SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsResearchers from HP Wolf Security have observed increasing use of counterfeit CAPTCHA checks to lead users into "ClickFix" phishing attacks. These rely on "the user's own complacency" in completing the test to trick them into pasting and executing a PowerShell script in the Windows "Run" prompt that downloads and installs a malware payload, often from a legitimate cloud hosting service with a reputable IP address, thereby circumventing security alerts. Microsoft recently published a report observing a faked CAPTCHA overlaid on a site mimicking Booking.com to deliver the same type of attack. Sekoia Threat Detection & Research (TDR) has observed the spread of ClearFake malware using faked Google reCAPTCHA and Cloudflare Turnstile verifications as lures. In early March 2025, Arctic Wolf warned that "widely used physical therapy video site HEP2go" had been compromised and was being used to target the healthcare sector with ClickFix using a counterfeit CAPTCHA. Suggested mitigations and preventions of this technique are thorough awareness training on signs of phishing, and administrative limits on the clipboard and the "Run" command if needed.
Never underestimate the craftiness of evildoers. That said, the red flag was being asked to run a set of commands on your device. That's a stop, think, stop again, think again moment before declaring it too dodgy and leaving the site. Unfortunately for far too many people, they never enter the stop think stage, so I suspect there is a good ROI for the evildoer.
Talked about this issue last year (https://isc.sans.edu/diary/31282) and it has only become more common since then. Controlling powershell script execution has been important even before that as attackers have used various tricks to execute malicious powershell scripts for years. Nothing fundamentally new here.
CAPTCHA as bait, ranks right up there with "Click here to get the latest version of Adobe Reader."
A CAPTCHA that entices you to run copy/pasted content should be an immediate red flag. The attack tells the user to hit the Win+R key combination to run the pasted script. Consider implementing a GPO which prevents the run command when Win+R is pressed.
This one is interesting; it's the 2025 version of the IRC chat channel telling you to type rm -Rf / in a terminal to fix your issues. It's many decades later, and this is still a vector. This time, however, it's a phishing lure disguised as a captcha. Maybe in 5 years, ChatGPT will let me know that rm -Rf / fixes all my problems; In the meantime, this will be an educational lesson for some that you can't just copy/paste into a terminal. Unfortunately, I am not sure how we can protect against this one.
HP
Microsoft
Sekoia
Arctic Wolf
Krebs on Security
SCWorld
SCWorld
The Hacker News
A vulnerability allowing hidden command line arguments to be executed from Windows Shortcut files (.LNK) has been exploited for at least eight years by state-sponsored hacking groups associated with North Korea, Iran, Russia, and China to deploy a variety of malware payloads, according to a report from Trend MicroÕs Zero Day Initiative (ZDI). Targets of the attacks include "governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies" primarily in the United States, as well as in Canada, Russia, South Korea, Vietnam, and Brazil, and ZDI's analysis suggests nearly 70% of the campaigns focus on information theft and espionage. The vulnerability, tracked as ZDI-CAN-25373, allows an attacker to use whitespace characters to prevent command line arguments in the .LNK file's target from displaying in the Properties UI, often also employing a disguised file extension and icon. Microsoft may address the flaw in a future feature release, but do not consider the UI manipulation to be a security issue requiring a patch. ZDI discovered nearly 1,000 samples of malicious .LNK files; they posit 'it is probable that the total number of exploitation attempts are much higher,' and recommend organizations be wary of suspicious files and scan for indicators of compromise (IOCs).
As stated by Trend Micro, this is an old issue, known and exploited for years. Microsoft is right in not considering it a major problem. It is not that far off from a user downloading any executable and launching it. There are optional defenses in place to prevent such scenarios.
The ZDI Initiative said 'We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.' There have been past Microsoft updates/CVEs around .LNK security flaws. We need to hear publicly from Microsoft why this one is different.
This Windows LNK issue has been known in many circles for years. Jean Maes, who authors our Red Team Course, has been talking about it for at least the time the course has been around, if not longer. This is a well-known vector; the fact that it's getting attention now because protections are available is kind of interesting. I'm not sure what to say about it other than I don't think there will be a fix for this?
The ubiquitous use of Windows puts us all at risk.
To see the augmented shortcuts in the .LNK file you need third party tools, the built in tools will not display the information. ZDI's blog post included a YARA rule to detect them. Microsoft has stated this flaw doesn't meet the threshold to release a fix, however Defender now includes protections to detect and block this flaw. Expect EDR providers to include similar protections soon.
TrendMicro
Zero Day Initiative
The Register
The Record
The Hacker News
BleepingComputer
Analysis by Wiz Research has revealed a second compromise that researchers believe may be part of a "cascading supply chain attack" leading to the compromise of the tj-actions/changed-files GitHub action that caused CI/CD secrets to be dumped into workflow logs of up to 23,000 repositories. Researchers posit that attackers first compromised the v1 tag of the "reviewdog/action-setup" action on March 11, 2025, which may have allowed them to steal the GitHub Personal Access Token (PAT) to access tj-actions on or before March 14: "tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token." Wiz states "immediate response is necessary to mitigate the risk of credential theft and CI pipeline compromise," recommending that organizations query for references to affected actions in their repositories, rotate secrets, remove and/or replace all references to the actions, and download and delete workflow logs as needed. To prevent future risk, Wiz recommends "pin[ning] all GitHub Actions to specific commit hashes," auditing logs for suspicious activity, and blocking unauthorized actions using GitHub's allow-listing feature. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw in tj-actions, CVE-2025-30066, CVSS score 8.6, to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must update to tj-actions/changed-files 46.0.1 by April 4, 2025.
I just did a video on this earlier this week. Since that video, there have been some very good write-ups piecing together this information. Some of the incident response reports I have seen show that researchers have done excellent investigative work and are trying to piece together the total attack. This may have stemmed from a different GitHub action attack path that may or may have been targeting Coinbase's GitHub. CISA is now recommending that all government agencies use a specific lockdown version of these GitHub actions.
Compromised GitHub actions have not really been on the radar for many DevOps organizations, but they should have been. The rush to the cloud and SaaS solutions often leaves vendor management in the dust. Open source, and solutions like GitHub, need to be treated as vendors and managed accordingly.
This may be a cascading supply chain where the compromised actions are used to inject malicious code. GitHub has scripts to scan your repository to identify areas of concern, as well as guidance about what is not an issue.
Wiz
GitHub
The Hacker News
BleepingComputer
IBM released fixes for two critical vulnerabilities in their Advanced Interactive eXecutive (AIX) operating system. Both are arbitrary command execution issues due to improper process controls. The flaws affect AIX versions 7.2 and 7.3. One of the flaws, CVE-2024-56346, affects AIX's Network Installation Management (NIM) master service. The second, CVE-2024-56347, affects IBM AIX nimsh service SSL/TLS protection mechanisms. IBM has also released fixes to address multiple vulnerabilities in IBM License Metric Tool v9.
One might well take note of the difference in the number of patches from IBM with the numbers from some of its competitors.
The good news is AIX isn't as mainstream an operating system as Windows, Linux, MacOS. The bad news is there is still a reasonable user base, and evildoers with the skillset will find a rich target environment as organizations scramble to patch the vulnerability.
If you're an AIX shop this bug's for you. CVE-2024-56346, NIM Master Service flaw, CVSS score 10.0, and CVE-2024-56347 nimsh service flaw, CVSS score 9.9, are both present in AIX 7.2 & 7.3 which you need to update immediately. IBM has released interim fixes, but the best plan is to install the service pack for your AIX version.
Heise
The Register
IBM
IBM
NVD
NVD
Veeam has released a patch to address a critical remote code execution vulnerability in their Backup & Replication product versions 12, 12.1, 12.2, and 12.3. The flaw is due to deserialization of untrusted data. Users are urged to update to Veeam Backup & Replication 12.3.1 (build 12.3.1.1139). The vulnerability was reported by researchers from watchTowr, which has criticized Veeam for using a blacklist rather than a whitelist to address deserialization issues.
CVE-2025-23120, deserialization of untrusted data, CVSS score 9.9, can be exploited by any authenticated user for a domain joined Veeam backup server. Veeam best practices advise against joining the backup server to your domain. You need to both apply the update and review best practices to ensure you're as protected as possible. Note that Veeam provides a deny list rather than an allow list to help mitigate attempted exploits.
Fixing deserialization flaws with block lists doesn't work. WebLogic tried it with little success. Keep your Veeam patching skills sharp and expect more vulnerabilities like this from Veeam.
SC Magazine
The Register
SecurityWeek
HelpNetSecurity
watchTowr
Veeam
NVD
Cybersecurity researchers from Proactive Defense Against Future Threats (PRODAFT) have published a report disclosing two critical input sanitization vulnerabilities in widely-used Supervisory Control and Data Acquisition (SCADA) software mySCADA myPRO impacting myPRO Manager before version 1.3 and myPRO Runtime before version 9.2.1. Both flaws carry CVSS score 9.3, and allow an attacker to execute arbitrary commands on the affected system because of improper neutralization of POST requests sent to a specific port: CVE-2025-20014 exploits this using a version parameter, and CVE-2025-20061 with an email parameter. PRODAFT emphasizes the consequences of security risks in SCADA systems, urging better protection. The report recommends organizations mitigate risk by patching promptly; segmenting networks; strengthening authentication and enforcing MFA; improving monitoring; and developing and testing response plans.
In addition to the mitigations above, don't expose SCADA systems directly to the Internet, and make sure to isolate them from internal systems which don't need to interact with them. If you have remote components collecting data, make sure you're reviewing the security of that connection regularly.
Guardz Research has published a blog post detailing a Business Email Compromise (BEC) phishing campaign "leveraging legitimate Microsoft domains and tenant misconfigurations" to conduct account takeover (ATO) attacks, bypassing email security measures. Attackers appear to control a set of tenants within the Microsoft 365 infrastructure, each handling a different function in the phishing scheme, such as creating fraudulent transactions and records, impersonating the Microsoft brand, and setting up email forwarding using new administrative accounts. Attackers generate authentic signed billing emails and forward them through legitimate infrastructure, abusing display features to include lure text mimicking an unauthorized charge notification with a callback number, thereby bypassing email security measures such as SPF, DKIM, and DMARC and coercing the target toward a voice channel. Guardz suggests how to protect against this type of uniquely-disguised attack: implement email analysis that inspects all fields and metadata and checks for suspicious return-path headers; train users to recognize phishing; only use known valid support phone numbers; and be wary of newly created tenants, especially with ".onmicrosoft<.>com" domains.
The killer is, the messages are originating from internal sources (meaning checking the domain and sender isn't so effective) which then entice users to call a proffered number, directly to the scammer. Mitigation is going to take a combination of blocking bogus numbers and behavior modeling to identify illicit activity.
The UK's National Cyber Security Centre (NCSC) says organizations need to migrate to post-quantum cryptography (PQC) within the next decade. NCSC has identified three interim milestones: By 2028, organizations should have defined PQC migration goals, identified systems that will need to be upgraded, and built an initial plan; by 2031, high-priority PQC migrations should be complete, and the initial plan refined; and by 2035, PQC migration should be complete. NCSC writes, 'Although the core timelines are relevant to all organisations, this guidance is primarily aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT.Ó'NCSCÕs guidance also notes, 'like any major IT or OT upgrade, the total financial cost of PQC migration could be significant, so it's essential that organisations budget accordingly, including for preparatory activities as well as the actual migration.'
NCSC
The Record
The Register
Bleeping Computer
Industrial Cyber
CSO
Computing
The Pennsylvania State Education Association (PSEA), a labor union representing about 178,000 current, future, and retired educators, education support staff, and healthcare employees, has published a notice of a data breach that took place "on or about July 6, 2024" and was investigated and reviewed through February 18, 2025. A breach notification filed with the office of the Maine Attorney General lists the total number of persons affected as 517,487. The data accessed vary by individual, but "may include an individual's full name in combination with one or more of the following elements: Date of Birth, Driver's License or State ID, Social Security Number, Account Number, Account PIN, Security Code, Password and Routing Number, Payment Card Number, Payment Card PIN and Payment Card Expiration Date, Passport Number, Taxpayer ID Number, Username and Password, Health Insurance Information and Medical Information." PSEA notified law enforcement and worked with external cybersecurity professionals in the wake of the breach. The notice does not explicitly specify the nature of the attack, but states "We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted."
The Rhysida ransomware gang is taking credit for this attack. They are a very active gang targeting healthcare, churches, nonprofit organizations and city government organizations. PSEA is providing guidance on steps user can take to protect their credit/identity as well as offering credit monitoring to those who had their SSN compromised. They have until July 17th to enroll in the offered service.
It pretty much goes without saying, ransomware event, and they paid. What I find most troubling outside the lack of basic cyber hygiene is the need to keep all those data elements. It's a good reminder to routinely revisit your data collection and retention policies with an eye towards minimizing what is collected and for how long.
SANS ISC StormCast Friday, March 21, 2025
New Data Feeds; SEO Spam; Veeam Deserialization; IBM AIX RCE
https://isc.sans.edu/podcastdetail/9374
Some New Data Feeds and Little Incident
We started offering additional data feeds, and an SEO spammer attempted to make us change a link from an old podcast episode.
https://isc.sans.edu/diary/Some+new+Data+Feeds+and+a+little+incident/31786
Veeam Deserialization Vulnerability
Veeam released details regarding the latest vulnerability in Veeam, pointing out the insufficient patch applied to a prior deserialization vulnerability.
IBM AIX Vulnerability
The AIX NIM service is vulnerable to an unauthenticated remote code execution vulnerability
https://www.ibm.com/support/pages/node/7186621
SANS ISC StormCast Thursday, March 20, 2025
Cisco Smart Licensing Attacks; Vulnerable Drivers again; Synology Advisories Updated
https://isc.sans.edu/podcastdetail/9372
Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 CVE-2024-20440
Attackers added last September's Cisco Smart Licensing Utility vulnerability to their toolset. These attacks originate most likely from botnets and the same attackers are scanning for a wide range of additional vulnerabilities. The vulnerability is a static credential issue and trivial to exploit after the credentials were published last fall.
Legacy Driver Exploitation Through Bypassing Certificate Verification
Ahnlab documented a new type of "bring your own vulnerable driver" vulnerability. In this case, an old driver used by an anit-malware and anti-rootkit system can be used to shut down arbitrary processes, including security related processes.
https://asec.ahnlab.com/en/86881/
Synology Vulnerability Updates
Synology updates some security advisories it release last year adding addition details and vulnerable systems.
https://www.synology.com/en-global/security/advisory/Synology_SA_24_20 (Synology-SA-24:20 DSM)
https://www.synology.com/en-global/security/advisory/Synology_SA_24_24 (Synology-SA-24:24 Synology Camera)
SANS ISC StormCast Wednesday, March 19, 2025
Python DLL Side Loading; Tomcat RCE Correction; SAML Roulette; Windows Shortcut 0-Day
https://isc.sans.edu/podcastdetail/9370
Python Bot Delivered Through DLL Side-Loading
A "normal", but vulnerable to DLL side-loading PDF reader may be used to launch additional exploit code
https://isc.sans.edu/diary/Python+Bot+Delivered+Through+DLL+SideLoading/31778
Tomcat RCE Correction
To exploit the Tomcat RCE I mentioned yesterday, two non-default configuration options must be selected by the victim.
https://x.com/dkx02668274/status/1901893656316969308
SAML Roulette: The Hacker Always Wins
This Portswigger blog explains in detail how to exploit the ruby-saml vulnerability against GitLab.
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
Windows Shortcut Zero Day Exploit
Attackers are currently taking advantage of an unpatched vulnerability in how Windows displays Shortcut (.lnk file) details. Trend Micro explains how the attack works and provides PoC code. Microsoft is not planning to fix this issue
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveSANS | GIAC Workforce Leadership Summit Debuts at RSACª 2025 2025 Conference Join us at the SANS | GIAC Workforce Leadership Summit at RSACª 2025 2025 Conference, a solution-driven event where cybersecurity and HR executives discuss the latest challenges and innovative approaches to building high-performing security teams.
Survey | 2025 SANS SOC Survey: Facing Top Challenges in Security OperationsThe SANS 2025 SOC Survey uncovers the biggest challenges, trends, and innovations shaping modern SOCs.
Webcast | ICS Security and Management of Change: Risks and Resilience | April 16, 10:30 ETJoin us for an in-depth webcast exploring the intersection of ICS security and management of change (MoC).
Webcast | Securing the Future with Microsoft Defender for Cloud: Best Practices and Insights | March 26, 1:00 ETJoin Dave Shackleford, and Microsoft's Dick Lake, as they explore practical approaches to securing cloud environments.