SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
RADIUS Protocol Vulnerability
The Remote Authentication Dial-In User Service, or RADIUS, network protocol is vulnerable to forgery attacks. The cybersecurity experts who detected the vulnerability have devised Blast-RADIUS, an attack [that] allows a man-in-the-middle attacker to authenticate itself to a device using RADIUS for user authentication, or to assign itself arbitrary network privileges. RADIUS is ubiquitous, so the vulnerability affects most networking devices. The researchers recommend that RADIUS/UP be deprecated. Short of that, suggested mitigations include transitioning to RADIUS over TLS, isolating RADIUS traffic, and watching for updates and applying them when they are available.
Editor's Notes
- Slide 1 of 6
The vulnerability was first made public a couple months ago. More details have now been made public. The issue is more of a protocol design issue, and the use of the MD5 hashing algorithm to protect message integrity. Running RADIUS over TLS may be the simplest solution, but mitigations need to take into account the capabilities of devices relying on RADIUS for authentication.
- Slide 2 of 6
RADIUS needs to go away. With that said, I am not surprised by this. RADIUS was a clear text protocol for modems; I'm glad someone is calling attention to it. We need to fix the protocol internals. The current fix of TLS requires an immense amount of overhead in deploying the certificates and the certificate authorities. One 'wrong move' would crater the entire network in many organizations. There should be some mechanism in RADIUS to secure itself, and it needs to be kept up with crypto support. MD5 for this was good in 2003. Not in 2024. We either standardize dialup modems, or we need to fix this. Enable TLS/SSL in certain environments; be aware of the lift.
- Slide 3 of 6
The attack is leveraging a MD5 hash collision race condition over UDP, as well as requiring MITM network access and only work on non-EAP authentication methods. Long term fixes will require updates to the RADIUS specification, and corresponding product updates. In the meantime, look at isolating RADIUS EAP authentication traffic over VLANs and requiring Message-Authenticators where possible. Note that Message-Authenticators may break older clients, so testing is needed. One hopes this will move the process forward towards standardizing RADIUS over TLS. The protocols have existed for a while, so check your implementation to see if you can switch to TLS. Note that is going to require a PKI infrastructure to support those communications.
- Slide 4 of 6
This is a big deal as RADIUS is a mainstream protocol used in a large number of vendor products. The vulnerability is in the protocol, so those vendors are likely affected. The simplest mitigation in the short term is to run RADIUS over TLS.
- Slide 5 of 6
If you have software using MD5 anywhere, be prepared for more discoveries of long dormant attack paths.
- Slide 6 of 6
In any case, we should be providing alternatives and discouraging the use of dial access. (My newest laptop does not even have a dial modem.)
Slide 1 of 0- Slide 1 of 6
Australia Instructs Government Entities to Examine Technology for Risk of Exposure to Foreign Control
The Australian government has published Protective Security Directions under the country's Protective Security Policy Framework (PSPF) instructing government entities to take steps to assess whether their systems are vulnerable to being controlled or manipulated by foreign threat actors. The three directions require Australian Government entities to identify indicators of Foreign Ownership, Control or Influence risk as they relate to procurement and maintenance of technology assets and appropriately manage and report those risks; to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities; [and] to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities.
Editor's Notes
- Slide 1 of 4
These directives went into effect Monday, July 8, and apply to "any hardware, software or information system" such as mobile apps, as-a-service offerings, hosting platforms and enterprise systems. They have until June 2025 to identify and report these FOCI risks. Included in these security directions is a restriction on use of TikTok on government devices based on the security risk of that application.
- Slide 2 of 4
This type of effort should really require government entities to examine all technology for risk of exposure to external control, not just 'foreign' control. Remember: Solar Winds was not considered a 'foreign' company to US (and probably Australian) government agencies, nor were many vulnerability riddled VPN providers.
- Slide 3 of 4
Some excellent recommendations and I strongly recommend that even if you are not an Australian entity that you take heed of them.
- Slide 4 of 4
The lesson for the rest of us is that understanding the threat environment is essential to an effective and efficient security architecture.
Slide 1 of 0- Slide 1 of 4
Joint Advisory from International Intelligence Agencies on Chinese APT Group Activity
A cybersecurity advisory published jointly by intelligence agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the UK, and the US warns of malicious cyber activity being conducted by a People's Republic of China state-sponsored threat actor group. The advisory notes that adversary, known as APT40, possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.
Editor's Notes
- Slide 1 of 2
Current APT40 activities leverage techniques that require user interaction, such as phishing campaigns, to obtain credentials for follow-on activities as well as leveraging compromised SOHO devices for launching point attacks which blend in with legitimate traffic. Mitigations for these attacks include enforcing MFA, replacing EOL equipment, implement a robust patch management system, disabling unneeded services/ports/protocols, and segmenting networks to limit horizontal movement/access.
- Slide 2 of 2
The two biggest takeaways: 1) new vulnerabilities can be rapidly weaponized in hours by utilizing proof of concept code; and 2) the increasing use of compromised devices as operational infrastructure. The mitigations listed are standard security controls captured in mainstream cybersecurity frameworks like NIST CSF, ISO 270001, and CIS Critical Security Controls. Hopefully, organizations have already implemented those controls and underlying safeguards.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Snowflake Now Lets Admins Make MFA Mandatory
Data cloud company Snowflake has introduced multi-factor authentication (MFA) to its user accounts. Users who log in without MFA will be prompted to enable the feature every three days until adopted. In addition, an update to Snowflake's Authentication Policies allows admins to make MFA mandatory for all users on an account. Snowflake recently made headlines when several large data breaches were traced back to the fact that all were Snowflake customers.
Editor's Notes
- Slide 1 of 4
Your admin Snowflake users should already be on MFA; this completes the circle allowing you to require mandatory MFA for all users. MFA by default needs to become our mantra with the state of credential compromise.
- Slide 2 of 4
Snowflake is going to keep giving for a while. This morning, AT&T announced that almost all customer phone records have been compromised, probably through Snowflake. This is an early report; however, enabling MFA is one step. This needs to go further.
- Slide 3 of 4
Seatbelts went from an option to a standard feature provided by the automobile industry. Over time the government made its use mandatory for all drivers (and front seat passengers). We can expect the same for MFA, as legal settlements will drive its mandatory use as an example of reasonable cybersecurity.
- Slide 4 of 4
We can mandate strong authentication on employees and new customers. However, because the user must be involved in setup, it is difficult to mandate it on existing customers. This approach seems like a useful compromise between option and mandate.
Slide 1 of 0- Slide 1 of 4
Google Makes Passkeys Available to Advanced Protection Program Users
Google began support for passkeys for regular accounts more than a year ago and made them the default login method in last October. Google has now begun offering passkeys to users of its Advanced Protection Program (APP), which provides added protections for users who are likely to be targeted in digital attacks, such as journalists, human rights workers, and elected officials and campaign workers. APP requires multi-factor authentication, which until now required hardware tokens.
Editor's Notes
- Slide 1 of 4
Previously, these users needed two hardware tokens for enrollment and login requires the password plus one physical security token; that will be replaced by the use of a Passkey which facilitates login in certain high-risk situations as well as simplifying the process of securing these accounts quickly. Make sure that your high-risk individuals are taking advantage of every available trick, such as passkeys, to secure their accounts.
- Slide 2 of 4
If any of your management qualifies for this, take them to lunch and sell them on signing up.
- Slide 3 of 4
Passkeys are the future in user authentication. High risk users can already take advantage of the technology but lose the added security advantages provided by APP. Google has simply streamlined the process and removed the need for a separate hardware token. Kudos to Google!
- Slide 4 of 4
Passkeys are a more convenient option than passwords. In single user devices, they are more secure. In multi-user devices and multi-device users (e.g., support personnel) other strong authentication options (e.g., hardware tokens) should be available.
Slide 1 of 0- Slide 1 of 4
CISA and FBI Secure by Design Alert: Eliminating OS Command Injection Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a Secure by Design alert aimed at eliminating operating system command injection vulnerabilities. The alert references recent OS command injection vulnerabilities in Cisco NX-OS (CVE-2024-20399), Palo Alto Networks PAN-OS (CVE-2024-3400), and Ivanti Connect Secure and Policy Secure (CVE-2024-21887). The document provides concrete advice: use built-in library functions that separate commands from their arguments; use input parameterization to keep data separate from commands; validate and sanitize all user-supplied input as well as a list of Secure by Design principles: take ownership of customer security outcomes; embrace radical transparency and accountability, build organizational structure and leadership to achieve these goals.
Editor's Notes
- Slide 1 of 2
I recently published a video with tips to avoid OS command injection. See https://www.youtube.com/watch?v=7QDO3pZbum8: SANS Cloud Security | Operating System Command Injection
- Slide 2 of 2
In addition to taking precautions in code to prevent exploitation, the guide advocates aggressive adversarial testing to assure the quality and security of the code throughout the development lifecycle. While that sounds burdensome, it's a lot easier to fix issues when looking at smaller sections of the code than after the entire application is integrated and deployed. Remember that our adversaries are not restricted by delivery timelines to discover flaws, so anything we can do to not only make our testing more comprehensive but also aid remediation, is a big win.
Slide 1 of 0- Slide 1 of 2
Microsoft Patch Tuesday
On Tuesday, July 9, Microsoft released updates to address more than 130 CVEs, including two that are being actively exploited: a Windows Hyper-V privilege elevation flaw (CVE-2024-38080) and a Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-38112); both are rated important severity. The Windows MSHTML Platform Spoofing Vulnerability has been under exploit since at least January 2023.
Editor's Notes
- Slide 1 of 2
There are 142 vulnerabilities addressed by this patch set. The MSHTML flaw affects all hosts from Windows 2008 R2 onwards, including clients. These days, browser related patches should already migrate to the top of your priority list. Don't lose sight of CVE-2024-38021, RCE flaw in MS Office, CVSS score 8.8, which could be used to disclose NTLM hashes; while there is debate about the criticality of the update, as it's a flaw in user facing components which is relatively easy to exploit, I'd jump on that too.
- Slide 2 of 2
I think the 1245 Microsoft Vulnerability Tuesday CVEs is MSFTÕs high-water mark but at the 2024 pace they will shatter that. Back in 2020, I had hoped the big year (which was followed by three years of 30% fewer vulnerabilities reported) might lead to long term improvement. But as the Cybersecurity Safety Review Board study of Microsoft and this month's numbers point out, the truth was Microsoft had really taken their eyes off the security ball. It is important to make sure cost of patching and mitigation before patching is possible are considering when evaluating software and cloud services - lowest acquisition cost is not always the most cost effective.
Slide 1 of 0- Slide 1 of 2
Palo Alto Networks Updated Include Fixes for Critical Flaw in Expedition and RADIUS Privilege Elevation Flaw
On Wednesday, July 10, Palo Alto Networks released security advisories to address five CVEs. One of the advisories is rated critical, one is rated important, and the rest are rated medium. The critical advisory (CVE-2024-5910) affects Expedition; a missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. One of the medium-severity advisories (CVE-2024-3596) addresses the BlastRADIUS vulnerability as it affects PAN-OS firewalls in certain configurations.
Editor's Notes
CVE-2024-5910, Expedition authentication flaw, CVSS score 9.3 affects all versions of Expedition prior to 1.2.92. Until you have the update deployed you can mitigate the risk by limiting network access to Expedition to authorized users, hosts or networks. PAN devices are vulnerable to BlastRADIUS if they are configured to use CHAP or PAP for authentication, if you're with EAP-TTLS with PAP, you're not vulnerable. The update adds RADIUS message authentication which is disabled by default. You can enable using "set auth radius-require-msg-authentic yes" - no commit required. Check the status with "sho auth radius-require-msg-authentic."
VMware Releases Aria Updates to Address SQL-injection Flaw
VMware has released updates for their Aria Automation product to address an SQL-injection vulnerability that could be exploited to perform unauthorized read/write operations in the database. The vulnerability is due to the product not applying correct input validation. Users are urged to update to fixed versions of VMware Aria Automation.
Editor's Notes
- Slide 1 of 2
CVSS-2024-22280, Aria SQLi flaw, CVSS score 8.5, requires an authenticated user to exploit, affects VMware Cloud foundation 4.x and 5.x, as well as VMware Aria Automation version 8 prior to 8.17. The fix is to upgrade to 8.17, which can be done using Aria Suite Lifecycle, which will also pre-check your environment for compatibility and capacity.
- Slide 2 of 2
It is 2024, we should not be seeing SQL-injection flaws in products and systems, especially products as critical to organisations as VMware is. It is this continuous lack of security in products, despite repeated assurances from vendors that they "take security seriously", that is forcing regulators to introduce laws and regulations on the minimal security requirements for the products we rely on.
Slide 1 of 0- Slide 1 of 2
GitLab Critical Patch Release
GitLab has released versions 17.1.2, 17.0.4, 16.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE) to address six vulnerabilities, including a critical improper access control vulnerability (CVE-2024-6385) which could be exploited to trigger a pipeline as another user under certain circumstances. The update also address a medium severity improper access control vulnerability that could allow a developer user with admin_compliance_framework custom role É to modify the URL for a group namespace under certain circumstances. The other four vulnerabilities are rated low severity.
Editor's Notes
- Slide 1 of 2
You may already have traffic at your site on deploying this fix. Note this is for your local, self-hosted GitLab. Note that GitLab has modified their release process to combine security and patches to facilitate deployment. GitLab has not published a workaround; you need to deploy the updates.
- Slide 2 of 2
You can imagine triggering pipelines as a different user can be a major issue. It appears this is limited to on-premises, in a public cloud service, which could be highly problematic.
Slide 1 of 0- Slide 1 of 2
Ransomware Operators are Exploiting Known Veeam Vulnerability
A ransomware group is exploiting a known vulnerability in Veeam to infect systems with a LockBit variant. A fix for the high-severity flaw in Veeam Backup & Replication software was released in March 2023. The malware operators appear to have gained initial access to their victims' environment through a dormant account on a Fortinet FortiGate firewall SSL VPN appliance and from there they then exploit the Veeam vulnerability.
Editor's Notes
- Slide 1 of 2
Backup systems like Veeam have been in the crosshairs of attackers for a while. In particular ransomware attacks like to remove backups as a recovery option. But these systems can also be used for lateral movement. The backup processes may be corrupted to execute code on clients.
- Slide 2 of 2
CVE-2024-27532, vulnerability in Veeam Backup & Recovery component, CVSS score 7.5, allows encrypted credentials in the configuration database to be obtained. The patch was released in March of 2023. Make sure that got deployed; if not, assume compromise. Initially abused by the FIN7 gang to obtain credentials, the EstateRansomware gang is now exploiting this flaw to deploy their LockBit variant both encrypting files and extorting payments.
Slide 1 of 0- Slide 1 of 2
Citrix Releases Seven Security Bulletins
This week, Citrix released seven security bulletins to address vulnerabilities in multiple products, including a critical improper authentication vulnerability in NetScaler Console (CVE-2024-6235) that could be exploited to obtain sensitive information. Other vulnerabilities addressed in the bulletins include high severity improper privilege management issues in Citrix uberAgent, Citrix Workspace app for Windows, Windows Virtual Delivery Agent for CVAD, and Citrix DaaS.
Editor's Notes
The flaws exist in NetScaler ADC and Gateway versions 14, 13 and 12.1. Version 12 is unsupported, so you need to update to a supported version, no options to patch. Make sure you're subscribed to the Citrix security bulletins to keep in the loop. In addition to addressing CVE-2024-6235, authentication bug, CVE-2024-6236, buffer overflow flaw, CVSS score 7.1, which can be exploited to cause DOS, is also addressed in these updates.
Internet Storm Center Tech Corner
Microsoft Patch Tuesday July 2024
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+July+2024/31058
Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks in Internet Shortcut File CVE-2024-38112
Adobe Patches
https://helpx.adobe.com/security/security-bulletin.html
Finding Honeypot Data Clusters Using DBSCAN Part 1
https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part+1/31050
Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots
https://isc.sans.edu/diary/Understanding+SSH+Honeypot+Logs+Attackers+Fingerprinting+Honeypots/31064
Patch or Peril: A Veeam Vulnerability Incident
https://www.group-ib.com/blog/estate-ransomware/
Juniper Patches
RADIUS protocol susceptible to forgery attacks
https://kb.cert.org/vuls/id/456537
https://www.inkbridgenetworks.com/blastradius/faq
VMWare Aria Automation SQL Injection Vuln
Leaked SMS Messages
https://www.ccc.de/de/updates/2024/2fa-sms
Second RegreSSHion Like OpenSSH Vulnerability
https://lwn.net/ml/all/20240708162106.GA4920@openwall.com/
SharePoint Proof of Concept Exploit CVE-2024-38094 CVE-2024-38024 CVE-2024-38023
https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC/blob/main/poc_filtered.py
Citrix Netscaler, Agent and SDX Security Bulletin CVE-2024-6235 CVE-2024-6236
OpenVPN Updates