Elements Security Center
Changes to the Elements Security Center
On 30th January 2024, we published changes to the Elements Security Center, bringing the Endpoint Protection and Endpoint Detection and Response functionality closer together.
This is an important part of our overall design vision to make Elements Security Center more user-focused for day-to-day tasks, bringing related functionality together and reducing the number of pages where similar functionality is used for the different parts of WithSecure Elements.
You can find out more details about the changes in our dedicated article.
Elements Endpoint Protection
Elements Mobile Protection update for Android (23.5.0022639)
An update to the WithSecure Elements Mobile Protection app for Android (23.5.0022639) has been released.
The app now supports the following security parameters:
- Detection of network connections that use a proxy
- Detection of available disk space
Elements Agent for Windows and Server
A new version of the endpoint clients is available. This release makes the Elements Agent version 24.1 available (internal version 24.1.85), and the endpoints automatically upgrade without a reboot.
More visibility into problems when an endpoint is missing the ACS dependencies
This release gives more visibility into the problems that occur when an endpoint is missing the ACS (Azure Code Signing) dependencies.
For more information, see the separate article on ACS dependencies.
Improved Connectivity tool report view
The Connectivity Tool report view has an improved user experience: it is now possible to select the listed URLs and copy them to the clipboard.
New system event in System Events detection
A new system event (EventID 865, SoftwareRestrictionPolicies) is available in system events detection.
This event is triggered (if enabled in the profile) when a user attempts to run a program that is not allowed by the policy.
Pre-Notification: Upcoming changes to WithSecure Elements Mobile Protection
During the first quarter of 2024, we will be releasing a new version of this product, and we want to let you know in advance so you can make your end-users aware.
These changes will bring Elements Mobile Protection closer to the rest of the Elements product family in terms of functionality. We are modernizing how we protect network traffic, and at the same time providing more visibility into the security of the device. These are essential for modern B2B applications.
Changes in a nutshell:
- Improved overall user experience and reliability when browsing traffic is being protected.
- A Network Gateway to protect network traffic, also using the WithSecure Security Cloud for seamless, fast and reliable scanning.
- A Browsing Protection plugin for Safari on iOS.
- Visibility of Elements Mobile Protection events in the Elements Security Center.
- The Network Gateway on the device will replace the current VPN functionality.
To improve the reliability and security of browsing traffic, we will be implementing a “Network Gateway” on the device. This will replace the current VPN functionality of the mobile clients, which routes all device network traffic to an external “VPN exit node”. With the Network Gateway, you will no longer be able to select a VPN exit node, but you will benefit from more comprehensive protection of your browsing traffic. Please note that network traffic will not be encrypted with this new functionality.
The user will not need to install a new application.
We are currently finalizing the changes for these new clients, and we will provide an update once we have a firm release date. At the same time, we will provide a link to more information on the changes and any steps partners or customers should be aware of.
Elements Endpoint Detection and Response
EDR: Process tree
We have enabled a new Process Tree view in Elements Detection and Response.
This is a proof-of-concept built from completely new components and a lot of refactored code, so we would greatly appreciate feedback to improve it further.
Please report all bugs and any performance issues. The new view does not yet provide all the functionality of the "old" tree, but the missing elements will be added soon.
We hope that this will help our users investigate Broad Context Detections at a deeper level using the new version of the EDR BCD Details.
Note: The old process tree view is still available.
Elements Vulnerability Management
EVM: Portal Changes
The summary report configurator has been updated to correctly display the values of the selected assets and scans.
Integrations
Elements API
Statistics of Security Events
The Elements API client can read statistics from the query endpoint. When a request contains the HTTP header
Accept: application/vnd.withsecure.aggr+json
the Elements API selects all events matching the query parameters and groups them by the selected property. In the response, the client receives the number of items in each group.
Example
curl -v -X POST \
  -H "Accept: application/vnd.withsecure.aggr+json" \
  -d "count=engine" \
  -d "engineGroup=epp" \
  -d "persistenceTimestampStart=2024-01-01T00:00:00Z" \
  ""
The example cURL request reads statistics for EPP security events that were created after 2024-01-01. The client uses the parameter count=engine to group the events by the engine property.
{
"items" : [{
"engine" : "manualScanning",
"count" : 10
}, {
"engine" : "tamperProtection",
"count" : 143
}, {
"engine" : "firewall",
"count" : 17
}, {
"engine" : "deepGuard",
"count" : 22
} ]
}
The received response shows that the API found 10 events from manualScanning, 143 events from tamperProtection, 17 events from firewall and 22 events from deepGuard.
The Elements API Cookbook contains an example statistics request implemented in Python.
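As an added example (not the Elements API Cookbook's own code), the following Python script builds the aggregation request described above and parses the grouped-count response. The endpoint URL is a placeholder because the page elides it, and the authentication headers are left to the caller because the page does not describe them.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AGGR_ACCEPT = "application/vnd.withsecure.aggr+json"
# Placeholder: the page elides the endpoint URL, substitute the real one.
QUERY_URL = "https://<elements-api-host>/<security-events-query-endpoint>"


def build_stats_request(url, count_by, auth_headers=None, **filters):
    """POST request whose Accept header asks for grouped counts.

    count_by is the property to group on ("engine" on this page); filters are
    the other query parameters (engineGroup, persistenceTimestampStart, ...).
    Authentication is not described on the page, so callers supply headers."""
    body = urlencode({"count": count_by, **filters}).encode()
    headers = {"Accept": AGGR_ACCEPT,
               "Content-Type": "application/x-www-form-urlencoded",
               **(auth_headers or {})}
    return Request(url, data=body, headers=headers, method="POST")


def parse_stats(payload, count_by):
    """Map each group value to its count; reject malformed items loudly."""
    stats = {}
    for item in json.loads(payload).get("items", []):
        if count_by not in item or "count" not in item:
            raise ValueError(f"unexpected aggregation item: {item!r}")
        stats[item[count_by]] = int(item["count"])
    return stats


def fetch_stats(url, count_by, auth_headers=None, **filters):
    """Send the request and return {group_value: count}."""
    req = build_stats_request(url, count_by, auth_headers, **filters)
    with urlopen(req) as resp:
        return parse_stats(resp.read().decode(), count_by)


# Constructed sample response with the shape shown on this page.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"engine": "manualScanning", "count": 10},
    {"engine": "tamperProtection", "count": 143},
    {"engine": "firewall", "count": 17},
    {"engine": "deepGuard", "count": 22}]})

if __name__ == "__main__":
    req = build_stats_request(QUERY_URL, "engine", engineGroup="epp",
                              persistenceTimestampStart="2024-01-01T00:00:00Z")
    print(req.get_header("Accept"), req.data.decode())
    print(parse_stats(SAMPLE_RESPONSE, "engine"))
```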
Other items of interest
Monthly Threat Highlights Report: December 2023
- Significant data breaches affecting US telecoms provider Xfinity, US mortgage lender MrCooper, and DonorView, a provider of a cloud-based charitable donation platform
- Active exploitation of the zero-click Outlook/Exchange exploit by Russian APT, identified as Unit 26165 of the Russian GRU.
- Analysis of exploit data focusing on changes over time in WithSecure and VirusTotal detection data, including fluctuations in the use of specific CVEs.
- Ongoing events surrounding Israel and Palestine with associated hacktivist proxies active in the cyber arena for both sides.
- Continuation of ransomware attacks, albeit in lower numbers than previous months, and signs of potential return of Qakbot after being taken down by Law Enforcement Agencies.
- Exploration of interesting vulnerabilities, both old and new, with a different approach to analyzing the data on these vulnerabilities.
Significant Data Breaches
- Xfinity: The US telecoms provider Xfinity experienced a significant data breach, with the Personally Identifiable Information (PII) of 35 million people stolen. The breach was attributed to a server vulnerable to CitrixBleed that was left unpatched for 2 weeks, allowing attackers to compromise it.
- MrCooper: The US mortgage lender MrCooper had the PII of 15 million individuals stolen. The data compromised included that of every current and former customer of the company or its sister brands, potentially even including individuals who have applied for a loan through MrCooper.
- DonorView: A cloud-based charitable donation platform, DonorView, experienced a breach resulting in the exposure of PII, including payment information, as well as details of children, their medical conditions, and attending doctors. The data was accessible from an unsecured Internet-connected database.
Active Exploitation of Zero-Click Outlook/Exchange Exploit by Russian APT
Microsoft identified CVE-2023-23397 as being actively exploited by the Russian state-sponsored actor known as APT28, Forest Blizzard, or Fancy Bear, identified by the US and UK as Unit 26165 of the Russian GRU. This activity was ongoing in December 2023, and Microsoft worked with Polish Cyber Command to identify and mitigate the techniques used by the attacker.
Analysis of Exploit Data
The report analyzes exploit data, focusing on changes over time in WithSecure and VirusTotal detection data. It highlights fluctuations in the use of specific CVEs, including significant increases in detections for vulnerabilities in Microsoft Office, Oracle Java JVM, and a specific set of drivers from MalwareFox AntiMalware. The report also notes a spike in exploit attempts for CVE-2023-23397, possibly related to the activity described by Microsoft or caused by other actors following Microsoft's reporting.
Ongoing Hacktivist Activity
The report mentions ongoing events surrounding Israel and Palestine, with associated hacktivist proxies active in the cyber arena for both sides.
Ransomware Trends and Notable Reports
The report highlights a sharp decrease in ransomware activity from November 2023, with several law enforcement actions possibly impacting the numbers. However, tracked ransomware activity in December 2023 was still significantly higher than December 2022, with a 41.51% increase in victims. The report also provides insights into specific ransomware brands and trends observed throughout 2023.
In case you missed it
New client releases and related changes
We will soon be releasing new versions of our clients for Windows, Mac, and mobile devices.
For ALL clients
Server address changes
One of the more significant changes is that we are taking into use backend services that are completely distinct from the services used by F-Secure products. This will allow us to control what happens in our backend systems to fully focus on the needs of our business customers and partners. The earlier systems had to also cope with consumer use-cases.
As some of our Elements partners and customers have strict rules on outgoing network connections (also known as "egress firewall rules"), we have published an up-to-date list of all the servers our clients connect to. You can find the list in this Community article.
New Download Locations
Customers using automated deployment systems to install the Elements clients, for example Remote Monitoring and Management (RMM) systems, should take care to update their processes to use the new installation package download locations. The only supported locations are those which are used in the Elements Security Center’s “Download” section, and any other location such as download.sp.f-secure.com are deprecated.
Browser Extensions
All clients will also use WithSecure browser extensions. These can be found at:
Chrome Webstore
Microsoft Edge Add-ons
Firefox Browser Add-ons
Please note that all Windows EPP versions will switch to using these new WithSecure extensions from early March.
For Windows Clients
All Windows clients now need Microsoft ACS support to function correctly. This was previously announced in February 2023. From client version 24.1, the client will not update to newer versions without the required ACS support and will remain at the 24.1 level. Once the devices are patched, they can be upgraded to newer versions.
For Mac Clients
We have just published a dedicated article on the changes coming with the next release for macOS. This includes MDM changes, as well as network addresses and browser extensions.
For Mobile Clients
Please see the section in Endpoint Protection "Pre-Notification: Upcoming changes to WithSecure Elements Mobile Protection".
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center