Microsoft Patch Tuesday release for October 2023 includes fixes for more than 100 vulnerabilities, including two flaws that are being actively exploited. One is a privilege elevation vulnerability in Skype for Business. The other is an information disclosure vulnerability in Microsoft WordPad. In a related story, Microsoft’s Patch Tuesday began 20 years ago.
The WordPad issue is interesting. Yet another way to trick Windows into sending NTLM hashes to a malicious server. Can't wait for NTLM hashes to finally disappear. On the other hand, if you have halfway sane egress filter rules, this may be less of an issue.
CVE-2023-41763, Skype for Business, is a server rather than a client flaw; now you just need downtime to patch those servers. The CVE-2023-44487 fix addresses the HTTP/2 Rapid Reset Attack, again necessitating server downtime to patch. The Skype, HTTP/2 and WordPad flaws are in CISA's KEV list with a remediation date of 10/31.
I remember being at meetings at Microsoft in the early years of Vulnerability Tuesday releases and they had engineering efforts underway to make it much less risky to patch Windows faster than monthly. Unfortunately, as the iPhone, Android-based phones and the iPad all came out and quickly began to dominate mobile markets, the business side of Microsoft made the business decision to compete with a “Windows Everywhere” strategy. That seemed to doom any chance of the Windows OS getting simpler to secure and easier to patch. Anyone remember the Windows phone?
It’s hard to believe that ‘Patch Tuesday’ began 20 years ago. Microsoft changed, for the better, how companies report security updates to their products. By moving to a monthly cadence, with some out-of-band updates along the way, it gave defenders the ability to plan for downtime in order to patch. Meanwhile, given that two of this month’s vulnerabilities are actively being exploited, prioritize them for patching.
It's been twenty years since Patch Tuesday. Some early-in-career practitioners may have only been toddlers. That would mean this would be a small set of patches since we have been doing secure computing for so long, right?
ISC SANS
Krebs on Security
The Register
Dark Reading
SC Magazine
The Register
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to take steps to protect their systems from a denial-of-service (DoS) vulnerability in the HTTP/2 protocol. Dubbed Rapid Reset, the vulnerability has been exploited over the past three months to launch unusually large distributed denial-of-service (DDoS) attacks.
To me, the key takeaway from Cloudflare's blog post was that an attacker with an "average" botnet (20,000 bots) is able to create as much traffic as 1/10 of the entire internet combined. You will not defend against these types of attacks with on-premises filtering.
The HTTP/2 Rapid Reset Attack (flaw) was leveraged to create the largest DDoS attack to date, 201 million requests per second, with a relatively small botnet of 20,000 machines. This attack abuses a weakness in the HTTP/2 protocol which allows for repeatedly sent session cancellation requests, which overwhelm the server. You need to apply fixes to all your HTTP/2-enabled web servers. Additionally, check the components in your DDoS protection strategy, from boundary protection and load balancers to CDN and cloud service providers, to see if mitigations are available and if they need to be activated. Many CDN and cloud providers have already made changes to mitigate this attack, so you may catch a break there.
I am curious to see how this plays out. On the surface, not much was said, but under the hood, is this the current generation's version of Slow Loris? I wonder.
2023 is turning out to be the rebirth of DDoS attacks. Check with your upstream service provider on what defenses they have in place for the rapid reset vulnerability.
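The comments above describe the mechanism (a client opens streams and immediately cancels them, faster than the server can service them) and note that server vendors shipped mitigations. The following is an added example, not code from the newsletter, Cloudflare, or any HTTP/2 server project: a per-connection stream-reset budget of the kind those mitigations implement, replayed over a constructed frame log. The log format (`timestamp connection frame_type stream_id`) and the thresholds are assumptions chosen for illustration.

```python
"""Per-connection HTTP/2 stream-reset rate guard (constructed example).

A client that sends RST_STREAM frames faster than a threshold inside a
sliding window gets its connection closed, so the server stops spending
work on requests that are never allowed to complete.
"""
from collections import deque


class RapidResetGuard:
    """Track RST_STREAM frames per connection inside a sliding time window."""

    def __init__(self, max_resets: int = 100, window_seconds: float = 1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        # connection id -> timestamps of recent RST_STREAM frames
        self._resets: dict[str, deque] = {}

    def _prune(self, conn_id: str, now: float) -> deque:
        """Drop reset timestamps that fell out of the window."""
        q = self._resets.setdefault(conn_id, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def on_frame(self, conn_id: str, frame_type: str, now: float) -> bool:
        """Record one frame; return True if the connection should be closed."""
        q = self._prune(conn_id, now)
        if frame_type != "RST_STREAM":
            # HEADERS, DATA and other frames do not consume the reset budget
            return False
        q.append(now)
        return len(q) > self.max_resets

    def forget(self, conn_id: str) -> None:
        """Release state once a connection is closed."""
        self._resets.pop(conn_id, None)


def build_sample_log() -> list[str]:
    """Constructed frame log: one well-behaved client and one reset flood."""
    lines = []
    # c1: 20 ordinary requests spread over a second, two of them cancelled
    for i in range(20):
        t, sid = i * 0.05, 2 * i + 1
        lines.append(f"{t:.4f} c1 HEADERS {sid}")
        if i in (3, 11):
            lines.append(f"{t + 0.001:.4f} c1 RST_STREAM {sid}")
    # c2: open-and-cancel 200 streams within half a second
    for i in range(200):
        t, sid = i * 0.0025, 2 * i + 1
        lines.append(f"{t:.4f} c2 HEADERS {sid}")
        lines.append(f"{t + 0.0001:.4f} c2 RST_STREAM {sid}")
    return lines


def evaluate(log_lines: list[str], max_resets: int = 100,
             window_seconds: float = 1.0) -> set[str]:
    """Replay a frame log in timestamp order; return connections to close."""
    guard = RapidResetGuard(max_resets, window_seconds)
    flagged = set()
    for line in sorted(log_lines, key=lambda l: float(l.split()[0])):
        ts, conn_id, frame_type, _stream_id = line.split()
        if guard.on_frame(conn_id, frame_type, float(ts)):
            flagged.add(conn_id)
    return flagged


if __name__ == "__main__":
    print("connections to close:", evaluate(build_sample_log()))
```

The guard counts only cancellations, not stream opens, so a busy but honest client with many completed requests is never penalised; tune `max_resets` and the window to what your own traffic shows, and treat a tripped guard as a connection-level event worth logging alongside the upstream provider's mitigations.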
Cloudflare
CISA
ZDNet
Nextgov
Cyberscoop
The Register
NIST
Google has made passkeys the default option for Google Accounts. The company introduced support for passkeys earlier this year. Users can still manually toggle the option and use old-fashioned passwords.
Since there are over 1.5 billion users of Gmail (including over half of US email users), this relatively gentle move by Google is obviously a huge step forward to making phishing attacks much harder to succeed. Also, it makes using Google credentials a safer and more appealing option than creating yet another website account password – this should spur Google’s competitors to follow suit. One caution: backup processes for authenticating when stuff happens (and stuff will happen) are needed, and will be a target of bypass attacks.
Google was one of the first big players to offer and promote MFA (what they call two-step verification) and now one of the first to offer, promote and make default passkeys. Passkeys represent the gold standard in security: they make critical security behaviors simple. The simpler a behavior, the more likely people will exhibit it, something we too commonly forget when developing complex security policies and requirements. Unfortunately, passkeys are still offered on limited platforms, but that will change over time. In addition, you most likely will not need such strong authentication for every online account, just starting with the most important.
Google supports multiple authentication options; you can add a passkey to your existing 2FA, providing a fallback. It's time to disable the SMS validation option. Apple and Microsoft are also supporting passkey options, which are based on FIDO standards; it's time to do that deep dive into adoption.
Kudos to Google for making it the default option. By all accounts passkeys are far more secure than simply using [or overusing] a password. Making it the default option forces users to manually change, and we know most users select the default configuration option. Between Google, Apple, and other third-party applications, we may, just may, be seeing a fitting end to passwords.
Apple, Google, and Microsoft are now on board. There are already more than a dozen videos on YouTube explaining and promoting Passkeys. Users will be seduced by the convenience of one-click sign-on. Hopefully they will demand that all applications and services offer Passkeys, at least as an option, thus overcoming the biggest remaining hurdle. Like all other security mechanisms, Passkeys have their limitations. We must take care not to let the perfect (once more) become the enemy of the good.
curl project maintainers have released patches to address a pair of vulnerabilities in the command line data transfer tool. A heap buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545) affects both curl and libcurl and could be exploited to corrupt data and possibly execute arbitrary code. A cookie injection vulnerability involving a file named "none" (CVE-2023-38546) affects only libcurl. Users are urged to upgrade to curl version 8.4.0.
This vulnerability wasn't as bad as some expected it to be. Still: get it patched, but there is no rush to do so. curl and libcurl are ubiquitous in the Unix world, and can also be found on Windows.
The SOCKS5 proxy handshake flaw is triggered by hostnames over 255 characters; the conditions to exploit this are not particularly common. The cookie injection flaw is specific to calling the curl_easy_duphandle function in libcurl for handling single transfers. The problem there is that the handles are cloned but the actual cookies are not. Curl is prevalent in Linux, and is also on your Mac and Windows systems: apply the updates when they are available. Not every platform/distribution has released updates; keep an eye on your provider for updates.
Is this a “non-event?” The actual day came and went with very little fanfare but a lot of bluster. I think this is one of these Post-0-day events, and when someone properly weaponizes it, they will find many unpatched systems. cURL is one library that seems to be compiled widely into projects, IoT devices, embedded systems, and many other products. Your car may be running it. The only saving grace here may be the way you trigger the exploit.
While the hype over these two vulnerabilities has dissipated somewhat, the heap buffer overflow can still be dangerous. Especially now as more details of the buffer overflow are reported. Prioritize downloading the latest version of the tool and update.
curl
curl
The Register
ZDNet
Bleeping Computer
Security Week
Apple has released iOS and iPadOS 16.7.1 to address a pair of vulnerabilities that could be exploited to gain elevated privileges or execute arbitrary code. The privilege elevation vulnerability affects the kernel and has been actively exploited. Apple released iOS and iPadOS 17.0.3 last week to address the same vulnerabilities.
The two flaws, CVE-2023-42824, privilege escalation, and CVE-2023-5217, WebKit buffer overflow, are actively being exploited. Make sure that you're pushing iOS/iPadOS 16.7.1 to your non-iOS/iPadOS 17 devices. With version 17.1 just around the corner, it's getting to be time to set version 17 as your minimum. Start replacing your devices which cannot run this version now.
With these updates Apple is acknowledging that there are a number of users that do not regularly update their Apple devices (hardware, software, or both). As iOS 16 was released just over a year ago, it’s prudent to provide the software update. Ditto for iPadOS.
This is a weird story. I thought Apple addressed these issues together. It seems odd they were waiting almost a month or so to patch an earlier yet supported build?
This is a rare move on Apple's part. Many versions of iPhones, iOS, and Macs are no longer supported.
Progress Software is facing multiple lawsuits and a US Securities and Exchange Commission (SEC) investigation related to the vulnerability in the company’s MOVEit file transfer tool. The MOVEit SQL injection vulnerability has been exploited to compromise data at more than 2,000 organizations, affecting 60 million individuals.
So far, the lobbying strength of the IT industry has been an immovable obstruction to real liability being assigned to software vendors and there really are no irresistible forces on the near horizon. But, there are certainly many, many Lilliputian lawsuits and fines that add up to real expenses. Take a shot at convincing your CFO that selling insecure products and services is actually less profitable than investing in “secure by design/default” just like quality was invested in.
To date 58 lawsuits have been filed against Progress Software, with another 23 notices of intent to file being received from other customers and entities. Progress Software has already spent almost $2m related to the vulnerability. Estimates are that between $75 and $100 million in ransom was earned by the attackers just from the MOVEit campaign. The question is will Progress Software survive judgements in favor of those seeking retribution? If you're still a customer, you should be looking at alternatives in case that turns out to be a no.
Both lawsuits and government investigation were to be expected given the impact of the vulnerability to their customer business operations. Progress Software’s software vulnerability will make for an excellent business case on downstream costs in dealing with a cyber incident. Those costs should be put in perspective to the cost of proactive cyber defense.
As of this month, Microsoft is no longer developing VBScript for Windows Client. Microsoft writes, “In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.” VBScript was first released in 1996; the most recent release, version 5.8, dates to 2010. In September, Microsoft announced it was deprecating WordPad.
Microsoft has been hinting about the deprecation of VBScript since around 2016. VBScript was a great tool for administration back when it was introduced. Today, PowerShell has effectively replaced the use of VBScript, so take a look around for any lingering VBScript use, migrate it, and let go. In case you missed it, the notice about deprecating WordPad came out September 1st, and while the reasons why are unclear, it's likely tied to the availability of free online (web) alternatives from Google, Dropbox, and even Microsoft.
VBScript, we knew you well, and you'll still allow for vulnerabilities on older systems. By the way, Object Oriented BASIC scripting was as bad as it sounds… like ObjectOriented COBOL.
Simpson Manufacturing, a California-based company that produces building and structural materials, has disclosed that its IT systems were the target of a cyberattack earlier this month. Some of the company’s systems have been taken offline while the issue is being remediated. The company expects that the incident will “continue to cause disruption to parts of [its] business operations.”
Simpson Manufacturing is a leader in its industry, operating seven research labs for testing new designs and materials as well as holding over 2000 patents, hinting the attackers are after their trade secrets. The attack is causing disruption of the business, which, coupled with not having a predicted ETA for resumption of services, hints at a ransomware attack recovery, likely preceded by data exfiltration. A couple of things you can take to your shop here: is your BC/DR plan such that you can meet the resumption expectations, so you can communicate accurate expectations to management? Do you know what your most valuable assets are, and are they adequately protected/monitored? Lastly, are your data exfiltration detections adequate and working?
Not a lot of details in the SEC filing, but most likely a ransomware event. Simpson operates in a sector that hasn’t reported much in the way of cyber incidents. It does, however, indicate that all industry sectors are potential ransomware targets, and companies should prioritize cybersecurity as a business operation imperative.
GitHub has disclosed a memory corruption vulnerability in the libcue library. The library is used for parsing cue sheets, which describe optical disk track layouts. The vulnerability could be exploited to attain code execution on Linux GNOME desktop environments. The issue affects libcue versions 2.2.1 and older; the issue has been fixed in version 2.3.0.
Kudos to Paul Asadoorian who explained this to me. In short, applications like tracker-miners, which use libcue to index files on your GNOME desktop for searching, respond immediately when a file is added or modified on your desktop, meaning a malicious .cue file can be dropped in your home directory, which is then read, triggering the exploit. As a bonus the exploit can be used to break out of a seccomp sandbox which is used to restrict privileges to container processes.
GitHub
GitHub
Ars Technica
The Hacker News
Security Week
NVD
On Tuesday, October 10, the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) database, including a use-after-free vulnerability in Adobe Acrobat and Reader; a patch has been available for the flaw since January 2023. The other recently-added KEV entries are an out-of-bounds write vulnerability in Cisco IOS and IOS XE; the two zero-days that Microsoft addressed in this week’s Patch Tuesday; and a rapid reset attack vulnerability in HTTP/2.
Updating Adobe Acrobat and Reader and applying the Cisco and MS updates will get you most of the way done here. CVE-2023-44487, the HTTP/2 Rapid Reset Attack, applies to all your HTTP/2-enabled web servers; you'll need to apply those updates as well. Even though the due date on the KEV is 10/31, keep in mind these are being actively exploited.
We are now at the point where some small and medium size organizations may be overwhelmed by the burden of patching. CISA offers welcome and useful guidance in prioritizing. Start with their recommendations and the KEVs. Be sure you know what software you are using. Demand that vendors include a digital software bill of materials in the description of their offerings.
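The advice above is to start from the KEV catalog and to know what software you run. The following is an added example, not code from the newsletter or from CISA: it cross-references a software inventory against KEV records and orders the matches by remediation due date, with overdue entries first. CISA publishes the catalog as JSON with fields such as `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`; the records embedded here are constructed samples in that shape using the CVE identifiers and the 10/31 due date mentioned in this issue, plus one obviously placeholder entry (`CVE-0000-00000`, vendor "ExampleCorp") so the ordering is visible. The inventory format is hypothetical.

```python
"""Prioritise patching by matching an inventory against KEV records.

Constructed example: the KEV records below mimic the catalog's JSON field
names but are not a download of the live catalog; CVE-0000-00000 and
ExampleCorp are placeholders that exist only to show ordering.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-44487", "vendorProject": "IETF", "product": "HTTP/2",
         "vulnerabilityName": "HTTP/2 Rapid Reset Attack Vulnerability",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31"},
        {"cveID": "CVE-2023-41763", "vendorProject": "Microsoft",
         "product": "Skype for Business",
         "vulnerabilityName": "Skype for Business Privilege Escalation Vulnerability",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31"},
        {"cveID": "CVE-2023-21608", "vendorProject": "Adobe",
         "product": "Acrobat and Reader",
         "vulnerabilityName": "Adobe Acrobat and Reader Use-After-Free Vulnerability",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31"},
        # placeholder record, not a real KEV entry
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleCorp",
         "product": "ExampleWare",
         "vulnerabilityName": "Placeholder Vulnerability",
         "dateAdded": "2023-09-24", "dueDate": "2023-10-15"},
    ]
})

# Hypothetical inventory: what the organisation believes it runs.
SAMPLE_INVENTORY = [
    {"vendor": "Microsoft", "product": "Skype for Business"},
    {"vendor": "Adobe", "product": "Acrobat and Reader"},
    {"vendor": "IETF", "product": "HTTP/2"},        # any HTTP/2-enabled web server
    {"vendor": "ExampleCorp", "product": "ExampleWare"},
    {"vendor": "ExampleCorp", "product": "OtherWare"},  # matches nothing in the sample
]


def _matches(entry: dict, item: dict) -> bool:
    """Vendor must match exactly; inventory product must appear in the KEV product."""
    return (entry["vendorProject"].lower() == item["vendor"].lower()
            and item["product"].lower() in entry["product"].lower())


def prioritize(kev_json: str, inventory: list[dict], today: date) -> list[dict]:
    """Return inventory/KEV matches ordered by due date (overdue first)."""
    records = json.loads(kev_json)["vulnerabilities"]
    results = []
    for entry in records:
        due = date.fromisoformat(entry["dueDate"])
        for item in inventory:
            if _matches(entry, item):
                days_left = (due - today).days
                results.append({
                    "cve": entry["cveID"],
                    "vendor": entry["vendorProject"],
                    "product": entry["product"],
                    "due": entry["dueDate"],
                    "days_left": days_left,
                    "overdue": days_left < 0,
                })
    # earliest due date first; ties broken by CVE id for stable output
    results.sort(key=lambda r: (r["due"], r["cve"]))
    return results


def unmatched(inventory: list[dict], results: list[dict]) -> list[dict]:
    """Inventory items with no KEV match, useful for spotting inventory gaps."""
    hit = {(r["vendor"].lower(), r["product"].lower()) for r in results}
    return [i for i in inventory
            if not any(i["vendor"].lower() == v and i["product"].lower() in p
                       for v, p in hit)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date(2023, 10, 20)):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']} days"
        print(f"{r['cve']:16} {r['vendor']}/{r['product']:22} due {r['due']} ({flag})")
```

Matching on vendor and product strings is only as good as the inventory behind it, which is the point of the comment about knowing what you run: an HTTP/2 entry will never match if the inventory lists web servers without recording that the protocol is enabled.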
curl SOCKS5 oversized hostname vulnerability CVE-2023-38545
Microsoft Patch Tuesday
https://isc.sans.edu/diary/October+2023+Microsoft+Patch+Tuesday+Summary/30300
SeroXen RAT in Typosquatted NuGet Packages
https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
Hexadecimal IP Addresses
https://asec.ahnlab.com/en/57635/
Juniper Vulnerabilities
Unpatched Squid Vulnerabilities
https://joshua.hu/squid-security-audit-35-0days-45-exploits
BSIDES Jacksonville
CVE-2023-22515 Actively Exploited
Adobe Acrobat Vulnerability Actively Exploited CVE-2023-21608
https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-adds-five-known-vulnerabilities-catalog
Google Makes Passkey the Default
https://blog.google/technology/safety-security/passkeys-default-google-accounts/
VBScript Deprecated from Windows
https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
HTTP/2 Rapid Reset
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/