2024-21887) to gain remote code execution (RCE) capabilities.
      Ivanti Connect Secure (Command Injection) | CVE-2024-21887 | Command Injection vulnerability in the web components of Ivanti Connect Secure (9.x and 22.x) which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the targeted appliance. Attackers exploiting this vulnerability can gain unauthorized access and potentially manipulate the system beyond its intended functionality.

      To learn more, see About Vulnerable Application Datasets (CVE Datasets).

    • New ThreatParse Rules

      The following new ThreatParse Rules that detect exploits of different application vulnerabilities were added:

      Application | CVE ID | Vulnerability Description
      Ivanti Connect Secure (Authentication Bypass) | CVE-2023-46805 | Authentication Bypass vulnerability in Ivanti Connect Secure (9.x and 22.x) which allows attackers to access restricted resources by bypassing control checks. Additionally, when combined with another exploit (CVE-2024-21887), attackers can achieve remote code execution.
      Ivanti Connect Secure (Server-Side Request Forgery) | CVE-2024-21893 | Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure (9.x and 22.x) which allows attackers to access restricted resources without authentication. It can also be combined with another vulnerability (CVE-2024-21887) to gain remote code execution (RCE) capabilities.
      Ivanti Connect Secure (Command Injection) | CVE-2024-21887 | Command Injection vulnerability in the web components of Ivanti Connect Secure (9.x and 22.x) which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the targeted appliance. Attackers exploiting this vulnerability can gain unauthorized access and potentially manipulate the system beyond its intended functionality.

      To learn more, see About ThreatParse Rules.

    • Option to Force Apply Lures for Edge Browsers

      In the landmine policy configuration window, a Force Apply toggle was added in the Browser Lures module for Microsoft Edge lures. This toggle can enable or disable the Startup boost option in the Edge browser settings.

      • If Force Apply is enabled, the Startup boost option in the Edge browser settings gets disabled.
      • If Force Apply is disabled, the Startup boost option in the Edge browser settings gets enabled.

      When configuring lures for Microsoft Edge browser, you can select the Force Apply option to disable the Startup boost option in the browser settings. When the Startup boost option is enabled in the browser settings, the browser runs in the background with minimal processes to improve performance. However, this can prevent landmine policies from being applied to the browser. By default, the Force Apply option is disabled.

      To learn more, see Configuring the Browser Lures Module.

    • User Interface Changes and Enhancements

      The following user interface changes and enhancements were made to the Zscaler Deception Admin Portal.

      • Under Settings, a new section "Endpoint Settings" was added, and certain options from Deceive > Landmine were moved to this new section with some UI label changes. The following table compares the UI changes before and after this update:

        Old | New
        Deceive > Landmine > Agents | Settings > Endpoint Settings > Agents
        Deceive > Landmine > Settings | Settings > Endpoint Settings > Agent Configuration
        Deceive > Landmine > Update phase groups | Settings > Endpoint Settings > Agent Update Groups
        Deceive > Landmine > Safe Processes | Settings > Endpoint Settings > Safe Processes

        To learn more, see About Settings.

      • On the Agents page (Settings > Endpoint Settings > Agents), a Show all agents toggle was added under the Actions drop-down menu. This toggle allows you to show or hide inactive agents from the Agents table. As a result, this toggle affects the list of options shown in the Version drop-down menu in the Agents table.

        To learn more, see About Landmine Agents and Agentless.

      • Under Deceive > Landmine > Policy, the ITDR-Active Directory module was removed from the landmine policy configuration window.

    • ZPA App Connector Dashboard in Deception

      In the Zscaler Deception Admin Portal, ZPA App Connectors hosted by Zscaler are used to deploy Zero Trust Network decoys in the Zero Trust Exchange (ZTE) environment. The App Connectors create a secure interface between the Decoy Connector and the ZTE via Zscaler Private Access (ZPA).

      You can view the App Connector details on the ZPA App Connectors page (Settings > Topology > ZPA App Connector). You can also view and download the update and debug logs of the App Connector.

      To learn more, see About ZPA App Connectors in Deception.
