SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
UK Tribunal Will Not Conceal Apple's Appeal of E2EE Backdoor TCN
On April 7, 2025, the UK's Investigatory Powers Tribunal (IPT) publicly released the judgment from its closed-door hearing held March 14, 2025, dismissing the Secretary of State's application for ongoing secrecy in the case of Apple's appeal of a Technical Capability Notice (TCN) demanding government access to users' end-to-end-encrypted (E2EE) data. The court "[does] not accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security," and notes "it may well be possible for some or all future hearings to incorporate a public element, with or without reporting restrictions." The judgment also notes "potential for overlap" between Apple's appeal and a recent complaint filed by Privacy International and Liberty over "[the Secretary of State's] powers to make a technical capability notice."
Editor's Notes
- Slide 1 of 2
While the UK is seeking to keep their security concerns confidential, the TCN requesting an encryption back door, and Apple's subsequent appeal are anything but. The IPT report cites a plethora of published information regarding the TCN and appeal. The best path forward is an open and honest debate about the problem the UK (and others) wish to solve and how that contrasts with the overall benefit provided by E2EE, not just from Apple but from other service providers as well, which really needs to become SOP for protecting data in transit in a world of continuous connectivity across networks of varied security.
- Slide 2 of 2
While some 'bare' details will be made publicly available, in the long run the Government will succeed in requiring AAPL to install the backdoor. It is a UK law after all. The 'ProtectEU' internal security strategy also advocates for a law enforcement backdoor via its technology roadmap on encryption.
Slide 1 of 0- Slide 1 of 2
Critical Vulnerability in Apache Parquet Java Library
A critical (CVSS score 10) deserialization of trusted data vulnerability in the avro-parquet module of Apache Parquet could lead to arbitrary code execution. The issue affects Apache Parquet versions 1.15.0 and earlier; users are urged to upgrade to version 1.15.1. Exploitation requires that the attacker convince a user to import a maliciously-crafted Parquet file.
Editor's Notes
CVE-2025-30065, deserialization of untrusted data flaw, has a CVSS score of 10.0. Take steps to rapidly upgrade to Parquet 1.15.1. There is no current evidence of a POC or exploitation, but with the press this is getting, expect that to change quickly. Next review the OWASP's deserialization cheat sheet to see if you can implement any added controls around deserialization.
University of Maryland Medical Center Sued for Negligence After Pharmacist Allegedly Installed Keyloggers on Computers and Spied on Coworkers
Six University of Maryland Medical Center (UMMC) employees have filed a class-action lawsuit against the hospital for negligence after a pharmacist allegedly used spyware to snoop on coworkers in their homes and at work and access sensitive information. Matthew Bathula allegedly placed keystroke-logging software on hundreds of UMMC computers, using the information gleaned to steal coworkers' account credentials. The activity had been going on for a decade, although the plaintiffs learned of the situation only recently after being contacted by the FBI and shown evidence of the intrusions. Employees were notified of a "serious cyber incident" in October. The plaintiffs allege the hospital should have known that Bathula was using his badge to access rooms and machines that he had no need to access. Bathula has been fired from his position at UMMC.
Editor's Notes
- Slide 1 of 3
Definitely not a success story for the integration of physical security with computer/information security. Both disciplines have to be well run because weak plus weak usually equals worse, not better, and the skill sets and processes are really very different. It sounds like both areas had serious deficiencies that were never detected - the processes used for periodic auditing need to be overhauled along with the security practices.
- Slide 2 of 3
This case says something about the state of cybersecurity on the UMMC network. First, the ability to install unauthorized software on the network. Second, accessing protected server rooms. These actions would have been flagged if proper security controls were implemented and managed. It will be difficult for the University to argue they maintained a standard of reasonableness in protecting employee and patient privacy.
- Slide 3 of 3
The keylogging software was installed on shared computers and used to capture not only UMMC credentials but also to activate and record cameras, disabling the camera light, as well as capture personal credentials. UMMC has replaced all affected computers and installed keylogger detectors. One of the lessons is to be cautious with a shared computer accessing sensitive information such as online banking. In a word: don't; you're not truly sure what is private and what is not.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
NIST to Defer Enrichment for CVEs Prior to 2018
On April 2, the US National Institute of Standards and Technology (NIST) announced that CVEs with a publish date prior to 2018 will be designated deferred, "indicat[ing] that [they] do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE's age." The deferred status will be denoted by a banner on the CVE Detail Page. NIST intends to "prioritize any CVEs that are added to the KEV regardless of status."
Editor's Notes
- Slide 1 of 3
This sounds like a reasonable choice. But I think in the long term, NIST needs to find outside help. Makers of vulnerable software have an interest in seeing accurate information provided to NIST, and they should be enlisted to help. As a first step, NIST should suggest software vendors publish their vulnerability information in a standardized format to make it easier to automatically include the provided information. This would also help others collect vulnerability data. I still feel that academia is an underused resource in providing enrichment for vulnerabilities, or at least reviewing enrichments.
- Slide 2 of 3
NIST is facing layoffs of 500 probationary employees and making a move to adjust the workload accordingly. Enrichment of current CVEs should be prioritized over older ones, though CVEs prior to 2018 represent about 34% of the total number of CVEs. While the enrichment efforts continue, reduced scope or otherwise, you need to continue your patching discipline, applying OS, browser, and layered product updates expeditiously, and incorporating appropriate scanning/monitoring to identify shortfalls and risks, leverage NIST's KEV, and reserve deep analysis for the exception, not every CVE.
- Slide 3 of 3
NIST is essentially punting on a third of existing CVEÕs. While the reason for their decision is understandable, it does put part of the vulnerability/patch/configuration management ecosystem at risk. Bottom line: every organization should already have a process in place to immediately patch/configure as software updates are released.
Slide 1 of 0- Slide 1 of 3
Update WinRAR to Fix MotW Bypass Enabling RCE
Japan's Computer Security Incident Response Team has worked with the developer of WinRAR to publish a security advisory disclosing a flaw in the file archiver software, reported originally by Shimamine Taihei of Mitsui Bussan Secure Directions through Japan's Information Technology Promotion Agency. CVE-2025-31334, CVSS score 6.8, would allow an attacker to execute arbitrary code by bypassing the Mark of the Web (MotW) security check when a symbolic link pointing to an executable file is opened. As described by WinRAR, "If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored." The vulnerability is fixed in WinRAR version 7.10. In September, 2024, Trend Micro's Zero Day Initiative observed state-affiliated threat actors exploiting a different MotW bypass in open-source archiver 7-Zip (fixed in version 24.09) to deliver malware payloads. Neither WinRAR nor 7-Zip automatically update, so users must download the patched versions.
Editor's Notes
- Slide 1 of 3
Applying the MotW to compound file formats like compressed files and disk images will continue to be challenging, in particular, as different operating systems implement this feature differently. It may also not be supported by all file systems.
- Slide 2 of 3
Verify your WinRAR and 7-Zip installations have been updated to at least 7.11 and 24.09 respectively. As this is a manual update, you may want to package the new version and push the update centrally for an expeditious resolution.
- Slide 3 of 3
I suspect this issue affects the non-US market more than the US market, specifically in the enterprise. I'm not sure how many US enterprises are using WinRAR more than, say, 7zip.
Slide 1 of 0- Slide 1 of 3
Chrome Beta Protects Browser History From Side-Channel Attacks
Chrome 136, released to the Beta channel on April 3, 2025, includes partitioning for link history, contextualizing the CSS :visited pseudo-class with additional information. This change aims to prevent attackers from exploiting :visited history to detect or "sniff" a user's browsing habits, then potentially using that information for unwanted advertiser profiling, cross-site tracking without cookies, fingerprinting, targeting by phishing campaigns, and other privacy violations. Side-channel attacks abusing :visited to steal users' browser history have been observed for over 20 years. As described by Lukasz Olejnik, "Instead of maintaining a global list, web browsers will store visited links with a triple-key partition," including the link's destination URL, the top-level domain of the browsing context site, and the link's frame origin.
Editor's Notes
- Slide 1 of 3
The CSS pseudo-class :visited allows sites to capture browsing habits for advertisers, cross-site tracking, phishing and social engineering as well as enhanced fingerprinting of users based on behavior. The partitioning in Chrome 136, will only allow the detection of visited sites which have been clicked on from the site you're on.
- Slide 2 of 3
There was a story a few months ago about a group that created polymorphic browser extensions that leveraged a feature that allowed you to fingerprint what extensions you had based on certain features like this. This enables more than just advertisers to figure out what you have and potentially what you are looking for. It's great that we see this protection in the base product.
- Slide 3 of 3
Maybe it is just the old cynic in me, but anytime I read phrases like "to detect or 'sniff' a user's browsing habits," it is not criminals exploiting the technology that jumps to mind but online advertising companies. When our privacy is being threatened by criminals and legitimate businesses you know that "privacy by design" and "privacy by default" are not the principles most of our technology is build on.
Slide 1 of 0- Slide 1 of 3
Port of Seattle Begins Notifying 90,000 People Their Information was Compromised in August 2024 Cyberattack
The Port of Seattle (Washington) has begun sending notification letters to 90,000 people whose personal data were compromised in an August 2024 cyberattack that affected "the Port, including Seattle-Tacoma International Airport (SEA) and maritime facilities." The threat actors downloaded information from systems used for employee, contractor, and parking data. The incident temporarily disrupted operations, forcing the airport to use dry-erase boards to post flight and baggage information. The Port of Seattle says the incident did not affect travel safety.
Editor's Notes
- Slide 1 of 2
The Rhysida ransomware gang is taking credit for this attack and the Port refused to pay any ransom demand. Data exfiltrated included names, DOB, SSNs, driverÕs license and other government ID numbers, as well as medical information, which was initially put up for auction by the gang, later some was released for free. The data doesn't appear to have any payment or traveler related information. The Port is providing affected individuals with one year of free credit monitoring/ID theft services. Time to verify your monitoring services have current information, credit is locked, and notifications are properly configured/working.
- Slide 2 of 2
Nearly nine months later the investigation concludes, and we formally learn what was lost in the ransomware attack. The good news is that the victims will get one year of credit monitoring and identity protection services. Hopefully in the intervening nine months the Port of Seattle has implemented the recommendations found in the 'Blueprint for Ransomware Defense' guide.
Slide 1 of 0- Slide 1 of 2
Australian Employee Pension Fund Accounts Targeted in Multiple Attacks
The Association of Superannuation Funds of Australia (ASFA) has released a statement regarding attempted breaches of pension accounts across the country. The brute force credential stuffing attacks have recently been targeting employee investment fund accounts. While most of the attacks did not succeed, some did manage to steal funds from various accounts. One of the funds said that the attackers were able to access the accounts using stolen passwords. The funds are contacting members affected by the incidents.
Editor's Notes
- Slide 1 of 2
Passwords continue to be the weak link in the chain. We need to help users change compromised passwords and use MFA, preferably not SMS or email based 2FA. Help users by both providing strong MFA and enabling notifications of password compromise. I've run across a mindset that a weak password coupled with a second factor is ok; correcting that mindset may be a hard sell, and needs to be incorporated in your UAT program.
- Slide 2 of 2
Reminder for the rest of us: Strong authentication is both essential and efficient.
Slide 1 of 0- Slide 1 of 2
WK Kellogg Discloses Breach of Cleo Server
Food manufacturer WK Kellogg has disclosed a data breach that occurred on December 7, 2024 and was discovered on February 27, 2025, in which an "unauthorized person" accessed servers hosted by Cleo "used for transferring employee files to WK Kellogg human resources service vendors." Because the files on the breached server contained the name and Social Security number of one resident of Maine, WK Kellogg was required to inform state regulators of the breach and mail a notification letter to the affected resident, offering credit monitoring and identity protection. The Maine attorney general's office does not list the total number of persons estimated to be affected by the attack. WK Kellog states that all its vendors must "use appropriate security measures," and has worked with Cleo "to identify the measures it has taken to address this incident."
Editor's Notes
Cleo is a file transfer utility that was targeted by the Clop ransomware gang at the end of 2024 and WK Kellogg is the latest identified victim of this attack. If you're using file transfer utilities, take a lead from WK Kellogg and have an in depth conversation about their security and mitigations. Make sure that you've implemented all the best practices, to include making sure that your solution is appropriate with today's targeting of file transfer services to capture sensitive data or disrupt operations.
Internet Storm Center Tech Corner
SANS Internet Storm Center StormCast Tuesday, April 8, 2025
XORsearch: Searching With Regexes; MCP Security Notification: Tool Poisoning Attacks; Making :visited more private
https://isc.sans.edu/podcastdetail/9398
XORsearch: Searching With Regexes
Didier explains a workaround to use his tool XORsearch to search for regular expressions instead of simple strings.
https://isc.sans.edu/diary/XORsearch+Searching+With+Regexes/31834
MCP Security Notification: Tool Poisoning Attacks
Invariant labs summarized a critical weakness in the Model Context Protocol (MCP) that allows for "Tool Poisoning Attacks." Many major providers such as Anthropic and OpenAI, workflow automation systems like Zapier, and MCP clients like Cursor are susceptible to this attack
https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks
Making :visited more private
Google Chrome changed how links are marked as ÒvisitedÓ. This new ÒpartitioningÓ scheme was introduced to improve privacy. Instead of marking a link as ÒvisitedÓ on any page where it is displayed, it is only marked as visited if the user clicks on the link while visiting the particular site where the link is displayed.
https://developer.chrome.com/blog/visited-links
SANS Internet Storm Center StormCast Monday, April 7, 2025
New Username Report; QuickShell Vulnerability; Apache Traffic Director Request Smuggling
https://isc.sans.edu/podcastdetail/9396
New SSH Username Report
A new ssh/telnet username reports makes it easier to identify new usernames attackers are using against our telnet and ssh honeypots
https://isc.sans.edu/diary/New_SSH_Username_Report/31830
QuickShell Sharing is Caring: About an RCE Attack Chain on Quick Share
The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code.
Apache Traffic Director Request Smuggling Vulnerability