SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
New Microsoft Accounts are Passwordless by Default
One year after year Microsoft began offering passkey support for consumer accounts, the company has announced that all new Microsoft accounts will be passwordless by default. The move is intended to protect customers' credentials from stuffing, brute force, and phishing attacks. Current Microsoft customers who have not yet adopted passkeys will be encouraged to do so when they sign into their accounts. Other companies, including Apple and Google, are also developing passkey support under the aegis of the Fast Identity Online (FIDO) Alliance.
Editor's Notes
- Slide 1 of 5
The good news is you will be using passkeys with your Microsoft account and you can start setting passkeys on your Microsoft accounts today, and they will default to the strongest authentication option available. The bad news is you have to use Microsoft Authenticator, as Google Authenticator, Authy and similar apps are incompatible with their system, if you want to ditch your reusable password, which we should do, so authentication can't fall back to this option.
- Slide 2 of 5
We need more moves to strong authentication as default by the big consumer IT vendors and platforms. That does not eliminate all risk, but it raises the bar tremendously and allows IT security resources to focus on the remaining risk paths.
- Slide 3 of 5
Passkeys by default for new users is actually easier than transitioning existing users, and is a good practice.
- Slide 4 of 5
MSFT slowly but surely pushing the industry forward to see the end of passwords. I mean we've only been talking about the end of passwords for a decade or more. The tie-in with the FIDO WebAuthn standard is a plus if they don't force users to install their authenticator.
- Slide 5 of 5
Let's go passwordless. This does not mean you are always safe. It's just that we should make it harder!
Slide 1 of 0- Slide 1 of 5
Other Microsoft Changes: Deprecating Password Management in Authenticator and Saying Goodbye to Skype
Microsoft has announced that the password manager feature of the Authenticator App will be phased out over the next few months, with the goal of users moving to Microsoft Edge for password management. Starting in June, users will not be able to save new passwords to Authenticator; in July, autofill will become unavailable, and in August, passwords saved in Authenticator will no longer be accessible. Authenticator will continue to support passkeys and multi-factor authentication. As of Monday, May 5, 2025, Microsoft has shut down their Skype video and messaging service. Skype debuted in 2003 and was acquired by Microsoft in 2011. Microsoft announced Skype's farewell in February of this year; Skype users are urged to migrate to Microsoft Teams.
Editor's Notes
- Slide 1 of 3Neely; NB May 6, 2025; Other Microsoft Changes: Deprecating Password Management in Authenticator and Saying Goodbye to Skype
Move your passwords stored in the MS Authenticator app to another password store. You should have migrated from Skype to an alternate, such as Teams, by now. Make sure you've set clear directions for the migration targets to avoid having "one of everything" with corresponding support and security confusion.
- Slide 2 of 3Frost; NB May 6, 2025; Other Microsoft Changes: Deprecating Password Management in Authenticator and Saying Goodbye to Skype
Deprecating a password manager is a bad move. Moving people over to the Edge system is a definitive lock-in system. I think it would be best if there were a non-Edge option. Apple has gone the other way, allowing the vault to be more integrated into the operating system. I don't think this is a good move. Also, bye Skype. You were a relic from the days of Kazaa, That's all that needs to be said.
- Slide 3 of 3Dukes; NB May 6, 2025; Other Microsoft Changes: Deprecating Password Management in Authenticator and Saying Goodbye to Skype
One gets the sense that MSFT is serious about killing off passwords and moving folks to passkeys. What isn't so nice is locking them into using MSFT products. And yes, farewell Skype, you were a killer app back in the day.
Slide 1 of 0- Slide 1 of 3
Supply Chain Attack Lay Dormant on eCommerce Sites for Six Years
Researchers from Sansec have discovered a supply chain attack that targeted multiple vendors of e-commerce software. In all, Sansec found 21 Magento extensions infected with the same malware; Sansec estimates that the malware has infected between 500 and 1,000 online merchants. While the software was infected six years ago, it was activated only last month. The malware executes in site visitors' browsers, and it is capable of stealing payment card data and other sensitive information. Sansec recommends that all e-commerce sites running software from the affected vendors - Tigren, Magesolution (MGS), and Meetanshi, all of which are based on Magento Ð check for a fake license that they name in their report.
Editor's Notes
- Slide 1 of 2Neely; NB May 6, 2025; Supply Chain Attack Lay Dormant on eCommerce Sites for Six Years
This is tricky as you're looking at an ecommerce package bundled on top of Adobe Commerce/Magento to include the card skimming malware, so you're dependent on the provider of the package, not Adobe, to provide the update, and the vendors have not yet announced updated versions. You need to check for the IoCs in the Sansec report (the backdoor code is the same, but checksum, path and license filename is unique for each vendor), and if found, remove it, ideally restoring from a known good backup.
- Slide 2 of 2Murray; NB May 6, 2025; Supply Chain Attack Lay Dormant on eCommerce Sites for Six Years
It is unlikely that SolarWinds was the first supply chain attack. It is likely that such attacks are intended to be quiet, dormant, and exploited late if at all. Prior to SolarWinds at least some, not to say many, organizations in the supply chain had not even contemplated the possibility that their product might be contaminated as a means of distributing malicious content. It is difficult to assess the risk to our infrastructure, much less how to address it. However, mitigating this risk, and resisting it in the future, must go beyond caveat emptor to holding suppliers liable for distributing malicious content.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
UK Retailer Cyberattacks: Co-op Data Compromised, NCSC Says Incidents are a "Wake-up Call"
UK retailer Co-op has disclosed that a recent cyber incident affecting the company's network did compromise some customer data. The incident, which followed a disruptive attack at Marks & Spencer and another at Harrods, has prompted the UKÕs National Cyber Security Centre's (NCSC's) CEO to call the attacks "a wake-up call to all organisations." NCSC has provided guidance for organizations and strongly urges all to adhere to best practices, including the use of multi-factor authentication, increased monitoring for account misuse with particular attention paid to domain admin, enterprise admin, and cloud admin accounts, and "ensur[ing] your security operation centres can identify logins from atypical sources such as VPNs services."
Editor's Notes
Neely; NB May 6, 2025; UK Retailer Cyberattacks: Co-op Data Compromised, NCSC Says Incidents are a "Wake-up Call"NCSC's advice should be table stakes for all of us. MFA for all, privileged and otherwise, has to be foundational. Couple that with appropriate monitoring, to include impossible logins, spoofing, and other stealth techniques to identify and block malfeasance. Have a serious conversation about what types of connections you wish to disallow, then implement corresponding controls.
Raytheon and Nightwing Agree to Pay $8.4M to Settle False Claims Act Violations
US government contractors Raytheon Company, RTX Corporation, Nightwing Group LLC, and Nightwing Intelligence Solutions LLC will collectively pay $8.4 million for violations of the False Claims Act. According to the Department of Justice, "the settlement resolves allegations that Raytheon and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), failed to implement required cybersecurity controls on an internal development system that was used to perform unclassified work on certain DoD contracts. The United States alleged that Raytheon and RCSI failed to develop and implement a system security plan for the system, as required by DoD cybersecurity regulations, and failed to ensure that the system complied with other cybersecurity requirements."
Editor's Notes
- Slide 1 of 3Neely; NB May 6, 2025; Raytheon and Nightwing Agree to Pay $8.4M to Settle False Claims Act Violations
Have you ever wondered what happens if you don't create a security plan and implement controls for DoD data, as required by 800-171/800-53, let alone claim to do so when you haven't? 800-171 applies to contractor-owned systems and allows self-attestation, while 800-53 applies to government owned systems and requires authority to operate (ATO) from a federal authorizing official. CMMC 2.0 is intended to discover and address gaps such as this. The false claim came from Raytheon's former director of engineering, as a whistleblower, who will receive more than $1.5 million of the settlement.
- Slide 2 of 3Pescatore; NB May 6, 2025; Raytheon and Nightwing Agree to Pay $8.4M to Settle False Claims Act Violations
In the spirit of 'If you see something, say something,' note that this enforcement was triggered by a 'whistle-blower,' a director of engineering at Raytheon who reported the use of a non-compliant network for multiple years. This is obviously something a standard auditor 'data call' paper review should have found early on Ð Raytheon/RTX needs to fix the auditing process.
- Slide 3 of 3Dukes; NB May 6, 2025; Raytheon and Nightwing Agree to Pay $8.4M to Settle False Claims Act Violations
The money line 'requires contractors to provide adequate security,' Over the last two years, government at both the federal and state level has held organizations accountable for not implementing reasonable cybersecurity. CIS has published a 'Guide to Defining Reasonable Cybersecurity' that provides practical guidance to organizations developing a cybersecurity program that satisfies the legal standard of reasonable cybersecurity. https://www.cisecurity.org/insights/white-papers/reasonable-cybersecurity-guide
Slide 1 of 0- Slide 1 of 3
US Schools and Universities Work to Recover From Cyberattacks
The Coweta County School System in the US state of Georgia published a press release on May 4, 2025, disclosing "an apparent cyberattack" characterized as a "network intrusion" that was discovered the previous Friday, May 2, 2025. The IT department immediately took systems offline and is continuing investigation alongside security partners; the school system has notified the Georgia Emergency Management Authority and Homeland Security of the incident. While school operations continue as normal, including use of student Chromebooks, Wi-Fi, and phones, some school system network processes are disrupted, and employees are not to use desktop devices; internal network access will remain restricted during investigation and monitoring. The school system does not believe personal information was compromised. Other US public school districts have experienced cyberattacks in recent weeks, including disruption of testing at Bartlesville Public Schools in Oklahoma and data theft as a result of ransomware at Baltimore City Public Schools in Maryland. Western New Mexico University (WNMU) is also still recovering from an April 13 cybersecurity incident, posting updates and resource information to a temporary website while the main site is being restored. WNMU isolated certain systems from the internet as part of its incident response plan and protective protocols. The attack has "disrupted the availability of certain web-based programs throughout the university system," and WNMU's IT department must check all desktop and laptop computers before they can be used. Campus Wi-Fi and VPN access are not available, and there appear to be disruptions to phone systems and the tuition payment portal; the school is allowing a grace period for Spring 2025 tuition payment, and faculty are offering extensions on academic work.
Editor's Notes
- Slide 1 of 3Dukes; NB May 6, 2025; US Schools and Universities Work to Recover From Cyberattacks
K-16 institutions are, by nature, some the most difficult IT environments to secure. They have a large user base, utilize BYOD, and for the most part are resource-(fiscal and skills wise)-constrained. So, it isn't surprising that they are frequently targeted and exploited by evildoers. Understanding what controls were in place and how the network was compromised can be helpful to organizations facing the same threat.
- Slide 2 of 3Neely; NB May 6, 2025; US Schools and Universities Work to Recover From Cyberattacks
The timing is unfortunate given the proximity of the end of the term/graduation. Parents and students should make sure you're aware of access methods for your campus/schoolwork, so you know what plan B is. As an educator, beyond ensuring you have cyber hygiene and incident response capabilities, include a frank discussion about operating, including what can be offline, during an incident.
- Slide 3 of 3Pescatore; NB May 6, 2025; US Schools and Universities Work to Recover From Cyberattacks
There are many informational resources for K-12 school IT security staff to follow but the real issue is lack of staff/financial resources. If traditional federal support is cut, obviously the risk to school systems is greater. Partnerships between private industry and local schools (who educate their employees' children) will need to be explored if the federal focus on cybersecurity continues to decline.
Slide 1 of 0- Slide 1 of 3
California Man Agrees to Plead Guilty to Accessing Disney Network and Stealing Data
A California man will plead guilty to breaking into a Disney employee's computer, gaining access to the company's network, and downloading more than a terabyte of confidential information. According to the plea agreement, Ryan Mitchell Kramer will plead guilty to "one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer," both of which are felony charges. The plea agreement also provides details about how Kramer gained access to the computer: early last year, Kramer posted a program online that claimed to be an AI image generator. In fact, the program contained malware that gave Kramer access to the computers of people who downloaded it. Kramer could face up to 10 years in prison.
Editor's Notes
- Slide 1 of 2Neely; NB May 6, 2025; California Man Agrees to Plead Guilty to Accessing Disney Network and Stealing Data
The malware, an AI art generating tool, was downloaded on personal computers and accessed stored credentials for the employee's work-related slack channel. Tools like Slack/Discord/etc. are the norm in modern team communication and collaboration. Two things to follow up on here: first, make sure that work-related services, chat/email/file shares, require MFA; second, review your access control model, considering the type of data available in these services.
- Slide 2 of 2Pescatore; NB May 6, 2025; California Man Agrees to Plead Guilty to Accessing Disney Network and Stealing Data
A lot of things went wrong in this one, but the root vulnerability was an employee storing work remote access passwords on their home computers. If Disney had been using phishing-resistant MFA instead of likely relying on telling employees, 'don't store passwords on any PC,' then 99.99% probability this attack fails.
Slide 1 of 0- Slide 1 of 2
Iberian Blackout Exploited in Portuguese Airline Phishing Campaign
While the massive power outage on the Iberian peninsula on April 28 may not have been caused by a cyberattack but rather by an atmospheric phenomenon, the resulting widespread disruption was leveraged as part of a phishing campaign targeting speakers of Portuguese and Spanish. Cofense has published a blog post showing email messages sent during the blackout impersonating the Portuguese national airline TAP Air Portugal, invoking an EU regulation on air passengers' rights and offering compensation for delayed or cancelled flights through a WordPress phishing page aimed at collecting the target's name, date of birth, mailing address, email address, phone number, and credit card details. Dark Reading urges wariness of communications that relate current events to financial transactions, noting that the COVID-19 pandemic has also been leveraged before as part of opportunistic social engineering attacks.
Editor's Notes
Neely; NB May 6, 2025; Iberian Blackout Exploited in Portuguese Airline Phishing CampaignThis campaign started while the power was still out, leveraging the reaction to impacted services, in this case cancelled flights. Teaching family and users to step back and verify communication is genuine, particularly when emotions are running hot, is difficult and essential. Double check the reference used to get a legitimate POC, because typos happen.
High-Severity Vulnerabilities in MicroDicom DICOM Viewer
The US Cybersecurity and Infrastructure Security Agency has published an ICS Medical Advisory warning of two high-severity vulnerabilities affecting MicroDicom DICOM Viewer. DICOM (Digital Imaging and Communications in Medicine) is an international image format standard for storing and transmitting medical images. CVE-2025-35975 is an out-of-bounds write vulnerability that could be exploited to achieve arbitrary code execution. CVE-2025-36521 is an out-of-bounds read vulnerability that could be exploited to achieve memory corruption. The flaws affect MicroDicom DICOM Viewer versions 2025.1 (build 3321) and prior. Users are urged to update to MicroDicom DICOM Viewer version 2025.2 or later.
Editor's Notes
- Slide 1 of 2Neely; NB May 6, 2025; High-Severity Vulnerabilities in MicroDicom DICOM Viewer
Digital Imaging and Communications in Medicine (DICOM) is the standard for sharing medical imaging information and related data. The viewer is used to both view images as well as burn them onto CDs/DVDs which can be viewed without the software. The flaws require user interaction to open a specially crafted .DCM file. The fix is to update to 2025.2, then make sure that your DICOM viewer is not Internet-facing; use a VPN if remote access to the viewer is needed. Also, use caution opening .DCM files; make sure they are genuine.
- Slide 2 of 2Frost; NB May 6, 2025; High-Severity Vulnerabilities in MicroDicom DICOM Viewer
DICOM is a widely used protocol in the medical space, specifically for radiology images. MicroDICOM is a free-to-use DICOM viewer with a commercial license. This particular license is relatively inexpensive. Why was this viewer singled out? I suspect it's the availability of the product to the researchers. DICOM is a relatively unexplored protocol. I suspect servers and clients will have issues, but we lack product access. Watch these systems closely.
Slide 1 of 0- Slide 1 of 2
Internet Storm Center Tech Corner
SANS Internet Storm Center StormCast Tuesday, May 6, 2025
Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost
https://isc.sans.edu/podcastdetail/9438
Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399
The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in SamsungÕs MagicInfo 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far.
https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920
New Kali Linux Signing Key
The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that will be used going forward.
https://www.kali.org/blog/new-kali-archive-signing-key/
The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster
Many out-of-the-box Helm charts for Kubernetes applications deploy vulnerable configurations with exposed ports and no authentication
SANS Internet Storm Center StormCast Monday, May 5, 2025
Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored
https://isc.sans.edu/podcastdetail/9436
Steganography Challenge
Didier published a fun steganography challenge. A solution will be offered on Saturday.
https://isc.sans.edu/diary/Steganography+Challenge/31910
Microsoft Makes Passkeys Default Authentication Method
Microsoft is now encouraging new users to use Passkeys as the ÒdefaultÓ and only login method, further moving away from passwords
Microsoft Authenticator Autofill Changes
Microsoft will no longer support the use of Microsoft Authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August at which point you must have moved your credentials out of Microsoft Authenticator
Backdoor found in popular e-commerce components
SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point.