SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Microsoft Subcontractor “Escorts” Handle Sensitive DOD Data
For almost ten years, Microsoft has employed global software engineers to help maintain US Department of Defense (DOD) computer systems. Because non-US citizens may not handle the sensitive Impact Level 4 and 5 DOD data -- whose "loss of confidentiality, integrity, or availability ... could be expected to have a severe or catastrophic effect," -- these engineers must be "escorted" by US citizens with security clearances who execute instructions from their international experts, copying and pasting their commands into the federal cloud. However, hiring documentation and insider reports indicate these chaperones "often lack the technical expertise to police foreign engineers with far more advanced skills." One current escort hired by Microsoft's third-party contractor, Insight Global, anonymously told ProPublica that escorts are inadequately trained: "We’re trusting that what they’re doing isn’t malicious, but we really can’t tell. [...] People are getting these jobs because they are cleared, not because they’re software engineers." Indy Crowley, who liaised for Microsoft with the government per the Federal Risk and Authorization Management Program (FedRAMP), characterized the escort program as "the path of least resistance" over security and cost concerns to win the DOD cloud contract and FedRAMP accreditation in 2016. This program has not been publicly reported before 2025, and its existence is unknown among former federal government and intelligence staffers and administrators, many of whom express concern about the knowledge gap between experts and escorts, and specifically about risks posed by state-sponsored threats from China, citing the 2015 breach of the Office of Personnel Management via a third-party contractor's system, and the 2023 breach of State Department emails through a Microsoft engineer's compromised account. Microsoft insiders interviewed by ProPublica indicate a history of security concerns raised internally about the escort program.
Editor's Notes
- Slide 1 of 4
If the cost of only using US citizen technicians vs. using a non-US technician PLUS an escort is high enough to lead to meaningful cost savings, then there is no way the escort program can be more than eyewash. The contractual wording that enables this kind of compromise obviously needs to be reviewed and actual audits of physical security activities (not just policies) should be required. Example: checking to see if anyone ever challenges someone walking around with no badge, or someone tailgating at entrances, etc. – often also eyewash.
- Slide 2 of 4
While this story is talking about sensitive US Government data, we all have sensitive/IP we need to protect and should consider this use case in the context of our business. This started off as a well-intentioned plan to protect/monitor access from remote, much as you would apply guardrails for a support person to remotely access your system to help fix it. The problem is, oversight/escorting for an occasional support call doesn't scale well to a team working remotely. In addition, the remote worker capabilities and loyalties need to be considered before enabling this sort of plan. Make sure your contracts include language for staff with an appropriate level of assurance/risk. For example, my team sought out US Person/US-Only support options, which resulted in a better understanding of who was going to be on the far end, surfaced risks which may have been overlooked, and identified showstoppers before problems arose.
- Slide 3 of 4
Outside of the fact that there is a tech support for Microsoft in China, this would apply globally to anyone using this program. There is a skills gap that needs to be addressed, and that will be a challenging task, to be sure. I would imagine you could “solve” this in some ways by using monitoring on systems, but we all know that things can happen. This is an interesting “insider threat” issue.
- Slide 4 of 4
Ugh, this looks bad, just bad. I would be shocked if the government wasn’t aware and had ‘signed off’ on this arrangement. This was simply ‘window-dressing’ to keep costs down and profits up.
Slide 1 of 0- Slide 1 of 4
Salt Typhoon Compromised US Army National Guard Network
Salt Typhoon threat actors had access to the network of a US state's Army National Guard between March and December 2024. A June 11 Department of Homeland Security Office of Intelligence and Analysis memo obtained through a Freedom of Information Act request says that the threat actors "collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report. This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units." Salt Typhoon is believed to be responsible for cyberattacks against telecommunications companies in the US and around the world.
Editor's Notes
- Slide 1 of 4
What is concerning is it appears Salt Typhoon maintained their access to the network for over a year. Don't get tunnel vision trying to block a single adversary like Salt Typhoon; focus on broad measures to raise the bar across the board. Beyond verifying your monitoring and response capabilities are dialed in to detect adversaries on your network, make sure you've fully embraced and implemented MFA, EDR, and robust vulnerability management.
- Slide 2 of 4
The quote from Kevin Surace in the SCWorld piece captures the big issue here: “Disrupting one group temporarily limits active campaigns, but the underlying vulnerabilities remain, […] Until organizations address the root problem — reliance on credentials and outdated authentication methods — new groups will continue to gain access using the same techniques.”
- Slide 3 of 4
The hits just keep coming with Salt Typhoon. The draft of the fiscal 2026 NDAA calls for “…DoD to develop a deterrence strategy against cyber activity on critical infrastructure.” What seems to be missing in congressional thinking is the understanding that defense of this country and its critical infrastructure is more than a military function. Somehow, they bought into the trope that we just have to conduct offensive cyber operations to keep the enemy at bay.
- Slide 4 of 4
Salt Typhoon compromised a lot of networks, some of which we may never know about.
Slide 1 of 0- Slide 1 of 4
Congressional Hearing on Stuxnet and Cyber Threats to Critical Infrastructure Scheduled for Next Week
On Tuesday, July 22 at 10am ET, the US House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing titled “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure.” Witnesses scheduled to provide testimony include Tatyana Bolton, Executive Director, Operational Technology Cyber Coalition (OTCC); Kim Zetter, Author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” and Cybersecurity and National Security Reporter, WIRED; Robert M. Lee, CEO and Co-Founder, Dragos; and Nate Gleason, Program Leader, Lawrence Livermore National Laboratory.
Editor's Notes
- Slide 1 of 3
Given the ongoing and increased frequency of attacks targeting critical infrastructure, it's not a bad idea to look back at Stuxnet to see if we've missed any lessons learned, particularly as time diminishes memory and security workarounds evolve. From the basics, PR photos containing recognizable OT components, to unsafe media transfer practices, or even ignoring/disabling alerts, we need to make sure we're (still) diligent. The hearing is bringing their A-Team, and their recommendations will be noteworthy.
- Slide 2 of 3
This is a hearing on the occasion of Stuxnet 15 years ago, on the evolution of threats to our infrastructure, rather than on Stuxnet itself. It is not likely to leak any information about Stuxnet that might be useful to our adversaries.
- Slide 3 of 3
From what I’ve read the key to Stuxnet success was the ability to coopt a trusted insider. And we all know the most difficult threat to protect against is… the trusted insider.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Cloudflare: 1.1.1.1 DNS Resolver Outage Was Due to Internal Misconfiguration
In a blog post, Cloudflare writes that “the root cause [of the global July 14 1.1.1.1 DNS Resolver outage] was an internal configuration error and not the result of an attack or a BGP hijack. Cloudflare explained that "On 14 July 2025, [we] made a change to our service topologies that caused an outage for 1.1.1.1 on the edge, resulting in downtime for 62 minutes for customers using the 1.1.1.1 public DNS Resolver as well as intermittent degradation of service for Gateway DNS." For many users, the incident meant that they were not able to access internet services. In their blog post, Cloudflare offers a technical explanation of how the misconfiguration occurred, how the misconfiguration caused the outage, and what the company is doing to ensure this does not happen again.
Editor's Notes
- Slide 1 of 3
Interestingly, the DoH traffic to Cloudflare was not impacted as it uses different addresses and is often setup by domain name rather than IP address. Using secure DNS resolvers is becoming a best practice, and you need to have more than one IP address configured. While you're considering having a backup to the 1.1.1.1 DNS Resolver, or any other external DNS resolver, make sure you test fail-over.
- Slide 2 of 3
Two points here: (1) free services generally don’t come with SLAs (1.1.1.1 does not) so some of the savings need to be “banked” to have tested backup capabilities in place; and (2) even services with SLAs don’t guarantee 100% up time, or only convenient outages, or any overall limit on length of any individual incident, or frequency of short disruptions – stuff happens!
- Slide 3 of 3
So it wasn’t BGP this time… just DNS. In all seriousness, this is a tricky one. Do you plan for your DNS Resolver to go completely out? How do you back up? Primarily, if you rely on DNS for Security, having a third or fourth resolver as an always-available backup to a different provider could result in some queries being unfiltered from time to time. How do you balance this one out?
Slide 1 of 0- Slide 1 of 3
SonicWall SMA 100 Backdoor Malware Campaign Ongoing
Google Threat Intelligence Group (GTIG) and Mandiant have published a blog post detailing an active malware campaign targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, which act as secure network access gateways for mobile devices. The attackers, tracked by Mandiant as UNC6148, appear to have gained access using previously stolen credentials and one-time password (OPT) seeds, though the initial infection vector is unclear due to the malware's ability to selectively delete logs. GTIG suggests but cannot confirm the possible exploitation of five known CVEs publicly associated with SMA 100 appliances, and "assesses with moderate confidence" that the attackers may have leveraged an unknown zero-day remote code execution flaw to deploy the malware. Dubbed "OVERSTEP" by GTIG, the malware is a backdoor specifically designed for this appliance, hiding itself through rootkit capabilities and log deletion, establishing a reverse shell, and exfiltrating credentials, communicating indirectly with a command-and-control server. An unknown vulnerability may have been used to gain shell access, as this should be impossible by design on SMA 100 appliances. The total number of known attacks is undisclosed but "limited." GTIG urges organizations to immediately isolate and analyze affected appliances, "acquir[ing] disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities." The blog post provides indicators of compromise (IoCs) and a YARA rule; GTIG recommends users reset all credentials including passwords and OTP bindings to ensure secrets stolen from previous compromises are invalidated, and revoke and reissue any certificates with private keys stored on the affected appliance. SonicWall is working with GTIG, and intends to help customers migrate to SMA 1000 and the Cloud Secure Edge service, emphasizing that while the company will continue releasing firmware updates, the vulnerable SMA 100 has reached "end-of-sale," and SonicWall's goal is a safe transition to cloud-native architectures.
Editor's Notes
- Slide 1 of 2
The SonicWall SMA 100 series is EOL: you can't buy new ones, and support is hit or miss depending on the model. Plan A needs to be replace/retire these now. Assume they have been compromised, so you need to rotate credentials no matter what. UNC6148 is exploiting a combination of five fixed flaws, CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 and CVE-2025-32819. The Google Cloud blog has the IoCs for your threat hunters.
- Slide 2 of 2
These are relatively old SonicWall Devices; these types of devices are typically run until they are no longer functional, and pulling these devices back out will be difficult, I’m sure, for SonicWall. This isn’t solely a SonicWall issue; it's a general issue with many vendors, where their products run eternally. If you are running a network, check and ensure that all your devices are not only patched but also still under support and not at end of life.
Slide 1 of 0- Slide 1 of 2
Oracle Critical Patch Update, July 2025, and a Fix for an RCE Flaw in Oracle Cloud Infrastructure Code Editor
On Wednesday, July 16, Oracle released more than 300 patches to address roughly 200 discrete CVEs affecting more than 100 of their products. Of those, nine are rated critical. Eighty-four of the fixes address vulnerabilities in Oracle Communications; of those, 50 are remotely exploitable without authentication. Other products receiving multiple fixes include MySQL (40 vulnerabilities), Fusion Middleware (36 vulnerabilities), and Communications Applications (29 vulnerabilities). In a related story, Tenable Security has written a blog post describing a remote code execution vulnerability they discovered in Oracle Cloud Infrastructure (OCI) Code Editor. Tenable notes that "Oracle Cloud Infrastructure addressed the vulnerability by implementing an additional layer of protection in the form of a required custom HTTP header."
Editor's Notes
- Slide 1 of 2
While the number of patches seems large, remember they span 111 products, and last quarter they addressed 378 vulnerabilities. The hard part is once you fix the underlying apps – Fusion, MySQL, Oracle DB, Java – you need to make sure that application layer updates are also applied. In some cases these need to be coordinated with the other updates; it's a good time to take your business unit contacts to lunch. The good news here is that the OCI Code Editor flaw is fixed, doubly so as the Tenable writeup includes how to exploit the flaw.
- Slide 2 of 2
Major update for Oracle, and the words “unauthenticated RCE” should cause some attention. Given the numerous products Oracle has in its wheelhouse, please verify that you are not running one of them.
Slide 1 of 0- Slide 1 of 2
Cisco Releases Updates to Address Multiple Vulnerabilities
Cisco has released security bulletins to address seven new CVEs. The first is an update to an existing (June 25, 2025) bulletin to add another critical remote code execution vulnerability affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The two CVEs identified in June (CVE-2025-20281 and CVE-2025-20282) and the newly-added CVE (CVE-2025-20337) all have CVSS scores of 10.0. Cisco has also released a bulletin to address a high-severity vulnerability (CVE-2025-20274) affecting "the web-based management interface of Cisco Unified Intelligence Center [that] could allow an authenticated, remote attacker to upload arbitrary files to an affected device." And finally, Cisco has published three medium-severity advisories to address a total of five vulnerabilities in ISE and ISE-PIC, Evolved Programmable Network Manager (EPNM), Prime Infrastructure, and Unified Intelligence Center.
Editor's Notes
- Slide 1 of 2
There are no current indications of active exploitation, but with this news making the rounds that will change quickly. If you're running Cisco ISE, you should update to 3.4 Patch 2 or if you're staying with 3.3, update to patch 7; there are no workarounds. The updates are hot patches, which should facilitate the process.
- Slide 2 of 2
This is going to confuse everyone. The ISE Unauthenticated RCE from last month differs from the current ISE RCE. This ISE RCE affects the same API as the RCE reported in the previous month and is the same type of vulnerability. In other words, if you patched last month because it was urgent, it’s time for that same urgency again. What will August have in store for us?
Slide 1 of 0- Slide 1 of 2
UNFI Estimates Financial Impact of June Cyberattack
United Natural Foods Inc. (UNFI) has published a press release providing 2025 fiscal information including the estimated impact of operational disruptions and shutdown of the ordering system resulting from a June 2025 cyberattack. "The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million," apart from "adequate" forthcoming insurance proceeds. UNFI executives stated during a July 16 call with investors that the financial impact is not expected to extend beyond the current quarter. Remediation costs including cybersecurity, legal, and governance consultation, are reportedly estimated to have cost $5M, with another $20M "incurred as the company used manual workarounds."
Editor's Notes
- Slide 1 of 4
While often the cost (premiums plus deductible) of “adequate” cyber-insurance exceeds the cost of avoiding most incidents, one benefit is it does drive victims to make public declarations of cost as part of going after insurance payouts. The UNFI financial report has some good numbers to point out to your CIO: UNFI will reduce “capital and cloud expenditures” by 32% in 2025, likely as part of reducing the financial impact of the incident.
- Slide 2 of 4
While $350-$400 million seems like a big number, UNFI net sales are expected to be about $31.7 billion, which is how you get to the impact not extending beyond the current quarter.
- Slide 3 of 4
This is the kind of information of interest to investors which the SEC regulation is intended to elicit but often fails to do.
- Slide 4 of 4
Validation for why every organization should have cyber insurance. The downside, though, is that cyber insurance premiums are sure to rise across the board. The insurance industry could also do a better job enforcing a minimum cybersecurity baseline that organizations must meet to obtain the policy. Otherwise, we stay in this ‘rinse and repeat’ cyber incident cycle.
Slide 1 of 0- Slide 1 of 4
Co-op CEO: All 6.5M Members’ Data Stolen in April
UK consumer organization Co-op Group's CEO Shirine Khoury-Haq stated to the BBC that while the company was able to shut down its network in April 2025 before ransomware could be installed, investigation revealed that the attackers successfully copied and stole files belonging to all 6.5 million Co-op members. Members are consumers who pay a £1 (US$1.34) fee for part-ownership, granting the opportunity to vote on some business decisions, among other benefits. Khoury-Haq characterized the information stolen as "out there anyway," stating that "names and addresses and contact information" were taken, but no financial or transaction data. Insurance Insider reports that Co-op was not covered by cybersecurity insurance at the time of the attack.
Editor's Notes
- Slide 1 of 2
Well at least the members know they are all impacted and can respond accordingly. The better news is the actions the Co-op Group took to block the attack prevented any cleanup, so they were able to capture everything they did as well as prevent deployment of ransomware. While the game is changing to more of an exfiltration/extortion (minus ransomware) it's worth learning all the actions taken by their team to see if you can increase your preparedness.
- Slide 2 of 2
We may well be approaching the point where the cost of acquiring PII by breaching systems will exceed the cost of simply buying it from the data brokers.
Slide 1 of 0- Slide 1 of 2
UK NCSC's Vulnerability Research Initiative
The UK National Cyber Security Centre (NCSC) has launched a Vulnerability Research Initiative (VRI), which will expand the breadth of their vulnerability research by working with external experts. Until now, NCSC's vulnerability research was conducted by an in-house team. NCSC writes that establishing the VRI was necessitated by the fact that "Developing deep understanding and expertise of technologies, security mitigations and products takes time. Technology growth is constant, ever complex, security is improving, and thus VR is getting harder. This means the NCSC demand for VR continues to grow. [...] The VRI’s mission is to strengthen the UK’s ability to carry out VR."
Editor's Notes
- Slide 1 of 2
NCSC is working to leverage external expertise, particularly as AI starts impacting vulnerability research. If you want to participate in the external security research, send your skills and focus areas to VRI at ncsc.gov.uk. NCSC has a separate portal, which leverages the HackerOne platform for reporting discovered vulnerabilities: https://www.ncsc.gov.uk/information/vulnerability-reporting
- Slide 2 of 2
NCSC’s decision is but a reflection that cyber talent is now largely pooled outside of government. Today, graduates are lured away from government service by better pay, benefits, and perhaps more importantly, the opportunity to innovate. Organizations like NCSC, in other countries, have been on this path for years.
Slide 1 of 0- Slide 1 of 2
Former US Army Soldier Pleads Guilty to Cybercrimes
Earlier this week, former US Army soldier Cameron John Wagenius "pleaded guilty to conspiracy to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft" for his role in a series of cyberattacks targeting telecommunications and technology companies. Wagenius conspired with other individuals to gain access to the companies' networks, access sensitive information, and attempt to extort the companies by threatening to publish the stolen data unless they were paid a ransom. Wagenius will face up to 27 years in prison when he is sentenced later this year.
Editor's Notes
- Slide 1 of 2
Wagenius and his cohort exfiltrated data and were able to extort at least $1 million from their victims. You may not want to search for "can hacking be treason" and "US military personnel defecting to Russia" on a corporate system, let alone brag in public forums about the data you've exfiltrated, let alone immediately purchase a new laptop after your electronics were seized.
- Slide 2 of 2
The DoD has excellent technical schools for its computer network operators. In fact, it’s one of the quickest ways to obtain valuable skills that are highly marketable in the private sector. Unfortunately, the enlisted ranks are not well compensated, leading to thoughts on how to make a quick buck. This appears to be a case in point.
Slide 1 of 0- Slide 1 of 2
Internet Storm Center Tech Corner
SANS Internet Storm Center StormCast Friday, July 18, 2025
Extended File Attributes; Critical Cisco ISE Patch; VMWare Patches; Quarterly Oracle Patches
https://isc.sans.edu/podcastdetail/9532
Hiding Payloads in Linux Extended File Attributes
Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data.
https://isc.sans.edu/diary/Hiding+Payloads+in+Linux+Extended+File+Attributes/32116
Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282
An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco’s Identity Services Engine.
Oracle Critical Patch Update
Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher.
https://www.oracle.com/security-alerts/cpujul2025.html
Broadcom releases VMware Updates
Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools.
SANS Internet Storm Center StormCast Thursday, July 17, 2025
catbox.moe abuse; Sonicwall Attacks; Rendering Issues
https://isc.sans.edu/podcastdetail/9530
More Free File Sharing Services Abuse
The free file-sharing service catbox.moe is abused by malware. While it officially claims not to allow hosting of executables, it only checks extensions and is easily abused
https://isc.sans.edu/diary/More+Free+File+Sharing+Services+Abuse/32112
Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
A group Google identifies as UNC6148 is exploiting the Sonicwall SMA 100 series appliance. The devices are end of life, but even fully patched devices are exploited. Google assumes that these devices are compromised because credentials were leaked during prior attacks. The attacker installs the OVERSTEP backdoor after compromising the device.
Weaponizing Trust in File Rendering Pipelines
RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust mechanisms and background processing in file systems, email clients, antivirus tools, and graphical user interfaces to deliver payloads without requiring any user interaction.
https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/
SANS Internet Storm Center StormCast Wednesday, July 16, 2025
ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions
https://isc.sans.edu/podcastdetail/9528
Keylogger Data Stored in an ADS
Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data
https://isc.sans.edu/diary/Keylogger+Data+Stored+in+an+ADS/32108
Malvertising Homebrew
An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker’s GitHub repo.
https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc
CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM
LRQA have discovered a critical unauthenticated remote code execution (RCE) vulnerability in the Broadcom Symantec Altiris Inventory Rule Management (IRM) component of Symantec Endpoint Management.
https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/
Code highlighting with Cursor AI for $500,000
A syntax highlighting extension for Cursor AI was used to compromise a developer’s workstation and steal $500,000 in cryptocurrency.
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/