SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
AHA Survey: Change Healthcare Ransomware Impact
According to a survey from the American Hospital Association (AHA), 94 percent of hospitals say they are experiencing financial impacts from the Change Healthcare ransomware attack; more than half deem the impact “significant or serious.” The survey includes responses from 1,000 hospitals. Nearly three-quarters of those responding said the incident had a direct impact on patient care. Hospitals say that while they are implementing workarounds, they are expensive and time-consuming.
Editor's Notes
- Slide 1 of 2
The attack is being felt nationwide. HHS has issued $2.5 billion in advance Medicaid and Medicare action payments, which providers will need to reconcile later, so providers can continue to operate. HHS is insisting insurance companies do the same for providers. The good news is that Change Healthcare is paying 95% of their insurance health insurance claims. Here is a clear example of third-party provider outage risk. Make sure you are capturing the risk of service interruptions from your third parties and options, if any, mitigate them, note you may need to accept more than you think.
- Slide 2 of 2
The cyberattack on Change Healthcare continues to highlight 1) the dependency on 3rd party service providers; 2) the unintended consequences of vendor consolidation; and 3) its impact on healthcare operations. For one and three internal workarounds can be established. Unfortunately, to reduce vendor consolidation (via merger and acquisition), the government will have to weigh in.
Slide 1 of 0- Slide 1 of 2
Patch That Fortinet Flaw Now
A known critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software is being actively exploited. The improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability allows attackers to execute unauthorized code or commands with SYSTEM privileges. Fortinet released a fix for the vulnerability last week.
Editor's Notes
- Slide 1 of 2
Luckily, only few FortiClient EMS systems appear to be exposed to the internet. But with an exploit available, this vulnerability could also be used for lateral movement after a network is breached. Access to this software will allow attackers to reach managed systems and it will make it more difficult to evict an attacker.
- Slide 2 of 2
No surprised looks, researchers released a POC exploit for CVE-2023-48788, SQL Injection flaw, last Thursday. You know that means is a race condition between your application of the update and successful exploitation. The vulnerability is being targeted to gain access to corporate networks to facilitate ransomware attacks and/or corporate espionage campaigns.
Slide 1 of 0- Slide 1 of 2
Ivanti Releases Fixes for Critical Flaws in Standalone Sentry and Neurons for ITSM
Ivanti has released updates to address two critical vulnerabilities. One is a remote code execution vulnerability in Ivanti Standalone Sentry. The second is an authenticated remote file write vulnerability in Ivanti Neurons for ITSM. In both cases, the issues affect all supported versions of the products; older versions may be vulnerable as well. As of Thursday afternoon, March 21, NIST National Vulnerability Database (NVD) entries for the flaws have not yet been generated.
Editor's Notes
CVE-2023-41724, unauthenticated user RCE flaw, CVSS score 9.6; and CVE-2023-46808, authenticated user remote file write issue, CVSS score 9.9; were identified in late 2023, but not publicized as they were not being exploited and Ivanti didn't have a patch yet. As there are no mitigations other than applying the update, which may require you to update to a supported release as well, you're going to want to get ahead of this one.
The Rest of the Week's News
Microsoft Threat Intelligence Report: US Tax Season
Microsoft has published a threat intelligence report focused on the awareness of and preparedness for phishing attacks during the US tax season; in the US, tax returns are generally due to the Internal Revenue Service in mid-April. Microsoft has already observed a tax season phishing activity. The report includes tactics, techniques, and procedures (TTPs) most commonly used by threat actors.
Editor's Notes
- Slide 1 of 2
With tax filing in the US being almost entirely electronic, the cybercriminals are taking advantage of the weakest link in the chain: you. They target your identity, financial accounts and passwords in hopes of tricking you into giving them information and/or access needed to grab your refund. Your primary mitigations are phishing awareness training and enabling MFA on all your accounts. Don't forget to secure your state tax account if you have one.
- Slide 2 of 2
While this report focuses on the US tax season, the adversary also builds campaigns for other important dates. The stats tell us that the average click rate for a phishing email is 18%; for targeted email, the number goes up to 53%. Why not focus on patch and configuration management vice trying to sus out malicious email?
Slide 1 of 0- Slide 1 of 2
Chrome and Firefox Updates
On Tuesday, March 19, Google and Mozilla released updated versions their flagship browsers. Google released Chrome 123 to the stable channel for Windows, macOS, and Linux. It includes fixes for 12 vulnerabilities, including a high-severity object lifecycle issue in V8 (CVE-2024-2625). Mozilla Firefox 124 also includes fixes for a dozen vulnerabilities, including critical memory safety bugs (CVET-2024-2615) and nine high-severity issues.
Editor's Notes
Seven of the Chrome flaws were reported by security researchers; Google paid a total of $22,000 in bug bounty rewards to them. While your systems are downloading updates to Chrome and its Chromium based cousins, remember Thunderbird and Firefox ESR 115.9 also dropped addressing ten vulnerabilities, nine of which are addressed in Firefox 124. The tenth is CVE-2024-2614, a memory safety bug which could be used to execute arbitrary code.
GitHub Code Scanning Autofix Tool
GitHub has released a code scanning autofix tool to public beta for GitHub Advanced Security customers. The tool is capable of identifying vulnerabilities in JavaScript, Typescript, Java, and Python repositories. When a flaw is detected, the tool will offer “fix suggestions [that] include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss.”
Editor's Notes
- Slide 1 of 2
Having used GitHub's Copilot as a coding aid, AutoFix looks like it may become a very useful tool to avoid many of the basic oversights that sneak in when coding. Looking forward to testing it.
- Slide 2 of 2
Cross-site scripting is a huge target as making sure your code is sanitizing all inputs is hard, let alone going back and working all the code in your app, not just the part with an identified weakness. This tool looks at multiple files in your app to discover repeated issues, and you could, in theory, fix them consistently with one click. More importantly, IMO, this could dramatically cut the time it takes to do the needed security checks. I would start evaluating this sooner than later, assume attack tool counterpart is out, or nearly out.
Slide 1 of 0- Slide 1 of 2
Windows Server Update Responsible for Domain Controller Crashes
Microsoft has acknowledged that a memory leak issue introduced in the March 12 Windows Server update is responsible for Windows domain controller crashes. The Local Security Authority Subsystem Service process memory leak is causing servers to freeze and reboot. Microsoft is currently working on a resolution.
Editor's Notes
- Slide 1 of 2
Just before the March Microsoft Vulnerability Tuesday patch release, Microsoft released a progress update on the first four months of their “Secure Future Initiative.” The first two accomplishments said 86% of Azure code and over 1 billion lines of code overall were now being analyzed for vulnerabilities using the GitHub CodeQL tool. Microsoft has to move to faster than monthly patch release and bad updates are a major impediment to ever convinces CIOs to move forward with expecting all software to do what cloud software and browsers already do – patch critical vulnerabilities nearly continuously. I’d like to see Microsoft put out a lessons learned how this memory leak made into the released update.
- Slide 2 of 2
If you've not applied the March security update to your DC's (KB5035857) to your DCs, hold off. This affects Windows Server 2022, 2019, 2016 and 2012 R2. Expect the updated patch in the next week. While you're waiting you can focus on browser and iOS/iPadOS updates.
Slide 1 of 0- Slide 1 of 2
Websites with Firebase Misconfigurations Leak Passwords
Misconfigured instances of the Google Firebase app development platform have exposed millions of records, including plaintext passwords and bank account information. Researchers found that more than 900 websites were built on Firebase instances that had either misconfigurations or no security rules enabled at all.
Editor's Notes
The attack started with exploiting the Chattr AI based hiring system, which has been fixed. That lead researchers to the discovery of other flawed applications on 842 websites. Attempts to contact the owners of these sites resulted in an 85% email success rate, 25% of the sites addressing the issue, and 1% emailing back. Only two of these sites offered a bug bounty. If you're hosting or using a Firebase application, and you're relying on their security rules to keep data safe, you may want to introduce additional security protections and monitoring as those rules continue to be found problematic.
Radiant Logistics Discloses Cybersecurity Incident
Radiant Logistics, an international freight company, has isolated its Canadian operations following a cybersecurity incident. In a filing with the US Securities and Exchange Commission (SEC), Radiant writes that it detected the incident in mid-March. Canadian customers are experiencing delays in service, but service in other countries has not been affected.
Editor's Notes
- Slide 1 of 2
Oddly, nobody is trying to claim this assumed ransomware attack as theirs. Radiant is currently deep in their forensics, response and restoration process. They state they don't expect this incident to materially impact the company's financial conditions.
- Slide 2 of 2
Two phrases in the 8-K filing worth noting 1) …initial stages of a cybersecurity incident…; and 2) …as of the date of this filing, the incident has not had a material impact on the company’s overall operations. The words businesses use in cybersecurity disclosures matter. It’s been three months since the SEC cyber disclosure rules took effect, and we still have little additional insight into cyber incidents. For all the brouhaha about the rule changes, little has actually changed.
Slide 1 of 0- Slide 1 of 2
AWS Fixes Service Takeover Vulnerability
Amazon Web Services (AWS) has fixed a vulnerability in its Managed Workflows Apache Airflow (MWAA) service. The vulnerability exists because of a session fixation issue in the MWAA management panel and a misconfiguration in the AWS domain. The flaw could be exploited to take control of web management panels. The vulnerability was detected by researchers at Tenable. AWS fixed the vulnerability in September 2023.
Editor's Notes
Both AWS and Microsoft took steps to mitigate the risk in response to Tenable's claims. Google elected not to take action after determining the flaw is not severe enough to be tracked as a security issue. If you've been running the current version of MWAA since September, you're not impacted. While exploitation requires social engineering, it's still a good idea to make sure that you're on the most current MWAA to mitigate the risk.