SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsThere are a lot of software components to the VMware infrastructure. Kinda like SolarWinds, VMware has a high market share in data centers, and those VMware software components are installed with access at the heart of business networks. This means VMware is an obvious high leverage/high priority target for very sophisticated attackers, just as Solar Winds was. This particular log management software vulnerability by itself may not rate as top priority but use VMware’s CVSS score of 9.8 to drive a check on patch levels on all VMware installs.
The VMware vRealize issue is yet another string of issues plaguing VMWare. While it may not be as popular as vCenter, it is considered core infrastructure in many companies. Most of these items stay unpatched for years. Patch your VMware kit. When doing Red Team assessments on internal networks, we often find ways into VMware backends as they are often unpatched.
Deploy the updated version of vRealize Log Insight. Yes, there is a workaround, and it makes tasks like adding nodes to clusters more manual. Read and understand the entire workaround before moving forward, which will likely take more time than patching.
Nice to see Microsoft continuing its quest to block common malware delivery methods. XLL files are not seen as frequently as some of the other malware delivery vehicles, but they are gaining more prominence after "classic" macros became less effective.
XLL files are dynamic link libraries (add-ins) that extend the functionality of Excel. As such these should only come from trusted locations. While users are warned before an XLL is activated, too often they just click Enable and move on. Another topic to cover in your user training, even after the block is rolled out later this year.
In the physical world, there are many additives that have some advantages (red dye #2 in food, lead in gasoline, DDT in pesticides) that provide some clear usage advantages but overall are found to be too dangerous to use. We are going through that process in software, but software makes it easier for more new dangerous “additives” to be put in use. Ideally, software is also easier to test for danger – let’s hope Microsoft, Google, etc. will not just remove old bad additives, but also release many fewer dangerous ones in the future.
Microsoft Excel is such a powerful toolset. The fact that it can load its sort of DLL payload is unsurprising when you search for videos on Excel Programming. It is, however, interesting to see that as Microsoft Harden Excel, the attackers will move into other Office products (such as OneNote), Teams, and maybe even non-office products like PowerTools.
And so continues the ‘cat and mouse’ game between attacker and defender. Last year, MSFT began blocking VBA macros by default. With that change the attacker shifted their tactics, tools, and procedures moving to an increase in the use of XLL files for payload delivery. By blocking these macros and extensions by default, MSFT is doing two things: 1) reducing the attack surface; and, 2) forcing a cost on the adversary to attack organizations.
This is even more difficult to detect if the attacker does not install any new software, but uses existing remote control software on the host. Access to these tools needs to be monitored. Make sure you are not instrumenting your network with "attack tools". This also reminds me a bit of the old days when attackers used console servers to bypass organization's perimeter security stacks.
A few years ago in the SANS annual threat report, SANS highlighted “Living Off the Land” attacks where both OS capabilities (like remote desktop) and installed software tools were used by bad guys to facilitate attacks and evade detection. The campaign discussed is a good illustration and a good one to use in security awareness material – there are lot of chances for a user to say, “wait a minute…” and click X in the upper right corner – and, ideally, report a phishing attempt to security using the convenient menu bar item you have provided for them.
I have a person I work with in their 70s that fell for a phishing scam using RMM like this on their iPhone. The first alarming part I found is that AnyDesk could be used on an iPhone, which I had no idea was a thing. The second part of that conversation was that they fell for it because, according to them (unconfirmed), Apple support also used AnyDesk a few weeks before to troubleshoot their device. That felt a bit alarming. Be very careful to explain to friends and family that internet-based remote control is dangerous.
The CISA article includes IOCs for your threat hunters to follow up on. Yes, this is a social engineering attack, tricking users into installing remote management software and a refund scam to get access to user's systems and bank accounts. You should be checking for installations of any remote management software. Take this scenario to your training team to make sure they have this type of social engineering covered, and that people are training regularly. Remember, after 4-6 months, retention fades.
A slightly different spin on Living off the Land Attacks. It starts first with a specially crafted phishing/smishing/vishing message that lures the unsuspecting victim to visit a malicious domain. While user training on phishing attacks is now part of annual security awareness training, some attacks will still get through. Proper configuration, patch, and network management are still highly important to limit attacker success.
CISA
Bleeping Computer
Security Week
Health IT Security
FCW
SC Magazine
We are not ready for a world with AI yet, but I’m very happy to see NIST working on how we can start to look at the risk around AI. One of the fallacies we have as humans can be to take a non-critical thinking approach to what the machines are outputting. Before we become super awed, we should have a skeptical look at the output to validate that what it is emitting is of good quality. Give this a look through, as you will likely see many security vendors attempting to hook things into AI-based systems to augment the work.
While we all get that AI is a learning environment, changing as it goes, what we may miss is that environment or social changes ingested by the system can cause unexpected outcomes. This guidance is intended to help govern and normalize that behavior, as well as address risks of AI systems in practice. NIST is taking feedback on the framework email AIFramerwork@nist.gov
Certainly timely. However, one wonders how much "govern, map, measure and manage" helps, since these require experience and skill which few organizations enjoy. Users should keep in mind that AI is a tool, neutral, not magic, but which may invite abuse and misuse. The role of users is to identify the applications, formulate the questions and tasks, evaluate and use the results.
NIST
NIST
NIST
NextGov
FedScoop
What's changed here is that Akamai published a PoC for exploiting this flaw, which means if you were avoiding deploying the fix because of concerns with altering the CryptoAPI, you need to move forward. Research found the one app vulnerable to this attack was Chrome v48, which is old. Applications that don't use certificate caching are not impacted. Roll out the update.
This is an example of outdated use of MD5 hashes and not all that easy to exploit before this proof of concept code came out – the CVSS base score was relatively low (6.5-7.5). But, a nice New Year’s resolution would be to get IT to commit to faster patching of all data center software – with the ease of cloud-based patch QA, lowering data center time to patch from 6 months to 3 months would be a nice raising of the bar.
Practitioner's note: Remember that Chrome patches are applied automatically when it starts. So for those of you who never close your browser, this is your reminder to do so regularly. (-:
The update addresses two critical use-after-free flaws, the most severe CVE-2023-0471 has a CVSS score of 8.8. Currently there is no evidence of active exploitation. Good news is, after 2022, we're all good at deploying Chrome updates. Bad news is, browsers will continue to have flaws, and your users will continue to demand using them as if they don't.
Chrome Releases
SC Magazine
Security Week
The FBI claims to have hacked the hackers legally, obtaining access to their network to deliver decryption keys to victims, saving about $130M in ransomware payments. Don't attempt that sort of action yourself: you don't want to run afoul of what is and is not legal. This doesn't mean you can't reach out to law enforcement and contribute to the take-down, when invited; it means don't go rogue (no matter how upset you are and how weak the target looks.)
An interesting figure contained in the report is the savings of approximately $130 million in ransom. This lines up nicely with earlier reporting on the reduction in ransomware payouts in 2022. One can infer two things from the article: 1) that actual malware attacks continue to be highly successful; and, 2) while government was successful in disrupting the Hive gang, other cybercriminal gangs will use this announcement to change up their vetting procedures. In the end, more work needs to be done to make enterprises more resilient against ransomware attack.
SC Magazine
Europol
Bleeping Computer
Security Week
Health IT Security
Cyberscoop
Gov Infosecurity
Washington Post
The recommendations include guides, fact sheets, and organizations you can partner with to help get your arms around securing your school IT. Beyond the recommendations the CISA toolkit includes links to free resources and training to help our educators succeed without being entirely dependent on obtaining funding. Even if you're not in the K-12 space, there are good references here you may want to leverage in your own environment.
The three recommendations are sort of a motherhood and apple pie generic statement. Sure, you want to leverage security investments. Sure, you want cybersecurity buy-in at the top as a priority. Sure, we’re all in this together and you should leverage your community. In one respect the needs of the K-12 community are no different from every other industry vertical; a need to focus on basic cyber hygiene. This becomes important as the K-12 community is increasingly targeted by ransomware gangs.
Apparently my choice to take the 25th off was a good idea. The core outage ran from 7-9AM UTC and was due to a network routing change, which Microsoft rolled back. About the only region not impacted was China. Double check your Azure-hosted services to make sure things are working properly. You may need to restart some services. For example, Facebook had to turn off and back on their database verification service to recover. If you still have folks balking at a back-out plan for change requests, here's an example they should relate to.
Gov Infosecurity
Bleeping Computer
ZDNet
TechCrunch
DDoS attacks have been around for well over two decades; the tactics, tools, and procedures really haven’t changed that much. While airports aren’t typically targets, financial and government sectors have been victims of DDoS attacks in the past. Unfortunately, in this new, frenzied geo-political environment, nation states and their surrogates will take what’s available to them to cause mischief. Every organization should revisit mitigation guidance, such as that published by the Cloud Security Alliance to protect against DDoS attacks.
As DDoS attacks are becoming more common, don't assume you, or one of your services, won't be impacted, directly or indirectly. Actively check that you have countermeasures in place and learn how they are verified. Now go through both your cloud and outsourced services and do the same. Setup a schedule to re-verify this doesn't change.
I suspect we will see more attacks on European countries as the war efforts will be protracted. Expect this to go on for years to come.
Live Linux IR with UAC
https://isc.sans.edu/diary/Live+Linux+IR+with+UAC/29480
First Malicious OneNote Document
https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470
Apple Patch Summary
https://isc.sans.edu/diary/Apple+Updates+almost+Everything+Patch+Overview/29472
Bitwarden Phishing
https://community.bitwarden.com/t/phishing-website-bitwardenlogin-com/49704
https://www.reddit.com/r/Bitwarden/comments/10k2aj5/google_search_ads_showing_fake_bitwarden_web/
BitWarden Server Side Iterations
https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/
Guidance for Securing Remote Monitoring and Management Software
https://media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF
PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets
https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/
Skyhigh Security Secure Web Gateway: XSS in Single Sign On Plugin
Windows Crypto API Vuln PoC
https://github.com/akamai/akamai-security-research/tree/main/PoCs/CVE-2022-34689
ManageEngine News
https://github.com/vonahisec/CVE-2022-47966-Scan
BIND Patches
https://kb.isc.org/docs/cve-2022-3094
Microsoft Blocking XLL Files Downloaded From Internet
https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=115485
Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts
https://www.darkreading.com/cloud/microsoft-azure-kerberos-attacks-open-cloud-accounts
Lexmark Vulnerabilities
https://publications.lexmark.com/publications/security-alerts/CVE-2023-23560.pdf
VMware VRealize Update
https://www.vmware.com/security/advisories/VMSA-2023-0001.html
KSMBD Vulnerability
https://sysdig.com/blog/cve-2023-0210-linux-kernel-unauthenticated-remote-heap-overflow/
Packet Tuesday: Neighbor Advertisements
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveFree technical content sponsored by SANSJoin SANS Senior Instructor Ismael Valenzuela for the Cyber Threat Intelligence Summit Solutions Track on January 31st at 10:00am ET | Ismael and invited speakers will dive into discussions and presentations around showcasing state of the art threat intelligence solutions and their capabilities.
Tune in for A Leader's Guide to Security Operations: Improve Productivity with Threat Intelligence and Automation on February 14th at 1:00pm ET | We will candidly discuss digital transformation, SOC automation and tactical security operations.
Upcoming webcast on February 21st at 1:00pm ET | How to Build a Risk Register That Accounts for Internal and External Risk - tune in to learn how to create a strong foundation for your cyber and third-party risk management | Register now: https://www.sans.org/info/225130
Join John Pescatore on February 22nd at 1:00pm ET for A DNS Security Architecture as SecOps Force Multiplier | During this webcast, we will discuss best practices for an effective DNS security architecture.