Twenty years ago, Alan Paller, the founder of the SANS Institute, and Mike Assante, an industry leader shaping critical infrastructure cybersecurity defense, collaborated on their vision of an event to bring together the ICS/OT community of practitioners to share information, approaches, lessons learned, and actionable information that would immediately make a difference as participants returned to work securing essential services, and from these two leaders the SANS ICS Summits were born. Over the 20 years of Summits, the event format has changed to meet attendees where they are in an ever-changing environment of regulation, threats, defense capabilities, technology innovations, and industry dynamic growth. As the summits adapted we saw increasing changes from year to year in the talks delivered, in the inclusion of immersive training courses, competitions, vendors, solution providers, and practitioner what works sessions, all the while remaining in line with the underlying mission of why the Summits were created: Help the defenders of the most critical systems that impact our lives. The 20th anniversary summit is a must-attend event with two days of topic-focused workshops led by SANS instructors covering emerging ICS/OT cybersecurity topics tuned to attendee roles and experience, as well as a full day of asset owner and operator practitioner-delivered talks. These three days of summit will inform, equip, and enable attendees with tactical and strategic actions to immediately pursue. This is not just another ICS cybersecurity conference -- for practitioners fighting the fight, this is your event.
- Tim Conway, SANS Fellow & Summit Co-Chair
https://www.sans.org/cyber-security-training-events/ics-security-summit-2025/
German enterprise software company Systemanalyse Programmentwicklung (SAP) has issued an emergency patch for a vulnerability in SAP NetWeaver Visual Composer Framework 7.50 after researchers from ReliaQuest discovered the flaw under exploitation. CVE-2025-31324, CVSS score 10.0, allows an unauthenticated agent to compromise the "confidentiality, integrity, and availability" of a system by uploading malicious executable binaries, due to a missing authorization check in the SAP NetWeaver Visual Composer Metadata Uploader component. While SAP has made statements disputing successful exploitation, Onapsis and watchTowr have also confirmed active exploitation, observing attackers using the vulnerability to drop web shell backdoors onto vulnerable systems. SAP's April 2025 "Patch Day" update release does not include the fix for CVE-2025-31324, so users must apply the separately released update, or, if updates are not possible, take mitigation measures: disable Visual Composer, disable the application alias "developmentserver," forward SAP NetWeaver logs to a centralized system, and review for suspicious files. ReliaQuest notes "SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers."
Attackers target SAP NetWeaver systems leveraging JSP webshells for unauthorized file uploads and execution. The patch from SAP was released on April 24th. With a CVSS score of 10.0, and an out-of-band patch (SAP releases patches on the second Tuesday of the month), avoid the meeting and apply the patch. Also, make sure Visual Composer is disabled, it was deprecated in 2015; confirm the application alias "developmentserver" is disabled and your development server access is restricted; then hunt for the IOCs provided by ReliaQuest.
This SAP issue has spread like wildfire online. I haven't seen any stories of widespread exploitation, but this could be a similar issue to the one we saw with other edge systems like MoveIT. SAP is installed in some of the largest companies in the world, and as such, it can be a big target. This particular exploit is nasty as it is an unauthenticated file upload vulnerability. It has been weaponized easily as the building blocks are mostly there, with the only knowledge you need to understand being how to make a Java WebShell and recall it. No one has said publicly that they have been hit with this exploit as part of a larger intrusion, but we are still in the early days. The biggest challenge with this is that the patch is not part of the larger collection of monthly patches by SAP, which means administrators may not know that they are missing a critical patch. This one may have some legs.
Back in 2016 SAP issued fixes for several missing authorization checks in their software. I think that flaw has been on the OWASP Top Ten even before that. SAP owes customers an explanation on how this type of defect remained in production software.
It's a 10, if you're running the visual composer framework, patch now. Nothing more needs to be said.
If you are an SAP customer, you know who you are, and this is a priority patch.
ReliaQuest
CyberScoop
The Hacker News
BleepingComputer
BleepingComputer
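The log review recommended in the item above can be sketched as follows. This is an added example, not code from SAP, ReliaQuest or the newsletter; it assumes logs forwarded in Common Log Format and that the "developmentserver" alias appears as a URL path prefix, and the sample lines, paths and finding names are constructed.

```python
import re

# Application alias named in the advisory; treating it as a URL path prefix is an assumption.
ALIAS_PREFIX = "/developmentserver/"

# Assumption: logs are forwarded in Common Log Format; adapt the regex to your own format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (documentation IP ranges, made-up paths), not real log data.
SAMPLE_LOG = """\
192.0.2.10 - jdoe [25/Apr/2025:09:58:01 +0000] "GET /portal/index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [25/Apr/2025:10:01:12 +0000] "GET /developmentserver/example-endpoint HTTP/1.1" 200 311
198.51.100.7 - - [25/Apr/2025:10:01:15 +0000] "POST /developmentserver/example-endpoint HTTP/1.1" 200 87
198.51.100.7 - - [25/Apr/2025:10:01:20 +0000] "GET /portal/a1b2c3.jsp HTTP/1.1" 200 14
192.0.2.10 - jdoe [25/Apr/2025:10:02:00 +0000] "GET /portal/index.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [25/Apr/2025:10:05:44 +0000] "POST /developmentserver/example-endpoint HTTP/1.1" 404 0
"""


def hunt(log_text):
    """Return (finding, client_ip, path) tuples in log order."""
    findings = []
    baseline_jsp = set()   # .jsp paths served before any upload through the alias
    upload_seen = False
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue       # unparsed lines are skipped, not treated as clean
        path = m["path"].split("?", 1)[0].lower()
        ok = int(m["status"]) < 400
        if path.startswith(ALIAS_PREFIX):
            if not ok:
                finding = "alias-request-rejected"   # mitigation appears to hold
            elif m["method"] in ("POST", "PUT") and m["user"] == "-":
                finding = "unauthenticated-upload"
                upload_seen = True
            else:
                finding = "alias-still-reachable"
            findings.append((finding, m["ip"], path))
        elif path.endswith(".jsp") and ok:
            if not upload_seen:
                baseline_jsp.add(path)
            elif path not in baseline_jsp:
                # A JSP first served only after an upload deserves a file-level review.
                findings.append(("new-jsp-after-upload", m["ip"], path))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

Any "alias-still-reachable" or "unauthenticated-upload" finding means the alias has not been disabled on that host.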
In a forthcoming paper, researchers from Austria's Graz University of Technology demonstrate three means of bypassing mobile devices' USB security meant to defend against a malicious charger connection, successfully accessing files or achieving code execution on iOS and Android devices from eight major vendors, with two cases even allowing file extraction from locked devices. Dubbed "choicejacking" -- after Brian Krebs's 2011 coined term "juicejacking" for malicious USB charger attacks -- the researchers' attack techniques are effective against the standard juicejacking mitigation of requiring user consent to establish a data connection. The paper states that the researchers' presentation of multiple attack techniques "intends to provoke a more wholistic way of thinking about dual-role USB and connectivity adversaries in mobile platforms." The researchers suggest existing mitigations such as USB data blockers, user authentication for critical security functions, and lockdown mode, and they urge the creation of consent prompts for USB and accessory input devices, stating that "default trust in USB input devices and accessories needs to be cut." Devices running Android 15 and later and iOS/iPadOS 18.4 and later include updated confirmation dialogs requiring additional authentication. Dan Goodin of Ars Technica notes that there have been no documented cases of juicejacking nor choicejacking in the wild.
The simplest mitigation is not to use/allow unknown USB connections. Which can be really tempting in a rental car, airplane or hotel. Back that up by making sure you're running the latest OS, e.g., Android 15 or iOS 18.4, to ensure you have current protections from attacks. USB data blockers are still a thing and reduce the risk by only allowing the power leads for under $10. Your mobile fleet, regardless of ownership, is a critical platform. Set enforceable minimum hardware, software and security standards.
Seems like this one was simple for Apple and Google to fix, at least to add user prompting when a charging outlet pretends to be a peripheral. But it points out both did incomplete threat modeling on the original USB threat. I can't resist an old Saturday Night Live analogy: it is kinda like opening the door after you ask, "Who's there?" and the LandShark responds, "Candygram."
Battery life has improved to the point that we no longer spend our lives planning our next power fix. However, it remains good practice to always use one's own cable and power supply.
The governments of Spain and Portugal have declared states of emergency following a massive power outage affecting the Iberian peninsula on Monday, April 28. While there is no clear answer as to what caused the outage in Spain, Portugal, and parts of France, former Portuguese Prime Minister and current European Council president Pedro Sanchez said there is no indication that it was due to a cyberattack. Power is returning in some of the affected areas. The outage disrupted train, metro, and airport services; hospitals have been relying on emergency generators.
Keep in mind that, under the best of circumstances, in order to balance load and source, restoration takes time. Also, grids are designed to shut down in an orderly non-destructive way. That they have already restored some service and have said that they would restore in hours, rather than days, is evidence that the shut-down was orderly. Orderly shutdowns are usually in response to multiple simultaneous component failures, beyond the ability of the grid to compensate, and/or a load imbalance. They are planned, normal, and inevitable. Incidentally, in the northeastern US, the mean time between such events has been about twenty years. The last one was in 2003. Restoration to the 90% service level took about 72 hours. While most enterprises can survive such a short term general outage, others should consider back-up generators and UPS systems.
By the time you're reading this, the services are restored, albeit backlogs are still being cleared and travelers rescheduled. The outage was triggered when Spain lost 15GW of power in just five seconds. Portugal has called for an independent audit from the EU's Agency for the Cooperation of Energy Regulators to determine the root cause of the outage. It will be interesting to see what mitigations are possible, as it's likely safety/isolation systems were triggered by that 15GW dip.
While this incident demonstrates the huge dependency our modern world has on a stable electricity supply it was disappointing to see the number of claims that a possible cause was a cyberattack without any data or evidence to support that speculation. As an industry we need to stop using FUD (Fear Uncertainty and Doubt) as a way to raise the importance of cybersecurity.
It does bring up the question, what critical infrastructure would have the most impact on people? Many would say water. Water loss is dire to human existence, but attacks would be highly localized. My top two are power and financial. With financial, don't put all your eggs in digital currency; keep some Benjamins in the purse for barter. Power, especially with the dependency on a shared grid, can cause chaos for a prolonged time and can impact large numbers of people.
On April 25, 2025, UK retailer Marks & Spencer (M&S) posted a further update on the cyber incident reported April 22, 2025. The company states that in addition to the suspension of "Click & Collect" orders and contactless payments, they have now "made the decision to pause taking orders via [the] M&S.com websites and apps," though the website remains up for browsing, and stores remain open. The company is continuing to investigate and restore online and app shopping, and will notify customers if any action is required on their part. Additionally, about 200 agency-employed M&S employees at the Castle Donington clothing and homewares logistics centre have had their work shifts cancelled. The nature and full scope of the incident have not been disclosed.
M&S has been keeping their site updated, under Press Releases. These updates are focused on customer impacts, so check before attempting online shopping. While they are working to minimize store operations impacts, they have about 1400+ stores, with over 1000 in the UK, it'd be a good idea to check online before heading to your local store.
Marks & Spencer
The Record
The Record
The Register
BleepingComputer
Johannesburg-based telecommunications company MTN Group disclosed "a cybersecurity incident that resulted in unauthorised access to personal information of some MTN customers in certain markets." MTN says their billing and financial infrastructure appears to be unaffected. The company has reported the incident to law enforcement and is supporting their investigations. MTN has approximately 288 million customers in more than 20 countries.
South African telecom continues to be a target; last year Cell C was compromised, as were many other critical infrastructure providers. If you're a critical infrastructure provider, make sure you are not only ready to repel boarders, but also to respond in the event of a breach, to include verifying who you're going to call for help. MTN will be notifying affected customers as the investigation continues. In the interim, they have published a status page with good advice for customers to secure their identity and accounts.
This appears to be an attack against one of the largest telcos in the world, let alone on the African continent. This company makes a relatively large amount of revenue in Nigeria. A cyberattack on them could compromise a reasonably large number of individuals. For those in the US that may not be familiar with this, Telcos in this area also serve as banks, so this is both a telecom issue, like we have had potentially with T-Mobile and ATT in the US, and a FinTech issue, something to watch for sure.
MTN
The Record
Business Insider
SecurityWeek
Bleeping Computer
Houston-based employee benefits administrator VeriSource Services has begun notifying four million individuals that their personal information was compromised in a February 2024 breach. In an August 2024 filing with the US Department of Health and Human Services Office for Civil Rights (HHS OCR) VeriSource said the incident affected about 112,000 individuals; in a notification filed earlier this month with the Maine Attorney general, the number of affected individuals was listed as four million. VeriSource said it took them until the middle of April to determine who was affected by the breach.
A full year has passed since the data breach. At least six months have passed since HHS notification of the data breach. Finally, victims are being notified of loss of PII. Obligatory apology notice: we take security seriously; it's a top priority; working with law enforcement; free credit monitoring services for 12 months. What's wrong with this picture?
In the wake of a cyber incident that rendered servers unresponsive, the city of Abilene, Texas, has temporarily suspended Texas State Public Information Act requirements, which "requires government bodies to release information in response to formal requests." Texas state statute allows a suspension of these requirements in the event of a catastrophe, which is defined as "fire, flood, earthquake, hurricane, tornado, or wind, rain, or snow storm; power failure, transportation failure, or interruption of communication facilities; epidemic; or riot, civil disturbance, enemy attack, or other actual or threatened act of lawlessness or violence."
The actions allow the city to hang out the proverbial "out to lunch" sign while they recover from the incident. Something to consider when working on your incident response plan: what services should be suspended during system recovery? Consider services which could be added distractions or otherwise hamper recovery; then find out what steps, such as public notification, are needed and add them to your plan.
Threat actors are targeting WooCommerce users in a phishing campaign that uses a phony patch as bait. The security alert arrives as an email urging the users to download a patch for a critical unauthenticated administrative access vulnerability. The message exhorts users to visit a malicious site that is disguised as the WooCommerce website using an internationalized domain name (IDN) homograph attack, which uses characters from other alphabets to appear legitimate. If users download the patch as instructed, the malicious website instead downloads malware that allows the attackers to take control of the user's site.
Yay, here's a patch for your WooCommerce plugin, boo, it's a link to malware! Make sure that you're not only downloading updates from their official source, but also validating their signature; your automated updates do that, so use the WordPress UI to perform the update not the emailed link. Also, when being alerted about security issues/updates/scan results, verify they are legitimate, to include reporting of suspect messages.
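A mail gateway or triage script can catch the IDN homograph trick described in this item by decoding punycode labels and folding look-alike characters before comparing the link's host with the domains it expects. The following is an added example, not code from WooCommerce or the newsletter; the allow-list, the small look-alike table and the sample links are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"woocommerce.com"}  # assumption: domains you expect updates from

# Small constructed look-alike table (Cyrillic/Greek letters that render like Latin).
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u03bf": "o"}

LOOKALIKE = "w\u043e\u043ecommerce.com"  # constructed sample: two Cyrillic 'o' (U+043E)
SAMPLE_LINKS = [
    "https://woocommerce.com/document/",
    "https://" + LOOKALIKE + "/patch.zip",
    "https://" + LOOKALIKE.encode("idna").decode("ascii") + "/patch.zip",  # xn-- form
    "https://example.org/",
]


def to_unicode(host):
    """Decode punycode (xn--) labels so the check sees what the user sees."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # malformed label: keep the raw form, it will not match
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold look-alikes and strip accents to approximate what the eye reads."""
    out = []
    for ch in host:
        ch = CONFUSABLE.get(ch, ch)
        decomposed = unicodedata.normalize("NFKD", ch)  # accented letter -> base + mark
        out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    return "".join(out)


def classify(url):
    shown = to_unicode(urlsplit(url).hostname or "")
    result = {"host": shown, "verdict": "untrusted", "imitates": None,
              "mixed_script": any(len(scripts(l)) > 1 for l in shown.split("."))}
    if any(shown == d or shown.endswith("." + d) for d in TRUSTED):
        result["verdict"] = "trusted"
        return result
    folded = skeleton(shown)
    for domain in sorted(TRUSTED):
        if folded == domain or folded.endswith("." + domain):
            result["verdict"], result["imitates"] = "homograph", domain
            return result
    if result["mixed_script"] or not shown.isascii():
        result["verdict"] = "suspicious"
    return result


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, classify(link))
```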
The lesson here, besides crime doesn't pay, is that employee removal processes must be closely coordinated between HR, Legal, and IT staffs. The IT staff should lock out all account access, including third party software, ideally upon employee removal, and monitor those accounts for a period. Unfortunately, this is a lesson we get to learn far too often.
Justice
The Register
USA Today
Internet Storm Center StormCast Tuesday, April 29, 2025
SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC
https://isc.sans.edu/podcastdetail/9428
SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from the Windows System Resource Usage Monitor (SRUM). This database logs how many resources software used for 30 days, and is invaluable for finding out what software was executed, when, and whether it sent or received network data.
https://isc.sans.edu/diary/SRUMDUMP+Version+3+Uncovering+Malware+Activity+in+Forensics/31896
Novel Universal Bypass For All Major LLMs
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models.
The technique uses an XML formatted prequel for a prompt, which appears to the LLM as a policy file. This Policy Puppetry can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this technique works across multiple LLMs without changing the policy.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/
CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf
SANS @RSA: https://www.sans.org/mlp/rsac/
Internet Storm Center StormCast Monday, April 28, 2025
Image Steganography; SAP NetWeaver Exploited; Any.Run Reports False Positive Uploads
https://isc.sans.edu/podcastdetail/9426
Example of a Payload Delivered Through Steganography
Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary.
https://isc.sans.edu/diary/Example+of+a+Payload+Delivered+Through+Steganography/31892
https://isc.sans.edu/diary/Steganography+Analysis+With+pngdumppy/31894/
SAP NetWeaver Exploited CVE-2025-31324
An arbitrary file upload vulnerability in SAP's NetWeaver product is actively exploited to upload webshells. ReliaQuest discovered the issue and reports that they saw it being abused to upload the Brute Ratel C2 framework. Users of NetWeaver must turn off the development server alias and disable Visual Composer; the application has been deprecated for about 10 years. SAP has released an emergency update for the issue.
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
Any.Run Reports False Positive Uploads
Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run's free tier uploaded confidential documents to Any.Run. Any.Run blocked these uploads for now but reminded users to be cautious about what documents are being uploaded.