SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsSolarWinds says that the recent lawsuit filed by the US Securities and Exchange Commission (SEC) “is fundamentally flawed—legally and factually—and we plan to defend vigorously against the charges.” The complaint alleges that SolarWinds and its former CISO defrauded customers and investors by obfuscating the company’s inadequate cybersecurity practices. Solar Winds maintains that “snippets of documents and conversations out of context to patch together a false narrative about our security posture.”
This is where your legal team will earn their retainer. And they need support from you to succeed. Without taking sides in the SolarWinds lawsuit, there are some lessons here we can leverage. Finalize and review assessment documents. Address deficiencies and document actions taken. Make sure that you're fully following your security standards, including documenting any risk acceptance or deviations. Have frank conversations with your internal auditors, remember they work for you, follow their guidance, or document why not and have management sign off either way.
And, so, the legal posturing begins. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company. There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little, well, then you might get sued by the government.
This lawsuit is not so much about SolarWinds security posture as it is about misleading customers and investors. That said, their security posture notwithstanding, they did ship malicious code to their customers for which they have not been held accountable. This may well be the single most expensive security failure ever, with the cost borne not by the failing party but by its customers.
Late last year, the threat actor known as Sandworm launched an attack against a Ukrainian energy facility. What sets the attack apart is that it employed techniques that have not been seen before to target the plant’s industrial control systems (ICS) and operational technology (OT). Researchers at Mandiant have written an in-depth technical analysis of the incident.
Malware that lives off the land in an OT attack, which seems to have been developed in 1-2 months is a peek at how Sandworm's cyber capabilities have evolved. Note they also deployed CADDYWIPER via GPO from a domain controller using the TANKTRAP PowerShell script, (also used for NEARMISS, SDELETE and PARTYTICKET), on the IT systems to distract from the attack on the OT systems. The mitigations remain the same. Focus on securing the attack vector and detection/monitoring. Have the hard discussion about exactly which entry points are exposed and needed. While many OT components don't have security updates, there are other components which do, such as hypervisors, firewalls, routers and monitoring components, that need to be considered. Have an in-depth conversation on how to keep them updated without unacceptable impact to operational objectives.
Two points stand out in the Mandiant report. First, the attacker applied ‘living off the land’ tactics to compromise the OT environment. We’ve seen this tactic used in information technology (IT) environments but, perhaps this is the first time used against OT. Second, the attacker, exploited the physical connection of the two environments, IT and OT, to enable the attack. Yes, there are legitimate business reasons for connecting the two environments, but that just means you had better understand the security consequences and protect accordingly.
Novel attack or otherwise, the risk of mis-operation of critical infrastructure in time of armed conflict should not surprise anyone. What may be concerning in the Mandiant report is the increasing maturity of the Russian attackers.
Mandiant
Wired
Cyberscoop
The Record
Dark Reading
Bleeping Computer
Security Week
Threat actors are exploiting a zero-day path traversal vulnerability in on-premises versions of SysAid service management software. The flaw was detected by researchers at Microsoft Threat Intelligence, who notified SysAid about the issue. SysAid has released an update to address the vulnerability; users are urged to ensure their systems are running SysAid version 23,3,36 or later.
CVE-2023-47246, a path traversal flaw, doesn't have a published score; attackers leverage the flaw to upload a WAR file containing a WebShell and other payloads to the root of your SysAid Tomcat server. The threat actors appear to be the same group which exploited the MOVEit flaw, the clop ransomware gang. SysAid urges taking action, Rapid 7 takes it a step further suggesting applying the update on an emergency basis. Patched or otherwise, use caution with SysAid instances exposed to the Internet as they are being targeted, and discoverable with Shodan.
Rapid7
SysAid
The Record
Security Week
The Register
Bleeping Computer
Researchers from Checkmarx have detected malware they are calling BlazeStealer in malicious Python packages that masquerade as legitimate Python obfuscators. BlazeStealer fetches a malicious script that enables a bot that gives the attacker control over infected systems.
For these packages, both the setup.py and init.py scripts include the scripts, used during package installation, which receives and executes code from an external source. The primary fix is to make sure that you properly vet all your included packages. Leverage services from Git, Google, your CI/CD tools and others as a force multiplier here.
This malware highlights the fragile nature of open-source software libraries. If done correctly, malware introduced in the supply chain can have disastrous consequences for developers across a large number of vendors. This malware demonstrated that level of skill. What’s baffling though is that the consequence is about the least possible thing that could happen. Strange.
Checkmarx
Ars Technica
Security Week
Dark Reading
Wordfence is launching a bug bounty program to find vulnerabilities in WordPress plugins and themes. The rewards offered in the program “are based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type.”
We're all aware of the seemingly perpetual list of WP vulnerabilities, particularly in the myriad of plugins. Wordfence (aka Defiant Inc) is working to raise the security bar with this program. To participate, register with the Wordfence bug bounty program, carefully read the conditions, paying particular attention to what is and is not in scope. If you've previously submitted vulnerabilities, they can be associated with your account to increase your status/ranking. Note that bounties are not paid for out-of-scope vulnerabilities, and while each submission is checked, you're encouraged to limit out-of-scope submissions as there are limits on how many of your reports will be checked.
Kudos to Wordfence for implementing such a program. As we’ve discussed in previous SANS NewsBites, WordPress plugins are the security weak link. Bug bounty programs are an efficient way to ferret out vulnerabilities before they can cause harm. It’s proven highly successful in large organizations such as the US Department of Defense.
The New York state attorney general has fined US Radiology Specialists $450,000 for inadequate cybersecurity practices and failure to protect patient data. The breach was part of a ransomware attack. The compromised data include driver’s license and passport numbers as well as medical exam and diagnosis information.
This breach, and a recent breach of plastic surgeons shows that HIPAA is missing the teeth to prevent these breaches. HIPAA may have a lot of reasonable rules to help clinics protect this data, but without per-breach enforcement and independent auditing, the rules are meaningless.
US Radiology is a private service provider for partner companies. At core, they failed to quickly update their firewall to provide adequate protections to both their and partner connected networks as well as failing to upgrade other systems in a timely fashion. In addition to the fine, they are also required to update their IT infrastructure, properly secure their network and update data protection policies. Meaning they need to incur both the cost of the deferred actions and the penalty as well as any costs associated with the ransomware incident. While it may be easy to defer updates to systems and security practices, consider this scenario, then work to prioritize needed improvements, to include scheduling out-year activities so they are not lost. Make sure that any interconnected networks, such as one to a service provider, are properly constrained and have monitoring you're watching. Think trust but verify.
The State of New York, both the OAG and the DFS, have been on a tear this year in fining companies for inadequate cybersecurity practices. Per the OAG, US Radiology Specialists, did not demonstrate a standard of reasonableness in implementing its cybersecurity program. In addition to the fine the OAG also required adoption of data security practices. A good starting point for any organization implementing security practices is the CIS Critical Security Controls, Implementation Group 1.
Regulators have been punishing victims for a generation now with no measurable effect on security.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Service Location Protocol (SLP) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability “allows an unauthenticated remote attacker to register arbitrary services,” and can be exploited to launch denial of service attacks with a high factor of amplification. Researchers at Bitsight and Curesec disclosed the vulnerability in April.
Another protocol that should never have been exposed to the public internet. But if it can be exposed: It will be exposed.
CVE-2023-29552, CVSS Score of 7.5, allows an unauthenticated remote hacker to register arbitrary service, which then is used to conduct an amplified DDoS attack leveraging spoofed UDP traffic. You can apply your vendor specific mitigations or disable the SLP (RFC 2608) service on UDP port 427. Vulnerable systems share the characteristic of being old and not otherwise using the service. Odds are this is an old service you're not using and can simply block/disable.
Security Week
The Hacker News
Bitsight
CISA
NVD
The US National Institute of Standards and Technology (NIST) has published a revised draft of SP 900-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST will accept comments on the draft through January 12, 2024. This document is the third draft; a final rule is expected to be published early next year.
The comment period goes through January 12, 2024. While CUI has been on the books for a while, not all agencies have transitioned until recently. The comments have highlighted a need to streamline and simplify CUI guidance in 800-171. CUI is more complicated than prior guidance relating to sensitive unclassified information, allowing for more fine-grained categorization and identification of needed controls. As such don't try to figure that out on your own. If you're going to be processing/handling or generating CUI, work with your federal contacts to learn exactly which categories of CUI they are using and how they expect them to be marked and protected, as they have already developed guidance and training for their users.
The American Hospital Association (AHA) and three other healthcare organizations have filed a lawsuit challenging the US Department of Health and Human Services guidance that warned against the use of online trackers. In July, the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent letters to 130 healthcare organizations, warning that tracking technologies like Meta/Facebook pixel and Google Analytics used in a healthcare environment could disclose personal health information to third parties and potentially violate HIPPA and FTC regulations.
If you are using trackers on your web site, make sure that you are fully aware of the data they have access to and where that is sent/used. Document this and make sure the risk is accepted. If you are not actively using them and the related services, take them off.
OpenAI says that ChatGPT outages earlier this week were due to a distributed denial-of-service (DDoS) attack. Partial outages were reported on Tuesday, November 7, and a significant outage was reported on Wednesday, November 8. As of about 4:30 pm ET, OpenAI was reporting that “the incident has been resolved and status of our services have returned to normal.”
Verify that your DDoS protections include layer 7 defenses as well as make sure that you don't already own services (in house or otherwise) you haven't leveraged to keep the bar on this sort of attack.
2023 has seen a dramatic increase in DDoS attacks. Threat intelligence generally attributes the uptick in DDoS attacks to the military conflict in Ukraine. Organizations should review their SLAs with their upstream provider to limit the effect of DDoS attacks.
Visual Examples of Code Injection
https://isc.sans.edu/diary/Visual+Examples+of+Code+Injection/30388
Example of a Phishing Campaign Project File
https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR)
https://isc.sans.edu/diary/Whats+Normal+New+uses+of+DNS+Discovery+of+Designated+Resolvers+DDR/30380
SysAid Exploited by Cl0p Ransomware (CVE-2023-47246)
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
WS_FTP Server Update CVE-2023-42659
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
Malvertiser copies PC news site to delivery infostealer
pyArrow/Apache Arrow Vulnerability
https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
Cryptomining with Microsoft Azure Automation Services
https://www.safebreach.com/blog/cryptocurrency-miner-microsoft-azure
Windows 11 Insider Changing Firewall Behaviour
CISA Adds SLP Vulnerability to Known Exploited Vulnerability List
BlueNoroff macOS Malware
https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/
Emphasizing Security by Default with Advanced Microsoft Authenticator Features
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveFree technical content sponsored by SNYK LimitedBusinesses are moving to a cloud-native approach at an increasing rate to improve efficiency, reduce costs, and ensure availability.
How the Cloud Changes SecOps and Incident Response: Lessons from a Real-World Living-Off-The-Cloud Attack | Join us on Wed, November 15 at 3:30pm ET as our guest speakers provide practical advice to strengthen cloud detection and response capabilities.
Upcoming Webcast: Safeguard Your Business-Critical Web Apps and APIs with a WAF | Join Dave Shackleford and Srija Allam on November 14, to discuss Fortinet's latest solution designed to protect applications from web application attacks, API attacks, malicious bots, and much more.
Software Supply Chain Security: Hunting Hidden Threats Before They Strike | Tune in on November 15 to dive into the different types of software supply chain attacks, and how to improve existing detective capabilities.