SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
White House: Internet Routing Security Enhancement Roadmap
The White House Office of the National Cyber Director has published a roadmap to enhancing Internet routing security. The document “aims to address a key security vulnerability associated with the Border Gateway Protocol (BGP),” and advocates for the adoption of Resource Public Key Infrastructure (RPKI). The roadmap offers recommended actions for network operators, network service providers, Federal Government and Communications and Information Technology Sector Stakeholder Collaboration, and policy actions specific to the federal government.
Editor's Notes
- Slide 1 of 5
Combatting all forms of hijacking and forgery requires strong authentication and integrity services, which in turn need reliable and ubiquitous cryptographic key infrastructure services – BGP and RPKI is just one example. The US government needs to use its market power to require all suppliers and recipients of government funding to move to strongly protected services – much the way years ago the US federal government required strong crypto to be used in browsers and that drove the overall adoption and improvement of SSL.
- Slide 2 of 5
Improvements in routing security have been ongoing. Many larger IPSs have implemented RPKI over the last few years. Let’s hope this initiative will help us cross the finish line to a more secure routing infrastructure.
- Slide 3 of 5
This directive is intended to require network providers to implement ROA, RPKI and ROV, which are the current best practices for BGP security, including disclosure of the status of those implementations, ultimately resulting in restrictions or requirements in purchase agreements or contracts. This follows the June requirement from the FCC for the nine largest US broadband providers to file confidential reports on their plans to bolster BGP security. At this point about 70% BGP route originations on the global Internet are ROA-valid.
- Slide 4 of 5
It is high time this issue was addressed. We need a robust, resilient, and trustworthy infrastructure. That said, a quarter of a century of history and experience suggests that it represents a tolerable risk.
- Slide 5 of 5
Setting up the infrastructure for RPKI comes at additional cost and complexity; and that, perhaps, is the reason it hasn’t been implemented in North America. Absent a mandate by the USG, it’s just another nice document to put on the shelf.
Slide 1 of 0- Slide 1 of 5
Security Camera Vendor Verkada Faces $2.95 Million Fine Over CAN-SPAM Act Violation
The US Federal Trade Commission (FTC) intends to fine security camera company Verkada nearly $3 million for violating the US’s CAN-SPAM Act, which requires entities to offer a means of opting out of receiving emails from them. The FTC will also require Verkada to develop and implement an information security program; Verkada failed to adequately protect customer data and intruders were able to access customer’s cameras.
Editor's Notes
- Slide 1 of 2
The Verkada incident started in 2021, where credentials were compromised allowing access to as many as 150,000 CCTV cameras. The investigation then revealed many security flaws including lack of data protection, even possible HIPAA violations. Now, in addition to the fine, they need to not only address the shortfalls but also implement a security program for the next twenty years. The FTC is putting companies on notice that they need to take protecting customer data seriously.
- Slide 2 of 2
Interesting settlement, using an email SPAM law to focus attention on a non-existent information security program. Might I suggest the CIS Critical Security Controls, Implementation Group 1, as the cybersecurity framework to use for the next 20-years. https://www.cisecurity.org/controls/implementation-groups/ig1
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Cryptographic Flaw in YubiKey 5
Researchers from NinjaLab have detected a cryptographic flaw in the YubiKey 5 two-factor authentication FIDO-based hardware token. According to the researchers, an attacker with physical access to the token could exploit the side-channel flaw to clone it. The vulnerability affects all YubiKeys running firmware older than version 5.7; it is not possible to update firmware on YubiKey.
Editor's Notes
- Slide 1 of 2
There is no need to panic. Extracting the secrets not only requires physical access, but also requires the attacker to open the key, which is usually destructive to the housing. Remind users to properly secure keys with PINs and expedite reporting of misplaced keys.
- Slide 2 of 2
The flaw is specific to the Infineon ECDSA implementation and could be used to recover ECDSA private keys. It requires physical access to the device, knowledge of the accounts they wish to compromise, the device PIN or authentication key, expensive equipment and expertise to exploit. Risks to the FIDO key can be reduced by requiring more frequent FIDO authentication. Risks to PIV/OpenPGP signing keys can be mitigated by using the RSA algorithms. Yubico has removed the Infineon cryptographic library in favor of their own library in current devices. Historically, Yubico has addressed security flaws by working with customers to issue replacement devices as the firmware doesn't support updates.
Slide 1 of 0- Slide 1 of 2
Zyxel Releases Updates to Address Multiple Vulnerabilities in Routers and Firewalls
Zyxel has released eight security updates to fix vulnerabilities in multiple products, including CVE-2024-7261, a critical OS command injection vulnerability in certain access point and security router versions; the issue affects dozens of products. The seven other vulnerabilities have CVSS scores ranging from 4.9 – 8.1 and affect various Zyxel firewalls.
Editor's Notes
CVE-2024-7261 has a CVSS score of 9.8, and is due to lack of input sanitization. This CVE affects different products than the other seven CVE's. The fix is for you to update to the most current firmware; there is no workaround, with the exception of their security router which should have auto-updated. Refer to the Zyxel support articles for your specific products as updates are only released for supported products.
Transport for London Cybersecurity Incident
Transport for London (TfL), the UK government organization that manages London’s public transportation system, is experiencing a cyber incident. The issue reportedly affects TfL’s corporate backroom systems. According to BBC London, TfL has asked employees to work from home. The ongoing incident began September 2.
Editor's Notes
- Slide 1 of 2
We are at the point where services, such as the Oyster portal, are offline, but TfL is not providing specifics, and rumors about what happened are flying. Saying all is well, declining to comment on reported details, yet turning off or disabling services isn't ideal. Make sure your communication plan includes as much transparency as possible. By day four, you should have identified entry points and potential root causes. Don't assume communication to staff will not be released to the media.
- Slide 2 of 2
My question: does this sort of response help or it’s simply a lawyer crafted response to a regulatory requirement?
Slide 1 of 0- Slide 1 of 2
Tewkesbury Borough Council Suffers Cyberattack
The Tewkesbury Borough Council in Gloucestershire, UK, is in the process of recovering from a cyberattack. The borough, which has nearly 100,000 residents, is also home to the UK’s Government Communications Headquarters (GCHQ). A statement on the council’s website says, “We are having to assume that our systems have been compromised, and we are taking the necessary cyber response steps, including shutting down our systems.”
Editor's Notes
Tewkesbury is still assessing the impact of the attack; it appears to have had no impact on GCHQ. The UK is seeing a surge of incidents, with 160 reported in 2023 as opposed to 176 for the prior four years, and 30 incidents declared in the first quarter of 2024. The trend in these attacks is to exfiltrate personal data and try to leverage that data to get the companies to pay the ransom demand.
Swatting Indictment
A recently unsealed US federal indictment identifies two people – Thomasz Szabo, 26, of Romania, and Nemanja Radovanovic, 21, of Serbia – who were behind a swatting attack that targeted Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly in December 2023. The pair also targeted a former US president, US legislators, and senior law enforcement officials.
Editor's Notes
There is a long laundry list of actions these two took, from threats to swatting to compromising PII, all of which tied up response resources. The indictment puts would-be perpetrators on notice this is not a consequence-free prank.
Updated 8-K: Halliburton: Intruders Accessed and Exfiltrated Data
Halliburton has submitted an updated 8-K filing with the US Securities and Exchange Commission (SEC) that says they believe an “unauthorized third party accessed and exfiltrated information from the Company’s systems.” Halliburton also says the incident disrupted and limited access to parts of their IT system. An earlier 8-K filing (August 21) indicated that the company was aware of unauthorized third-party access to their system and that the company had activated their cybersecurity response plan.
Editor's Notes
- Slide 1 of 2
Halliburton is one of the world's largest fracking operators, and as such is a critical infrastructure target. This attack has been attributed to the RansomHub ransomware gang, whose activities were described in the CISA, FBI, HHS and MS-ISAC joint advisory AA24-242A. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a: #StopRansomware: RansomHub Ransomware
- Slide 2 of 2
As expected, a ransomware attack. We still have weeks to go before we find out what sort of data was exfiltrated.
Slide 1 of 0- Slide 1 of 2
Updated 8-K: Microchip Technology Says Intruders Stole Personal Data
In an updated 8-K filing with the US Securities and Exchange Commission (SEC) Microchip Technologies says they believe that intruders “obtained information stored in certain Company IT systems, including, for example, employee contact information and some encrypted and hashed passwords” during a cybersecurity incident last month. An August 20 8-K filing from Microchip Technology indicated that servers and operations had been disrupted, and that affected systems had been isolated.
Editor's Notes
- Slide 1 of 2
Microchip is still validating their claims for legitimacy and has restored critical systems, resumed order processing and shipping; while the recovery is not complete, indications are they will not be paying any ransom.
- Slide 2 of 2
Again, no mention of financial materiality. This kind of defensive reporting is defeating the purpose of the requirement to report, i.e., to inform investment decisions.
Slide 1 of 0- Slide 1 of 2
Internet Storm Center Tech Corner
INTERNET STORM CENTER TECH CORNER
Wireshark 4.4: Converting Display Filters to BPF Capture Filters
https://isc.sans.edu/diary/Wireshark+44+Converting+Display+Filters+to+BPF+Capture+Filters/31224
Protected OOXML Text Documents
https://isc.sans.edu/diary/Protected+OOXML+Text+Documents/31078
Scans for Moodle Learning Platform Following Recent Update
https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230
Enrichment Data: Keeping it Fresh
https://isc.sans.edu/diary/Enrichment+Data+Keeping+it+Fresh/31236
Veeam Update
New OFBiz Vulnerabilities
Cisco Smart License Manager Patches
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
PyPi Revival HiJack
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
Android Updates
https://source.android.com/docs/security/bulletin/2024-09-01
Mediatec WAPPD PoC Exploit
Sextortion E-Mails with Photos
https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/
Zyxel OS Command Injection Vulnerability
D-Link DIR-846W Unpatched RCE Vulnerabilities
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411
VMWare Privilege Escalation Vulnerability CVe-2024-38811
YubiKey Sidechannel Attack
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
https://www.yubico.com/support/security-advisories/ysa-2024-03/
GitHub Comments Used to Spread Malware
https://www.reddit.com/r/Malware/comments/1f2n1h4/comment/lkbi5gi/
Voldemort Malware Curses Orgs Using Global Tax Authorities
https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities
Analysis of CVE-2024-43044 From file read to RCE in Jenkins through agents
https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/