
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Internet Wide Multi VPN Search From Single /24 Network
Published: 2023-09-18
Last Updated: 2023-09-18 12:54:47 UTC
by Johannes Ullrich (Version: 1)
Brute-forcing passwords for VPN access has become a standard technique for various actors to access corporate networks to exfiltrate data later or deploy ransomware. After identifying the VPN, an attacker may use simple brute forcing, credential stuffing, or social engineering in some very public cases to obtain access.
Today, I noticed in one of my honeypots new "most commonly hit" URLs...
Read the full entry:
https://isc.sans.edu/diary/Internet+Wide+Multi+VPN+Search+From+Single+24+Network/30226/
Microsoft September 2023 Patch Tuesday
Published: 2023-09-12
Last Updated: 2023-09-12 20:37:17 UTC
by Renato Marinho (Version: 1)
This month we got patches for 66 vulnerabilities. Of these, 5 are critical, and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802). According to the advisory, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The CVSS for this vulnerability is 6.8.
The second one is a Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761). According to the advisory, the Preview Pane is an attack vector and exploiting this vulnerability could allow the disclosure of NTLM hashes.
Regarding critical vulnerabilities, one of them is a Remote Code Execution (RCE) vulnerability on Internet Connection Sharing (ICS) (CVE-2023-38148). According to the advisory, an unauthorized attacker could exploit this Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service. This vulnerability requires no user interaction and no privileges. The CVSS is 8.8 - the highest for this month.
The second highest CVSS this month is associated with an RCE affecting Visual Studio (CVE-2023-36793). To exploit this vulnerability an attacker would have to convince a user to open a maliciously crafted package file in Visual Studio. The CVSS is 7.8.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+September+2023+Patch+Tuesday/30214/
Apple fixes 0-Day Vulnerability in Older Operating Systems
Published: 2023-09-11
Last Updated: 2023-09-11 18:32:28 UTC
by Johannes Ullrich (Version: 1)
This update fixes the ImageIO vulnerability Apple patched for current operating systems last week. Now, Apple follows up with a patch for its older, but still supported, operating system versions.
According to Citizen Lab, this vulnerability is already being exploited. Exploitation took advantage of the ImageIO vulnerability and a vulnerability in the Apple Wallet "PassKit" API to send a "Pass" to the victim, including the malicious image. These older operating systems support PassKit, but it still needs to be clarified whether they are vulnerable to the PassKit issue.
More details:
Apple: https://support.apple.com/en-us/HT201222
Citizen Lab: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Read the full entry:
https://isc.sans.edu/diary/Apple+fixes+0Day+Vulnerability+in+Older+Operating+Systems/30210/
What's Normal? DNS TTL Values (2023.09.20)
https://isc.sans.edu/diary/Whats+Normal+DNS+TTL+Values/30234/
Obfuscated Scans for Older Adobe Experience Manager Vulnerabilities (2023.09.19)
DShield and qemu Sitting in a Tree: L-O-G-G-I-N-G (2023.09.14)
https://isc.sans.edu/diary/DShield+and+qemu+Sitting+in+a+Tree+LOGGING/30216/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
*********** Sponsored By Vectra Networks Inc. ***********
Free Virtual Event on Wed, October 4 | Join Matt Bromiley and invited security researchers, data scientists, and security analysts as they showcase industry-leading research, emerging attacker tradecraft and the effective AI-driven methodology needed to keep pace with hybrid attackers. You’ll gain practical insights and have the path toward unmatched resilience, SOC modernization, and agile response to advanced attacks. | Don't miss it, register now:
In our latest SANS Detection Engineering Survey, we're asking the cyber community to share their insights on the state of practice in “detection engineering.” Share your thoughts with us to be entered into our drawing for a chance to win a $250 Amazon gift card!
What does the 2023 MITRE test mean for you and your team? Join us on Thu, September 28 as we discuss how the needs of each security role are different, and what each team member can take away from this year's test. Register for this panel discussion today:
Upcoming Webcast on Thu, October 5 at 1:00pm ET | No More Acronyms – Let’s Solve Problems: Putting CAASM and SSPM Aside to Talk Real Use Cases | Learn more and register now: