SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Critical Ivanti Zero-days are Being Actively Exploited
A pair of vulnerabilities in Ivanti Connect Secure and Policy Secure are being actively exploited. There are currently no fixes available for the authentication bypass and command injection vulnerabilities. Ivanti expects to have fixes for the vulnerabilities available by January 22 and February 19, respectively. Users are advised to take steps to mitigate the issues until patches are available.
Editor's Notes
- Slide 1 of 4
Ivanti users should consult the excellent write up by Volexity for details. Connect Secure used to be known as Pulse Secure before being acquired by Ivanti in 2020. The product has a rich vulnerability history and has frequently been used to breach corporate networks. Connect Secure has likely become expensive to maintain for Ivanti with its legacy Perl codebase and complex software architecture typical for a legacy product. This will make it difficult for Ivanti to invest into proactively identifying security vulnerabilities, relying on non cooperating third parties to assist in identifying product flaws.
- Slide 2 of 4
I had to look this up to make sure because Ivanti has been on an acquisition spree. This is affecting the old Juniper SSL VPN Customers. There is still a pretty sizable set of companies running this tech.
- Slide 3 of 4
Ivanti has both published a mitigation you can download and install and provided IOCs you can incorporate into your threat hunting. They are providing guidance for upgrading to newer releases which have more expedited patch release cycles. The patch will be released the weeks of the 22nd of January to the 19th of February, depending on the product version you’re running.
- Slide 4 of 4
Given the ease with which the pair of vulnerabilities can be exploited, download and apply the mitigation procedures that Ivanti provides with great haste. You can expect that evildoers are now circling and targeting the VPN appliance.
Slide 1 of 0- Slide 1 of 4
Patch Tuesday January 2024
The first Patch Tuesday of 2024 includes nearly 50 fixes for Microsoft products as well as patches for vulnerabilities in Adobe, SAP, Cisco, and Android. Microsoft’s batch of fixes addresses two critical flaws; none of the Microsoft vulnerabilities are being actively exploited. Adobe released one update to fix 6 vulnerabilities in Substance 3 Stager 3-D rendering software.
Editor's Notes
While the Microsoft vulnerabilities are not actively exploited, CVE-2024-20674, a Kerberos security feature bypass flaw, has a CVSS score of 9.0 and exploit code is expected in under 30 days. As such you’re going to want to get this update deployed quickly.
CISA Added Nine Vulnerabilities to KEV This Week
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. They include command injection and authentication bypass vulnerabilities in Ivanti Connect Secure and Policy Secure, a privilege elevation vulnerability in Microsoft SharePoint Server, and two deserialization of untrusted data vulnerabilities in Adobe ColdFusion.
Editor's Notes
No huge surprises here. Are you tracking the KEV catalog? It’s a good source of information on what’s being targeted to aid your decision making processes. While you’re addressing these flaws, make sure your on track for lifecycle replacements - hint: ColdFusion.
The Rest of the Week's News
Nozomi Researchers Find Vulnerabilities in Network-Connected Pneumatic Torque Wrench
Researchers from Nozomi found 23 vulnerabilities in the Bosch Rexroth NXA015S-36V-B pneumatic torque wrench. The tool, which connects to local networks, is used on automotive production lines. The vulnerabilities could be exploited to infect the device with malware and disrupt production lines, or to alter tightening settings. No patches are currently available.
Editor's Notes
This significance of this analysis does not rest in how these specific vulnerabilities might be maliciously exploited but in what is says about the development of appliances and the Internet of Things. One need not read very far into these reports to conclude that the source of the vulnerabilities is in gratuitous function (starting with an operating system) not essential to the operation, measurement, and reporting function of this tool. Avoiding vulnerabilities in single-use purpose built tools and appliances is not difficult. The problem arises from glitz, bells and whistles, features, complexity, that are not essential to the purpose. Starting with a general purpose OS may make the developer's job a little easier but may not lead to a safe product.
Forescout Report on Danish and Ukrainian Energy Sector Attacks
Forescout has published a report, Clearing the Fog of War: A Critical Analysis of Recent Energy Sector Attacks in Denmark and Ukraine, which analyzes recent energy sector cyberattacks in Denmark and Ukraine. While the attacks have been tentatively attributed to a group of threat actors with ties to Russia, Forescout cautions that “dismissing these events as targeted to a specific country or organization(s) can put other vulnerable organizations at risk.”
Editor's Notes
Ukraine being under an active cyber-attack is unsurprising. Denmark being included is as surprising as any other NATO country. In today’s world, you can imagine the amount of caution a vendor’s research team is taking in judging attribution when the stakes are high.
Fidelity National Financial Breach Affects 1.3 Million People
In an amended Form 8-K filed with the US Securities and Exchange Commission (SEC), Fidelity National Financial has disclosed that the cybersecurity incident it last fall affects 1.3 million individuals. Fidelity National Financial, a title insurance and transaction company, first disclosed the incident in November 2023.
Editor's Notes
- Slide 1 of 2
The law of large numbers at work: FNF says they “…do not believe that the incident will have a material impact on the Company.” An incident this large is likely to have a hard cost in the $100M dollar range but since that is less than 2% of FNF’s reported 12 month profit of $6B, it is not “material” as far as regulators are concerned. But, if management was convinced that spending $10M would have prevented the loss of $100M they may have made that investment.
- Slide 2 of 2
Although most attention on ransomware events is focused on small to medium size enterprises (K-12, Healthcare), FNF proves that even fortune 500 companies also fall victim. What’s even more interesting is that the company doesn’t believe it to be a ‘material’ event, thereby, skirting some of the new SEC rules.
Slide 1 of 0- Slide 1 of 2
FTC Order Bars Outlogic from Sharing Location Data
The US Federal Trade Commission (FTC) has reached a settlement with data broker Outlogic, previously known as X-Mode Social, over its sale of people’s location data. The settlement requires Outlogic/X-Mode to cease sharing precise sensitive location data, must destroy any such data that it currently holds, and take steps to prevent similar data abuse in the future.
Editor's Notes
This is a signal to other data brokers to watch what they are sharing. Among other concerns, the FTC wants to ensure opt-out requests are honored. Not a wise move to be on the punitive side of the FTC, but they can’t police this entire subject area; congressional privacy legislation is also needed to support enforcement.
Microsoft: EU Cloud Users May Store Personal Data in Europe
Microsoft is making changes to its cloud computing structure to allow European Union (EU) cloud customers to store all their personal data within the EU. Over the past year, Microsoft started processing and storing some EU data within the region’s borders. The new arrangement will keep all personal data, including automatically generated information from system logs, within EU borders.
Editor's Notes
- Slide 1 of 3
This raise a point that is important to get across to your management: using cloud services does *not* mean having to allow your sensitive data to be stored in countries that don’t meet your regulatory requirements for protecting privacy. Similarly, if you are in the business of providing cloud services, your customers will increasingly have requirements for meeting higher national data privacy standards than the US has.
- Slide 2 of 3
This is a continuation of Microsoft efforts to abide by strict privacy laws within the EU. There was hope that the US and EU would reach agreement on data sharing but in the end, this is the most effective way for CSP’s to abide by national privacy laws. Expect other CSP’s to follow Microsoft’s lead.
- Slide 3 of 3
Microsoft has a vast EU presence, unsurprisingly, so it makes perfect sense for them to focus on EU-based privacy and data sovereignty.
Slide 1 of 0- Slide 1 of 3
Vulnerabilities in Two WordPress Plugins
In separate stories, researchers have found vulnerabilities in two WordPress plugins: POST SMTP Mailer and AI Engine. There are two vulnerabilities in POST SMTP Mailer: a critical authorization bypass flaw and a cross-site scripting issue. The plugin has more than 300,000 downloads. The AI Engine plugin for WordPress contains an unauthenticated arbitrary file upload vulnerability; the plugin has 50,000+ active installations.
Editor's Notes
- Slide 1 of 3
Wordfence provided a firewall rule for the POST SMTP Mailer paid and free customers January 3rd and February 2nd respectively. Most importantly make sure that you have the updated plugins, 2.8.8 for POST SMTP and 1.9.99 of the AI Engine. Assume attackers are actively looking for known vulnerable plugins on WordPress sites.
- Slide 2 of 3
Wordpress’ market share is 43% of all websites. For content management systems its global market share is even higher. Unfortunately, plugins are its Achilles heel. The best protection is to maintain patch diligence and include a firewall to monitor and filter web traffic.
- Slide 3 of 3
It should no longer be necessary to point out that WordPress plugins are a source of vulnerability for web sites, that most come with no representations of quality, should not be used by default, only by design and intent, and when used must be diligently managed. The issue is plugins in general rather than these two.
Slide 1 of 0- Slide 1 of 3
Internet Storm Center Tech Corner
Microsoft January 2024 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+January+2024+Patch+Tuesday/30548/
Adobe Vulnerabilities
https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html
Jenkins Brute Force Scans
https://isc.sans.edu/diary/Jenkins+Brute+Force+Scans/30546
Timeline to Remove DSA Support in OpenSSH
https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-January/000156.html
Juniper Patches
ManageEngine ADSelfService Plus Patch CVE-2024-0252
https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html
Atomic Stealer for Mac Update
Ivanti Connect Security VPN Vulnerability Exploited
Zoom Privilege Escalation Vulnerability
https://www.zoom.com/en/trust/security-bulletin/ZSB-24001/
Apache Applications Targeted by Stealthy Attacker
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker
Infosec Toolshed
https://youtu.be/qDK1PQ1OZjk?si=_vTpHqlovD2Hjd4M
CVE-2023-50916: Authentication Coercion Vulnerability in Kyocera Device Manager
Network Connected Wrenches Used in Factories can be hacked