SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Patch Cisco IOS XE Wireless Controllers Now
Technical details for exploiting a known vulnerability in Cisco IOS XE wireless controllers have been released; users are urged to patch affected systems as soon as possible. Cisco addressed the critical arbitrary file upload vulnerability in an update on May 7. Cisco describes the issue as "a vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) [that] could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system." Researchers from Horizon3 published an analysis of the vulnerability that includes technical details, making the vulnerability a must-patch-now issue.
Editor's Notes
- Slide 1 of 3
This now puts us into a "fix it now" scenario as the information is now publicly available to create an exploit. At its core CVE-2025-20188 stems from a hard coded authentication token, which can only be addressed by applying the update.
- Slide 2 of 3
It's been a while since I've been at Cisco looking at the Wireless Controllers, but the last time I remember, the IOS XE one is built into the switches themselves and is not part of the WLC core product line. It's challenging for me to estimate how many of these are deployed in the wild like this. I would have assumed most companies are still using the WLC Controller model. Either way, it's not a bad idea to patch.
- Slide 3 of 3
Ugh, hard-coded credential, found, and soon to be exploited. It sure seems like a poor secure-by-design choice by the folks from Cisco, who know better. Given the CVSS rating, 10.0, it's a must-fix with a patch being available for almost a month. Let's hope that by now, everyone affected has downloaded and patched. Hey, a person can hope canÕt they?
Slide 1 of 0- Slide 1 of 3
Microsoft Reminds Users of Authenticator Autofill Deprecation
Microsoft Authenticator has begun issuing reminders to users that the app no longer allows them to save new passwords, and that as of July 1, 2025, Authenticator will no longer allow the use of autofill. The changes culminate on August 1, 2025, when passwords saved in Authenticator will no longer be accessible. The full screen banner notification urges users to export their saved passwords by July 1 or to switch to Microsoft Edge. Users who do not wish to switch to Edge may export their passwords to a CSV file so they can be moved to a different password manager.
Editor's Notes
- Slide 1 of 4
You should already be getting a prompt in MS Authenticator to move those stored passwords. Regardless of where you move them to, make sure that you click the passwords tab and ensure they are all migrated. Make sure you've communicated a path to users now as July 1st will be here before you realize it.
- Slide 2 of 4
This is most likely part of Microsoft's long-term strategy of moving to a 'passwordless' environment, i.e. Passkeys. While I think this is a fantastic concept (everyone hates passwords) I'm finding Passkeys much more confusing to manage than expected. I've been accepting Passkeys from almost every website that offers them. Every time, I find myself confused: is it saving it to my operating system, to my password manager, somewhere else? Each device and each website handles it differently. I've literally had apps 'arguing' on my system which app will store the passkey. How do I handle devices that do not support biometrics? Different organizations can also implement Passkeys internally different ways, making what should be simple complex and hard. I know we are all excited with Passkeys as the way to simplify and strengthen authentication, my concern is we are going to make the process just as painful as passwords/MFA in the past.
- Slide 3 of 4
This one, honestly, sucks. If you used Authenticator as an Autofill system, you will lose access. When features like this are deprecated, users sometimes lose access to their data. Keeping your users informed is what I recommend.
- Slide 4 of 4
Good on MSFT for pushing folks to embrace MFA and to use modern, more secure, browsers. Bad on MSFT for steering folks to their Edge browser as the preferred solution.
Slide 1 of 0- Slide 1 of 4
Chrome Rescinds Confidence in Chunghwa Telecom and Netlock as Certificate Authority Owner
Google has announced that it will no longer trust certificates issued by Certificate Authority (CA) Owners Chunghwa Telecom and Netlock "due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome." Starting with Chrome 139, which is scheduled to be released on August 1,2025, Google will distrust Transport Layer Security (TLS) certificates issued by Chunghwa Telecom and Netlock after July 31, 2025 11:59:59 PM UTC. Google provides instructions for website operators to check if their sites are affected and to understand what they can do if they find they are affected.
Editor's Notes
- Slide 1 of 4
Over the last few years, Google's influence has substantially improved the security of the certificate authority ecosystem. The CA/Browser forum's requirements have become substantially more stringent, and enforcement, as seen here, has been swift. Chungwha Telecom did not properly enforce the CAA DNS records, and Netlock issued unpublished intermediate certificates. It is important to note that both could have remained in 'good standing' if they had responded quickly and revoked the issued certificates. Certificates issued before August 1st will remain trusted for both CAs. Any certificates issued after July 31st will no longer be trusted. Each CAÕs market share is less than 0.1%, according to w3tech. But keep in mind to not only enumerate certificate authorities you are using, but also CAs used by your business partners to avoid disruption in connectivity should a certificate authority no longer be trusted.
- Slide 2 of 4
If you're using certificates issued by Chunghwa Telecom or Netlock, you have two options. Either replace these certificates with ones from a different CA or add the corresponding root CA certificate as a trusted root CA, vi profile, GPO, or manually. For anything public facing, you probably want to just go to different issuer to avoid any disruptions relating to Chunghwa/Netlock's process to regain that trust.
- Slide 3 of 4
Back in March, Google issued needed updates for the security requirements of CAs to be trusted in Chrome. Certificate management processes should be in place to know where and from which CAs certificates are in use to enable dealing with CA trust revocation.
- Slide 4 of 4
I've never actually looked into what happens to a company after you get delisted from the Chrome Trust Authority. Do they rebrand and reapply? It's kind of an odd thing about what happens after this occurs. I would strongly doubt they close their shop and rm -rf all their tech.
Slide 1 of 0- Slide 1 of 4
The Rest of the Week's News
Australian Law Requires Ransomware Victims to Report Payments
As of Friday, May 30, 2025, organizations in Australia that have an annual turnover of AUD$3M (USD$1.95M) or more must report any ransomware payments they make or that are made on their behalf to the Australian Signals Directorate (ASD) within 72 hours. The requirement also applies to certain critical infrastructure entities. Australia's Department of Home Affairs plans to allow a six-month grace period, after which time they will pursue action against instances of "egregious non-compliance." The law considers "both monetary and non-monetary benefits that are given or exchanged to an extorting entity as being ransomware or cyber extortion payments." The Australian government is gathering this information to keep track of which threat actors are most active, which organizations the threat actors are targeting, and which tactics, techniques, and procedures (TTPs) threat actors employ.
Editor's Notes
- Slide 1 of 2
The requirement is designed to target Australia's largest companies, and failure to report after the grace period results in a fine of 60 penalty units, currently $12,700 USD, and this is expected to increase. Paying the ransom in Australia is not illegal. Indications remain that despite guidance to the contrary as many as 90% of companies pay the fine, and as many as 40% of those who paid are provided a corrupt decryption key. Further, there are starting to be cases where ransomed data is not actually removed. Make sure when considering your ransomware payment response to include both reporting requirements (US reporting requirements are expected this October) and legality of that payment, e.g., OFAC in the US.
- Slide 2 of 2
This should be interesting as we have many multinational companies with businesses registered in Australia. If, say, a US registered company that also has a registration in Australia gets a part of its operations in another country ransomwared, do they have to let the ASD know? This is an interesting one to watch for sure as it will impact all manner of companies.
Slide 1 of 0- Slide 1 of 2
CrowdStrike and Microsoft are Collaborating on Aligning Threat Actor Taxonomies
CrowdStrike and Microsoft are joining forces "to create alignment across [their] individual threat actor taxonomies." The purpose of the project is not to create a single naming standard, but to make it easier to identify threat actor groups and expand attribution. CrowdStrike writes that the goal is "Deconflicting adversary names to build a cohesive and enduring mapping of existing naming systems to one another. In addition, where telemetry complements one another, there's an opportunity to extend attribution across more planes and vectors Ñ building a richer, more accurate view of adversary campaigns that benefits the entire community."
Editor's Notes
- Slide 1 of 3
For most enterprises and the vast majority of incidents, the vulnerability exploited is way more important than who did the exploiting. It is kinda like weather - we don't name 100,000 thunderstorms that hit the US each year, or even the 10,000 or so severe ones. But we do name the 25 or so hurricanes that reach certain levels of dangerous winds and pose danger to large numbers of people. For 'cyber weather,' harmonizing naming threat actors is better than confusion but will only be meaningful for a small number of organizations where more than lack of basic security hygiene was the root cause.
- Slide 2 of 3
A consistent naming standard is helpful, and Palo Alto's Unit 42 and Google/Mandiant are joining the collaboration. This new standard includes common designations, such as all threat actors from China will have a name followed by Typhoon, while Ukraine-backed organizations will end in Frost.
- Slide 3 of 3
When every incident write you see includes things like: SOMETHING BEAR aka APT42 aka VOID TAKE ME, it's hard not to say, ok, can we just agree to call them BANANA HACKERGROUP instead.
Slide 1 of 0- Slide 1 of 3
MITRE Post-Quantum Cryptography Migration Roadmap
MITRE's Post-Quantum Cryptography Coalition (PQCC) has published a roadmap for post-quantum cryptography (PQC) migration. The document, which is designed for CIOs and CISOs, divides the process into four categories: Preparation, Baseline Understanding, Planning and Execution, and Monitoring and Evaluation. Within each category, the roadmap describes practical activities to move the migration process forward. MITRE notes that migration takes time and that starting the process early "mitigates the threat of data being collected now for an adversary to decrypt later."
Editor's Notes
Don't get caught up in the term PQC; consider this as a driver to move to a more secure solution for protecting data where needed. This roadmap provides a sane, organized approach to updating all your cryptography to the latest/strongest available. You may not know all the places you're using crypto, let along how good (or bad) that implementation is. You may not only be in better shape than you think, but also have a better understanding of where you need to move the bar to.
Out-of-Band Update Addresses Windows 11 Startup Failure
Microsoft has shipped an out-of-band update to address an issue that was causing some Windows 11 systems to fail to start after installation of the May 13, 2025 security update (KB5058405). The ComputerWorld article describes the issue: "While installing the May Windows security update (KB5058405) on some of these computers, the OS thinks a crucial file Ð ACPI.sys Ð is missing. The Advanced Configuration and Power Interface is a critical Windows system driver that enables Windows to manage hardware resources and power states. Lacking the file, Windows won't load, and an error message with the code 0xc0000098 pops up listing the missing file." Microsoft notes that the new update (KB5062170) "will not install on systems that successfully applied KB5058405."
Editor's Notes
This flaw primarily affects virtual environments and only applies to Windows 11 version 23H2 and 22H2, meaning your physical home/pro installs as well as those running 24H2 get a pass. The out-of-band update is cumulative and should be installed instead of the prior May update.
Qualcomm Releases Patches for Trio of Zero-days in Adreno GPU Driver
Qualcomm has released updates to address three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver. Qualcomm learned of the flaws from the Google Android Security team. The vulnerabilities affect multiple chipsets. Qualcomm shipped patches to original equipment manufacturers (OEMs) and phone manufacturers in May; they are being urged to push out updates as soon as possible. CVE-2025-21479 and CVE-2025-21480 are incorrect authorization vulnerabilities; both received CVSS scores of 8.6. CVE-2025-27038 is a use-after free vulnerability, which received a CVSS score of 7.5.
Editor's Notes
While these flaws don't appear to be actively exploited, over the past year, threat actors have been targeting other GPU zero-day flaws, so assume they will be looking at these as well. Applying the update to your device will be dependent on the OEM's process for delivering security updates; all you can do is monitor for releases which address the flaws and ensure that they are being applied in a timely fashion.
DIA IT Specialist Arrested for Allegedly Attempting to Share Classified Information With a "Friendly Foreign Government"
A US Defense Intelligence Agency (DIA) IT specialist has been arrested for allegedly "attempting to transmit national defense information to an officer or agent of a foreign government." Nathan Vilas Laatsch joined DIA as a civilian employee in 2019, working with the Insider Threat Division. Laatsch became the subject of an FBI investigation after the agency received a tip that Laatsch had made known his willingness to share intelligence with a "friendly foreign government." Laatsch began communicating with an individual he believed to be a representative of that government, but who was actually an FBI agent. Laatsch allegedly provided the agent with classified information and was arrested on Thursday, May 29.
Editor's Notes
- Slide 1 of 3
This had been a vetted person in the insider threat division of the agency who was motivated by the change in administration. Foreign agents are leveraging dissatisfaction with the change in administration as well as recent layoffs to obtain sensitive information, posing as headhunters, consulting firms, think tanks, etc. to target government workers. Consider that as you look at staff handling your sensitive information and assess the continued protection of that information, are you prepared to not only vet them initially and periodically but also to detect any untoward information sharing?
- Slide 2 of 3
The colloquial, 'If you do the crime, you do the time' seems appropriate here. IT professionals by their job description are trusted. If they violate that trust, they should be held accountable. Good sting operation by the men and women in Blue.
- Slide 3 of 3
Well, back to the Cold War we go with spies and all that.
Slide 1 of 0- Slide 1 of 3
Covenant Health is Experiencing a Cyberattack Affecting Three Hospitals
Maine-based Covenant Health is dealing with a cyberattack that has prompted them to shut down access to their data systems. Covenant began noticing connectivity issues on May 26; they have confirmed that the problems are due to a cyberattack. The attack has affected two Covenant Health hospitals in Maine and a third Covenant Health hospital in New Hampshire. There are reports that phone systems and internet access may be affected. A spokesperson for Covenant Health said the incident "has had very limited impact to our post-acute care facilities as they are on different clinical platforms."
Editor's Notes
While the organizations are reporting nominal impact to their care services, it's still a good idea to check their web and social media sites for current information on their services. Watch for updated contact center numbers and modified service hours.
Internet Storm Center Tech Corner
SANS Internet Storm Center StormCast Tuesday, June 3, 2025
Windows SSH C2; Google Removes CAs from trusted list; MSFT issues Emergency Patch to fix Crash issue; Qualcomm Adreno GPU 0-day
https://isc.sans.edu/podcastdetail/9476
Simple SSH Backdoor
Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host.
https://isc.sans.edu/diary/Simple+SSH+Backdoor/32000
Google Chrome to Distrust CAs
Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire.
Microsoft Emergency Update to Fix Crashes Caused by May Patch
Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems.
Qualcomm Adreno Graphics Processing Unit Patch (Exploited!)
Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices.
https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html
SANS Internet Storm Center StormCast Monday, June 2, 2025
PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit
https://isc.sans.edu/podcastdetail/9474
A PNG Image With an Embedded Gift
Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit.
https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code.
https://www.darkreading.com/vulnerabilities-threats/exploitation-risk-grows-critical-cisco-bug
Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE
A change in PHP 8.1 can expose methods previously expected to be 'safe'. vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published.
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce