Windows 11 Pro Insider Preview builds now have SMB insecure guest authentication turned off by default. In a blog post, Microsoft’s Ned Pyle notes that “guest logons don't require passwords & don't support standard security features like signing and encryption.” The change is effective in Windows 11 Insider Preview Build 25276, which was released earlier this month.
I’m going to skew *really* old here: before we had houses, we had caves, which mostly had only one way in and out. Perimeter security was pretty straightforward. Operating systems in general, and certainly Windows in particular, started out essentially like fields, not caves – everything could walk, slither or fly in and out as the default. Even though this change is not a big deal, it’s always good to see Windows being more cave-like than field-like. In real businesses, as long as we don’t send paychecks to customers and products to employees, perimeters exist (albeit more complex than caves…) and will need to be defended.
This is a move in the right direction. Shares should only be enabled through a defined process, and ideally never from a workstation beyond what is required for management. Guest logins should only be enabled with deliberate care and forethought. Better still, use cloud-based file sharing services, which have many options, including self-registration, logging, and centralized management.
SMB is a network file sharing protocol that cybercriminals can leverage as part of a ‘living off the land’ attack. For years, standard cybersecurity best practice guidance has been to disable guest accounts. By turning it off by default in Windows Pro editions, Microsoft removes one additional configuration change that end users have to make – a good thing!
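The new build only changes the default; fleets on earlier builds or other editions still carry whatever value the client was shipped or configured with. The following PowerShell is an added example, not code from the SANS item or from Microsoft’s post. It reports the effective SMB client setting, whether Group Policy is already managing it, enforces the secure value, and lists servers the client has recently refused guest logons to (the inventory to fix before enforcing fleet-wide). It assumes Windows 8/Server 2012 or later (the `SmbShare` module), an elevated session, and that the policy-managed value lives under the documented `LanmanWorkstation` policy key; the function names are the example’s own.

```powershell
# Added example: audit and enforce SMB client insecure guest logons on a Windows host.
# Not part of the SANS newsletter or Microsoft's blog post. Run elevated.

function Get-SmbGuestAuthState {
    # Effective client setting, as the SMB client itself reports it.
    $cfg = Get-SmbClientConfiguration

    # Policy-managed value written by the GPO
    # Computer Configuration > Administrative Templates > Network > Lanman Workstation >
    # "Enable insecure guest logons" (0 = disabled, 1 = allowed). Absent means "not managed".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    $policy = (Get-ItemProperty -Path $policyKey -Name AllowInsecureGuestAuth `
                  -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        EnableInsecureGuestLogons    = $cfg.EnableInsecureGuestLogons
        RequireSecuritySignature     = $cfg.RequireSecuritySignature
        PolicyAllowInsecureGuestAuth = if ($null -eq $policy) { 'not set' } else { $policy }
    }
}

function Disable-SmbGuestAuth {
    # Local enforcement of the value the new Insider build ships by default.
    # A GPO that sets AllowInsecureGuestAuth=1 will win over this at next policy refresh,
    # which is why the audit above reports the policy value separately.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    Get-SmbGuestAuthState
}

function Get-RejectedGuestLogons {
    param([int]$MaxEvents = 20)
    # Event 31017 in the SMB client Security log is written each time a server offered a
    # guest logon and the client refused it; the message names the server, so this is the
    # list of shares that still rely on guest access and need a real account or a new owner.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31017 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: report, enforce if needed, then show what the change would (or did) break.
$before = Get-SmbGuestAuthState
if ($before.EnableInsecureGuestLogons) {
    Write-Warning "Insecure guest logons are enabled on $($before.ComputerName); disabling."
    Disable-SmbGuestAuth
} else {
    Write-Output "Insecure guest logons already disabled on $($before.ComputerName)."
    $before
}
Get-RejectedGuestLogons
```

Run the audit and the 31017 listing across the estate first; a burst of rejections naming one NAS or printer scan share tells you which devices were quietly relying on guest access and need an authenticated account (or replacement) before the hardened default reaches them.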
Researchers from Ermetic have detailed their findings of a cross-site request forgery vulnerability affecting Azure cloud services. The flaw, dubbed EmojiDeploy, can be exploited to achieve remote code execution. The vulnerabilities are due to a series of misconfigurations and bypasses in the Kudu back-end source control management tool. Microsoft was alerted to the issues in October 2022 and addressed them in early December.
This item, and the similar Server-side Request Forgery vulnerability found by Orca in Azure, point out 3 key issues: (1) Cross-site Request Forgery was on the OWASP Top 10 for many years, Server-Side Request Forgery is on the list for 2022. I’d like to hear some lessons learned from Microsoft about why these were in Azure code when so many tools find them easily. (2) Azure was patched when the patches were ready – Microsoft did not have to wait until the monthly Vulnerability Tuesday. (3) We still see external parties (good guys with responsibly disclosed vulnerabilities and bad guys exploiting zero days) being credited on the majority of patches that come out in Windows. This all adds up to faster patching is still important and the monthly patch cycle is like using a 4800 baud modem for IT ops hygiene when the bad guys are on gigabit connections.
Sources: Ermetic, The Hacker News, SC Magazine, Dark Reading
GitLab has released versions 15.7.5, 15.6.6, and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE) to address critical vulnerabilities in the bundled git version control software. The vulnerabilities – an integer overflow in parsing and a heap overflow – can be exploited to achieve remote code execution.
GitLab addresses some vulnerabilities that were found in the open source tool "git" as part of a recent code audit. Aside from GitLab, you should watch out for updates to git from various vendors. Many developers will also install various versions of "git" independently. Unix-based operating systems like macOS often include git, but may have other versions installed as well by development tools.
My experience is folks running their GitLab services are all over keeping them updated, but it doesn’t hurt to verify. Also make sure that your scanning software is checking for versions of GitLab/Atlassian and similar tools. If you don’t have visibility to their security bulletins, sign up on the announcement page.
Sources: GitLab, X41-DSec, The Hacker News, GitHub, NIST
In a Form 8-K filing with the US Securities and Exchange Commission (SEC), T-Mobile disclosed a breach that affects 37 million customer accounts. The attacker was able to gain access to the information through an Application Programming Interface (API). The intruder first gained access to the data in late November 2022; T-Mobile learned of the breach on January 5, 2023.
This is T-Mobile's 8th breach in less than 5 years. Everybody gets breached at some point. But if you get breached 8 times, it may be time to not just look at technology but the overall culture and management of your security organization.
While T-Mobile’s statement downplays the sensitivity of information obtained, characterizing it as marketing information, the information included name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. Take appropriate steps to watch for your information being misused, not just credit monitoring, but also very targeted social engineering.
APIs are prevalent in today’s modern mobile and web applications and consequently are one of the most frequent attack vectors used by cybercriminals. The Open Web Application Security Project (OWASP) regularly publishes the ten most critical security concerns for web application security. Organizations that provide mobile and web services should become familiar with OWASP and implement the security recommendations provided as part of their software development process.
Researchers from Orca detected server-side request forgery issues that affect four Azure services: Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins. Microsoft has addressed the problems.
Health sector breaches recently reported to the US Department of Health and Human Services (HHS) include a network disruption affecting more than 250,000 patients at Bay Bridge Administrators, a network intrusion affecting more than 60,000 patients at Circles of Care Providers, and a data exposure affecting more than 35,000 patients at the Elizabeth Hospice.
If you’re in the health care sector, don’t expect the volume of attacks to drop anytime soon. The challenge here is that while the third-party provider notified of the breach within 60 days after confirmation/validation, HIPAA actually wants notification “even if it is initially unclear whether the incident constitutes a breach as defined in the rule.” Have a conversation with your third-party providers to understand how they interpret this language, so you know what to expect. You may want to include your legal counsel in the conversation for peace of mind.
An interesting interpretation of the HIPAA requirement to inform patients within 60 days of possible data exposure. Yes, organizations should be afforded some time to investigate a cyber breach but allowing that amount of time before notification is concerning. Simply put, victims should have been notified faster. Perhaps Congress will take on this reporting requirement ambiguity as they look at potential cybersecurity mandates for health systems.
Vulnerabilities in historian database servers raise concerns as they can provide a connection between an organization’s IT and OT networks. Researchers at Claroty have detailed their findings about a set of vulnerabilities in the GE Proficy Historian. The report notes that “these critical databases not only store data collected from industrial control systems, but they also extend to the corporate network by sharing information with enterprise resource planning systems and analytics platforms."
There are business and operational reasons for an organization to connect its IT and OT networks. That said, once connected, it does provide a pathway for remote access to vulnerable OT systems. You can count on the adversary finding the connection once they have initial access. Proper planning and active monitoring of these connections should be a high priority for IT and security staff and a feature of regular reporting to executive leadership.
Canadian liquor retailer LCBO recently disclosed that its website had been infected with malware that attempted to steal customer data. Further investigation by Recorded Future revealed that LCBO suffered two payment skimming cyberattacks over the past month.
Royal Mail, which suffered a ransomware attack earlier this month, is slowly recovering from the incident. Initially, the attack disrupted the UK postal service company’s operations, rendering it unable to ship overseas. Earlier this week, Royal Mail said that it has “resumed the export of letters which do not require a customs declaration to all international destinations,” but asks that customers refrain from sending new parcels.
Bravo to Royal Mail implementing “Operational Workarounds” indicating they are not paying the ransom but rather recovering their systems per their DR plan. The UK seems to be under a wave of increased ransomware attacks, this is a good time to make sure that your operations over there are prepared.
In the face of our continued failure to resist extortion attacks, our backup and recovery procedures must enable us to recover entire mission critical applications in hours to days rather than simply a few files. It may be necessary to recover entire subnets in days.
Cisco has released updates to fix an improper user input validation vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability could be exploited to conduct an SQL injection attack.
While Cisco is not aware of this being exploited in the wild, it’s a good time to gather all the updates they released this month and get them deployed, starting with anything which is directly Internet accessible. While you’re at it, make sure that you are able to detect (and ideally block) attempted exploits of these vulnerabilities.
We continue to name vulnerabilities by the method of exploiting them rather than the development and coding practices and quality control failures that lead to them. It should not surprise us that the vulnerabilities persist and recur.
SPF and DMARC use on 100k most popular domains
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+100k+most+popular+domains/29452
Malicious Google Ads for Fake Notepad++ Lead to Aurora Stealer
https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448
Finding that one GPO setting in a pool of hundreds of GPOs
https://isc.sans.edu/diary/Finding+that+one+GPO+Setting+in+a+Pool+of+Hundreds+of+GPOs/29442
Netcomm Router Vulnerabilities
https://kb.cert.org/vuls/id/986018
Microsoft Pushes Outdated Office Install Check
Oracle Critical Patch Update
https://www.oracle.com/security-alerts/cpujan2023.html
QT QML Vulnerability
Sysmon Exploit Released CVE-2022-41120, CVE-2022-44704
https://github.com/Wh04m1001/SysmonEoP
ManageEngine CVE-2022-47966 Technical Deep Dive
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
sudo sudoedit vulnerability
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
GIT Code Audit
https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/
Azure SSRF Flaws
https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services/
SMB Insecure Guest Auth Off By Default In Windows 11 Pro
Packet Tuesday: IPv6 Router Advertisements