SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Signal Opposes Sweden's Proposed E2EE Backdoor
"We would leave the market before we would comply with something that would catastrophically undermine our ability to provide private communications ... We have a responsibility to provide technology that upholds human rights in an era where those rights are being infringed on in many, many corners," said Meredith Whittaker, president of the parent non-profit behind encrypted messaging service Signal, in an interview with Swedish publication SVT Nyheter. Whittaker's ultimatum is a response to a proposed bill in Swedish parliament that would require Signal and Meta's WhatsApp to "store chat data for up to two years and make it available to law enforcement officials upon request." The bill could go before the legislature as early as March 2026. SVT Nyheter also reports that Sweden's armed forces rely on Signal and have submitted a letter warning the government against the risks of weakening encrypted communication.
Editor's Notes
- Slide 1 of 4
Requests for encryption back doors are concerning on many levels, as the likelihood that such mechanisms would be restricted to specific use cases is nonexistent. The idea with E2EE is nobody, including the service providers, other than the recipient can access the content. While the Swedish legislation includes a 'where technically feasible' clause, it's not clear that will help in this case, and exiting this market may be Signal's best play.
- Slide 2 of 4
In the face of Salt Typhoon and other breaches, one must be naive to believe that access to such a capability can be restricted to legitimate law enforcement activity. It is not as though our infrastructure is not already sufficiently porous without nation states actively striving to make it more so. One's working assumption must be that nation states can already read any traffic that they want to but cannot read all the traffic that they want to. Therefore, one is led to infer that the intent goes to efficient, broad, secret, and warrantless surveillance.
- Slide 3 of 4
Dovetailing on last week's conversation with Backdoors in Encryption is not ideal. We haven't learned from CALEA and Lawful Intercept. Apple went away from the UK. The only recourse I see is Signal not allowing Swedish users. Interestingly, the Swedish military is asking their government not to do this. This is a patchwork of E2E hell, and I see more and more governments requesting the same thing happening more and more. What's inconvenient is when the actual 'Bad Guys (tm)' start to use their own E2E messaging systems that do not have any sovereign country to ask to open a backdoor.
- Slide 4 of 4
The right response from Signal. While the focus is on Signal and WhatsApp, the law might ensnare other E2EE applications like AAPL iMessage, FaceTime, and password managers. Let's see if the Swedish Riksdag blinks.
Slide 1 of 0- Slide 1 of 4
MITRE Caldera Critical Vulnerability
The MITRE Caldera team is urging users to download and install the most recent version of MITRE Caldera to address a critical OS command injection execution vulnerability that affects all versions of the scalable, automated adversary emulation platform. The vulnerability, which has been scored 10.0, 'can be triggered in most default configurations. The only preconditions for this vulnerability to be exploitable are the presence of Go, python and gcc on the system that the Caldera server is running on. Notably, all of these dependencies are required for Caldera to be fully-functional in the first place and on many distributions, gcc is a dependency of Go, meaning this vulnerability is extremely likely to be available to an attacker,' according to Dawid Kulikowski, who detected and reported the issue.
Editor's Notes
- Slide 1 of 3
I hope we see detailed Lessons Learned from Mitre on how a high risk Remote Code Execution error got into the production release of Caldera. Was it a failure of test tools, release/QA processes, other? Good guys using tools that can be remotely controlled by bad guys is obviously a worst case scenario - kinda like a gun that shoots bullets backwards.
- Slide 2 of 3
Given that the prerequisites for exploit are also needed to run Caldera, assume all your Caldera installations are targets. The command injection vulnerability lies in the Manx and Sandcat modules and is easy to exploit; POC has been released, so apply the update and make sure your Caldera instances are not exposed to the Internet.
- Slide 3 of 3
A CVSS score of 10 is serious business. That said, the impact of attack appears to be very limited. I mean, it's an emulation platform.
Slide 1 of 0- Slide 1 of 3
Cyberattack Causes Day of Shutdown for MD County Office
Maryland's Anne Arundel County has published an announcement informing residents and employees that due to a cyberattack that caused a day of shutdown on Monday, February 24, "some services may be limited" despite county buildings reopening the following day, and individual departments should be contacted with service inquiries. All essential employees and emergency employees must report in person as usual, but anyone eligible for telework is encouraged to work remotely to avoid possible internet connectivity issues. StateScoop quotes a previous revision of the announcement that specified MD officials had limited the office's internet access intentionally as a precaution, and the current page states that further updates are forthcoming.
Editor's Notes
- Slide 1 of 3
Not a lot of information out on this one yet, but it does highlight a key issue: while all the "return to work" edicts may reduce the number of employees working remotely, secure and reliable remote access will always be needed for the next incident, natural disaster, or pandemic. Don't let those remote access capabilities deteriorate and try for bi-annual "work at home" drills just like we have fire drills in office buildings.
- Slide 2 of 3
This a good use case for maintaining remote work capabilities. Even so, factor in impacts from down or isolated systems/networks. Also note the communication, which encourages telework, also provides guidance on reporting in, in this case at their usual times. Have that template ahead of time so you don't forget salient points in the heat of an incident.
- Slide 3 of 3
Suspect some form of ransomware attack. It appears that the county weathered the attack. Let this serve as a general reminder for organizations to segment and limit access to any OT networks they may manage.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
3.3 Million Affected by Data Breach at Employee Screening Company
DISA Global Solutions, "a third-party administrator of employment screening services, including drug and alcohol testing and background checks," has disclosed a data breach that took place between February 9 and April 22 in 2024. The breach affected 3.33 million people, according to a report filed February 21, 2025, with the Maine attorney general's office. A report filed with the Massachusetts Office of Consumer Affairs and Business Regulation indicates that the data accessed included social security numbers, financial accounts, driver's licenses, and credit/debit numbers, but not medical records. The notice on DISA's website states that in the attack, "an unauthorized third party accessed a limited portion of our environment ... and procured some information," leading the company to secure its network, notify law enforcement, restore its systems and operations, and implement additional security. DISA is not aware of "any attempted or actual misuse of any information." Affected individuals have been notified, and have been offered credit monitoring and identity restoration services through Experian. The Register indicates that wording of a now-removed statement suggested the company was responding to ransomware.
Editor's Notes
The repeated breaches of data brokers suggests that it is way past time that we regulate their very existence, but severe penalties for breaches would be a start.
Dragos 2025 OT/ICS Cybersecurity Report
In their 2025 OT/ICS Cybersecurity Report published earlier this week, Dragos notes a significant increase in ransomware attacks against industrial organizations and emergence of new threat groups targeting these organizations. New malware variants of ICS-specific malware were used against operational technology networks in 2024, and were used in the Russian-Ukrainian war to disrupt communications to gas, water, and sewage sensors, and to disrupt availability of heat for hundreds of apartment buildings. 'This year's report demonstrates two important trends,' said Robert M. Lee, co-founder and CEO of Dragos. 'That OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure.'
Editor's Notes
Dragos found that there was an 87% increase in ransomware attacks against industrial organizations, with 60% more ransomware gangs impacting OT/ICS systems, and discovered two new ICS specific malware variants used in the Ukraine-Russia war. ICS specific malware is rare. Typically botnets and existing malware are sufficient to disrupt these systems. Prior to the discovery of Fuxnet and FrostyGoop, there were only seven ICS malware strains in existence. This is also a reminder that in warfare, you need to protect these systems from both kinetic and logical attacks, with the added caution that logical attacks will try to exploit any remote access capability, not just sending an agent with a lethal thumb drive.
OpenSSF Open Source Project Security Baseline
The Open Source Security Foundation (OpenSSF) has announced the initial release of their Open Source Security Project Baseline (OSPS Baseline). 'The Open Source Project Security (OSPS) Baseline is a set of security criteria that projects should meet to demonstrate a strong security posture. The controls are organized by maturity level and category: Level 1: for any code or non-code project with any number of maintainers or users; Level 2: for any code project that has at least 2 maintainers and a small number of consistent users; and Level 3: for any code project that has a large number of consistent users.' Additionally, some of the controls map to external frameworks, including OpenSSF Best Practices Badge (BPB): 2024; NIST Cybersecurity Framework (CSF): 2.0; Cyber Resilience Act (CRA): 20.11.2024; Software Security Development Framework (SSDF): 1.1; ISO/IEC 18974 (OC): 1.0 - 2023-12; Open Cybersecurity Reference Architecture (OCRE): 2024; and Supply Chain Levels for Software Artifacts (SLSA): 1.0.
Editor's Notes
- Slide 1 of 2
This guidance is around the projects within the OpenSSL Project pipelines and includes how to protect the environment, the CI/CD, and so on. This is a good set of rules to try to prevent supply chain attacks, and if your company produces any software (and most do), I would read through this guidance and implement some of these requirements.
- Slide 2 of 2
This is targeted as actionable practical guidance to help developers improve project security posture. The maturity level categorization should help you create local guidance appropriate for your project and environment.
Slide 1 of 0- Slide 1 of 2
Claroty Team82 Takes a Deep Dive Into Windows CE
Researchers from Claroty's Team82 are looking into vulnerabilities in the Windows CE operating system, 'a legacy OS still prevalent in OT environments.' In the first of four planned blog posts on the subject, Claroty's Team82 describes how they developed a Windows CE app that is designed to help them understand the OS as they conduct their research. The researchers note that Windows CE 'is commonly found in industrial settings because of its ease of access. It's most often used in critical factory machinery, and is easily configurable and customizable, making it a great fit for HMI systems deployments.' Future blog posts will include information about CVEs found in the course of their research.
Editor's Notes
- Slide 1 of 2
Windows CE they say? Initially released in 1996, final release in 2023, itÕs still around - it is found in ICS / factory settings, you expected that, and also embedded in systems with easy to use interfaces such as public kiosks, vending machines, and some automobile infotainment systems. To create their app for Windows CE, they had to install Visual Studio 2005, and produce a project for Pocket PC 2003. Consider that a testament to the longevity of devices with embedded operating systems.
- Slide 2 of 2
Looks like the Claroty team is starting to dive into legacy Windows CE devices. Like everything that is very old, you must go through a ton of old documentation to make an application that compiles into Windows CE, which this blog post highlights. What someone can do with this roadmap is start to build applications that can inspect the operating system. These systems are still heavily used in OT environments, and you can expect them to be around for a long time.
Slide 1 of 0- Slide 1 of 2
Qualcomm Extends Android Support for Newer Phones
Earlier this week, Qualcomm announced that it is extending support for Android devices with Qualcomm chips for 'up to eight consecutive years of Android software and security updates.' Previously, the maximum duration of guaranteed support was four years. The new offer applies to 'Android smartphones running on the Snapdragon 8 Elite Mobile Platform [as well as] smartphones launching on new Snapdragon 8 and 7-series mobile platforms.' The decision to offer the extended update plan to customers will rest with the original equipment manufacturer (OEM).
Editor's Notes
Eight years of support, up from four, is a welcome change, but note it's for newer devices with the Snapdragon 8 Elite, like the Galaxy S25 and OnePlus 13; later this year the Snapdragon 7 & 8 will be supported. Note you need to be on Android 15. One additional caveat, the OEM has to support this lifecycle, so double check before assuming you'll have Android OS longevity support.
KEV Adds Flaws Impacting Adobe, Zimbra, Oracle, and Microsoft
The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical and two high-severity vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. CVE-2017-3066, CVSS score 9.8, allows arbitrary code execution through a deserialization flaw in the Apache BlazeDS library in Adobe ColdFusion. CVE-2023-34192, CVSS score 9.0, allows arbitrary code execution via a crafted script to the /h/autoSaveDraft function due to a cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CVE-2024-20953, CVSS score 8.8, allows an attacker with network access and low privileges to compromise a system via HTTP due to a deserialization vulnerability in Oracle Agile PLM. CVE-2024-49035, CVSS score 8.7, allows privilege escalation through an improper access control vulnerability in Microsoft Partner Center. The Microsoft privilege escalation CVE is the only one of the four to have been acknowledged in a public report, but no additional details of the attack were provided.
Editor's Notes
In case you missed it, the KEV now includes identification of vulnerabilities which are being used in ransomware campaigns. You'll need to update your Zimbra instance to 10.1.4 or 10.0.12 to have the fix for both CVE-2025-25064 and CVE-2025-25065.
Internet Storm Center Tech Corner
SANS Internet StormCast Friday, February 28, 2025
Njrat devtunnels.ms; Apple FindMe Abuse; XSS Exploited; @sans_edu Ben Powell EDR vs. Ransomware
https://isc.sans.edu/podcastdetail/9344
Njrat Campaign Using Microsoft dev Tunnels:
A recent version of the Njrat remote admin tool is taking advantage of Microsoft's developer tunnels (devtunnels.ms) as a command and control channel.
https://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724
NrootTag Apple FindMy Abuse
Malware could use a weakness in the keys used for Apple FindMy to abuse it to track victims. Updates were released with iOS 18.2, but to solve the issue the vast majority of Apple users must update.
360XSS: Mass Website Exploitation via Virtual Tour Framework
The Krpano VR library which is often used to implement 3D virtual tours on real estate websites, is currently being abused to inject spam messages. The XSS vulnerability could allow attackers to inject even more malicious JavaScript.
SANS.edu Research: Proof is in the Pudding: EDR Configuration Versus Ransomware. Benjamin Powell
https://www.sans.edu/cyber-research/proof-pudding-edr-configuration-versus-ransomware/
SANS Internet StormCast Thursday, February 27, 2025
High Exfil Ports; Malicious VS Code Theme; Developer Workstation Safety; NAKIVO PoC; OpenH264 and rsync vuln
https://isc.sans.edu/podcastdetail/9342
Attacker of Ephemeral Ports
Attackers often use ephemeral ports to reach out to download additional resources or exfiltrate data. This can be used, with care, to detect possible compromises.
Compromised Visal Studio Code Extension downloaded by Millions
Amit Assaraf identified a likely compromised Visual Studio Code theme that was installed by millions of potential victims. Amit did not disclose the exact malicious behaviour, but is asking for victims to contact them for details.
ByBit Theft Due to Compromised Developer Workstation
ByBit and Safe{Wallet} disclosed that the record breaking Ethereum theft was due to a compromised Safe{Wallet} developer workstation. A replaced JavaScript file targeted ByBit and altered a transaction signed by ByBit.
https://x.com/benbybit/status/1894768736084885929
https://x.com/safe/status/1894768522720350673
PoC for NAKIVO Backup Replication Vulnerability
This vulnerability allows the compromise of NAKIVO backup systems. The vulnerability was patched silently in November, and never disclosed by NAKIVO. Instead, WatchTowr now discloses details including a proof of concept exploit.
OpenH264 Vulnerability
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x
rsync vulnerability exploited
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://cybersecuritynews.com/rsync-vulnerabilities-full-control-servers/
SANS Internet StormCast Wednesday, February 26, 2025
M365 Infostealer Botnet; Mixing OpenID Keys; Malicious Medical Image Apps
https://isc.sans.edu/podcastdetail/9340
Massive Botnet Targets M365 with Password Spraying
A large botnet is targeting service accounts in M365 with credentials stolen by infostealer malware.
https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf
Mixing up Public and Private Keys in OpenID
The complex OpenID specification and the flexibility it supports enables careless administrators to publish private keys instead or in addition to public keys
Healthcare Malware Hunt Part 1:
Medial images are often encoded in the DICOM format, an image format unique to medical imaging. Patients looking for viewers for DICOM images are tricked into downloading malware.