The water and wastewater sector has made several recent appearances in NewsBites; we want to make sure you know that there is indeed a Water Information Sharing and Analysis Center (ISAC): https://www.waterisac.org/
ISACs provide two-way information sharing of sector-specific threat intelligence. We encourage you to find an ISAC that meets your needs at the National Council of ISACs: https://www.nationalisacs.org/member-isacs-3
Chicago’s Lurie Children’s Hospital has proactively taken its systems offline following a cybersecurity incident. The outage affects phone and email services as well as electronic health records (EHR). Lurie disclosed the incident on February 1. Another Chicago-area hospital, Saint Anthony, recently disclosed a cybersecurity incident in which patient data were accessed. That incident occurred in December.
Lurie Children’s doesn’t currently have an ETA for service restoration. They have implemented contingency plans to provide maximum service to patients, having set up a call center to handle questions and arrange services. Getting a call center online quickly to handle customers should be a priority activity in your BC/DR process; make sure you've got that process nailed down, and don't assume any existing phone service will be operating. Keep in mind that despite guidelines from ransomware operators not to target hospitals, ransomware gangs are ignoring those and targeting healthcare organizations; the takeaway is not to depend on usage restrictions from attack service providers to stop the gangs from attacking anyway.
With the decade-old shift to electronic health records and interconnected systems, hospital administrators now must prioritize cybersecurity. If not, they will continue to be targeted by cybercriminals and, separately, held accountable for the data loss. In upcoming budgets, HHS likely will offer financial assistance to smaller hospitals that implement cybersecurity performance goals.
High-risk, public-network-facing applications like phone and email should be isolated from mission-critical systems like healthcare records.
Bleeping Computer
Gov Infosecurity
The Record
The Register
Lurie Children's
JD Supra
A global Interpol operation last fall “was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.” The operation involved law enforcement agencies from more than 50 countries. More than 1,300 suspicious IP addresses were identified; more than 70 percent of those have been taken down. 31 people have been arrested and 70 additional suspects have been identified.
The operation ran from September through November, which is pretty quick for this broad of a takedown and shows what can be done with broad cooperation. The international cooperation included 60 law enforcement agencies as well as Interpol's gateway partner private sector groups such as Kaspersky, TrendMicro, Shadowserver, Team Cymru and Singapore-based Group-IB. The 30% of servers that weren't taken offline are still under active investigation for their involvement in cybercrime operations. The dismantled infrastructure was used for phishing, banking malware and ransomware attacks.
Well done to all involved in this operation. Cyber criminals need to realise that the days of operating at low risk on the Internet are no longer around. As this operation demonstrates, law enforcement agencies are becoming more and more proficient at detecting, disrupting, and detaining criminals.
It will always be a ‘cat-n-mouse’ game between law enforcement and cybercriminals. Expect cybercriminals to modify their TTPs because of the joint law enforcement action. Thankfully, law enforcement is being supported by members of the tech sector to better the odds of success.
Cyber criminals continue to believe that cybercrime has a low risk of investigation, identification, and punishment. It may take many efforts like this over time to change this belief.
Interpol
The Register
Bleeping Computer
Security Week
AnyDesk forced a password reset for all users of its remote access solution after learning that user credentials were leaked. In a public statement, AnyDesk writes, “We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”
AnyDesk could have provided some additional details in their notification, for example a list of the compromised certificates. Attackers may use these certificates later to sign malware. AnyDesk has also failed to provide additional details about which weaknesses the attacker exploited; this is always useful for others to learn from. Maybe they will follow up with a better postmortem after their investigation concludes.
If your cybersecurity program is mature, it may be time to include lost certificates in your threat model. Include signed, malicious code in your offensive operations engagements.
AnyDesk released their statement about this breach on Friday night (European time)/Friday afternoon US time. Communicating to your clients that you have suffered a security breach on a Friday afternoon/evening does not align with the phrase "The integrity and trust in our products is of paramount importance to us and we are taking this situation very seriously." I often say, "you won't be judged for being the victim of a cyber attack, but you will be judged on how you respond to it."
AnyDesk is a popular target for threat actors as it provides remote control, VPN and file transfer capabilities, often leveraged in the fake Microsoft Support scam which offers to "clean" malware or other bugs off your system, even if you're on macOS. All users of my.anydesk.com need to change their passwords. Both the AnyDesk client and the portal support 2FA via TOTP; while you're rotating your portal password, make sure that you've enabled and configured 2FA. Then see if you can also enable it for your AnyDesk clients.
The optimum time to reset a password is not after a breach but automatically after its first use. We call this a one-time password, OTP. It is a component of many systems of strong authentication. Strong authentication is an essential and efficient security mechanism. Many such systems, e.g., Passkeys, are more convenient than passwords and do not rely upon the user to change them.
AnyDesk
SC Magazine
Bleeping Computer
The Register
In a recent blog post, Cloudflare provides details about the November 2023 cybersecurity incident affecting its Atlassian server. The post is based on information from CrowdStrike’s Forensic team, which Cloudflare brought in to investigate the incident. A threat actor, believed to be state-sponsored, used credentials stolen in an Okta October breach to access Cloudflare’s Atlassian Confluence internal wiki and their Atlassian Jira bug database.
If you're wondering how to approach a similar situation in your shop, the blog post lays out all the things you should consider: identifying the root cause (failure to rotate a compromised credential), understanding the possible access with those credentials as well as any accounts created, containment, eradication, and post-event hardening and improvement. Consider your network architecture and how resistant it is to lateral movement. Consider how to reduce trust based on network location, so that systems validate that both the user and the system are appropriate for the requested connection.
Cloudflare
The Register
SC Magazine
Security Week
Mitsubishi Electric has published an advisory detailing two vulnerabilities in several of its Factory Automation (FA) products: a high-severity missing authentication for critical function vulnerability (CVE-2023-6942) and a critical-severity unsafe reflection vulnerability (CVE-2023-6943). Patches for the flaws are not yet available.
CVE-2023-6941 has a CVSS score of 7.5; CVE-2023-6943 has a CVSS score of 9.8. While there are no patches, the Mitsubishi bulletin provides guidance on affected products and mitigations. In short, make sure these systems are properly isolated, don't expose them to the Internet, and make sure the system you're using to access them is itself secure (patched, EDR, etc.). Exploiting the flaw would allow the attacker to reprogram your PLCs as well as install new utilities on your engineering workstations.
Google has given the Rust Foundation a $1 million grant “to support efforts that will improve the ability of Rust code to interoperate with existing legacy C++ codebases.” Google Vice President of Engineering, Android Security & Privacy Dave Kleidermacher noted that “Based on historical vulnerability density statistics, Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem. This investment aims to expand the adoption of Rust across various components of the platform.”
Rust has been making great inroads in the Android space as one of the strongest tools to address memory safety and security issues. This funding should help increase the interoperability with legacy C++ codebases, resulting in both easier and more use in non-Android scenarios.
Rust
GoogleBlog
Security Week
The Register
The Pennsylvania Courts system says its website has been disrupted by a denial-of-service attack. The incident has affected the availability of PACFile (the online court document filing system), online docket sheets, PAePay, and the Guardianship Tracking system. Pennsylvania Courts remain open and accessible to the public.
Current claims are this is a DoS attack, and they are busy restoring services and forensicating the environment. If the DoS attack is a smoke screen, this approach will reveal any additional attacks. As the capabilities to launch very disruptive DDoS attacks seem to be perpetually increasing, you may want to set up a regular check/update from your service providers on their protections/capabilities to make sure they are adapting to the evolving threat environment. Also, check in with any services which didn't offer DDoS protections previously to see if that has changed. Don't forget to check your third-party and outsourced service providers.
DDoS attacks are mostly a nuisance for organizations and not sustainable. What is concerning is the increase in attacks over the past year. It indicates that large numbers of devices aren’t practicing basic cyber hygiene and have been herded into botnets. Is it time to consider a cyber health check before allowing access to the Internet?
Keep in mind that DoS attacks are used to distract from other more subtle attacks.
The US Treasury Department has sanctioned six Iranian government officials over their part in a cyberattack targeting critical infrastructure in the US and other countries. The individuals breached water utilities in the US through Unitronics programmable logic controllers (PLCs). Affected organizations include a water utility in Aliquippa, Pennsylvania.
The sanctions mean that all property and interests in property of these Iranian officials in the U.S., or that are in the control of U.S. persons, are blocked and must be reported to the Office of Foreign Assets Control (OFAC). Additionally, any entities with over 50 percent ownership by these officials are also blocked. In essence, all transactions within the U.S. with these assets or entities are prohibited. While this may make things difficult for the Iranian officials, the impact on the threat actors isn't clear, so you still need to take steps to protect your critical infrastructure. Leverage the Water ISAC for threat intelligence as well as guidance on expertise you can leverage. Consider hiring a friendly assessor, rather than reacting to issues revealed by those threat actors.
While important to demonstrate American resolve, it is highly unlikely that any of the individuals will be visiting the US or extradition friendly countries any time soon. What is more important is that vendors, where possible, apply ‘secure by design’ principles in future releases of their products.
Joshua Adam Schulte has been sentenced to 40 years in prison for espionage, computer hacking, making false statements to the FBI, and other offenses. Schulte leaked classified CIA information to WikiLeaks in 2016. Schulte was employed as a software developer at the CIA’s Center for Cyber Intelligence.
There really are consequences for unauthorized disclosure of classified information; it's nice to have a current example to reinforce this point. Schulte was able to perform his actions by obtaining admin privileges, as well as granting himself added access. While the role-granting should trigger an alert, this is where regular account and access control reviews are important in case those alerts are missed. Also verify you have active/rapid processes to restrict access when an account holder is sanctioned or otherwise in a questionable state.
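As an added illustration of the point above (example code, not part of this NewsBites issue or any editor's own tooling): a small Python check that flags audit events where an actor grants a privileged role to their own account, and reconciles effective privileged membership against an approved baseline for a periodic access review. The log format, role names, accounts and baseline are all constructed.

```python
# Added example: detect self-granted privileges and run an access review.
# The JSON-lines audit format, roles and accounts below are constructed.
import json

# Constructed audit events, in time order. An admin grants a role to a
# colleague, grants admin to themselves, adds themselves to a privileged
# group, and a service account grants and later revokes admin for another user.
AUDIT_LOG = """
{"ts":"2024-02-01T09:12:01Z","actor":"jdoe","action":"role_grant","target":"asmith","role":"reader"}
{"ts":"2024-02-01T10:44:17Z","actor":"jdoe","action":"role_grant","target":"jdoe","role":"admin"}
{"ts":"2024-02-01T10:45:02Z","actor":"jdoe","action":"group_add","target":"jdoe","role":"backup-operators"}
{"ts":"2024-02-01T11:00:00Z","actor":"svc-hr","action":"role_grant","target":"mlee","role":"admin"}
{"ts":"2024-02-01T11:30:00Z","actor":"svc-hr","action":"role_grant","target":"asmith","role":"admin"}
{"ts":"2024-02-01T12:00:00Z","actor":"svc-hr","action":"role_revoke","target":"asmith","role":"admin"}
"""

PRIVILEGED = {"admin", "backup-operators"}          # constructed privileged roles
GRANTS = {"role_grant", "group_add"}
REVOKES = {"role_revoke", "group_remove"}

# Constructed approved baseline of (account, role) pairs.
APPROVED_BASELINE = {("mlee", "admin"), ("ops-admin", "admin")}


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def self_grants(events):
    """Events where the actor granted a privileged role to their own account.
    These are the alerts that should fire immediately."""
    return [e for e in events
            if e["action"] in GRANTS and e["actor"] == e["target"]
            and e["role"] in PRIVILEGED]


def access_review(events, approved):
    """Replay grants/revokes in order to get effective privileged membership,
    then compare with the approved baseline. Returns (unapproved, missing):
    unapproved holders need investigation; missing entries point to a stale
    baseline or a revocation that was never recorded."""
    effective = set()
    for e in events:
        if e["role"] not in PRIVILEGED:
            continue
        if e["action"] in GRANTS:
            effective.add((e["target"], e["role"]))
        elif e["action"] in REVOKES:
            effective.discard((e["target"], e["role"]))
    return effective - approved, approved - effective
```

Running the review catches the self-grants even if the real-time alert was missed, which is the point of scheduling it regularly.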
Nextgov
NY Times
Washington Post
Justice
Public Information and Email Spam
https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620/
DShield Sensor Log Collection with Elasticsearch
https://isc.sans.edu/diary/DShield+Sensor+Log+Collection+with+Elasticsearch/30616
AnyDesk Breach
https://anydesk.com/en/public-statement
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-213655-1032.pdf
Ivanti POC For CVE-2024-21893
https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
Deepfake Exploits
Leaky Vessels
https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/