Both Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned of embedded malicious code in xz utils data compression library versions 5.6.0 and 5.6.1. CISA recommends downgrading to an unaffected version of the library. Researcher Andres Freund reported the vulnerability to Openwall on Friday, March 29.
Luckily, this can be classified as a win for the good guys. But the danger to the supply chain is real. Not only was the backdoor very unique and sophisticated, but it was supported by a long term social engineering campaign at least as complex as the backdoor itself. Take a minute this week, and send a thank you note to an open source project that made a difference for you this week.
This incident brings strong echoes of Ken Thompson's famous paper, “Reflections on Trusting Trust”. If you have not read it, I strongly recommend you do. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
This attack would have been highly effective if not for an engineer’s curious mind. Of note is the use of an advanced cryptographic scheme that ensures only they can use the bug for attack – a level of sophistication often found in nation-state backed operations. While the focus will be on the integrity of open-source software, it’s also a reminder for product vendors and the security controls they have in place for software configuration management.
APT class actors have discovered the potential efficiency of the supply-chain. We must hold suppliers accountable for shipping malicious code. Open-Source is an easy target and a big risk. At a minimum, we should require open source contributors to sign their work and include an SBOM for any code that they reuse.
What makes this one different is the sophistication and the targeting. This hidden code only appeared on compilation through an M4 macro and within the test trees. This requires a high degree of understanding of how to manipulate compiled binaries in systems. It appears that this was targeting xz’s use in SSH on specific systems. This would be a very innocuous and hard-to-understand backdoor in one of the most critical and trusted secure protocols that we rely on.
The US House of Representatives has barred staff members from using the Microsoft Copilot AI chatbot. Microsoft Copilot “has been deemed by the Office of Cybersecurity to be a risk to users due to the threat of leaking House data to non-House approved cloud services.” This is not the first time legislators have restricted the use of AI applications: in June 2023, the House banned staffers’ use of the free version of ChatGPT and allowed only limited use of the paid version of the application.
Microsoft stated “We recognize that government users have higher security requirements for data,” and released a set of tools presumably safe enough for government use. But, basically every business handling customer information needs to protect the privacy and security of that data and self-inflicted wounds from poorly secured and managed AI tools are a risk for all.
Wise move. Two concerns need to be settled. First, how is your information used and protected? Second, copyright: who owns the information created by the service?
The US National Institute of Standards and Technology (NIST) has posted a new statement regarding the backlogs of analyzed CVEs in the National Vulnerability Database (NVD). Thousands of recently-reported CVEs have not undergone analysis, leaving them without important enrichment data. NIST says they are prioritizing the most pressing issues for analysis and “are working with [their] agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.” More than 20 security professionals recently signed an open letter to Congress and Commerce Secretary Gina Raimondo. The letter underscores the NVD’s importance to the cybersecurity community and “urges [the recipients] to expeditiously investigate the ongoing issues with the NVD to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation.”
Maybe this program needs to look for partners outside of government agencies. I would think this could become a good program for some academic partnerships.
On March 27, JetBrains released TeamCity 2024.03, which includes fixes for 26 security issues. While JetBrains did not disclose details about the issues addressed in the update, they did note that it includes fixes for seven CVEs, including a high-severity improper validation of consistency with input issue (CVE-2024-31136) that could be exploited to bypass two-factor authentication. The other six CVEs are rated medium severity.
A vulnerability affecting the “wall” command in the util-linux core utilities package can be exploited to leak passwords and modify the clipboard. The researcher who discovered the vulnerability, which has been dubbed “WallEscape,” described the issue in an advisory: “The util-linux wall command does not filter escape sequences from command line arguments.”
The "wall" vulnerability is interesting in that it may not sound that the real danger comes from being able to misrepresent the console output. This is also a good reminder to not allow regular users access to "wall".
Escape mechanisms are fundamentally problematic. Proper filtering for triggers is essential. That said, because it is increasingly difficult for developers to understand the environment in which their code will run, knowing what to filter for is not easy. At a minimum, one should look to the OWASP guidance.
Last week, Python Package Index (PyPI) maintainers temporarily suspended new project creation and user registration while mitigating a malware upload campaign. The issue has been resolved and the suspension has been lifted. PyPI imposed a similar temporary suspension between December 27, 2023 and January 2, 2024.
Researchers at Lumen have identified “a multi-year campaign” that uses malware known as TheMoon. The campaign has been targeting end-of-life home and small office routers and IoT devices, recruiting them into a botnet that the threat actors rent out as a proxy service for cyber criminals. As of earlier this year, the botnet comprised more than 40,000 devices in 88 countries. TheMoon was first detected a decade ago.
It is amazing how things do not change, and how little impact we have made to the IoT world. TheMoon worm was first described in an isc.sans.edu post ten years ago.
This campaign highlights three ugly truths: 1) IoT devices are typically installed using default configuration (passwords); 2) they are rarely if ever updated (software, firmware); and 3) they continue in service well past their expiration date (EoL). The miscreants know this and are simply taking advantage of these weaknesses to great effect.
A chatbot set up by New York City government to answer questions about city policy, laws, and regulations has been found to provide incorrect information about housing policy, rules regarding employee rights, whether businesses may refuse to accept cash payments (they may not), and other issues. In February, a court forced Air Canada to honor an inaccurate refund policy offered by its chatbot. In an emailed statement, a spokesperson for the NYC Office of Technology and Innovation said that they “will continue to focus on upgrading this tool so that we can better support small businesses across the city.”
Human support personnel (especially poorly trained ones) obviously can give out bad advice, too – but much more slowly. Making sure AI models are properly tested and trained will require certification processes just like training of humans does.
I’m not sure we can put the chatbot genie back in the bottle. The offsetting people cost is too great. A new skillset needs to emerge, effectively the QA of chatbots plugged into LLMs, along with a core understanding that they are authoritative for your company.
I have an idea: Tell it to talk to another AI chatbot for advice. It’s just going to be AI chatbots down instead of turtles. But honestly, this technology is new to the broader audience it’s being used in, and I’m sorry the adoption rate is so rapid that this will happen. I am not sure this technology is ready to remove the training wheels fully, but it’s happening anyway. Actually, I will run this answer through the Bing chatbot because it will probably have the highest likelihood of terrible advice—one second. How does a chatbot Blue Screen? Moving on.
The US Federal Communications Commission’s (FCC’s) Public Safety and Homeland Security Bureau (PSHSB) wants to know more about how communications service providers are implementing security measures to prevent spying via wireless protocols. Specifically, the FCC wants to know what the providers have done to harden their networks against the exploitation of the SS7 and Diameter protocols, which contain algorithmic weaknesses that could expose communications. The PSHSB also wants to know of any instances in which the protocols were successfully exploited.
AT&T has acknowledged that data leaked to the dark web last month includes more than 70 million records of data belonging to current and former customers. Of those, roughly 7.6 million are current customers; AT&T has reset passcodes for those individuals. All the compromised data appear to be from 2019 or earlier.
On its face this appears to have been a data breach circa 2021. Ok. Whether through an internal compromise, since closed, or via a third party, AT&T is responsible. Unfortunately, the data has been out there and available for years and simply resetting passcodes doesn’t solve the problem of identity theft.
The amazingly scary xz sshd backdoor
https://isc.sans.edu/diary/The+amazingly+scary+xz+sshd+backdoor/30802
The xz-utils backdoor in security advisories by national CSIRTs
https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
xz-utils Backdoor CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://tukaani.org/xz-backdoor/
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Backdoor reverse analysis
https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
YARA Rule
https://github.com/byinarie/CVE-2024-3094-info/blob/main/CVE-2024-3094.yar
Social Engineering Attempts to Include Backdoor in Distros
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
https://news.ycombinator.com/item?id=39866275
Statements from Distributions
https://www.kali.org/blog/about-the-xz-backdoor/
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://access.redhat.com/security/cve/CVE-2024-3094
https://bugs.gentoo.org/928134
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Checking CSV Files
https://isc.sans.edu/diary/Checking+CSV+Files/30796
Infostealers Pose Threat to macOS
https://www.jamf.com/blog/infostealers-pose-threat-to-macos/