Hardcoded credentials in SolarWinds Web Help Desk (WHD) could be exploited to allow a 'remote unauthenticated user to access internal functionality and modify data.' The issue affects WHD versions 12.8.3 HF1 and earlier. SolarWinds has released a hotfix (WHD 12.8.3 HF2) to address the vulnerability. This is the second hotfix for WHD that SolarWinds has released this month; the previous fix addressed a Java deserialization remote code execution vulnerability.
Should be obvious that this must be patched quickly. Hardcoded credentials tend to leak shortly after the patch is released (if not before).
It's 2024; hardcoded credentials need to be ancient history. Make sure your SQA processes screen for them. The update, WHD 12.8.3 HF2, addresses two issues: CVE-2024-28987, the WHD hard-coded credential vulnerability (CVSS score 9.1), and CVE-2024-28986, the WHD Java deserialization RCE vulnerability (CVSS score 9.8), previously fixed in WHD 12.8.3 HF1. The hard-coded credential flaw can be exploited by unauthenticated users; the Java deserialization flaw requires an authenticated user. Some good news: HF2 includes the fixes from HF1. The hotfix requires installation of three jar files and manually editing the tomcat_server_template.xml file.
Hardcoded credentials are like catnip to cybercriminals; they are on the prowl and looking to exploit. Given the recent uptick in examples of this sort of exploit and its own recent software security issues, it's a bit surprising that the company didn't fix this before it became a problem. Bottom line: apply the hotfix now.
One more example, as if any were needed, of why a safety first culture, secure by design, is so important to the modern enterprise.
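The SQA screening the editors call for above can be automated at code-review time. The scanner below is an added example written for this page, not SolarWinds' or SANS' code: the rule set, the placeholder allow-list and the sample configuration text are constructed for illustration, and every secret value in the sample is made up. It reports a line number, the rule that fired, a redacted value and the value's Shannon entropy, so a reviewer can tell a real credential from a dummy without the secret itself landing in CI logs.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Each rule: (name, pattern, index of the capture group holding the secret).
# Rules are deliberately broad: a false positive costs a reviewer a minute,
# a miss ships a hard-coded credential.
RULES = [
    ("assigned-secret",
     re.compile(r"""(?i)(?:pass(?:word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["']?([^"'\s;,]{6,})["']?"""), 1),
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("url-with-credentials", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@"), 1),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"), 1),
]

# Values substituted at deploy time (env vars, templates) are not secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|%.*%|<.*>|\{\{.*\}\})$")


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str   # never echo the full secret into CI output
    entropy: float  # bits per character; low values suggest a dummy like 'password'


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(s: str) -> str:
    return s[:2] + "..." + s[-2:] if len(s) > 4 else "****"


def scan(text: str) -> List[Finding]:
    """Run every rule over every line; skip values that are only placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern, group in RULES:
            for m in pattern.finditer(line):
                value = m.group(group)
                if PLACEHOLDER.match(value):
                    continue
                findings.append(Finding(line_no, name, redact(value), round(shannon_entropy(value), 2)))
    return findings


# Constructed sample (not a real SolarWinds file): a properties fragment and a
# Java fragment with one templated value and four hard-coded secrets.
SAMPLE = """\
# whd.properties (constructed sample)
db.user=helpdesk
db.password=${DB_PASSWORD}
# Dev left this in:
String support = "support";
String supportPassword = "Sup3rS3cretP@ss";
AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'
url = "https://svc:hunter2pass@internal.example.com/api"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.rule} value={f.redacted} entropy={f.entropy}")
```

Wire `scan` into a pre-commit hook or a CI job that fails the build on any finding; the placeholder allow-list is what keeps `${DB_PASSWORD}`-style injection from tripping the gate, which is the pattern hard-coded credentials should be replaced with.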
SolarWinds
The Register
Security Online
The Hacker News
Bleeping Computer
NVD
Researchers from Datadog Security Labs have detected a new campaign exploiting the Log4Shell vulnerability. The critical flaw was first detected in November 2021 and exploits surfaced less than two weeks later. Exploits for the vulnerability have become parts of hacking toolkits. While fixes have been available since December 2021, the issue is proving difficult to eliminate 'because of software dependencies and so-called "transitive dependencies" that make patching very difficult.'
We are observing very consistent scans for Log4j/Log4Shell issues in our honeypots.
We all acknowledged that it would take a long time to patch Log4J/Log4Shell, but were we thinking it'd still be in play almost three years later? There is a cliche about the old tricks still working. Anyway, beyond passing the IOCs from Security Labs to your team, make sure that you're still scanning for vulnerable Log4J, and applying updates when they are released. Make sure mitigations are still in place for those high-impact systems and applications which are difficult to get updated as well as having conversations about both fixed versions and deployment schedules.
The lesson here is that, not only is patching an inefficient way to achieve quality, for some widely used software, it is futile.
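Scanning for vulnerable Log4j copies, as the comment above recommends, has to look inside nested archives: a WAR or EAR often bundles log4j-core as a transitive dependency that no package manager lists. The scanner below is an added example written for this page, not Datadog's or the Apache project's code. It walks a directory tree, opens every jar/war/ear, recurses into archives found inside them, reads the version from the Maven pom.properties (falling back to the file name) and checks for the JndiLookup.class that the class-removal mitigation deletes. The fixed-version thresholds (2.17.1, and 2.12.4 / 2.3.2 on the Java 7 / Java 6 branches) are Apache's published final fixes for the Log4Shell family; the sample WAR is constructed in memory and its class entries hold only the class-file magic.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class Hit:
    path: str                 # nested entries joined with '!/'
    version: Optional[str]
    has_jndi_lookup: bool
    vulnerable: bool


def is_vulnerable(version: str) -> bool:
    """True if a log4j-core version predates Apache's final fix on its branch."""
    m = VERSION_RE.match(version)
    if not m or int(m.group(1)) != 2:
        return False          # log4j 1.x is a different codebase; 3.x was never affected
    v = (2, int(m.group(2)), int(m.group(3) or 0))
    if v < (2, 4, 0):
        fixed = (2, 3, 2)     # Java 6 branch
    elif v < (2, 13, 0):
        fixed = (2, 12, 4)    # Java 7 branch
    else:
        fixed = (2, 17, 1)
    return v < fixed


def scan_archive(path: str, data: bytes) -> List[Hit]:
    """Inspect one archive held in memory and recurse into archives it contains."""
    hits: List[Hit] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:   # no Maven metadata: fall back to the file name
            m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", path)
            version = m.group(1) if m else None
        has_jndi = JNDI_CLASS in names
        if has_jndi or POM_PROPS in names:
            # Lookup class present with an unknown version is treated as vulnerable;
            # a removed JndiLookup.class (the class-removal mitigation) is not.
            vulnerable = has_jndi and (version is None or is_vulnerable(version))
            hits.append(Hit(path, version, has_jndi, vulnerable))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                hits.extend(scan_archive(f"{path}!/{name}", zf.read(name)))
    return hits


def scan_tree(root: str) -> List[Hit]:
    hits: List[Hit] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    hits.extend(scan_archive(full, fh.read()))
    return hits


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed fixture: a WAR bundling one vulnerable and one fixed log4j-core."""
    magic = b"\xca\xfe\xba\xbe"   # class-file magic only, not real bytecode
    old = _make_zip({JNDI_CLASS: magic, POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    new = _make_zip({JNDI_CLASS: magic, POM_PROPS: b"version=2.17.1\nartifactId=log4j-core\n"})
    return _make_zip({
        "WEB-INF/classes/App.class": magic,
        "WEB-INF/lib/log4j-core-2.14.1.jar": old,
        "WEB-INF/lib/log4j-core-2.17.1.jar": new,
    })


if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive("app.war", build_sample_war())
    for h in hits:
        print(f"{'VULNERABLE' if h.vulnerable else 'ok'}\t{h.path}\tversion={h.version}\tjndi={h.has_jndi_lookup}")
```

Run it with a directory argument (application servers' deploy directories, build caches, container image layers) to get a per-archive list; with no argument it scans the constructed sample. A shaded or relocated log4j-core will not carry the Maven metadata, which is why the class path check is kept separate from the version check.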
Google has updated their Chrome browser to address a high-severity type confusion vulnerability in V8 that could be exploited to execute code on unpatched machines. Microsoft notified Google of the vulnerability on August 19; Chrome 128 was released two days later. This is the ninth zero-day Chrome vulnerability that Google has patched this year. In all, Chrome 128 addresses 38 security issues, seven of which are high-severity.
Since Microsoft has committed again to 'Security is Job 1,' it is time for Windows patching to happen as frequently and as transparently as browser and mobile OS patching. I think what is needed to make that happen largely overlaps with OS restrictions that are needed to force app developers to 'Secure By Design' anyway.
With this vulnerability Google exceeds its 2023 total of eight zero-days. The update is easy: quit your browser and restart. As a reminder, as a good security practice, reboot your system on a weekly basis.
Seems like we just updated Chrome yesterday. The what's-new page for Chrome 128 highlights Google Lens and Gemini chat. Google Lens was introduced in 2017 but has been enhanced to search videos, livestreams, or images you're watching. Gemini, also available at gemini.google.com, should fall under your current GenAI usage. Consider the activity setting under Gemini Apps (myactivity.google.com) which governs the use or review of your data by Google.
Chrome Releases
Security Week
Cybersecurity News
Bleeping Computer
Help Net Security
SC Magazine
NVD
The US Securities and Exchange Commission (SEC) has fined financial service firm Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, $850,000 for failing to protect clients' funds and securities. In 2022, Equiniti Trust lost roughly $4.8 million to a business email compromise scheme; the company managed to recover about $1 million of the stolen funds. In 2023, thieves conducted account fraud using stolen Social Security numbers to steal nearly $2 million from Equiniti Trust customers. The company managed to recover all but $300,000 of those stolen funds. The SEC imposed the civil fine because the company 'failed to provide the safeguards necessary to protect its clients' funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets.'
The size of the fine is pretty low compared to what this incident has already cost the company - changing their name probably cost more! But, the settlement should drive them to change the lax processes that led to both incidents: stronger authentication to prevent email chain hijacking, and better app/penetration testing to discover, pre-production, that any legitimate SSN can be used to create fraudulent accounts.
Of the two attacks, the first (BEC) is relatable; the second is more concerning, as they automatically linked accounts based on stolen SSNs to legitimate ones. FIs often link your accounts based on your SSN, which provides a single access point to all your accounts, but also includes some of the same risk. Ask your FI what controls are in place when linking accounts, determine if the linking uses an implied or direct permission, and if more than just the SSN is used to associate the accounts.
SEC
SEC
The Record
Cyberscoop
The US Federal Aviation Administration (FAA) has published proposed cybersecurity rules for airplanes, engines, and propellers. If approved, the rule 'would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI).' The FAA is accepting public comment on the proposed rule through October 21, 2024.
These rules are about the operations of the aircraft, not the security of passenger facing systems. With increased connectivity, and an increase in the number of reported cyber-attacks in the airline industry, the FAA is proposing changes to the manufacture of aircraft, engine and propeller systems to mitigate these threats, which include field loadable software, maintenance laptops, airport/airline/public networks, wireless and cellular communication, USB, satellite and GPS navigation systems. Proposed designs would need to provide isolation or protection from unauthorized access, prevent unauthorized changes, and include mechanisms/processes to ensure cyber protections are maintained.
The FAA has been very successful in its safety mission. After elevators, it has made aviation the second safest form of transportation. These rules simply extend to software the procedures that have been so successful for hardware.
Researchers from French security firm Quarkslab have discovered a backdoor affecting certain models of MIFARE Classic smart cards. The vulnerability allows the RFID cards to be instantaneously cloned, allowing access to hotel rooms and offices worldwide.
Some excellent research by Quarkslab. What's strange is that the same hardware backdoor key exists in other vendor products. It feels a bit like a well-placed supply chain attack.
Many MIFARE Classic cards are FM11RF08S or FM11RF08 cards, which have this backdoor, which dates back to 2007, as do the FM11RF32 and FM1208-10 cards available from the same manufacturer. Double check the version of MIFARE Classic cards you're using; they may be the affected product. If you're using these cards (they are prevalent in hotels in the US, Europe and India), you're going to want to assess your risks.
Whether or not RFID applications are secure by design, cloning is harder than it looks. Attacks are extremely local and do not scale. This is one of those issues where intuition does not serve us well.
A critical unauthenticated privilege elevation vulnerability in the LiteSpeed Cache plugin for WordPress could be exploited to gain admin privileges on unpatched websites. The issue has been fixed in LiteSpeed Cache version 6.4, which was released on August 13. The plugin has more than five million active installations.
CVE-2024-28000, CVSS score of 9.8, allows an unauthenticated user to spoof the username and get admin access. This is due to a user simulation module which had an easily guessable, unsalted hash. This doesn't impact Windows-based WordPress installations, as the function relied on a PHP method not implemented on Windows. Make sure you're on LiteSpeed 6.4 or higher. Also make sure that you don't already have a cache service from your provider which could negate the need for this plugin. Wordfence has rules to block this attack and reports blocking nearly 59,000 attacks in the last 24 hours.
Yep, another WordPress plug-in vulnerability. For once, Windows-based WordPress installations are not at risk to this vulnerability. For everyone else that uses this plug-in, prioritize this download and install the patch.
Patchstack
The Hacker News
Security Online
Bleeping Computer
Cisco has released security updates to address half a dozen vulnerabilities in a range of their products, including high-severity flaws affecting Cisco Unified Communications Manager and OpenSSH Server. An out-of-bounds write vulnerability in the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could be exploited to create denial-of-service conditions. Cisco's advisory for the unauthenticated remote code execution vulnerability in OpenSSH Server, known as regreSSHion (CVE-2024-6387), lists the Cisco products affected by that flaw.
The OpenSSH flaw is the same unauthenticated RCE flaw Qualys disclosed on July 1st. Cisco has been releasing updates across their product line for any which use the vulnerable OpenSSH; you should already have a cadence of deploying these. There are no workarounds for the out-of-bounds write vulnerability (CVE-2024-20375); you need to deploy the update. (Unified CM and CM SME version 12.5(1)SU9, 14SU4 or 15SU1.) There are no reports of exploitation or published POCs. Make sure you're leveraging the capabilities of a VoIP-aware firewall in-line with your SIP traffic.
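Keeping up with the OpenSSH updates across a product line starts with knowing which hosts still present an affected version. The triage script below is an added example written for this page, not Cisco's or Qualys's code. The version ranges it encodes are the ones in Qualys's 1 July 2024 regreSSHion advisory: 8.5p1 up to but not including 9.8p1 is vulnerable, 4.4p1 up to 8.5p1 is not, and anything older than 4.4p1 is vulnerable unless the CVE-2006-5051 / CVE-2008-4109 fixes were backported. The host names and banners are constructed; `fetch_banner` does a live check and is not exercised by the sample.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Server identification string, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4".
BANNER_RE = re.compile(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Version thresholds from Qualys's regreSSHion advisory (CVE-2024-6387).
OLD_FIX = (4, 4, 1)            # CVE-2006-5051 first fixed here
REGRESSION_START = (8, 5, 1)   # the fix was accidentally removed from 8.5p1 on
FIXED = (9, 8, 1)              # regression fixed


@dataclass
class Assessment:
    host: str
    banner: str
    version: Optional[Tuple[int, int, int]]
    status: str


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable-release) or None for non-OpenSSH banners."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(host: str, banner: str) -> Assessment:
    v = parse_version(banner)
    if v is None:
        return Assessment(host, banner, None, "not-openssh-or-unparsed")
    if REGRESSION_START <= v < FIXED:
        status = "vulnerable-by-version"
    elif v < OLD_FIX:
        status = "legacy-verify-backports"
    else:
        status = "not-vulnerable-by-version"
    return Assessment(host, banner, v, status)


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    # Live check: the server sends its identification string first, so one
    # recv on a fresh connection is enough. Not called by the offline sample.
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()


def triage(banners: Dict[str, str]) -> List[Assessment]:
    return [assess(host, banner) for host, banner in banners.items()]


# Constructed sample: host names and banners are made up for illustration.
SAMPLE_BANNERS = {
    "voice-gw-1": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "jumphost":   "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "build-01":   "SSH-2.0-OpenSSH_9.8p1",
    "legacy-kvm": "SSH-2.0-OpenSSH_4.3",
    "ucm-pub":    "SSH-2.0-Cisco-1.25",
}

if __name__ == "__main__":
    for a in triage(SAMPLE_BANNERS):
        print(f"{a.host:12} {a.status:28} {a.banner}")
```

A banner check is a triage signal, not a verdict: distributions and vendors that backport the fix keep the upstream version in the banner (the constructed Ubuntu 9.6p1 host would be flagged even after its package was patched), and appliances like the Cisco banner above hide the OpenSSH build entirely. Confirm a `vulnerable-by-version` result against the package version or, for Cisco products, against Cisco's advisory.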
Cisco
Cisco
Cisco
Security Week
NVD
NVD
Atlassian's August 2024 Security Bulletin addresses vulnerabilities in Bamboo Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server. In all, the updates address nine CVEs, all of which are rated high-severity.
These CVEs' CVSS scores range from 7.1 to 8.1, and given that both your Confluence and Jira servers are impacted, not to mention Crowd and Bamboo, spend more time getting the update scheduled rather than arguing over severity, particularly if any of those are Internet facing. This is a good time to revisit using hosted (cloud) versus on-premises Atlassian services.
INTERNET STORM CENTER TECH CORNER
Where are we with CVE-2024-38063: Microsoft IPv6 Vulnerability
https://isc.sans.edu/diary/Where+are+we+with+CVE202438063+Microsoft+IPv6+Vulnerability/31186
Mapping Threats with DNSTwist and the Internet Storm Center
OpenAI Scans Honeypots
https://isc.sans.edu/diary/OpenAI+Scans+for+Honeypots+Artificially+Malicious+Action+Abuse/31196
Securing the Future: How Memory-Safe Programming Languages Impact Industry Safety (Christopher Ross)
Broken Linux Boot Partitions after August Microsoft Update
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc
Google Fixes Chrome 0-day
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
Cisco Zero Day Exploited (now Patched)
https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/
SolarWinds Helpdesk Backdoor
https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
Slack AI Prompt Injection
Phishing in PWA Applications
QNAP Ransomware Security Center
Microsoft August Update Prevents Linux from Booting
https://community.frame.work/t/sbat-verification-error-booting-linux-after-windows-update/56354
PHP CGI Vulnerability Exploited CVE-2024-4577
https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns
F5 Updates