SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
DARPA: Let's Translate Legacy C into Rust
The US Defense Advanced Research Projects Agency (DARPA) has announced the TRACTOR (TRanslating All C TO Rust) project to automate converting code written in C to Rust. Dr. Dan Wallach, DARPA program manager for TRACTOR, anticipates proposals that include novel combinations of software analysis, such as static and dynamic analysis, and large language models. The program will host public competitions throughout the effort to test the capabilities of the LLM-powered solutions. DARPA will host a Proposers Day on Monday, August 26, 2024, with both in-person and virtual attendance options.
Editor's Notes
- Slide 1 of 3
Interesting tool, and something that should work quite well. I just hope it doesn't add new vulnerabilities. Remember that memory safety is important, but not the only source of vulnerabilities.
- Slide 2 of 3
It's exciting to see an initiative to accelerate code migration tools, in this case C to Rust, but memory safe code doesn't alleviate the need to use secure coding practices. Additionally, careful consideration has to be considered to making a language conversion, not only for compatibility and stability but also growing the needed expertise and tooling to support the new language, to support both new projects and updating of the converted code. Even with improved translation tools, the code produced by these tools will need to be analyzed and modern security practices will likely need to be added.
- Slide 3 of 3
DARPA is in the business of taking on high risk projects that advance science. While their success rate is low, when they succeed, they really succeed - just look at today's modern Internet. That said, there is a lot, and I mean a lot of C/C++ code out there, much of which is in embedded systems. I suspect that C/C++ is not going away in my lifetime Ð see COBOL.
Slide 1 of 0- Slide 1 of 3
Volexity: State-Sponsored Threat Actors Launched DNS-Poisoning Attack
Researchers at Volexity say that a group of state-sponsored cyberthreat actors with ties to China compromised an Internet service provider (ISP) to poison DNS responses for certain organizations. The researchers determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms.
Editor's Notes
- Slide 1 of 2
There are not a lot of examples of this type of MitM DNS poisoning being exploited. The best defense is DNSSEC. We always say that you should never trust the network, but how many of us are following through and enable DNSSEC? Maybe DNSSEC will get an overdue boost due to attacks like this and its increased usability in e-mail safety. Check with your registrar. Many made enabling DNSSEC dead simple.
- Slide 2 of 2
StormBamboo, aka Evasive Panda or StormCloud, were taking advantage of automated software updates that still used HTTP vs HTTPS and didn't validate the update packages, resulting in an unattended install of the malicious packages such as the macOS threat MacMa (CDDS) or Reloadext Chrome extension. Mitigate the risks by ingesting the IOCs and implementing the detection rules provided by Volexity.
Slide 1 of 0- Slide 1 of 2
AWS is Using a Neural Network to Detect Malicious Domains
AWS says it is using a neural network called Mithra, 'a massive internal neural network graph model É that uses algorithms for threat intelligence' to identify malicious domains. Mithra has been detected more than 180,000 on a daily basis; it is also capable of predicting malicious domains days, weeks, and sometimes even months before they show up on threat intel feeds from third parties.
Editor's Notes
- Slide 1 of 2
Detecting malicious domains is a classic application for machine learning. Note that there are roughly 500k new domains a day. 180k represents a significant portion of all new domains.
- Slide 2 of 2
The data from Mithra can be used by AWS security services such as GuardDuty to proactively protect your AWS services. Make sure you're taking advantage of AWS security tools to give yourself every advantage.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Vulnerability in Rockwell Automation Logix Controllers
Rockwell Automation has released fixes to address a high severity chassis restrictions bypass vulnerability in certain Logix programmable logic controllers (PLCs). Updates are available for most affected PLCs; users of those for which a fix is not available are urged to upgrade to supported versions. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS advisory. The flaw was detected by researchers at Claroty's Team 82.
Editor's Notes
- Slide 1 of 2
Rockwell Automation has released fixes to address a high severity chassis restrictions bypass vulnerability in certain Logix programmable logic controllers (PLCs). Updates are available for most affected PLCs; users of those for which a fix is not available are urged to upgrade to supported versions. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS advisory. The flaw was detected by researchers at Claroty's Team 82.
- Slide 2 of 2
The attack requires network access, which in today's environment is the new normal. Organizations should look to first limit remote access (e.g., a simple firewall can be highly effective); and second, only use secure remote access (i.e., VPN) to the OT network. While you're at it you should review your physical and personnel security processes to minimize potential insider threat attacks.
Slide 1 of 0- Slide 1 of 2
OneBlood Ransomware Recovery; AHA and Health-ISAC Update Threat Bulletin
The blood donation organization that suffered a ransomware attack in late July says they are starting to bring critical systems back online; they are 'operating in a reduced capacity.' OneBlood serves hospitals in several southeastern US states. On August 1, the American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (ISAC) updated their joint threat bulletin to include the OneBlood attack. The bulletin states, 'Now that three critical third-party supply chain attacks have significantly impacted healthcare delivery in the past three months, it should serve as a wake-up call across the industry to address supply chain security and resilience.'
Editor's Notes
- Slide 1 of 2
OneBlood expects to have systems back online in the next few days and with the impending arrival of tropical storm Debby in Florida, is calling for volunteers to sign up to donate platelets soon to meet anticipated demands. Healthcare remains squarely in the cross-hairs of threat actors, meaning anyone in the business needs to not only go through their business resumption plans, but also make implementing, and verifying cyber security protections a priority.
- Slide 2 of 2
While the attack was specific to the healthcare sector, every critical sector should revisit their supply chains and run tabletop exercises looking for weaknesses. It should be a regular part of board discussions to add supplier diversity into the business. Lacking that, guardrails should be put in place to limit the effects of a supply chain disruption.
Slide 1 of 0- Slide 1 of 2
Police in Singapore Recover Millions Stolen in Business eMail Compromise Scheme
Authorities have seized over $41 million that was stolen from a commodities firm in Singapore in a business email compromise (BEC) attack. The thieves, impersonating a supplier, requested that a $42.3 million payment be made to an account in Timor Leste. When it became apparent that the funds had been misdirected, Singapore police contacted authorities in Timor Leste who helped recover the stolen money.
Editor's Notes
- Slide 1 of 2
There is not a lot of time for this type of recovery. If you find yourself in a similar situation, report to law enforcement immediately. In this case, the authorities in Timor Leste were able to arrest a total of seven suspects and recover an additional $2M, beyond the initial $39M recovered. Make sure your users, particularly those involved in authorizing payments, have heightened awareness of BEC scams. One successful scam can outweigh the cost of technical countermeasures, and associated training designed to reduce the likelihood of a successful scam.
- Slide 2 of 2
Given that the funds transfer didn't happen until four days later, speaks to some process being in place to verify the transaction. Executive teams can use this near-miss as an example to review their own financial transaction process and make changes as needed.
Slide 1 of 0- Slide 1 of 2
Patch Apache OFBiz Against Code Execution Flaw
An incorrect authorization vulnerability (CVE-2024-38856) in Apache OFBiz affects versions up through 18.12.14. The flaw could be exploited to allow execution of screen rendering code. Users are urged to upgrade to OFBiz version 18.12.15 or later. Another OFBiz vulnerability (CVE-2024-32113), which was disclosed in May, has been exploited.
Editor's Notes
OFBiz is an open-source java-based framework for creating ERP systems. CVE-2024-38856 doesn't have a CVSS score yet, but is a weakness in unauthenticated processes, and can be used to execute arbitrary code, it's a good idea to start the update process, particularly as your ERP system owner is going to want you to do full regression testing before they'll let you update production.
Linux Kernel SLUBStick Attack
Researchers from Graz University of Technology in Austria have published a paper that describes 'a novel kernel exploitation technique elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive.' The researchers successfully demonstrated the exploit against Linux kernel versions 5.19 and 6.2, both of which have reached end-of-life (EoL) in October 2022 and May 2023, respectively.
Editor's Notes
If you have systems running the 5.19 or 6.2 Linux kernel, you'll need to update. For better or for worse, your Enterprise or long-term-support Linux distributions are running older kernel versions. Check with your users running leading edge projects/versions who typically don't run these "older" versions, to verify they've already updated.
Another Azure Outage
Microsoft has addressed an Azure outage that affected services in North and Latin America on Monday, August 5. The incident lasted roughly two hours. The entry on the Azure status page reads, 'a subset of customers experienced intermittent connection errors, timeouts, or latency while connecting to Microsoft services that leverage Azure Front Door (AFD), as a result of an issue that impacted multiple geographies. The issue was limited to internal Microsoft services hosted on AFD, and did not impact external commercial customers using AFD.' Last week, an outrage affecting Azure and Microsoft 365 services caused problems worldwide.
Editor's Notes
It appears a configuration change impacted Microsoft's CDN service, which was rolled back about 90 minutes after the impact was discovered. Make sure that you're using all the HA tricks offered by your cloud service providers to mitigate risks of any service failures. Do a deep dive on what you can fail away from, don't assume you can just "turn off" services and that you understand what the potential blast radius of services are. For example, having east/west separation doesn't help for a common service across the country.