SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Fortinet Fixes Critical SQL Injection Flaw
Fortinet has released a fix for a critical vulnerability in the DB2 Administration Server (DAS) component of its FortiClient Enterprise Management Server (EMS) software. The flaw, an improper neutralization of special elements in an SQL command, can be exploited to execute unauthorized code.
Editor's Notes
- Slide 1 of 2
This has not been a good week for Fortinet. A PoC for this vulnerability is expected in the next few days. You must patch now! Vulnerability research firm Horizon3 released PoC for some vulnerabilities in Fortinet's wireless management product. These vulnerabilities have not been patched yet.
- Slide 2 of 2
The flaw affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), so you’re going to want to apply the updates, ideally this week.
Slide 1 of 0- Slide 1 of 2
Kubernetes Vulnerability
A researcher at Akamai discovered a remote code execution vulnerability in Kubernetes that could be exploited to attain remote code execution with system privileges on Windows endpoints within a Kubernetes cluster. The vulnerability (CVE-2023-5528) was fixed in updates released in November 2023.
Editor's Notes
CVE-2023-5528 has a CVSS score of 8.8 and is in default installations of Kubernetes prior to version 1.28.4 either on premise or Azure Kubernetes service and can be exploited by the introduction of a malicious YAML file. The only mitigation is to update to 1.28.4 or higher, even if you’re not running on Windows nodes.
NIST Looks Toward Improving NVD Tools and Methods
In mid-February, the US National Institute of Standards and technology’s (NIST’s) National Vulnerability Database (NVD) said that it “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” NIST says the process will likely cause delays in vulnerability analysis.
Editor's Notes
- Slide 1 of 3
The NVD database is crucial for many commercial and open source vulnerability management tools. I believe part of the problem is growing pains as the number of published vulnerabilities has skyrocketed. The NVD database should be compared to a public service like GPS that enabled many valuable services and has taken on a critical safety role. I hope they are able to resolve the issues quickly and continue processing vulnerabilities. If anything, one of NVDs problems has been the time it takes to publish the enriched data.
- Slide 2 of 3
Some research find that less than 50% of vulnerabilities are analyzed, which means they’re not benefitting from context and value add to aid businesses in evaluating them; some don’t have root cause or CWE information. Regardless of shortfalls, the NVD is still the best game in town and addressing the issues will help us determine the relevance and priority of noted CVEs.
- Slide 3 of 3
For automotive “vulnerabilities” (recalls) that have to be fixed, vehicle manufacturers are required to notify the National Highway Traffic Safety Administration who has maintained an easy to use database. Those manufacturers also have to pay for the vehicles to be fixed! The NHTSA had a 40 years head start over NIST/NVD but it really is time for legislation to treat software more like we treat vehicles.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
FCC Adopts IoT Security Labeling Rule
The US Federal Communication Commission (FCC) has unanimously approved Cyber Trust Mark, a voluntary labeling program for Internet of Things (IoT) and other smart devices to show that they meet certain security standards. The Cyber Trust Mark logo will include a QR code that consumers can scan to get information about how long the device will be supported, whether it will get patches, and whether those patched will be automatically installed.
Editor's Notes
- Slide 1 of 5
This initiative may give consumers a choice. Let’s hope they use it to buy more secure devices. I may have been doing this for a bit too long to have much hope. Please prove me wrong. I do like that this includes a "life expectancy" to inform consumers for how long this device will receive updates. And yes, some kid will glue fake QR codes on boxes. Ignore them. QR codes are used all the time to direct users to manuals and other additional information.
- Slide 2 of 5
This reminds me of various web “trust” seal programs: since search engines never favored sites with those trust seals, really not much impact on web site security levels. But when browsers started making it harder to get to sites not using SSL, rapid increase in security. It would be very good to see AI shopping tools have rules favoring higher levels of security in products.
- Slide 3 of 5
This is targeting home IoT devices, baby monitors, home security cameras, internet connected appliances, fitness trackers, garage door openers, and voice-activated devices. CISA and folks at the department of justice have been tasked with setting standards and enforcement actions. The logo is being equated to the Energy Star label. This could really help consumers make good buying decisions provided the standards and claims are consistent and trustworthy.
- Slide 4 of 5
Having an informed buyer is always a good thing. That said, having buyers use a QR code to get security information is an extra step that most will not take. In the meantime, creating a set of enforceable industry standards on device support (SW updates, Patches, Firmware, etc.) would be more beneficial.
- Slide 5 of 5
Good start. I would like to see labeling about safe and appropriate use, for example, whether it is intended for connection to public networks or needs to be fire-walled.
Slide 1 of 0- Slide 1 of 5
Stanford University Says Last Year’s Cyberincident was a Ransomware Attack
Last fall, the Stanford University Department of Public Safety’s network suffered a cybersecurity incident; the university now acknowledges it was a ransomware attack that they failed to detect for months. Stanford became aware of the breach on late September 2023, more than four months after the network was initially breached. The new information was disclosed in a notification letter sent to 27,000 people whose personal data were affected by the attack.
Editor's Notes
The Akira gang is taking credit for exhilarating 430GB of Stanford data. While the University is offering two years of credit monitoring with a $1m insurance reimbursement policy, the bigger question is why the gang had four months of dwell time. Are you equipped to detect any faster and have you tested? How about those new systems and services - does your onboarding include connecting them to your CSOC/monitoring? You really don’t want to discover a system for the first time when the phone rings.
Nissan Oceania to Notify Customers Affected by Breach
Nissan Oceania plans to notify roughly 100,000 people in Australia and New Zealand that their personal information was stolen in a cybersecurity incident last year. The compromised data include national health insurance card, passport, and driver’s license numbers, as well as loan transaction information and salary and employment data.
Editor's Notes
Estimates are 10% of their customer base had personal data exfiltrated. The remaining 90% had other less sensitive information compromised. Nissan is offering services from IDCARE, Equifax, ID Replacement and Centric depending on individual circumstances. Have you considered you may have to offer multiple credit monitoring/restoration options based on the locations of your customers/employees?
Patch Tuesday, March 2024
Microsoft’s Patch Tuesday release for March 2024 includes fixes for more than 60 security issues. Among the issues addressed are a pair of critical vulnerabilities in Windows Hyper-V hypervisor.
Editor's Notes
Patches from Microsoft, Adobe and Apple to focus on this month. Apple’s iOS releases to address zero days, Sonoma (macOS 14.4) which addresses 68 vulnerabilities, and Microsoft with their 60 fixes including CVE-2024-21334, a flaw in Open Management Infrastructure with a CVSS score of 9.8 and CVE-2024-21435, a flaw in OLE with a CVSS score of 8.8. Adobe released updates to Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate, and the newest Acrobat has a generative AI feature which scans your PDFs to better understand your questions and provide relevant help. You may want to disable that until you fully understand what it is doing and how. These can be disabled locally or by your organization admin.
ChatGPT Plugin Vulnerabilities
A report from Salt Labs describes a handful of security flaws in ChatGPT plugins. The Salt Labs researchers identified three types of vulnerabilities in ChatGPT plugins: vulnerabilities in the plugin installation process; vulnerabilities in the PluginLab framework for developing ChatGPT plugins; and OAuth redirection manipulation.
Editor's Notes
These plugins, known as Actions, allow content to be sent to other websites. Interaction with those sites often uses OAuth authentication, which isn’t a problem except Salt Labs is finding there are flaws in the implementation in a number of common Actions of these such that the auth tokens can be used to access other sites the user may have. While the plugins authors fixed these flaws, you’re going to want to develop a process for both vetting plugins as well as tracking fixes and updates to ensure you’re protected.
French Unemployment Agency Breach
France Travail, the French government’s unemployment agency, says that its network was breached and that those responsible for the intrusion may leak or misuse data that belong to 43 million people. The incident affects people who were seeking jobs through the agency over the past 20 years.
Editor's Notes
The exfiltrated data includes full name, date of birth, place of birth, NIR (think SSN), France Travail identifier, email address, mailing address and phone number. The agency will begin notifying affected individuals soon, they are providing guidance on monitoring your credit and identity, not yet offering such services to affected users.
CISA Secure Software Self-Attestation Form
The US Cybersecurity and Infrastructure Security Agency (CISA) has released its Secure Software Self-Attestation form. The document was created in response to the 2021 cybersecurity executive order. The repository for online submissions is expected to be available later this month. Some experts have expressed concerns that the form lacks memory safe programing and software bill of materials (SBOM) requirements.
Editor's Notes
- Slide 1 of 3
The form mandates signing by a software contractor’s CEO when being filed to the U.S. government. An outside software assessor is also allowed to demonstrate the security features of the software offering, assuming it’s a qualified Third Party Assessor Organization certified by Federal Risk and Authorization Management Program (FedRAMP). while the current form doesn’t support SBOM or memory safe coding, it’s still a big step in the right direction, and those should be incorporated over time.
- Slide 2 of 3
Three items of interest in the form: 1) Open source and software developed for the federal government is excluded; 2) Signature by CEO or designee that binds the company; and 3) doesn’t reflect the reality that is today’s distributed software development practice. It’s also unclear that completion of the form results in software that is trustworthy. Perhaps that will come with the next update to the form.
- Slide 3 of 3
One small step in the direction of necessary software quality. Software needs to be held to the same standard of merchantability as other products. We cannot continue to build our infrastructure on this porous foundation.
Slide 1 of 0- Slide 1 of 3
Internet Storm Center Tech Corner
Microsoft Patch Tuesday March 2024
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+March+2024/30736
Using ChatGPT to Deobfuscate Malicious Scripts
https://isc.sans.edu/diary/Using+ChatGPT+to+Deobfuscate+Malicious+Scripts/30740
Increase in the number of phishing messages pointing to IPFS and to R2 buckets
Michael Holcomb: Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents
Critical Fortinet Vulnerabilities
https://fortiguard.fortinet.com/psirt
Fortinet New Vulnerabilities
https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
Fortinet Updates
https://www.helpnetsecurity.com/2024/03/14/cve-2023-48788-poc/
Arcserve UDP Vulnerability and PoC
https://www.tenable.com/security/research/tra-2024-07
Adobe Security Bulletins
https://helpx.adobe.com/security/security-bulletin.html
Kubernetes Local Volumes Command Injection Vulnerability
Death Knell of NVD
https://resilientcyber.substack.com/p/death-knell-of-the-nvd
Unrestricted file upload vulnerability in ManageEngine Desktop Central
https://github.com/advisories/GHSA-fqf7-66f9-wqff
Siemens Fire Protection System Updates
https://cert-portal.siemens.com/productcert/html/ssa-225840.html