Microsoft has released additional information about the breach that compromised executives’ emails. The intruders accessed the corporate email system through an old test account that had admin privileges but was not protected by multifactor authentication.
The lack of MFA was obvious, even if not originally admitted by Microsoft. So, repeating part of my comment from the original news item: In Microsoft's recent “Secure Future Initiative” announcement, Microsoft President Brad Smith promised that “…over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box.” Replacing passwords with strong authentication has been done by many (though in this case, apparently not Microsoft) but needs the major IT platforms to make it easier to do and harder NOT to do. Additional lesson learned here: as an absolute minimum, require *all* privileged accounts to use phishing resistant authentication which means *denying* elevated privileges to all accounts relying on reusable passwords. And, remember your own policy probably already requires MFA for *all* remote access.
First, this has several facets: password spraying as the initial compromise and persistence through OAuth applications. It's very nasty stuff for most students, I find. We discuss these attacks at length in the SEC588 class. The other component, the use of “residential proxy infrastructure,” was discussed a few years ago when Dr. Roberto Bamberger and I released a whitepaper at the Cloud Security Exchange for 2022. Get the whitepaper at the SANS Website. So, what can you do? First, turn on MFA, and use a powerful MFA like a Passkey or FIDO2 Token. Use a CASB or other product type to look at OAuth applications; finally, don’t allow your employees or non-admins to add OAuth applications. This is a nasty, hard-to-find hack from a state actor. Many people say Microsoft can do better, but this isn’t a 100-person company. This is a 250,000-person company with an extensive infrastructure. If they could solve it, we could move on and do other things.
We have known for more than a decade, since the early DBIRs, the contribution of orphan systems to enterprise breaches and longer than that the contribution of reusable credentials. Microsoft is not alone among major enterprises that tolerate these risks. Do not be among them.
Microsoft
Ars Technica
SC Magazine
The Register
Dark Reading
The Record
In a breach notification letter recently filed with regulators, 23andMe disclosed that intruders were accessing customer accounts for about five months before the situation was detected. From April through September of last year, the intruders brute-forced user accounts, stealing both raw genomic and health data.
If you build it, they will come. This motto applies to large collections of sensitive data and attackers. 23andMe attempts to deflect responsibility by stating that weak user credentials are to blame. But "brute forcing or other automated" attacks are part of the OWASP top 10 (A7), and for a site like 23andMe, dealing with highly sensitive health data, it is inexcusable to not prevent the exploitation of thousands of accounts using these well-known techniques.
Five months to detect a breach that affected 50% of users is not ideal. Subsequently updating terms of service to prevent filing of class action lawsuits, even less so. Make sure that you're going beyond tabletop exercises to ensure that you can detect intrusions in a timely fashion. Make sure that you've got updated scenarios in your incident response plans that reflect your current architecture and services. Lastly, make sure key stakeholders are onboard, including legal, HR, C-Level and the board. You all need to be operating from the same sheet of music when it goes sideways.
23andMe has become the poster child for why companies should enable MFA. It’s relatively simple to implement and raises the bar substantially in preventing credential theft. Companies no longer have an excuse for not implementing this valuable security control.
It should not take months to detect brute force attacks. In today's threat environment, the objective should be to detect attacks in hours to days.
TechCrunch
SC Magazine
The Register
OAG CA
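A minimal sliding-window detector for the kind of account brute forcing and credential stuffing described in the 23andMe item, added here as an example that is not from this newsletter or from 23andMe. The log format, thresholds, and sample events are constructed assumptions; note that attempts spaced beyond the window evade this rule, which is why longer-baseline counts per account also matter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events ("ISO-time user ip result"); not real data.
SAMPLE_LOG = """\
2023-04-01T10:00:00 alice 198.51.100.7 FAIL
2023-04-01T10:00:01 bob 198.51.100.7 FAIL
2023-04-01T10:00:02 carol 198.51.100.7 FAIL
2023-04-01T10:00:03 dave 198.51.100.7 FAIL
2023-04-01T10:00:04 erin 198.51.100.7 FAIL
2023-04-01T10:01:00 frank 203.0.113.5 FAIL
2023-04-01T10:01:30 frank 203.0.113.5 OK
2023-04-01T10:02:00 grace 192.0.2.1 FAIL
2023-04-01T10:02:20 grace 192.0.2.2 FAIL
2023-04-01T10:02:40 grace 192.0.2.3 FAIL
2023-04-01T10:03:00 grace 192.0.2.4 FAIL
"""

WINDOW = timedelta(minutes=10)     # assumed sliding window
IP_FAIL_THRESHOLD = 5              # failures from one IP inside the window
IP_ACCOUNT_THRESHOLD = 3           # distinct accounts hit from that IP (stuffing signature)
ACCOUNT_FAIL_THRESHOLD = 4         # failures against one account from any IPs (brute force)

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def detect(log_text):
    """Return a sorted list of (kind, key) alerts; each key alerts at most once."""
    ip_fails = defaultdict(deque)    # ip -> deque of (ts, user) failures in window
    user_fails = defaultdict(deque)  # user -> deque of failure timestamps in window
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse(line)
        if result != "FAIL":         # successes are ignored by this rule
            continue
        q = ip_fails[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= IP_FAIL_THRESHOLD and len({u for _, u in q}) >= IP_ACCOUNT_THRESHOLD:
            alerts.add(("credential_stuffing_ip", ip))
        uq = user_fails[user]
        uq.append(ts)
        while uq and ts - uq[0] > WINDOW:
            uq.popleft()
        if len(uq) >= ACCOUNT_FAIL_THRESHOLD:
            alerts.add(("brute_force_account", user))
    return sorted(alerts)
```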
Ivanti has acknowledged that it missed a self-imposed deadline for releasing patches for several vulnerabilities that are being actively exploited. Initially, Ivanti planned to begin releasing fixes for the flaws on January 2; an updated advisory cites “the security and quality of” the fixes as the reasons for the delay.
I get it. It isn't easy to fix vulnerabilities in unmaintained legacy code, in particular if, after acquiring a company like Pulse Secure, you prioritize short-term financial gains and lay off many of the employees who may actually understand how the product works.
Ivanti is rightly not pushing out patches until they meet their quality standards. They hope to release updates next week. The rub comes from CISA's KEV deadline of 1/22 to either apply the patches or remove the software from government systems. In the interim, CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the Ivanti download portal.
Rushing a patch for a critical vulnerability often leads to further security issues. In this case Ivanti wants to solve the underlying security issue once and for all. Until the patch is available for download, follow the previously published mitigation guidance.
The Freehold Township (New Jersey) School District schools and offices were closed on Monday, January 29, because of a cyberattack. An investigation into the incident is underway. There has been a spate of cyberattacks targeting K-12 school districts in the US since the beginning of the year.
What makes this even more painful is that some schools that hired third-party companies to provide security services were themselves not secure and were subsequently compromised. This is a case where strong consideration should be given to leveraging free services, such as those offered by CISA, to help schools, already on tight budgets, assess their security posture, making tweaks to avoid a me-too scenario.
A ransomware attack disrupted communications for the Kansas City Area Transportation Authority (KCATA) last week. The incident affected KCATA’s RideKC call centers and all KCATA landlines. KCATA released a statement providing alternate phone numbers for customers who need to schedule rides through KCATA’s Freedom and Freedom-On-Demand Paratransit services.
The Medusa ransomware gang is taking credit for this attack and is posting data samples in an attempted extortion ploy. KCATA was sufficiently prepared to only have their call center offline, stating all services are operating, immediately providing alternate options for the affected call center. We've all been walking through what we'd do if we were in a similar situation, but have we had the time to see if we could actually pull it off? Have some serious chats with organizations you're counting on to bridge gaps or take up the slack. Make sure that your capacity and startup time assumptions are sound.
5000 successful extortion attacks in 2023. Large increase year over year. Billions of dollars in lost productivity. While we see an increase in the use of vulnerabilities, over phishing, to establish the initial foothold, the failure to mandate the use of strong authentication internally and to structure our networks facilitates the necessary lateral movement in these attacks.
Users are urged to patch a critical arbitrary file-read vulnerability in the Jenkins command line interface. Proof of concept code has been released and there are reports that the vulnerability is being actively exploited. The vulnerability, CVE-2024-23897, is one of two Jenkins vulnerabilities disclosed last week.
Now we have multiple PoC exploits for the vulnerabilities, published on GitHub, most validated, which means that you need to assume compromise if you haven't applied the updates or workaround. (Disable the CLI.) The Jenkins advisory below lays out all the detail. Packet Storm has published two PoC scripts you can use to validate your environment; these are referenced in the NIST NVD details for CVE-2024-23897 linked below.
Ransomware operators have reportedly targeted systems at Schneider Electric’s Sustainability Division. The attack, which occurred in mid-January, resulted in the theft of terabytes of data. The incident has caused disruptions for Schneider’s Resource Advisor cloud platform.
This is a case of the Cactus ransomware gang, first observed in March 2023, which likes to gain access using purchased credentials, phishing, malware distribution and even just exploiting vulnerabilities. They are attempting to extort payment leveraging the terabytes of data exfiltrated from Schneider Electric. The exfiltrated data appears to relate to their customers' power utilization, ICS and automation systems, and compliance with environmental and energy regulations. Customers include Walmart, PepsiCo, Lexmark, DuPont, Clorox and DHL.
Bleeping Computer
Authorities have arrested a 17-year-old individual in connection with a series of swatting attacks. The suspect is awaiting extradition from California to Florida to face four felony charges, including “making false reports concerning the planting of a bomb or the use of firearms, causing a law enforcement response.”
The suspect is scheduled to be tried as an adult in Florida where swatting is a felony. Lately, swatting attacks are on the rise, particularly directed at prominent politicians. As of May, the FBI launched a collaborative effort to thwart swatting nationwide, which has processed over 550 reports since its inception. Florida's senator Rick Scott introduced a bill that proposes a maximum penalty of up to 20 years for individuals convicted of swatting.
VoIP has enabled criminals to perpetrate swatting attacks anywhere. VoIP is hard to trace, but with the help of federal law enforcement, there are techniques that can be used.
People are exploiting weaknesses in our E-911 system. They exploit the Disability Systems to do this, and they exploit our inherent trust. This is a hard one to solve so I expect major penalties to whoever they do catch.
A Canadian court has sentenced Matthew Philbert to two years in prison for launching ransomware and other cyberattacks. Philbert was arrested in 2021, and pleaded guilty to fraud and unauthorized access to computers in October 2023.
Philbert's attacks affected about 1,330, with losses of about $49,000, including $15,000 from a small family-run business that thought an employee may have stolen the money. The chilling part is that each victim is considered as an opportunity for income, not the effect of the crime on their wellbeing or business. His lawyer's proposed sentence was two years, minus a day, to be served out of jail; the judge disagreed, feeling the crimes warranted two years behind bars. Additional court sessions are scheduled in March to discuss restitution to his victims.
A US court has sentenced Vladimir Dunaev to more than five years in prison for his role in the development of the Trickbot malware. The malware has been used to disrupt systems at hospitals and other businesses in the US. Dunaev, who is a Russian citizen, was extradited to the US from South Korea in 2021. He pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit wire fraud in November.
Initially, Trickbot was used to capture banking credentials from PCs to siphon those fees to the gang. It evolved into an expandable ransomware-as-a-service that you could rent for your own nefarious purposes in exchange for a cut of the take. This gang is reported to have extorted at least $180 million from people and organizations worldwide. Trickbot was shut down in 2022, but many of its developers have moved to other criminal organizations, so expect variants in the future.
With time served, he basically has three years left on his prison sentence. Doubtful this will deter cybercriminals from continuing ransomware attacks; but it is a win for law enforcement.
A Batch File With Multiple Payloads
https://isc.sans.edu/diary/A+Batch+File+With+Multiple+Payloads/30592
Exploit Flare Up Against Older Atlassian Confluence Vulnerability
https://isc.sans.edu/diary/Exploit+Flare+Up+Against+Older+Altassian+Confluence+Vulnerability/30600
Malicious Python Packages install Infostealer
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi
Linux ICMPv6 Router Adv. RCE
https://access.redhat.com/security/cve/cve-2023-6200
fritz.box domain used to advertise NFTs
Jenkins CVE-2024-23897 PoC
Malicious Google Ads Target Chinese Users
Free technical content sponsored by SNYK Limited: Equip your team with the essential knowledge of proper utilization of generative AI tools and the significance of selecting the right security tools with Snyk's Buyer's Guide for Generative AI Code Security.
Automating Vulnerability Management with BreachLock | Tune in on Tue, February 27 as Dave Shackleford takes a solutions deep dive with BreachLock’s attack surface management and penetration testing as a service offering.
Upcoming Free Virtual Event on Thu, February 29 | SOAR Into 2024: Harness the Power of the 5/5/5 Benchmark for Cloud Detection and Response - Tune in as Dave Shackleford and industry experts show you how to keep your cloud-speed business innovation secure from cloud-speed exploitation.
Upcoming Webcast: Modernizing AppSec with Application Security Posture Management | Join Matt Bromiley and Idan Elor from Apiiro on March 6 at 1PM ET as they discuss how to secure applications, a complex and cumbersome issue many organizations have yet to solve.