SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 24ISSUE 01
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Interesting large and small malspam attachments from 2023
Published: 2024-01-03
Last Updated: 2024-01-03 13:17:51 UTC
by Jan Kopriva (Version: 1)
At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries. Over the years, I found that, at a minimum, it is usually instructive to look at what the largest and the smallest pieces of malware that one managed to catch were. This held true even for 2023, as both the smallest and the largest sample I had turned out to be interesting in their own right. But let’s start at the beginning…
Over the last 12 months, 1152 potentially malicious attachments of various types were caught by my malspam trap. When I decompressed and/or unpacked all the images and archives, removed all duplicates and eliminated all the non-malicious files, I was left with 525 unique malicious samples – 285 of these were PE files with various extensions, and the rest were a wide assortment of scripts, Office files, PDFs, help files, shortcut links, etc.
The smallest malicious file among all of these was a VBE (an encoded VBScript file), which was quite surprising, since these are not too common in the wild – in fact, among all the “2023 malspam files”, there were only 2 VBEs (compared to 43 “traditional” VBS files).
Read the full entry:
https://isc.sans.edu/diary/Interesting+large+and+small+malspam+attachments+from+2023/30524/
Shall We Play a Game?
Published: 2023-12-22
Last Updated: 2023-12-22 06:05:22 UTC
by Xavier Mertens (Version: 1)
Our youngest readers won’t probably not get the point with this quote, it’s from the 1983 movie “WarGames”. I used this subject because I found yesterday a small game in Python that offers not only some fun but also malicious code that will exfiltrate your browser data!
The file is called “Dimension_Lands_10 (1)<dot>py” (SHA256: 8b9f750310115110cad2716ab7496344d543dd437e4452c5eafbe11aee28f492).
In a previous diary, I mentioned a malicious Python script based on a Tk interface. It seems to become popular because this new one does the same with a nice window. Compared to the other one, it has a great advantage: it’s a game and will attract more potential victims. People like small games to spend time during meetings.
And the game is properly working!
Read the full entry:
https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510/
Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
Published: 2023-12-27
Last Updated: 2023-12-28 01:03:42 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Elias Bou Zeid, an ISC intern as part of the SANS.edu BACS program]
Introduction
In this digital age, as our dependence on technology grows, understanding which devices are connected to our networks and keeping track of their security updates is critically important. In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware. This finding serves as a stark reminder of the vast amounts of vulnerabilities available in the wild.
Description of Mirai
Mirai, a notorious malware strain, has caused a disruption since its inception. Designed to exploit the security weaknesses in IoT (Internet of Things) devices, it converts these devices into a network of bots, or a 'botnet,' used to launch large-scale network attacks. The fact that malicious actors are still leveraging Mirai is a showcase of Mirai's capabilities and its evolving threat landscape.
Mirai Overview
The method in which Mirai infiltrated numerous IoT devices was through common vulnerabilities, such as weak and default username and password combinations. Once Mirai gains access to a system, it carries out its primary function – to enslave devices and coordinate them for massive Distributed Denial of Service (DDoS) attacks. Mirai’s evasion & persistence mechanisms include but are not limited to the following ...
Read the full entry:
Internet Storm Center Entries
Fingerprinting SSH Identification Strings (2024.01.02)
https://isc.sans.edu/diary/Fingerprinting+SSH+Identification+Strings/30520/
Pi-Hole Pi4 Docker Deployment (2023.12.31)
https://isc.sans.edu/diary/PiHole+Pi4+Docker+Deployment/30516/
Python Keylogger Using Mailtrap.io (2023.12.23)
https://isc.sans.edu/diary/Python+Keylogger+Using+Mailtrapio/30512/
How to Protect your Webserver from Directory Enumeration Attack ? Apache2 [Guest Diary] (2023.12.20)
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-7111 - Code-projects Library Management System 2.0 is vulnerable to SQL injection via the argument category in file index.php, allowing remote attackers to exploit it with a critical impact (
CVE-2023-51090 through CVE-2023-51093, CVE-2023-51095 - Tenda M3 V1.0.0.12(4856) was discovered to contain multiple stack overflow vulnerabilities.
CVE-2023-51094 - Tenda M3 V1.0.0.12(4856) was discovered to contain a Command Execution vulnerability via the function TendaTelnet.
CVE-2023-51097, CVE-2023-51101, CVE-2023-51102 - Tenda W9 V1.0.0.7(4456)_CN was discovered to contain multiple stack overflow vulnerabilities.
CVE-2023-51098, CVE-2023-51099, CVE-2023-51100 - Tenda W9 V1.0.0.7(4456)_CN was discovered to contain multiple command injection vulnerabilities.
CVE-2023-5991 - The Hotel Booking Lite WordPress plugin before 4.8.5 allows unauthenticated users to download and delete arbitrary files on the server due to lack of input validation, CSRF, and authorization checks.
CVE-2023-50255 - Deepin-Compressor prior to version 5.12.21 allows remote attackers to execute arbitrary commands via a path traversal vulnerability in crafted archives.
CVE-2023-6879 - Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().
CVE-2023-7163 - D-Link D-View 8 v2.0.2.89 and prior versions allow an attacker to manipulate the probe inventory, potentially leading to information disclosure, denial of service, or execution of unauthorized tasks on other probes.
CVE-2023-50839 - JS Help Desk – Best Help Desk & Support Plugin is vulnerable to SQL injection from n/a through 2.8.1.
CVE-2023-7134 - SourceCodester Medicine Tracking System 1.0 is vulnerable to remote path traversal due to inadequate input validation, allowing attackers to manipulate the argument page and access unauthorized files with the potential for unauthorized actions.
CVE-2023-7139 through CVE-2023-7142 - Code-Projects Client Details System 1.0 multiple SQL injection vulnerabilities.
CVE-2023-51434 - Some Honor products are affected by buffer overflow vulnerability, successful exploitation could cause code execution.
CVE-2023-25054 - David F. Carr RSVPMaker is vulnerable to improper control of code generation, allowing code injection, from n/a through 10.6.6.
CVE-2023-32095 - Rename Media Files from n/a through 1.0.1 allows for improper control of code generation, leading to a code injection vulnerability in Milan Dini.
CVE-2023-40606 - Kanban for WordPress Kanban Boards for WordPress before version 2.5.21 allows attackers to inject malicious code and gain unauthorized access.
CVE-2023-45751 - POSIMYTH Nexter Extension versions up to 2.0.3 are vulnerable to code injection due to improper control over the generation of code.
CVE-2023-46623 - TienCOP WP EXtra is prone to a code injection vulnerability, affecting versions from n/a through 6.2.
CVE-2023-47840 - Qode Essential Addons from n/a through 1.5.2 is vulnerable to code injection due to improper control of code generation.
CVE-2023-49830 - Brainstorm Force Astra Pro from n/a through 4.3.1 is vulnerable to code injection due to improper control of code generation.
CVE-2023-51420 - Verge3D Publishing and E-Commerce before version 4.5.2 is vulnerable to code injection due to improper control of code generation.
CVE-2023-51414 - EnvíaloSimple: Email Marketing y Newsletters version n/a through 2.1 is vulnerable to Deserialization of Untrusted Data.
CVE-2023-51422 - Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin allows remote attackers to execute arbitrary code via crafted serialized objects in WebinarIgnition plugin versions up to 3.05.0.
CVE-2023-51470 - Rencontre – Dating Site is vulnerable to deserialization of untrusted data from n/a through 3.11.1.
CVE-2023-51468 - Rencontre – Dating Site allows unrestricted upload of files with dangerous types.
CVE-2023-51505 - The realmag777 Active Products Tables for WooCommerce plugin before version 1.0.7 allows deserialization of untrusted data.
CVE-2023-51545 - ThemeHigh Job Manager & Career – Manage job board listings, and recruitments is vulnerable to Cross-Site Request Forgery and Deserialization of Untrusted Data from n/a through 1.4.4.
CVE-2023-51410 - WPVibes WP Mail Log allows for the unrestricted upload of files with dangerous types, exposing the system to potential exploits.
CVE-2023-51411 - Frontend Admin by DynamiApps allows the unrestricted upload of files with dangerous types, posing a security risk.
CVE-2023-51412 - Unrestricted Upload of File with Dangerous Type vulnerability in Piotnet Piotnet Forms.This issue affects Piotnet Forms: from n/a through 1.0.25.
CVE-2023-51417 - JVM Gutenberg Rich Text Icons allows unrestricted upload of files with dangerous types, leading to a vulnerability.
CVE-2023-51419 - BERTHA AI allows for unrestricted upload of potentially dangerous files from n/a through 1.11.10.7.
CVE-2023-51421 - Verge3D Publishing and E-Commerce allows unrestricted upload of files with dangerous types.
CVE-2023-51473 - The Pixelemu TerraClassifieds – Simple Classifieds Plugin (from n/a through 2.0.3) is vulnerable to unrestricted upload of dangerous file types.
CVE-2023-51475 - The WP MLM SOFTWARE PLUGIN allows unrestricted upload of files with dangerous types, posing a vulnerability from version n/a through 4.0.
CVE-2023-4541 - Ween Software Admin Panel through 20231229 is vulnerable to SQL Injection, allowing attackers to manipulate SQL commands.
CVE-2023-4674 - Yaztek Software Technologies and Computer Systems E-Commerce Software through 20231229 is vulnerable to SQL Injection.
CVE-2023-4675 - GM Information Technologies MDO is vulnerable to SQL Injection through 20231229, allowing attackers to execute unauthorized SQL commands.
CVE-2023-52139 - Misskey is an open source, decentralized social media platform that allows unauthorized access to certain endpoints and Websocket APIs, leading to leakage of confidential information and unauthorized actions on non-public content.
CVE-2023-39157 - JetElements For Elementor before version 2.6.10 allows code injection due to improper control of code generation.
CVE-2023-52181 - Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1.
CVE-2023-52182 - ARI Stream Quiz – WordPress Quizzes Builder is vulnerable to deserialization of untrusted data.
CVE-2023-49777 - YITH WooCommerce Product Add-Ons versions up to 4.3.0 are vulnerable to deserialization of untrusted data.
CVE-2023-51423 - Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition allows SQL injection from n/a through 3.05.0.
CVE-2023-51469 - Mestres do WP Checkout Mestres WP versions n/a through 7.1.9.6 are prone to an SQL Injection vulnerability.
CVE-2023-33025 - Memory corruption in Data Modem when a non-standard SDP body, during a VOLTE call.
CVE-2023-33030 - Memory corruption in HLOS while running playready use-case.
CVE-2023-33032 - Memory corruption in TZ Secure OS while requesting a memory allocation from TA region.
CVE-2023-6436 - Ekol Informatics Website Template is vulnerable to SQL injection.
CVE-2023-4280 - Silicon Labs TrustZone implementation in v4.3.x and earlier of the Gecko SDK allows unauthorized access to trusted memory.
CVE-2023-48419 - Google Home devices in the wifi vicinity of an attacker can be exploited to spy on users, leading to Elevation of Privilege.
CVE-2024-21623 - OTClient is vulnerable to expression injection in Actions, allowing an attacker to run remote commands, leak secrets, and alter the repository.
CVE-2023-6339 - Google Nest WiFi Pro root code-execution & user-data compromise
Sponsors
CrashPlan
*********** Sponsored By CrashPlan ***********Do You Know Where Your Data Is? In our newly released survey, SANS is seeking insight into the amount and makeup of data that exists on on user endpoints versus central data stores, along with the rigor and effectiveness of policies that either restrict or support storing data on user endpoints. Share your thoughts with us, complete this survey for a chance to win a $250 Amazon gift card!
SANS
First FREE Event of 2024 | Join us for the CTI Summit Solutions Track 2024 on Jan 30 at 9:20am ET. SANS Senior Instructor Ismael Valenzuela and invited guest speakers will dive into cutting-edge CTI case studies while highlighting how the integration of AI technologies can provide unprecedented insights and advantages. | Register now:
Dragos
2023 OT Cybersecurity Year in Review Executive Briefing | Join Dragos CEO and SANS Senior Instructor Robert M. Lee on Feb 23 at 10:30am ET for a look at the most important OT cybersecurity events and lessons learned in 2023. | Register now:
Carbon Black
The results are in for this year's SANS Threat Hunting Survey! Join us on Wed, March 20 as we reveal the results from this year's survey and take a look at how organizations are changing their proactive hunting activities. Register now to receive the accompanying white paper: