The strange case of Great honeypot of China
Published: 2023-04-17
Last Updated: 2023-04-17 08:44:28 UTC
by Jan Kopriva (Version: 1)
Looking at changes that the internet as a whole goes through over time can be quite edifying. Since old servers are being decommissioned and new ones are being added all the time, the internet “landscape” can change significantly even over the course of a year or several months.
Because very few of us have ever had access to our own Carna botnet or another solution that would enable us to periodically scan the entire public IP space, we have to depend on information provided by specialized services (e.g., Censys or Shodan), which conduct such scans on our behalf, to learn of these changes.
Since we are dependent on these third-party services, which are, from our viewpoint, basically “black boxes”, any large spike seen in data gathered from them may be the result of a real, rapid change in the public IP space, or the result of a misconfiguration or error in some internal mechanism used by these services. And, unfortunately, it is not always easy to say which is which, as a recent spike in the number of honeypots that Shodan detected illustrates.
As I mentioned in some of my previous Diaries, I use my TriOp tool to periodically gather significant amounts of data from Shodan about the global internet landscape, as well as about the situation in different countries. Among other information, I use the tool to gather the number of devices that Shodan classifies as “medical” systems, which are accessible from the internet, and a few weeks ago, a script that I use to identify significant changes in the data started to generate daily notices about a sharp relative increase in such systems in China (and, several days later, about a corresponding relative increase on a global level).
Read the full entry:
https://isc.sans.edu/diary/The+strange+case+of+Great+honeypot+of+China/29750/
HTTP: What's Left of it and the OCSP Problem
Published: 2023-04-13
Last Updated: 2023-04-13 14:43:37 UTC
by Johannes Ullrich (Version: 1)
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
Looking at the top TCP ports in my network:
325900 443
38191 22
31006 23
25884 80
22025 53
HTTPS is by far the top port (and most of the 22/23 connections are likely for my honeypot, and so are many of the port 80 connections.)
So let's dive into a bit more detail on my zeek HTTP logs. I use the JSON format for zeek logs and will use the "jq" tool to parse them instead of the usual "zeek-cut" tool.
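The diary does this breakdown with jq over Zeek's JSON logs. As an added example (not code from the diary or from the Zeek project), the Python below does the same two steps offline: it rebuilds the count-per-port list from constructed conn.log lines, then separates OCSP traffic from "real" HTTP in constructed http.log lines. OCSP is detected by the `application/ocsp-request` / `application/ocsp-response` MIME types Zeek records, with a fallback for the RFC 6960 GET form, where the base64 DER request is the URL path. All log lines, hosts and addresses are made up for the example; the field names follow Zeek's JSON output.

```python
import json
import re
from collections import Counter

# Constructed zeek conn.log lines (JSON format). Values are invented for this
# example and are not the diary's data.
CONN_LOG = """\
{"ts":1681390000.0,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}
{"ts":1681390001.0,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}
{"ts":1681390002.0,"uid":"C3","id.orig_h":"198.51.100.7","id.orig_p":40000,"id.resp_h":"10.0.0.9","id.resp_p":22,"proto":"tcp"}
{"ts":1681390003.0,"uid":"C4","id.orig_h":"198.51.100.8","id.orig_p":40001,"id.resp_h":"10.0.0.9","id.resp_p":23,"proto":"tcp"}
{"ts":1681390004.0,"uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"203.0.113.20","id.resp_p":80,"proto":"tcp"}
{"ts":1681390005.0,"uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"203.0.113.21","id.resp_p":80,"proto":"tcp"}
{"ts":1681390006.0,"uid":"C7","id.orig_h":"10.0.0.5","id.orig_p":51004,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp"}
"""

# Constructed zeek http.log lines (JSON format), likewise invented.
HTTP_LOG = """\
{"ts":1681390004.1,"uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"203.0.113.20","id.resp_p":80,"method":"GET","host":"ocsp.example.net","uri":"/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTwQ3ZlzpZ2cZP8%2BA1g2p3nSy8aAQ%3D%3D","status_code":200,"resp_mime_types":["application/ocsp-response"]}
{"ts":1681390004.2,"uid":"C8","id.orig_h":"10.0.0.6","id.orig_p":51010,"id.resp_h":"203.0.113.20","id.resp_p":80,"method":"POST","host":"ocsp.example.net","uri":"/","status_code":200,"orig_mime_types":["application/ocsp-request"],"resp_mime_types":["application/ocsp-response"]}
{"ts":1681390005.1,"uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"203.0.113.21","id.resp_p":80,"method":"GET","host":"www.example.org","uri":"/index.html","status_code":200,"resp_mime_types":["text/html"]}
{"ts":1681390005.2,"uid":"C9","id.orig_h":"10.0.0.5","id.orig_p":51005,"id.resp_h":"203.0.113.22","id.resp_p":80,"method":"GET","host":"www.example.org","uri":"/","status_code":301,"resp_mime_types":["text/html"]}
"""

OCSP_MIME = {"application/ocsp-request", "application/ocsp-response"}
# RFC 6960 GET form: the DER-encoded OCSPRequest, base64 and URL-encoded,
# carried as the whole path. No dots or query string, just the blob.
_B64_PATH = re.compile(r"^/[A-Za-z0-9+/%=]{40,}$")


def parse_zeek_json(text):
    """Zeek's JSON writer emits one object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_tcp_ports(conn_records, n=5):
    """Same shape as the diary's `count port` breakdown, TCP only."""
    counts = Counter(r["id.resp_p"] for r in conn_records if r.get("proto") == "tcp")
    return counts.most_common(n)


def is_ocsp(rec):
    """OCSP if Zeek tagged either direction with an OCSP MIME type, or, as a
    fallback when no MIME sniffing happened, a GET whose path is a base64 blob."""
    mimes = set(rec.get("orig_mime_types", [])) | set(rec.get("resp_mime_types", []))
    if mimes & OCSP_MIME:
        return True
    return rec.get("method") == "GET" and bool(_B64_PATH.match(rec.get("uri", "")))


def summarize_http(http_records):
    """Split plain-HTTP requests into OCSP and everything else, with host counts."""
    ocsp = [r for r in http_records if is_ocsp(r)]
    other = [r for r in http_records if not is_ocsp(r)]
    return {
        "total": len(http_records),
        "ocsp": len(ocsp),
        "ocsp_hosts": Counter(r.get("host") for r in ocsp).most_common(),
        "other_hosts": Counter(r.get("host") for r in other).most_common(),
    }


if __name__ == "__main__":
    for port, count in top_tcp_ports(parse_zeek_json(CONN_LOG)):
        print(f"{count:>8} {port}")
    print(summarize_http(parse_zeek_json(HTTP_LOG)))
```

On a real sensor, replace the two string constants with `open("conn.log")` / `open("http.log")` from Zeek's JSON output directory. The MIME-type check is the reliable one; the base64-path fallback is a heuristic and will also match any site that happens to serve long opaque paths, so treat hits without an OCSP MIME tag as candidates to eyeball rather than as ground truth.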
Read the full entry:
https://isc.sans.edu/diary/HTTP+Whats+Left+of+it+and+the+OCSP+Problem/29744/
UDDIs are back? Attackers rediscovering old exploits. (2023.04.18)
https://isc.sans.edu/diary/UDDIs+are+back+Attackers+rediscovering+old+exploits/29754/
Microsoft April 2023 Patch Tuesday (2023.04.11)
https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736/
Apple Patching Two 0-Day Vulnerabilities in iOS and macOS (2023.04.07)
https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-29492 - Novi Survey before version 8.9.43676 allows remote code execution on the server in the context of the service account, without giving access to stored survey or response data.
Product: Novi Survey
CVSS Score: 9.8
** KEV since 2023-04-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29492
NVD References:
- https://novisurvey.net/blog/novi-survey-security-advisory-apr-2023.aspx

CVE-2023-28252 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2023-04-11 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28252
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252

CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution Vulnerability
Product: Microsoft Message Queuing
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21554
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554

CVE-2023-28250 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Product: Microsoft Windows 10 1507
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28250
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28250

CVE-2023-22897 - SecurePoint UTM before 12.2.5.1 allows authenticated users to retrieve uninitialized data via the firewall's endpoint /spcgi.cgi, leading to information disclosure of memory contents.
Product: SecurePoint UTM
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22897
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8454
NVD References:
- http://packetstormsecurity.com/files/171928/SecurePoint-UTM-12.x-Memory-Leak.html
- http://seclists.org/fulldisclosure/2023/Apr/8
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22897.txt
- https://rcesecurity.com

CVE-2023-2033 - Chromium: CVE-2023-2033 Type Confusion in V8
Product: Google Chrome
CVSS Score: 0
** KEV since 2023-04-17 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2033
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2033
NVD References:
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
- https://crbug.com/1432210
- https://www.debian.org/security/2023/dsa-5390

CVE-2023-27497 - SAP Diagnostics Agent version 720 is vulnerable to code injection, allowing attackers to execute malicious scripts and compromise system confidentiality, integrity, and availability.
Product: SAP Diagnostics Agent
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27497
NVD References:
- https://launchpad.support.sap.com/#/notes/3305369
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-28765 - SAP BusinessObjects Business Intelligence Platform (Promotion Management) versions 420, 430 allows attackers to compromise the application by accessing BI user passwords through a decrypted lcmbiar file.
Product: SAP BusinessObjects Business Intelligence
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28765
NVD References:
- https://launchpad.support.sap.com/#/notes/3298961
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-26121 - Safe-eval package is vulnerable to Prototype Pollution via its safeEval function.
Product: Safe-Eval Project
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26121
NVD References:
- https://gist.github.com/seongil-wi/9d9fc0cc5b7b130419cd45827e59c4f9
- https://github.com/hacksparrow/safe-eval/issues/28
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373062

CVE-2023-26122 - Safe-eval is vulnerable to Sandbox Bypass and RCE through prototype pollution exploitation in functions like defineGetter and valueOf.
Product: Safe-Eval Project
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26122
NVD References:
- https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce
- https://github.com/hacksparrow/safe-eval/issues/27
- https://github.com/hacksparrow/safe-eval/issues/31
- https://github.com/hacksparrow/safe-eval/issues/32
- https://github.com/hacksparrow/safe-eval/issues/33
- https://github.com/hacksparrow/safe-eval/issues/34
- https://github.com/hacksparrow/safe-eval/issues/35
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064

CVE-2023-25950 - HAProxy versions 2.7.0 and 2.6.1 to 2.6.7 are vulnerable to HTTP request/response smuggling, allowing remote attackers to alter user requests and potentially cause a DoS condition or obtain sensitive information.
Product: HAProxy
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25950
NVD References:
- https://git.haproxy.org/?p=haproxy-2.7.git;…