SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
HUMAN Security Takes Down Vastflux Ad Fraud Operation
Researchers from HUMAN have taken down a sizeable ad fraud scheme that spoofed more than 1,700 apps and managed to generate 12 billion ad requests a day. By injecting JavaScript into the ads, the scammers were able to layer multiple ads, registering views for ads that users did not see. HUMAN dubbed the malicious campaign Vastflux.Editor's Notes
Ad botnets/malvertising attacks are a constant and this is reminder that if your company pays for ads or takes revenue from ad placement, advertising networks have to be considered as part of your supply chain security and user awareness programs. In particular, increased use of MFA will bring increased “MFA fatigue” attacks, which share a lot of evil DNA with ad stacking attacks. Use this one as impetus for an awareness push to users and management.
NSA Publishes IPv6 Transition Guidance
The US National Security Agency (NSA) has published IPv6 security guidance to help the Department of Defense (DoD) and other federal agencies with the transition to IPv6. One concern is dual stacked networks (networks that are running IPv4 and IPv6 at the same time), as this poses additional security risks, including an increased attack surface.Editor's Notes
- Slide 1 of 2
Not a bad overview, but note that recently released operating systems will use privacy enhanced IPs by default and embedded MAC addresses are rather uncommon these days. Also carefully test the interactions between SLAAC and DHCPv6 for your systems. Just like any feature, it should be enabled if there is a clear business need for it, and if you have the domain expertise to support IPv6.
- Slide 2 of 2
Practitioner's note: Whether you've intentionally "transitioned to IPv6" or not, it's likely already running in your environment. Test it yourself! Penetration testers make easy money from systems with rock-solid IPv4 firewall rulesets and "allow any any *" for IPv6. Also, without the protection of NAT, it's worth trying to access internal assets from an external host. It might be directly accessible!
Slide 1 of 0- Slide 1 of 2
Report: Ransomware Victims are Refusing to Pay
Studies from two security firms suggest that ransomware victims are increasingly refusing to pay the attackers’ demands. According to Chainalysis, ransomware payments fell from $766 million in 2021 to $457 in 2022. Coveware reports that 76 percent of ransomware victims paid the ransom demands in 2019, while that figure fell to 41 percent in 2022.Editor's Notes
- Slide 1 of 2
First, a caveat that there is *no* reliable data on ransomware payments, as even Chainalysis notes. That said, essential security hygiene works against the majority of attacks and ransomware is not different. If you’ve been unable to get backing to make needed changes, you can certainly take advantage these headlines to show management that your competition has been getting more secure.
- Slide 2 of 2
Between dropping crypto currency prices, and victims refusing to pay, the researcher in me can't wait for what attackers come up with next to monetize their efforts.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Indian Education App Exposed Student and Teacher Data
The personal information of students and teachers in India was exposed on the Internet for more than a year. The Digital Infrastructure for Knowledge Sharing (Diksha) app stored the data on an unprotected Azure cloud server. Diksha has made data privacy news before: last year, a report from Human Rights Watch found that the app was tracking students’ location and sharing that information with Google.Editor's Notes
- Slide 1 of 2
Practitioner's note: If you're not 100% confident that your cloud assets are appropriately secured from public access, test it! Try to access it from an account which shouldn't be able to access your instance/storage blob/assumed role policy. You may still miss subtle misconfigurations, but you'll catch the most egregious - like this one.
- Slide 2 of 2
Improper configuration of cloud resources is a preventable problem. The Center for Internet Security publishes and makes available for free foundation benchmarks for each of the major cloud service providers (Azure in this case). The benchmark contains security recommendations, and information on how to implement them, that improves the security posture of cloud resources.
Slide 1 of 0- Slide 1 of 2
Some MSI Motherboards Do Not Have Secure Boot Enabled by Default
Security researcher Dawid Potocki discovered that more than 300 motherboard models from MSI do not implement the Secure Boot feature by default, which means that they will allow any bootloader, signed or unsigned, to run. According to an MSI Reddit post, the company says they “preemptively set Secure Boot as Enabled and ‘Always Execute’ as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems.” MSI reportedly plans to release firmware updates that will change the default setting to “Deny Execute.”Editor's Notes
- Slide 1 of 2
Classic "usability vs security" issue. Disabling full Secure Boot protection will cause more support queries from users attempting to use a boot loader / operating system not sanctioned by MSI or the OEM.
- Slide 2 of 2
Organizations count on OEMs to ship their products properly configured. The troubling bit is that this configuration change, made by MSI, resulted in secure boot being irrelevant and users of the product were unaware. Lately, CISA has been talking about shifting the security burden (secure, transparent, and sustainable) from the end user to the vendor. Here’s an example where configuration control processes need to be reinforced and tested prior to shipping, else the security shift can become a potential supply chain attack.
Slide 1 of 0- Slide 1 of 2
Apple Updates Include Backported Fix for iOS Vulnerability
Apple released fixes for multiple security issues in iOS and macOS, including a remotely exploitable zero-day flaw in iOS. The type confusion issue in Apple WebKit browser engine was deemed serious enough to prompt Apple to release updates for older versions of iOS.Editor's Notes
Impressive from Apple to release an update for hardware released 10 years ago. I wish more device manufacturers would offer fixes for critical security issues for older devices. On the other hand, I don't think Apple offers any guarantees as to how long updates like this are available for specific devices.
Federal Agencies Do Not Implement Majority of GAO’s Cybersecurity Recommendations
According to a new report from the US Government Accountability Office (GAO), US federal agencies have implemented just 40 percent of the 335 cybersecurity recommendations made by GAO since 2010. The report, Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight, is the first of four planned reports examining the government’s development and implementation of cybersecurity policy.Editor's Notes
- Slide 1 of 2
It is tempting to skip over this “evergreen” item – government agencies not implementing audit recommendations is not news. But, I have to point out that GAO/OMB always never seem to address the root problem of ” Why?” Instead, it is always an immediately jump to “a more comprehensive strategy” is needed at the top, vs. what really are the obstacles facing government CISOs and SOC managers who do want to improve cybersecurity and why some agencies *are* able to stay safe and score well.
- Slide 2 of 2
One would hope that implementing fundamental recommendations would obviate others even though it decreased the number of boxes checked. Checking boxes is not an efficient way to achieve quality. Unchecked boxes are not necessarily an indicator of poor quality.
Slide 1 of 0- Slide 1 of 2
FAA Statement on NOTAM Outage (January 19, 2023)
In a January 19 statement, the US Federal Aviation Administration (FAA) said that according to a preliminary review, “contract personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database. The agency has so far found no evidence of a cyber-attack or malicious intent.” The statement also notes that the FAA “has taken steps to make the NOTAM system more resilient.”Editor's Notes
File integrity management is one of basic security hygiene requirements that actually works when done right. One key element is figuring out what are the actual show stopper files, not always just key executables.
Bitzlato Virtual Currency Exchange Taken Down in International Effort
The digital infrastructure of the Bitzlato virtual currency exchange was taken down in an international operation involving authorities from the US, France, Belgium, Cyprus, Portugal, Spain and the Netherlands. Authorities said that nearly half of Bitzlato’s transactions were tied to criminal activity. Five people have been arrested in all: three in Spain, one in Cyprus, and one in the US.Editor's Notes
Defeating ransomware has three parts. Step one is making available best practice guidance to protect oneself from ransomware attack; see the ‘Blueprint for Ransomware Defense.’ A second step is not to pay the ransom; over the last year great progress has been made. The third step is removing the currency exchanges used by cybercriminals. Effort along all three parts is necessary, else the cybercriminal will continue targeting organizations.
Internet Storm Center Tech Corner
Who's Resolving This Domain
https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462
Importance of Signing in Windows Environments
https://isc.sans.edu/diary/Importance+of+signing+in+Windows+environments/29456
Apple Updates Everything
https://support.apple.com/en-us/HT201222
NSA IPv6 Security Guidance
https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI_IPV6_SECURITY_GUIDANCE.PDF
Roaming Mantis Implements new DNS Changer in tis malicious mobile app
https://thehackernews.com/2023/01/roaming-mantis-spreading-mobile-malware.html
FanDuel Discloses Data Breach Caused by Recent MailChimp Hack
OneNote Documents Used to Embed Malicious Office Documents
Cisco Unified Communications Manager SQL Injection
Possible KeePass Vulnerability