The Certificate Authority Browser (CA/Browser) Forum has added two practices to its Baseline Requirements to enhance the security of HTTPS certificates. The first, Multi-Perspective Issuance Corroboration (MPIC), "enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates. Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers." CAs must also now use linting, which "ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication." Both new requirements took effect on March 15, 2025.
The idea is to offset risks from BGP attacks used to obtain fraudulent certificates. Requester domain validation will be performed from multiple geographic locations, to offset risks of routing attacks, coupled with enhanced linting to ensure good algorithms are used and errors detected, which should increase the overall integrity of certificate issuing with nominal impact on legitimate certificate requests.
These changes should be transparent to anybody requesting certificates from participating certificate authorities. So far, the more disruptive proposals, like a shortened certificate lifetime, were not implemented.
The CA/Browser Forum has been very slow to force improvements in validation and authorization before certificates are issued, even as 'SSL everywhere!' was trumpeted. Good to see this initiative become a requirement.
Does making these procedures public improve security?
BleepingComputer and Bloomberg have both reported that Electronic Health Records (EHR) company Oracle Health, formerly known as Cerner, privately communicated to its customers on plain non-letterhead paper the news of a data breach detected on February 20, 2025, involving "Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud." According to the communication, in the month before the attack was detected the threat actor accessed servers using compromised customer credentials and exfiltrated data to a remote server, possibly including patient information from electronic health records. Reportedly Oracle Health will help identify impacted individuals, but the company claims that hospitals are responsible for determining any HIPAA violations and handling further specific notifications. Oracle has not publicly acknowledged this breach, and has openly denied the separate alleged March 20, 2025 breach of Oracle Cloud servers.
This is not to be confused with the earlier claims of a breach of Oracle Cloud's Federated SSO login servers, although both incidents are lacking in formal notification. Written notices were provided, but not on company letterhead, directing customers to only communicate verbally with their CISO. In this case Oracle Health is offering to pay for the mailing vendor for patient notification and offering credit monitoring, but they are not willing to send on behalf of the affected hospitals, unlike UHG/Change Healthcare. Without more transparent breach notifications, not only are hospitals challenged to investigate/report accurately, Oracle Health may be subject to an investigation from HHS.
A key aspect in outsourcing your data and/or services with a third party is having trust with that third party. When that third party begins to deal with you during a breach using only lawyers, not publicly acknowledging they suffered a breach, and communicating with you on un-headed paper, then that third party is no longer acting as a trusted party.
Seems a bit like Change Healthcare in the way they've communicated; hopefully, they don't plan on using their incident response playbook. It's time for Oracle Health to officially own the incident and take action to lessen the impact in the loss of health records.
Almost from its first year the Verizon DBIR has warned of the risk of orphan data and servers.
BleepingComputer
MSN
Ars Technica
The Register
In a letter sent to the acting trustees and trial attorneys in the 23andMe bankruptcy case, the US Federal Trade Commission writes that whoever purchases 23andMe must uphold the company's data privacy policy. According to the 23andMe privacy statement, "If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity." 23andMe filed for Chapter 11 bankruptcy protection on March 23, 2025. Their privacy policy was last updated on March 14, 2025.
The thing about genetic data is that it is not only sensitive, but cannot be changed, unlike a phone number. Adherence to the privacy policy signed by the user is critical in this case. It's not clear that the purchasing company won't attempt to replace that with their policy with an automatic opt-in, which runs afoul of modern privacy legislation which requires notification and active acceptance. Your best bet is a data deletion request.
The sensitivity of data increases with associations. While one person's DNA is no more sensitive than other biometric data, a DNA database may contain intimate associations among individuals of which they are not even aware. One likes to think that this contractual provision will be enforceable in bankruptcy.
Don't wait for lawyers to decide what the appropriate use cases are. If you have data with 23andMe, go in and delete it now.
The Record
Bank Infosecurity
23andMe
FTC
For their State of CPS Security: Healthcare Exposures 2025 report, researchers from Claroty's Team82 conducted "an analysis of connected medical devices and systems exposed to known exploits, ransomware, and attacks leveraging insecure connectivity."
Not only do healthcare CISOs face issues posed by legacy technology and unsupported products, but the patching cycle is determined by the interactions of the vendor and the US Food and Drug Administration (FDA), "which is responsible for the validation of any cybersecurity-related changes made to medical devices." Team82 writes, "Our goal in this report is to shed light on the riskiest exposures facing healthcare devices and networks -- as well as OT within hospitals -- [to] provide some context to help identify those assets most in jeopardy, and demonstrate the number of devices burdened not only by known and exploited vulnerabilities (KEVs), but those that are most at risk to ransomware and extortion attacks, and insecurely connected to the internet."
Healthcare systems are a huge target, in part due to the large attack surface, not always well secured, which is prioritized for continuous operation, making patching/security windows virtually nonexistent. Couple that with the need for FDA validation of cybersecurity changes, meaning a fix can take up to a year to implement. That means that healthcare organizations are going to need to focus on boundary and network security (protections and detection) to offset running vulnerable code on potentially unsupported operating systems. One hopes they can leverage free resources, like CISA, to offset shortage of SME or other resources.
The success of ransomware attacks suggests that hospital risk is high in part because too much is exposed to the Internet. While we do not see much abuse or misuse of medical appliances, any one may represent a risk to health and safety and 650K devices is a mammoth attack surface.
Claroty
Security Week
Help Net Security
Industrial Cyber
Mozilla has published a security advisory reporting a sandbox escape vulnerability now fixed for Windows users in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1. CVE-2025-2857, rated critical by Mozilla, would allow sandbox escape due to a compromised child process causing the parent process to return an unintentionally powerful handle. Mozilla notes that developers found this flaw following a recent report from Kaspersky of a similar sandbox escape in Chrome for Windows under active exploit: CVE-2025-2783, fixed in Chrome 134.0.6998.177/.178 and now added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) database. The Firefox flaw is not known to have been exploited. Tor Browser, which shares its codebase with Firefox, has also patched the flaw for Windows users in version 14.0.8. Users of Firefox, Chrome, and Tor for operating systems besides Windows are not affected.
Mozilla
Tor
NIST
The Register
The Record
The Hacker News
On March 31, 2025 Apple released security updates for a wide range of their products. The updates include notable backported fixes for flaws reportedly exploited as zero-days in older devices and operating systems: CVE-2025-24085, CVSS score 7.3, allows privilege elevation through a malicious application already installed on the device due to a use-after-free bug in the Core Media component. This flaw is fixed in macOS Sonoma 14.7.5, macOS Ventura 13.7.5, and iPadOS 17.7.6. CVE-2025-24200, CVSS score: 4.6, allows an actor to disable USB Restricted Mode as part of a physical cyberattack on a locked device, due to an authorization issue in the Accessibility component. CVE-2025-24201, CVSS score 8.8, allows an attacker to break out of the Web Content sandbox using crafted malicious web content due to an out-of-bounds write issue in the WebKit component. These two flaws are fixed in iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, and iPadOS 16.7.11. Other items included in the release are updates for visionOS, tvOS, macOS Sequoia, Safari, Xcode, and additional versions of iOS and iPadOS.
AAPL quietly provides security updates as part of its normal patch cycle. What's different and bears immediate attention is the fact that these vulnerabilities are being actively exploited. Update to the latest version available for the various AAPL operating systems. Further, get into the habit of updating as AAPL makes updates to their product operating systems; it will save you a lot of pain-n-suffering later.
Researchers at Infoblox have published a report describing a Phishing-as-a-service (PhaaS) kit, observed in use since 2020, that has grown in complexity and, among other capabilities, now abuses Domain Name System mail exchange (DNS MX) records to "dynamically serve phishing web templates that relate to the victim's email service," targeting users globally and in over a dozen languages. Referencing Cloudflare DNS over HTTPS (DoH) or Google Public DNS, the kit loads one of at least 114 spoofed HTML templates mimicking a login page relevant to the victim. Infoblox suggests organizations strengthen DNS security, "tightening DNS control so that users cannot communicate with DoH servers or blocking user access to adtech and file sharing infrastructure not critical to the business," positing that "if companies can reduce the number of unimportant services in their network, they can reduce their attack surface." Heath Renfrow, co-founder and CISO at Fenix24, recommends deep DNS logging and analysis; monitoring for brand spoofing and MX record anomalies; using zero-trust gateways; enforcing DMARC, DKIM, and SPF authentication; and requiring regular anti-phishing training.
Grab the IOCs from the Infoblox blog to see if any traces of Morphing Meerkat are discovered. Review your DNS security measures, including blocking access to external/unsanctioned DoH services. Beyond having good monitoring on DNS, tracking adtech and sharing site use should be in place to fuel the discussion about blocking non-approved sites in these categories.
This is an interesting variant in that it attempts to identify the victim's email provider (Microsoft, Google) and emulates the 'correct' phishing page for the user. Older phishing kits just added collateral like company logos based on the email domain. This version may catch a few new victims.
Short summary: reusable credentials like passwords need to be replaced with phishing-resistant strong authentication. Especially for users like the example 'high-profile professionals, such as a head of network operations for a large financial services software company' used in the report.
Never underestimate the ability of the attacker. Basically, they are now commoditizing initial access as part of ransomware as a service. DNS filtering continues to be the best defense and is offered at both the enterprise and user level.
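One way to act on the DNS logging and DoH monitoring advice above, as an added example that is not taken from the Infoblox report or from the editors' comments: flag web-proxy log entries in which a client asks Cloudflare or Google DoH for MX records, covering both the JSON query form and the RFC 8484 `?dns=` wire form. The log layout, the sample lines and the assumption that a TLS-inspecting proxy records full URLs are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# DoH services named in the report; hostnames are the public endpoints.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}
MX = 15  # DNS record type number for MX


def _question_from_wire(b64url):
    """Return (qname, qtype) from an RFC 8484 ?dns= base64url query."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    pos, labels = 12, []                      # skip the 12-byte DNS header
    while raw[pos]:                           # labels end at a zero byte
        n = raw[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels), int.from_bytes(raw[pos + 1:pos + 3], "big")


def doh_mx_lookup(url):
    """Return the queried domain if url is a DoH MX lookup, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in DOH_HOSTS:
        return None
    q = parse_qs(parts.query)
    if "dns" in q:                            # wire-format GET
        try:
            name, qtype = _question_from_wire(q["dns"][0])
        except (ValueError, IndexError):      # malformed or truncated query
            return None
        return name if qtype == MX else None
    rtype = q.get("type", ["A"])[0].upper()   # JSON API: ?name=...&type=MX
    return q["name"][0] if rtype in ("MX", str(MX)) and "name" in q else None


def find_doh_mx_lookups(log_lines):
    """Return (timestamp, client, domain) for each DoH MX lookup logged."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        domain = doh_mx_lookup(url)
        if domain:
            hits.append((ts, client, domain))
    return hits


def _wire(name, qtype):
    """Build a base64url DNS query (used only for the constructed samples)."""
    msg = b"\x00\x00\x01\x00\x00\x01" + b"\x00" * 6
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


# Constructed proxy log: timestamp, client, method, URL
SAMPLE_LOG = [
    "2025-04-01T09:00:01Z 10.0.0.21 GET https://dns.google/resolve?name=corp.example&type=MX",
    f"2025-04-01T09:00:05Z 10.0.0.22 GET https://cloudflare-dns.com/dns-query?dns={_wire('mail.example', 15)}",
    f"2025-04-01T09:00:09Z 10.0.0.23 GET https://cloudflare-dns.com/dns-query?dns={_wire('www.example', 1)}",
    "2025-04-01T09:00:12Z 10.0.0.24 GET https://www.example.org/page?name=x&type=MX",
]

if __name__ == "__main__":
    for hit in find_doh_mx_lookups(SAMPLE_LOG):
        print(hit)
```

DoH queries sent by POST carry the question in the request body, so they are visible only where the proxy logs bodies; blocking unsanctioned DoH endpoints, as suggested above, covers that gap.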
Researchers from Sucuri found that threat actors are hiding malware in the WordPress mu-plugins directory. Must-use (mu) plugins are in a separate directory and are automatically activated. By placing the malware here, it is more likely to evade routine security checks. The researchers detected three different types of malware written in PHP: a phony update redirect, a remote code execution webshell, and a spam injector. These are not the first instances of malware found in the mu-plugins directory: earlier this year, Sucuri found "multiple backdoors allowing attackers to execute malicious code remotely," noting that "Attackers exploit this directory to maintain persistence and evade detection, as files placed here execute automatically and are not easily disabled from the WordPress admin panel."
A design flaw with WordPress that allows attackers to maintain persistence on the system. Add the directory to regular scanning for malicious files and restrict access to only admins. Further, maintain a tight update schedule for all plugins.
Security Week
The Hacker News
SC World
Sucuri
Sucuri
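A sketch of the "add the directory to regular scanning" advice for the mu-plugins story above, as an added example that is not Sucuri's or WordPress's own tooling: compare every file under `wp-content/mu-plugins` with an approved baseline of SHA-256 hashes and report anything unexpected, modified or missing, marking the top-level `.php` files that WordPress loads automatically. The default directory location, the baseline format and all file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_mu_plugins(wp_root, approved):
    """Compare mu-plugins with an approved {relative_path: sha256} baseline.

    Returns (status, relative_path, autoloaded) tuples. status is one of
    "unexpected", "modified" or "missing"; autoloaded is True for top-level
    .php files, which WordPress runs on every request without activation.
    Assumes the default location (sites can relocate it via WPMU_PLUGIN_DIR).
    """
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    findings, seen = [], set()

    def autoloaded(rel):
        return "/" not in rel and rel.endswith(".php")

    if mu_dir.is_dir():
        for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(mu_dir).as_posix()
            seen.add(rel)
            if rel not in approved:
                findings.append(("unexpected", rel, autoloaded(rel)))
            elif sha256_file(path) != approved[rel]:
                findings.append(("modified", rel, autoloaded(rel)))
    for rel in sorted(set(approved) - seen):
        findings.append(("missing", rel, autoloaded(rel)))
    return findings


def demo():
    """Audit a constructed WordPress tree; every file name here is made up."""
    with tempfile.TemporaryDirectory() as root:
        mu = Path(root, "wp-content", "mu-plugins")
        (mu / "lib").mkdir(parents=True)
        (mu / "site-cache.php").write_text("<?php // approved loader\n")
        approved = {
            "site-cache.php": sha256_file(mu / "site-cache.php"),
            "sso-glue.php": "0" * 64,      # in the baseline, absent on disk
        }
        # Changes made after the baseline was taken:
        (mu / "site-cache.php").write_text("<?php // approved loader\n// edited\n")
        (mu / "index.php").write_text("<?php // stand-in for a dropped file\n")
        (mu / "lib" / "helper.php").write_text("<?php // not auto-loaded\n")
        return audit_mu_plugins(root, approved)


if __name__ == "__main__":
    for status, rel, auto in demo():
        print(f"{status:10} {rel:20} autoloaded={auto}")
```

Run from a scheduled job against a baseline stored outside the web root, any "unexpected" or "modified" entry with `autoloaded=True` is code that executes on the next request and warrants immediate review.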
The Windows 11 Insider Preview Build 26200.5516 released March 28, 2025 has removed the bypassnro.cmd script, ensuring "all users exit setup with internet connectivity and a Microsoft Account." The script's purpose was to create a registry value removing the requirement for an internet connection during setup, allowing users who preferred not to use a Microsoft Account to proceed with only a local Windows account. Microsoft's stated intention is "to enhance security and user experience" by removing the script, though Lawrence Abrams, owner and Editor in Chief of BleepingComputer, reports that "many users do not want to use a Microsoft Account, thinking it reduces their privacy and allows Microsoft to monitor their activities." The same bypass can be manually achieved using commands as long as Windows still includes the registry value.
The advantage of the Microsoft account is it allows central storing of BitLocker keys, settings, preferences, etc. The downside is users have to both have a MS account and be online to access Windows 11 systems. Running the bypassnro.cmd script during setup allowed setup networking to be bypassed and a local account created. To achieve that now, you'll need to pause setup at the network setup, open a CMD prompt and set the OOBE BypassNRO registry value to 1, then reboot.
On March 24, 2025, the US National Institute of Standards and Technology (NIST) published NIST AI 100-2e2025, representing the agency's final guidelines on "securing applications of artificial intelligence (AI) against adversarial manipulations and attacks," offering terminology and attack taxonomy for adversarial machine learning (AML). The report identifies and classifies attacks "relative to: (i) the AI system type, (ii) the stage of the ML life cycle process in which the attack is mounted, (iii) the attacker's goals and objectives in terms of the system properties they seek to violate, (iv) the attacker's capabilities and access, and (v) the attacker's knowledge of the learning process and beyond," differentiating chiefly between Predictive AI (PredAI) and Generative AI (GenAI) and offering improved mitigation techniques.
This is a pretty dense report, though almost half of the 114 pages are reference footnotes. From an action point of view, you could block replace every mention of AI and ML with 'complex database applications' and reach the same recommendations. The report acknowledges this, stating, 'For example, managing the security of AI systems will require combining mitigations from the field of AML with best practices for the development of secure software from the field of cybersecurity.' Without data governance and access control, no application (with or without AI/ML) will end up secure.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a malware analysis report (MAR) detailing malware called RESURGE that has been used to exploit a known stack-based buffer overflow vulnerability in Ivanti Connect Secure before version 22.7R2.5; Ivanti Policy Secure before version 22.7R1.2; and Ivanti Neurons for ZTA gateways before version 22.7R2.3. The MAR includes indicators of compromise, detection signatures, and suggested mitigations. As RESURGE is capable of surviving reboots, CISA recommends conducting a factory reset.
RESURGE is associated with CVE-2025-0282, CVSS score 9.0, from back in January. Regardless of patch status, grab the IOCs and go threat hunting. If for some reason you were delayed deploying the Ivanti update, assume a compromise. If you find anything, or have any doubts, perform a factory reset. Compromise of associated domain accounts should perform two password resets, revoke Kerberos and cloud tokens. Cloud joined devices will need to be disabled to revoke the device token.
The Hacker News
Security Week
Help Net Security
CISA
CISA
NVD
A former intern at the UK's Government Communications Headquarters (GCHQ) pleaded guilty to violating the Computer Misuse Act (CMA) for downloading top secret information to his mobile phone and taking it home. Hasaan Arshad's plea admits to "committing an unauthorised act which risked damaging national security." The incident occurred in August 2022; he was arrested in September 2022. Due to the nature of the stolen data, parts of the case were to have been held in closed sessions, but his plea on the first day of the trial made that unnecessary. Sentencing will take place in June.
Given that many employees are being required to return to offices, this one is a good reminder to include a process for reminding them to safely dispose of work-related information on personal devices, printer memories, file folders, home/personal cloud backup systems etc.
Beyond classified data, consider the allowance of external storage device connection (to include smartphones) as well as camera use in areas where sensitive data is processed. A photograph of the screen can be as valuable as capturing a document, and a lot harder to detect, and with modern text recognition, not a big hindrance to understanding the data. Also make sure that you have a clear policy, with stated consequences, and supporting training on how and where your sensitive data are to be processed, handled and stored.
The intelligence community places a lot of trust in the individual. That said, there are also system-level checks to ensure that national security secrets are protected. Mr. Arshad intentionally violated that trust and should be held fully accountable.
We continue to see instances within the intelligence community in which junior people are not supervised in a manner consistent with the sensitivity of the information to which they have access. In this case, one can only wonder how an intern could have access to top secret data either outside a SCIF or take a mobile into a SCIF.
Internet Storm Center StormCast Tuesday, April 1, 2025
Apache Camel Exploits; New Cert Authorities Requirements; Possible Oracle Breach
https://isc.sans.edu/podcastdetail/9388
Apache Camel Exploit Attempt by Vulnerability Scans
A recently patched vulnerability in Apache Camel has been integrated into some vulnerability scanners, like, for example, OpenVAS. We do see some exploit attempts in our honeypots, but they appear to be part of internal vulnerability scans.
New Security Requirements for Certificate Authorities
Starting in July, certificate authorities need to verify domain ownership data from multiple viewpoints around the internet. They will also have to use linters to verify certificate requests.
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
Possible Oracle Breach
Oracle still denies being the victim of a data breach, even though leaked data may show otherwise.
https://www.theregister.com/2025/03/30/infosec_news_in_brief/
Internet Storm Center StormCast Monday, March 31, 2025
Comparing Phishing Sites; DOH and MX Abuse Phishing; opkssh
https://isc.sans.edu/podcastdetail/9386
A Tale of Two Phishing Sites
Two phishing sites may use very different backends, even if the site itself appears to be visually very similar. Phishing kits are often copied and modified, leading to sites using similar visual tricks on the user facing site, but very different backends to host the sites and reporting data to the miscreant.
https://isc.sans.edu/diary/A+Tale+of+Two+Phishing+Sites/31810
A Phishing Tale of DOH and DNS MX Abuse
Infoblox discovered a new variant of the Meerkat phishing kit that uses DoH in JavaScript to discover MX records and generate better customized phishing pages.
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
Using OpenID Connect for SSH
Cloudflare open-sourced its OPKSSH tool. It integrates SSO systems supporting OpenID Connect with SSH.