SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Take Downs and the Rest of Us: Do they matter?
Published: 2024-02-27
Last Updated: 2024-02-27 17:19:25 UTC
by Johannes Ullrich (Version: 1)
Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquiti, compromised using well-known default credentials.
Why do nation-state actors go after "simple" home devices? Usually, these attacks are associated with simple "vandal ware" like Mirai and similar bots. Often, a cryptocurrency miner is deployed as part of the attack. But even for more sophisticated attackers, these devices are attractive:
Read the full entry: https://isc.sans.edu/diary/Take+Downs+and+the+Rest+of+Us+Do+they+matter/30694
Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary]
Published: 2024-02-25
Last Updated: 2024-02-26 01:13:50 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Keegan Hamlin, an ISC intern as part of the SANS.edu BACS program]
Part of the SANS undergraduate program is a 20-week internship with the SANS Internet Storm Center. During that time, interns are tasked with setting up a DShield sensor to act as a honeypot, capturing data and generating logs for SSH/Telnet, Firewall activity, Web requests, and most interesting to me, file uploads. With those logs, we are expected to create attack observations, explaining what vulnerability is being exploited, what the attacker is attempting to accomplish, and how to defend against this attack. I wanted to give myself a project to help aid with creating these attack observations, and in my case, a way to quickly get information on the uploaded files. At the beginning of the internship, I had given myself a personal goal, which was to do something to build my Python skills. I thought this might be the opportunity to do that.
VirusTotal is a go-to source to upload or search for hashes of suspicious files and it is what I typically use when investigating files uploaded to the honeypot. They offer an API to automate this process, and it integrates well with Python.
Simple Command Line Query
I began by following the steps listed in the VirusTotal quick start page for their Python integration tool ...
Read the full entry: https://isc.sans.edu/diary/Utilizing+the+VirusTotal+API+to+Query+Files+Uploaded+to+DShield+Honeypot+Guest+Diary/30688/
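The excerpt stops before the query itself, so here is an added example (not the intern's code from the diary) of what an automated hash lookup looks like: hash an uploaded sample, ask the VirusTotal v3 file-report endpoint about it, and reduce the response to the few fields an attack observation needs. The endpoint and the x-apikey header are VirusTotal's documented v3 interface; the VT_API_KEY environment variable, the use of the standard library instead of the vt-py client mentioned on the quick start page, and the sample response (including its hash and label) are assumptions constructed for this example.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

# VirusTotal v3 file report endpoint; authentication is the x-apikey header.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_file(path: str) -> str:
    """Hash an uploaded honeypot sample in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to the fields worth putting in an attack observation.

    last_analysis_stats holds per-verdict engine counts; popular_threat_classification
    (when present) carries the community label. Every key is optional because
    VirusTotal omits them for files it has not fully analysed yet.
    """
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    total = sum(int(v) for v in stats.values())
    label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")
    return {
        "sha256": attrs.get("sha256"),
        "malicious": malicious,
        "engines": total,
        "ratio": f"{malicious}/{total}" if total else "n/a",
        "label": label,
        "first_seen": attrs.get("first_submission_date"),  # epoch seconds
    }


def lookup_hash(sha256: str, api_key: str, timeout: int = 30) -> Optional[dict]:
    """Fetch and summarize the report; returns None when VirusTotal has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # unknown to VirusTotal: decide separately whether to upload it
        raise


# Constructed sample in the shape of a v3 /files/{hash} response; hash, counts and label are made up.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "ab" * 32,
        "attributes": {
            "sha256": "ab" * 32,
            "first_submission_date": 1700000000,
            "last_analysis_stats": {"malicious": 41, "suspicious": 1, "undetected": 28, "harmless": 0, "timeout": 2},
            "popular_threat_classification": {"suggested_threat_label": "trojan.linux/mirai"},
        },
    }
}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # assumed location of the API key
    if len(sys.argv) > 1 and key:
        for path in sys.argv[1:]:
            digest = sha256_of_file(path)
            print(path, lookup_hash(digest, key) or f"{digest}: not in VirusTotal")
    else:
        print(summarize_report(SAMPLE_REPORT))
```

Run it with one or more file paths and VT_API_KEY set to query the live service; without arguments it summarizes the constructed sample, which is enough to check the parsing offline. A 404 is deliberately reported rather than treated as an error, since an uploaded file that VirusTotal has never seen is itself a useful observation.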
[Guest Diary] Friend, foe or something in between? The grey area of 'security research'
Published: 2024-02-22
Last Updated: 2024-02-22 00:21:39 UTC
by Rachel Downs, SANS BACS Student (Version: 1)
[This is a Guest Diary by Rachel Downs, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Scanning on port 502
I’ve been running my DShield honeypot for around 3 months, and recently opened TCP port 502. I was looking for activity on this port as it could reveal attacks targeted towards industrial control systems which use port 502 for Modbus TCP, a client/server communications protocol. As with many of my other observations, what started out as an idea to research one thing soon turned into something else, and ended up as a deep dive into security research groups and the discovery of a lack of transparency about their actions and intent.
I analysed 31 days of firewall logs between 2023-12-05 and 2024-01-04. Over this period, there were 197 instances of scanning activity on port 502 from 179 unique IP addresses.
Almost 90% of scanning came from security research groups
Through AbuseIPDB and GreyNoise, I assigned location, ISP and hostname data (where available) to each IP address. GreyNoise assigns actors to IP addresses and categorises these as benign, unknown or malicious. Actors are classified as benign when they are a legitimate company, search engine, security research organisation, university or individual, and GreyNoise has determined the actor is not malicious in nature. Actors are classified as malicious if harmful behaviours have been directly observed by GreyNoise, and if an actor is not classified as benign or malicious it is marked as unknown.
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Friend+foe+or+something+in+between+The+grey+area+of+security+research/30670/
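The counting and classification described in this excerpt (events on a port, distinct sources, and a benign/malicious/unknown bucket per source) is the kind of step a sensor operator repeats for every port of interest, so here is an added Python example that is not the author's code. It parses netfilter-style firewall log lines, tallies TCP/502 hits per source address, and buckets the distinct sources with a lookup table. The log lines, the RFC 5737 addresses in them and the actor table are constructed for this example; the table stands in for the GreyNoise lookups the diary describes and follows its rule that an address with no classification counts as unknown.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Mapping, Optional

# Constructed netfilter/iptables LOG lines (RFC 5737 test addresses), not the diary's data.
SAMPLE_LOG = """\
Dec  5 03:14:07 sensor kernel: FW IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=243 ID=54321 PROTO=TCP SPT=44123 DPT=502 WINDOW=1024 SYN URGP=0
Dec  5 03:14:09 sensor kernel: FW IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=243 ID=54322 PROTO=TCP SPT=44124 DPT=502 WINDOW=1024 SYN URGP=0
Dec  5 07:02:51 sensor kernel: FW IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=55010 DPT=502 WINDOW=65535 SYN URGP=0
Dec  6 11:45:00 sensor kernel: FW IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TTL=48 ID=9 PROTO=TCP SPT=60001 DPT=502 WINDOW=29200 SYN URGP=0
Dec  7 22:10:13 sensor kernel: FW IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 LEN=40 TTL=50 ID=7 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 SYN URGP=0
Dec  8 09:00:00 sensor kernel: FW IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TTL=60 ID=3 PROTO=UDP SPT=50000 DPT=502 LEN=40
Dec  9 01:01:01 sensor kernel: FW IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=240 ID=2 PROTO=TCP SPT=30000 DPT=502 WINDOW=1024 SYN URGP=0
"""

# Constructed stand-in for per-IP actor classifications; real data would come from a GreyNoise lookup.
SAMPLE_ACTORS = {
    "203.0.113.5": "benign",
    "198.51.100.23": "benign",
    "198.51.100.77": "malicious",
}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line: str) -> Optional[Dict[str, str]]:
    """Split a netfilter LOG line into its KEY=VALUE fields.

    Returns None when SRC or DPT is missing (for example, sshd or other syslog
    noise sharing the file), so callers can skip non-firewall lines.
    """
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    fields["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
    return fields


def summarize_port(lines: Iterable[str], port: int = 502, proto: str = "TCP") -> dict:
    """Count hits on one destination port/protocol and the distinct sources behind them.

    Modbus TCP is TCP-only, so a UDP datagram to 502 is ignored by default.
    """
    per_source: Counter = Counter()
    for line in lines:
        f = parse_netfilter_line(line)
        if f and f.get("PROTO") == proto and f["DPT"] == str(port):
            per_source[f["SRC"]] += 1
    return {
        "events": sum(per_source.values()),
        "unique_sources": len(per_source),
        "per_source": per_source,
    }


def classify_sources(sources: Iterable[str], actor_map: Mapping[str, str]) -> Counter:
    """Bucket each distinct source as benign, malicious or unknown (the default)."""
    classes: Counter = Counter()
    for ip in sources:
        classes[actor_map.get(ip, "unknown")] += 1
    return classes


def benign_share(classes: Counter) -> float:
    """Percentage of distinct sources classified benign, rounded to one decimal."""
    total = sum(classes.values())
    return round(100.0 * classes["benign"] / total, 1) if total else 0.0


if __name__ == "__main__":
    summary = summarize_port(SAMPLE_LOG.splitlines())
    classes = classify_sources(summary["per_source"], SAMPLE_ACTORS)
    print(f"{summary['events']} events from {summary['unique_sources']} unique sources on TCP/502")
    print(dict(classes), f"benign share: {benign_share(classes)}%")
```

The share is computed over distinct sources rather than events, which matters when, as in the sample, one address scans repeatedly; the diary's 179 unique addresses behind 197 events shows the same distinction.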
Update: MGLNDD_* Scans (2024.02.24)
https://isc.sans.edu/diary/Update+MGLNDD+Scans/30686/
Simple Anti-Sandbox Technique: Where's The Mouse? (2024.02.23)
https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/
Large AT&T Wireless Network Outage #att #outage (2024.02.22)
https://isc.sans.edu/diary/Large+ATT+Wireless+Network+Outage+att+outage/30680/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
*********** Sponsored By SNYK ***********
Get ready for the transformative influence of generative AI. Delve into the four main areas that CISOs and their teams need to prepare for: 1. "Defend with" Generative Cybersecurity AI; 2. "Attacked by" GenAI; 3. Secure Enterprise Initiatives to "Build" GenAI Applications; 4. Manage and Monitor "Consumption" of GenAI. Access the full Gartner® report, Impact of AI on CISO Impact Report: 4 Ways Generative AI Will Impact CISOs and Their Teams:
Upcoming Webcast: Modernizing AppSec with Application Security Posture Management | Join Matt Bromiley and Idan Elor from Apiiro on March 6 at 1PM ET as they discuss how to secure applications, a complex and cumbersome issue many organizations have yet to solve. Register now:
Buyers Guide: How to Secure Egress Traffic from Workloads in the Public Cloud | Tune in on March 12! Dave Shackleford will explore the inherent challenges associated with legacy cloud workload security, and highlight seven critical capabilities to securing egress traffic from workloads in the public cloud. Register now:
2024 SANS State of Security Automation Survey | We would like to understand what drives automation in security teams, the role of automation in facilitating collaboration, and the ongoing challenges of automating security operations. Complete this survey for a chance to win a $250 Amazon gift card!