SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Exploit Activity for CVE-2023-22518, Atlassian Confluence Data Center and Server
Published: 2023-11-06
Last Updated: 2023-11-06 13:40:13 UTC
by Johannes Ullrich (Version: 1)
Last week, Atlassian published an advisory for CVE-2023-22518. The vulnerability is a trivial-to-exploit authentication bypass vulnerability. Atlassian emphasized the importance of the advisory with a quote from its CISO: "There are no reports of active exploitation at this time; customers must take immediate action to protect their instances." On Friday, Atlassian confirmed that attackers are actively exploiting the vulnerability.
The vulnerability is rated with a CVSS score of 9.1. Three different URLs are affected according to the advisory ...
I went back through our data to see how much exploitation we see for these URLs. We started seeing the first attempts on November 2nd (Thursday), just as Atlassian reported seeing these exploits being used against customers.
Read the full entry:
Example of Phishing Campaign Project File
Published: 2023-11-08
Last Updated: 2023-11-08 06:37:08 UTC
by Xavier Mertens (Version: 1)
We all have a love-hate relationship with email. When newcomers to the Internet start to get emails, they are so happy, but their feelings change quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purposes.
Yesterday, I found on VT an interesting file. It triggered one of my hunting rules because the file contained a reference to one of my customers' domains. I had a look at the file named “EwoExcel (1)<dot>mmp” (SHA256:0e016a41b6df3dc7daf076805e3cbb21df1ff33712b615d38ecf066cd25b6e06).
I was not aware of the file extension “.mmp” (it’s not the “.mpp” used by Microsoft Project). But it seems to be a project file.
Read the full entry:
https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384/
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR) (2023.11.07)
https://isc.sans.edu/diary/Whats+Normal+New+uses+of+DNS+Discovery+of+Designated+Resolvers+DDR/30380/
Quick Tip For Artificially Inflated PE Files (2023.11.02)
https://isc.sans.edu/diary/Quick+Tip+For+Artificially+Inflated+PE+Files/30370/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
Product: Chef Automate InSpec
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40050
NVD References:
- https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050
- https://docs.chef.io/automate/profiles/
- https://docs.chef.io/release_notes_automate/

CVE-2023-46248 - The Cody AI VSCode extension versions 0.10.0 through 0.14.0 allows arbitrary code execution if a user opens a malicious repository with the extension loaded.
Product: Cody AI VSCode extension
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46248
NVD References:
- https://github.com/sourcegraph/cody/pull/1414
- https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwq

CVE-2023-46249 - authentik, an open-source Identity Provider, allows an attacker to set the password of the default admin user without authentication in versions prior to 2023.8.4 and 2023.10.2.
Product: authentik Identity Provider
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46249
NVD References:
- https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0
- https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2
- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4
- https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62w

CVE-2023-1715 - Bitrix24 22.0.300 allows XSS bypass through a logic error in mb_strpos() due to HTML tags placed at the beginning of the payload.
Product: Bitrix24 22.0.300
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1715
NVD References: https://starlabs.sg/advisories/23/23-1715/

CVE-2023-1716 - Bitrix24 22.0.300 allows arbitrary execution of JavaScript code in a victim's browser via an XSS vulnerability in the Invoice Edit Page, potentially leading to execution of PHP code on the server if the victim has admin privilege.
Product: Bitrix24 22.0.300
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1716
NVD References: https://starlabs.sg/advisories/23/23-1716/

CVE-2023-1717 - Bitrix24 22.0.300 is vulnerable to prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js, allowing remote attackers to execute arbitrary JavaScript code in the victim’s browser and potentially execute arbitrary PHP code on the server if the victim has administrator privilege.
Product: Bitrix24 22.0.300
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1717
NVD References: https://starlabs.sg/advisories/23/23-1717/

CVE-2023-1720 - Bitrix24 22.0.300 lacks a MIME type response header, allowing attackers to execute arbitrary JavaScript code in the victim's browser and potentially execute arbitrary PHP code on the server, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile if the victim has administrator privilege.
Product: Bitrix24 22.0.300
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1720
NVD References: https://starlabs.sg/advisories/23/23-1720/

CVE-2023-20048 - The vulnerable product, Cisco Firepower Management Center (FMC) Software, allows an attacker to execute unauthorized configuration commands on a managed Firepower Threat Defense (FTD) device.
Product: Cisco Firepower Management Center (FMC) Software
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20048
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN

CVE-2023-45111 - Online Examination System v1.0 is vulnerable to Unauthenticated SQL Injection due to improper validation of the 'email' parameter in feed.php, allowing unfiltered characters to be sent to the database.
Product: Online Examination System v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45111
NVD References:
- https://fluidattacks.com/advisories/pires
- https://projectworlds.in/

CVE-2023-45112 - The Online Examination System v1.0 is susceptible to multiple Unauthenticated SQL Injection vulnerabilities due to inadequate validation of characters in the 'feedback' parameter.
Product: Online Examination System v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45112
NVD References:
- https://fluidattacks.com/advisories/pires
- https://projectworlds.in/

CVE-2023-45113 & CVE-2023-45114 - Online Examination System v1.0 multiple unauthenticated SQL Injection vulnerabilities
Product: Online Examination System v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45113
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45114
NVD References: https://fluidattacks.com/advisories/pires
NVD References: https://projectworlds.in/

CVE-2023-45012 through CVE-2023-45019 - Online Bus Booking System v1.0 multiple unauthenticated SQL injection vulnerabilities
Product: Online Bus Booking System v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45012
NVD: https://nvd.nist.gov/vuln/detail/…
*********** Sponsored By SANS ***********
Zero Trust Solutions Forum 2023 | Join Matt Bromiley and invited speakers tomorrow, November 10, for our final solutions-focused virtual event of the year! Our presenters will cover the key challenges and opportunities in implementing a Zero Trust approach, and share their insights on best practices for securing your digital assets in today's rapidly evolving threat landscape. | Register now to save your seat:
Safeguard Your Business-Critical Web Apps and APIs with a WAF | Join Dave Shackleford and Srija Allam from Fortinet on November 14 to discuss Fortinet's latest solution designed to protect applications from web application attacks, API attacks, malicious bots, and much more. | Register now:
Software Supply Chain Security: Hunting Hidden Threats Before They Strike | Tune in on November 15 as Dave Shackleford and Jasmine Noel from ReversingLabs dive into the different types of software supply chain attacks, and how to improve existing detective capabilities. | Register now:
How the Cloud Changes SecOps and Incident Response: Lessons from a Real-World Living-Off-The-Cloud Attack | Join us on Wed, November 15 at 3:30pm ET as our guest speakers provide practical and actionable lessons to strengthen cloud detection and response capabilities. | Register now: