SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Report Says SEC Breach Reporting Rules Aren't Providing Much Useful Information
According to a report from BreachRX, the US Securities and Exchange Commission's (SECÕs) breach reporting rules are not doing much to improve incident transparency. The rules, which took effect late last year, require public companies to disclose 'material' cyber incidents within four days of detection, and to include information about their cybersecurity strategies in their annual reports. BreachRX examined 71 8-K filings and 400 10-K filings; they 'found confusion and caution on whether and when to file and a general failure to provide enough information that could effectively protect companies from future SEC enforcement actions.'
Editor's Notes
- Slide 1 of 4
There was a lot of industry comment on the first draft of the SEC disclosure regulations that led to these results. After all those comments, being 'baffled' by the rules is a real stretch, especially since companies have for years been dealing with the long-standing definition of what is or is not a 'material event' which a Supreme Court decision loads with loopholes on usefulness, as this FASB guidance points out: 'The shorthand in the accounting and auditing literature for this analysis is that financial management and the auditor must consider both "quantitative" and "qualitative" factors in assessing an item's materiality.'
- Slide 2 of 4
Beyond reporting the minimum information required by the SEC, companies need to consider what best suits their customers, despite an SEC filing being slated towards their investors/owners, which could be opposing requirements. This could be a case where industry develops best practices rather than waiting on regulators so they can balance these needs. I am a fan of transparent honest disclosure versus rumor and speculation which can be at best distracting and at worst cost business.
- Slide 3 of 4
This shouldn't come as a surprise to anyone. Company legal teams have had time to fully digest the rule changes and come up with common language to describe cyber incidents and what, if any, effect it may have on the company. They tend to err on the side of 'less is more' when it comes to communicating cyber incidents.
- Slide 4 of 4
To this observer it appears that businesses are reporting defensively without a finding of materiality. This may tend to bury any useful signal in noise.
Slide 1 of 0- Slide 1 of 4
Photobucket Sued Over Sale of Images to Companies Training Generative AI Models
Photobucket is facing a class-action lawsuit that seeks to prevent the company from selling users' photographs to AI companies without first obtaining written consent. The complaint states 'The photos at issue, amounting to over 13 billion images, were entrusted to Photobucket over the course of almost two decades beginning in the early aughts - years before technologies like generative AI and biometrics existed outside of science fiction.' The litigation seeks to protect both people who uploaded photos to Photobucket as well as people in those photographs. The lawsuit seeks damages not only from Photobucket, but also from the unknown AI companies that purchased the data.
Editor's Notes
- Slide 1 of 4
This is another area where default opt-out is really needed but the US has consistently allowed industry to avoid that.
- Slide 2 of 4
It is past time for regulation to shift the balance of power to the subjects of PII. Courts should be more lenient in recognizing classes and imputing damages. The abuses are now both obvious and significantly damaging to the public good.
- Slide 3 of 4
The hard part about biometric data is that, unlike a password, you really can't change it if it gets released. Trends in the US and EU indicate there is increased focus, and corresponding lawsuits/fines, on protection of privacy data. As a user, make sure you understand the controls on your data when storing it online. If you're holding biometric data to include images, or obtaining the data from a third party, have a clear understanding of what the user has consented to. Don't become another example of case law.
- Slide 4 of 4
This lawsuit will be followed closely by many companies that have collected similar data over the years. Technology has changed dramatically in that time and it's doubtful the original user agreement included this use case. We'll see if the company's automatic change in terms will hold up in court. Yet another reason why this country needs a national data privacy law.
Slide 1 of 0- Slide 1 of 4
Microsoft Fixes MFA Bypass Vulnerability
Researchers at Oasis Security developed a way to bypass Microsoft multi-factor authentication (MFA) that could have been exploited to 'gain unauthorized access to the user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.' Oasis reported the issue to Microsoft in late June, and a temporary fix was released in early July. Microsoft released a permanent fix in early October.
Editor's Notes
- Slide 1 of 3
Many attackers still actively exploit rate-limiting API issues. The researchers found they could brute force the 6-digit TOTP by sending many requests. Even though Microsoft has fixed this, if you were in the Red Team space, I would highly recommend reading their article and writeup because generating the requests is somewhat of a neat trick.
- Slide 2 of 3
The time delay between successive prompts should be greater than the life of the OTP and, perhaps as suggested by Peter Capek, go up exponentially.
- Slide 3 of 3
This was a race condition. The TOTP guideline, RFC-6238, suggests codes be changed every 30 seconds, and it also suggests implementers allow a longer window to allow for time variances, delays/etc. In this case Microsoft had implemented a 3-minute window, and didn't have any rate limit throttling, which allowed a large number of possible codes to be sent. In 24 sessions (about 70 minutes) an attacker has better than a 50% chance of guessing the right code. While Microsoft has deployed a fix, you still need to make sure that the password you're using with your account is strong and not compromised, as the exploit requires having that password. Better still, implement stronger phishing-resistant options for MFA.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Cleo Patches Zero-Day RCE Flaw
A zero-day flaw in secure file transfer products managed by B2B software provider Cleo was observed under exploit in the wild by researchers since early December, and received a patch on December 11. Cleo serves "more than 4,200 customers from multiple industries such as logistics and transportation, manufacturing, and wholesale distribution ... Some recognizable names include Brother, New Balance, Duraflame, TaylorMade, Barilla America, and Mohawk Global." This new vulnerability, which "allows unrestricted file upload and downloads [and] leads to remote code execution," has a CVE designation pending, and its exploitation constitutes a bypass of Cleo's October patch for CVE-2024-50623, "an unauthenticated remote code execution (RCE) flaw in versions of Cleo Harmony, VLTrader, and LexiCom prior to 5.8.0.21." Researchers at Huntress observed over 1,700 affected servers, but estimate the actual number is likely much higher, affecting at least ten of Cleo's customers in the US and North America. The flaw and malware payloads involved are currently being analyzed by researchers. Cleo urges customers to upgrade to the patched release: Harmony, VLTrader, and LexiCom version 5.8.0.24, and "advises those who cannot immediately upgrade to disable the Autorun feature by going into the System Options and clearing out the Autorun directory (this will not block incoming attacks but will reduce the attack surface)."
Editor's Notes
- Slide 1 of 3
This is another file transfer application with critical vulnerabilities. Is this another MoveIT-style breach? If you are aware of any file transfer applications at the edge of your network, I recommend keeping these up to date and being observant.
- Slide 2 of 3
This flaw, bypassing the fix to CVE-2024-50623, allows an unauthenticated user to execute arbitrary bash or PowerShell commands on the host system, to include taking advantage of autorun configurations, is being actively exploited, likely by the Termite ransomware group and possibly others. It goes without saying that file transfer system weaknesses are blood in the water and have been successfully leveraged to exfiltrate data (MoveIT?). Apply the (new) updates post-haste, disable autorun on those systems and hand the IOCs to your threat hunters. Cleo has published scripts to help find the IOCs.
- Slide 3 of 3
Often in the rush to patch, developers miss the root cause with additional vulnerabilities being discovered. This is a good reminder for Dev teams to refocus on quality engineering as the key part of DevSecOps. For end-users, follow the guidance from the company.
Slide 1 of 0- Slide 1 of 3
Ivanti Intensifies Scanning, Finds and Patches CVSS 10.0 Flaw in CSA
In Ivanti's December Security Update on Tuesday, December 10, the company disclosed vulnerabilities affecting a handful of their products including three notably high and critical-severity flaws in the Cloud Service Application (CSA) in versions older than 5.0.3. CVE-2024-11639 is rated CVSS 10.0, and is "an authentication bypass in the admin web console ... allow[ing] a remote unauthenticated attacker to gain administrative access." CVE-2024-11772 is rated CVSS 9.1, and involves "command injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to achieve remote code execution." CVE-2024-11773 is also rated CVSS 9.1, and employs "SQL injection in the admin web console ... allow[ing] a remote authenticated attacker with admin privileges to run arbitrary SQL statements." These flaws are fixed in CSA 5.0.3. Ivanti has not observed any of the newly disclosed vulnerabilities being exploited. The update mentions that the company is ramping up "internal scanning, manual exploitation and testing capabilities," predicting "a natural and intended increase in disclosure."
Editor's Notes
Ivanti has been struggling to get their arms around maintaining the security of products with all the companies they've acquired of late Ñ it's good to see them increasing the focus on scanning these tools. Beyond applying updates as they are released (e.g., update to CSA 5.0.3 now), make sure that your management consoles are not exposed to the Internet, and better still, only allow approved connections to these services. Don't limit that approach to Ivanti services; management interfaces are a target, so don't make things any easier to attack than they need to be.
Apple Updates
Apple has released updates to address at least 46 vulnerabilities in iOS and iPadOS, macOS, watchOS, tvOS, visionOS, and Safari. Users are urged to update to iOS iPadOS 18.2; iPadOS 17.7.3; macOS Sequoia 15.2; macOS Sonoma 14.7.2; macOS Ventura 13.7.2; watchOS 11.2; tvOS 18.2; and visionOS 2.2.
Editor's Notes
While these numbers are starting to look like "patch Tuesday," Apple does not release updates on a schedule. Apple updates are rarely worse than the problems they address. Apple customers should enable automatic updates. (Settings>General>software update>Automatic updates>on)
Critical Flaw in Hunk Companion WordPress Plugin is Being Actively Exploited
Cyber attackers are exploiting a critical flaw in the Hunk Companion plugin for WordPress to install other plugins with known vulnerabilities. The issue, which 'allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository' was detected by WPScan, who reported their findings to Hunk Companion developers in late November. A fix was released on December 10. The flaw affects the Hunk Companion plugin prior to version 1.9.0.
Editor's Notes
- Slide 1 of 2
The flaw comes from the return from the unauthorized user detection, which doesn't properly deny these requests, returning a response rather than the required boolean or WP_Error, which then evaluates to true, allowing the requests to succeed. CVE-2024-11972, CVSS score 9.8, is fixed in veriosn 1.9.0. Make sure both the ThemeHunk theme and Hunk Companion plugin are updated: typically you'll have both and want to update them concurrently. Make sure your WP firewall is checking/blocking exploits of CVE-2024-11972.
- Slide 2 of 2
WordPress Plugins come with little provenance, support, or representations of quality. They should be used only by design and intent, never by default, and carefully managed when used.
Slide 1 of 0- Slide 1 of 2
Romanian Cyber Agency Guidance After Power Company Hit by Ransomware
A cyberattack disclosed by Romanian power supplier Electrica on December 9 has now been acknowledged as the work of LYNX ransomware. The Romanian National Directorate of Cybersecurity (DNSC) published an IoC advisory on December 11 confirming the statement from Electrica's CEO that critical systems remain unaffected and functional, also providing guidance for any energy sector systems affected by ransomware attacks. The text of the advisory includes a YARA script that the DNSC suggests energy providers use to scan for malware. Guidance includes a strong recommendation to never pay ransoms, as well as a list of mitigation measures: identify and isolate affected systems; keep on file any messages from attackers and any logs for analysis and examination; communicate promptly with employees, customers, and business partners; investigate decryption tools; sanitize and restore systems from a backup if possible; and ensure systems and applications are up to date.
Editor's Notes
While the Electrica attack is likely politically based, relating to the annulled election, this ransomware has been spotted elsewhere targeting electrical, education, healthcare and government systems. Beyond making sure that your control systems are segmented, updated, not internet accessible and use MFA, hunt for indicators of the Lynx and INC ransomware (Lynx is based on INC.) Make sure you're monitoring your OT/ICS networks for unexpected/unusual behavior; leveraging tools which understand these protocols and can passively discover can be illuminating.
Krispy Kreme Online Ordering Disrupted by Cyberattack
Krispy Kreme has been suffering an ongoing cyberattack discovered on November 29. The company's 8-K filing with the Securities and Exchange Commission (SEC) states that "unauthorized activity" and subsequent operational disruptions to online ordering are "reasonably likely to have a material impact on the Company's business operations." Stores remain open, and retail and restaurant deliveries are not affected. Krispy Kreme holds cybersecurity insurance, but only "a portion of the costs" may be covered during ongoing remediation, mitigation, and investigation by cybersecurity experts.
Editor's Notes
- Slide 1 of 2
One of the few companies in their 8-K filing that acknowledges a material impact on Company operations. Let's hope that they're forthcoming on details of the attack, so we all may learn.
- Slide 2 of 2
In today's climate, it's dangerous to assume your cyber insurance will cover an incident like this. It's a good time to sit down with your insurer and have a hard talk about what they will and will not cover, to include any changes you should have been implementing.
Slide 1 of 0- Slide 1 of 2