SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
iOS and Android Will Soon Have E2EE RCS Messages
The Global System for Mobile Communications Association (GSMA) has announced that updated Rich Communication Services (RCS) protocol specifications will allow iPhones and Android phones to exchange messages protected by end-to-end encryption (E2EE). GSMA began working to enable this functionality last fall. While Apple had already added E2EE to their own messaging app, they only introduced RCS in an iOS 18 update in September.
Editor's Notes
- Slide 1 of 5
Another good step forward to 'E2EE' everywhere. Now, let's see if they get the user interface right and find ways to communicate to the user if a message was encrypted, digitally signed, or just sent 'plain.'
- Slide 2 of 5
This will be a great improvement as it would allow for a more secure messaging option over potentially compromised services. Google already uses E2EE for RCS messages between Android devices; Apple and Google will be rolling out the cross-platform feature in future OS updates. Once available, you'll need to enable RCS, which already improves the cross-platform messaging experience.
- Slide 3 of 5
Pervasive use of device-to-device encryption will resist pervasive bureaucratic surveillance; therefore we should all support it and use it. However, it will not resist highly targeted surveillance. It is not suitable for life and limb applications, where true end-to-end, i.e., person-to-person, encryption is indicated.
- Slide 4 of 5
This is essentially mobile operators and device manufacturers giving the finger to Government surveillance. While each device manufacturer already had their own proprietary E2EE implementation, it didn't protect cross-platform communication. Adhering to the updated RCS does. A win for security professionals, less so for Government.
- Slide 5 of 5
Hey Green Bubbles, you get Crypto, and you get Crypto, everyone gets Crypto. Although many more people have been using Signal anyway, or worse, Telegram.
Slide 1 of 0- Slide 1 of 5
As of March 28, Alexa Commands Will be Sent to the Cloud for Processing
On March 28, users who have chosen for their Amazon Alexa virtual assistant voice commands to be processed locally on their Echo devices will no longer have that option. Instead, all verbal Alexa commands will be sent to the cloud for processing. While the change has not yet been formally announced, Echo users received emails from Amazon, informing them, 'As we continue to expand Alexa's capabilities with generative AI features that rely on the processing power of Amazon's secure cloud, we have decided to no longer support this feature.' The voice commands will be sent to the cloud for processing and deleted once they have been executed.
Editor's Notes
- Slide 1 of 4
There are two kinds of 'AI companies': The companies that ignore privacy and intellectual property rights, and the companies that will fail. One of the critical pieces needed for any of these AI models is training data, and your customers are the easiest place to get it from.
- Slide 2 of 4
This is intended to both increase the range of commands supported and reduce the error rate, but I'm wondering about Gen AI hallucinations. While you're already considering the microphone mute when sensitive conversations happen near your digital assistant, you need to decide if the risk of processing commands remotely is acceptable, particularly for your workspace, including home office devices.
- Slide 3 of 4
In the current era of hybrid and remote working this is a real risk that organisations should consider. Indeed, during the COVID-19 pandemic the Irish Revenue service issued a warning to staff working from home to ensure they do not talk about citizens' tax details in proximity to smart speakers https://www.irishtimes.com/business/technology/revenue-tells-staff-not-to-discuss-confidential-matters-near-smart-speakers-1.4241279
- Slide 4 of 4
Seems like AMZ has determined they need more data in which to build their LLM and this is a convenient source; or it's simply a ploy to drive users to the subscription-based application. The question becomes, how much do you trust AMZ with your data?
Slide 1 of 0- Slide 1 of 4
UK Holds Closed IPT Hearing Amid Calls for Transparency
On March 14, 2025, the UK's Investigatory Powers Tribunal (IPT) held a six-hour closed hearing suggested to be Apple's appeal of a secret Technical Capability Notice (TCN) demanding a government backdoor in the company's end-to-end-encrypted (E2EE) Advanced Data Protection (ADP). Listed as "an application in private," the hearing was attended by Sir James Eadie, King's Counsel. UK-based civil rights groups Privacy International and Liberty legally challenged the TCN and applied to open the hearing, alongside ten major media organizations, but no outside parties were admitted. On March 13, a bipartisan group of US legislators wrote to the IPT requesting they "remove the cloak of secrecy," concurring with a simultaneous open letter from a coalition of civil advocacy groups stating that continued silence is no longer justifiable, that "lawful intercept" systems carry unacceptable risk, and that a closed hearing fails to serve the public interest. In recent months, France, Sweden, and India have also begun efforts to access citizens' encrypted data.
Editor's Notes
- Slide 1 of 4
There is something ironic about a secret hearing on removing encryption in the name of transparency for law enforcement. A larger question is, should a single government have the right to undermine protections used worldwide, particularly in light of carrier security concerns?
- Slide 2 of 4
All data privacy eyes will be on the UK, looking to see if the Government blinks. Unfortunately, since the meeting and ruling will be done in secret, no consequence for the members in how they vote. We'll know the outcome by the actions affected device and app manufacturers take.
- Slide 3 of 4
Not sure what the outcome will be for this closed-door meeting, but we will know at some point how this appeals process will go. The fact that there is little transparency has many groups worried.
- Slide 4 of 4
Star Chambers are an instrument of tyrants. If we tolerate them, Democracy is over. It is under threat in any case.
Slide 1 of 0- Slide 1 of 4
The Rest of the Week's News
Compromised GitHub Action Dumped CI/CD Secrets
On or before March 14, 2025, attackers added a malicious commit to the tj-actions/changed-files GitHub Action, causing the Runner Worker process to dump secrets associated with Continuous Integration and Continuous Deployment/Delivery (CI/CD) into projects' build logs, some of which were in publicly accessible repositories. CI/CD secrets known to be leaked include AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA Keys; no evidence of exfiltration of leaked secrets has been found, but tj-actions/changed-files is used in over 23,000 repositories. StepSecurity first detected the issue on March 14, and by 10:00PM UTC on March 15, GitHub had removed the changed repository and restored a fixed version. Maintainers state that tj-actions was compromised using a stolen PAT belonging to a bot with privileged access to the repository; the bot's credentials have now been changed and secured using a passkey. Wiz Threat Research has observed leaks from repositories belonging to "large enterprise organizations," and recommends ceasing use of tj-actions/changed-files and removing all references to it; downloading and deleting workflow logs; and rotating secrets, especially if the malicious base64 string is present in any files changed by the Action.
Editor's Notes
Note that this attack bypassed the most common best-practice security precautions. The 'tj-actions' repository is well respected and widely used. The attacker retroactively changed older versions. Even organizations that 'pinned' a particular version were affected, not just organizations using the latest version. You must be able to detect sudden changes to your supply chain like this.
Denmark Cybersecurity Agency Warns of Threat to Telecoms
Denmark's Ministry of Societal Safety and Emergency Management has published a threat assessment warning that the country's telecommunications sector is facing a 'heightened cyber threat.' While the document does not mention Salt Typhoon and no European companies or governments have confirmed Salt Typhoon activity on their networks, last year, former U.S. deputy national security adviser for cyber and emerging technologies Anne Neuberger indicated that Salt Typhoon had affected some European organizations.
Editor's Notes
- Slide 1 of 2
At this point, telecom providers should assume comprise and take actions to both hunt for IOCs and secure their network, as well as communicate with subscribers about security of their networks. Consumers need to enable encryption where possible, and consider using non-SMS options for sensitive messages: Signal, WhatsApp, etc.
- Slide 2 of 2
They are not saying it is Salt Typhoon, but there is a group that is targeting telcos in the world called Salt Typhoon, so this could be Salt Typhoon, but at the end of the day, there is a group in a Telco that has root.
Slide 1 of 0- Slide 1 of 2
Critical Remote Code Execution Flaw in Apache Tomcat
A critical vulnerability in Apache Tomcat could lead 'to remote code execution and/or information disclosure and/or malicious content added to uploaded files via write enabled default servlet.' According to researchers from Wallarm, 'the attacker uploads a serialized Java session file via PUT request [and then] triggers deserialization by referencing the malicious session ID in a GET request.' The vulnerability is being actively exploited. The flaw affects Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. The issue has been addressed in Tomcat versions 11.0.3, 10.1.35, and 9.0.99.
Editor's Notes
- Slide 1 of 2
I just got wind of this one. This isn't good. It seems like full weaponization in 30 hours. The exploit vector uses the PUT method to store the session on disk (as they are all for every language) in a serialized fashion. Simply using the GET request will cause deserialization to occur, in which case there is an RCE. Now, I haven't gotten all the details of the bug. I know that Apache Tomcat is everywhere, but I am not sure how many of these instances have been implemented with the PUT method. Make sure you patch. Please.
- Slide 2 of 2
Beyond the update, make sure writes are disabled for the default servlet (off by default) and look at disabling partial PUT (enabled by default). For services with embedded Tomcat, you're going to have to contact the supplier for information about when the update will be available, as manually updating can produce an unstable or unsupported configuration.
Slide 1 of 0- Slide 1 of 2
Micronesian Health System Offline Following Ransomware Attack
On March 11, the Department of Health Services IT unit at the Micronesian state of Yap detected a ransomware attack affecting their network. The entire network was taken offline and all computers were turned off, so they have no email communication through official servers and no access to digital health records. The department is working with government officials and private IT contractors to remediate the situation. This is the most recent in a series of ransomware attacks targeting Pacific island countries.
Editor's Notes
If you're in the healthcare industry you're a target. Make sure that you're not ignoring cyber hygiene, and you're doing regular independent assessments/validation. There are free/low cost resources available to help, connect your local ISAC, CISA, or professional associations for options.
Botnets are Exploiting Flaw in Edimax IoT Devices
Akamai's Security Intelligence and Response Team (SIRT) has identified a critical OS command injection vulnerability in Edimax Internet of Things (IoT) devices that is being actively exploited by multiple botnets. There is currently no fix available. The flaw appears to have been exploited as far back as May 2024; a proof-of-concept exploit was available in June 2023. Multiple botnets have been exploiting the flaw. Akamai's report includes a list of indicators of compromise (IoC).
Editor's Notes
Security by design is significantly easier in single-application purpose-built devices, than in full-function general-purpose computers. Unfortunately, that is not what is happening. Rather, the designers start with a full-function operating system. Even it they were able to achieve a reasonably secure implementation, all that functionality is a target for botnet operators.
Mora_001 Threat Actor Group is Exploiting Known Fortinet Vulnerabilities
A ransomware group that appears to have ties to Lockbit is exploiting known vulnerabilities in Fortinet FortiOS and FortiProxy. The series of intrusions was detected by researchers from Forescout Research Ð Vedere Labs; they are calling the threat actor behind these attacks Mora_001. Fortinet has released fixes for both flaws. One of the vulnerabilities, CVE-2024-55591, was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog in January with a one-week mitigation deadline.
Editor's Notes
The KEV is your friend. It enables you to make your expensive but necessary patching activity more efficient and timely.
Internet Storm Center Tech Corner
SANS ISC StormCast Tuesday, March 18, 2025
Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation
https://isc.sans.edu/podcastdetail/9368
Static Analysis of GUID Encoded Shellcode
Didier explains how to decode shell code embedded as GUIDs in malware, and how to feed the result to his tool 1768.py which will extract Cobalt Strike configuration information from the code.
https://isc.sans.edu/diary/Static+Analysis+of+GUID+Encoded+Shellcode/31774
SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
xml-crypto, a library use in Node.js applications to decode XML and support SAML, has found to parse comments incorrectly leading to several SAML vulnerabilities.
https://workos.com/blog/samlstorm
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A just made public deserialization vulnerability in Tomcat is already being exploited. Contributing to the rapid exploit release is the similarity of this vulnerability to other Java deserialization vulnerabilities.
https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/
CSS Abuse for Evasion and Tracking
Attackers are using cascading stylesheets to evade detection and enable more stealthy tracking of users
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
SANS ISC Stormcast Monday, March 17, 2025
Mirai Makes Mistakes; Compromised Github Action; ruby-saml vulnerability; Fake GitHub Security Alert Phishing
https://isc.sans.edu/podcastdetail/9366
Mirai Bot Now Incorporating Malformed DrayTek Vigor Router Exploits
One of the many versions of the Mirai botnet added some new exploit strings attempting to take advantage of an old DrayTek Vigor Router vulnerability, but they got the URL wrong.
https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770
Compromised GitHub Action
The popular GitHub action tj-actions/changed-files was compromised and leaks credentials via the action logs
ruby-saml authentication bypass
A confusion in how to parse SAML messages between two XML parsers used by Ruby leads to an authentication bypass in saml-ruby.
GitHub Fake Security Alerts
Fake GitHub security alerts are used to trick package maintainers into adding OAUTH privileges to malicious apps.