SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
T-Mobile Resists Intrusions, Suspects Chinese APT
T-Mobile has foiled an attack by threat actors suspected to be "linked to Chinese state-sponsored operations," according to Chief Security Officer (CSO) Jeff Simon in a November 27 update. The attack "originated from a wireline provider’s network" connected to T-Mobile, but the company's defenses successfully detected the infiltration attempts, protected sensitive customer records including metadata with "information about the caller, sender and recipient," and disconnected from the compromised network. The CSO attributes this success to a "cybersecurity major transformation" undertaken by T-Mobile in the wake of previous attacks: a 2022 internal systems intrusion by Lapsus$ and a 2022-2023 data breach affecting 37 million customers are the latest of eight major breaches the provider has disclosed since 2018. The recent overhaul focused on layered defenses, proactive monitoring, rapid response and mitigation, and "constant vigilance." Simon enumerates specific security measures including: MFA and FIDO2 authentication; network segmentation; improvements to logging, patching, and security tools; and regular testing, attack simulations, and rewards for vulnerability discovery. Though T-Mobile notes that this attack differs from other recent intrusions, the statement follows confirmations by government agencies that a Chinese Advanced Persistent Threat (APT) group has compromised the wiretap systems required under US law since 1994’s Communications Assistance for Law Enforcement Act (CALEA).
Editor's Notes
- Slide 1 of 2
Compare that list of specific security measures in the overhaul (layered defenses, proactive monitoring, rapid response and mitigation, and "constant vigilance”) to the Critical Security Controls – pretty close match.
- Slide 2 of 2
While none of the improvements is earth shattering alone, each needs to be ubiquitous and securely deployed, and in total the impact is dramatic. Yes, defense in depth remains important.
Slide 1 of 0- Slide 1 of 2
Undersea Cable Advisory Board
The International Telecommunication Union (ITU) and the International Cable Protection Committee (ICPC) have established the International Advisory Body for Submarine Cable Resilience. The board’s 40 members “will address ways to improve cable resilience by promoting best practices for governments and industry players to ensure the timely deployment and repair of submarine cables, reduce the risks of damage, and enhance the continuity of communications over the cables.“ ICPC estimates that there are between 150 and 200 undersea cable faults every year, resulting in an average of three undersea cable repairs every week.
Editor's Notes
- Slide 1 of 5
Three undersea cable repairs a week on average is pretty staggering. The resilience of this network is just astonishing; however, this is an excellent idea as we will probably add more cables in the future, not less. This can be a significant vulnerability for a country during times of war. This is the unfortunate way we will need to start looking at infrastructure going forward.
- Slide 2 of 5
Communication lines extending beyond national borders (space or underseas) will remain vulnerable. Some international collaboration may help, but it is unlikely to protect cables from hostile nations. The recent past has also shown that it can be quite difficult to attribute cable and pipeline cuts in busy international shipping lanes. Keeping critical data close is likely the best protection to limit the impact of a communication line outage.
- Slide 3 of 5
While this advisory body works to develop improvements in best practices, which then need to be implemented by service providers, examine the risks/dependencies you have on undersea communication links, and examine options, such as path diversity, to mitigate these risks or at least have management consciously accept them.
- Slide 4 of 5
Physical attacks, sometimes masquerading as accidents, are hard to defend against. Formation of a board is only the first step. Funding will need to be secured and ‘repair kits’ preplaced around the world as part of any cable resilience strategy.
- Slide 5 of 5
One of the most important properties of the Internet is that it provides multiple routes between any two nodes. Redundancy — avoid single points of failure.
Slide 1 of 0- Slide 1 of 5
Costa Rican Fossil Fuel Provider Suffers Ransomware Attack
Costa Rican energy provider Refinadora Costarricense de Petróleo (RECOPE) reverted to manual operations last week following a ransomware attack. RECOPE “imports, refines and distributes fossil fuels across the country while also operating pipelines stretching from its Caribbean to Pacific coasts.” Cybersecurity experts from the US have been brought in to help with the situation. The attack against RECOPE systems comes just weeks after a similar attack against the country’s General Directorate of Migration.
Editor's Notes
- Slide 1 of 2
While we’ve been talking a lot about critical infrastructure security and paths available to help raise the bar, we also need to consider who you’re going to call when things go south. Identify these resources early on, then take needed steps to empower their recovery and forensic activities now, before you need them.
- Slide 2 of 2
Whether it is nation-state sponsored or simply criminals trying to make a buck is undetermined. The best defense remains, patching, configuring, and active monitoring of the enterprise.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Upgrade Zabbix to Fix Critical SQL Injection Vulnerability
Zabbix disclosed a critical SQL injection vulnerability (CVE-2024-42327) in the CUser.get function in their open-source network monitoring tool. The vulnerability could be exploited by anyone with “a non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access.” The vulnerability affects Zabbix versions 6.0.0 - 6.0.31, 6.4.0 - 6.4.16, and 7.0.0. Users are urged to upgrade to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1.
Editor's Notes
- Slide 1 of 2
Like most other monitoring solutions, Zabbix has an elevated position in the network. Systems like these should be patched and treated as extremely sensitive. This was supposed to be the lesson of the SolarWinds breach, but I suspect it is a lesson we will need to continue learning. Hopefully Zabbix administrators can patch these systems quickly.
- Slide 2 of 2
CVE-2024-42327, SQLi vulnerability in user.get API, CVSS score 9.9, requires authentication to exploit, but any authenticated user can exploit it, resulting in privilege escalation. While this flaw has been categorized as unforgivable, which may seem a little harsh, identifying and fixing SQLi flaws is a known quantity, so there really isn’t any excuse for them in 2024.
Slide 1 of 0- Slide 1 of 2
Phishing Campaign Used Corrupted Microsoft Office Docs
Malware-hunting company ANY.RUN has detected a phishing campaign that used corrupted Microsoft Office documents and archive files to avoid detection. ANY.RUN writes that in this campaign, ”threat actors attempt to conceal the file type by deliberately corrupting it, making it difficult for certain security tools to detect.” However, the files can still be opened and executed.
Editor's Notes
- Slide 1 of 2
These “lightly corrupted” files are not detected as malicious by the email scanners, so users can be enticed into opening them and clicking the repair button. When repaired they have a QR code the user scans which takes the user to the phishing/credential-harvesting site. Reality is the documents don’t contain malware, just a QR code, which means you’re back to measures preventing access to known bad sites, in this case on your mobile devices. Also incorporate the IOCs identified in the ANY.RUN report.
- Slide 2 of 2
This concept isn’t new. Corrupt UPX files have been used for decades to evade some defenses. The common issue is that software’s resiliency to deal with corrupt files must extend to security tools.
Slide 1 of 0- Slide 1 of 2
Poland’s Government Investigates Previous Administration’s Use of Pegasus
The Polish government is aggressively pursuing an inquiry into the previous administration’s use of Pegasus spyware against several hundred people between 2017 and 2022. Poland’s former internal security services chief was recently arrested and forced to testify before parliament about the previous administration's use of Pegasus. Earlier this year, Polish prosecutors building their case asked more than 30 Pegasus victims to share their stories.
Editor's Notes
- Slide 1 of 3
The temptation of surveillance is great. The NSO Group has made a lucrative business model from bureaucrats' fear. One infers that such investigations as this one are continuous, but like most use of Pegasus, generally covert.
- Slide 2 of 3
Spying on opposition parties has been around for decades, the only difference has been the tools deployed. In the 70’s it was bugging of offices (Watergate). Today, it’s the bugging of mobile phones. The sophistication of spyware will continue to evolve as technology does.
- Slide 3 of 3
The former security chief was presented the opportunity to testify on his direction to use Pegasus without being arrested, but declined that option. The downside of using politically motivated spyware is that when the administration changes, support can evaporate, leaving the buck to stop squarely in front of you. Make sure to consider legal and ethical implications/consequences before embarking on such a path.
Slide 1 of 0- Slide 1 of 3
INTERPOL / AFRIPOL Cybercrime Operation: 1,000+ Arrested
In a joint operation aimed at disrupting multiple cybercrime schemes in Africa, INTERPOL and AFRIPOL have arrested more than 1,000 individuals and dismantled a large swath of infrastructure that was supporting cybercrime. The operation, which was active in September and October of this year, targeted individuals and campaigns involving ransomware, business email compromise, digital extortion, and online scams.
Editor's Notes
The numbers associated with operation Serengeti are amazing. More than 35,000 victims were identified with over $193 million (USD) in losses throughout the operation. Participating countries included Algeria, Angola, Benin, Cameroon, Côte d'Ivoire, The Democratic Republic of the Congo, Gabon, Ghana, Kenya, Mauritius, Mozambique, Nigeria, Rwanda, Senegal, South Africa, Tanzania, Tunisia, Zambia and Zimbabwe. Success leveraged efforts from law enforcement as well as private sector contributors. This is the level and involvement necessary to counteract operations like this at scale. While others are working to take down these sorts of attackers, we can double down on the known defenses for BEC, social engineering, online scams and extortion. You know the drill: MFA, EDR, and URL filtering to augment user education.
UK NHS Trust Hospital Cyberattacks
Two UK National Health Service (NHS) Foundation Trust hospitals have released statements disclosing recent cyberattacks. Alder Hey Children's Hospital is responding to online claims that patient and donor data were stolen from "systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust." Alder Hey is currently investigating the published data and working with law enforcement to "secure [their] systems," stating that "services are operating as normal, and patients should attend appointments as usual." Alder Hey believes their breach is unrelated to the simultaneous incident at Wirral University Teaching Hospital Trust, which took certain systems offline after a "targeted cybersecurity issue." The result is three associated Trust hospitals operating on "pen and paper," with disruptions to scheduled services and appointments, and postponement of certain procedures. The Trust is "working closely with the national cyber security services ... to return to normal services at the earliest opportunity."
Editor's Notes
- Slide 1 of 2
It’s unclear if these are isolated incidents or a miscreant taking advantage of connected systems to greater effect. An Information Sharing and Analysis Center (ISAC), such as the H-ISAC, can help with sharing of cybersecurity best practices for this critical industry sector.
- Slide 2 of 2
If you’re heading to a Trust Hospital, (Wirral Women and Children's Hospital, Clatterbridge Hospital, and Arrowe Park Hospital) call ahead to determine if needed services are online and available. While Trust is following the recovery/prevent recurrence playbook, it goes without saying that hospital/medical service providers remain a target and we need to help them with cyber hygiene to knock down the success rate of these attacks.
Slide 1 of 0- Slide 1 of 2
First Linux UEFI Bootkit Includes LogoFAIL Exploit
A bootkit is malicious software that inhabits a computer at the innermost level, outside the operating system where the firmware initializes the boot process. The Unified Extensible Firmware Interface (UEFI) governs many modern boot processes, and until recently only Windows UEFI was targeted by bootkits, according to a blog post from ESET: "In November 2024, a previously unknown UEFI application, named bootkit.efi, was uploaded to VirusTotal," which is the first known UEFI bootkit designed to target Linux. Named "Bootkitty," the malware is limited to certain versions of Ubuntu, which alongside other indicators led ESET to propose that the malware is a proof-of-concept project; an update to the report adds additional evidence that it may have been created by a Korean cybersecurity training program and inadvertently leaked. While ESET notes that Bootkitty "is not capable of running on systems with UEFI Secure Boot enabled unless the attackers['] certificates have been installed," a November 29 report from Binarly shows that the malware exploits a vulnerability (CVE-2023-40238), involving a year-old flaw called LogoFAIL, "us[ing] embedded shellcode within a BMP image to bypass Secure Boot protections by injecting rogue certificates into the MokList variable." Binarly believes the malware also refines its targets to certain machines made by Acer, HP, Fujitsu, and Lenovo, and suggests users ensure their systems are patched against LogoFAIL. ESET's suggested preventions are enabling UEFI Secure Boot, and updating the OS, firmware, and UEFI revocations list.
Editor's Notes
This exploit lets the Linux community know they are not immune. The preventative measures are the same, update and secure the systems and enable Secure Boot. Because UEFI enables execution of code during the boot process, at a significant privilege level, this will keep it on the radar for hackers, and us on our toes making sure we’re staying patched. Even with these concerns, UEFI/Secure Boot is far better than the alternative/prior solutions.
Vulnerabilities in Advantech EKI Wireless Access Points
Researchers at Nozomi Networks have identified 20 vulnerabilities version 1.6.2 of the EKI-6333AC-2G industrial-grade wireless access point device. Advantech has released firmware updates to address the vulnerabilities. Six of the vulnerabilities are rated critical, and all but one of the remaining 14 are rated high severity.
Editor's Notes
- Slide 1 of 2
Code reuse — firmware in this case — is an established software development practice, and when vulnerabilities crop up, they affect classes of products. Updating the firmware is the fix, but that can be problematic as these access points are often found in industrial settings, and downtime must be coordinated.
- Slide 2 of 2
These are access points intended to use with your OT, not general IT systems, which means they may fall under similar availability and downtime constraints as the OT components reliant on them. While you’re making the case for downtime to apply the updates, make sure that you’re also working to deploy detectors to monitor for malfeasance on your Wi-Fi networks, and that access to management interfaces is tightly controlled.
Slide 1 of 0- Slide 1 of 2