It appears that criminals are now actively exploiting vulnerabilities in Progress Software’s WS_FTP Server. Progress released updates to address eight vulnerabilities in the software last week. On September 30, researchers from Rapid7 noticed “exploitation of one or more recently disclosed WS_FTP vulnerabilities in multiple customer environments.”
An exploit has been made available publicly. No reason to believe that this is not already being exploited.
You already applied the patches to WS_FTP, right? The vulnerability and POC exploit code are both out there. And Progress Software lists their high-profile customers on their website, simplifying target selection. On top of all that, Progress is dealing with a bunch of lawsuits after the MOVEit breach, which is going to, at best, impact their ability to respond to additional issues, building the case to find an alternate solution.
Roughly 72 hours from patch release (vulnerability) to active exploit. A useful metric for defenders as they evaluate patches before introducing them into their environment. Part of me wonders if the CVSS score that usually accompanies vulnerability announcement helps evil-doers prioritize their workload. In this case, a vulnerability with a CVSS score of 10 certainly gets attention from both attacker and defender.
WS_FTP is not the option I would choose for an FTP today. There are many more robust and more straightforward options. So, who is using this software today? Are those environments easier to breach than others? This software package is also maintained by the same company that maintains MoveIT. Where there was smoke, there was plenty of fire.
The Register
Security Week
Gov Infosecurity
Rapid7
Progress
In June 2022, researchers from Google’s Zero Day Initiative reported six vulnerabilities in the Exim email transfer agent to the vendor. The most serious of the issues is an AUTH out-of-bounds write remote code execution vulnerability. Exim has recently begun developing fixes for the flaws. As of this writing, Exim has released fixes for three of the vulnerabilities.
Exim released an update fixing the three most severe issues. They also provided guidance to mitigate the remaining vulnerabilities. One issue here is communications between the Zero Day Initiative and the EXIM team. This could have likely been dealt with better.
While researchers discovering the Exim flaws have been notifying the company of the flaws, the company has been slow to respond, so issues are now getting published, patched or otherwise. Move to the latest version of Exim post haste, noting you're going to want to jump again when the rest of the fixes are released. When you get a vulnerability reported, don't ignore it: respond, working with the discovering party, or parties, to reproduce and remediate it before their non-disclosure window closes.
A lot of finger-pointing between ZDI and Exim developers; however, given the large install base, download and install the patches as they become available. Separately, it does resurface the need for vendors to find ways to support vulnerability management of open-source software applications. It’s a continuing problem we all are facing given large open-source software usage.
What is clear is that Exim is a very popular MTA, and everyone should watch their MTA closely. I would look at the Security Mailers like Bugtraq to see what all the fuss was about from the devs.
SC Magazine
Ars Technica
Security Week
Zero Day Initiative
Seclists
Arm has released advisories for three vulnerabilities affecting its Mali GPU Kernel Driver. One of the vulnerabilities is reportedly being actively exploited. Arm describes the issue as allowing “a local non-privileged user [to] make improper GPU memory processing operations to gain access to already freed memory.” Fixes are available for affected products.
Another Android patch gap issue avoided by Google Pixel phones, as Google pushed the fix out to its Pixel phones in the September update.
Google released fixes for CVE-2023-4211 in September for affected Pixel and Chromebook devices. The issue also impacts Samsung S20/21, Motorola Edge 40, and other Android devices; make sure that you've got the September update for AOSP, which may not yet be available depending on your device OEM. For Linux or other systems with the chipset, make sure that you have the appropriate ARM Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.
Since news of the MoveIT file transfer software vulnerability broke earlier this year, more and more organizations are coming forward to disclose that their data have been compromised in wide-reaching attacks. Progress Software released a patch for MoveIT in May; by that time, numerous organizations had already become victims of MoveIT-related attacks. What makes the actual number of victims more difficult to determine is that many companies experienced data theft via third party contractors who were using MoveIT.
Current estimates are almost 2200 organizations are impacted, the number jumping when it was disclosed that nearly 900 colleges and universities were also impacted. The primary actor behind the attack appears to be the Clop ransomware group, which seems to be working as a hack-and-extort gang, foregoing the ransomware step; which has, according to Coveware, netted them between $75 and $100 million. Whether or not you're impacted or suing Progress Software, double down on moving away from MOVEit.
No real surprise here as companies often have a regulatory or State requirement to announce a data breach. It also takes a bit of time for third-party providers to inform their clients of a data breach.
Breaches via third parties are only going to keep increasing as criminals move to the supply chain to either target a larger number of victims via a third party or to launch a specific attack against an organization via its supply chain. The European Union Agency for Cybersecurity provides an excellent guide on Good Practices for Supply Chain Security: https://www.enisa.europa.eu/publications/good-practices-for-supply-chain-cybersecurity
If you have it installed, assume that you are compromised and initiate mitigation. File transfer is problematic if only because everyone does it.
The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification (PIN) warning of new trends in ransomware attacks: an increase in organizations being impacted by two or more ransomware variants in quick succession, and new data destruction tactics. The PIN offers recommendations for preparing for cyber incidents, strengthening identity and access management, protective controls and architecture, and vulnerability and configuration management.
Since neither of these variants generally succeed if the attackers don’t get user credentials first, I’d like to see the FBI update its guidance to first recommend moving to phishing resistant MFA instead of having that advice be second after ancient password complexity recommendations that don’t reduce the risk of phishing.
With multiple ransomware variants deployed decryption becomes much more challenging. On top of that, the ransomware gang is adding/tweaking the malware to make it both harder to detect and include multiple separately timed data wipers. Go through the PIN verifying you've taken as many of those steps as possible. For things that you're taking a pass on, set a time to revisit. Ever more critical is ensuring your third/fourth/fifth party risks are mitigated. Don't forget to include these when calculating critical business functions.
The scourge of ransomware is not going to go away any time soon. As with all security events, prevention is better than the cure. This guide provides some good information on how to prevent becoming a victim of ransomware. In addition, Europol provides recommendations and known decryption keys as part of its industry partnership No More Ransom initiative: www.nomoreransom.org
You can expect ransomware gangs to adjust their TTPs (tactics, techniques, and procedures) as victims balk at paying the ransomware – this PIN highlights that shift. In addition to the mitigations listed in the notification, an excellent resource is the ‘Blueprint for Ransomware Defense.’ It remains effective even with changes in adversary TTPs.
IC3
Dark Reading
Infosecurity Magazine
The Record
Researchers at ESET have detected a malware campaign involving a previously unknown backdoor. The Lazarus Group, which has ties to North Korea’s government, managed to compromise an aerospace company in Spain. The initial vector of attack was a spear phishing email; the hackers pretended to be recruiters from Meta and sent messages to developers via LinkedIn Messaging.
Here’s a bumper sticker for your security awareness campaign during October’s Computer Security Awareness month: “Every form of messaging will be used by attackers. Treat all inbound messages as if they were asking to borrow your toothbrush.”
The malware was disguised as a coding challenge in an executable, which was protected to only decrypted on the intended victim's system, making detection/sandboxing much more difficult. Even so, remind users to beware of recruiters bearing executables, noting that many threat actors, such as the Lazarus group, are really good at social engineering and will work to convince users the payload is benign.
This is a great example highlighting that in today’s modern business environment, email is not the only potential vector for a phishing attack and criminals can target staff via many other messaging platforms.
All messages are suspicious. All should be treated with skepticism, as bait. Many can simply be thrown away. A few should be confirmed out of band. Edge systems should be isolated from mission critical applications. One user clicking on a bait message should not compromise the enterprise.
We Live Security
SC Magazine
Dark Reading
Gov Infosecurity
The Record
The US Department of Homeland Security (DHS) is investigating whether a recent ransomware attack affecting Johnson Controls compromised sensitive agency data. CNN had access to communications suggesting that the agency is concerned that the breach may have compromised physical security information, including DHS floor plans. Johnson Controls offers building automation products, including fire, HVAC, and physical security equipment.
This attack highlights the fact that third-party providers often collect customer data as part of normal business operations. Organizations should revisit with their third-party providers what information is collected, whether it should be collected, and how it is secured. Additionally, as third-party provider relationships end, the SLA should specify how company sensitive data is to be disposed of.
We all trust sensitive data to third parties we hire to do work for us. Have we considered the impact of that data being released? Once upon a time, physical security mitigated a lot of those risks, as well as many of those documents being just that, physical, but with so many things, including OT systems, being connected and reachable, information now fully digitized, that bar may not be where you think it is. Make sure that your control systems are properly protected, that you know what information is held by third parties and walk through what can be done with it as well as verify how they are protecting it.
DHS is only one of tens of thousands of enterprises that have Johnson Controls, most installed by contractors, and unknown to the using enterprise. Best to start looking.
The European Telecommunications Standards Institute (ETSI) has disclosed that it experienced a cybersecurity incident which affected the system dedicated to members’ work. ETSI believes that the attackers exfiltrated a database containing information about its online users. ETSI is working with France’s National Cybersecurity Agency (ANSSI) to investigate the incident and fix the affected system.
This is an example of a low value incident press release: no information on why the attack succeeded, how long it took to detect the database exfiltration, etc. And it ended with a disappointing “Following this incident, ETSI asked their online services users to change their passwords.” vs. committing to movement away from reusable passwords.
This body is responsible for the development and testing of technical standards for information and communication including GSM, 3G, 4G, 5G and others, so don't be too hard on them for flaws in their IT system security. They were well positioned to value the proposed mitigations and have already fixed the vulnerability, updated their IT security procedures and are working with online users to reset credentials. If your core strength isn't IT security, hiring someone to help you get where you need to be, and then help you stay there, is going to be more cost effective than data breach recovery, particularly when you include secondary impacts to your business.
Hopefully ETSI will be forthcoming in the coming weeks with details of how the evil-doer compromised the IT environment and what changes they’ve taken in response to the data breach.
Users are urged to patch on-premises versions of JetBrains TeamCity continuous integration and continuous deployment (CI/CD) server to fix a critical authentication bypass vulnerability that can be exploited to achieve remote code execution. A fix was made available on September 21 with the release of TeamCity 2023.05.4. The flaw is being actively exploited.
Apply the update to your on-premises deployment of TeamCity. The cloud version is already fixed. This vulnerability appears to be easy to exploit, and researchers are easily discovering vulnerable installations of TeamCity.
Analyzing MIME Files: a Quick Tip
https://isc.sans.edu/diary/Analyzing+MIME+Files+a+Quick+Tip/30266
Infostealers Looking for Password Files
https://isc.sans.edu/diary/Are+You+Still+Storing+Passwords+In+Plain+Text+Files/30262/
Simple Netcat Backdoor
https://isc.sans.edu/diary/Simple+Netcat+Backdoor+in+Python+Script/30264/
Friendly Reminder: ZIP Metadata is Not Encrypted
https://isc.sans.edu/diary/Friendly+Reminder+ZIP+Metadata+is+Not+Encrypted/30268
EXIM New Version Released
https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
Mali GPU Kernel Driver Allows Improper GPU Memory Processing Operations
https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Bing AI Serves Malicious Ads
Google Announces Robots.txt Ad-Restrictions
Exploit for WS_FTP Vulnerability
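The ISC diary linked above reminds readers that ZIP metadata is not encrypted. The following script, an added example that is not from the diary, the newsletter or SANS, shows what that means for triage: a password-protected archive still exposes every entry's filename, sizes and timestamp in its central directory. The archive is constructed in memory with the traditional PKWARE encryption flag set and placeholder bytes standing in for the ciphertext (no real encryption is performed), and both a hand-written central-directory parser and the standard library's `zipfile` read the same metadata without any password.

```python
"""ZIP headers are readable even when entry contents are encrypted.

Added example (not from the ISC diary or the newsletter). The archive is
constructed here with the 'encrypted' flag bit set and placeholder payload
bytes, so nothing needs to be downloaded and no real cipher is involved.
"""
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 (traditional PKWARE encryption)
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def build_encrypted_zip(entries):
    """Build a minimal ZIP whose entries are all marked as encrypted.

    entries: list of (name, placeholder_ciphertext, (year, mon, day, h, m, s)).
    The payload bytes are constructed placeholders; only the headers matter here.
    """
    local_parts, central_parts, offset = [], [], 0
    for name, payload, (yr, mo, dy, hh, mm, ss) in entries:
        name_b = name.encode("utf-8")
        dos_time = (hh << 11) | (mm << 5) | (ss // 2)
        dos_date = ((yr - 1980) << 9) | (mo << 5) | dy
        stored = b"\x00" * 12 + payload  # mimic the 12-byte encryption header
        crc, csize, usize = 0, len(stored), len(payload)  # placeholder CRC
        local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, FLAG_ENCRYPTED, 0,
                            dos_time, dos_date, crc, csize, usize, len(name_b), 0)
        central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, FLAG_ENCRYPTED, 0,
                              dos_time, dos_date, crc, csize, usize,
                              len(name_b), 0, 0, 0, 0, 0, offset)
        local_parts.append(local + name_b + stored)
        central_parts.append(central + name_b)
        offset += len(local) + len(name_b) + len(stored)
    cd = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


def list_zip_metadata(data):
    """Parse the central directory by hand; no password is needed for any of it."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd_pos)
    out, pos = [], cd_offset
    for _ in range(total):
        (sig, _, _, flags, method, t, d, _crc, csize, usize,
         nlen, elen, clen, _, _, _, _) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("bad central directory header")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8")  # fixed header is 46 bytes
        mtime = (1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                 t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
        out.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                    "method": method, "compressed_size": csize,
                    "uncompressed_size": usize, "mtime": mtime})
        pos += 46 + nlen + elen + clen
    return out


def names_via_zipfile(data):
    """The standard library lists the same directory without a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & FLAG_ENCRYPTED), zi.file_size)
                for zi in zf.infolist()]


def content_needs_password(data, name):
    """Only the entry *contents* are protected: reading them without a password fails."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
        except RuntimeError:  # "File ... is encrypted, password required for extraction"
            return True
    return False


# Constructed sample archive: names and timestamps chosen to show what leaks.
SAMPLE_ENTRIES = [
    ("invoices/Q3-2023-payroll.xlsx", b"\x9a\x12" * 10, (2023, 9, 28, 14, 30, 0)),
    ("passwords.txt", b"\xc3\x07\xee", (2023, 10, 2, 9, 15, 0)),
]
SAMPLE_ZIP = build_encrypted_zip(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for entry in list_zip_metadata(SAMPLE_ZIP):
        print(entry)
    print("password needed for content:", content_needs_password(SAMPLE_ZIP, "passwords.txt"))
```

The practical takeaway for analysts is that an encrypted attachment or archive found in a mailbox or on a file share can be triaged from its directory alone (suspicious filenames, extensions, sizes, and modification times), and conversely that anyone who obtains a "protected" archive learns the same things about its contents.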