Editor’s Highlights
Our apologies for the late publication of What's New in Elements this month, we aim to be back on a more regular schedule next month.
Extended Detection and Response
Endpoint Protection
We have recently made some small but important changes to Endpoint Protection.
The "Install software updates" remote operation would fail when launched from the Devices view
This has now been fixed so that the operation no longer fails.
"Computers by operating system" widget
This widget in the "Devices" system view would occasionally display data for mobile devices in the My report page. This has now been resolved.
Rollback is now included in the default "Infections" security event view
Endpoint Detection and Response
“Not equals” filter added to the Event Search view
This new filter lets admins exclude specific events from the results, making it simpler to find exactly what they are looking for and giving a more streamlined and efficient search experience.
“Timeline” section added to the BCD details view
This feature lists detections in a table, providing an alternative view that helps investigators understand the sequence of events across multiple hosts.
Email and Collaboration Protection
Updated MFA detection methods for compromised accounts
Existing customers will need to re-authenticate Exchange for the MFA status to work (the old method of MFA detection was deprecated by Microsoft, so this update was needed). A banner will appear for customers who need to re-authenticate.
Exposure Management
The Status of a Recommendation can be set from Recommendation details page
The status is saved to the Recommendation for further tracking, e.g. the status appears on the Home → Exposure widget.
In addition to the Status, Notes can be added to each Recommendation, e.g. to explain why the user decided to set a specific status on it.
Vulnerability Management
EVM Portal
User creation has been disabled in Vulnerability Management
As part of the overall consolidation of user account management in WithSecure Elements, the ability to create users within Elements Vulnerability Management has been removed.
The Action button now redirects to Management → Organization Settings → Security Administrators view instead.
In addition, the related Vulnerability Management API endpoints have been marked with “End of Life” attribute.
EVM System Scan
The following products have new or updated detection capabilities within Authenticated Scanning for Windows:
- Apache MINA SSHD
- Apache CXF
- Spring Cloud Skipper
- Spring Security
In addition, we have improved detection of Microsoft Cumulative Updates. The scan now detects not only a missing newest security update package, but reports every cumulative update released since the host was last updated. This may cause a significant increase in critical-level vulnerabilities related to Windows Updates.
During scans, the MAC address of the target host is now ignored if it is one of the well-known "popular" MAC addresses, to avoid unwanted asset merges.
Cloud Security Posture Management
Elements Cloud Security Posture Management: Changelog
A new version of Elements Cloud Security Posture Management was released, bringing the following main changes:
- A fix for the cloud scanner sometimes not completing
- Better names for some cloud assets instead of just the IDs
- New rules for detecting potentially vulnerable MFA configurations using Security Defaults, Conditional Access Policies and individual user settings
Elements Foundations
Elements Security Center
ESC: "Partner" column added to Subscriptions view
A new column, 'Partner', has been added to the Management → Subscriptions view for SOP-level users. When a Solution Provider (SOP) user is logged in, the column indicates which Service Partner (SEP) organization a company subscription belongs to.
ESC: Adjustments to Exposure Management roles
With the introduction of the Exposure Management capability into Elements, the corresponding user roles are grouped into a single column and details section on the Security Administrators screen. This applies to the Exposure and Vulnerabilities (formerly Vulnerability Management) roles:
“Vulnerability Management - Admin” role has been renamed to “Exposure Management - Vulnerabilities - Management”.
“Vulnerability Management - Read-only team member” role has been renamed to “Exposure Management - Vulnerabilities - Read-only”.
ESC: Elements IAM role granted to self-registering companies
The Identity and Access Management (IAM) role is now visible in the Security Administrators view. This new role is authorized to grant and revoke all Elements permissions for security administrators within the IAM administrator’s organization and affiliated entities.
Currently, this role is granted to self-registering companies, and only other IAM administrators can assign this role to additional users.
We are about to begin the migration process, during which existing users who already have equivalent IAM permissions will be able to claim the IAM role. For more details, refer to the User Guide: Elements Identity and Access Management role | Welcome to WithSecure Elements | Latest | WithSecure User Guides.
Integrations
Elements API: Retrieve Latest Database Versions
We have introduced a new endpoint in the WithSecure Elements API that allows users to retrieve the latest versions of various databases. This endpoint provides up-to-date information on the current versions of databases used within the WithSecure Elements platform.
Endpoint: GET /databases/v1/latest-versions
Details:
- Purpose: Check the latest versions of databases
- Response: Returns a list of databases along with their latest version numbers.
- Usage: Ideal for ensuring that your systems are using the most current database versions for optimal security and performance.
For more information, please refer to the API documentation.
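As an added example (not code from WithSecure or the Elements API documentation), the client below calls the new endpoint and reports which locally deployed databases lag behind the latest versions. The base URL, the bearer-token authentication scheme and the JSON response shape are assumptions; the sample response is constructed so the comparison runs offline.

```python
"""Check locally deployed database versions against GET /databases/v1/latest-versions.

Assumed (not stated in the release note): base URL, Bearer-token auth, and a
response body shaped {"items": [{"name": ..., "version": ...}, ...]}.
Confirm all three against the Elements API documentation before use.
"""
import json
import os
import urllib.request

# Constructed sample response; the real schema may differ (assumption).
SAMPLE_RESPONSE = {
    "items": [
        {"name": "antivirus-db", "version": "2024-10-28_05"},
        {"name": "vuln-db", "version": "2024-10-27_01"},
        {"name": "reputation-db", "version": "2024-10-28_02"},
    ]
}


def fetch_latest_versions(base_url, token):
    """Call the endpoint over HTTPS with a Bearer token (auth scheme assumed)."""
    url = base_url.rstrip("/") + "/databases/v1/latest-versions"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def stale_databases(latest_payload, local_versions):
    """Return {name: (local_version, latest_version)} for every database whose
    local version differs from the latest, or which is missing locally (None)."""
    stale = {}
    for item in latest_payload.get("items", []):
        name, latest = item["name"], item["version"]
        local = local_versions.get(name)
        if local != latest:
            stale[name] = (local, latest)
    return stale


if __name__ == "__main__":
    # Constructed local inventory, e.g. read from your own asset database.
    local = {"antivirus-db": "2024-10-28_05", "vuln-db": "2024-10-20_03"}
    token = os.environ.get("ELEMENTS_API_TOKEN")  # placeholder variable name
    payload = (fetch_latest_versions("https://api.example.invalid", token)
               if token else SAMPLE_RESPONSE)
    for name, (have, want) in stale_databases(payload, local).items():
        print(f"{name}: local={have} latest={want}")
```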
Other items of interest
Threat Highlight Reports: October
Threat Advisory: BlackBasta Internal Helpdesk Social Engineering
WithSecure MDR would like to bring to your attention a new attack type. Ranked among the top 20 ransomware groups of 2024, BlackBasta has been observed using social engineering to trick end users. Threat actors (TA) posing as the internal helpdesk contact employees via Microsoft Teams, offering to assist with ongoing spam that BlackBasta itself is perpetrating. During the assistance call, the TA asks users to install Remote Monitoring and Management (RMM) tools, such as AnyDesk or TeamViewer, and then downloads and executes malicious tools on the target.
Threat Advisory: Lumma Stealer Malware
Lumma stealer is currently an active threat, with the malware operators employing multiple initial access techniques and the developers actively enhancing the malware's capabilities. In September, it was reported that Lumma's authors had implemented detailed measures to bypass Chrome's recently introduced anti-infostealer defenses.
Throughout September, Lumma was reported as being delivered using a paste-and-run technique. A phishing email directs victims to a CAPTCHA prompt that instructs the user to press Windows keyboard shortcuts that open a terminal, then paste and run a malicious command placed in the clipboard by the phishing site.
The command causes the victim machine to retrieve and execute a malicious Lumma stealer binary.
Lumma is not propagated exclusively through email. In September, Lumma was also observed being pushed through GitHub comments masquerading as bug fixes.
Threat Advisory: Windows downgrade attack, Kernel driver protection bypass
The technique abuses the Windows Update process to revert Windows components on an up-to-date machine to older versions without the operating system losing its fully patched status.
This allows attackers to downgrade security features in the Windows kernel, bypass Driver Signature Enforcement (DSE), and deploy rootkits on fully patched systems.
You can sign up to receive the monthly Threat Reports, with full details, at https://www.withsecure.com/en/expertise/research-and-innovation/research/monthly-threat-highlights-report
In case you missed it
Elements Portal: Federated Single Sign-On is now available
We have now introduced support for Federated Single Sign-On (FSSO) to WithSecure Elements.
This will allow users to authenticate and access several applications or services across different domains or organizations without the need to log in separately for each.
For more details of FSSO in WithSecure Elements, please see our dedicated article.
Share your ideas with us
Our purpose is to co-secure the world with you, now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from the WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center.