Researchers at Bishop Fox say that more than 330,000 FortiGate firewalls remain unpatched against a known critical heap-based buffer overflow vulnerability; Fortinet released updates to address the flaw last month.
The headline should probably read that these firewalls are likely already compromised. Patching them may not suffice.
That figure means only about 31% of internet-exposed FortiGate devices have been patched in the three-and-a-half weeks or so since Fortinet released the patch. “Time at known risk” is something that needs to be decreasing. If limited downtime windows are the reason (vs. just not noticing the risk), it is time to escalate to management that one incident will overcome years of availability gained from shortened change windows.
The flaw affects devices with VPN enabled, so there is a likely chance some of these are not running the VPN. The trick here is that the vulnerable code is present even if the VPN is not used, necessitating an update. The narrowness of the flawed services allows you to test the update before going to production, but you still need to keep moving forward. If you haven't recently, you may want to run a Shodan search for devices in your address space you might have missed.
The first thing I do when I see the headlines is make sure I have the latest version of the firmware on a FortiGate I have. Now that this is out of the way, I must say a few things. First, it’s hard to figure out when to patch these things. It’s not automatic, and it’s ad-hoc. It also can break; I had one of my settings break after an upgrade. I understand why the administrators are not patching, because they may not be aware and may be concerned about a big outage. It is, however, concerning that the number mentioned is 336,000. It’s also concerning that it's an attack on VPN. If this is true, I can only imagine that hundreds of thousands of companies could be completely owned by now. I hope that is not the case and this is just based on old Shodan data. If this is true and the numbers hold up, expect a lot of breaches in the upcoming months (years?).
Well, this is depressing news: fully two-thirds of FortiGate firewalls have not yet been patched a month after the fix was released. If cyber criminals haven’t already, they will certainly read Bishop Fox’s blog and take advantage of those organizations that fail to patch the vulnerability lurking in their infrastructure.
Ars Technica
The Register
SC Magazine
Bishop Fox
FortiGuard
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report warning that TrueBot malware is being used in cyberattacks against networks in the US and Canada. The malware is being deployed by exploiting a known remote code execution vulnerability in Netwrix Auditor software. Users are urged to update vulnerable versions of Netwrix Auditor.
The “known time at risk” of this one is over a year, impossible to justify that. Security tool vendors should start building in “patch before use” fail-safes, kinda like those breathalyzer ignition switches that prevent drunk driving.
Here’s an example of a vulnerability that was properly disclosed and a patch issued over a year ago. Here’s my question: how many customers have yet to download and install the patch? Perhaps a better approach would be for the vendor to take the advisory and targeted communication to those organizations still affected by the vulnerability.
Ingest the IOCs from the CISA alert to help hunt for and respond to Truebot incidents regardless of whether you have Netwrix Auditor; attacks are on the rise leveraging tools such as Cobalt Strike (RAT), Teleport (data exfiltration), Flawed Grace (RAT) and Raspberry Robin (wormable malware).
A free tool dubbed Snappy detects rogue WiFi access points. Snappy can help users determine if a public WiFi access point is the same one they have used before, or if it is suspicious. The tool uses “SHA256 hashes of wireless access points to determine whether something has changed since your last visit.”
This tool uses an interesting approach, which is likely going to work. It would be nice to have this functionality integrated into the operating system. Yes, the approach isn't foolproof, but it does look like a worthwhile effort.
This is a cool piece of Python code, leveraging scapy. You need to feed it a pcap of beacon management frames, and it produces fingerprint information as well as detecting APs created by AIRBASE-NG. Most definitely get this to your Wi-Fi team; it could also be a cool addition to a wireless security class.
I am a big fan of reading the source code of tools you run like this. Surprisingly simple source code to read, maybe under 100 lines. However, of all the tools released in a while, this one seems to have struck a chord. We keep forgetting that Rogue WIFI is a thing.
GitHub
Bleeping Computer
Colorado-based JumpCloud has reset all API keys in the wake of an “ongoing incident.” JumpCloud, a cloud-based directory-as-a-service platform, has published a support page that includes instructions for generating new API keys.
Encryption, digital signatures, and strong authentication are all becoming increasingly important as generative AI makes disinformation easier to create and harder to detect. Key rotation, whether driven by “abundance of caution” during an incident, or at regular intervals (such as every 90 days as recommended by major players like Google and Okta) needs to be planned for, tested, and performed periodically.
Remember that you may need to invalidate API keys during an incident, particularly if they are compromised. An important step is to communicate to those affected, including instructions for generating new ones. Even if the compromised key is just your "client" key to a service, you need to follow any reporting requirements as they may want to forensicate and may need to take added steps.
It’s never a good thing when a vendor has to force an access reset on its user base. This gives some indication of the severity of the security incident they are dealing with. The reset will cause some impact to customer operations, but at least the instructions for generating new API keys seem straightforward.
This is not good; considering that JumpCloud is like an IdP, an incident is really bad news for users of the system.
JumpCloud
Security Week
Bleeping Computer
New Jersey’s State Supreme Court has ruled that law enforcement must obtain a wiretap order to access Facebook account data in near real-time. The ruling overturned a lower court decision that allowed a warrant as sufficient for compelling Meta to provide access to two users’ accounts every 15 minutes over a 30-day period. The lower court had reasoned that the 15-minute delay rendered the information “stored communications” rather than a live intercept. The state Supreme Court disagreed, noting that “the nearly contemporaneous acquisition of electronic communications here is the functional equivalent of wiretap surveillance and is therefore entitled to greater constitutional protection.”
Privacy laws in the US are still a patchwork that vary by state. This ruling aligns NJ with the rest of the country when it comes to privacy protections and legal oversight of data access requests by law enforcement. Perhaps Congress will help sort this patchwork out by enacting new privacy legislation.
Having some guard rails on the legal process is appropriate, and using the wiretap analogy to monitor data is about as close of a fit without waiting on new regulations. Even with a wiretap order, the question remains as to whether organizations like Facebook, Google and Microsoft will honor them as being good enough.
This makes a lot of sense in the digital age. Think of real-time access to a real-time phone call. This could be via voice over IP, Webex, Zoom, direct messages, SMS, MMS, iMessage, and many other real-time communications media. Think of legacy posts as a voicemail. If the order relates to real-time communications, then I think it should stand to reason that a wiretap order is appropriate, if badly named.
Japan’s Port of Nagoya became the victim of a ransomware attack on the morning of Tuesday, July 4. The attack affected the Nagoya Port Unified Terminal System (NUTS), the system that manages the port’s cargo terminals. The attack rendered the port unable to load and unload cargo for two days. The Port of Nagoya began to resume operations on Thursday, July 6.
The NUTS is employing a team of 60 to restore and re-write lost data. Consider the speed and size of that response and whether you could pull that off. Currently, this is believed to be a LockBit 3.0 (aka LockBit Black) attack, and the NUTS will join the likes of Royal Mail on their victims list. The LockBit operators are known for exfiltrating and publishing data. Their TTPs are also well known, and decryption keys are available. CISA's Alert AA23-075A (#StopRansomware: LockBit 3.0) https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a is a good reference and worth reviewing to see how you would fare if the tables were turned.
Ransomware gangs don’t differentiate when it comes to targets of attack. Here’s an association, Nagoya United Terminal System, that is the largest container shipper in Japan. One would expect that they have ample budget for cyber defense and are well aware of the attack tactics and techniques used by ransomware gangs. It still comes down to a relentless focus on the basics: know your environment (HW, SW, Data); configuration management, and patch management. Ransomware gangs are not super-human.
Kudos to the security team at the Port of Nagoya for restoring systems and services 48 hours after being impacted by ransomware. While prevention is always the better option, having quick, effective, and efficient incident response and recovery capabilities in place is equally important.
MSSP Alert
Gov Infosecurity
Bleeping Computer
The Register
Security Week
Mainichi
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) database. Two of the issues affect D-Link products: a command execution vulnerability in the D-Link DIR-859 Router and a command injection vulnerability in the D-Link DWL-2600AP Access Point. Six of the vulnerabilities affect Samsung mobile devices: an out-of-bounds read vulnerability, an improper input validation vulnerability, two race condition vulnerabilities, an improper boundary check vulnerability, and an unspecified vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until July 20 to mitigate the issues.
This set of vulnerabilities includes two D-Link vulnerabilities. This, and the story about FortiGate vulnerabilities, are good reminders to have a monthly "perimeter patch day". Add it to your calendar and double check that day if there are any updates for routers/firewalls. This is particularly useful for smaller networks. It can be difficult to notice new firmware releases. And remember to track the "End of Support" for these devices.
The identified D-Link products are targeted at home and small businesses, so you may have to look at remote sites or one-off environments to find them, if you have them. The challenge to the Samsung updates is that with Android, you need to apply and check for new updates as they are not always cumulative, and not all your devices will be eligible for these updates. Map your device inventory against their EOL dates to find devices you'll need to replace rather than update.
How many federal agencies have D-Link routers and access points? Not knocking the consumer products company that serves many individuals, but federal agencies?
Researchers from VulnCheck have described three critical vulnerabilities in Internet-connected SolarView devices that are used to monitor solar facilities’ power generation, storage, and distribution. One of the vulnerabilities was identified by researchers from Palo Alto Networks Unit 42 last month. All three vulnerabilities are fixed in SolarView version 8.10.
These devices are typically Internet facing and if you have a device vulnerable to CVE-2023-29303, a command injection flaw from March 2022, it's also susceptible to CVE-2023-23333, a new command injection flaw. To fix both flaws you need to run SolarView 8.10. Additionally, you need to restrict access to internal networks only, requiring a VPN if remote access is needed.
Ars Technica
SC Magazine
Bleeping Computer
Dark Reading
VulnCheck
Unit 42
The US Federal Bureau of Investigation (FBI) has created a database to track swatting attacks. Prior to the database, swatting was not tracked as a discrete crime. While there is no federal anti-swatting law, some US states have passed anti-swatting legislation. Experts are glad the FBI is taking swatting seriously but are not confident that the database will lead to a reduction in swatting incidents.
Swatting can and has been prosecuted under several existing federal laws, with time in jail included. I don’t think we really need some federal law just so headline writers can say “Swatting on Tuesdays increased 27% last week, plus 310 million people at risk for thunderstorms.”
While the FBI tracking swatting will help track and monitor the crime, without good swatting laws, there isn't going to be a sufficient disincentive to stop the attacks. This is also a call to report any information you have on individuals planning on engaging in a swatting event to help law enforcement get ahead of the problem.
A responsible move by the FBI. Swatting attacks have become a serious problem in this country with deadly consequences. Creation of a database is a small but important first step. What really needs to be done is creation of a set of tactics, tools, and procedures to quickly adjudicate whether law enforcement response is required.
Swatting is a false crime report and is illegal in all jurisdictions.
Cisco has published a security advisory warning of “a vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode [that] could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic.” There are no workarounds, and Cisco has not released fixes, and recommends that users “disable [affected devices] and to contact their support organization to evaluate alternative options."
The complexity of the issue is likely the reason there is no fix here, and as encrypted traffic can be both decrypted and modified, I'd say it's time to order replacements, and roll up your sleeves for a long weekend deploying them.
Disabling devices is a "workaround," one frequently called for.
Dark Reading
SC Magazine
Security Week
Bleeping Computer
Cloud Apps
DShield pfSense Client Update
https://isc.sans.edu/diary/DShield+pfSense+Client+Update/29994
Exposed Industrial Control Systems
https://isc.sans.edu/diary/Controlling+network+access+to+ICS+systems/30000
Analysis Method for Custom Encoding
https://isc.sans.edu/diary/Analysis+Method+for+Custom+Encoding/29946
IDS Comparisons with DShield Honeypot Data
https://isc.sans.edu/diary/IDS+Comparisons+with+DShield+Honeypot+Data/30002
Truebot Exploits Netwrix Auditor
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a
StackRot Linux Privilege Escalation Vulnerability
https://www.openwall.com/lists/oss-security/2023/07/05/1
TeamsPhisher Exploit
https://github.com/Octoberfest7/TeamsPhisher
VMWare Update
https://www.vmware.com/security/advisories/VMSA-2023-0015.html
SNAPPY: Detecting Rogue WiFi Access Points
RUSTBUCKET Mac Malware
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket