The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cyber incident response guide for the water and wastewater sector. The document establishes cyber incident reporting guidance for the water sector; identifies pertinent resources, services, and free training; and encourages utilities to establish a robust cybersecurity baseline and to become members of local cybersecurity communities.
This guidance is not just about reporting, but also about getting your ducks in a row ahead of time. You can engage CISA to evaluate your security posture, and make sure you're actively participating in your local cyber community: from industry-specific ISACs to professional organizations such as ISSA, ISACA and ISC2, there are lots of affordable ways to get connected with nearby expertise.
Timely given recent cyber-attacks against water utility providers in Ireland, the UK, and the US. While the guide is specific to the US water sector, with minimal ‘cut-n-paste’ it can be applied to every critical infrastructure sector, especially the incident response section.
Special industry guidance should not be necessary except that this is an industry with many small scale operators and little security competence. They need an ISAC. In the absence of their own, operators might subscribe to the MS-ISAC.
In a filing with the US Securities and Exchange Commission (SEC), Hewlett Packard Enterprise (HPE) disclosed that “a suspected nation-state actor” accessed the company’s cloud-based email environment and exfiltrated data as far back as May 2023. HPE learned of the situation on December 12, 2023. The disclosure comes just days after Microsoft made a similar disclosure.
Notice: First, in June 2023 HPE was "notified" of suspicious activity but apparently didn't determine they had an active breach. Then in December they were "notified" again of suspicious activity that apparently was related to the original May breach. "Notified" implies HPE did NOT discover any of this on their own, or they would have said "we discovered..." Users of HPE software and services should seek assurance that HPE has active efforts to drastically reduce time to detect.
Need to give HPE credit for taking steps designed to eradicate, remediate and contain the activity in June of 2023. The problem is they didn't fully work. The hard lesson here is to follow up on monitoring/detection and threat hunting. Assume your adversary is going to dust themselves off and have another go at you. Even so, the basics still work: MFA authentication, active account management and active monitoring, across the board. Resist the temptation to give the VIP an exception; remind them they are a prime target.
SEC
The Register
SC Magazine
Dark Reading
Bleeping Computer
Southern Water, a utility that provides water and wastewater services to municipalities in southern England, acknowledged that it recently experienced a cybersecurity incident. The intruders stole a “limited amount of data.” In a related story, Veolia North America disclosed a recent cybersecurity incident that affected its Municipal Water division.
The Black Basta gang is taking credit for the Southern Water attack, claiming to have 750GB of data which will be released if the ransom isn't paid in 6 days. Southern Water is wisely assessing the damage to determine the sensitivity of the pilfered data to make an informed decision. Both attacks were confined to back-end IT systems, rather than their service delivery control systems, highlighting the value of separation. Note that Veolia is temporarily unable to process bill payments. Given the continued trends of attacks on critical infrastructure, beyond making sure that you've got isolation, strong access controls and robust monitoring (see the CISA Water Sector guidance below), it seems like a good idea for consumers to make sure they are enrolled in credit/identity protection and restoration services.
In both instances, the attack appears to have targeted back-end systems via their operational network, which controls delivery of water services to consumers. That said, the attacks serve as another reminder for critical infrastructure providers to limit remote access to OT systems as part of their risk management program.
Security Week
The Register
Southern Water
Veolia
A critical vulnerability in GitLab disclosed earlier this month allows account takeovers without user interaction. GitLab released Critical Security Release versions 16.7.2, 16.6.4, and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE) to address the vulnerability and four others. As of Tuesday, January 23, more than 5,300 GitLab instances remain unpatched, according to data from the Shadowserver Foundation.
If you're getting pushback that your services are obscure and nobody can find them, it may be a good time to introduce folks to what Shodan can list about your Internet-facing services. Explain that attackers don't care if your site is important or otherwise: all exposed services are fair game. This particular vulnerability is easy to exploit, so get the update out there and hand the IOCs to your threat hunters to make sure that you're not already compromised.
A January 22 security advisory from Fortra details a critical authentication bypass vulnerability in its GoAnywhere managed file transfer (MFT) technology. Fortra addressed the vulnerability in an update released in early December 2023, when the company also notified customers of the issue. Some security experts are questioning the lag time between the update and the advisory. Researchers at Tenable estimate that more than 96 percent of GoAnywhere MFT assets are unpatched as of January 23. Proof-of-concept code has been released.
Another enterprise file upload system. These types of vulnerabilities led to major ransomware attacks last year (remember MOVEit?). You should not just "patch and move on" but plan ahead and ask vendors for guidance on how to protect these systems better.
While it’s generally good to announce a vulnerability publicly, in this instance Fortra did communicate privately with their users when the patch was available. That isn’t a bad thing. What is more troubling is that a large number of assets still appear to be unpatched even with the private communication.
CVE-2024-02024, authentication bypass, CVSS score 9.8, was first exploited as much as 12 months ago, and the patch was released in December; it's time to grab the IOCs and make sure you're not already compromised. File transfer services, critical for remote integration, continue to be a top target as they are sources for a significant amount of sensitive company data.
SC Magazine
Dark Reading
Fortra
HSTechDocs
NIST
Tenable
Cisco has released updates to address a critical vulnerability in its Unified Communications and Contact Center Solutions that could be exploited to achieve unauthenticated remote code execution. According to Cisco’s advisory, the “vulnerability is due to the improper processing of user-provided data that is being read into memory.”
Repeat after me - I will always sanitize all user input. And yeah, it's a pain, so where practical use a web application firewall to help, but the app is still the last defense. Some of the risk, in this case, can be mitigated by having access control lists to restrict communication to your Unified Communications or Contact Center cluster from other components on your network; these make sense long term as a hedge against further vulnerabilities. Don't stop there: also apply the update.
Dark Reading
Bleeping Computer
Security Week
Cisco
Threat actors are actively exploiting a critical flaw in the Better Search Replace plugin for WordPress. WP Engine has recently updated Better Search Replace to version 1.4.5 to address the PHP injection vulnerability. The plugin has more than one million installations.
CVE-2023-6933, deserialization of untrusted data, has a CVSS score of 9.8. Make sure that you've updated to the current version (1.4.5 or higher) and check your web application firewall for protections against attempted exploits of the flaw. Wordfence claims to have blocked about 2,600 attempts to exploit this vulnerability in the last 24 hours.
Plugins are essential to the value of WordPress but also a major source of vulnerability. They should be used only by design and managed rigorously.
A cyberattack has disrupted the computer-aided dispatch system in Bucks County, Pennsylvania. The attack occurred on Sunday, January 21. The Bucks County 911 phone services are operational, and first responders are able to use radios. The affected system “primarily assists dispatchers and first responders with incident documentation,” according to a Bucks County press release.
Fortunately the phones and radio systems are still intact. It's easy to forget these are also IT systems today. The question to consider is how the data will be recorded then updated into their CAD system when it's back online. An interesting conversation to include in your BC/DR tabletop. Include a discussion of how much you are (or aren't) willing to omit.
The US Department of Health and Human Services Office of Information Security and the Health Sector Cybersecurity Coordination Center have published a Sector Alert about potential security threats posed by the use of the ScreenConnect remote access tool. The report notes that a threat actor abused the tool in late October and early November of last year to gain initial access to targeted organizations within the Healthcare and Public Health sector.
Installing a remote support agent is pretty common to help your support desk aid users. The trick, particularly in remote workspaces, is to make sure that you're both keeping these clients updated and following best practices to secure them.
The attack was against a self-managed instance that had not been updated in 4+ years. It seems as if the provider, Outcomes, has some Cybersecurity 101 work to do, as they were used in a classic supply chain attack against the customers of their products.
A Jenkins Security Advisory released on January 24 includes fixes for nine vulnerabilities, including a critical arbitrary file-read issue that could lead to remote code execution. The issue also “allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”
As a workaround, until you can apply the patch, disable access to the command-line interface (CLI). Don't forget to go back, apply the patch, and re-enable CLI access, restricting access to the CLI to only authorized users and devices which need it.
Update on Atlassian Exploit Activity
https://isc.sans.edu/diary/Update+on+Atlassian+Exploit+Activity/30582
How Bad User Interfaces Make Security Tools Harmful
https://isc.sans.edu/diary/How+Bad+User+Interfaces+Make+Security+Tools+Harmful/30586
Facebook AdsManager Targeted by a Python Infostealer
https://isc.sans.edu/diary/Facebook+AdsManager+Targeted+by+a+Python+Infostealer/30590
SANS.edu Dean's List
https://www.sans.edu/students/awards
Privacy Concerns about Apple Push Notifications
https://twitter.com/mysk_co/status/1750502700112916504
https://www.youtube.com/watch?v=4ZPTjGG9t7s
Inside a Global Phone Spy Tool Monitoring Billions
https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/
Sys:All Loophole Allowed Us to Penetrate GKE Clusters in Production
https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk-example/
Automotive Pwn2Own
https://www.zerodayinitiative.com/blog/2024/1/23/pwn2own-automotive-2024-the-full-schedule
Android Keystroke Injection Vulnerability Exploit
CVE-2024-0769 D-Link DIR-859
https://securityonline.info/cve-2024-0769-the-vulnerability-d-link-wont-fix-in-dir-859-router/
Barracuda Web Application Firewall
https://campus.barracuda.com/product/webapplicationfirewall/doc/102888530/security-advisory/
GitGot: GitHub leveraged by cybercriminals to store stolen data
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data