SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
POC Code for Critical IPv6 Flaw has Been Released
Users are urged to update Windows to ensure they have addressed CVE-2024-38063, a critical remote code execution vulnerability that Microsoft released on Tuesday, August 13 as part of their August Patch Tuesday. Proof-of-concept exploit code for the integer underflow issue has been made available.
Editor's Notes
- Slide 1 of 3
Luckily, the released code will only cause a system to crash, and triggering even the DoS condition is not fully reliable. Finding paths to code execution will be tricky. Let's hope exploit developers are not going to surprise us with a solution anytime soon.
- Slide 2 of 3
This one is still fragile as an exploit, but it works. However, the exploit is complicated and, over time, maybe weaponized. I'm not a fan of disabling IPv6Ó at the network adapter layer, as I've been through this movie before. We had the same conversations in the Novell IPX/SPX and IPv4 days. Once you get to 'enabling IPv6, you may find it's not as easy as disabling it. I prefer to patch the systems and properly route IPv6; if you cannot, disable IPv6. Do not leave IPv6 untouched; that is also a vector for adversary in-the-middle attacks.
- Slide 3 of 3
You're thinking, 'Switch to IPv6 they said; it'll be secure they said.' They weren't wrong - implementation details are where things can go south. At the time the patch was released on August 13, there weren't any known POCs or exploits. If you've already rolled out the update, you're good. If you're still doing analysis, time to step it up. Then go back and make sure you're following the current best practices for a secure IPv6 rollout.
Slide 1 of 0- Slide 1 of 3
Microsoft Endpoint Security Ecosystem Summit
Microsoft will host a Windows Endpoint Security Ecosystem Summit on September 10. The event will allow 'Microsoft, CrowdStrike and key partners who deliver endpoint security technologies [to] come together for discussions about improving resiliency and protecting mutual customers' critical infrastructure.' Microsoft is also inviting government representatives to the meeting. A Microsoft spokesperson told the Register that the meeting will not be open to the press.
Editor's Notes
- Slide 1 of 3
Way back in 2003, Microsoft acquired GeCAD, a Romanian antivirus software company and I wrote a Gartner research note urging Microsoft change the game by making Windows and Office apps more secure and not just join in on endpoint security revenue (projected to be over $5B in the US in 2024) - revenue which largely exists because of Microsoft vulnerable code and Microsoft's refusal to force Windows users away from reusable passwords. This area is kind of like the profit attractiveness of drugs to alleviate symptoms vs. development of cure for causes of disease.
- Slide 2 of 3
It's common for Microsoft to ask vendors to come in and discuss their products. I suspect this may be the first time all the vendors are at the same conference on the same topic.
- Slide 3 of 3
A not unexpected follow-on event after the CrowdStrike incident. Cyber Resiliency is critical and making sure our endpoints are as robust as possible, to include detection and prevention of attacks, is a key component here. Part of the discussion will be the efficacy of removing kernel access, something Apple has been working on for the last few years; it's not simple and has nominal return. Even so, cyber improvements are likely to come in small increments.
Slide 1 of 0- Slide 1 of 3
Opting Out of Apple's AI Scraping
Apple's Applebot web-crawler has a secondary user agent, Applebot-Extended, that gives web publishers additional controls over how their website content can be used by Apple. Since the user agent's introduction several months ago, a sizeable number of news outlets and social media platforms, including the New York Times, Cond Nast, Instagram, and Facebook, have opted out of allowing Applebot to scrape data from their sites for AI training.
Editor's Notes
- Slide 1 of 3
Unlike traditional search engine web crawlers, AI bots will obscure the original source of any information they acquire to train their models. Even if asked for a reference, AI bots in the past have often made up fictitious references. Copyright holders are rightfully concerned about the use of their work by AI bots without being provided any credit or compensation.
- Slide 2 of 3
On the Red Team my first thought is, what happens when I switch my user agents around and become one of these bots? It's always interesting.
- Slide 3 of 3
Applebot respects directives in your robots.txt file, for user-agent Applebot or Googlebot. The directive blocks the data on your site from being used to train their LLM. Google's AI-specific bot, Google-Extended, is blocked by about 43% of websites while OpenAI is blocked by about 53%. Apple competitors like OpenAI and Perplexity are negotiating partnerships with news outlets, social platforms and other sites to allow processing their content. Speculation is businesses want to withhold data until a partnership (typically paid) is established. If you have copyrighted content, you likely don't want the LLM's trained on it, update your robots.txt. With the plethora of new AI bots, consider wildcards to avoid perpetual updates.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Botnet Campaign Exploits Multiple Vulnerabilities to Spread Mirai
Researchers from Akamai's Security Intelligence and Response Team (SIRT) have observed a botnet campaign that spreads a Mirai variant. The campaign exploits several known vulnerabilities as well as a zero-day command injection issue (CVE-2024-7029) affecting AVTECH IP Camera. The Akamai write-up includes indicators of compromise.
Editor's Notes
CVE-2024-70929 can be exploited over the network without authentication. There isn't a patch for the cameras, so you need to restrict access and monitor for unexpected activity. Mirai continues to be used to exploit unpatched/vulnerable IoT devices, so it's a good time to make sure you're both patching and defending these devices, particularly SOHO and other "set and forget" items, which easily fall of the radar because they "just work."
Fortra Patches FileCatalyst Workflow Vulnerability
Users of Fortra's FileCatalyst Workflow are urged to update their instances to version 5.1.7 or later. The update addresses two vulnerabilities: a critical default credential exposure vulnerability (CVE-2024-6633) and a high-severity SQL injection vulnerability (CVE-2024-6632). Both flaws were discovered by researchers from Tenable in early July.
Editor's Notes
Two issues here: First, the default, setup, HSQLDB database credentials were published in a support article. The database was not intended for production use, but some sites missed the guidance to create a replacement, and it is deprecated. Second is a SQLi flaw in their workflow, which requires update to 5.1.7 to fix. Make sure you're not using the default HSQLDB and if you are, limit access (it listens on port 4406), and then follow the guidance to create a replacement.
#StopRansomware Warning: RansomHub
A joint #StopRansomware cybersecurity advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) contains information relevant to RansomHub ransomware-as-a-service (RaaS). The document lists technical details, including the vulnerabilities RansomHub threat actors exploit for initial access, as well as indicators of compromise and tactics, techniques, and procedures.
Editor's Notes
Definitely a good document to brush up on your ransomware defenses. First and foremost, make sure you're using phishing resistant MFA wherever possible, eliminate SMS and phone call based two-factor, and make sure users are trained to recognize and report phishing attempts. You'll likely find your products already have the foundation you need to support MFA; this is more of creating (and executing) an implementation plan than rolling up a truckload of new products.
Dutch Defense Ministry Data Center Malfunction
A malfunction at a Dutch Ministry of Defense (MoD) data center is disrupting civilian air traffic control systems, emergency services communications, and preventing MoD civilian employees and others using the same network from accessing workstations. It has also prevented the Dutch National Cyber Security Centre (NCSC-NL) from sending out security advice. As of August 28, MoD did not know the cause of the malfunction.
Editor's Notes
- Slide 1 of 2
Not a lot of specifics are being shared. The Dutch Ministry of Defense is categorizing this as login problems with some service impacts due to phones being offline. The outage is impacting flights to Eindhoven airport which serves as a military base; Schiphol, the country's largest airport, remains unaffected. Given the impact on civilian travelers, it's reasonable to expect better communications on the outage, impacts and related activities.
- Slide 2 of 2
I suspect they will revisit connectivity to other networks as part of the After Action Report (AAR) and look to segment those networks.
Slide 1 of 0- Slide 1 of 2
Employee Arrested for Alleged Data Extortion
US law enforcement authorities have arrested a core infrastructure engineer for allegedly attempting to extort funds from his former employer. Daniel Rhyne faces charges of extortion in relation to a threat to cause damage to a protected computer, intentional damage to a protected computer, and wire fraud. In November 2023, some of the company employees received an email warning that all IT admins had been locked out of the company's network, that server backups had been deleted, and more servers would be shut down every day a ransom demand was not paid. Rhyne was arrested on August 27, 2024.
Editor's Notes
- Slide 1 of 2
The phrase "if this goes sideways, delete my browser history" comes to mind. While a privileged insider is tricky to prevent, particularly one with global admin, enforced MFA and monitoring can raise the bar.
- Slide 2 of 2
The court documents call into question the skillset of Mr. Rhyne as an infrastructure engineer. At a minimum, he didn't seem to have familiarity with the 'command line' interface. Oh well, score one for the good guys although it doesn't seem that they had to work that hard to find and charge the culprit.
Slide 1 of 0- Slide 1 of 2
Dick's Sporting Goods Discloses Cyber Incident
In a form 8-K filing with the US Securities and Exchange Commission (SEC), Dick's Sporting Goods says that they 'discovered unauthorized third-party access to its information systems' on August 21. Dick's activated their cybersecurity incident response plan and brought in third-party experts.
Editor's Notes
So far, Dick's is reporting that this didn't have a substantive impact on their operations, and ransomware wasn't in play. Store phone systems are offline, and employees are reporting that email and other accounts are locked, and access is only being restored after re-verification of employee identities on-camera, indicating the entry point was a compromised credential. Oddly, employees are being told the account lockouts were due to planned activity rather than the cyber incident and further information would be relayed via personal email or text messages rather than relying on the offline internal systems. Employees are being directed not to discuss the incident publicly or put anything in writing. Better guidance would be to direct any inquiries to the communication team. https://www.bleepingcomputer.com/news/security/dicks-shuts-down-email-locks-employee-accounts-after-cyberattack/: DICK'S shuts down email, locks employee accounts after cyberattack