Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.
Of course it is exploited. Ivanti vulnerabilities have become common enough where attackers have playbooks as to how to effectively exploit them. If attackers have playbooks to exploit a product, you had better have a playbook to keep it up to date and to deal with the resulting incidents if you are not up to date.
One's strategy shouldn't be to manage updates depending on whether the vulnerability is being actively exploited. It should be based on the criticality of the vulnerability (Arbitrary Code Execution). The hot patch should have been applied back in May. For those that haven't yet patched, now you may be in a race with a determined adversary - don't lose.
CVE-2024-29824, an SQL injection vulnerability, has a CVSS score of 9.6 and is due to improper neutralization of special elements in a SQL command. The flaw affects Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier. Address the issue by updating your Ivanti EPM to the latest version.
Ivanti
Help Net Security
Security Week
The Hacker News
CISA
NVD
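The flaw class behind CVE-2024-29824 is worth seeing side by side. The block below is an added illustration, not Ivanti code or anything from the advisory: a constructed SQLite table, a lookup that splices untrusted input into the statement text, and the same lookup with a bound parameter. The table, column names and payload are all invented for the example.

```python
import sqlite3

# Constructed sample data: a minimal "devices" table standing in for any
# product database. Nothing here is taken from Ivanti EPM.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, hostname TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", [
        (1, "ws-finance-01", "alice"),
        (2, "ws-hr-02", "bob"),
        (3, "srv-dc-01", "svc_admin"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    # Untrusted input becomes part of the statement text: the "improper
    # neutralization of special elements in a SQL command" pattern (CWE-89).
    # A quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, hostname, owner FROM devices WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, hostname: str) -> list:
    # Bound parameter: the value travels separately from the statement, so
    # quotes and OR clauses in the input stay data and never reach the parser.
    sql = "SELECT id, hostname, owner FROM devices WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


# Constructed payload: closes the string literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:   ", lookup_vulnerable(conn, PAYLOAD))     # every row leaks
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))  # no row matches
```

The same payload returns the whole table from the first function and nothing from the second; no input filtering is involved, only where the input is allowed to land.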
Zimbra has released an update to address a critical inadequate user input sanitization vulnerability in its postjournal service. The flaw could be exploited by unauthenticated attackers to execute arbitrary commands on vulnerable installations. The flaw is being actively exploited, and has prompted warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from multiple threat researchers. Users are urged to install the latest Zimbra update or disable postjournal.
CVE-2024-45519, an RCE flaw, has a CVSS v3 score of 10.0, and has been added to the CISA KEV catalog with a due date of 10/24/24. The fix is to either disable postjournal if it is not used, or to update it to the latest version, ensure mynetworks is properly configured to prevent unauthorized access, and apply all Zimbra updates.
Project Discovery
Proofpoint
Zimbra
The Register
The Record
SC World
Ars Technica
Help Net Security
NVD
Researchers at Akamai have determined that several of the recently-disclosed vulnerabilities in the Common UNIX Printing System (CUPS) could be chained to launch distributed denial-of-service (DDoS) attacks. According to Akamai, 'Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity, [and] it would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.'
This is an interesting exploit vector and longer term, it may have a larger impact than the remote code execution issues.
If you're not using CUPS, don't just disable it, uninstall it so the vulnerable code is removed. If you are using it, apply the updated fixes to cups-lib. Consider carefully how you're exposing TCP and UDP port 631 (Internet Printing Protocol).
Simone Margaritelli has been trying for months to get the CUPS developers to acknowledge this vulnerability. Block port 631.
Researchers at Forescout's Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high-severity (between CVSS 7.0 and 8.9), and three are rated medium-severity. The flaws can be exploited to take control of vulnerable routers and from there steal data, deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers' web-based user interface. While DrayTek warns that the routers' control panels should be accessible only from local networks, the researchers at Forescout found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life included.
Never ever expose these admin interfaces to the internet. They are all vulnerable. For some of them, the vulnerability just hasn't been published yet.
Two things that should drive patch prioritization: 1) the large number of vulnerabilities; and 2) the criticality of the vulnerabilities. For the first, it gives the evildoer a lot to work with in developing an exploit. For the second, a criticality of 10.0 effectively means that the router is remotely vulnerable with low complexity. Although we can chastise DrayTek for having so many vulnerabilities, they at least did the right thing by including patches for end-of-life products.
The DrayTek routers are primarily used by commercial customers; it's important to get these patched to protect their business, as the devices provide VPN, firewall, content filtering, VoIP and bandwidth management. Of the 24 impacted models, 11 are EOL. Aside from updating the firmware, protect the management interface from unauthorized devices and replace EOL devices (the update for EOL models only addresses CVE-2024-41592, a buffer overflow in the GetCGI() function, CVSS score 10.0).
Forescout
DrayTek
The Register
SC World
Security Week
Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and CVE-2024-47807) in the OpenID Connect Authentication Plugin are considered high-severity; they involve audience and issuer claim validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium-severity.
The three medium-severity flaws could be used to access and decode encrypted credential values, API keys, certificates and secret files. Check your component product versions, update Jenkins Weekly to 2.479, Jenkins LTS to 2.462.3, the Credentials plugin to 1381.v2c3a_12074da_b_ and the OpenID Connect Authentication Plugin to 4.355.v3a_fb_fca_b_96d4. Jenkins advises updating immediately.
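Why missing audience and issuer checks turn into a privilege problem is easier to see with tokens in hand. The following is an added example, not Jenkins plugin code or any real IdP's behaviour: it mints three constructed ID tokens with one signing key, then compares a relying party that only verifies the signature with one that also checks iss, aud and exp. The issuer URL, audience names, secret and timestamps are invented for the example; HS256 with a shared secret stands in for the RS256 setup where an IdP's public key verifies tokens it issued for every client.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins (not Jenkins code or a real IdP). In a real OIDC
# deployment the IdP signs with RS256 and its public key verifies tokens for
# every relying party, so only the iss/aud checks separate "a token for us"
# from "a valid token for someone else". One shared HS256 secret reproduces
# that property here.
SECRET = b"constructed-idp-signing-secret"
IDP = "https://idp.example.test"
NOW = 1_700_000_000


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_signature_only(token: str, secret: bytes) -> dict:
    """The weak relying party: valid signature means accepted. Returns claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def verify_token(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Signature plus the claim checks OIDC Core requires of a relying party."""
    claims = verify_signature_only(token, secret)
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def is_accepted(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> bool:
    try:
        verify_token(token, secret, expected_iss, expected_aud, now)
        return True
    except ValueError:
        return False


def sample_tokens() -> dict:
    """Constructed tokens: one minted for Jenkins, one minted by the same IdP
    for an unrelated app, one from a different issuer whose tokens the same
    key happens to verify (a multi-tenant IdP is the realistic case)."""
    base = {"sub": "alice", "iat": NOW, "exp": NOW + 300}
    return {
        "good": make_token({**base, "iss": IDP, "aud": "jenkins"}, SECRET),
        "wrong_aud": make_token({**base, "iss": IDP, "aud": "wiki-app"}, SECRET),
        "wrong_iss": make_token({**base, "iss": "https://other-tenant.example.test", "aud": "jenkins"}, SECRET),
    }


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        sig_ok = verify_signature_only(tok, SECRET)["sub"] == "alice"
        full_ok = is_accepted(tok, SECRET, IDP, "jenkins", NOW)
        print(f"{name:10s} signature-only: {sig_ok}  full check: {full_ok}")
```

All three tokens pass the signature-only check as "alice"; only the first survives the issuer and audience checks. A relying party that skips those checks will log in anyone holding any valid token from the IdP, including tokens issued for other applications.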
On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server, and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through "misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is terminated and the original file deleted. Copies of the malware and its elements are named to camouflage as legitimate Linux files and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends "system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching, restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.
AquaSec
The Hacker News
Bleeping Computer
Dark Reading
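Two of the behaviours Aqua Nautilus describes (binaries copied into temporary directories with the original deleted, and names chosen to look like legitimate Linux processes) are cheap to hunt for from a process listing. The script below is an added example and is not Aqua's detection logic or any perfctl artifact: the watch list of daemon names, the directory rules and the sample listing are constructed for the example, and the /proc reader only runs on Linux.

```python
import os

# Constructed watch list and rules for this example (not Aqua Nautilus's
# detection logic): daemon names that malware likes to borrow, and the
# directories a legitimate copy of those daemons would be loaded from.
MIMICKED_NAMES = {"sshd", "cron", "crond", "httpd", "nginx", "systemd",
                  "rsyslogd", "sh", "bash", "ldd"}
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                   "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def classify(proc: dict) -> list:
    """Return the reasons a {pid, comm, exe} record looks like camouflage;
    an empty list means nothing stood out."""
    reasons = []
    exe = proc["exe"]
    if exe.endswith(" (deleted)"):
        # The dropper unlinks the original file once the copy is running;
        # the kernel reports that on the exe symlink.
        reasons.append("executable unlinked from disk")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(TEMP_DIRS):
        reasons.append("executable lives in a temp directory")
    if "/." in exe:
        reasons.append("executable path contains a hidden component")
    if proc["comm"] in MIMICKED_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
        reasons.append(f"name mimics system daemon {proc['comm']!r} but runs from {exe}")
    return reasons


def suspicious_processes(procs: list) -> dict:
    """Map pid -> reasons for every record that triggers at least one rule."""
    return {p["pid"]: r for p in procs if (r := classify(p))}


def collect_from_proc() -> list:
    """Read live records from /proc (Linux only). Processes we cannot inspect
    (kernel threads, or other users' processes when unprivileged) are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        procs.append({"pid": int(entry), "comm": comm, "exe": exe})
    return procs


# Constructed sample: a process listing on a host where two camouflaged
# copies are running next to the real daemons.
SAMPLE = [
    {"pid": 812,  "comm": "sshd",    "exe": "/usr/sbin/sshd"},
    {"pid": 1337, "comm": "httpd",   "exe": "/tmp/.cache/httpd"},
    {"pid": 2048, "comm": "sh",      "exe": "/var/tmp/.X11-unix/sh (deleted)"},
    {"pid": 3001, "comm": "cron",    "exe": "/usr/sbin/cron"},
    {"pid": 4100, "comm": "python3", "exe": "/usr/bin/python3.11"},
]

if __name__ == "__main__":
    for pid, reasons in suspicious_processes(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Run `suspicious_processes(collect_from_proc())` as root for a live host. Rootkits that hide processes from /proc defeat this by design, which is why Aqua pairs process checks with network traffic analysis and file integrity monitoring rather than relying on any one of them.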
A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The high-severity race-condition flaw (CVE-2024-5102) exists in the 'Repair' feature of Avast Antivirus for Windows versions older than 24.2. Users are urged to ensure they are running the most recent version of the product.
Flaws in your endpoint protection solution should be rapidly addressed regardless of score. The flaw stems from how the repair function handles symbolic links; an attacker can manipulate those links to have it delete or recreate arbitrary files as well as execute code with system privileges. The root cause is improper link resolution before file access and improper validation of input.
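The failure mode described above, a privileged "repair" routine that follows a symbolic link planted where it expects a plain file, is generic enough to demonstrate without any Avast internals. The code below is an added example and not Avast's repair logic: it builds a constructed layout in a temporary directory (a "protected" file and a user-controlled path that is really a symlink to it), runs a naive rewrite that clobbers the target, then the same rewrite hardened with an lstat check, O_NOFOLLOW and a post-open fstat comparison so that neither a planted link nor a swap between check and open reaches the target. File names are invented for the example.

```python
import os
import stat
import tempfile


def vulnerable_repair(path: str, content: str) -> None:
    """Follows whatever `path` resolves to. If an attacker replaced the
    expected file with a symlink, the privileged writer clobbers the target."""
    with open(path, "w") as f:
        f.write(content)


def safe_repair(path: str, content: str) -> None:
    """Refuse links, refuse anything but a plain singly-linked regular file,
    and make sure the object we opened is the one we inspected.
    (The containing directory must also not be attacker-writable; that is a
    deployment requirement this function cannot check for you.)"""
    st = os.lstat(path)                       # does not follow links
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to repair through symlink: {path}")
    # O_NOFOLLOW makes the open itself fail (ELOOP) if a link was swapped in
    # between the lstat above and this call. On platforms without the flag
    # the lstat check above is the only guard.
    flags = os.O_WRONLY | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        fst = os.fstat(fd)
        if not stat.S_ISREG(fst.st_mode) or fst.st_nlink != 1:
            raise PermissionError("not a plain, singly-linked regular file")
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError("file changed between check and open")
        os.write(fd, content.encode())
    finally:
        os.close(fd)


def build_scenario() -> tuple:
    """Constructed layout: a file the repair routine must never touch, and a
    user-controlled path that has been replaced with a symlink to it."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "protected", "authorized_keys")
    os.makedirs(os.path.dirname(victim))
    with open(victim, "w") as f:
        f.write("original\n")
    planted = os.path.join(root, "userdir", "settings.ini")
    os.makedirs(os.path.dirname(planted))
    os.symlink(victim, planted)
    return victim, planted


def demo() -> dict:
    victim, planted = build_scenario()
    vulnerable_repair(planted, "pwned\n")
    with open(victim) as f:
        clobbered = f.read() == "pwned\n"

    victim2, planted2 = build_scenario()
    try:
        safe_repair(planted2, "pwned\n")
        blocked = False
    except (PermissionError, OSError):
        blocked = True
    with open(victim2) as f:
        intact = f.read() == "original\n"
    return {"vulnerable_overwrote_target": clobbered,
            "safe_blocked": blocked,
            "safe_target_intact": intact}


if __name__ == "__main__":
    print(demo())
```

The lstat check alone is not enough because of the race the advisory class is named for; the O_NOFOLLOW open and the inode comparison close the window between inspecting the path and writing through it.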
A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal Communications Commission. The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to determine the company's culpability per the Communications Act of 1934; the act "expects telecommunications carriers to take 'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft and release of millions of customers' "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and service plan details. Half of the $31.5 million settlement will be paid as civil penalty to the US Treasury, and the other half must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.
While T-Mobile has had as many as 7 breaches over the last five years, this settlement covers the last four (since 2021). You may recall in 2021 things kicked off with an attacker stealing personal and device related information, including PINs, for 76.6 million current, former, and prospective T-Mobile customers. The good news is that the FCC is actively raising the bar, requiring breach notifications, stating "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences." The hard part, if you're a T-Mobile customer, is deciding if you can survive until the changes are made or if you should switch to AT&T, Sprint or Verizon who have had other issues of late.
The FCC is increasingly holding organizations accountable for not exhibiting a standard of reasonableness when it comes to protecting consumer information. This is the latest installment. For companies wishing to stay out of the FCC, or judicial branch crosshairs, the Center for Internet Security recently published a 'Guide to Defining Reasonable Cybersecurity' that specifies what must be done to meet the standard of reasonable cybersecurity. https://www.cisecurity.org/insights/white-papers/reasonable-cybersecurity-guide: Reasonable Cybersecurity Guide
The Register
FCC
FCC
Ars Technica
The UK's Office for Nuclear Regulation (ONR) has fined nuclear waste processing firm Sellafield Ltd £332,500 (436,439 USD) for issues with 'management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.' An investigation determined that Sellafield's IT systems could have allowed unauthorized access and data loss. The Chief Magistrate presiding in court earlier this week also fined Sellafield £53,253 (69,900 USD) to cover costs associated with the prosecution.
Another example of the standard 'duty of care' being applied by the judicial system to an organization. Besides the monetary fine, the settlement typically requires the organization to apply additional security controls and submit annual risk management reports on the state of its cybersecurity program. You can get ahead of this by implementing and measuring yourself against one of several well-known cybersecurity frameworks: NIST CSF, ISO 27001, and the CIS Critical Security Controls.
ONR
SC Magazine UK
The Guardian
BBC
The Record
Reuters
A new publication of joint guidance from security organizations in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK outlines core principles for maintaining security in Operational Technology (OT). OT systems are 'vital services;' they are also complex, diverse, and difficult to change, making security difficult to assess. The document emphasizes checking decisions against six principles: 1. 'Safety is paramount,' specifically physical safety of human beings; 2. 'Knowledge of the business is crucial ... Top-down thinking has historically led many organisations to seek to separate OT from IT;' 3. 'OT data is extremely valuable and needs to be protected;' 4. 'Segment and segregate OT from all other networks;' 5. 'The supply chain must be secure;' and 6. 'People are essential for OT cyber security.' Within days of this guidance, MITRE fully published EMB3D: a 'living framework' for linking device properties to threats and mitigations in OT as well as IoT, automotive, healthcare, and other applications. The framework is informed by major vulnerability enumerations, and the mitigations are 'mapped to the security controls' from the International Society of Automation and International Electrotechnical Commission's ISA/IEC 62443 series of standards.
Flat networks continue to be problematic everywhere but exposing OT to the public networks is reckless.
SecurityWeek
Australian Signals Directorate
SecurityWeek
MITRE
MITRE
The US National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) is still showing a significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in February 2024. In May, NIST hired a third-party consultant to help with the backlog.
The trend is moving in the right direction: as of September 21, 72.4% of CVEs were not analyzed, compared with 93.4% in May. NIST missed its self-imposed deadline of September 30th to clear the backlog; it's not clear what it'll take to clear it, or to thwart efforts to create alternatives to the NIST vulnerability repositories.
One can only love the characterization of "significant enrichment backlog." They have had a broken system for months.
The US Justice Department (DoJ) has unsealed a warrant that authorized the seizure of more than 100 domains associated with cyberthreat actors with ties to Russia's government. The domains have been used to conduct computer fraud and other abuses in the US. A civil lawsuit filed by Microsoft and the NGO Information Sharing and Analysis Center (NGO-ISAC) sought the seizure of 66 domains; the DoJ seized an additional 41 domains.
While the work of government and the private sector is applauded, two areas need additional focus: 1) the speed in moving from detection of criminal domains to their seizure; and 2) detection of new criminal domains. For the first, it appears it took upwards of a year to seize the domains identified as supporting criminal activity. For the second, global collaboration and information sharing is needed. Let's celebrate the win and continue the fight against cyber criminals.
Microsoft
Justice
Nextgov
Cyberscoop
Security Week
Hurricane Helene Aftermath - Cyber Security Awareness Month
https://isc.sans.edu/diary/Hurricane+Helene+Aftermath+Cyber+Security+Awareness+Month/31314
Security Related Docker Containers
https://isc.sans.edu/diary/Security%20related%20Docker%20containers/31318
Kickstart Your DShield Honeypot
https://isc.sans.edu/diary/Kickstart+Your+DShield+Honeypot+Guest+Diary/31320
SANS Munich (free Community Night Tuesday October 15th)
https://www.sans.org/cyber-security-training-events/munich-october-2024/
CeranaKeeper Use of Cloud Services
Optigo Spectra Vulnerabilities
https://claroty.com/team82/disclosure-dashboard/cve-2024-41925
https://claroty.com/team82/disclosure-dashboard/cve-2024-45367
Pixel Addressing Vulnerabilities in Cellular Modems
https://security.googleblog.com/2024/10/pixel-proactive-security-cellular-modems.html
CUPS DDoS Attack
https://www.akamai.com/blog/security-research/october-cups-ddos-threat
Draytek Vulnerabilities
https://www.forescout.com/resources/draybreak-draytek-research/
Zimbra - Remote Command Execution (CVE-2024-45519)
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
Enhancing the security of Microsoft Edge extensions with the new Publish API
CVE-2024-36435 Deep-Dive: The Year's Most Critical BMC Security Flaw
https://www.binarly.io/blog/cve-2024-36435-deep-dive-the-years-most-critical-bmc-security-flaw