Skip to content

GREYCORTEX MENDEL 3.7 NOW AVAILABLE

GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7.0 brings important features and improvements. The main features in Mendel 3.7.0 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, or AWS, MS Azure and Google cloud deployability.

ENHANCED INTEGRATION WITH YOUR INFRASTRUCTURE

Better visibility on user identity

For use cases when Mendel has no direct access to AD/LDAP server or with limited permissions then user identity could be provided via integration with CISCO Identity Service Engine (ISE).

Active response to threats

For situations where it is necessary to respond to emerging threats, we will ensure appropriate steps through integration with CISCO network elements. If this is unavoidable, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With incorporation of SNMP agent and trap functionality you are able to oversee MENDEL appliances with your current infrastructure monitoring solution.

MORE EFFICIENT OPERATIONS 

New upgrade management to all your appliances

Upgrade the whole Mendel deployment through a single point  = collector’s UI. Choose either “One click” multi upgrade or upgrade each sensor individually. Upgrade is performed by two step method, to keep sensor running for maximum time and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying the „hot“ data and views of them. If your deployment does not have multi-tier storage with fast disks, we still bring you a faster response in the GUI by optimizing the database queries.

False Positives for limited time period

Hide events only for the time that is relevant and related to the maintenance of your infrastructure, tests, etc. Apply false positives with specific time frame and/or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).

OT/ICS/SCADA

Asset discovery 

Ability to discover devices in network using various OT protocols to get asset details such as firmware versions, and many others.

Policy monitoring

We introduce a new script approach in IDS rules which allows you to define custom policy rules to monitor allowed values and perform whitelists/blacklists operations inside OT protocols like IEC104, MMS and many others.

ALL FEATURES – IT

CISCO ISE user identity integration and response
CISCO Firepower incident response
SNMP appliance monitoring & SNMP trap
Upgrade management over appliances
AWS, MS Azure and Google cloud deployability
High-speed disk utilization within multi-tier storage
False positives for limited time period
Trigger based PCAP recording
Processing netflow data with NAT information
Switch flow errors  from flags to real calculation
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector
User Documentation available via GUI
Time validity of false positives
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector 

FEATURES – OT / ICS

Asset Discovery
Parsing MQTT, COAP and Profinet protocols
Detection of LoRaWAN protocol

ENHANCEMENTS

Process VMware ESXi NSX-T IPFIX format
Add support for storing Suricata Variables in DB
Enhance update server update data sources
Semi-automated restoration of SMB backup
IDS signatures using the detected application
Display the logged-in user name on all pages
False positive change Priority field Default text
False positive not applicable into past by default
Import new JA3 hash codes from ja3er.com
Add description field into data exports
Hide user from managerial/security reports and email
Added assignee, reporter and date of last updated to Incident exports (PDF)
Reworked Firewall settings with new location in UI
Better explanation over data transfer between hosts in peers graph
Evaluate and add IPv6 multicast address into monitored subnets
System logs in mshell
CAT tool for ME localization 

OFFICIAL MENDEL PRODUCT SUPPORT

With release of version 3.7.0 full-service support will be provided for the versions 3.7.x and 3.6.x. Limited service support is provided for previous version 3.5.x. Versions 3.4.x and older are no longer supported, end-users with valid support and maintenance or active SW subscription can upgrade to the supported version(s).

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

The vulnerability of the Sudo APP in Linux

In the late 1960s, AT&T Bell Labs launched Unix, its operating system. The new system, which uses a command-line interface, or CLI, soon became popular in companies around the world for having open source, in addition to allowing easy modification and good portability. Almost three decades later, in 1991, Linus Torvalds, a software engineer at the University of Helsinki, created his own operating system, which he called Linux. The origin of the name of this new system would be exactly the name of its developer associated with the word Unix, on which the Linux kernel is based.

Today, both operating systems are present all over the world, in addition to several types of devices: from embedded systems of automobiles and mobile phones to network devices and web servers. Additionally, Linux-based operating systems have been sought by IT application developers. Many technologies associated with the DevOps universe, such as containers and cloud environments, are built around Linux.

However, along with the growth in its use, the threats associated with Unix and Linux-based operating systems are also greater. According to IBM in its X-Force Threat Intelligence Index report, in 2020 alone, hackers have created 56 categories of viruses for Linux, a 40% increase from 2019. Malicious attackers also take advantage of the growing use of Linux/Unix to discover and exploit vulnerabilities in these systems.

One of the most powerful and fundamental tools for Linux and Unix users is Sudo, or SuperUser DO, and is found in all distributions of these operating systems. And when a vulnerability is found in Sudo, the problem is certainly very critical. That’s because Sudo is a command used to access privileged files and operations on Unix-based operating systems. By default, these operating systems restrict access to certain parts of the system, allowing sensitive files to be compromised by users. Thus, the Sudo command temporarily elevates the user’s privileges, allowing the execution of administrative tasks without the user having to authenticate as an administrator or root. 

In early 2021, Qualys discovered and disclosed another critical vulnerability associated with Linux Sudo. The CVE-2021-3156 heap overflow vulnerability, also known as Baron Samedit, was addressed in the update to Sudo version 1.9.5p2, released in late January. 

CVE-2021-3156, which would have been present in the operating system for at least 10 years, allows a malicious attacker with a common, low-privileged user to gain privileged access, even if their account is not listed in /etc/Sudoers – a configuration file that controls which users have access to the Sudo command. 

To give you an idea, in the last two years, two other vulnerabilities in the Sudo command have been found, but none as serious and dangerous as the discovery by the Qualys’ security team, considering the scope and impact of the newly discovered vulnerability. This is mainly because this vulnerability is found in several Linux-based operating systems and distributions, such as Ubuntu 20.04, Debian 10, and Fedora 33. 

One way to mitigate the risks associated with this vulnerability is to update Sudo on your Linux servers to version 1.9.5p2. Besides, if the Sudo and Sudoedit binaries are not in use, we suggest that they be excluded from the servers. Finally, it is recommended to use senhasegura.go for Linux to control the elevation of privileges on devices.

By using senhasegura.go on devices, one can temporarily elevate user privileges for executing commands and applications, allowing control of the administrative privileges of the credentials managed by the solution. Through a local agent installed on workstations, senhasegura.go allows you to start applications and execute commands by injecting credentials automatically. Other features offered by senhasegura.go include:

  • It is possible to use lists of authorized, blocked, and notified actions for execution;
  • In addition to working on Sudo, senhasegura.go also offers an additional layer of 

security over tools such as ACS, PAM, and SELinux, without the need to update the kernel, acting as LSM (Linux Security Machines);

  • Logging of all actions performed through privileged credentials, bringing maximum visibility to actions performed by users, reducing the effort of auditing privileged activities;
  • Complete integration with the senhasegura PAM platform.

To learn more about how the senhasegura.go solution for Linux can help your organization mitigate the risks associated with elevating privileges on servers, request a demo today.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

IPEVO Whiteboard: 為分享想法和遠距學習提供數位畫布的新方法

隨著日常生活中對科技依賴的程度不斷提高,許多讓生活更輕鬆的工具被開發出來。例如在平板上能夠展示畫面和註記的功能, IPEVO 愛比科技讓溝通變得更容易了。

作為一間致力開發生產視覺溝通工具的公司,愛比科技持續朝著這個目標開發產品。IPEVO WHITEBOARD是一款針對平板電腦的應用程式,為分享想法和遠距學習提供數位畫布。

如何充分運用 IPEVO Whiteboard 應用程式?

如果在教室或簡報中使用 iPad 或平板電腦,IPEVO 的解決方案可以增進學習效率── IPEVO WHITEBOARD 是一款能擴展「無線」自由的軟體。

透過 WiFi 連接無線實物攝影機,在 iPad 或 Android 平板上使用 IPEVO WHITEBOARD 白板軟體,展示、標記、畫線、塗鴉和幾何圖形都難不倒它。也可以拍照或錄影,影音注釋也沒有問題。此外,透過現有的投影機、Apple TV 或 Chromecast 等裝置,將iPad或Android平板的即時影像投影至大型的投影布或投影牆上,變成大型的互動白板,省去擾人的線材接法、長度限制等問題。

使用IPEVO WHITEBOARD 專業版為 iPad 做更多工作

IPEVO WHITEBOARD 徹底改變展示簡報的方式,隨著 iOS 的更新,IPEVO WHITEBOARD 功能變得更強大。使用 Apple Pencil 可以在 iPad 螢幕上繪製形狀並註記,IPEVO WHITEBOARD 專業版並提供客製化 Apple Pencil 的顏色以及筆觸類型。橡皮擦工具可以修正檔案,輕點手指即可繼續。

IPEVO WHITEBOARD 專業版另一個功能是檔案管理:建立新的白板頁面、匯入影像和建立文字檔。新的升級功能讓管理文件更方便。使用 IPEVO WHITEBOARD 專業版最安全的地方在於,使用軟體前不需要提供個人資訊。所以不需要任何註冊即可開始使用。拍攝的所有圖片和影片也儲存在使用的 iPad 內,如果不再需要使用該應用程式,可以輕易地解除安裝。

使用 IPEVO WHITEBOARD PRO (適用於iPad) 提高註記技巧

  •  20 個背景範本

IPEVO WHITEBOARD 應用程式的專業版本提供多達 20 個背景範本,每個專案可以選擇不同背景,再也不用被迫使用預設背景。

  •  消失墨水

使用消失墨水功能做臨時註記時,不會影響簡報流程,因為墨水幾秒鐘後便消失。

  •  瀏覽視窗

在IPEVO WHITEBOARD 專業版應用程式中,使用瀏覽器視窗工具,無需關閉簡報文稿即可存取網路,世界盡在手中。

  •  新增地圖

IPEVO WHITEBOARD 專業版上的地圖工具可在簡報文稿中展示位置資訊。

  •  子母畫面

需要快速觀看影片、同時追蹤簡報文稿?請參考子母畫面工具。

  •  雷射筆

雷射筆工具透過彩色光點在簡報時凸顯想強調的部分,在簡報過程中更容易精確定位特定的文字和圖像。

  •  匯出和共享白板專案

透過 IPEVO WHITEBOARD 專業版本,可以匯出專案,並輕鬆與他人共享,讓他們對你的白板專案嘆為觀止。

IPEVO WHITEBOARD 應用程式適用於 iOS 和 Android,與無線實物攝影機或 IPEVO iDocCam 應用程式配合使用,能達到最完美效果。

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

關於IPEVO
IPEVO源自於PChome Online硬體事業部門,2007年7月正式獨立。自2004年於台灣營運Skype網絡電信服務,使台灣成為Skype全球發展中最成功的市場。2005年起以IPEVO品牌推出一系列Skype專屬硬件產品,將Skype虛擬服務轉化為使用者實質經驗。IPEVO以簡單、實際且具有價值的經驗為產品目標,其簡潔俐落的產品風格呼應著IPEVO的核心思考與產品精神。目前已研發之產品包括:Skype有線USB話機、Skype無線話機、Skype會議系統、Skype視訊設備、Stand-alone免電腦Skype話機。

Number of APT groups exploiting the latest Exchange vulnerabilities grows, with thousands of email servers under siege, ESET discovers

BRATISLAVA, MONTREAL – ESET Research has discovered that more than ten different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers. ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident. The servers belong to organizations – businesses and governments alike – from around the world, including high-profile ones. Thus, the threat is not limited to the widely reported Hafnium group.

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities. The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.

“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign. However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” says Matthieu Faou, who is leading ESET’s research effort into the recent Exchange vulnerability chain. ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released. “This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,” adds Faou.

ESET telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries.

ESET hourly detections for webshells dropped via CVE-2021-26855 – one of the recent Exchange vulnerabilities

Proportion of webshell detections by country (2021-02-28 to 2021-03-09)

ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organization.

The identified threat groups and behavior clusters are:

  • Tick – compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.
  • LuckyMouse – compromised the email server of a governmental entity in the Middle East. This APT group likely had an exploit at least one day before the patches were released, when it was still a zero day.
  • Calypso – compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe.
  • Websiic – targeted seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe. ESET named this new cluster of activity as Websiic.
  • Winnti Group – compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.
  • Tonto Team – compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
  • ShadowPad activity – compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.
  • The “Opera” Cobalt Strike – targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.
  • IIS backdoors – ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.
  • Mikroceen – compromised the exchange server of a utility company in Central Asia, which is the region this group typically targets.
  • DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.

“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” advises Faou.

For more technical details about these attacks exploiting the recent Exchange vulnerabilities, read the blogpost “Exchange servers under siege from at least 10 APT groups” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×