SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Chinese Salt Typhoon Threat Actors Breached US Broadband Providers' Networks
According to a report in The Wall Street Journal, a threat actor group with ties to China's government has broken into the networks of several US broadband providers. Known as Salt Typhoon, the group may have accessed systems used for court-authorized wiretaps. The breached companies include Verizon, AT&T, and Lumen/Century Link. The incident is being investigated the FBI, U.S. intelligence agencies, and the Department of Homeland Security.
Editor's Notes
- Slide 1 of 4
If you build it, they will come. The court-authorized wiretap interfaces at telco providers are too juicy of a target for attackers to overlook. Note to also closely monitor any infrastructure like this in your own environment. You may not deal with court ordered wiretaps, but your security team likely still has extensive systems to reach out to and monitor endpoints.
- Slide 2 of 4
Large ISPs are attractive targets for nation state intelligence agencies and present an equally large attack surface. While they could do more for the security of their users, they cannot be relied upon to do so. Targeted users should take appropriate precautions, to include end-to-end encryption and proprietary DNS service.
- Slide 3 of 4
The attack vector used by Salt Typhoon/Ghost Emperor in this case is unknown. In the past they have been known to obtain initial access through flaws like the Exchange ProxyLogin vulnerability to leverage a custom backdoor, SparroDoor, customized Mimikatz, and a rootkit known as Demodex. Make sure that any remaining on-premises Exchange servers are fully patched, and reach back to your team to make sure that MFA is required on your Internet facing services.
- Slide 4 of 4
Details are lacking, but two immediate thoughts: 1) there has to be an exploit in common for all three communication service providers (CSPs); and 2) over time CSPs automate CALEA implementation, which creates a pathway to those protected systems. Nation states understand that, as they implemented them in their own countries.
Slide 1 of 0- Slide 1 of 4
Wayne County, Michigan is Dealing with a Cybersecurity Incident
Wayne County, Michigan, which includes the city of Detroit, is dealing with the aftermath of a cyberattack that shut down government websites and disrupted operations of several offices. The incident reportedly began on Wednesday, October 2. Sources say that the county is experiencing disruptions in collecting taxes and processing prison inmates. A county spokesperson said they expected to be 'fully operational' by Friday, October 4.
Editor's Notes
- Slide 1 of 2
Wayne County was putting updates on their Facebook page while their website was offline; these are reflected on the home page of the now restored county website. Wayne County is the largest county in Michigan with 1.75 million residents. This is the latest blow to Michigan, which included hits on Flint and Traverse City, as well as impacts from the Ascension and McLaren hospital ransomware incidents. Don't assume you're not a target and leave things be. Be proactive, start with the basics, MFA, patching and monitoring, grow from there.
- Slide 2 of 2
Municipalities rank right up there with healthcare as targets for ransomware attacks. Take appropriate care to include strong user authentication, isolating mission critical applications from e-mail and browsing, and having hot backup and recovery.
Slide 1 of 0- Slide 1 of 2
American Water Works Company
In an 8-K form filed with the SEC on October 7, 2024, the American Water Works Company disclosed a cyberattack described as "unauthorized activity within its computer networks." The company - whose services cover approximately 14 million people - states that no drinking water or wastewater plants have been affected, but the customer account system, bill payment portal, and call center are offline. Reported mitigation efforts include "disconnecting or deactivating" systems, and consulting "third-party cybersecurity experts." At just over two weeks after a cyberattack on a Kansas water treatment facility, this is the latest in a series of attacks on US water plants, coinciding with EPA and legislative efforts to shore up "critical cybersecurity vulnerabilities" in the largely non-compliant industry.
Editor's Notes
- Slide 1 of 3
A lot of focus has been on nation states potentially targeting critical infrastructure and efforts to protect said infrastructure. That is a concern, but this also could have been a simple ransomware event, targeting the internet accessible IT systems of critical infrastructure providers. There exist good solid cybersecurity frameworks (i.e., NIST CSF, ISO 27001, CIS Controls) that work, if implemented. Efforts should be made to ease the implementation and monitoring against one of those frameworks.
- Slide 2 of 3
American Water has published a FAQ on impacted services (amwater.com/corp/security-faq) and promises to update their home page as things change. It's not easy to find those updates; they are on their essential services page with a link back to the FAQ. On a positive note, while the billing system is offline, customers will not be assessed late fees or have service disconnected. One hopes customers will be notified when the system is online. When you're doing notification, consider making things more easily found.
- Slide 3 of 3
'Largely non-compliant' means failure to employ basic hygiene. However, the industry is also plagued with ad hoc connections to the public networks placed not by management but by operators for their own convenience. In the absence of basic security measures this is all too easy to do. Management should provide operators with necessary, even useful, connections using VPNs that terminate on the intended control, not on the perimeter.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
MITRE Launches Collaborative AI Incident Sharing Initiative
MITRE's Center for Threat-Informed Defense, in collaboration with 15 private-sector organizations to develop the AI Incident Sharing Initiative. The project is part of MITREÕs Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) framework and operates 'as a mechanism for a community of trusted contributors to both receive and share protected and anonymized data on real world AI incidents that are occurring across operational AI-enabled systems.'
Editor's Notes
- Slide 1 of 3
Invariably, more industry collaboration is better than less, but self-inflicted wounds are as much, if not more, of a threat than adversaries. The wisdom of the Critical Security Controls and OWASP Top 20 apply to all large software systems, which includes AI.
- Slide 2 of 3
As AI continues to find its way into our environments, having a feed of AI incidents and defenses becomes a critical layer of defense. You should be reading up on ATLAS and seeing how you can leverage the data in your environment. Start with the beta set of AI mitigations which are designed to prevent techniques or sub-techniques from being executed. ATLAS mitigations can be found here: atlas.mitre.org/mitigations/
- Slide 3 of 3
There are two hard problems in intelligence. The first is enlisting reliable, but not necessarily trusted, sources. The second is identifying those who can use the intelligence to your advantage without compromising it. Ideally these are both small population as MITRE is using in this application.
Slide 1 of 0- Slide 1 of 3
Ireland's Data Protection Commission is Investigating Ryanair's Customer Verification Process GDPR Compliance
Ireland's Data Protection Commission (DPC) is investigating Ryanair's processing of customer personal data. Specifically, the DPC has received complaints from people that Ryanair is demanding extra data from customers who book flights through travel agencies or third-party websites. In some cases, the extra information demanded includes biometric data. The investigation is focusing on whether Ryanair's methods of gathering and holding the data comply with the General Data Protection Regulation (GDPR).
Editor's Notes
- Slide 1 of 2
Biometric data is not as vulnerable to disclosure or use as one might intuitively infer. It does not rely upon the secrecy of the stored reference for security (as do passwords and private keys) but upon the difficulty of counterfeiting the instant data. Biometric instant data is vulnerable to replay and therefore is most often employed, for convenience, as additional factors in MFA where protection from replay is provided by a different factor.
- Slide 2 of 2
Ryanair, famous for their low-cost, no-frills, everything-extra flights, has historically resisted efforts by third parties to sell their flights. They implemented the added ID validation as a deterrent and protection to consumers from unauthorized online travel agents who may be overcharging or scamming customers. The process has had numerous complaints. The issue here isn't addressing those concerns, rather focusing on how Ryanair is protecting and disclosing the gathered ID/Biometric data, particularly in cross-border scenarios, in this process. If you're processing data covered by the GDPR, double down on making sure you're following all of the requirements to avoid undue scrutiny by the DPC.
Slide 1 of 0- Slide 1 of 2
FBCS Breach Compromised Comcast and Truist Bank Customer Data
In a supplemental filing with the Office of the Maine Attorney General, Comcast says that the Financial Business and Consumer Solutions (FBCS) breach in February of this year compromised data belonging to more than 237,000 Comcast customers. Initially, FBCS said that Comcast customer data were not affected, but in July, FBCS notified Comcast that their customer data were compromised. Truist Bank recently notified customers that their data may also have been compromised in the FBCS breach. The total number of individuals affected by the FCBS breach is estimated to exceed four million.
Editor's Notes
FBCS is a debt collector, initially reporting a compromise in March. At that time, FBCS said the incident did not affect Comcast data. However, in July they notified Comcast that their customer data were compromised in the breach. Comcast stopped using the service in 2020, however; they didn't take steps to ensure their data was removed from FBCS systems. FBCS is claiming they are financially unable to bear the cost of identity monitoring/credit restoration services, so it falls to their customers, Comcast, CF Medical, etc. to pay for this. Make sure that you have procedures for clearing (and verifying) data on third-party service providers as well as an understanding of where liability falls should they have a breach with limited financial solvency.
Okta Addresses Sign-on Policy Bypass Vulnerability
Okta has identified and resolved a vulnerability in Okta Classic that could have been exploited to bypass sign-on policies and gain unauthorized access to applications. The vulnerability was introduced in the July 17, 2024 release of Okta Classic, and has been resolved in the Okta production environment since October 4, 2024. Okta recommends that users 'review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as 'unknown' between July 17, 2024 and October 4, 2024.' Okta provides details about how to perform the review in their advisory.
Editor's Notes
The vulnerability only existed in certain configurations of Okta Classic; even so, you should check your logs fusing the following query: outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso" for possible exploits, particularly authentication from unusual locations, IPs or times of day. While the vulnerability was introduced on July 17, it wasn't identified until September 27, and rapidly addressed with a tested patch in production eight days later.
Update Now: Cross-Site Scripting Flaw in LiteSpeed Cache WordPress Plugin
A high-severity cross-site scripting vulnerability in the LiteSpeed Cache plugin for WordPress could be exploited to gain elevated privileges and potentially load malware onto unpatched websites. The issue affects LiteSpeed Cache up through version 6.5.0.2; users are urged to update to the most recent version of the plugin, which has more than six million active installations.
Editor's Notes
- Slide 1 of 3
The vulnerability, CVSS score 7.1, is due to improper input neutralization and could be used to inject malicious scripts, advertising, redirects, and other payloads into your site. Auto-update should have already fixed your plugin, but you should double check. Uninstall any unused plugins or themes. Ask the hard questions on any plugins without updates, and minimize the number of plugins to keep the attack surface small and your site stable.
- Slide 2 of 3
Cross-site scripting vulnerabilities have been around for decades and are totally preventable. Seems as though the developers need some remedial training in secure software development practices like input validation and output encoding. Developers, take a look at the OWASP Cheat Sheet Series.
- Slide 3 of 3
The value of WordPress plugins must be balanced against their historic quality. They should be employed sparingly and managed carefully.
Slide 1 of 0- Slide 1 of 3
iOS 18.0.1
A "logic issue" in the VoiceOver screen reader (CVE-2024-44204) and a bug in the Media Session component (CVE-2024-44207) were both patched by Apple's release of iOS and iPadOS 18.0.1. The VoiceOver flaw allowed the accessibility feature to read aloud a user's saved passwords; the Media Session issue allowed the Messages app to record "a few seconds of audio before the microphone indicator is activated" when creating an audio message. Both CVSS base scores are rated medium.
Editor's Notes
- Slide 1 of 2
We may have caught a break in that Apple is not indicating these flaws are being actively exploited. The Media Session flaw is specific to the iPhone 16, while the VoiceOver flaw affects all devices running iOS 18; it has a CVSS 3.1 score of 5.5. It's a good idea to push iOS/iPadOS 18.0.1 to all your devices running version 18.0.
- Slide 2 of 2
Most Apple iOS users should enable automatic updates.
Slide 1 of 0- Slide 1 of 2
Internet Storm Center Tech Corner
macOS Sequoia: System/Network Admins, Hold On!
https://isc.sans.edu/diary/macOS+Sequoia+SystemNetwork+Admins+Hold+On/31330
Survey of CUPS exploit URLs
https://isc.sans.edu/diary/Survey+of+CUPS+exploit+attempts/31326
Free API Security Workshop
https://www.sans.org/webcasts/aviata-solo-flight-challenge-cloud-security-workshop-chapter-7/
Cisco Vulnerabilities
Apple iTunes PoC
https://github.com/mbog14/CVE-2024-44193
Attackers used ISP's Wiretap System to Spy on Users
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835 (paywall)
Exposed LDAP Servers
https://www.usenix.org/conference/usenixsecurity24/presentation/kaspereit
Exploiting Visual Studio via Dump Files
https://ynwarcs.github.io/exploiting-vs-dump-files
Apple Security Updates