In May of this year, more than 20 critical infrastructure organizations in Denmark were targeted with cyberattacks. A report published by SektorCERT, the Danish cybersecurity organization for critical infrastructure sectors, details the attacks, which were carried out through known vulnerabilities in Zyxel firewalls.
Note the use of two Zyxel firewall vulnerabilities in these attacks. Before you move on to the next comment/story: Add a recurring monthly reminder to your calendar to check if your firewall/perimeter device firmware is up to date. It is notoriously difficult to be notified of available updates for these devices (not just Zyxel) and usually requires some manual care. Of course: If you do not want to be the script, write one to monitor for updates.
The SektorCERT report shows that security was not considered to be a critical part of Denmark’s critical infrastructure. Lack of knowledge that Zyxel was even in use or that firewall software needed regular updates, and ignoring repeated warnings between patch availability and the attacks, all indicate a systemic problem. Good case study for all nations to proactively fix similar problems and a good “essential security hygiene” checklist to use with all critical service providers to your own organization.
Several lessons here. First, know what you have, get a good inventory, particularly of your boundary control devices. Second, don't assume devices are up-to-date, even if new: assume firmware updates were released after the unit was produced and always include updates as part of the provisioning processes. Third, paying for the needed contract (software, hardware, or labor) so updates can be installed is cheaper than the breach recovery. Fourth, make sure you're monitoring for and responding to incidents 24x7; don't assume you have to do all that yourself in-house, there are external resources and services you can leverage.
A lot to unpack in this report. First, it appears to have been a series of targeted attacks, which often speaks to nation state involvement. Second, vulnerabilities that were not patched, which highlights an ineffective patch management process. Third, misunderstanding of the service level agreement between vendor and operators when it comes to maintenance of the Zyxel firewalls. Fourth, and unfortunately all too common, organizations not having complete knowledge of devices operating on their network. The lesson learned is that every organization has to have a relentless focus on cybersecurity basics, what we call essential cyber hygiene.
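The first comment above suggests scripting the firmware-update check rather than relying on memory. The script below is an added example, not part of the NewsBites page or SektorCERT's report: it compares a constructed perimeter-device inventory against a hand-maintained table of latest known firmware versions (the page names no vendor feed, so that table is an assumption) and flags both outdated devices and devices whose model is missing from the table, since an incomplete inventory was itself one of the report's findings.

```python
"""Added example: check a perimeter-device inventory for stale firmware.
All inventory entries, model names and version strings are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: (hostname, vendor, model, installed firmware)
INVENTORY = [
    ("fw-edge-01", "Zyxel", "model-A", "V5.35(XYZ.0)"),   # behind
    ("fw-edge-02", "Zyxel", "model-A", "V5.37(XYZ.1)"),   # current
    ("fw-dc-01", "OtherVendor", "model-X", "4.10.2"),     # ahead of table
    ("vpn-01", "Zyxel", "model-B", "V5.30(XYZ.0)"),       # not in table
]

# Constructed "latest known" table, updated by hand from vendor advisories.
LATEST: Dict[Tuple[str, str], str] = {
    ("Zyxel", "model-A"): "V5.37(XYZ.1)",
    ("OtherVendor", "model-X"): "4.9.9",
}


def version_key(ver: str) -> Tuple[int, ...]:
    """Reduce a firmware string to a tuple of its integers for comparison.
    Plain string comparison ranks '5.4' above '5.37'; numeric fields do not."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def outdated_devices(inventory, latest) -> List[Dict[str, str]]:
    """Return one finding per device that is behind or has no reference entry."""
    findings = []
    for host, vendor, model, installed in inventory:
        known = latest.get((vendor, model))
        if known is None:
            # Inventory gap: nobody tracks updates for this model at all.
            findings.append({"host": host, "status": "unknown-model",
                             "installed": installed, "latest": ""})
        elif version_key(installed) < version_key(known):
            findings.append({"host": host, "status": "outdated",
                             "installed": installed, "latest": known})
    return findings


if __name__ == "__main__":
    for f in outdated_devices(INVENTORY, LATEST):
        print(f"{f['host']}: {f['status']} (installed {f['installed']}, latest {f['latest']})")
```

Run it from a monthly cron job and route the output to a ticket queue; an empty result is the only acceptable steady state.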
A cyberattack that affected the DP World shipping and logistics company disrupted operations at four Australian ports over the weekend. DP World took the ports’ systems offline on Friday, November 10. As of Monday, November 13, the ports in Brisbane, Fremantle, Melbourne, and Sydney were operating normally. DP World Australia said it expected to move 5,000 containers through the ports on Monday; they are facing a backlog of 30,000 containers due to the three days the systems were offline. The four ports account for approximately 40 percent of freight in and out of Australia.
DP World was able to contain the attacks to their Australian components. They have roughly 10% of the shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days. While the investigation is not completed, they are bringing services online, indicating someone had addressed the risk of further compromise versus mission execution. Make sure to include that decision process in your planning. Beyond walkthroughs, make sure you schedule exercises for staff to practice their recovery techniques.
While not yet declared a ransomware attack, it has all the hallmarks of an attack by cyber criminals often associated with ransomware gangs. The attack on DP World, and several others over the last few months, highlight the increasing impact to business operations, which translates to lost revenue. The next set of questions by regulators will be whether the organization exhibited a ‘standard of reasonableness’ in defending itself.
Bleeping Computer
Security Week
Infosecurity Magazine
Gov Infosecurity
The Record
Dark Reading
The government of the state of Maine has disclosed that its MOVEit server was breached earlier this year: intruders had access to files on the server on May 28 and 29. The incident affects 1.3 million people; the compromised data include names, Social Security numbers (SSNs), dates of birth, driver's license/state ID numbers, taxpayer ID numbers, and some medical and health insurance information.
The population of Maine, as of 2020, was 1.3 million, meaning it's safe to assume that if you are a resident you're impacted. The state is providing two years of credit monitoring to those directly impacted, and has set up hotlines, discount codes and access processes to facilitate service activation. The only concerning thing is that it took them five months to finish the analysis to disclose the breach. That is a long time for your customer or employee data to be unknowingly released. The state notes they took the needed steps from Progress Software to secure MOVEit, but don't indicate what they are doing to replace it. If you're still using MOVEit, you really need to consider moving to an alternate solution PDQ. It will remain a target.
Herein lies the conundrum: how much data should an organization maintain and what are their responsibilities to protect it? In this case, the State of Maine provides digital services to its citizens and much of the data collected is for that purpose. The question now comes down to whether their measures to protect the data were reasonable, given the sophistication of the attack.
Researchers at Huntress say that cyberthreat actors are gaining unauthorized access to US healthcare organizations through locally-hosted instances of the ScreenConnect remote access tool, used by Transaction Data Systems. Huntress has provided a list of observed tactics, techniques, and procedures used in the attacks.
According to ConnectWise, the vendor of ScreenConnect, the attacker gained access via an on-prem instance which hadn't been updated since 2019. The point here is that all remote access tools, not just RDP, are targets, and they need to be configured to, at a minimum, vendor best practices, and kept updated. Don't expose any remote desktop or management interfaces to the Internet: require they be accessed via a VPN. And really assess that emergency access, you know the one, so the on-call person can respond without driving in when things break, noting it can and will be leveraged by your attackers, who also do not want to drive in.
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) launched a campaign “to encourage the critical infrastructure community to focus on strengthening resilience.” CISA director Jen Easterly said that Shields Ready “complements” the earlier Shields Up campaign, which encouraged critical infrastructure organizations to take defensive action in response to threat intelligence. In contrast, Shields Ready encourages the organizations to take steps ahead of time to prepare for cyberattacks.
Speed limit signs “encourage” safe driving. Speed cameras and speed traps enforce safe driving laws. We have many years of experience that we have plenty of US government “encouragement” and not enough enforcement of existing mechanisms (let alone new ones) for making lack of due diligence in cybersecurity look as risky to CEOs and boards as lack of financial due diligence.
It's easier to implement added protections when you're not busy fighting fires, which is why the recommendation is to get things in place today before they are needed. CISA has supporting services to help review and assess your resiliency as well as help with tabletop campaigns. Leverage their process to assess your resiliency today and identify gaps as well as prioritize fixes, so you're ready to respond when the call comes for budget items.
Far too often it’s a known vulnerability for which a patch exists that is the leading cause of compromise. Mandating a minimum cybersecurity baseline that all critical infrastructure providers have to adhere to would go a long way to ‘strengthening resilience.’ A good starting point would be the CIS Critical Security Controls, Implementation Group 1.
The prevalence and persistence of ransomware attacks suggests the need for hot (or at least warm) backups.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) have published software supply chain security guidance for vendors. The document focuses on software bill of materials (SBOM) consumption.
While you're focused on SCRM, and your SBOM, make sure you have a complete inventory of software you need to check first. If you're not keeping that current and those items updated, you may want to get your arms around those processes before you start looking at their corresponding SBOMs. When you do start considering SBOMs, focus on areas where you're leveraging open-source software.
SBOM is a solid initiative, but a pre-requisite is accurate software inventory. SBOM for Zyxel firewall software was of no help to those Danish critical infrastructure providers who didn’t even know they were using Zyxel software.
This is a step in the direction of holding suppliers accountable for distributing malicious code.
On Monday, November 13, the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities in Juniper Junos OS to its Known Exploited Vulnerabilities catalog. Two of the flaws are external variable modification vulnerabilities, and three are missing authentication for critical function vulnerabilities. Juniper urges users to upgrade to patched versions of affected products.
The variable manipulation flaws, CVE-2023-36844, CVE-2023-36845 and CVE-2023-36846 have CVSS scores of 5.3, 9.8 and 5.3 respectively. The missing authentication flaws, CVE-2023-36847 and CVE-2023-36851 have CVSS scores of 5.3. All five have a due date of November 17th in the KEV catalog. Beyond expeditiously updating to the latest JunOS release, restrict access to or disable your J-Web interface immediately. Adversaries are going to be scanning for the J-Web interface, patched or otherwise, to see what they can do.
McLaren Health Care, a Michigan-based health care delivery system, has sent breach notification letters to about 2.2 million people. McLaren says the incident was detected on August 22, and that the intruders had access to its network between July 28 and August 23. The breach resulted in the theft of personal data, including but not limited to Social Security numbers, health insurance and medical information, diagnoses, medical record numbers, billing or claims information, Medicare/Medicaid information, and prescription/medication and treatment details.
The AlphaV/BlackCat ransomware gang is taking credit for the breach and threatening to auction off the data if not paid. Given that McLaren engaged help back in August, it's safe to assume they already have decided how to respond to this threat, and are currently holding their cards close. If you're a member or employee, rather than worrying about what specific data was or was not breached, or if it's going to be auctioned, make sure you're set with credit monitoring and identity restoration services.
The compromise of health insurance numbers and social security numbers will likely result in healthcare fraud. The lesson for the rest of us is that the most important role of social security numbers is to break collisions among other identifiers (e.g., name and address). This can be done with the last four or five digits of the number and does not require the risk associated with storing the whole number.
The government of the City of Huber Heights, Ohio, is recovering from a ransomware attack. The city notified residents of the situation on the morning of Sunday, November 12, noting that “while public safety services are not impacted the following city divisions are affected: Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development.”
Notice that the city is committing to updates at 2PM daily to keep residents informed, and already shared to expect the disruption to last a week, what actions are underway, as well as clarifying which services were online/unaffected, and who to contact. Those actions should help reduce the interrupt level to allow those responding to the incident to execute rather than having to (repeatedly) stop and explain things.
A ransomware attack that targeted The Industrial & Commercial Bank of China (ICBC) last week disrupted financial services at institutions around the world. The incident began on Wednesday, November 8. ICBC sent messengers with thumb drives to the US to clear transactions.
ICBC is China's largest bank, and the largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so. Additionally, some other actions are being taken to prevent other types of transactions, which cannot be cleared, from being initiated while the bank recovers. The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story: but for a patch, the battle was lost. Beyond keeping things patched and secured, be aware of downstream impacts of isolating systems which conduct external transactions, and incorporate actions business partners may take to protect themselves from your outage and how to recover from those steps.
Undoubtedly, this event will increase the clarion call for a prohibition on ransomware payouts as it impacted global financial services. Just for the record, I don’t support paying ransomware gangs. That said, it’s usually a bit more complicated for ransomware victims. They often have to weigh the impact to their business operations, their ability to quickly recover from the attack, and, requirements of their cyber insurance provider, in deciding whether to pay or not.
Noticing command and control channels by reviewing DNS protocols
https://isc.sans.edu/diary/Noticing+command+and+control+channels+by+reviewing+DNS+protocols/30396
Routers Targeted for Gafgyt Botnet
https://isc.sans.edu/diary/Routers+Targeted+for+Gafgyt+Botnet+Guest+Diary/30390
Passive SSH Key Compromise via Lattices
https://eprint.iacr.org/2023/1711.pdf
Juniper Vulnerabilities Exploited
ScreenConnect used to Attack Healthcare
Fake Skills Assessment Portals Associated with Sapphire Sleet
https://twitter.com/MsftSecIntel/status/1722316019920728437
OpenVPN Access Server Vulnerabilities
https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/