SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
US Legislators Want CLOUD Act Reform, Protected E2EE
In a February 13 missive, US Senator Ron Wyden (D-Ore.) and Representative Andy Biggs (R-Ariz.) urged Director of National Intelligence Tulsi Gabbard “to act decisively to protect the security of Americans' communications.” In light of the UK's Technical Capability Notice (TCN) demanding access to Apple's end-to-end-encrypted (E2EE) user data, reportedly served in January 2025, the legislators stressed the risk to American citizens' and government agencies' data from an encryption backdoor, citing the 2024 Salt Typhoon breach of US wiretaps as an example of surveillance backdoors' inevitable compromise and exploitation. The lawmakers asked Gabbard to reconsider and restrict US-UK intelligence sharing and cybersecurity programs if the demand is not reversed. The missive also requests "unclassified answers" to questions about the Trump administration's awareness of the TCN, and its understanding of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, specifically regarding "an exception to gag orders" and "obligation to inform Congress and the American public about foreign government demands for U.S. companies to weaken the security of their products." On February 14, Sen. Wyden released a draft bill aimed at reforming the CLOUD Act with measures to limit agreement terms, shift challenge and approval power toward US legislators and judiciary, and "Prevent foreign governments from using the CLOUD Act to require U.S. providers to adopt specific designs for products, reduce the security of a product, or deliver malware to a customer."
Editor's Notes
- Slide 1 of 7
Quoting Senator Wyden and Representative Briggs: "After years of senior U.S. government officials — from both Republican and Democratic Administrations — pushing for weaker encryption and surveillance backdoors, it seems that the U.S. government has finally come around to a position we have long argued: strong end-to-end encryption protects national security." Common sense and past experience certainly backs this, but every incoming administration gets lobbied immediately by intelligence agencies about the need for back doors, and overall data security has suffered.
- Slide 2 of 7
If Salt Typhoon has taught us anything, it's that weakening the security of communication provides opportunities for abuse. I understand the desire for warranted government access to conversations, but the US Congress is concerned by the price of intended access.
- Slide 3 of 7
It is nice to see our elected officials understand the issues with backdoors such as the UK requested. This move would add the US Government as an ally when pushing back against such requests, hopefully enabling providers to negotiate from a position of strength if not law. While this is getting attention, make sure you’re enabling available encryption, particularly on mobile devices, and make sure you’ve tested you are both using best practices and don’t have any gaps.
- Slide 4 of 7
The proposed bill highlights that in today's highly connected and digital world, security cannot be selectively compromised for one party without endangering all users. Either a service is secure or it is not, there is no middle ground.
- Slide 5 of 7
A bit surprising the speed and directness in the Congressional response to the UK TCN. AAPL has a card to play but it can’t stop the far-reaching effect of the TCN. What pressure, if any, the current administration applies will be interesting to watch in the coming days/weeks.
- Slide 6 of 7
The so-called Five Eyes have historically been allied in their opposition to private communications among their citizens. Salt Typhoon has taught the US a harsh lesson: "If allies are strong with power to protect me, might they not protect me out of all I own?"
- Slide 7 of 7
Oh interesting, an actual law that I can maybe get behind. I need to read the legalese a little more to really understand it.
Slide 1 of 0- Slide 1 of 7
Microsoft 365 Accounts Phished Using Device Codes
Microsoft has published a notice of their discovery that a threat actor tracked as Storm-2372, thought to be linked to Russia, has been targeting "government[s], non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East" with phishing lures that lead to exploitation of device code flow to capture users' authentication tokens. Device codes allow a user to authenticate a device using a code displayed on that device, usually entering it on a separate authorized smartphone, tablet, or computer. After posing as a "prominent person relevant to the target" via WhatsApp, Signal, or Microsoft Teams, the attacker requests a legitimate Microsoft device code and sends it in a counterfeit Teams meeting request to the target, tricking the target into authenticating that code with their Microsoft credentials in a legitimate login page. The threat actor then uses the compromised account to send additional phishing messages. Microsoft recommends several mitigations: "Only allow device code flow where necessary," ensure users are aware of phishing techniques, revoke refresh tokens if phishing activity is identified, and "implement a sign-in risk policy." They also recommend phishing-resistant MFA, centralization of identity management, and practicing credential hygiene.
Editor's Notes
- Slide 1 of 5
Something we covered in the Cloud Penetration Testing course I author is how OIDC systems work. Device Code Phishing is a thing; it’s likely a Just in Time Phishing attempt that would be nasty. The device code for something like the Azure CLI is only suitable for 10 minutes. Based on the screenshots, the phishing lures send you to some Microsoft services that support device code but are not the Azure CLI, as the messages do not indicate what is being used.
- Slide 2 of 5
Part of my full-time job is tracking social engineering attacks like this, and explaining these attacks in a simple-to-understand format so people can easily detect and stop them. I’ll be honest, I’m finding my job getting harder and harder. Attacks are getting far more sophisticated not only at a technology level but also at the human level; the emotional triggers and stories are extremely well thought out. This is why I try to stay away from the technical indicators of social engineering attacks and focus on the most common context indicators, such as tremendous sense of urgency, something too good to be true, pressure to ignore company processes, etc. One of the biggest challenges we face trying to secure the human is making security simple.
- Slide 3 of 5
This is another example of how OAuth fails users. OAUTH may be a great technical design, but it fails at usability. There appears to be, however, no overlap between security experts who understand cryptography well and those who understand users. Users do not understand what they exactly agree on. Some competence-free administrators attempt to compensate by asking for frequent logins, which sometimes worsens things as it leads to even more careless authentication and authentication fatigue.
- Slide 4 of 5
Social Engineering, meet technology. The average user isn’t going to understand this weakness, but they will understand never giving their one time code to anyone. The long term solution is to implement phishing resistant MFA, which significantly reduces the influenced behavior based bypass option.
- Slide 5 of 5
As more and more organisations adopt MFA, criminals in turn will improve their techniques to bypass it. So, while MFA is now table stakes for protecting online systems, you do need to regularly review its effectiveness to stay ahead of evolving threats.
Slide 1 of 0- Slide 1 of 5
Known PAN-OS Flaw is Being Actively Exploited
Attempts to exploit a high-severity vulnerability in Palo Alto Networks’ PAN-OS management interface are on the rise just hours after the authentication bypass issue (CVE-2025-0108) was disclosed. Palo Alto Networks disclosed the vulnerability and released the updates on Wednesday, February 12; active exploitation of the flaw was detected the next day. CVE-2025-0108 was detected by researchers at AssetNote while they were looking into patches for older PAN-OS vulnerabilities. Palo Alto Networks is urging users running PAN-OS 11.0 to upgrade to a more recent version as PAN-OS 11.0 reached end-of-life in November 2024.
Editor's Notes
- Slide 1 of 5
This PAN-OS flaw is rooted in the chaining of different HTTP proxies, and these proxies interpret headers and paths slightly differently. Try avoiding that. I am not sure why PAN considered this solution, but complexity hardly ever helps with security.
- Slide 2 of 5
The fact that individuals expose the management interfaces to the internet is a significant issue. This, however, does not mean do not patch; that is table stakes. Once you have it globally exposed to all your internal devices, you don’t have direct access from unknown sources on the internet, but it’s still an exposure. Harden your control planes. Should your phones be able to touch the management interfaces of the firewall?
- Slide 3 of 5
This is one of the quickest turnarounds from vulnerability to active exploitation in recent memory – 24 hours. It says three things: 1) Edge devices continue to be a high value target; 2) The skills needed to exploit are modest; and 3) Attackers are hungry for quick wins. Bottom line, patch the vulnerability; the attacker clock is running.
- Slide 4 of 5
Verify you’re no longer running PAN-OS 11, which may mean some lifecycle upgrades are in order, then cross check the update process. If you are leveraging HA, make sure you’ve tested the failover to know how it behaves.
- Slide 5 of 5
Giving some people timely information about vulnerabilities to patch without giving others information about vulnerabilities to exploit has proven to be difficult.
Slide 1 of 0- Slide 1 of 5
The Rest of the Week's News
XCSSET macOS Malware Variant
Researchers from Microsoft Threat Intelligence have discovered a new variant of the XCSSET macOS malware being used in limited attacks. The researchers say the variant contains “enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.” The malware spreads through Xcode projects. XCSSET was first documented in August 2020 by researchers at Trend Micro. Microsoft writes that “users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.”
Editor's Notes
- Slide 1 of 3
XCSSET has an exciting target — Xcode — which means developers. This would be considered a supply chain attack. Here is the more significant thing: MacOS is a target in many technology shops. I wonder why we don’t see more of this. Maybe it’s just the legacy of understanding how Windows works and all the work that has gone into it.
- Slide 2 of 3
What’s most interesting is the ingenuity of the attacker to seed infected Xcode projects in open source. That shows understanding that developers will use what’s available to them, in effect hastening the spread of the malware. As far as inspecting the Xcode, that’s difficult as its not easily readable.
- Slide 3 of 3
The new variant of XCSSET has enhanced obfuscation techniques, and creates a fake version of launchpad and replaces the dock entry point, causing the malware and legitimate launchpad to execute every time it’s accessed from the dock. The best mitigation is to verify your Xcode projects.
Slide 1 of 0- Slide 1 of 3
Known SonicWall Vulnerability is Being Targeted Following Release of PoC Code
Researchers from Arctic Wolf have observed active attempts to exploit a high-severity authentication bypass vulnerability in SonicOS SSLVPN authentication mechanism; SonicOS is the SonicWall firewall operating system. The vulnerability (CVE-2024-53704) was disclosed in January, at which time SonicWall released updates to address the issue. The exploitation attempts follow the disclosure of technical details and proof-of-concept (PoC) code for CVE-2024-53704 published by Bishop Fox earlier this month. SonicWall has updated their advisory to note the public availability of the PoC and to add indicators of compromise for CVE-2024-53704.
Editor's Notes
Another Month, Another VPN Vulnerability Being Exploited. This time, it’s SonicWall. People forget about this device and how prevalent it is. Specifically, either in heavily Dell shops or MSPs/MSSPs.
Dutch Authorities Seize Zservers Bulletproof Hosting Servers
Police in the Netherlands seized 127 servers affiliated with the Zservers bulletproof hosting service. The action follows the announcement of sanctions against Zservers and two of its Russian operators brought by Australia, the UK, and the US. Zservers, like other so-called bulletproof hosting services, offered services that criminals find appealing, including shielded identities and anonymous payment with virtual currency. Zserver customers included the LockBit and Conti cybercrime groups. The seized servers have been taken offline and are being analyzed by Dutch authorities.
Editor's Notes
- Slide 1 of 2
A lot of Russian companies operate infrastructure in the Netherlands; that appears to be changing. While the sanctions and action by Dutch police will have a short-term impact on criminal activities, the hosting service remains active in Russia and other front companies will pop up soon.
- Slide 2 of 2
Well done to all involved in this operation. No doubt that the seizure of various servers by law enforcement will lead to more intelligence data which in turn will hopefully lead to the arrests of those behind ransomware attacks.
Slide 1 of 0- Slide 1 of 2
Italian Privacy Agency Warns Unlawful Spyware Use Will Result in Fines
Italy’s Data Protection Agency has published a warning against the use of spyware, which when employed in ways “outside the uses permitted by law, violate the Privacy Code and may result in the application of an administrative fine of up to 20 million euros or 4% of the turnover.” The warning mentions one such products by name: Graphite, made by Paragon Solutions. Graphite was reportedly used to compromise WhatsApp accounts of 90 journalists and other individuals in a number of countries, including Italy. Recorded Future spoke with Francesco Cancellato, an Italian journalist whose phone was infected with Paragon Solutions spyware.
Editor's Notes
- Slide 1 of 2
One finds it difficult to conceive of any legitimate use of spyware that does not involve a judge or other magistrate.
- Slide 2 of 2
The intent is to put guardrails around the use of spyware. While well intended, I’m not sure those illegally using spyware are going to heed the restrictions.
Slide 1 of 0- Slide 1 of 2
DeepSeek Faces More Scrutiny Over Privacy Practices
Downloads of DeepSeek apps in South Korea have been temporarily suspended while the Chinese company works with South Korean authorities to determine whether DeepSeek is in compliance with the country’s data protection rules. While the web version of the AI chatbot remains available, South Korea’s Personal Information Protection Commission (PIPC) urges people not to share personal information in the app. In a separate story, the Texas state Attorney General has launched an investigation into DeepSeek’s privacy practices.
Editor's Notes
- Slide 1 of 3
We have long known that complexity obscures, that it is the enemy of security. LLMs are so complex by design that they even obscure their own workings.
- Slide 2 of 3
While it is important to research AI offerings to see how they can be used to your advantage as well as discover possible risks, make sure you’re clear on where and how your data, prompt, payment, etc., is stored and protected. Make sure risks are accepted at an appropriate level before storing any sensitive information. If you’re going to experiment with DeepSeek, use a local copy.
- Slide 3 of 3
Don’t use DeepSeek Apps?
Slide 1 of 0- Slide 1 of 3
Virginia Attorney General’s Office Suffers Cyberattack
On Wednesday, February 12, the office of Virginia Attorney General Jason S. Miyares shut down its computer systems and moved to working on paper after suffering a cyberattack. Office employees received an email that night from Chief Deputy Attorney General Steven Popps, disclosing the attack and informing them that email, VPN, internet access, and the office's website were offline. The Virginia State Police, the FBI, and the Virginia Information Technologies Agency have been notified and are investigating. No other details about the attack have been disclosed.
Editor's Notes
The AG website appears to be back online and makes no obvious mention of the incident. With impacted service, transparency is your ally: giving users and customers direction, and alleviating fears with current, accurate information. Plan your communication well before you need it, then review and update that plan regularly.
Internet Storm Center Tech Corner
SANS Internet StormCast Tuesday, February 18, 2025
Securing the Edge; PostgreSQL Exploit; Ivanti Exploit; WinZip Vulnerability; Xerox Patch
https://isc.sans.edu/podcastdetail/9328
My Very Personal Guidance and Strategies to Protect Network Edge Devices
A quick summary to help you secure edge devices. This may be a bit opinionated, but these are the strategies that I find work and are actionable.
PostgreSQL SQL Injection
A followup to yesterday's segment about the PostgreSQL vulnerability. Rapid7 released a Metasploit module to exploit the vulnerability.
https://github.com/rapid7/metasploit-framework/pull/19877
Ivanti Connect Secure Exploited
The Japanese CERT observed exploitation of January's Connect Secure vulnerability
https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html
WinZip Vulnerability
WinZip patched a buffer overflow vulnerability that may be triggered by malicious 7Z files
https://www.zerodayinitiative.com/advisories/ZDI-25-047/
Xerox Printer Patch
Xerox patched two vulnerabilities in its enterprise multifunction printers that may be exploited for lateral movement.
SANS Internet StormCast Monday, February 17, 2025
Fake BSOD; Volatile IPs; PostgreSQL libpq SQL Injection; OAUTH Phishing
https://isc.sans.edu/podcastdetail/9326
Fake BSOD Delivered by Malicious Python Script
Xavier found an odd malicious Python script that displays a blue screen of death to users. The purpose isn't quite clear. It could be a teach support scam tricking users into calling the 800 number displayed, or a simple anti-reversing trick
https://isc.sans.edu/diary/Fake+BSOD+Delivered+by+Malicious+Python+Script/31686
The Danger of IP Volatility
Accounting for IP addresses is important, and if not done properly, may lead to resources being exposed after IP addresses are released.
https://isc.sans.edu/diary/The+Danger+of+IP+Volatility/31688
PostgreSQL SQL Injection
Functions in PostgreSQL's libpq do not properly escape parameters which may lead to SQL injection issues if the functions are used to create input for pqsql.
https://www.postgresql.org/support/security/CVE-2025-1094/
Multiple Russian Threat Actors Targeting Microsoft Device Code Auth
The OAUTH device code flow is used to attach devices with limited input capability to a user's account. However, this can be abused via phishing attacks.