SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Fortinet Releases FortiClient Updates to Address High-Severity Authentication Bypass Issue
A high-severity authentication bypass vulnerability (CVE-2024-47574) in Fortinet's FortiClient for Windows could be exploited to gain elevated privileges and execute arbitrary code via spoofed named pipe messages. Users are urged to upgrade to fixed versions of FortiClientWindows 7.4, 7.2, and 7.0; users running FortiClientWindows 6.4 are urged to migrate to a fixed release. This CVE and a second also affecting FortiClient were detected by a researcher at Pentera Labs.
Editor's Notes
- Slide 1 of 2
FortiClient is a critical component to many organizations. If you are a Fortinet customer running this client you should upgrade. This can be abused as an LPE and attackers are constantly looking for these vectors on local devices.
- Slide 2 of 2
Two flaws were discovered, CVE-2024-47574, authentication bypass, CVSS score 7.8, as well as a second flaw, no CVE assigned yet, allowing access to the plain text encryption key used to protect sensitive information. Both flaws are addressed in the updates. If you have Fortinet in your shop, updates to the management client are as important as updates to the firmware on the device. While you're looking at your Fortinet environment, make sure that your management interfaces are also protected, limited to authorized hosts only.
Slide 1 of 0- Slide 1 of 2
Reconfigure PAN-OS to Mitigate Exploited Zero-Day RCE Flaw
On November 8, 2024, Palo Alto Networks released a security advisory disclosing a zero-day remote code execution (RCE) vulnerability in the PAN-OS operating system. Palo Alto updated the advisory a week later after discovering evidence that the vulnerability had been exploited in the wild, providing Indicators of Compromise (IoCs): three IP addresses possibly used by attackers (though Palo Alto acknowledges they may be associated with legitimate VPNs) and a checksum "associated with a webshell observed in attacks." The vulnerability, tracked as CVE-2024-0012, is an authentication bypass in PAN-OS allowing "an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474." The most effective mitigation is ensuring the PAN-OS management interface is configured properly and is not accessible from the internet. Palo Alto has provided a list of scanned devices showing internet-facing management interfaces so users can identify and reconfigure any of their vulnerable devices. Left unmitigated, this flaw is rated critical at CVSS 9.3.
Editor's Notes
- Slide 1 of 3
You should not expose firewall management interfaces to the open internet. It's still happening, and it's usually unclear why. There are many hotfixes to fix this issue, which should be installed immediately. The more pressing situation is around exposing those management interfaces. Palo Alto is offering help to individuals who believe they have been compromised already.
- Slide 2 of 3
CISA/DHS got it right with BOD-23-02, make sure management interfaces are not exposed to the Internet. Even better, only allow authorized hosts access to those interfaces irrespective of the network; your future self will appreciate this change. If you're a Palo shop, make sure you not only protect the management interface but also update to the unaffected version of PAN-OS.
- Slide 3 of 3
Interesting that Palo Alto knew about an exploit, but wasn't able to figure out the vulnerability exploited. Some pundits complained about the additional telemetry Sophos added to its products to trap recent attacks against its customers, but this is exactly what is needed to better protect users (and some halfway sane development practices).
Slide 1 of 0- Slide 1 of 3
Twice-Patched VMware vCenter Server Flaws are Now Being Actively Exploited
According to an advisory update from Broadcom, known vulnerabilities in VMware vCenter Server are being actively exploited. Broadcom first issued patches for the flaws in September, but those fixes did not adequately address the problems. A second round of patches in October did fix the vulnerabilities; at that time, Broadcom said they were not aware of either flaw being exploited in the wild. Users are urged to apply patches for both VMware vCenter Server vulnerabilities: a critical heap-overflow vulnerability (CVE-2024-38812) and an important privilege elevation vulnerability (CVE-2024-38813).
Editor's Notes
- Slide 1 of 2
Broadcom support for existing VMWare customers has been somewhat bad to mixed from anecdotal stories. One of the more glaring ones has been just getting VMWare Workstation / Fusion customers back. I would speculate it was easier to make it all accessible than to continue the disaster of getting support. How easy has it been for customers to get vSphere patches post-acquisition? One other note is that widespread exploitation during the patch does not mean it will not happen in the future. N-Days are more and more common than 0-days.
- Slide 2 of 2
This flaw was initially discovered five months ago; the update can be tricky. Refer to the Broadcom update for the versions of VMware vCenter Server and VMware Cloud Foundation you should have deployed. Note the Cloud Foundation update is an Async patch. While you're at it, make sure your vCenter management interfaces are only accessible from authorized devices.
Slide 1 of 0- Slide 1 of 2
Unsecurely-Implemented 2FA Creates Critical WordPress Vulnerability
Calling it "one of the more serious vulnerabilities that we have reported on in our 12 year history," researcher Istv‡n M‡rton at Wordfence describes a critical authentication bypass vulnerability in WordPress's Really Simple Security plugin, as well as in the Really Simple Security Pro and Pro Multisite plugins, disclosed on November 6th. Tracked under CVE-2024-10924, the authentication bypass results from "improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the 'Two-Factor Authentication' setting is enabled (disabled by default)." Plugin versions 9.0.0 to 9.1.1.1 are affected; WordPress has pushed a patch, but users are urged to ensure their plugins are updated to 9.1.2 or later.
Editor's Notes
The flaw comes down to improper error handling of an invalid nonce, allowing the bypass. Really Simple Security used to be Really Simple SSL, it was renamed with the version 9 release, check for both. Make sure you're updating to the new version, to include enabling auto-updates. Version 9.1.2 was released November 14th, so you should see it deployed. Wordfence released firewall rules for their paid versions November 6th, and the free version will get these December 6th.
The Rest of the Week's News
Neither Personal Nor Business Passwords Are Improving
The sixth annual report from NordVPN's enterprise password management service suggests that easily-guessed or cracked passwords are still the most common personal and corporate credentials. NordPass studied 2.5TB of anonymized "publicly available sources" of leaked data from 44 countries, differentiating personal and business accounts by email domain. The company highlights the risk of reused credentials, and provides password composition suggestions that notably differ from NIST's revised authentication guidelines drafted in August, 2024: both recommend a high character minimum, 15 and 20 characters respectively, but NordPass emphasizes varying character types while NIST prohibits character type requirements. Seeing little to no improvement in this series of studies, the company looks to passkeys as a safer alternative.
Editor's Notes
- Slide 1 of 4
Use Passkeys, Use YubiKeys, Use Passwordless. You can use your Password Vaults on your phones. There are so many options now that we should be pushing SMBs and all businesses to more accessible and more secure mechanisms. This survey needs to clarify the delta from year to year in the password age. This is almost impossible to understand, so it will be complicated with a one or two-year lookback to see if businesses are genuinely secure. Considering that IOS Passkeys is new, we may not be capturing the move to these technologies yet.
- Slide 2 of 4
With passwords we're swimming upstream against decades of human behavior. If you need to keep using passwords, implement a service which checks data breaches for exposed passwords as well as enforces 800-63-3. We all need to target stronger authentication mechanisms which move away from passwords entirely (MFA, FIDO, passkeys, etc.). Get those projects in the chute or they will never happen.
- Slide 3 of 4
Yep, passwords are still a thing andÉ reuse is a problem given all the accounts that must be managed. Check. The best thing we can do is start an education campaign to move us along to adopt passkeys. The good news is all the major operating systems, browsers, and free email services have passkey options available. Seems like a global PSA is in order.
- Slide 4 of 4
Any discussion of bad passwords makes me uncomfortable because it suggests that there is some problem that good passwords would solve. While there are attacks that good passwords would resist, they are useless against the social engineering and fraudulent replay attacks that we are seeing. Heed the advice of my colleagues and focus your efforts on strong authentication (at least two kinds of evidence, at least one of which is resistant to replay).
Slide 1 of 0- Slide 1 of 4
DHS Creates Responsibility Framework for AI in Critical Infrastructure
The US Department of Homeland Security (DHS) has released a guidance resource aimed at all levels of AI development and implementation, assigning specific responsibilities for safety and security at each level as the benefits and risks of AI become integrated into critical infrastructure. The framework was created by a DHS AI Safety and Security board comprising many private and public sector members, including the CEO of OpenAI and the Policy Director of the White House Office of Science and Technology. Envisioned as a "living document," the framework identifies five security directives, making a matrix of responsibilities for five types of AI stakeholders (shown in Appendix A). The key directives are: to secure environments; to drive responsible model design; to implement data governance; to ensure safe and secure deployment; and to monitor performance and impact. The stakeholders guided to act are: cloud and compute infrastructure providers; AI developers; critical infrastructure owners and operators; civil society (such as research institutions and consumer groups); and the public sector. Another five items characterize DHS's hopes for the framework's success, briefly: "harmoniz[ed]" security practices; infrastructure safety; AI ecosystem transparency; research advancement; and protection of civil rights.
Editor's Notes
- Slide 1 of 4
In 99% of this document, you could replace 'AI' with 'software' and see pretty much a standard secure development/operations framework. In the Developer section is the important part, analogous to early worries about digital fakes and the need for integrity and authentication support to what was called 'watermarking.' The cite: 'Distinguish AI-generated content: Where technically feasible and commercially reasonable, AI developers are encouraged to ensure that AI-generated or manipulated content, such as code, text, images, audio, or video, can be clearly identified at the time and point of origin, and therefore distinguishable from human-generated content.'
- Slide 2 of 4
Guidance, regulation, and legislation of AI, at least in the short run, should be on an application by application basis. It should focus on holding users, both enterprise and individuals, accountable for the use and the results. The applications and risks are simply too broad to regulate at the technology level.
- Slide 3 of 4
This is going to be critical in the future. I noticed a news article about using general-purpose AI in critical and sensitive areas such as healthcare. General Purpose AI is often giving incorrect information, and putting guard rails on this is going to be important. It's one thing being able to get around a chatbot to get free airline tickets, and another thing to be giving the wrong medical advice or worse because of AI that hallucinates. Imagine if you decide to use AI to regulate chemicals in the water, this could be not the wisest approach. I suspect we will see more and more language around this as technology advances.
- Slide 4 of 4
AI, while still evolving and maturing, is pervasive, and we're all working to understand and secure the implementations in our shops. If you're in the critical infrastructure business, this is the droid you're looking for, at 35 pages it's not a bad read, and should drive some interesting conversations, both internally and with your suppliers. Even if you're not in that space, this is good input to consider relating to your AI deployments.
Slide 1 of 0- Slide 1 of 4
Investigation of EPA Finds US Water Systems Vulnerable
97 of 1,062 drinking water systems surveyed by the Office of the Inspector General (OIG) for the US Environmental Protection Agency (EPA) are at critical or high risk for cyberattacks; these systems alone serve 26.6 million US citizens. The OIG investigation holds the EPA to obligations established in the Safe Water Drinking Act (SWDA), America's Water Infrastructure Act (AWIA), and federal directives urging infrastructure security, and points out significant inadequacies and failures to meet these responsibilities. The EPA has previously leaned on The Cybersecurity and Infrastructure Security Agency (CISA) to handle incident reports -- no official program exists for notifying the EPA of cyberattacks on US water plants, nor any "documented policies and procedures related to the EPAÕs coordination with CISA and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies." The OIG urges the EPA to "seek additional authority as necessary" to address and remedy the situation, noting "this challenge is not hypothetical."
Editor's Notes
When was the last time you verified your incident reporting process, particularly with third-party (cloud and outsourced) service providers? Check not just for current contacts, but also for the process. Be alert for a process which notifies a third party rather than you, as you'll never get those alerts. For scope and context the report estimates the impact of the Charlotte Water being offline at $132 million/day, and the California State Water Project at $61 billion/day when offline. While the report highlights the need to formalize the relationship between the EPA and CISA for monitoring and reporting of attacks, water system operators, who are aware of the need for increased cyber security measures, aren't seeing the corresponding budgets to implement those protections. Hopefully the report results in actionable data to bolster the argument for those budgets.
FCC Cybersecurity Pilot Demand Exceeds Expectations
The US Federal Communications Commission (FCC) saw 'strong interest' in their cybersecurity pilot program for libraries and K-12 schools. The FCC received more than 2,700 applications totaling $3.7 billion in requests; the program has allocated $200 million over three years to provide help with the costs of services and equipment for eligible schools and libraries. The funding formula is based on the number of students served; the grants for the pilot program range from $15,000 to $1.5 million. The funds have not yet been distributed. The application process closed on November 1, 2024.
Editor's Notes
The funding, when granted, can be used for securing their networks in one of four categories: advanced or next-gen firewalls; identity protection and authentication; endpoint protection; and monitoring, detection, and response (MDR). The volume of applicants shows an unmet need in our local schools and libraries, who are facing shrinking budgets with no room to incorporate cybersecurity improvements. There may be an opportunity to partner with your local schools and libraries to help them raise the bar.
Threat Actor Intercepted eMail Communications Between US Congressional Staffers and Library of Congress Staff
An 'adversary' accessed email communications between US congressional legislative staffers and staff in the Library of Congress's Congressional Research Service. The information theft occurred between January and September of this year. Staff affected by the incident were notified on Friday, November 15.
Editor's Notes
- Slide 1 of 2
The intercepted communication included legal advice to congressional staffers from library research staff regarding confidential legislative issues. Beyond work you're doing to mitigate BEC, Phishing and other email scams, make sure that your SMTP services/relays are configured to use TLS to prevent MiTM message interception; this is already required for cabinet level agencies per BOD-18-01.
- Slide 2 of 2
Not a lot of information on the incident. That said, suspect it to be a missed email server patch. What's troubling is that it took nine months to detect and mitigate the security incident. Lots of lessons learned that should, at the appropriate time, be shared with the cybersecurity community.
Slide 1 of 0- Slide 1 of 2
UN Joint Statement on Ransomware Targeting Healthcare Facilities
More than 50 United Nations member states have issued a joint statement, saying they are 'deeply concerned with the frequency, scale, and severity of ransomware attacks against critical infrastructure, in particular hospitals and other healthcare facilities.' The statement calls on all UN members 'to collectively work together to strengthen the cybersecurity and resilience of our critical infrastructure and work to confront and disrupt the ransomware threat.'
Editor's Notes
- Slide 1 of 2
The relentless extortion attacks on healthcare deserve our attention. Certainly improved resiliency of our systems is both efficient and essential. However, these attacks continue to escalate in part because the perpetrators believe that there is little risk they will be investigated, indicted, or punished. The role of nation states is to so enforce the law so as to discourage these attacks.
- Slide 2 of 2
The UN could call out nations that are harboring ransomware gangs and enforce a penalty on them. Or they could continue to issue statements and adjourn for cocktail hour. It looks like they chose the latter.
Slide 1 of 0- Slide 1 of 2