SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Known PHP Vulnerability is Being Exploited in Targeted Attacks
There is a critical OS command injection vulnerability (CVE-2024-4577) in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 that can be exploited to achieve remote code execution. Researchers from Cisco Talos have detected a campaign exploiting this vulnerability, ongoing since at least January of this year, targeting organizations in Japan. The Talos researchers note that 'the attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for-post exploitation activities.' Researchers from GreyNoise now 'confirm that exploitation of CVE-2024-4577 extends far beyond initial reports.' There are nearly 80 known exploits for the vulnerability; a patch was made available last year.
Editor's Notes
- Slide 1 of 2
We have seen this exploited at least since last June in our ISC honeypots. Attackers exploiting it now are a bit late to the party, mopping up systems that the simpler automated attacks may have missed.
- Slide 2 of 2
This is a doozy because it requires some history. First, the exploit was originally patched in 2012; CVE-2012-1823. Secondly, this was found by Orange Tsai of the Devcore team in 2024. The vulnerability is very 'edge case,' which is why we see the attacks in specific countries. There is a feature of Windows that I knew about in Linux but was unaware of its name, which Windows refers to as 'Best-Fit.' The idea is that UTF characters can be upgraded or downgraded to fit different UTF versions. Because of 'Best-Fit' in Windows, there is a workaround to the 2012 patch by using different language sets, of which Traditional Chinese, Simplified Chinese, and Japanese are known to be vulnerable. If you have systems implemented in these languages, are running Windows as the OS, have a vulnerable version of PHP, and are running PHP-CGI, then you are vulnerable. What is surprising is that in Japan specifically, many systems have been impacted. Who knew?
Slide 1 of 0- Slide 1 of 2
Unauthorized Instances of Cobalt Strike Down 80 Percent Over Two Years
Cobalt Strike is a legitimate offensive security tool that has been used by threat actors to conduct malicious activity. Fortra, which purchased Cobalt Strike in 2020, notes in a recent blog post that 'over the past two years, the number of unauthorized copies of Cobalt Strike observed in the wild has decreased by 80%.' The decline is being attributed to a collaborative effort between Fortra, Microsoft's Digital Crimes Unit (DCU), and the Health Information Sharing and Analysis Center (Health-ISAC). In March 2023, the three entities obtained a court order allowing them to take down the 'malicious infrastructure' used by threat actors exploiting Cobalt Strike for malicious purposes.
Editor's Notes
- Slide 1 of 4
At least part of the decline should be attributed to the emergence of different tools that offer an alternative to Cobalt Strike.
- Slide 2 of 4
On the surface, this would seem like a win. I will, however, state a few things lost in the article here. First, it doesn't analyze whether the attacker groups have moved to a different C2 infrastructure since the EDRs are tuned to shut down Cobalt Strike. The attacker groups could have moved to an alternative C2, of which there are many now, or their tooling. Second, this is just 'known pirated CS.Ó What about unknown pirated CS? The other interesting thing to note is the three groups involved: Fortra (the makers of Cobalt Strike) Microsoft, and the HS-ISAC. I would suppose it is because of all the ransomware being deployed. What about the other ISACs? A win is always a win; however, I'm not sure what to make of this and how big of a win this is.
- Slide 3 of 4
This could be a feel good news story as a community, but won't save you as a target. Preventing/Detecting/responding to the use of Cobalt Strike and other tools like it should be the priority, between endpoint and network telemetry and detections, it's non-trivial but can be done.
- Slide 4 of 4
Kudos to everyone involved. The key is obtaining a court order and working with ISPs to take the infrastructure offline. Microsoft's DCU is increasingly acting as a Cyber Health Organization. Keep up the good work!
Slide 1 of 0- Slide 1 of 4
The Rest of the Week's News
Swiss Critical Infrastructure Operators Will Have 24 Hours to Report Cyberattacks
Critical infrastructure operators in Switzerland will soon be required to report cyberattacks within 24 hours. The mandate, which comes in the form of an amendment to the country's Information Security Act, will take effect on April 1, 2025. Covered organizations will be required to report cyberattacks to Switzerland's National Cybersecurity Centre (NCSC) when 'the functionality of the affected critical infrastructure is endangered; [the incident] has resulted in manipulation or leakage of information remained undetected for a long period of time, especially if there are indications that it was carried out in preparation for further cyberattacks, or involves blackmail, threats or coercion.' Following a six-month grace period, organizations failing to comply with the requirement will face fines of up to CHF 100,000 ($113,500).
Editor's Notes
- Slide 1 of 3
24 hours seems a bit short. Recall the response when India put in a similar restrictive timeframe. 48 or 72 hours allows for more analysis and a more organized report.
- Slide 2 of 3
Given that time to detection of breaches (except for extortion attacks) is measured in weeks to months, the urgency should be on detection rather than reporting.
- Slide 3 of 3
Re the Swiss reporting requirements, they are similar to those under the EU NIS2 (Network Information Security Directive). Under NIS2 regulated entities must notify their regulator within 24 hours of being aware of a significant incident. Note this is a notification and not a full report. An additional report with more details is required with 72 hours. A full report should be given one month after the incident (note this can be extended if required and agreed with the regulator). The regulator can also request updates as required.
Slide 1 of 0- Slide 1 of 3
High Severity Vulnerabilities in ICONICS and Mitsubishi SCADA Systems
Last year, researchers from Palo Alto Networks Unit 42 identified five high-severity vulnerabilities affecting Mitsubishi Electric and ICONICS Suite Supervisory Control and Data Acquisition (SCADA) system. The flaws could be exploited to attain elevated privileges, create denial-of-service (DoS) conditions, and in certain cases, completely compromise unpatched systems. Unit 42 notified ICONICS of their findings and ICONICS released patches, advisories, and workarounds to address the issues.
Editor's Notes
A good news story on how responsible vulnerability disclosure can work. The only missing piece is monitoring for exploitation whilst the patch is being developed, distributed, and implemented by affected organizations.
FBI Warning: Ransomware by Snail Mail
The US Federal Bureau of Investigation's (FBI's) Internet Crime Complaint Center (IC3) has published an alert warning that threat actors have been sending letters to C-suite executives, claiming that the targeted organization's network has been infiltrated by ransomware actors. The letters claim the threat actors have stolen data and threaten to publish the information unless a ransom is paid.
Editor's Notes
- Slide 1 of 3
Snail mail, USB/CD, email, browser, phone (SMS/call) are all vectors through which social engineering can happen. Be skeptical about any gifts, winnings, punishments and deadlines creating urgency and fear of loss.
- Slide 2 of 3
Do people still read physical mail? I just wanted to get this straight: a ransom note for ransomware is being sent out. Does it have the letters cut out like in the movies?
- Slide 3 of 3
Fast or slow, it is the content of the message that counts.
Slide 1 of 0- Slide 1 of 3
Recently Reported Healthcare Breaches Affect More Than Half a Million People
Four recently-disclosed breaches affecting healthcare organizations affect amore than 560,000 individuals in total. Kansas-based Sunflower Medical Group became aware of anomalous activity on its network in early January; an investigation revealed that intruders had had access to Sunflower's systems since mid-December 2024. According to a filing with Maine's Attorney General, the breach affects nearly 221,000 people. Gastroenterology Associates of Central Florida reported a breach affecting more than 122,000 people; Community Care Alliance in Rhode Island reported a breach affecting nearly 115,000 people; and Hillcrest Convalescent Center in North Carolina reported a breach affecting just over 106,000 people.
Editor's Notes
- Slide 1 of 2
While unfortunate, the breaches serve as a reminder for organizations to regularly review their data retention policies. If you don't have a business requirement to maintain social security numbers and driver's license numbers, then don't.
- Slide 2 of 2
How does a company that technically cannot have a bank account purchase IT equipment and secure systems? Do security vendors take suitcases full of cash? How does all this work?
Slide 1 of 0- Slide 1 of 2
Former Employee Sabotaged Company Systems
A US federal jury has convicted Davis Lu on the charge of causing intentional damage to protected computers, for sabotaging systems at his former place of employment. Lu worked as a software developer for an Ohio company from November 2007 until October 2019. 'Following a 2018 corporate realignment that reduced his responsibilities and system access, Lu began sabotaging his employer's systems, creat[ing] 'infinite loops' (in this case, code designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs), deleted coworker profile files, and implemented a 'kill switch' that would lock out all users if his credentials in the company's active directory were disabled.' The charge carries a maximum prison sentence of 10 years.
Editor's Notes
- Slide 1 of 3
Eaton is a big company ($20+B revenue in 2024) and apparently has big problems with managing permissions and testing software for vulnerabilities and errors before pushing out to production. Good to see the perpetrator punished, but if I was an Eaton board member I'd want to see a long list of changes to prevent this from happening again. Something more like Eaton's Zero Incident Safety Program for physical safety.
- Slide 2 of 3
Unfortunately this sort of attack continues to be a thing. It can take two forms: the first, a person being removed from the company and access not immediately revoked; the second, the person still employed becoming embittered and lashing out. The first is solvable via process; the second requires focusing on the signs of mental health and is far harder to prevent. This is even more difficult as leaders are increasingly managing a remote workforce.
- Slide 3 of 3
Happy, well-adjusted employees do not come in and take the place apart. Disaffection grows over time. When the damage comes to light, few are surprised by who did it. Note the signs and take timely action.
Slide 1 of 0- Slide 1 of 3
City of Mission, Texas Cyberattack Results in State of Emergency
The city of Mission, Texas has asked the governor to declare a state of emergency following a cyberattack that compromised city government computer systems. According to a letter from Mission Mayor Norie Gonzalez Garza to Texas Governor Greg Abbott, the incident 'could release protected personal information, protected health information, civil and criminal records, and/or any and all other data held by the City of Mission and all departments within the City.' Mission city systems have been taken offline, but emergency services are reportedly operational.
Editor's Notes
Seems like the State of Texas has borne the brunt of cyber-attacks, mostly ransomware, over the last 18 months. It's probably time for the State to establish a minimum cybersecurity baseline and have all Texas municipalities be measured against it. While I know that municipalities want to keep their independence, they simply don't have the resources available to protect themselves. I would look to Implementation Group 1 of the CIS Critical Security Controls for that minimum baseline.