SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsNine months after suffering a catastrophic ransomware attack, Change Healthcare says that its healthcare-related transactions clearinghouse services have been restored. Change Healthcare normally handles 15 billion financial transactions annually. The American Hospital Association reported that the February attack disrupted services at 94 percent of US hospitals.
Nine. Months. Later. Their clearinghouse service is not the last thing needing service restoration. I'm pretty sure none of us have put nine months as a recovery time objective without considerable management buy-in. I'm sure there were many conversations about the restored service stability, ability to handle the prior workload plus any catch-up work, and the zinger, promises that the compromise would never happen again, all of which result in delays. Work these out, including what evidence is expected, in your tabletop exercises. Don't forget to include exercises where you actually rebuild/recover and operate a system.
What fallout will we see from Change Healthcare? I am not sure the blowback has been strong enough yet in the Medical Sector. Does that say more about Healthcare IT or just Healthcare in general?
This may well have been one of the most expensive breaches in history with much of the cost being borne by customers.
The US Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment of a critical infrastructure organization at the organization's request. CISA has published a cybersecurity advisory detailing the tactics, techniques, and procedures they used. The report also includes lessons learned in the areas of insufficient technical controls, continuous training, support, and resources, and business risk as well as noted strengths demonstrated by the critical infrastructure provided.
The western world has a serious problem with critical infrastructure. Don't forget Volt Typhoon! Adversaries have persistence TODAY in water, power, healthcare, etc. and can break our first world bubble at any time. If you aren't a critical infrastructure provider, please consider volunteering with Infragard or local cyber civilian reserves (where available). Note: the red team here did not gain access to OT/ICS systems. That's great news!
Red Team, Blue Team, Purple Team, Architect, in the sector, not in the industry, it doesn't matter. I highly recommend reading this report. It doesn't matter if you are early in your career, late in your career, director, or CIO, this is a valuable report. I recommend reading this report if you do nothing else today or next week.
Three takeaways here: First is the importance of defense in depth. Not just EDR but also network layer detection and response. Second is to keep the staff trained and supported with the resources to detect, understand and respond to current threats. Third is management support and understanding of threats for proper risk-based decision making, not supporting updates of known vulnerable software, instead accepting the risk. Where a WAF had been deployed in response to a discovered vulnerability, in the new VDP program, it was never toggled from monitor/learning mode to blocking mode, management should have verified procedures were in place to ensure issues were fully addressed and verified. Take a hard look at your shop in this context, then take steps to avoid a me-too scenario.
In a Security Announcement published this week, D-Link 'recommends that D-Link devices that have reached EOL/EOS be retired and replaced.' Specifically, the advice applies to these D-Link routers: DSR-150 (EOL May 2024), DSR-150N (EOL May 2024), DSR-250 (EOL May 2024), DSR-250N (EOL May 2024), DSR-500N (EOL September 2015), and DSR-1000N (EOL October 2015). The announcement follows the disclosure of a serious buffer overflow vulnerability in the devices that could lead to remote code execution.
These devices are typically installed in the houses of non-IT individuals. I suspect when you're in the US and going to your parents'/relatives' houses, maybe take a look and see if they are running these older devices. If so, Christmas is around the corner.
These are not expensive devices and most users have gotten good value from them. The replacements will offer improvements in value, performance, features, and functions. Much of the cost of replacing them will be in the setup, configuration, and network downtime. (Hopefully the replacements will not have default passwords.)
It's totally legitimate to set EOL dates and not provide updates beyond that point. And it's on us, as consumers, to plan for that. Having a scored CVE for the vulnerability helps make the case for prompt action, even if these devices are under $200 each.
D-Link is at least offering a discount for people who need to switch devices. On the other hand, open source solutions like OpenWRT will often extend the life of these devices by years.
The Qualys Threat Research Unit (TRU) has published a report on five local privilege escalation vulnerabilities in "needrestart," a Linux utility that helps automatically keep service versions current by flagging them for restart after updates. The utility has had all five flaws since version 0.8, released April 2014, and has been installed by default in Ubuntu Server since version 21.04, and may be manually installed on many older Ubuntu releases and in the package repositories of other distributions. CVE-2024-48990, CVE-2024-48991, and CVE-2024-48992 allow arbitrary code execution by running interpreters with malicious variables or by installing malicious interpreters; CVE-2024-11003 and CVE-2024-10224 allow execution of arbitrary shell commands via unsanitized input data. Updating to 3.8 or later patches the flaws, but a modification to the utility's configuration file to "disable the interpreter scanning feature ... [to] stop needrestart from executing interpreters with potentially attacker-controlled environment variables."
Qualys team continues to find classic amazing bugs in Legacy Software. It not only feels retro, but in this case, it is retro.
Needrestart can be compelled to execute arbitrary scripts, which can be mitigated by changing /etc/needrestart/needrestart.conf to disable interpreter scanners by setting $nrconf{interpscan} to 0 until you deploy the updated packages. In CVE-2024-48990 and CVE-2024-48922 an attacker can run a script which uses environmental varabiles to execute arbitrary code, while CVE-2024-48991 requires exploiting a time-of-use time-of-check race condition. In CVE-2024-11003 attacker-controlled input is fed to Module::ScanDeps triggering CVE-2024-10224. Tip: it took you longer to read that paragraph than it would to deploy the updated needrestart and libmodule-scandeps-perl.
Qualys did not provide a proof of concept exploit, but there is enough detail in their report to assume that an exploit will be released before you read this. This is only a privilege escalation issue, but should still be addressed quickly.
Qualys
Bleeping Computer
SCMedia
The Register
Google's OSS-Fuzz tool, which now includes AI capabilities, recently detected 26 vulnerabilities in open-source projects. Google announced that it was bringing large language model (LLM) capabilities to bear on the tool, which has been in use since 2016. Google says the vulnerabilities would not have been detected without the targets generated by the LLM component.
Everything we do in security is bounded by resources (people, time, money), and prioritizing those resources towards maximum RRROI (Risk Reduction Return on Investment) is critical. Since by definition fuzzing starts with an infinite number of possible inputs, creating fuzzing targets to increase the odds of finding vulnerabilities, or in particular to maximize code coverage and reduce, is needed. Using AI techniques seems promising, but my worry is what 'blind spots' are or will be built into the LLM models being used for this? There have been great demonstrations about how AI-based image recognition models can be easily defeated. Increased code coverage should be a good thing, unless the remaining code area is the real vulnerability swamp.
The AI LLMs are both reducing the time to detection and finding flaws not discovered by "human-written" fuzzing tests. While the ultimate goal is to have the LLM generate a suggested patch for flaws found, consider how leveraging the OSS-Fuzz open-source tool in your SQA processes would help you with discovery with nominal impact on the release process, assuming no issues are found.
On Tuesday, November 19, Apple released patches for two zero-day vulnerabilities in macOS and iOS systems; the company "is aware of a report" that these bugs have been exploited in the wild on Intel-based Mac systems, but does not specify details nor indicators of compromise (IoC). Both vulnerabilities stem from "processing maliciously crafted web content": CVE-2024-44308 allows arbitrary code execution through JavaScriptCore, and CVE-2024-44309 allows a cross-site scripting attack through WebKit. To apply the patches, update to macOS Sequoia 15.1.1, iOS/iPadOS 17.7.2 or 18.1.1, and visionOS 2.1.1.
CVE-2024-44309 is a cookie management flaw, while CVE-2024-44308 impacts the JavaScript core. Note these apply to both iOS 17 & 18. Make sure that you're working to be on devices which can all run iOS 18, it's a lot easier when your fleet is all on the same version. Your Mac users are likely already getting prompts to install 15.1.1 - make sure the updates are actually applied.
Just a reminder that most Apple users should have automatic updates enabled.
Bleeping Computer
TechCrunch
The Hacker News
Security Week
NIST
NIST
According to Censys's 2024 State of the Internet Report, there are more than 145,000 internet-exposed industrial control systems (ICS) worldwide. Censys detected exposed systems in 175 countries. Thirty-eight percent of the exposed systems are in North America, 35% in Europe, and 22% in Asia. The report indicates that the exposed systems are accessible through certain protocols, including Modbus, Fox, BACnet, WDBRPC (Wind River), EIP, S7 (Siemens), and IEC 60870-5-104.
Oracle has released fixes for an actively exploited, high-severity unauthenticated information disclosure vulnerability in their Agile Product Lifecycle Management (PLM). The flaw has been exploited to download files. The issue affects PLM version 9.3.6. Admins are urged to update to a fixed version as soon as possible.
Oracle
Security Week
Heise
Help Net Security
Bleeping Computer
NVD
MITRE has published their list of 25 Most Dangerous Software Vulnerabilities for 2024. Topping the list is improper neutralization of input during web page generation, or cross-site scripting; followed by out-of-bounds write, improper neutralization of special elements used in an SQL command, or SQL injection; cross-site request forgery; improper limitation of a pathname to a restricted directory, or path traversal; and out-of-bounds read.
While their placement has moved around from a ÒMost DangerousÓ perspective, all of the vulnerabilities were listed last year in the top 40 Ð none of them are new. If you required all code to get a clean run from most modern app vulnerability testing tools before promoting to production systems, you would have known of these in advance of exposure.
What have we learned? In my lifetime thus far, these bugs haven't changed in how dangerous they are, they appear to be static in that sense. Take this into account when you consider we are not making any less software as a species, only more software is being made.
Input sanitization (neutralization) has been a challenge and a successful attack vector for a while. The other vulnerabilities aren't new either, so your security testing (static and dynamic) should already be revealing these weaknesses. The focus has to be on secure coding, taking the time to ensure weaknesses are addressed as early as possible in the SDLC. Use this report to bolster the case that secure development is as important as delivery.
In a statement to customers updated on November 13, Finastra, "which provides software and services to 45 of the world's top 50 banks," disclosed a data breach in an internal secure file transfer platform (SFTP), mentioning but neither verifying nor disavowing claims that a threat actor allegedly stole and sold the data on the dark web. Finastra's business spans over 8000 clients in 42 countries, often "processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients." The company's Security Operations Center (SOC) believe that malware was not deployed, and no files were accessed, viewed, or tampered with apart from those exfiltrated. The compromised SFTP was not the default platform, and certain products and customers were not affected. Finastra has emphasized "accuracy and transparency" in communication with customers, employing a third-party cybersecurity firm as well as "implement[ing] an alternative secure file sharing platform" while their investigation of the breach continues.
The threat actor, or at least their persona abyss0, seems to have vanished, abandoning some transactions mid-stream. Given the success of recent law enforcement takedowns, one hopes there is a connection. Regardless, file interchange systems continue to be a target. Fully understand the risks of those used, and offered Ñ Finastra's system was in-house Ñ and make sure you have proactive monitoring. Check those incident response parts of your contracts, making sure all contacts are current and are part of the cyber provisions your procurement team incorporates into contract language. Having a good relationship with that team, as well as your OGC, goes a long way to stacking the deck in your favor.
Krebs on Security
Bleeping Computer
Krebs on Security
Increase In Phishing SVG Attachments
https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456
Apple Patches Two Exploited Vulnerabilities
https://isc.sans.edu/diary/Apple+Fixes+Two+Exploited+Vulnerabilities/31452
Detecting the Presence of a Debugger in Linux
https://isc.sans.edu/diary/Detecting+the+Presence+of+a+Debugger+in+Linux/31450
Logging blind spot revealed in FortiClient VPN
https://pentera.io/blog/FortiClient-VPN_logging-blind-spot-revealed/
Needrestart Vulnerability
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
Oracle Patch for Agile Product Lifecycle Management CVE-2024-21287
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
OFBiz Patches CVE-2024-47208 CVE-2024-48962
https://nvd.nist.gov/vuln/detail/CVE-2024-47208
https://seclists.org/oss-sec/2024/q4/95
D-Link Warns of Vulnerability in EOL Devices
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415
Palo Alto Patches
https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloaltonetworks.com/CVE-2024-9474
VMware vCenter Server Attacks
Veritas Enterprise Vault Vulnerability
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveA SANS Product Review: Optimizing Security Operations with Cortex XSOAR.
Virtual Event: Cloud Security Convergence: How Control Models for A Robust Cloud Security Stack Are Changing | December 6, 1:00 PM ET | As cloud security controls mature, it's common to find that a wide variety of security controls and configuration capabilities are melding into a single platform or service fabric.
Survey: 2025 ICS Security Budget vs.
Special Offer: 20% Off GIAC Applied Knowledge Certifications Applied Knowledge Certifications truly test your mettle and set you apart from your peers in the field of cybersecurity.