Palo Alto Networks has released hotfixes to address a critical command injection vulnerability in multiple versions of their PAN-OS software. Palo Alto Networks was alerted to the vulnerability by researchers from Volexity. The flaw is being actively exploited to place Python backdoors on vulnerable devices. According to Palo Alto Networks, the flaw affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.
"Must patch" should be obvious for this vulnerability. Palo Alto Networks released guidance with workarounds and patches this weekend. But also do not forget to check for compromise. There is no widely available exploit at this time, but we have seen reports of scans for vulnerable devices over the weekend. Whoever has the exploit will likely try to make good use of it as fast as possible.
CVE-2024-3400, the PAN-OS command injection vulnerability in GlobalProtect, has a CVSS score of 10.0 and is in the NIST KEV catalog with a remediation due date of April 19th. Apply the hotfix, or Threat ID 95817 to mitigate. If you're still running PAN-OS 9 or 10.1, you're not affected; however, you need to delve into why you're not on the current PAN-OS. In addition to making sure your more important systems, such as boundary control devices, are top of the list for patching/updating, make sure that you're actively managing lifecycle, to include the resources to deploy/cutover new equipment as well as purchase it. You're going to want top-down support here.
This is a timely reminder that security devices are sadly just as vulnerable as any other device. This means we need to ensure that we treat the security devices we rely on, in particular those perimeter security devices, with extra care. The UK's National Cyber Security Centre (NCSC) has an excellent blog post on this topic that you should read: "Products on your perimeter considered harmful (until proven otherwise)" https://www.ncsc.gov.uk/blog-post/products-on-your-perimeter.
Get used to patching. Maybe after 20 years of SSL VPN, it's time to think about these systems as they are now increasingly targeted by attackers.
Palo Alto Networks
Volexity
The Register
Security Week
NVD
In early March, the US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory about a hard-coded credentials vulnerability in Chirp Systems Chirp Access. The flaw affects all versions of Chirp Access, which is used to remotely open Chirp Systems smart locks. The vulnerability was detected and reported to Chirp in March 2021; the company has not responded to CISA requests to work with them to address the problem.
What is more worrying than the vulnerability is the fact that Chirp Systems is not commenting on it. But from Chirp's perspective, this is the best thing for them to do. In two weeks, people will have forgotten, and locks will continue to be sold without having to worry about customers possibly bricking devices with firmware updates (if that is an option).
As Chirp Systems is not yet responding to the issue, the best action is to make sure that your smart lock systems are isolated, not Internet accessible, and only authorized systems/users can access them. Also make sure you're monitoring for unwelcome advances.
Hardcoding passwords into software was a common practice a couple of decades ago. Unfortunately, it's still common with ICS devices. Now that the proverbial cat is out of the bag with media attention and the potential for lawsuits, Chirp likely will be motivated to make the relatively straightforward fix. That said, that doesn't mean users will implement the software update.
Delinea has released an update to fix a critical vulnerability in their Secret Server privileged access manager (PAM). The critical flaw affects the SOAP API and could be exploited to gain admin privileges. Delinea is urging users to upgrade their Secret Server installations to version 11.7.000001.
This issue slipped in a bit under the radar at the same time people were busy dealing with the GlobalProtect vulnerability. The vulnerability puts your secrets and access to privileged accounts at risk. It also sounds like Delinea dodged a bullet. A security researcher informed Delinea of the vulnerability before someone with less honest motives was able to take advantage of it against Delinea's cloud.
If your Secret Server is exposed to the Internet, you need to either update to the current version, or follow the remediation guide until the patch for your version is released. Note you need to be on version 11.5.2 (11.5.000002) before you can upgrade to 11.7.1.
Cisco Duo is warning customers that a third-party telephony provider suffered a breach, resulting in the theft of some customer logs for MFA. The intruder gained initial access to the system by phishing account credentials from an employee; at the beginning of April, they used their access to the system to download MFA SMS message logs for messages sent during the month of March. The incident has exposed phone numbers, carriers, location information, and other metadata.
The leak of Duo customer phone numbers may lead to more targeted phishing ("smishing") attacks. As a Duo customer, you may consider asking your users to look out for such scams.
While the stolen credentials were immediately invalidated, the question remains of why the third party wasn't using stronger authentication, say, phishing- and replay-resistant credentials? When evaluating the security at your third-party providers, make sure that it is commensurate with the information handled.
Makes you wonder a few things here: What are the attackers after? Can they reverse engineer the OTP or gain other types of information? Who else has been compromised?
Cisco
Security Week
Bleeping Computer
Dark Reading
The US Federal Bureau of Investigation (FBI) has published an alert warning of a smishing campaign that pretends to be invoices for unpaid road tolls. The SMS phishing messages have targeted people in at least three US states with seemingly urgent messages and a link to pay the alleged outstanding toll. The FBI Internet Crime Complaint Center (IC3) has received more than 2,000 complaints about the scheme since early March.
As organizations and people get better at detecting and stopping email phishing attacks, cyber criminals simply shift to smishing (text-based) and vishing (voice-based) attacks. Smishing can be very effective as the messages are much shorter, with so little context it's harder to determine what is fake or real. In addition, texting is more informal; we are more likely to respond to it. Finally, most companies have little if any control or insight into employees' phones. As for official government organizations, it would help greatly if they would stop registering their own personal .com domains and instead use official .gov domains, making it easier for people to determine which are legitimate URLs.
Strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) will not prevent one's users from clicking on bait. It will prevent the reuse of compromised credentials.
This is one of those places where we need to have users slow down and validate using a known URL/process, not hit the "easy button" in that SMS message. This can be hard, as the immediate reaction is to deal with the issue right away. Consider advising users to filter out unknown senders, and then take extra caution when reviewing those messages with this attack in mind. If you or your users get one of these messages, file a complaint through the ic3.gov web site.
Never underestimate the craftiness of the cybercriminal. We're programmed to respond to text messages. Bottom line: fight the urge to respond; but do periodically check your toll transponder account and keep the card information current.
IC3
Bleeping Computer
Infosecurity Magazine
Roku has reset account passwords and implemented two-factor authentication (2FA) for all 80 million users after breaches compromised account data of nearly 600,000 customers. Roku says the accounts were breached through credential stuffing attacks.
With so many companies getting breached and moving to MFA, at some point MFA will become the standard. As MFA usage goes up, expect to see an explosion in MFA-targeted phishing attacks.
Statistics are hard to come by, but one trend is clear: services not requiring MFA are getting compromised by credential stuffing attacks and those using MFA are not. The best time to move to MFA is before the inevitable compromise of reusable passwords, which has been true for over 300 years when this phrase was coined: Don't wait until the horses are gone to lock the barn door.
When implementing their 2FA, you may be prompted to create a new, strong password. Their solution causes an email with a validation link to be sent to the email address associated with the Roku account. If you have a streaming device connected to your account, you can also use the last 5 characters of the device ID to complete the authentication which could be helpful when you cannot access a device with the email for the associated account. Users who cannot receive email on the address associated with the Roku account will need to contact customer support to assign a new email and password.
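The credential stuffing pattern behind the Roku breaches is visible in authentication logs long before an account takeover is reported: one source tries many distinct usernames in a short window, most attempts fail, and a few succeed. The detector below is an added example (not Roku's code and not part of the original newsletter); the log format, the 5-minute window, the 5-account threshold and the 50% failure ratio are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example, not Roku's code: flags source IPs that try many distinct
accounts in a short window with a high failure ratio, and reports which
accounts they then logged in to successfully (likely takeovers).
The log format and thresholds below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-04-14T02:00:01Z 203.0.113.7 alice FAIL
2024-04-14T02:00:02Z 203.0.113.7 bob FAIL
2024-04-14T02:00:02Z 203.0.113.7 carol FAIL
2024-04-14T02:00:03Z 203.0.113.7 dave FAIL
2024-04-14T02:00:04Z 203.0.113.7 erin OK
2024-04-14T02:00:05Z 203.0.113.7 frank FAIL
2024-04-14T02:00:06Z 203.0.113.7 grace FAIL
2024-04-14T02:00:07Z 203.0.113.7 heidi OK
2024-04-14T02:00:09Z 198.51.100.3 alice FAIL
2024-04-14T02:00:30Z 198.51.100.3 alice OK
2024-04-14T03:10:00Z 192.0.2.9 bob OK
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_ACCOUNTS = 5                # assumed distinct-account threshold
MIN_FAIL_RATIO = 0.5            # assumed failure-ratio threshold


def parse_log(text):
    """Parse whitespace-separated lines into (time, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, outcome == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: {"accounts_tried": n, "fail_ratio": r, "took_over": [...]}}.

    For each source IP, slide a time window over its events. If a window
    covers at least `min_accounts` distinct usernames with a failure ratio
    of at least `min_fail_ratio`, the IP is flagged; the widest qualifying
    window wins, and its successful logins are listed as likely takeovers.
    A single user failing and then succeeding (a typo) is not flagged.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            ratio = fails / len(span)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) >= prev["accounts_tried"]:
                    findings[ip] = {
                        "accounts_tried": len(users),
                        "fail_ratio": round(ratio, 2),
                        "took_over": sorted({e[2] for e in span if e[3]}),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed sample, 203.0.113.7 is flagged (8 accounts tried, 75% failures, successful logins to erin and heidi), while the single user retrying from 198.51.100.3 is not. The "took_over" list is the actionable output: those are the accounts to force a password reset and MFA enrolment on, which is exactly the step Roku took fleet-wide.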
Telegram has fixed a remote code execution flaw in the Telegram for Windows desktop app. The vulnerability can be exploited to bypass security warnings and launch Python scripts automatically. The problem lies in a typo in the app's source code that allowed the Python file to execute without a warning. Telegram made a server-side fix to prevent the Python files from executing automatically.
There were claims this was a zero-click vulnerability; this is not the case. The user needs to click on the Windows Python file (.pyzw) for the flaw to be exploited. The server-side fix changes .pyzw files to .pyzw.untrusted, causing Windows to prompt for which application to open them. Future versions of the Telegram Desktop app are expected to include a security warning rather than appending the ".untrusted" extension.
Bleeping Computer
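The server-side mitigation described above works because Windows picks the handler for a file from its last extension, so appending ".untrusted" leaves nothing registered to run it. The function below is an added example of that technique, not Telegram's code; the list of extensions it treats as executable is an assumption, and it also handles the edge cases a naive extension check misses (mixed case, a trailing dot or space that Windows silently strips, and names that are already quarantined).

```python
"""Neutralising auto-executable attachment names.

Added example, not Telegram's code: mirrors the server-side mitigation
of appending ".untrusted" to attachment names whose extension Windows
would hand to an interpreter, so the OS prompts for an application
instead of running the file. EXECUTABLE_EXTS is an assumption for the
example; Telegram's actual list is not on the page.
"""

# Assumed: extensions Windows runs directly or passes to an interpreter.
EXECUTABLE_EXTS = frozenset({
    "exe", "bat", "cmd", "com", "scr", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "py", "pyw", "pyz", "pyzw", "lnk", "msi", "jar",
})
QUARANTINE_SUFFIX = ".untrusted"


def _effective_extension(name):
    """Return the extension Windows would act on, lower-cased.

    Windows silently drops trailing dots and spaces when saving a file,
    so "script.pyzw." is really "script.pyzw"; strip them first so the
    check sees the same name the OS will. A bare ".pyzw" still counts.
    """
    normalised = name.rstrip(" .").lower()
    if "." not in normalised:
        return ""
    return normalised.rsplit(".", 1)[1]


def quarantine_name(name):
    """Append ".untrusted" to names with an executable extension.

    Already-quarantined names and harmless extensions are returned
    unchanged, so the function is safe to apply repeatedly.
    """
    if name.lower().endswith(QUARANTINE_SUFFIX):
        return name
    if _effective_extension(name) in EXECUTABLE_EXTS:
        return name.rstrip(" .") + QUARANTINE_SUFFIX
    return name


if __name__ == "__main__":
    for sample in ["report.pyzw", "Report.PYZW.", "notes.txt",
                   "invoice.pdf.exe", "safe.pyzw.untrusted", ".pyzw"]:
        print(f"{sample!r:24} -> {quarantine_name(sample)!r}")
```

The rename is a stop-gap of the same kind Telegram shipped: it does not inspect content, so a renamed file can still be run if the user restores the extension by hand, which is why a client-side warning is the better long-term fix.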
Over the past week, Juniper has released 38 security bulletins to address vulnerabilities in Junos OS, Junos OS Evolved, and other products. Three of the bulletins have maximum severity ratings of critical; all three address vulnerabilities in third-party software used in Juniper products. One of the critical bulletins addresses flaws in the cURL open source data transfer tool; the other two address third-party software vulnerabilities used in Juniper Networks Junos cRPD and Cloud Native Router.
There are no workarounds for the flaws; the only fix is to deploy the update. The updates to Junos OS are only available for supported versions and will not be backported, so you may have to upgrade to a supported version before you can apply the patch/update.
Juniper
Security Week
Semiconductor manufacturer Nexperia has acknowledged that their IT systems were breached last month. Nexperia disconnected the affected equipment to contain the breach, and they have launched an investigation. Nexperia's disclosure followed the release of data by threat actors to a darknet site.
A ransomware group that calls itself Dunghill Leak is taking credit for this attack, claiming to have both technical and confidential (PII) documents.
In written testimony delivered to the Senate Armed Services Committee hearing on Wednesday, April 10, General Timothy D. Haugh, Commander, United States Cyber Command, said that the US Cyber Command's Cyber National Mission Force executed 22 hunt forward campaigns in 2023. The force has deployed a total of 55 times since it was elevated to a Unified Combatant Command in 2018.
Hunt Forward missions are executed at the request of a foreign government and are not always disclosed. They are part of their persistent engagement strategy which is designed to keep them in constant contact with adversaries and ensure proactive (versus reactive) actions can be taken. As a result of these campaigns, US Cyber Command has released at least 90 samples of malware for public analysis, allowing them to be more easily thwarted/detected.
Gov Infosecurity
c4isrnet
rackcdn
Quick Palo Alto Networks Global Protect Vulnerability Update CVE-2024-3400
https://isc.sans.edu/diary/30838
Palo Alto Networks GlobalProtect 0-Day CVE-2024-3400
https://security.paloaltonetworks.com/CVE-2024-3400
Delinea patches critical vulnerability in secret manager
https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3
Lancom Windows Setup Assistant May Reset Password
https://www.lancom-systems.com/service-support/general-security-information
PHP Patches
https://seclists.org/oss-sec/2024/q2/113
Duo SMS and VoIP Logs Leaked
https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e
Lastpass Stops Deepfake Attack
https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee