Watchtowr labs has published analysis of their discovery of "~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned." The researchers purchased the empty buckets for a total of $420.85 and received "more than 8 million HTTP requests over a 2 month period," including but not limited to requests for: software updates, "pre-compiled (unsigned!) Windows, Linux and macOS binaries," virtual machine images, JavaScript files, CloudFormation templates, and SSLVPN server configurations. The requests arrived from around the globe, including from government networks and agencies, military networks, Fortune 100 and 500 companies, major payment card networks and financial institutions, universities, casinos, and companies in the cybersecurity, software, and industrial product sectors, among others. The researchers emphasize the malicious potential of this position, positing that it "could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far," including SolarWinds. AWS has since worked with Watchtowr to sinkhole all the S3 buckets involved in the research, but "Amazon did not say why it doesn't ban the reuse of S3 bucket names, which is what watchTowr says would be the easiest way to fix the issue."
Imagine if you would, a software product with the update source hard coded, which gets decommissioned, then someone else comes along and re-registers that bucket and starts providing "enhanced" updates. Part of the problem is that S3 buckets are in a global namespace, so while permissions restrict access, any of us can create a specific bucket name if it is available. Watchtowr researchers have proposed AWS implement changes to prevent re-use of bucket names; whether or not that gets implemented, make sure that you're following current AWS S3 bucket best practices.
Congrats to Watchtowr for the excellent research and responsible reporting. This also serves as a great reminder for organizations to 'know their environment.' That means knowing and managing what hardware and software assets are on your network, including cloud resources. It's also the reason why the CIS Critical Security Controls have Controls 1 and 2. I would include Control 3, Data Protection in this reminder. Finally, it's also an opportunity to discuss with your cloud service provider their processes for reuse of terminated infrastructure.
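One way to act on the "know your environment" point for the S3 story above is to inventory every bucket your code, templates and documentation refer to, then flag names that are not in your list of owned buckets. The following is an added example, not code from watchTowr, AWS or SANS; the file contents and bucket names are constructed, and the owned-bucket set is assumed to come from your own inventory (for instance the output of `aws s3api list-buckets` across your accounts).

```python
import re

# Bucket names are 3-63 characters: lowercase letters, digits, dots, hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
# Endpoint hosts: s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>...
_HOST = r"s3(?:[.-][a-z0-9-]+){0,2}\.amazonaws\.com"

PATTERNS = [
    re.compile(r"https?://" + _NAME + r"\." + _HOST, re.I),  # virtual-hosted style
    re.compile(r"https?://" + _HOST + r"/" + _NAME, re.I),   # path style
    re.compile(r"s3://" + _NAME, re.I),                      # s3:// URI
]


def find_bucket_refs(files):
    """Map bucket name -> sorted list of (path, line_no) where it is referenced.

    `files` maps a file path to its text content.
    """
    refs = {}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern in PATTERNS:
                for match in pattern.finditer(line):
                    bucket = match.group(1).lower()
                    refs.setdefault(bucket, set()).add((path, line_no))
    return {bucket: sorted(locs) for bucket, locs in refs.items()}


def unowned_refs(files, owned_buckets):
    """Return references to buckets that are absent from the owned inventory."""
    owned = {name.lower() for name in owned_buckets}
    found = find_bucket_refs(files)
    return {b: found[b] for b in sorted(found) if b not in owned}


# Constructed sample input: three files referencing four hypothetical buckets.
SAMPLE_FILES = {
    "updater/config.ini": (
        "[update]\n"
        "source = https://acme-app-updates.s3.amazonaws.com/stable/latest.json\n"
    ),
    "deploy/stack.yaml": (
        "TemplateURL: https://s3.us-east-1.amazonaws.com/acme-cfn-templates/vpc.yaml\n"
        "Artifacts: s3://acme-build-artifacts/release/\n"
    ),
    "docs/install.md": (
        "Download: https://acme-old-installers.s3-us-west-2.amazonaws.com/setup.exe\n"
    ),
}
# Constructed inventory: the buckets this organization still owns.
OWNED = {"acme-build-artifacts", "acme-cfn-templates"}

if __name__ == "__main__":
    for bucket, locations in unowned_refs(SAMPLE_FILES, OWNED).items():
        for path, line_no in locations:
            print(f"{bucket}: referenced at {path}:{line_no} but not in inventory")
```

A name missing from the inventory is not necessarily abandoned; it may belong to a vendor, in which case it is a third-party dependency to track and verify.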
The EU Artificial Intelligence Act, which entered into force on August 1, 2024, has reached the first of several deadlines for different elements of compliance. The Act defines a hierarchy of AI use cases, categorizing them by their potential for risk to human "health, safety, [and] fundamental rights ... including democracy, the rule of law and environmental protection," promoting transparency and endeavoring to "harmonise" regulation with innovation. This first six-month period enforces Chapter II, Article 5, prohibiting AI usage deemed to carry unacceptable risk. Unacceptable use cases include: creating "social scoring" profiles based on a person's behavior; manipulating decisions subliminally or deceptively; exploiting users' personal and circumstantial vulnerabilities; predicting crime based on appearance; inferring human characteristics based on biometrics; publicly collecting "real time" biometric data for law enforcement; inferring emotions from observation in schools and workplaces; and scraping images from cameras and online to create or add to facial recognition databases. Companies deploying prohibited AI in the EU may be fined the greater sum of €35 million or up to 7% of the prior fiscal year's revenue, regardless of where the company is headquartered.
A far reaching law by the European Union. With perhaps the exception of one or two, all the remaining use cases listed are highly subjective and difficult to prove or not. This law is a win for lawyers and likely to clog up the judicial system. Is that helpful to society?
The fundamental principle is that users, individuals or organizations, are responsible for any application of a tool and for all the properties and uses of the results. The more powerful the tool and sensitive the application, the greater the responsibility.
The EU, on Tuesday, published guidelines, which include practical examples and legal explanations, for developers to help them follow the law to avoid those penalties. While the guidelines are still draft, the information covers a broad range of topics needed to get your arms around the EU AI act, including where it does/doesn't apply, before the act is in full enforcement mode. The guidelines are here: https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
Microsoft has published a security update disclosing a CVSS 9.9 flaw in Azure AI Face service, now "fully mitigated" and requiring no action from users. The service's purpose is human facial recognition, and Microsoft's example use cases include verifying identity against an existing image; detecting "liveness," i.e., preventing spoofing by checking for a human user; aiding check-in processes with identity verification; and redacting faces in captured media to protect privacy. The vulnerability is described as an "Authentication bypass by spoofing in Azure AI Face Service [that] allows an authorized attacker to elevate privileges over a network," and Microsoft does not believe it has been exploited.
CVE-2025-21415, authentication bypass, CVSS score 9.9, has a relatively low attack complexity and a published POC. When they pushed that fix, they also pushed the fix for CVE-2025-21396, elevation of privilege flaw, CVSS score 7.5. Facial recognition authentication providers are working hard to detect both aliveness and deepfakes. This is a good time for an update from your service provider on how they are mitigating these risks.
Ransomware payments declined in 2024, according to data gathered by Chainalysis. In a section of their crime report focused on ransomware, Chainalysis found that ransomware payments totaled $814 million in 2024, a drop of 35 percent compared to the $1.25 billion recorded in 2023. The drop is even more precipitous when viewed in 6-month increments. Chainalysis attributes the decline in ransomware payments to an increase in international cooperation and law enforcement takedowns and disruptions of ransomware operations, as well as an increasing number of ransomware victims refusing to pay.
Yes, this is an exciting trend, but hold the celebrating, ransomware operators are already pivoting to more of an exfiltrate-and-pay model over an encrypt-and-pay approach, which is getting traction. Even so, there is no clear assurance the data is deleted after payment, and companies are factoring this in when refusing to pay. While this guidance is helpful when considering your ransomware response plan, don't lose focus on your cyber hygiene protections, monitoring, updating, strong authentication (MFA), and segmentation.
It makes sense that you would see a drop in ransomware payments because of law enforcement action. That said, the 2024 Recorded Future Annual Report (Cyber Threat Analysis) states "that ransomware activity remained consistent year over year, [but] the number of new ransomware groups increased." So, while law enforcement actions have had a positive effect in the short term, there still exists an active ransomware threat. The best defense remains maintaining an active secure configuration and patch management program.
Good news. Still, "a billion dollars here, a billion there, pretty soon adds up to real money."
Chainalysis
Wired
The Record
The Register
An investigation by The 74, a US educational news nonprofit, aims to reveal the legal and financial machinery behind late, absent, or misleading notices of data breaches in the education sector. When schools hire experts in the wake of cyberattacks, they often involve a growing industry of privacy attorneys, dubbed "breach coaches," who encourage tightly-controlled language and a restricted flow of information under attorney-client privilege in the name of exhaustive investigation and limiting schools' liability. The article offers cases in which legal intermediaries and limitations have prevented victims of school data theft from receiving accurate and timely information and support; have restricted or delayed the possible involvement of law enforcement; and have misled victims who later experienced identity fraud or extortion as a result of a breach. The comparative stakes of potential legal action from breach victims versus schools' liability for prompt, open, and/or legally compliant disclosure are a matter of contention between privacy attorneys and their critics, who claim the lawyers "overstate schools' actual exposure" and actually undermine security. Insurers, often associated with the privacy lawyers and hired vendors, may also be incentivizing ransomware attacks with coverage "all but guarantee[ing]" payment. Legal accountability under US state and federal law for ensuring student privacy and accurate breach reporting is inconsistent and seldom enforced.
The report goes into details on why the breach information may or may not be shared, and it's reminiscent of 15 years ago where revealing a company breach was virtually taboo for so many reasons. The best defense is to get yourself, and your children, set up with Identity/Credit Monitoring and restoration. More and more insurance and other benefits programs include this service, or allow you to add it inexpensively, leaving you with the challenge of selecting between the services you know and have rather than having to locate and trust a new provider. Make sure you understand how they protect your information and how it's disposed of if/when you terminate the service. Don't forget to keep your information updated once you do have a service in place.
On February 3, 2025, Grubhub disclosed a data breach that occurred via unauthorized access to an account belonging to a support services "third-party contractor," whose connection to Grubhub systems has now been removed. "Campus diners, as well as diners, merchants and drivers who interacted with [Grubhub's] customer care service" may have had data accessed, including name, email, phone number, and payment card type and the last four digits of the card number. Data not accessed include customer and merchant credentials, full card numbers or bank details, and Social Security or driver's license numbers. "Hashed passwords for certain legacy systems" were also accessed, prompting Grubhub to "proactively rotate" passwords. The company has also implemented improved monitoring and hired a cybersecurity firm to investigate.
Good response on GrubHub's part, not only clearly stating what was and was not accessed but also making sure to rotate any compromised credentials. While they also partnered with third party experts, and rotated credentials, they make no mention of implementing MFA or strengthening third-party access processes. Third-party access is easy to set and forget, and while enhanced monitoring is essential, making sure that connection is secure and meets your requirements for data protection, access control and incident reporting and response are also table stakes.
Bad but not as bad as it could have been. No timeline was given as to how long the evildoers had access to the system. It's a good reminder that when it comes to cybersecurity, third party providers are part of the security program. Processes should be in place to vet the company and manage access to company systems. Still, one can expect lawsuits to be filed for not maintaining a standard duty of care.
Veeam has published an advisory urging that users patch to fix a critical vulnerability in the Veeam Updater component, which would "[allow] an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions." The only product whose current release is affected is Veeam Backup for Salesforce, version 3.1 and older. Older versions of other products are also affected, and have been fixed as of Veeam Backup for Nutanix AHV, version 6 and higher; for AWS, version 8; for Microsoft Azure, version 7; for Google Cloud, version 6, and for Oracle Linux Virtualization Manager and Red Hat virtualization, versions 5 and higher.
Read the advisory CVE-2025-23114, remote code execution flaw, CVSS score 9.0, carefully. The flaw is fixed in all current versions but leads with it not being fixed in Veeam Backup for Salesforce, it's fixed in 7.9.0.1124. Irrespective, be sure you're running the current version everyplace and that updates are enabled, cross-checking the version on each platform; the different platforms have different version numbers.
Netgear has released firmware updates to address two critical vulnerabilities affecting several models of their WiFi routers and access points. The flaws affect Netgear Nighthawk Pro Gaming router models XR1000, XR1000v2, and XR500, and WiFi 6 access points models WAX206, WAX214v2, and WAX220. The vulnerabilities can reportedly be exploited to achieve remote code execution and authentication bypass without user interaction.
We rely upon these routers, in part, to hide our local devices from the Internet. Unfortunately, most of these routers will never be patched or replaced and many will end up in botnets. Patching is, at best, an inefficient way of achieving essential quality. In this case, it will not even be effective.
Netgear
CNET
Bleeping Computer
ZDNet
The Register
Security
Netgear
Police in Spain have arrested an 18-year-old individual in connection with dozens of cyberattacks that targeted both public and private entities, including Spanish universities, government and law enforcement agencies, as well as the United Nations' International Civil Aviation Organization, NATO, and the US military. The suspect is believed to have stolen data from the organizations and leaked the information on the dark web. Authorities have seized cryptocurrency and electronic equipment believed to be related to the attacks.
The attacker posted the attacks on the BreachForums hacking forum, attempting to sell or leak the data, often with the alias of Natohub, and while he used anonymizing technologies, authorities used assistance from the National Cryptographic Center of the National Intelligence Center, Europol and US Homeland Security Investigations to track him down. He faces up to 20 years in prison for his crimes under Spanish law. Following his arrest, BreachForums has permanently banned his account.
Another talented life squandered.
Policia
Security Week
Help Net Security
Bleeping Computer
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added 10 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The CVEs include a local file inclusion vulnerability and an OS command injection vulnerability affecting Paessler PRTG Network Monitor; an information disclosure vulnerability affecting Microsoft .NET Framework; an Apache OFBiz forced browsing vulnerability; a Linux Kernel out-of-bounds write vulnerability; and six others. All 10 flaws have mitigation due dates between February 25 and 27 for US Federal Civilian Executive Branch (FCEB) agencies.
The rate of change to the KEV, like the number of patches on a Tuesday, can be taken as a broad measure of software quality and the risk in our infrastructure.
Not a bad time to check the KEV to see what is being actively exploited and in your environment. The flaws include 7-Zip's Mark-of-the-Web bypass, Microsoft Outlook's improper input validation, and the Sophos XG firewall buffer overflow. With luck the response to all of these should be they are fixed or are scheduled. If you're not subscribed to CISA's mailing list, or otherwise monitoring these, today is a good day to fix that.
SC World
The Hacker News
Bleeping Computer
Bleeping Computer
Security Week
SANS Internet StormCast: Friday, February 7, 2025
https://isc.sans.edu/podcastdetail/9314
The Unbreakable Multi-Layer Anti-Debugging System
Xavier found a nice Python script that included what it calls the "Unbreakable Multi-Layer Anti-Debugging System". Leave it up to Xavier to tear it apart for you.
https://isc.sans.edu/diary/The+Unbreakable+MultiLayer+AntiDebugging+System/31658
Take my money: OCR crypto stealers in Google Play and App Store
Malware using OCR on screen shots was available not just via Google Play, but also the Apple App Store.
https://thehackernews.com/2025/02/sparkcat-malware-uses-ocr-to-extract.html
Threat Actors Still Leveraging Legit RMM Tool ScreenConnect
Unsurprisingly, threat actors still like to use legit remote admin tools, like ScreenConnect, as a command and control channel. Silent Push outlines the latest trends and IoCs they found.
https://www.silentpush.com/blog/screenconnect/
Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities
Java deserialization strikes again to allow arbitrary code execution. Cisco fixed this vulnerability and an authorization bypass issue in its Identity Services Engine.
F5 Update
F5 fixes an interesting authentication bypass problem affecting TLS client certificates.
https://my.f5.com/manage/s/article/K000149173
SANS Internet StormCast: Thursday, February 6, 2025
com- prefix domain phishing; Win 10 ESU pricing; Firewall CT Policy; Veeam and Netgear patches
https://isc.sans.edu/podcastdetail/9312
Phishing via com- prefix domains
Every day, attackers register a few hundred domain names starting with com-. These are used in phishing e-mails, such as "toll fee scams", to create more convincing phishing links.
https://isc.sans.edu/diary/Phishing+via+com+prefix+domains/31654
Microsoft Windows 10 Extended Security Updates
Microsoft released pricing and additional details for the Windows 10 extended security updates. Security updates will be available for $61 for the first year after official free updates stop.
https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates
Mozilla Enforcing Certificate Transparency
Mozilla is following the lead of other browsers and will require certificates to include a signed certificate timestamp as proof of compliance with certificate transparency requirements.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA/m/Q4c89XG-EAAJ
https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies
Veeam Update
Veeam's internal backup process may be used to execute arbitrary code by an attacker with a machine in the middle position.
Netgear Unauthenticated RCE
SANS Internet StormCast: Wednesday, February 5, 2025
Feed Updates and Rosti; Resurrecting Dead S3 Buckets; Let's Encrypt Changes; Edge Device Security
https://isc.sans.edu/podcastdetail/9310
Some Updates to Our Data Feeds
We made some updates to the documentation for our data feeds, and added the neat Rosti Feed to our list as well as to our ipinfo page.
https://isc.sans.edu/diary/Some+updates+to+our+data+feeds/31650
8 Million Requests Later We Made the SolarWinds Supply Chain Attack Look Amateur
While the title is a bit of watchTowr hyperbole, the problem of resurrecting dead S3 buckets back to life is real and needs to be addressed. Boring solutions will help you avoid becoming an exciting headline.
Let's Encrypt Ending Expiration Emails
Let's Encrypt will no longer send emails for expiring certificates. They suggest other free services to send these emails for you.
https://letsencrypt.org/2025/01/22/ending-expiration-emails/
Guidance and Strategies to Protect Network Edge Devices
CISA and other agencies created a guidance document outlining how to protect edge devices like firewalls, VPN concentrators and other similar devices.
https://www.cisa.gov/resources-tools/resources/guidance-and-strategies-protect-network-edge-devices