SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Banking Trojan in Google Play Store
The Anatsa banking Trojan has been found lurking in the Google Play store. This latest version of the malware has expanded its European focus from Germany, Spain, and the UK to include Slovenia, Slovakia, and Czechia. The malware spreads phony cleaner and PDF reader dropper apps. The malware is estimated to have been downloaded 150,000 times from the Google Play Store.
Editor's Notes
There is a level of implicit trust given to both Google Play and the Apple app store. Both do a good job vetting applications before placing in their app store. That said, this is the second example in the last few weeks where their vetting processes fell short. Expect cybercriminals to continue to target these app stores, and others, as part of a supply chain attack.
Government Network Breached Through Former Employee’s Credentials
An unnamed US state government organization suffered an intrusion that was determined to have been conducted using a former employee’s administrative credentials. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) “conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.”
Editor's Notes
- Slide 1 of 3
It is far easier for an attacker to gain unauthorized access to victim assets/data through valid user credentials than through ‘hacking’ the network. Ideally, as part of proper account management, user credentials, especially admin privileges, are removed upon employee departure. Organizations should revisit employee departure checklists and reinforce system accounts removal as an immediate action.
- Slide 2 of 3
A few factors to contemplate over your morning coffee: First, the account wasn't deactivated in a timely fashion. Second, these admin accounts didn't require MFA. Third these accounts also worked for the VPN. Even if you're holding an account for someone returning, that account should be unusable during that gap. At a bare minimum, require MFA for admin (privileged accounts) and remote access. Allowing admin accounts to activate the VPN should raise concerns of separation of duties. Some of you may disagree with me on the last one; if you have the use case, and it's legitimate, make sure that you have sufficient authentication strength, monitoring and risk acceptance.
- Slide 3 of 3
It is sad that we are still seeing major breaches implicating reusable credentials.
Slide 1 of 0- Slide 1 of 3
Air Canada Deemed Responsible for What its Chatbot Said
Canada's Civil Resolution Tribunal has ruled that Air Canada must honor a fare refund policy described by its chatbot. A customer interacting with the chatbot was led to believe that he could purchase a ticket and request a partial reimbursement for a bereavement fare later. While the chatbot’s explanation of Air Canada’s bereavement fares policy was not in line with the company’s website, the tribunal determined that the customer had no reason to mistrust the chatbot because it was representing Air Canada. Air Canada appears to have disabled its chatbot.
Editor's Notes
- Slide 1 of 4
This lines up with our policy for the use of LLM tools by SANS.edu students: It is ok to use them for some tasks, but you are responsible for the answers if you use them. Just like when search engines like Google started to be used to find answers, one of the real skills has become to figure out which answers to trust. Companies should be held responsible if they use "chatbots" without the necessary safeguards, in particular if the customer is not intentionally abusing bugs in the bot's responses.
- Slide 2 of 4
There are many legal rulings to come about corporate liability erroneous and/or malicious use of AI. Odds are pretty high companies will be held liable. Governance (which includes security but many other processes) of AI initiatives will become just as important as good sys admin hygiene on servers has proven to be.
- Slide 3 of 4
An interesting defense used by Air Canada – that it can’t be held liable for the actions of a representative [chatbot in this case]. Really? It’s an interactive part of the company’s website, whether it provides correct information or not. Bottom line: Air Canada failed the standard of reasonableness test as determined by the judge.
- Slide 4 of 4
Good precedent. Both enterprises and individuals are responsible for all the results of their use of AI tools. It is fundamental. Tools cannot be responsible for their use.
Slide 1 of 0- Slide 1 of 4
The Rest of the Week's News
SolarWinds Patches Critical Flaws in Access Rights Manager
On February 15, SolarWinds released ARM 2023.2.3 to address five RCE’s in SolarWinds Access Rights Manager (ARM). Three are critical: two path traversal issues and one deserialization of untrusted data issue. The other two are high severity flaws.
Editor's Notes
These five flaws have CVSS scores from 7.9 to 9.6. The ARM version 2023.2.3 service release appears to address all five. While there is no evidence of exploitation in the wild, keep in mind that even though it's been almost 4 years (March 2020) since their supply chain compromise, SolarWinds is still going to garner extra attention from attackers.
International Law Enforcement Operation Takes Down LockBit Website
In a cooperative effort, law enforcement agencies from 11 countries have (once again) disrupted operation of the LockBit ransomware gang. The LockBit website is now under the control of the UK’s National Crime Agency. Operation Cronos, as the effort is called, is “an ongoing and developing operation.”
Editor's Notes
- Slide 1 of 4
Having been in the Army Guard for well over 20 years now, I have a decent grasp of bureaucracies and the impediments they can create. I'm thrilled that these international organizations have been able to pull together and have real effects. Congratulations!
- Slide 2 of 4
Europol released a statement (https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation) this morning with more details on the operation. So far two people have been arrested, over 200 #cryptocurrency accounts seized, and more importantly lots of data gathered from over 42 servers that will hopefully lead to more operations and arrests. The decryption keys for #Lockbit are now also available on the #NoMoreRansom portal (https://www.nomoreransom.org/en/decryption-tools.html) This is one of the most extensive and successful law enforcement operations against cyber criminals. Congratulations to all involved and thank you for making the internet safer.
- Slide 3 of 4
International law enforcement has been on a tear these past two months – takedown of botnets, disruption of ransomware gangs, recovery of ransomware keys, etc. In this case, all we know is that the website has been taken over but it’s doubtful that’s the extent of law enforcement action against LockBit.
- Slide 4 of 4
Not going to lie here, I'm loving these takedowns. Consider the effectiveness of international law enforcement cooperation today versus the challenges outlined by Clifford Stoll in The Cuckoo's Egg. Cooperation involved agencies from 10 countries including the US, UK, Australia, Germany, the Netherlands, Japan, France, and Switzerland. LockBit is responsible for as much as a quarter of all ransomware attacks in some countries. US authorities detected at least 1,700 LockBit attacks in 2023. Apparently, the FBI breached the gang's operations servers using a PHP exploit and their source code, victim information and chats were seized.
Slide 1 of 0- Slide 1 of 4
WordPress Brick Site Builder Vulnerability is Being Actively Exploited
Attackers are exploiting an unauthenticated remote code execution vulnerability in the WordPress Bricks Builder Theme. The flaw can be exploited to run malicious PHP code on vulnerable sites. The issue affects Brick Builder Theme installed with default configuration. The Bricks development team released a fixed version, 1.9.6.1, on February 13.
Editor's Notes
- Slide 1 of 2
Pentesters, remember: Yes, find and exploit this if it's in your client's environment. BUT the fix here is not only "Patch it." Be sure to give a recommendation about how to adjust their patching process so they can stay ahead of the next one!
- Slide 2 of 2
This vulnerability, CVE-2024-25600, unauthenticated RCE, CVSS score 9.8. This flaw only works with unauthenticated users. The fix adds both input sanitization and permissions checks to the code. Given that it's WordPress, even if your WAF is blocking this attack, get on updating that theme WordPress is a hot target. In addition to making sure your themes, plugins, and base are configured for auto-update, make sure that you have a threat feed on WordPress security issues.
Slide 1 of 0- Slide 1 of 2
Shadowserver: 28,000+ Microsoft Exchange Servers Remain Vulnerable to Known Flaw
Last week, Microsoft released a fix for a critical privilege elevation vulnerability in Microsoft Exchange Server that is now being actively exploited. Shadowserver detected 28,500 instances that are confirmed vulnerable; as many as 68,500 more may or may not be vulnerable, depending on whether admins have applied mitigations. The issue is fixed in Exchange Server 2019 Cumulative Update 14 (CU14) update, CISA has added the flaw (CVE-2024-21410) to its Known Exploited Vulnerabilities database. Federal Civilian Executive Branch (FCEB) agencies have until March 7 to address the vulnerability.
Editor's Notes
- Slide 1 of 3
While the fix was only released last week, Exchange server flaws, not unlike WordPress flaws, are blood in the water for attackers, and should be near the top of your list for applying fixes. With the impact and occurrence of Exchange flaws, you may want to look again at total cost of ownership vs a hosted option. For those with a hybrid option, because you had a critical function which won't run in the hosted service, revisit that analysis, including the use case to be sure there isn't an alternative.
- Slide 2 of 3
Here are two shocking things in the headlines. One: companies numbering in the tens of thousands need to be patching exchange. Two: at least 28,000 on-premises exchange servers are left in the wild. Fascinating.
- Slide 3 of 3
It is difficult to comment on this without knowing the denominator. Suffice it to say that there are so many instances of MS Exchange server that is likely that many will not be patched on a timely basis.
Slide 1 of 0- Slide 1 of 3
Guilty Plea for Role in Malware Schemes
Vyacheslav Igorevich Penchukov has pleaded guilty to conspiracy to commit a RICO offense and conspiracy to commit wire fraud for his roles in the operations of Zeus and IcedID malware. Each carries a maximum prison term of 20 years. Penchukov was arrested in Switzerland in 2022 and extradited to the US in 2023. He has been on the FBI’s Cyber Most Wanted list for nearly a decade.
Editor's Notes
The Zeus banking trojan was shut down in 2014, which was followed by a Zeus successor, the SpyEye RAT, which was shut down in 2016 (leaders currently serving a 24-year sentence), and Penchukov joined the IcedID team in 2018. When IcedID, a banking credential stealer, added ransomware to its capabilities, the efforts to take it down escalated, resulting in his arrest. Sentencing for Penchukov is scheduled for March 9th.
Wyze Connectivity Problems Lead to Security Issue
Last week, Wyze experienced “an issue with [their] AWS partner which has impacted device connection and caused login difficulties.” The problem was resolved, although the company said it was temporarily disabling the Events tab in its app due to a security issue. Customers were reporting being able to see thumbnail views from other customers’ cameras. In an investigation update, Wyze writes that “the incident was caused by a third-party caching client library that was recently integrated into our system … [and that they] have added a new layer of verification before users are connected to Event Videos.”
Editor's Notes
Remarkable transparency here, not only explaining what happened and notifying affected users, but also steps taken to mitigate it. Beyond the topic of third-party risk/impact, it'd be good to discuss having sufficient visibility into an application; this is a good use case of how that can be advantageous.
Internet Storm Center Tech Corner
Old Mirai New Exploits
https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658
KeyTrap PoC Exploit
https://github.com/knqyf263/CVE-2023-50387
Google Open Sources Magika File ID System
Exploiting Unsynchronised Clocks
https://attackshipsonfi.re/p/exploiting-unsynchonised-clocks
SolarWinds Security Advisories
Google Chrome Adds Private Network Checks
https://chromestatus.com/feature/4869685172764672
Gold Factory iOS Trojan