Researchers from Akamai have detected “an ongoing server-side template injection campaign” targeting Magento 2 shops that have not been patched against an input validation flaw for which a patch was released in February 2022. Akamai says that this particular campaign has been ongoing since at least January 2023.
Akamai’s good news is that Web App Firewall filters were effective against the attack and they only saw a small number of targets. But, Magento has been a major target for almost a decade now - going unpatched for 18 months is reckless behavior.
Make sure that you're applying patches and you have a WAF in active (non-learning) mode. Even if you've applied the updates you should check for the IOCs as this vulnerability dates back to January. If you've outsourced web/app services to a provider, make sure that you understand what security checks and updates they do, versus your responsibilities, as well as verifying that any notifications are appropriately routed, preferably not to a single point of failure.
This story highlights two things: 1) the importance of an organization knowing its environment; and 2) the criticality of having an effective patch management process. Knowing your environment has three components: identifying all hardware, all software, and the location of all sensitive data on the network. That is extremely important when it comes to maintaining software updates. If you don’t do either particularly well, you become a statistic.
I would say patch, but I suspect the people affected by this will not patch anytime soon. At least not until rampant fraud, theft, or ransomware affects the site they are neglecting. My dad was an auto mechanic. Most people need to be made aware of how to deal with car maintenance. I suspect most store owners will also be unaware of website maintenance, but not in this respect.
According to a Microsoft Threat Intelligence blog post, Microsoft “cyberphysical system researchers recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs).” The vulnerabilities affect CODESYS V3 earlier than version 3.5.19.0. Microsoft disclosed the vulnerabilities to Codesys in September 2022; the vulnerabilities were patched earlier this year.
While the vulnerabilities were patched, make sure that those patches were applied. The CODESYS V3 SDK is compatible with about 1000 different PLCs from about 500 different manufacturers; thus, you may have a wider impact than you otherwise would assume. You may want to engage with your PLC manufacturers to better understand how this affects you.
This one looks pretty bad as it affects many partners in the ICS ecosystem. If you are responsible for the security of these systems, ask your vendors how they are affected by this.
By definition, if enabled, this can be construed as a supply chain attack affecting a large number of vendors and their products. While each of the vulnerabilities requires user authentication, that is increasingly likely given the convergence of IT and OT networks. Hopefully over the last several months, those vendors affected have downloaded and patched the 15 vulnerabilities. Only time will tell.
Microsoft
GitHub
The Register
Ars Technica
Bleeping Computer
Infosecurity Magazine
Gov Infosecurity
Zoom has added clarification to its recently-updated terms of service that appeared to allow the company to train AI models on the content of customers’ calls. Customer pushback prompted the company to update the terms of service to clarify that “Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.”
The wording about not using your content for any AI training is pretty clear but if you consent to its use in other “Permitted Uses” areas, then it seems like that same data could be used by Zoom for other purposes. That may be OK for consumers and free use of Zoom but for paid corporate use there should be broader restrictions in the terms of service.
Be clear about differences in terms of services for paid and free users. In Zoom's case they don't appear to have a difference, albeit you would expect there to be, particularly for regulated industries. More services are taking measures to prevent generative AI from using their data, such as X (formerly Twitter) and Reddit limiting third-party API access.
The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has completed its report on Lapsus$ and will next turn its attention to the attacks that led to Microsoft Exchange government email account compromise. “The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs” and has outlined 10 recommendations for protecting systems from Lapsus$. The CSRB will now examine “the malicious targeting of cloud computing environments.”
Like most after action reports, this one states: “…Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data.” They also pointed out that the cell phone issue (like in many other cases) supported bypass of weak MFA implementations.
No rest for the CSRB. Straight off publishing its second report it already has been assigned a third study. The Lapsus$ study highlights the dependency on mobile carriers to prevent SIM swapping and the use of social engineering to enable an attack. The first is preventable, but it comes at a cost to user experience; so, a balancing act for the mobile carrier. The second is far more difficult, as social media platforms are now fully integrated into society and people believe what they want to believe. The upcoming cloud security study will be interesting; I look forward to what new findings the board uncovers.
I would highly recommend reading through the recommendations. Not all of them will apply to everyone. You may only be looking at the Outsourcing Responsibilities, or maybe just plain IAM and Passwordless. Nevertheless, worth the read!
Just as the CSRB found that simple things were leveraged by Lapsus$ to be effective, I'm worried they will find that low-hanging fruit in cloud environments also aids compromise. While I'm pretty sure we're past the non-secured storage phase, there are likely still shortcuts relating to rapid adoption of and migration to cloud services. Key things to check here are MFA use, particularly on Internet-facing services, rigorous identity management, and logging and monitoring, as you would for on-premises services; these are the starting points. Don't forget the CSP can make mistakes with the best of us; verify things are as requested.
The recommendations from the initial report are the equivalent of the NTSB saying, “Keep your seatbelt fastened.” Jumping from the compromise of a private key by one cloud service provider all the way to cloud security does not seem well focused. That said, it may be that a CSRB investigation is the only way that we are likely to find out how that happened.
DHS
DHS
SC Magazine
SC Magazine
Bleeping Computer
Security Week
Cyberscoop
Nextgov
Amazon is using data from building entry badge-swipe systems to warn employees who appear not to be coming into the office as often as mandated by the company’s new return-to-office policy. The employee notifications came directly from Amazon to individual employees. The company shares anonymized badge swipe data with managers.
Kind of interesting that this specific action (integration of physical badge reader data with network logon data) was long ago ballyhooed as the “convergence of physical and cybersecurity” but now when actually used, the issue of who really owns user location data comes up again. In past cases, laws in the US have upheld employers’ rights on corporate owned property but not in all countries and I don’t think yet in hybrid work cases.
Requiring workers back in person has challenges and needs foundational measures for it to work. Having a clear understanding of the employer/employee telework agreement, including when they are expected to be on-site, an exception process, and consequences for failure to follow the agreement, is foundational before you can alert on non-compliance. Once that is in place, think through your measurement process carefully. Note that Amazon is looking at multi-week trends to minimize the impact of anomalies in the data. Be sure to examine use cases and validate data before entering an enforcement phase.
This ultimately comes down to who ‘owns’ the data. My sense is that it’s company data and they can do with it what they wish. Laws may vary by country, so I suspect that the AMZ legal department guided the company on its specific use to ‘monitor’ office access.
This isn’t surprising; pulling data from these databases is very trivial. There are some questions people will have, but of course, I will suspect many false positives / false negatives on this. “Hello, my fellow Cubemate. Can you badge me in every morning also?” Also, “Yes, please hold the door open for me while I have a bunch of coffee.” The real thing will be when they start to use facial recognition + badge swipes to monitor who is showing up. At this point, I would suggest it’s a management problem, and the big brother tactics will kill company culture. But what do I know?
At least in this special case, this seems to be a terms of employment issue. Management is entitled to know if (non-exempt) employees are coming to work.
A buffer overflow vulnerability in the SYNC3 onboard entertainment system used in Ford vehicles could be exploited to achieve remote code execution and potentially hijack the system. Ford recommends disabling the system’s WiFi until a fix is available, and says that its vehicles are safe to drive despite the security issue. Ford is currently developing a patch that customers can download and install with a USB. Once the fix is available, customers should be able to connect their cars’ entertainment systems to a network and receive the patch over the air, if they choose.
Hooray for user-installable fixes! Too often these updates are only available at dealerships. Or, worse, vulnerabilities are discovered and patches are never created. Maybe someday they'll be pushed without any user interaction at all!
CVE-2023-29468, CVSS score 9.6, applies to the WL18xx MCP Driver in the SYNC3 system. SYNC3 is shipped with '21 & '22 Ford Escape, Explorer, Mustang, Transit and Super Duty. While Ford is still developing the patch, turn off Wi-Fi functionality in the SYNC3 settings to avoid exploitation.
This is new territory for automobile manufacturers. Vehicles have now become computers on wheels and cybersecurity best practices have to be an integrated part of the manufacturing process. The first step is recognizing the need for cybersecurity.
At the DEF CON security conference in Las Vegas last week, researcher Patrick Wardle delivered a presentation about vulnerabilities in the macOS Background Task Management tool that could be exploited to bypass the tool’s monitoring activity. Background Task Manager debuted in October 2022 with the launch of macOS Ventura. It is designed to notify users and security tools of unexpected persistent software.
The issue is specific to the new Background Task Manager in macOS 13 (Ventura). These latest issues were released without notifying Apple as the researcher felt their prior notifications to Apple were sufficient to have covered these issues as well. Having OS built-in security in concert with your EDR solution can counter these types of scenarios. Be certain to not ruin performance to deliver secure operation.
Developing a capability to detect persistent malware is an incredibly complex task. I applaud companies like Apple and Microsoft for adding such capabilities to their respective operating systems. While not perfect, it does inflict a cost on the evil-doer and that’s a good thing. Hopefully Apple will investigate the vulnerabilities announced at DEF CON and continue to improve the detection and alerting capability.
Late last week, Colorado’s Department of Health Care Policy and Financing (HCPF) disclosed a data security incident that exposed personal information and protected health information of millions of people. The data were compromised due to attackers exploiting a vulnerability in the MOVEit file management software being used by HCPF third-party contractor IBM.
The third-party, in this case IBM, was providing file exchange using MOVEit. Most of us would not think twice about a product leveraged by a company with IBM’s size and reputation. The reality is you need to make sure that you're assessing the security of all your third-party service providers, to include documenting what resources are available in an incident. Don't assume, ask. You don't want to find out you can't get help during an incident. Don't forget the hard part - you need to keep that information current.
For the rest of us, if one is using MOVEit, assume that you are compromised and begin remediation.
HCPF Colorado
Bleeping Computer
Dark Reading
Security Week
An electric utility in an unnamed country in southern Africa was targeted with malware known as DroxiDat. Researchers from Kaspersky say the incident occurred in March of this year. DroxiDat appears to be a variant of System BC, a backdoor sometimes used in ransomware attacks, although no ransomware was delivered to the utility’s network. The attackers used DroxiDat in conjunction with a Cobalt Strike tool.
System BC is known for being a hands-off tool that can target multiple systems at the same time with automated tasks and Windows built-in tools. Interesting thing here is that DroxiDat appears to be a stripped-down version of System BC, which is only a system profiler, no download-and-execute capabilities (it can modify system registry entries and send data back), which indicates this was likely an early-stage attack, performing recon for a future more intensive incident. One hopes the utility is able to raise shields and prevent further attacks.
Show Me All Your Windows!
https://isc.sans.edu/diary/Show+me+All+Your+Windows/30116
PDFiD: False Positives Revisited
https://isc.sans.edu/diary/PDFiD+False+Positives+Revisited/30122
CVE-2023-32019 Fix Enabled by Default
CyberPower and Dataprobe Vulnerabilities
Ford WiFi Driver Vulnerability
https://www.ti.com/lit/er/swra773/swra773.pdf
Zero Touch Pwn
https://blog.syss.com/posts/zero-touch-pwn/
Maginot DNS Spoofing Attack
https://www.usenix.org/conference/usenixsecurity23/presentation/li-xiang