Researchers from Volexity found that a Russian APT gained access to a targeted network by finding nearby vulnerable networks and "daisy-chaining" access through them to reach the targeted organization's Wi-Fi network. The attackers used credential stuffing attacks to find passwords for the targeted organization's web service platform accounts, but MFA prevented them from using those accounts. Once they had a foothold on a nearby organization's Wi-Fi, however, the attackers found that the same credentials worked on the target's Wi-Fi network because it had no MFA. Beyond monitoring and detection tools, mitigation suggestions from Volexity include "creat[ing] separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources [and] … hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions." Volexity's Steven Adair presented the company's findings at the Cyberwarcon security conference last week.
So much to consider here. I continue to be surprised that VPN and Wi-Fi networks not only require just a username/(AD) password, but also that these lightly authenticated connections are then trusted. At a minimum, implement OTP for these connections. With all the work we've done to expose services for access without respect to the network, maybe circle back and look at them from a zero-trust perspective: both the user and the device need to be authenticated before connections to services are granted, regardless of the originating network. Make sure you have Wi-Fi monitoring and security dialed in, not only for unexpected behavior, but also for rogue device and network detection and response.
I have heard people speculating about attacks like this. This is the first time I have seen it documented. The closest attack like this was an attack against a financial institution where an adversary landed a drone on the building that was used as a Wi-Fi relay. This attack should renew interest in Wi-Fi security.
Read more in: Volexity | Wired | Ars Technica | Dark Reading | Bleeping Computer | Security Week
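The check a SOC would want from the story above is the correlation the attackers relied on nobody making: an account that was hammered by credential guessing against the MFA-protected portal, then quietly succeeds on Wi-Fi where there is no MFA. The following is an added example, not Volexity's code or data. Its log formats, the meaning of reason=mfa_denied (password accepted, MFA stopped the logon), the thresholds (3 accounts in 10 minutes, 48-hour look-ahead) and every sample line are constructed assumptions to adapt to your IdP and RADIUS logs.

```python
"""Correlate a credential-guessing burst against an MFA-protected web portal with
later Wi-Fi (RADIUS/802.1X) logons by the same accounts.
Added example; log formats, thresholds and all sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not Volexity's data). Assumed format: one event per
# line; reason=mfa_denied means the password was accepted and only MFA blocked it.
WEB_AUTH_LOG = """\
2024-11-20T08:01:11Z portal auth=fail user=jdoe src=203.0.113.10 reason=bad_password
2024-11-20T08:01:12Z portal auth=fail user=asmith src=203.0.113.10 reason=bad_password
2024-11-20T08:01:13Z portal auth=fail user=bwong src=203.0.113.10 reason=bad_password
2024-11-20T08:01:15Z portal auth=fail user=jdoe src=203.0.113.10 reason=mfa_denied
2024-11-20T08:01:16Z portal auth=fail user=asmith src=203.0.113.10 reason=mfa_denied
2024-11-20T09:30:00Z portal auth=ok user=cjones src=198.51.100.7 reason=-
"""

# Constructed RADIUS log; calling= is the client MAC (Calling-Station-Id).
RADIUS_LOG = """\
2024-11-20T08:40:02Z radius Access-Accept user=jdoe nas=ap-3f-west calling=AA:BB:CC:DD:EE:01
2024-11-20T08:45:30Z radius Access-Accept user=cjones nas=ap-2f-east calling=AA:BB:CC:DD:EE:02
2024-11-20T10:12:44Z radius Access-Accept user=asmith nas=ap-3f-west calling=AA:BB:CC:DD:EE:01
2024-11-21T09:00:00Z radius Access-Accept user=bwong nas=ap-1f-lobby calling=AA:BB:CC:DD:EE:03
"""

WEB_RE = re.compile(r"^(?P<ts>\S+) portal auth=(?P<result>\w+) user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) reason=(?P<reason>\S+)")
RADIUS_RE = re.compile(r"^(?P<ts>\S+) radius Access-Accept user=(?P<user>\S+) "
                       r"nas=(?P<nas>\S+) calling=(?P<mac>\S+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def targeted_accounts(web_log, min_accounts=3, window=timedelta(minutes=10)):
    """Accounts hit by a guessing source (>= min_accounts distinct users failing from
    one IP inside `window`): {user: {"first_seen", "confirmed", "src"}}.
    'confirmed' = the password stage passed, so the attacker holds a valid password."""
    by_src = defaultdict(list)
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and m["result"] == "fail":
            by_src[m["src"]].append((parse_ts(m["ts"]), m["user"], m["reason"]))
    accounts = {}
    for src, events in by_src.items():
        events.sort()
        first_seen = {}
        for ts, user, _ in events:
            first_seen.setdefault(user, ts)
        # Sliding window over each account's first failure from this source
        times, lo, is_spray = sorted(first_seen.values()), 0, False
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_accounts:
                is_spray = True
                break
        if not is_spray:
            continue
        for ts, user, reason in events:
            acct = accounts.setdefault(user, {"first_seen": ts, "confirmed": False, "src": src})
            if reason == "mfa_denied":
                acct["confirmed"] = True
    return accounts


def correlate(web_log, radius_log, window=timedelta(hours=48)):
    """Alert on Wi-Fi Access-Accepts for targeted accounts within `window` of the
    guessing burst. Severity is high when the password was confirmed by an MFA denial."""
    accounts = targeted_accounts(web_log)
    alerts, users_per_mac = [], defaultdict(set)
    for line in radius_log.splitlines():
        m = RADIUS_RE.match(line)
        if not m or m["user"] not in accounts:
            continue
        info, ts = accounts[m["user"]], parse_ts(m["ts"])
        if not info["first_seen"] <= ts <= info["first_seen"] + window:
            continue
        users_per_mac[m["mac"]].add(m["user"])
        alerts.append({"user": m["user"], "severity": "high" if info["confirmed"] else "medium",
                       "wifi_ts": ts, "nas": m["nas"], "mac": m["mac"], "guess_src": info["src"]})
    # One client MAC logging on as several targeted accounts points at a single
    # attacker-controlled client behind the Wi-Fi logons
    for a in alerts:
        a["shared_client"] = len(users_per_mac[a["mac"]]) > 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(WEB_AUTH_LOG, RADIUS_LOG):
        print(alert)
```

On the constructed data this raises high-severity alerts for jdoe and asmith (password confirmed by the MFA denial, then a Wi-Fi logon from the same client MAC) and a medium one for bwong (only targeted, not confirmed). The rule is deliberately blind to the portal's MFA "success": the signal is that the weaker Wi-Fi path accepted a password the strong path had already exposed as known to an attacker. Certificate-based or MFA-backed Wi-Fi authentication, as Volexity recommends, removes the condition this rule detects.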
In a November 20 blog post, researchers at Trellix describe a malware campaign that abuses an outdated but legitimately signed Avast anti-rootkit driver and "manipulates it to terminate security processes, disable protective software, and seize control of an infected system." The driver in question is a kernel-mode driver, so it runs inside the core of the operating system. The malware leverages that kernel-level position "to terminate security processes [and] disable protective software"; a list of 142 process names from major software vendors is hardcoded into the malware. Preventing a Bring Your Own Vulnerable Driver (BYOVD) attack like this involves implementing rules to "identify and block specific vulnerable drivers based on their unique signatures or hashes," according to Trellix.
The trick is preventing the installation of old/outdated software (drivers, applications, etc.) coupled with visibility into the endpoint (think EDR). While the idea of allow/deny lists for installation may be daunting, take a look at this for your purpose-built servers which don't need a lot of flexibility in what they do.
Consider this article from Microsoft around the defensive control called Hypervisor-Protected Code Integrity (HVCI), which can help to prevent the use of BYOVD attacks. https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985
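Trellix's recommendation is to block by hash or signature; the detection side of that is watching driver loads. The following is an added example (not Trellix's or Avast's code) that runs that logic over constructed Sysmon Event ID 6 (DriverLoad) records: the field names are Sysmon's, but every path, signer, hash and the blocklisted "driver" bytes are invented for the example, and the trusted-directory list is an assumption to tighten for your fleet.

```python
"""Flag suspicious kernel driver loads (BYOVD) in Sysmon Event ID 6 records.
Added example; the records, hashes and blocklist are constructed, not Trellix's data."""
import hashlib

# Stand-in for a driver binary you have collected and decided to block.
# Constructed bytes, not the Avast driver: in practice hash the real .sys file.
KNOWN_VULNERABLE_DRIVER_BYTES = b"MZ\x90\x00constructed-vulnerable-driver-stand-in"


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the case Sysmon uses in its Hashes field."""
    return hashlib.sha256(data).hexdigest().upper()


VULN_SHA256 = sha256_hex(KNOWN_VULNERABLE_DRIVER_BYTES)
BLOCKLIST_SHA256 = {VULN_SHA256}

# Locations a properly installed driver is expected to load from (assumption:
# tighten to what your fleet actually uses).
TRUSTED_DRIVER_DIRS = (
    "C:\\Windows\\System32\\drivers\\",
    "C:\\Windows\\System32\\DriverStore\\",
)


def hashes_field(sha256: str) -> str:
    """Build a Sysmon-style Hashes value for the constructed records below."""
    return f"SHA1={'0' * 40},MD5={'0' * 32},SHA256={sha256},IMPHASH={'0' * 32}"


# Constructed Sysmon Event ID 6 (DriverLoad) records; field names follow the
# Sysmon schema, every value is invented for the example.
SYSMON_DRIVER_LOADS = [
    {"UtcTime": "2024-11-20 10:00:01.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": hashes_field("0" * 64),
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-11-20 10:03:17.000",
     "ImageLoaded": r"C:\Users\Public\drv.sys",
     "Hashes": hashes_field(VULN_SHA256),
     "Signed": "true", "Signature": "Example AV Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-11-20 10:05:42.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\old.sys",
     "Hashes": hashes_field("1" * 64),
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Expired"},
]


def parse_hashes(field: str) -> dict:
    """'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' -> {'SHA1': '..', ...} (upper-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def evaluate(record: dict, blocklist=BLOCKLIST_SHA256, trusted_dirs=TRUSTED_DRIVER_DIRS) -> list:
    """Return the reasons a driver-load record deserves a look (empty list = clean)."""
    reasons = []
    if parse_hashes(record.get("Hashes", "")).get("SHA256") in blocklist:
        reasons.append("blocklisted_hash")        # known-vulnerable driver, by hash
    path = record.get("ImageLoaded", "").lower()
    if not any(path.startswith(d.lower()) for d in trusted_dirs):
        reasons.append("untrusted_path")          # dropped outside the driver store
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("signature_not_valid")     # unsigned, expired or revoked signer
    return reasons


def scan(records, blocklist=BLOCKLIST_SHA256) -> dict:
    """Map each flagged ImageLoaded path to its list of reasons."""
    findings = {}
    for record in records:
        reasons = evaluate(record, blocklist)
        if reasons:
            findings[record["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SYSMON_DRIVER_LOADS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The validly signed driver loaded from a user-writable directory is the BYOVD shape worth alerting on even before its hash is on any list: the signature is genuine, which is exactly why hash and path context matter more than the signer name. A hash blocklist is reactive by nature, so treat it as the detection layer behind a preventive control such as the HVCI and vulnerable-driver blocklist policy described in the Microsoft article above.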
In a November 20 press release, the University of Chicago Harris School of Public Policy's Cyber Policy Initiative (CPI) announced a collaborative effort with the National Rural Water Association (NRWA) and volunteers from the DEF CON Franklin Project to pair experts with vulnerable US water utilities in the wake of rising cyberattacks on the water sector. The Franklin Project states two key tasks: the first is collecting information on "pressing cyber policy gaps" from participating DEF CON villages and synthesizing it into informed recommendations and a "Hackers' Almanack" resource; the second is connecting volunteers from the DEF CON community to sectors and organizations in need of cybersecurity expertise. Six water utilities in Indiana, Oregon, Utah, and Vermont have already been identified for pairing with volunteers. CPI's press release highlights that the overwhelming majority of US water systems serve small communities but lack the resources and staff to secure their systems; the Franklin Project aims to serve them by "deploying volunteers as a free, scalable solution to help secure water systems nationwide."
What an excellent initiative! Unfortunately sign-ups for volunteers are presently closed, and it isn't clear how water authorities can put their names on the list. While they learn to scale: remember that we also have Infragard and state agencies to help manage volunteer efforts.
While I applaud the efforts of the DEF CON hackers, what happens once the volunteers depart? At the end of the day, whatever solutions are implemented must continue to be resourced; is that part of the plan?
It's nice to see a news story that recognises the good that hackers do and our contribution to making the world a safer place.
Read more in: The Register | DEF | University of Chicago
British critical national infrastructure suffered an unprecedented number of "cyber incidents" in 2024, possibly as much as a 50% increase from 2023. Under UK law, providers must report significant incidents to the government but are not required to disclose them publicly. Recorded Future News discovered through a UK Freedom of Information (FOI) Act request that drinking water systems experienced at least six significant cyber incidents this year that "directly impact[ed] on the production and delivery of wholesome water, irrespective of whether or not customers are directly affected," up from a previous yearly record of two. The information request was initially denied, but the appeal succeeded when the Department for Environment, Food and Rural Affairs "could not demonstrate how [disclosing] statistical data might make services more vulnerable." The Cyber Security and Resilience Bill, to be introduced in Parliament in 2025, aims to redefine thresholds and requirements for reporting and to strike a balance between secrecy and transparency, prioritizing citizens' informed confidence in infrastructure alongside the security of critical details.
An n of six hardly supports any statistical inference, particularly in such a large population. That is not to suggest that there is no problem, only to caution about how to talk about its growth.
All critical infrastructure is a target - from the smallest town water authority to national power grids. Sharing details about attacks like this helps everyone prepare for WHEN they're hit.
On November 22, 2024, the Supreme Court of the United States (SCOTUS) issued a per curiam decision in Facebook, Inc. v. Amalgamated Bank, dismissing Meta's petition for writ of certiorari as "improvidently granted." The Court had agreed to review the case; the dismissal leaves the Ninth Circuit Court of Appeals' ruling in place, "allow[ing] a securities fraud class action against Meta to go forward." The "multibillion-dollar" suit stems from investors' complaints that when the Cambridge Analytica scandal came to light, stock prices plunged because Meta had "improperly downplayed the risks of a data breach." In 2019 the Federal Trade Commission fined the company an unprecedented $5 billion over its culpability in misleading users while their personal information was collected, purchased, and used by Cambridge Analytica in 2016 US political campaigns. A separate class-action suit over the same breach settled in 2022 for $725 million.
To help them fight any possible tendency to soft-pedal incident reports, make sure your CFO and corporate PR/communication teams are aware of this decision.
Companies that collect and manage consumer data should pay attention to this decision. If you’re in the data collection business, and who isn’t these days, have your legal team review and update the authorization agreement as needed.
The US Federal Communications Commission (FCC) has proposed a fine of nearly $735,000 against Hong Kong-based smart device manufacturer Eken. Specifically, the FCC alleges that Eken violated an FCC requirement that foreign companies designate an agent within the US. Additionally, the FCC's Enforcement Bureau is investigating allegations of security issues with Eken video doorbells. A Consumer Reports investigation found "serious security and privacy vulnerabilities with these devices" that could have been exploited to gain control of affected doorbells and to view images from the doorbell's camera. The devices also leaked Wi-Fi network names and home IP addresses. Eken released fixes for the vulnerabilities after meeting with Consumer Reports engineers.
With new 2025 tariffs in the news, good for CISOs to check on impacted supply chain reliances on vendors, subcontractors/outsourcers, and the suppliers to critical vendors, and develop contingency plans to deal with supply chain impacts.
The US agent is supposed to conduct required wireless interface testing and obtain authorization from the FCC prior to products being sold in the US. Eken and the other Chinese equipment manufacturers being investigated all used the same US agent, GSS Service Inc., based in Colorado Springs. This agent's address/mailbox has been inactive since 2019, so it's likely the claimed authorizations are fraudulent. Consumer Reports identified both the security flaws and the lack of an FCC ID sticker on the devices. Subsequently, Eken did issue a firmware update which addressed the security flaws in April, and the company claims to have an approved FCC ID which appears in its app.
Enforcement leads to establishment and implementation of security better practices. With the proposed fine, the FCC has exposed a dirty little secret in how foreign companies get around, at minimal cost, the intent of the law requiring US-based company agents.
Read more in: FCC | Advocacy | SC World
Roughly 2,000 Palo Alto Networks devices have been compromised via a pair of recently-disclosed vulnerabilities, according to data gathered by The Shadowserver Foundation. The flaws, an authentication bypass vulnerability (CVE-2024-0012) and a command injection vulnerability (CVE-2024-9474), affect Palo Alto Networks PAN-OS Management Interface. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to their Known Exploited Vulnerabilities catalog on November 18; Federal Civilian Executive Branch agencies have until December 9 to address the issues.
Palo Alto has released updates which address both of these flaws. In addition to applying the update, secure access to the management interface. CVE-2024-0012 has a CVSS score of 9.8, which drops to 5.9 after restricting access to the management interface. CVE-2024-9474 has a CVSS score of 6.9. Regardless of the score, the flaws are being aggressively targeted, so you need to take action now. The campaign is being tracked by Palo Alto Unit 42 as Operation Lunar Peek.
Read more in: bsky | The Record | The Register | SC World | Cybersecurity Dive | CISA
QNAP has pulled a firmware update, QTS 5.2.2.2950 build 20241114, that reportedly broke some network attached storage (NAS) features and capabilities and in some cases prevented users from logging into their devices. In a community announcement, QNAP wrote that "the issue caused by this update only affected limited models of TS-x53D series and TS-x51 series: HS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2." QNAP provides instructions for downgrading the update.
It’s generally a poor security practice, but in this case it hopefully saved some users a tech support call. Firmware tends to be the one area where users lag in implementing the software update.
The firmware downgrade involves downloading the prior firmware image and doing a manual install. QNAP is ready to provide technical support for this process. If you're downgrading, keep an eye open for the next update, as the downgrade reintroduces the flaws, mostly operational, previously fixed. As NAS continues to be a target, be mindful of malicious actors targeting the downgraded devices. Make sure your NAS devices are not directly exposed to the Internet.
Make sure to test changes against all devices or products.
Read more in: QNAP Community | The Register | Bleeping Computer
"We're having issues, but we're working on it," reads the service status page for Microsoft's software products, as Microsoft 365 (Consumer) "continu[es] to incrementally recover" from an outage that began on the morning of Monday, November 25. Throughout the day, customers reported problems or complete outages in Exchange Online, Microsoft Teams, SharePoint Online, OneDrive, Purview, Copilot, Microsoft Fabric, Microsoft Bookings, Microsoft Defender for Office 365, and Outlook Web and Desktop. At 6:25pm EST, Microsoft updated the status of the outage, adding an explanation: "We identified a change that caused an influx of retry requests routed through servers, impacting service availability. To address this, we implemented optimizations to enhance the infrastructure's processing capabilities. These changes have provided incremental relief, and we are closely monitoring the service to ensure stability. Our team is actively performing follow-up actions and will initiate additional workstreams as needed to fully resolve the issue."
Microsoft’s Service Level Agreement document is over 100 pages long and is based on the percentage of “user minutes” impacted per month, or (for internal Exchange 365 use) when 95% of email takes longer than 1 minute to be delivered, but an 8 hour disruption could qualify your company for a 25% service credit. Make sure IT ops knows how to determine when Microsoft is non-compliant with its own SLAs, and that you are being compensated. It is important to make such outages as expensive as possible to the offenders.
This affects Microsoft 365 Commercial rather than their Government cloud service offerings. While it looks like Microsoft has either rolled back the change or implemented mitigations to at least 98% of their environments, with outage reports tapering off after noon on Monday, the size and interconnection of the components affected mean that it'll take a bit for service to normalize everywhere. If the conversation takes you to moving off MS 365, consider your prior on-premises service offering, including services offered, scaling and availability, and that alternate cloud services may have similar outage impact risks to explore before going there.
One more in the increasingly frequent Microsoft incidents. Reliance at the cost of resilience.
Quick & Dirty Obfuscated JavaScript Analysis
https://isc.sans.edu/diary/Quick+Dirty+Obfuscated+JavaScript+Analysis/31468/
Decrypting a PDF With a User Password
https://isc.sans.edu/diary/Decrypting+a+PDF+With+a+User+Password/31466/
The strange case of disappearing Russian servers
https://isc.sans.edu/diary/The+strange+case+of+disappearing+Russian+servers/31476/
QNAP Buggy Firmware Update
https://community.qnap.com/t/firmware-qts-5-2-2-2950-build-20241114-released/254
7-ZIP Zstandard Decompression Integer Underflow