SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Telefónica Discloses Breach
Spanish multinational telecommunications firm Telefónica has disclosed a breach of their internal ticketing system. The disclosure was made following the appearance of information from Telefónica’s Jira database on a hacking forum. The system was reportedly breached using stolen employee credentials; Telefónica has reset passwords on affected accounts.
Editor's Notes
- Slide 1 of 4
In today's threat environment, implementing Multi-Factor Authentication (MFA) is now table stakes for all systems, but in particular sensitive systems, whether they are internal or external-facing. MFA should now be viewed in the same regard as seatbelts in a car, and those that don't use MFA viewed in the same way as those who don't wear seat belts
- Slide 2 of 4
Strong authentication, multi-factor and resistant to fraudulent reuse, is both essential and efficient. Well-chosen and implemented, it is more convenient than so-called strong passwords, whose convenience goes down as their strength goes up.
- Slide 3 of 4
The breach resulted in exfiltration about 2.3GB of documents, tickets and data. Make sure you're tied into credential breach notification for proactive password changing, or better still, move away from reusable passwords. As this internal Jira system was breached with compromised credentials, I would ask what other controls should have been in place to prevent external access to an internal system.
- Slide 4 of 4
Credential harvesting has been on the rise over the last couple years. It is perhaps the easiest means for an evildoer to access an organization and compromise. Multi-factor authentication (MFA) has proven to be effective in mitigating loss of passwords. It’s a best practice as part of Implementation Group 1 of the CIS Critical Security Controls.
Slide 1 of 0- Slide 1 of 4
UN Aviation Agency Data Breach
The United Nations’ (UN’s) International Civil Aviation Organization (ICAO) has acknowledged that a data breach compromised more than 42,000 recruitment-related documents. ICAO has determined that the incident affects 11,929 people who applied to the agency between April 2016 and July 2024; compromised data include names, dates of birth, email addresses, and employment history.
Editor's Notes
- Slide 1 of 4
The ICAO statement that the breach does not affect the security of airtraffic is solely based on the compromised system not being connected to any aviation systems. However, this does not consider whether the stolen data could be used to disrupt air traffic in the future. It is also unclear if this was a targeted attack or if ICAO just got caught in a threat actor vacuuming up data spilled by careless employment application systems, regardless of where the data originated.
- Slide 2 of 4
While the compromise is unfortunate, it would be helpful to understand what “…additional security measures [were implemented] to protect its systems from future attacks.” This way we all learn and can offer better protection against cyber-attacks.
- Slide 3 of 4
Deciding whether one is a likely target of choice is fundamental to choosing one's risk tolerance and security policy. Most large enterprises should assume that they are targets of choice for so-called APTs and that they must be prepared to resist resourceful and persistent attacks.
- Slide 4 of 4
This appears to be work of the Natohub threat actor, who is claiming to have released the information. ICAO is reaching out to the affected individuals directly. While it is common to have resume/CV data online, during an application or background check additional sensitive data is combined with that information, and as an individual you should be prepared in case that data gets compromised. As an employer, make sure you have contingency plans for the compromise of these systems, which are often outsourced these days, to include notification, ID monitoring/restoration for individuals as well as having your responsibilities and liabilities clearly defined. Include your legal team.
Slide 1 of 0- Slide 1 of 4
Slovakian Land Registry Suffers Cyberattack
The Office of Geodesy, Cartography and Cadastre of the Slovak Republic (UGKK), the country’s land registry, suffered a cyberattack last week. The agency’s system has been temporarily removed from the internet while restoration is underway; it is not clear how long the recovery will take. Some reports indicate that a ransom demand has been made; government officials say the agency’s data are backed up. According to Pavlina Pavlova, a cyber policy expert from Slovakia and New America Fellow, “the real estate and mortgage markets are paralyzed, property transactions are stalled, purchases delayed, and some connected public services, such as issuing parking permits in Bratislava, are rendered inaccessible.”
Editor's Notes
- Slide 1 of 2
One question executive management might well ask is "what is the expected mean time to recovery from a ransomware attack." The answer to the question would be useful in choosing between prevention and recovery.
- Slide 2 of 2
This appears to be another politically motivated attack; in this case indications are it came from the Ukraine. The bigger concern is how long it will take to restore systems. Make sure that you have clear understanding of your RTO and RPO, and that both your backups and team are sufficient (training, experience and equipment) to meet these. Be sure you've executed restorations, not just tabletops, which included running dummy transactions. You don't want to figure this out when the chips are down.
Slide 1 of 0- Slide 1 of 2
The Rest of the Week's News
Hackers Who Breached US Treasury Systems Accessed Committee on Foreign Investment in the US Office
When Chinese state-sponsored cyberthreat actors breached the US Treasury Department’s network in December, their targets included the network of the Committee on Foreign Investment in the US (CFIUS). CFIUS routinely investigated foreign investments in businesses and real estate transactions to determine whether they pose national security risks. Late last year, a new rule “significantly expand[ed CFIUS’s] ability to review certain real estate transactions by foreign persons near more than 60 military bases and installations across 30 states.”
Editor's Notes
- Slide 1 of 2
The security of any government systems, even those not essential to national security, may be essential to public trust and confidence and should be managed accordingly.
- Slide 2 of 2
There is no shortage of political wrangling around foreign investment and control of US companies and assets, which will drive a lot of high level conversations about what is behind the attack. There was also a similarly motivated attack targeting the Office of Foreign Assets Control (OFAC). The trick will be focusing on remediation and prevention of recurrence. The Treasury compromise leveraged an API key for the BeyondTrust remote support agent as well as a corresponding zero-day. Have you considered the risks of any remote support/assistance agents you have on systems, to include factoring in not only working from home but also changes relating to a zero-trust environment? Check in on that ubiquitous MFA implementation as well as your monitoring and response capabilities. Compare what information you're capturing against OMB's M-21-31 logging levels for possible gaps.
Slide 1 of 0- Slide 1 of 2
Microsoft Files Complaint Alleges Defendants are Operating an Azure Abuse Network
Microsoft has filed a complaint in US District Court in Virginia, seeking “to disrupt cybercriminals who intentionally develop tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft’s, to create offensive and harmful content.” The December 19, 2024, complaint alleges that the unnamed individuals violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influence and Corrupt Organizations Act, as well as Virginia state laws.
Editor's Notes
Given the focus on the potential for misuse and abuse of AI, one is left to wonder if the potential increase in productivity will be sufficient to justify its use.
Phony LDAP Proof-of-Concept is Being Used to Deploy Infostealer
Researchers from TrendMicro have detected a fake proof-of-concept (PoC) exploit for a known vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that is being used to install an infostealer. The code is being hosted on GitHub. The high-severity out-of-bounds read vulnerability (CVE-2024-49113) could be exploited to create denial-of-service conditions. Microsoft addressed the vulnerability in their December Patch Tuesday security release.
Editor's Notes
There are two issues. First, CVE-2024-49113, LDAP denial of service flaw, CVSS score 7.5, which needs to be patched. Second, the fake POC exploit for CVE-2024-49113, dubbed LDAPNightmare, which installs an infostealer on your system. Address the LDAP flaw by rolling the December 2024 patch bundle, which also addresses CVE-2024-49112, a remote code execution flaw. Next, get the IOCs from the TrendMicro blog post to check for LDAPNightmare activity. Make sure your exploit POC researchers are using reputable/validated sources as well as sufficiently isolated environments. Consider not only reviewing the POC code but also uploading binaries to VirusTotal before executing.
Aviatrix Controller Vulnerability
A critical OS command injection vulnerability in Aviatrix Controller is being actively exploited, according to researchers at Wiz. The vulnerability (CVE-2024-50603) “allows unauthenticated attackers to execute arbitrary commands on the system remotely.” Aviatrix recommends that users “install security patch CVE-2024-50603 - Critical Vulnerability Security Patch or update the Controller to either 7.1.4191 or 7.2.4996. Additionally, Aviatrix recommends following the Controller IP Access guidance and ensuring that the controller does not have port 443 exposed to the Internet.”
Editor's Notes
- Slide 1 of 2
CVE-2024-50603, improper handling of user parameters, has a CVSS score of 10.0. When the Aviatrix Controller is deployed to AWS, it allows privilege escalation by default. You need to take three steps here. First, upgrade to the latest version; second, restrict access to the controller regardless of how implemented; and lastly, forensicate your environment looking for the IOCs in the Wiz blog.
- Slide 2 of 2
Given that exploit code has existed for a week and that the controller operates with elevated privileges makes this a must patch immediately.
Slide 1 of 0- Slide 1 of 2
Card Skimmer Malware Targets WordPress Sites
Researchers at Sucuri have identified payment card skimming malware that is being used to target WordPress websites by injecting JavaScript code into database tables. Sucuri writes that “the malicious code was embedded in the WordPress database under the wp_options table,” which allows it to evade detection by file-scanning tools and to maintain persistence on compromised sites.
Editor's Notes
This is a database compromise, where malicious code is injected into the wp_options table, which isn't where you're normally looking for issues. Beyond looking for the IoC in the table, make sure you've got an active/enabled WAF, are actively keeping plugins updated, enforcing MFA on your WordPress accounts, and lastly (this is the hard one), remove and replace deprecated/abandoned/no-longer-supported plugins.
CISA Adds Another BeyondTrust Vulnerability to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a second BeyondTrust vulnerability to their Known Exploited Vulnerabilities (KEV) catalog. The medium-severity OS command injection vulnerability (CVE-2024-12686), which affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, was initially disclosed in December 2024. US Federal Civilian Executive Branch (FCEB) agencies have until February 3, 2025 to mitigate the issue. CISA added another BeyondTrust vulnerability to the KEV catalog in mid-December.
Editor's Notes
BeyondTrust applied a patch to all their cloud hosted RS/RPA customers on December 16th. On-premises RS/RPA environments need to apply the patch, which fixes all versions 22.1.x and higher. If you're running versions older than 22.1, you'll need to upgrade before you'll be able to apply the patch.
Internet Storm Center Tech Corner
SANS ISC Stormcast, Jan 14, 2025
This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets.
https://isc.sans.edu/podcastdetail/9278
Hikvision Password Reset Brute Forcing
Hikvision devices are being targeted using old brute-force attacks exploiting predictable password reset codes.
https://isc.sans.edu/diary/Hikvision+Password+Reset+Brute+Forcing/31586
Analyzing CVE-2024-44243: A macOS System Integrity Protection Bypass
Microsoft details a macOS vulnerability allowing attackers to bypass SIP using kernel extensions.
Rootkit Malware Controls Linux Systems Remotely
A sophisticated rootkit targeting Linux systems uses zero-day vulnerabilities for remote control.
https://cybersecuritynews.com/rootkit-malware-controls-linux-systems-remotely/
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C
Attackers are using AWS’s SSE-C encryption to lock S3 buckets during ransomware campaigns. We cover how the attack works and how to protect your AWS environment.
https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
SANS ISC Stormcast, Jan 13, 2025
Defender Updates, Ivanti RCE, Apple USB-C Hack and more
https://isc.sans.edu/podcastdetail/9276
Windows Defender Enhances Chrome Extension Detection
Microsoft's Defender now catalogs Chrome extensions to identify malicious ones. Learn how this improves enterprise security.
https://isc.sans.edu/diary/Windows+Defender+Chrome+Extension+Detection/31574
Multi-OLE Analysis in Malicious Documents
A look at how attackers embed OLE files in Office documents to evade detection and the tools to combat it.
https://isc.sans.edu/diary/Multi-OLE/31580
Ivanti Connect Secure RCE Vulnerability (CVE-2025-0282)
Details of a critical vulnerability affecting Ivanti products and the patching timelines.
Apple USB-C Controller Compromised
Researchers hacked Apple’s ACE3 USB-C controller, highlighting hardware security challenges.
https://cybersecuritynews.com/apples-new-usb-c-controller-hacked/
IRS Pushes for IP PIN Enrollment
Protect yourself from tax-related identity theft by securing your IP PIN for the 2025 tax season.