SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
CISA Adds Cisco CSLU Flaw to Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical hardcoded credentials flaw in Cisco Smart Licensing Utility (CSLU) to the Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability (CVE-2024-20439) was disclosed on September 4, 2024; Cisco released updates to address the issue at that time. CISA added the flaw to the KEV after confirmation that it is being actively exploited. In mid-March, Johannes Ullrich wrote in an Internet Storm Center diary that they were "seeing some exploit activity" of the flaw, chained with a second flaw that Cisco also patched in September, and in an April 1 update to the September advisory, Cisco notes, "In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild."
Editor's Notes
- Slide 1 of 4
Last week, we detected the use of the exploit against some of our honeypots. The exploit is trivial, and the password used has been known for several months. The exploit had likely been used in more limited attacks well before we detected the use against our honeypots.
- Slide 2 of 4
CVE-2024-20439 has a CVSS score of 9.8, and allows an attacker to login using a static administrative credential. Johannes discovered this flaw is being chained with an exploit of CVE-2024-20440, CSLU information disclosure vulnerability, to access log files and API credentials. The fix (there are no workarounds) is to deploy the fixed version of CSLU you're licensed for. This is a free update.
- Slide 3 of 4
Six months is long enough for any organization to patch for a known hardcoded credential flaw. So, if adding the vulnerability to the KEV spurs organizations to action, so be it. If I were on the company risk committee, I would be asking what took you so long.
- Slide 4 of 4
Are these Cisco Licensing Systems exposed to the internet? I've never seen one exposed, so I'm curious to know who runs this on the internet as if it's a router. Nothing should surprise me anymore, however.
Slide 1 of 0- Slide 1 of 4
Oracle Faces Class Action, Criticism Over Breach Responses
A class action lawsuit has been filed in a US district court in Texas seeking damages and financial relief from Oracle in the wake of a March 2025 data breach of Oracle Cloud that the company denies occurred despite customers' confirmations and verification of the stolen data. The Plaintiff and Class members demand a jury trial, alleging that "Oracle violated Texas state data breach notification laws in not informing the alleged victims of a breach within 60 days of becoming aware of one." The lawsuit focuses on Oracle Cloud, but also alludes to the February 2025 breach of an Oracle Health server, only privately acknowledged by Oracle in non-letterhead notices. Bloomberg reports that certain Oracle Cloud customers also received private notices that credentials were stolen, but Oracle has not commented publicly. Cybersecurity researchers Kevin Beaumont and Jake Williams believe Oracle has attempted to remove evidence of the Oracle Cloud intrusion stored in the Internet Archive's Wayback Machine. Beaumont criticizes Oracle for "attempting to wordsmith statements" by distinguishing between Oracle Cloud and Oracle Cloud Classic, misleadingly only denying that the former was breached. Beaumont writes: "Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they're doing about it. This is a matter of trust and responsibility." Connor Jones, writing for the register, characterizes Oracle's reactions as "denial and potentially deception and destruction."
Editor's Notes
- Slide 1 of 6
Oracle's legal team had to expect and advise that a lawsuit would be forthcoming. For them not to be transparent about the breach and offer assurances is baffling to most security professionals. The court will decide if Oracle Cloud exhibited a standard of reasonableness in its implementation of security controls. It's likely its cloud users will decide well before then.
- Slide 2 of 6
One would expect that cloud providers rely on customer trust to support their business. We will see if the delayed and incomplete disclosure will adversely affect Oracle's cloud business. On the other hand, cloud customers are unlikely to face compliance scrutiny and may just shrug it off as something they accept for the convenience of outsourcing the breach to a cloud provider.
- Slide 3 of 6
I am sure Oracle is struggling with transparency versus reputation damage. I attended a talk Wednesday where we came to the conclusion that reputation damage is no longer a factor. For example, remember the Target breach right before the holiday shopping season? It was followed by their best season to date. It's going to take time, and we all need to learn that full transparency about what happened coupled with strong forensic, remediation, and support for affected parties, is essential.
- Slide 4 of 6
Over 100 years ago, Supreme Court Justice Louis Brandeis said 'Sunlight is the best disinfectant.' Whether Oracle is culpable of any wrongdoing or not, this lack of communication alone should be weighted in decisions to use Oracle Cloud services.
- Slide 5 of 6
Not getting involved in this one. I'll wait for the lawsuit to see what shakes out. All I can say is that you want to enshrine confidence in your platform if you're trying to attract customers.
- Slide 6 of 6
I am a great believer in the adversarial process for getting at the truth. Even if Oracle were more forthcoming, I would still not be satisfied that I really knew what happened absent a trial.
Slide 1 of 0- Slide 1 of 6
Update Available for Ivanti Buffer Overflow Flaw Under Active Exploitation
Ivanti has released an advisory regarding a critical stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2. The flaw can be exploited to achieve remote code execution. Both Ivanti and Mandiant Incident Response researchers have noted that the vulnerability is being actively exploited by threat actors with ties to China. Ivanti has addressed the vulnerability in Ivanti Connect Secure 22.7R2.6, which was released in February. The vulnerability also affects Pulse Connect Secure 9.x, which reached end-of-life at the end of 2024; users are urged to migrate to a secure platform. Updates to address the vulnerability in Ivanti Policy Secure and Ivanti ZTA Gateways are expected to be available on April 19 and 21, respectively.
Editor's Notes
- Slide 1 of 2
Never underestimate the creativity of an attacker. The flaw was considered unexploitable just because the company was initially unable to detect the flaw and couldn't imagine it being exploited.
- Slide 2 of 2
CVE-2024-22457, stack-based buffer overflow, has a CVSS score of 9.0. Ivanti released an update for Ivanti Connect Secure in February, and updates to Policy Secure and ZTA Gateways are planned for April 21st and 19th respectively. The ZTA Gateway fix will be automatically applied. Pulse Secure 9.1 is no longer being fixed and was end-of-support on 12/31/24. You will need to migrate to a different VPN solution.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
openSNP Genetic Data Repository to Delete Data and Shut Down
Open course genetic data repository openSNP will cease operations and delete all data it holds. openSNP started in 2011, providing a platform for people to upload genetic and phenotype data to use in research and education. The site's co-founder, Bastian Greshake Tzovaras, writes that "sunsetting openSNP - along with deleting the data stored within it - feels like it is the most responsible act of stewardship for these data today." Tzovaras cites 23andMe's bankruptcy filing as the 'proximate reason' for the dissolution of the project and notes that "there's also the aspect that more and more people worry about how their data will be used now, compared to 14 years ago, which is the ultimate reason."
Editor's Notes
While the altruistic goals of openSNP to support research are laudable, in today's threat climate where genetic data is not always used as envisioned, this sharing model is insufficient to protect this data.
GitHub Makes Changes to Protect Secrets
Last year, more than 39 million secrets were found by GitHub's secret scanning service. In response GitHub is adding features to the newest version of GitHub Advanced Security Platform to bolster protection for secrets, including standalone secret protection and code security; free organization-wide secret risk assessment; push protection with delegated bypass controls; copilot-powered secret detection; and improved detection via cloud provider partnerships.
Editor's Notes
If you're still storing secrets in your repositories and you're an enterprise customer, look at GitHub's Secret Protection and Code Security products. Secret Protection is free for public repositories. Even so, minimize the secrets you're storing, so they aren't there to protect or discover in the first place.
Cybersecurity Advisory: Fast Flux is a National Security Threat
Cybersecurity agencies in Australia, Canada, New Zealand, and the US have published a joint cybersecurity advisory "to warn about how cyber actors are using a technique called fast flux to conceal their activities by rapidly changing the IP address associated with a domain name." The advisory incudes technical details about Fast Flux operations, detection techniques, and suggested mitigations.
Editor's Notes
- Slide 1 of 3
The attacks are coming from legitimate Cloud Service Providers, resulting in this traffic being blended with legitimate traffic, making it nearly impossible to detect. This is a place Protective DNS (PDNS) will shine. Make sure that you're leveraging your threat feeds to identify and block flux domains, look for DNS records with really low TTL values, and implement alerts for network or DNS activity related to fast flux patterns.
- Slide 2 of 3
It feels like this advisory comes about 15 to 20 years late. I always consider fast-flux the first 'cloud' as it preceded most cloud providers but established many ideas around what later became a large industry.
- Slide 3 of 3
Fast Flux IP Addressing is nothing new or novel. It is important to note that many parts of IT have been using it for web scraping for years.
Slide 1 of 0- Slide 1 of 3
UK's Cyber Security and Resilience Bill
The UK's Secretary of State for Science, Innovation and Technology Peter Kyle has published a Policy Statement detailing elements of the Cyber Security and Resilience Bill that will be introduced in Parliament later this year. The bill as currently envisioned rests on three pillars: increasing the types of entities the bill will cover; giving regulators increased powers of enforcement; and allowing the government to make changes to regulations quickly to "ensure the regulatory framework is adaptable to emerging threats."
Editor's Notes
The key quote from Peter John Kyle, UK Secretary of State for Science, Innovation and Technology is "Resilience is not improving at the rate necessary to keep pace with the threat and this can have serious real-world impacts." When lives are at risk, regulatory and criminal sanctions have to be part of the mix. One key issue: I'd like to see more focus on forcing faster adoption of phishing-resistant Multi-Factor Authentication; it is long past time for reusable passwords to be treated like lead in gasoline or red dye #2 in foods.
EU Security Strategy Includes PQC But Suggests E2EE Backdoors
The EU's European Commission (EC) has announced their presentation of a new European Internal Security Strategy dubbed "ProtectEU," including an increased focus on cyber and hybrid threats. Among many listed objectives are a number of cybersecurity goals including: "[Creating] a Roadmap on lawful and effective access to data for law enforcement ... [creating] a Technology Roadmap on encryption, and an impact assessment with a view to updating the EU's data retention rules ... implement[ing] the CER and NIS2 Directives ... [and introducing] a new Cybersecurity Act, and new measures to secure cloud and telecom services and developing technological sovereignty," as well as prioritizing intelligence and information exchange within the EU and with trusted countries. The EC's goals echo recent efforts by the UK and Sweden to legislate government access to encrypted data.
Editor's Notes
The EU's European Commission (EC) has announced their presentation of a new European Internal Security Strategy dubbed "ProtectEU," including an increased focus on cyber and hybrid threats. Among many listed objectives are a number of cybersecurity goals including: "[Creating] a Roadmap on lawful and effective access to data for law enforcement ... [creating] a Technology Roadmap on encryption, and an impact assessment with a view to updating the EU's data retention rules ... implement[ing] the CER and NIS2 Directives ... [and introducing] a new Cybersecurity Act, and new measures to secure cloud and telecom services and developing technological sovereignty," as well as prioritizing intelligence and information exchange within the EU and with trusted countries. The EC's goals echo recent efforts by the UK and Sweden to legislate government access to encrypted data.
Canon Printer Drivers Have Critical RCE Flaw
Canon has published a security advisory disclosing a critical vulnerability in drivers for "production printers, office/small office multifunction printers and laser printers." CVE-2025-1268, CVSS score 9.4, would allow an attacker to prevent printing and possibly execute arbitrary code when the print is processed by a malicious application, due to an out-of-bounds vulnerability in the EMF Recode processing of Generic Plus PCL6, UFR II, LIPS4, LIPSLX, and PS Printer Drivers V3.12 and earlier. Canon advises customers to install the latest drivers from "websites of your local Canon sales representatives."
Editor's Notes
- Slide 1 of 2
Organizations in general are slow to update their printer drivers, especially small office/home offices. It remains to be seen if this RCE vulnerability gets weaponized and causes mischief.
- Slide 2 of 2
Printers are appliances. While they have many features and capabilities, they are essentially single purpose devices. They should be easier to secure than general purpose computers except that so many implementations begin with a general purpose operating system. They are so vulnerable to mischief that nice people do not expose them to the Internet.
Slide 1 of 0- Slide 1 of 2
Internet Storm Center Tech Corner
SANS Internet Storm Center StormCast Friday, April 4, 2025
URL Frequency Analysis; Ivanti Flaw Exploited; WinRAR MotW Vuln; Tax filing scams; Oracle Breach Update
https://isc.sans.edu/podcastdetail/9394
Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis, and training the model with honeypot data as well as log data from legitimate websites allows for a fairly simple and reliable triage of web server logs to identify possible malicious activity.
Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant now published a blog disclosing that the vulnerability was exploited as soon as mid-March
WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the ÒMark of the WebÓ correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334
Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of commonly deployed scams that they are observing related to income tax filings
Oracle Breach Update
SANS Internet Storm Center StormCast Thursday, April 3, 2025
Juniper Password Scans; Hacking Call Records; End to End Encrypted GMail
https://isc.sans.edu/podcastdetail/9392
Surge in Scans for Juniper 't128' Default User
Last week, we detected a significant surge in ssh scans for the username Òt128Ó. This user is used by JuniperÕs Session Smart Routing, a product they acquired from Ò128 TechnologiesÓ which is the reason for the somewhat unusual username.
https://isc.sans.edu/diary/Surge+in+Scans+for+Juniper+t128+Default+User/31824
Vulnerable Verizon API Allowed for Access to Call Logs
An API Verizon offered to users of its call filtering application suffered from an authentication bypass vulnerability allowing users to access any Verizon userÕs call history. While using a JWT to authenticate the user, the phone number used to retrieve the call history logs was passed in a not-authenticated header.
https://evanconnelly.github.io/post/hacking-call-records/
Google Offering End-to-End Encryption to Gmail Business Users
Google will add an end-to-end encryption feature to commercial Gmail users. However, for non Gmail users to read the emails they first must click on a link and log in to Google.
SANS Internet Storm Center StormCast Wednesday, April 2, 2025
Apple Updates Everything; VMWare Workstation Update Check Broken; NIM Postgres Vulnerability
https://isc.sans.edu/podcastdetail/9390
Apple Patches Everything
Apple released updates for all of its operating systems. Most were released on Monday with WatchOS patches released today on Tuesday. Two already exploited vulnerabilities, which were already patched in the latest iOS and macOS versions, are now patched for older operating systems as well. A total of 145 vulnerabilities were patched.
https://isc.sans.edu/diary/Apple+Patches+Everything+March+31st+2025+Edition/31816
VMWare Workstation and Fusion update check broken
VMWare's automatic update check in its Workstation and Fusion products is currently broken due to a redirect added as part of the Broadcom transition.
NIM Postgres Vulnerability
NIM Developers using prepared statements to send SQL queries to Postgres may expose themselves to a SQL injection vulnerability. NIMÕs Postgres library does not appear to use actual prepared statements; instead, it assembles the code and the user data as a string and passes them on to the database. This may lead to a SQL injection vulnerability.