An affidavit unsealed in January 2025 from a Pennsylvania district court authorized and described an FBI operation carried out in August 2024, during which US agents collaborated with French law enforcement and the cybersecurity firm Sekoia.io to unilaterally remove PlugX malware from thousands of Windows machines in the US. PlugX is a remote access trojan (RAT) that can spread via contaminated USB devices and maintains persistence through registry keys that run the malware at startup. The global malware campaign is associated with a Chinese state-sponsored hacking group tracked under various names, including Mustang Panda and Twill Typhoon. French authorities seized the PlugX command and control (C2) IP address in 2023; the FBI then used it to send a self-destruct command that deleted all files created by the malware, deleted the malware's startup registry keys, and stopped and deleted the malware application and its directory. The operation affected any US-based device running a version of PlugX that contacted the C2 server; affected device owners will be notified by their internet service providers.
This is not the first time we have seen governments make this move; however, it does raise the question of what happens when international companies do this. I know this will sound off the wall, but what if you wanted to run PlugX? No one should, but this was forcefully uninstalled. Something rather interesting to consider is the line of delineation. Almost 100% of all users wanted this to occur, yet it is a thought experiment.
The PlugX takedown follows other actions against Volt Typhoon, Flax Typhoon and Fancy Bear, and it provides hints as to the resources and aggressiveness of these state-sponsored adversaries. For now, we've got a mulligan in that PlugX has been destroyed; what we still have to be aware of is the risk of malware spreading via USB drive. I know, that feels very Stuxnet-like. Make sure that your EDR is configured to scan USB drives. If possible, limit to only authorized devices; even better, require them to be encrypted.
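The summary above notes that PlugX persists through registry keys that run the malware at startup. The following is an added example, not code from the newsletter, the FBI affidavit or Sekoia.io: a small triage script that reads a `reg export` of the Run/RunOnce keys and flags autostart entries whose executable lives in a user-writable location or outside the standard program directories. The registry export embedded in it is constructed for illustration; its value names and paths are hypothetical and are not PlugX indicators.

```python
"""Triage Windows autostart (Run / RunOnce) entries from a .reg export.

Added example, not code from the newsletter or from the FBI/Sekoia operation.
The export below is constructed for illustration: names, paths and the
flagged entries are hypothetical, not real PlugX indicators.
"""
import re

# Constructed sample in the text format produced by `reg export`.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"UpdateSvc"="C:\\ProgramData\\UpdateSvc\\svc.exe"
"Helper"="C:\\Users\\alice\\AppData\\Roaming\\Helper\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\cleanup.exe"
"""

# Autostart keys of interest (suffix match, case-insensitive).
AUTOSTART_SUFFIXES = ("\\run", "\\runonce")
# Locations a standard user can write to: anything started from here deserves
# a look, whatever the value name claims to be.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\", "\\public\\")
# Where legitimately installed software normally lives.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# A .reg value line: "name"="data", with \" and \\ escapes inside the strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# The executable path at the start of a command, quoted or not.
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def unescape(s):
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r"\\(.)", r"\1", s)


def parse_autostart(reg_text):
    """Yield (key, value_name, command) for values under Run/RunOnce keys."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        m = VALUE_RE.match(line)
        if m:
            yield current_key, unescape(m.group(1)), unescape(m.group(2))


def executable_path(command):
    """Extract the .exe path from a Run value, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command


def classify_path(path):
    """Return a reason string if the path looks out of place, else None."""
    p = path.lower()
    if any(h in p for h in USER_WRITABLE_HINTS):
        return "starts from a user-writable location"
    if not p.startswith(TRUSTED_PREFIXES):
        return "outside standard program directories"
    return None


def triage(reg_text):
    """Return [(key, value_name, path, reason)] for entries worth reviewing."""
    findings = []
    for key, name, command in parse_autostart(reg_text):
        path = executable_path(command)
        reason = classify_path(path)
        if reason:
            findings.append((key, name, path, reason))
    return findings


if __name__ == "__main__":
    for key, name, path, reason in triage(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} -> {path}: {reason}")
```

On a real host you would feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM and RunOnce equivalents); the path heuristics are deliberately coarse and are a starting point for review, not a verdict.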
The Register
DOJ
The Record
NextGov
US President Joseph Biden has issued a sweeping Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity, which among other directives mandates verification of security standards in government systems and federal software contractors. The Department of Commerce is directed to issue guidance to businesses on cybersecurity best practices, creating a required baseline for any "companies seeking to do business with the government," and vendors who fail validation risk investigation by the Attorney General. All government IoT devices must carry the new Cyber Trust Mark label by January 4, 2027. The order gives CISA more access to agencies' security platforms to centralize defensive information and broaden its impact. Agencies must also shore up cloud platform authentication in the wake of recent attacks by China. President Biden directs the Department of Homeland Security (DHS), the Department of Commerce, and the National Science Foundation to prioritize comprehensive AI research, and directs DHS and the Department of Energy to investigate the application of AI to protect infrastructure. The order promotes agencies' adoption of digital identity documents, and includes "a provision requiring [The Office of Management and Budget] to help agencies reduce risks associated with concentration in the IT market," which WIRED calls "a not-so-veiled shot at Microsoft." Notably, the order also "gives the U.S. more authority to sanction hackers, namely ransomware groups that hold victims' systems hostage in exchange for ransom payments."
Another EO on cybersecurity packed with a lot of "must do's" for government systems and federal software contractors. While there is a lot to like in this EO, I'd first like to see full implementation by the government on the cybersecurity EOs that were issued four years ago. You know, things like implementing a zero-trust architecture and securing cloud instantiations. And, for the record, there already exists excellent guidance to businesses on cybersecurity best practices (i.e., NIST CSF, ISO 27001, CIS CSC, etc.).
It is not clear if this will get rolled back or modified with the change in administration, so agencies need to move forward as if it's going to be required. Increased pressure for secure-by-design software, and use of AI to increase the effectiveness of threat analysis and response are not unexpected, although the technology may not yet be mature enough to operate without considerable human oversight. The direction to provide CISA direct access to agency security platforms and conduct unannounced threat hunting exercises, if not handled properly, could undermine the existing security teams and decrease their effectiveness. If you're a supplier to US Agencies, you should bone up on new requirements which will affect you.
The Biden administration has taken more interest in infrastructure robustness and resilience than any since Clinton. (Dick Clarke, where are you when we really need you?) The recent success of Salt Typhoon has demonstrated the fragility of our infrastructure. It is to be hoped that the new administration will follow through on these initiatives. The SolarWinds fiasco goes beyond Windows to the von Neumann Architecture. We have known about the monoculture risk since before most computer users were born. We need more fundamentally securable systems (e.g. IBM iSeries) and application-only systems.
I would read through this EO a bit further, specifically around CTM (Cyber Trust Mark); however, bear in mind that this is a government-focused item, and in many portions of the Government, the technology is not always up to date. I see this as an obvious move forward. On the IoT side, remember that IoT also has a very long shelf life, so it could be after the following two presidential terms when you see these devices updated.
Microsoft's Patch Tuesday for January 2025 includes fixes for more than 200 vulnerabilities, 23 of which have been designated critical. Three of the flaws have been actively exploited, and five were disclosed prior to the security release. The three actively exploited vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) affect the Hyper-V hypervisor, and are rated important. They can be exploited to attain system privileges. The critical flaws include remote code execution vulnerabilities in Windows Object Linking and Embedding (OLE) and Reliable Multicast Transport Driver (RMCAST).
Microsoft is kicking off 2025 with a bang, providing the largest number of fixes in a single update since 2017. Microsoft is claiming to be leveraging AI in detecting bugs. A side effect is that the number of fixes may be larger for a bit, and with luck this will eventually decrease the number of newly discovered flaws. With this volume of fixes, you're going to need to choose carefully where you do regression testing to get the updates fully deployed before the next update is released. The fix to BitLocker (CVE-2025-21210) specifically closes a weakness where hibernation images could be only partially encrypted, allowing sensitive information to be retrieved. Hibernation has become preferable to sleep mode as it allows the laptop to power off, eliminating emissions detectable by thieves.
As good as Microsoft is at finding these vulnerabilities, it would be nice if they found and fixed them before distributing the code in the first place. The same methods should be applied to testing and quality assurance. The number of patches is once again in the high tens to low hundreds. As we have seen (SolarWinds), some large enterprises cannot accept the risk to mission-critical applications of applying patches without testing them in their own environments. The cost of such testing may go up with the number of patches. Patching is an inefficient way of making code fit for use, that is to say merchantable.
Speaking of Patch Tuesday, on the 16th of January Synacktiv published their writeup of an October 2024 patch for SCCM that includes an unauthenticated SQL injection. I highly recommend you read through the entire writeup but, more importantly, patch SCCM, as it is a critical piece of infrastructure. It's been about 20 years; patches should be a regular thing for your environment by now, yet I still see companies running outdated systems. https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections: Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL injections
SANS Internet Storm Center
Krebs on Security
The Register
Cyberscoop
Bleeping Computer
Ars Technica
SC World
A half-dozen recently disclosed vulnerabilities in the Rsync file synchronization tool include a pair of flaws that, when combined, could allow arbitrary code execution: CVE-2024-12084 is a critical heap-based buffer overflow vulnerability in the rsync daemon 'due to improper handling of attacker-controlled checksum lengths (s2length) in the code.' CVE-2024-12085 is a high-severity information leak vulnerability in the Rsync daemon that can 'be triggered when rsync compares file checksums.' The other four vulnerabilities are medium-severity issues. The results of a Shodan search by Bleeping Computer revealed 'over 660,000 IP addresses with exposed Rsync servers.'
Rsync is more heavily used than you think. This is a significant issue for many people and something most people have not considered. I highly encourage patching, specifically old systems.
Combining the heap buffer overflow and information leak flaws would allow a client to execute arbitrary code, requiring unauthenticated (anonymous) access. Step one, install the updated Rsync, not just the OS version, but also embedded copies provided with packages. While this affects version 3.3.0 and below, some of the updates, which address the issues, may not bring you up to version 3.3.1. The CMU site lists 78 different Linux versions and their state, and the majority are marked unknown.
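The advice above is to update every copy of rsync on a host, including copies embedded in other packages, and it warns that a vendor patch may not move the reported version to the fixed release. The following added example (not code from the newsletter, CERT/CC or the rsync project) locates rsync binaries on PATH plus any extra directories you name, runs `rsync --version` on each, and classifies the reported version against 3.4.0. The version strings it ships with are constructed so it also runs offline; the helper names and the 90-second-style thresholds are my own choices, not anything from the advisories.

```python
"""Find rsync binaries on a host and compare their version to the fixed release.

Added example, not code from the newsletter, CERT/CC or the rsync project.
The version strings in SAMPLES are constructed; the live check runs
`rsync --version` on each binary found. A distribution may backport the fixes
without bumping the upstream version string, so 'update' here means 'confirm
against your vendor advisory', not 'proven vulnerable'.
"""
import os
import re
import subprocess

FIXED_VERSION = (3, 4, 0)  # the rsync 3.4.0 security release named in the rsync NEWS

# Constructed sample first lines of `rsync --version`, keyed by binary path.
# Real output carries more fields after the version; only the version is parsed.
SAMPLES = {
    "/usr/bin/rsync": "rsync  version 3.2.7  protocol version 31",
    "/opt/backup/bin/rsync": "rsync  version 3.4.0",
    "/usr/local/bin/rsync": "rsync  version 3.3.0pre1",
    "/usr/lib/vendor/rsync": "not an rsync binary",
}

VERSION_RE = re.compile(r"\bversion\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(first_line):
    """Return (major, minor, patch) from the first line of `rsync --version`, or None."""
    m = VERSION_RE.search(first_line)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_update(version):
    """True when the parsed version is older than the fixed release."""
    return version < FIXED_VERSION


def assess(version_lines):
    """Map each binary path to 'ok', 'update' or 'unknown'."""
    result = {}
    for path, line in version_lines.items():
        v = parse_version(line)
        if v is None:
            result[path] = "unknown"
        else:
            result[path] = "update" if needs_update(v) else "ok"
    return result


def find_rsync_binaries(extra_dirs=()):
    """Locate executables named rsync on PATH plus any extra directories
    (for example where a backup or packaging tool ships an embedded copy)."""
    dirs = os.environ.get("PATH", "").split(os.pathsep) + list(extra_dirs)
    found = []
    for d in dirs:
        candidate = os.path.join(d, "rsync")
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def live_version_lines(paths):
    """Run each binary with --version and collect the first output line."""
    lines = {}
    for p in paths:
        try:
            out = subprocess.run([p, "--version"], capture_output=True, text=True, timeout=5)
            lines[p] = out.stdout.splitlines()[0] if out.stdout else ""
        except (OSError, subprocess.SubprocessError):
            lines[p] = ""
    return lines


if __name__ == "__main__":
    # Constructed data first, then whatever this host actually has on PATH.
    for path, status in assess(SAMPLES).items():
        print(f"{status:8} {path}")
    for path, status in assess(live_version_lines(find_rsync_binaries())).items():
        print(f"{status:8} {path}  (live)")
```

Pass the directories of any appliance, backup agent or container image that bundles its own rsync to `find_rsync_binaries(extra_dirs=[...])`; an 'unknown' result usually means a wrapper script or a stripped binary and needs a manual look.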
CERT
Openwall
Github
SC World
Bleeping Computer
Help Net Security
NVD
NVD
Chinese drone manufacturer DJI has updated its geofencing software in most US-sold products so that it no longer automatically enforces keeping the drones from entering US Federal Aviation Administration (FAA) designated no-fly zones. Drone operators will receive in-app alerts if their drones are approaching no-fly zones, but will bear sole responsibility for ensuring they do not enter areas where they are not permitted. DJI implemented a similar policy in the European Union last year. The announcement about drones sold in the US comes about a week after a DJI drone damaged and grounded a firefighting plane in California.
This change affects, in particular, consumer devices that are predominantly used by hobbyists who may not always be aware of current regulations. Professionals with the respective licenses could always request an override for the geo-fencing feature. This change could be especially problematic for smaller devices that do not automatically broadcast their location.
DJI
The Register
The Verge
PC Mag
According to a proposed settlement order, the US Federal Trade Commission (FTC) is requiring GoDaddy to 'implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers' websites.' The FTC's complaint alleges that since 2018, GoDaddy has failed to adopt 'reasonable and appropriate security measures' and has misled customers regarding security protections provided by their web hosting services. According to the complaint, GoDaddy failed to 'inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments.' While the FTC voted to accept the consent agreement, it will remain open to public comment for 30 days, at which time the commissioners will decide whether or not to finalize the agreement.
It seems insufficient to simply require that they do only what they should have been doing in the first place. Perhaps a fine large enough to impact profitability?
FTC
The Record
The Register
Bleeping Computer
Gov Infosecurity
Document Cloud
Document Cloud
A report filed with the Norwegian Data Protection Authority discloses a data breach of Unacast/Gravy Analytics' Amazon Web Services (AWS) cloud storage environment by an "unauthorized person" using a "misappropriated access key." The data broker was not aware of the breach until notified by the hacker on January 4, 2025, and has since taken its main website and associated domains offline and secured its AWS environment. Unacast posits that the stolen data are "associated with users of third-party services that supply this data to Gravy Analytics," which according to 404 Media may include "Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps." The total duration of unauthorized access and exact scope of data stolen remain under investigation, but this breach has the potential to expose millions of people's sensitive and personally identifiable location information. Norway's Unacast is the parent company of Gravy Analytics and its subsidiary Venntel, a major supplier of location data to US law enforcement. In December 2024, Gravy and Venntel were reprimanded for violations of the FTC Act, and barred from collecting and selling sensitive data without consent.
Yet another cyberattack that has at its core a compromise of identity credentials. Remember, two-factor authentication can help protect identity credentials and is widely considered a requirement for implementing reasonable cybersecurity.
Gravy Analytics is already banned from providing location data on Americans without consumer consent. Much of this data is gleaned from online ads. The best fix is to use ad blockers or a mobile content blocker, as well as not enabling personalized advertising or tracking; on iOS this is under the Tracking settings and on Android this is under Privacy/Ads. If you don't have such a setting, regularly delete/reset your advertising ID. Lastly, only allow apps (and your browser) to access your location when needed.
Datatilsynet
NRK
TechCrunch
The Record
404 Media
Additional information about the late 2024 data breach of PowerSchool systems has been shared with TechCrunch by school districts affected by the attack. Reports indicate that the attack was not limited to the approximately 18,000 school districts and their current students served by PowerSchool; rather, it also included data belonging to inactive former customers, and in some cases included historical data of alumni, former students, and former personnel going back over a decade, all accessible to the single subcontractor account compromised by the attacker. Mark Racine, co-founder of RootED solutions, notes "PowerSchool has achieved SOC 2 Type 2 certification," but suggests that the details of the attack "raises questions" about the company's compliance and monitoring.
The short version is that ALL the PowerSchool data was accessed, affecting about 60 million students. The attack used a single compromised credential belonging to a sub-contractor. Beyond making sure a service provider has a SOC 2 Type 2 certification, make sure that you're not only using MFA, and supported monitoring to include timely account removal or lock-out, but also that you're performing permission reviews. Make sure that only current authorized accounts exist, but also that they are in the correct groups and that those groups only have the minimum access needed. Involve data, service, and process owners, who really know who should or should not have access to their data, and perform these reviews at least annually.
Two points to make here: 1) stolen credentials enabled the attack, and 2) lack of basic cyber hygiene by the EdTech company led to loss of data. We've seen a dramatic increase in the theft of identity credentials over the last few years. It's the easiest way for an evildoer to get into an organization's network. Once there, not doing the basics (patching, secure configuration, and monitoring) leads to privilege escalation and complete compromise. Bottom line, the company didn't implement reasonable cybersecurity on its platform, leading to the loss of PII.
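The comments above call for permission reviews that confirm only current authorized accounts exist, that each is in the correct groups, and that those groups grant only the minimum access needed, with data owners involved. As an added example (not code from the newsletter or from PowerSchool), the script below runs such a review over three constructed inputs: an authorization roster, an identity-provider export of accounts and group memberships, and the data owner's approved groups and required permissions per role. The role names, group names, the 90-day dormancy threshold and the review date are all assumptions made for the example.

```python
"""Access review: stale accounts, group membership beyond role, and groups
that grant more than the data owner approved.

Added example, not code from the newsletter or from PowerSchool. Every
dataset below is constructed: a roster of who is currently authorized, an
identity provider export of accounts and groups, and the data owner's
approved groups and required permissions per role.
"""
from datetime import date

DORMANT_DAYS = 90                 # assumed lock-out threshold for unused accounts
REVIEW_DATE = date(2025, 1, 17)   # assumed date the review is run

# Constructed roster (what HR / contract management says).
AUTHORIZED = {
    "alice": {"role": "dba", "active": True},
    "bob": {"role": "support", "active": True},
    "vendor_svc": {"role": "subcontractor", "active": False},  # contract ended
}

# Constructed identity provider export (what actually exists).
ACCOUNTS = {
    "alice": {"groups": ["student-data-rw"], "last_login": "2025-01-10"},
    "bob": {"groups": ["student-data-rw"], "last_login": "2025-01-12"},
    "vendor_svc": {"groups": ["student-data-ro", "student-data-rw"], "last_login": "2024-12-28"},
    "ghost": {"groups": ["student-data-ro"], "last_login": "2023-03-01"},
}

# Constructed data-owner decisions: which groups each role may hold, and the
# permissions the role actually needs to do its job.
APPROVED_GROUPS = {
    "dba": {"student-data-rw"},
    "support": {"student-data-ro"},
    "subcontractor": {"student-data-ro"},
}
REQUIRED_PERMS = {"dba": {"read", "write"}, "support": {"read"}, "subcontractor": {"read"}}

# Constructed: effective permissions each group grants.
GROUP_GRANTS = {
    "student-data-ro": {"read"},
    "student-data-rw": {"read", "write", "export"},
}


def review_accounts(accounts, authorized, approved_groups, review_date):
    """Return [(account, finding)] for accounts that should be removed,
    disabled, trimmed of extra groups, or locked for dormancy."""
    findings = []
    for name, acct in accounts.items():
        auth = authorized.get(name)
        if auth is None:
            findings.append((name, "no authorization record: remove or justify"))
            continue
        if not auth["active"]:
            findings.append((name, "authorization ended: disable"))
        extra = set(acct["groups"]) - approved_groups[auth["role"]]
        if extra:
            findings.append((name, f"groups beyond role '{auth['role']}': {sorted(extra)}"))
        idle = (review_date - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append((name, f"dormant for {idle} days: lock"))
    return findings


def excess_grants(approved_groups, group_grants, required_perms):
    """Return {role: permissions} where a role's approved groups grant more
    than the role needs, i.e. the groups themselves are wider than necessary."""
    excess = {}
    for role, groups in approved_groups.items():
        granted = set().union(*(group_grants[g] for g in groups))
        extra = granted - required_perms[role]
        if extra:
            excess[role] = extra
    return excess


if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNTS, AUTHORIZED, APPROVED_GROUPS, REVIEW_DATE):
        print(f"{account:12} {finding}")
    for role, perms in excess_grants(APPROVED_GROUPS, GROUP_GRANTS, REQUIRED_PERMS).items():
        print(f"role {role}: approved groups grant more than needed: {sorted(perms)}")
```

The two checks answer different questions: `review_accounts` finds accounts that should not exist or hold too much, while `excess_grants` finds groups that are themselves too broad (here the read-write group also carries a bulk `export` right the DBA role never needed). The second is the one data and process owners are best placed to judge, which is why they belong in the review.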
In the wake of rising ransomware attacks on the UK's public sector, the government is consulting on proposals aimed at discouraging attackers by "banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments." Government departments are already banned from making such payments. Three main proposals are under consideration: banning ransomware payments by critical national infrastructure and public sector entities; involving the National Crime Agency (NCA) in intelligence gathering, guidance, and blocking payments; and instituting mandatory reporting of ransomware incidents. The announcement of the consultation highlights the threat of Russian attackers, and notes that the National Cyber Security Center (NCSC) calls ransomware the "most immediate and disruptive threat to the UK's critical national infrastructure." The government's response and any resulting legislation will be introduced after the consultation period ends on April 8, 2025.
Part of the plan is to force organizations to increase their ability to operate in spite of successful ransomware attacks. Beyond backups, tested plans need to be in place to continue operations, including rebuilding systems from backups.
While I agree organizations shouldn't pay ransoms, it can't be a one-size-fits-all answer. Look at the recent discovery of an attacker using AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data. Recovery is impossible without the encryption key, controlled by the evildoer. Granted, the organization failed in other aspects of its cybersecurity program (i.e., credential loss), but now you're doubling the penalty: loss of business opportunity with loss of data, and liability for not implementing reasonable cybersecurity measures.
The risk is that such measures may have unintended consequences. We really need to be devoting more resources and creativity to identifying and punishing the perpetrators.
The US Department of Health and Human Services Office for Civil Rights (HHS OCR) maintains a database of all reported healthcare sector data security incidents that are currently under investigation and affect 500 or more individuals. A SecurityWeek analysis of the 2024 data found that the 585 reported breaches affected nearly 180 million user records. Of those 585 incidents, 440 were at healthcare providers, and nearly 100 were healthcare business associates. The significant majority of the breaches were classified as hacking or IT incidents.
These healthcare breaches are impacting many providers. Top impacts, out of a list of 873 are: Change Healthcare: 100 million individuals, Kaiser Permanente: 13.4 million, Ascension Health: 5.5 million, HealthEquity: 4.3 million, Concentra Health Services: 3.9 million, Centers for Medicare & Medicaid Services: 3.1 million, Acadian Ambulance Service: 2.8 million, A&A services (Sav-Rx): 2.8 million, and Integris Health: 2.3 million. The hard part is switching to a secure-by-design model for healthcare providers where life-safety is job 1. This is not entirely an IT problem, except that cyber & IT need to be prepared with secure implementations which meet mission objectives so they can execute rapidly.
SANS ISC Stormcast, Jan 17, 2025
In this episode, we explore the efficient storage of honeypot logs in databases, issues with Citrix's Session Recording Agent and Windows Update. Ivanti is having another interesting security event and our SANS.edu graduate student Rich Green talks about his research on Passkeys.
https://isc.sans.edu/podcastdetail/9284
Extracting Practical Observations from Impractical Datasets:
A SANS Internet Storm Center diary entry discusses strategies for analyzing complex datasets to derive actionable insights.
https://isc.sans.edu/diary/Extracting+Practical+Observations+from+Impractical+Datasets/31582
Citrix Session Recording Agent Update Issue:
Citrix reports that Microsoft's January security update fails or reverts on machines with the 2411 Session Recording Agent installed, providing guidance on addressing this issue.
Ivanti Endpoint Manager Security Advisory:
Ivanti releases a security advisory for Endpoint Manager versions 2024 and 2022 SU6, detailing vulnerabilities and recommended actions.
Revolutionizing Enterprise Security: The Exciting Future of Passkeys Beyond Passwords:
A SANS.edu research paper explores the shift from traditional passwords to passkeys, highlighting the benefits and challenges of adopting passwordless authentication methods.
SANS ISC Stormcast, Jan 16, 2025
Today's episode covers an odd 12-year-old Netgear vulnerability that only received a proper CVE number last year. Learn how to properly identify OpenID Connect users and avoid domain name reuse. Good old rsync turns out to be in need of patching, and Fortinet: not sure if it needs patching. Probably it does. Go ahead and patch it.
https://isc.sans.edu/podcastdetail/9282
The Curious Case of a 12-Year-Old Netgear Router Vulnerability
Outdated Netgear routers remain a security risk, with attackers actively exploiting a 2013 vulnerability to deploy crypto miners. Learn how to protect your network by updating or replacing legacy hardware.
https://isc.sans.edu/diary/The+Curious+Case+of+a+12YearOld+Netgear+Router+Vulnerability/31592
Millions at Risk Due to Google's OAuth Flaw
A flaw in Google's OAuth implementation enables attackers to exploit defunct domain accounts, exposing sensitive data. Tips on implementing MFA and domain monitoring to reduce risks.
https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
Rsync 3.4.0 Security Release
The latest rsync update fixes critical vulnerabilities, including buffer overflows and symbolic link issues. Upgrade immediately to protect your file synchronization processes.
https://download.samba.org/pub/rsync/NEWS#3.4.0
Fortinet PSIRT Advisories: Stay Secure
Fortinet's latest advisories address vulnerabilities in FortiOS, FortiProxy, and more. Review and apply patches promptly to secure your perimeter defenses.
https://www.fortiguard.com/psirt
SANS ISC Stormcast, Jan 15 2025
Today, Microsoft Patch Tuesday headlines our news with Microsoft patching 209 vulnerabilities, some of which have already been exploited. Fortinet suspects a so far unpatched Node.js authentication bypass to be behind some recent exploits of FortiOS and FortiProxy devices.
https://isc.sans.edu/podcastdetail/9280
Microsoft January 2025 Patch Tuesday
This month's Microsoft patch update addresses a total of 209 vulnerabilities, including 12 classified as critical. Among these, 3 vulnerabilities have been actively exploited in the wild, and 5 have been disclosed prior to the patch release, marking them as zero-days.
https://isc.sans.edu/diary/rss/31590
Fortinet Security Advisory FG-IR-24-535 CVE-2024-55591
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
PRTG Network Monitor Update:
Update for an already exploited XSS vulnerability in Paessler PRTG Network Monitor CVE-2024-12833
Symphony 2025: The ultimate SOC transformation event. Join us on February 19, 2025 for a one-hour global virtual summit.
Webcast | Google SecOps: The SIEM's Third Act - January 22, 2025, 3:30 pm ET | Join Certified SANS Instructor Mark Orlando and Google Cloud Solution Architect Greg Kushmerek to learn how the security information and event management (SIEM) function remains a cornerstone in security operations.
Webcast: February 26 at 1:00 ET | 2025 ICS Security Budget vs.
Webcast | Empowering Responders with Automated Investigation, February 19, 1:00 ET | Join Megan Roddie-Fonseca and Lee Sult from Binalyze as they discuss how with the right tooling, analysts of all backgrounds can effectively handle incidents, reducing the response time by removing the need for frequent escalation.