SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsThis week, Cisco published security advisories addressing 17 CVEs. Of those, three are known to be actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has added two of these vulnerabilities – both of which affect Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) – to the Known Exploited Vulnerabilities database: a buffer overflow vulnerability (CVE-2025-20333) and a missing authorization vulnerability (CVE-2025-20362). Cisco has released updates to address both the vulnerabilities, and both have immediate KEV mitigation deadlines. A third actively exploited flaw, a stack-based buffer overflow vulnerability (CVE-2025-20352) exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco's IOS and IOS XE software. Cisco notes that an authenticated remote attacker with low privileges could exploit the flaw to create denial-of-service conditions on vulnerable devices running Cisco IOS and IOS XE software, and an authenticated remote attacker with high privileges could exploit the flaw to execute code with root privileges on vulnerable devices running Cisco IOS XE software. The issue affects all versions of SNMP. Users are urged to update to fixed versions of Cisco IOS and IOS XE software. While there are no workarounds for this vulnerability, Cisco's security advisory does include a mitigation for users unable to update their software immediately.
CVE-2025-20333, ASA and FTD buffer overflow vulnerability, and CVE-2025-20362 ASA and FTD missing authorization vulnerability, were both added to the KEV yesterday with due dates of today, September 26th. Generally, KEV entries don't have an overnight due date, making this a call for immediate action. Irrespective of being an agency held to the KEV requirement, leverage ED 25-03 (link below) for instructions on detecting compromised devices as well as mitigation actions. Note older ASA devices which are out of support before 9/30/25 need to be decommissioned as there is no effective fix or workaround.
No vendor gets a pass on this. If you're a Cisco customer on either FTD or ASA you should patch now. I would even say just patch to the latest recommended build if you haven't done this in a while.
This is one of the times that the “hard to move objection” (network down time) needs to be overcome by the irresistibly forceful need to mitigate the risk of much longer down time.
NextGov/FCW
BleepingComputer
CISA
The Register
Ars Technica
Help Net Security
Cisco
Cisco
NIST
NIST
NIST
Following several 2025 supply chain attacks in which GitHub compromises were leveraged to attack the npm ecosystem, GitHub is announcing changes to its authentication and publishing processes. Local publishing will require FIDO-based two-factor authentication (2FA); all access tokens will become "granular," with specifically delimited permissions and 7-day lifetimes; and publishers will be strongly encouraged to configure the Trusted Publishers security capability, which authenticates publishing by "exchanging OIDC identity tokens for short-lived and tightly scoped API tokens for authenticating with package repository publishing APIs," removing reliance on longer-lived and highly privileged API tokens. The eligible providers for trusted publishing will also be expanded. GitHub will deprecate legacy classic tokens and time-based one-time password (TOTP) 2FA; enforce short expirations for granular tokens with publishing permissions; disallow tokens by default for publishing access; and remove the option to bypass 2FA for local package publishing. Maintainers in npm are urged to use trusted publishing, require 2FA for all writes and publishing actions, and use WebAuthn instead of TOTP when configuring 2FA.
GitHub made some great moves to drive secure authentication practices, but it's ultimately up to the software publishers and consumers to adopt, implement, and enforce those practices. See also: shared responsibility model.
GitHub is rolling the changes gradually to minimize impact. Even so, have package maintainers implement trusted publishing instead of tokens, update publishing settings to require 2FA for publishing actions or writes, and change 2FA to use WebAuthn now.
NPM is a broken system from a security standpoint. We all know this, but we are also probably very unsure as to how to fix this. I'm glad GitHub is taking steps, but architecturally NPM is scary.
Good to see continued momentum in deprecating weak authentication and forcing movement to phishing-resistant forms. I’d like to see cyber insurance policies require this or at least charge much higher rates/riders for lack of strong authentication.
GitHub has always had an authentication problem. For the last year they have even been aware of the problem. If Microsoft can force strong authentication on its users, GitHub can and should. Just for example, passkeys, Microsoft's strong authentication choice, are sufficiently more secure and more convenient to justify the one-time inconvenience of initialization.
GitHub Blog
The Register
BleepingComputer
The Hacker News
SecurityWeek
Following pressure from a European consumer protection organization, Microsoft has agreed to offer one year of free Extended Security Updates (ESU) for Windows 10 users in the European Economic Area (EEA), which comprises all 27 European Union (EU) member states, as well as Iceland, Liechtenstein, and Norway. In a letter to Microsoft. Luxembourg-based Euroconsumers writes that they are "pleased" with the plan, noting they "are also glad this option will not require users to back up settings, apps, or credentials, or use Microsoft Rewards, ... as linking access to essential security updates to engagement with Microsoft's own services raised reasonable doubt of compliance with obligations under Article 6(6) of the DMA." In the same letter, Euroconsumers also expresses concern about the "short-term measure [which] falls short of what consumers can reasonably expect for a product that remains widely used and does not align with the spirit of the Digital Content Directive (DCD), nor the EU’s broader sustainable goals," as upgrading to the Windows 11 operating system requires a hardware upgrade as well.
Note that the EEA users must enroll their systems in Microsoft Support and be signing into their system with a Microsoft Account (MSA). If they log out of the account for 60 days, the process will need to be repeated (login and re-enroll) to continue to receive updates. As we approach zero hour for Windows 10 support, you should have your plan well in hand. Now's the time to motivate users who have replacement systems but who have not taken steps to finalize the transition, to do so. Don't overlook OT/ICS systems which won't be available with Windows 11 options for a while, so other mitigations are needed.
Good reminder to make sure you have an accurate inventory of Windows 10 PCs at work and a plan for upgrading/replacing/signing up for ESU. Home PCs have to wait until Windows Update enables ESU – remote users should be warned and educated about the options available from Microsoft – a free ESU option requires backing up to OneCloud first, which opens up data disclosure issues.
To me the end of Windows 10 felt rushed compared to other builds that had a large install base. I think there are many schools of thought on this. The story is one to watch as we will see many unsupported builds in the near future, I'm sure.
Well, if it’s good enough for Europe, why not make it available globally? I mean c’mon Europe, Windows 10 has been out for ten years, you must have upgraded hardware at least once in that timeframe. The average for upgrades is 3-5 years. Windows 11 has been available for four years now. Pssst, I’ll let you in on a little secret: upgrading to the latest equipment (HW/SW) also has security benefits. Kudos to MSFT, I guess, for extending one more year.
Microsoft is being dragged, screaming and kicking, to a good place, a defensible position.
Euroconsumers
Engadget
The Verge
BleepingComputer
Windows Central
Consumer Reports
Earlier this week, SonicWall released a firmware update that should help users remove rootkit malware that was deployed in attacks against SonicWall Secure Mobile Access (SMA) 100 series appliances over the past several months. In July, the Google Threat Intelligence Group wrote that threat actors had been exploiting an until-then unknown backdoor in end-of-life SonicWall SMA 100 appliances and deploying rootkit malware dubbed OVERSTEP. The malware establishes a reverse shell on compromised devices, exfiltrates sensitive information, and helps intruders maintain persistent access. In a September 22 advisory, SonicWall "strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."
With the release of this update, you'd be hard pressed to defend not updating affected devices to 10.2.2.2-92sv. Then, follow the steps in SonicWall's advisory for addressing rootkits and other critical vulnerabilities in their SMA 100 series appliances, which include rebuilding and hardening steps.
The Register
BleepingComputer
SonicWall
SalesForce has released updates to address "a critical ... vulnerability chain in Salesforce Agentforce." The issue, which was detected by researchers at Noma Labs in late July, could potentially be exploited "to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection." The issue affects organizations that use the SalesForce customer relationship management (CRM) platform with Web-to-Lead functionality enabled. Organizations are advised to apply actions recommended by Salesforce; audit lead data for unusual or suspicious submissions; implement strict input validation; and sanitize data from untrusted sources.
LLM chatbots are notoriously difficult to secure. We pentesters have myriad methods to bypass input and output filtering, system prompts, and other controls. Any organization giving such systems access to sensitive information must understand the risk they are accepting.
The actions include enforcing trusted URLs for Agentforce and Einstein AI; auditing all existing leads for suspicious instructions or formatting which could be used for prompt injection; implementing strict input validation and prompt injection detection on user-controlled data fields; and sanitizing data from untrusted sources.
Lots of AI prompt injection vulnerabilities showing up in smaller market share business software, not just Salesforce. Check all use of AI for assurances of mitigation of this threat.
Noma
The Hacker News
Infosecurity Magazine
Salesforce
SolarWinds has released a hot fix to address a critical unauthenticated AjaxProxy deserialization remote code execution vulnerability (CVE-2025-26399) in Web Help Desk. In their security advisory, SolarWinds notes that "this vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986." The first hotfix, for CVE-2024-28986, was released in August 2024; the CVE was later added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Users are urged to update to SolarWinds Web Help Desk 12.8.7 HF1.
Let's hope the third time is the charm. Regardless, you need to apply the update, as the SolarWinds Web Help Desk is still a target, due to the prior issues, and CVE-2025-26399 has a CVSS score of 9.8. Also investigate not only limiting access to your Web Help Desk, but also having some level of WAF protecting it.
There’s an old saying “Fool me once with patch bypassing of a 9.8 CVE flaw in my product, shame on you. Fool me twice, shame on me.” I’d like to see communications from Solar Winds CEO on a priority effort to fix obviously broken product release quality testing.
Practice makes perfect – well, at least let’s hope so. In the meantime, SolarWinds might want to invest in some root cause analysis training. For users, given that SolarWinds has been exploited in the past, prioritize this at the top of the patch list.
The Register
Help Net Security
SecurityWeek
SolarWinds
ZeroDay Initiative
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory summarizing CISA's response to and lessons learned from a cybersecurity incident at a U.S. federal civilian executive branch (FCEB) agency in July and August 2024. The unnamed agency discovered the attack when its endpoint detection and response (EDR) tool generated an alert, which CISA determined was approximately three weeks after a threat actor first compromised the agency by exploiting a critical flaw in GeoServer, an open-source server application for handling geospatial data. CVE-2024-36401, CVSS score 9.8, allows an unauthenticated attacker to achieve remote code execution (RCE) by crafting input that receives unsafe XPath evaluation. CISA identified three major shortfalls: first, the agency did not remediate vulnerabilities promptly. The threat actor compromised two GeoServers using CVE-2024-36401, despite the flaw having been disclosed 11 days before the first compromise and 25 days before the second, including appearing in the Known Exploited Vulnerabilities (KEV) catalog four days after the first compromise. Second, the agency's incident response plan (IRP) was untested and incomplete, which "delayed certain elements of CISA’s response as the IRP did not have procedures for involving third-party assistance or for granting third-party access to their security tools." Third, EDR was not comprehensively implemented and the agency did not continuously review EDR alerts, allowing three weeks of undetected intrusion. Based on this investigation, CISA offers recommendations for improving security posture: establish a properly-prioritized vulnerability management program; "maintain, practice, and update cybersecurity IRPs"; implement and centrally aggregate comprehensive and detailed logs; require phishing-resistant MFA, and implement allowlisting.
The lessons learned here could easily apply to any of us. Make sure that you're applying updates, not only OS but also application, in a timely fashion, that your EDR is comprehensively deployed, and that alerts are monitored (and acted on). Have you tested your incident response plan? If so, to what extent have you done a physical rebuild? Or called your partners, including law enforcement, to verify you know each other? If you answer to any of these is negative, you've got homework. Lastly, phishing-resistant MFA, logging/monitoring, and allowlisting (not just execution but also access controls) need to be table stakes.
A few comments: first, vulnerability management (CIS CSC7). This takes on greater urgency given recent reporting where researchers have demonstrated using AI to generate proof of concept exploit code in as little as 15 minutes. Automate the process where possible. Second, audit log management (CIS CSC8), another control that simply must be done. Yes, it requires active analysis to detect potential attacks. And third, incident response and management (CIS CSC17). Regular training for incident response teams and communication are both crucial. Sadly, this compromise was preventable.
Take heed. These issues are not isolated to the one unnamed agency.
The UK's National Crime Agency has announced the arrest of "a man in his forties in West Sussex" in connection with the ransomware attack on Collins Aerospace Multi-User System Environment (MUSE) software that caused major disruptions to several EU airports, including Heathrow in London, starting September 19, 2025. The suspect was arrested on suspicion of violating the Computer Misuse Act, but has been released on conditional bail. Meanwhile, RTX (formerly Raytheon Technologies), the parent conglomerate owning Collins Aerospace, has filed form 8-K with the US Securities and Exchange Commission (SEC), disclosing their September 19 discovery of ransomware on systems supporting MUSE software, a product RTX describes as allowing "multiple airlines to share check-in and gate resources at airports, including baggage handling." Upon detection, RTX assessed and worked to contain and remediate the incident per the company's incident response plan, notifying domestic and international authorities and continuing to investigate with the aid of third-party cybersecurity experts. RTX does not believe the incident will have a material impact; the company says it is communicating with customers to provide support and guidance, noting that those affected "have shifted to back-up or manual processes and have experienced certain flight delays and cancellations." As of this writing, airports are still waiting on RTX and Collins to restore systems. Cybersecurity experts Kevin Beaumont and Dominic Alvieri have noted on social media and to news sources that evidence suggests the ransomware involved is HardBit.
An interesting twist to the HardBit ransomware is that there doesn't appear to be a site where they name victims and leak data. Harder still is that restoration efforts are being hampered by reinfection of restored systems. No matter how much pressure and temptation you have to get systems restored immediately (if not sooner), unless you have the attack vector(s) neutralized, you're going to be looping.
The coppers got their man, well done. It would be great if during the investigation they share details on how the evildoer was able to elevate privileges and exploit the system. Somehow, I suspect, RTX will skip those details in future 8-K guidance.
NCA
SEC
BBC
The Record
SecurityWeek
SecurityWeek
The Register
The US Secret Service has published a press release announcing their dismantling and ongoing investigation of a network comprising "300 co-located SIM servers and 100,000 SIM cards across multiple sites" in New York, New Jersey, and Connecticut. These SIM farm facilities were all located within 35 miles of the headquarters of the United Nations in Manhattan; the Secret Service's announcement comes during the high-level week of the UN General Assembly's 80th session currently underway. Matt McCool, Special Agent In Charge of the Secret Service's New York Field Office, suggests a connection between the equipment and "multiple telecommunications-related imminent threats directed towards senior US government officials this spring." McCool alleges that the system had "potential to disable cell phone towers and essentially shut down the cellular network in New York City," and may have facilitated communication between "potential threat actors and criminal enterprises [...] [including] cellular communications between foreign actors and individuals that are known to federal law enforcement." WIRED notes that the capabilities of SIM farms include "everything from spam to swatting to fake account creation and fraudulent engagement with social media or advertising campaigns." The equipment and data are still under forensic examination.
There is some debate over what the SIM farm’s intended use was. The farm was a collection of computers each with at least 128 SIM cards and 32 baseband radios, likely running Linux. Whether disrupting cell service or normal criminal activity of spamming SMS messages or relaying international calls giving them a domestic caller ID, shutting down this operation and others like it is a score for the good guys. One hopes that in the future the Secret Service will be able to help locate and decommission similar operations.
The Secret Service press release ends with “This is an ongoing investigation.” Part of the investigation needs to be why threat actors were able to do this and what actions the FCC should take to force the telecom networks to raise the bar on cellular network security. Simple example: the FCC publishes list of bogus area codes used in “One ring scam.” Why are known bogus/evil area codes (and other known malicious content) allowed to show up on our phones, or even initiate a network call at all?
A lot of lessons learned here, unfortunately some we continue to learn. It just feels like the telecom industry and associated standards bodies could do more to combat these threats. In the meantime, kudos to law enforcement for removing the threat.
Secret Service
WIRED
The Register
The Record
CyberScoop
SecurityWeek
SANS Internet Storm Center StormCast Friday, September 26, 2025
Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details
https://isc.sans.edu/podcastdetail/9630
Webshells Hiding in .well-known Places
Our honeypots registered an increase in scans for URLs in the .well-known directory, which appears to be looking for webshells.
https://isc.sans.edu/diary/Webshells+Hiding+in+wellknown+Places/32320
Cisco Patches Critical Exploited Vulnerabilities
Cisco released updates addressing already-exploited vulnerabilities in the VPN web server for the ASA and FTD appliances.
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB (CVE-2025-20333)
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW (CVE-2025-20362)
XCSSET Evolves Again
Microsoft detected a new XCSSET variant, an infostealer infecting X-Code projects.
Exploitation of Fortra GoAnywhere MFT CVE-2025-10035
watchTowr analyzed the latest GoAnywhere MFT vulnerability and exploits used against it.
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/
SANS Internet Storm Center StormCast Thursday, September 25, 2025
Hikvision Exploits; Cisco Patches; SonicWall Anti-Rootkit Patch; Windows 10 Support
https://isc.sans.edu/podcastdetail/9628
Exploit Attempts Against Older Hikvision Camera Vulnerability
Our honeypots observed an increase in attacks against some older Hikvision issues. A big part of the problem is weak passwords, and the ability to send credentials as part of the URL.
https://isc.sans.edu/diary/Exploit+Attempts+Against+Older+Hikvision+Camera+Vulnerability/32316
Cisco Patches Already Exploited SNMP Vulnerability
Cisco patched a stack-based buffer overflow in the SNMP subsystem. It is already exploited in the wild, but requires admin privileges to achieve code execution.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
SonicWall Anti-Rootkit Update
SonicWall released a firmware update for its SMA100 devices specifically designed to eradicate a commonly deployed rootkit.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0015
Extended Windows 10 Support
Microsoft will extend free Windows 10 essential support for US and European customers.
https://www.straitstimes.com/world/united-states/microsoft-offers-no-cost-windows-10-lifeline
SANS Internet Storm Center StormCast Wednesday, September 24, 2025
DoS against the Analyst; GitHub Improvements; SolarWinds and Supermicro BMC vulnerabilities
https://isc.sans.edu/podcastdetail/9626
Distracting the Analyst for Fun and Profit
Our undergraduate intern, Tyler House analyzed what may have been a small DoS attack that was likely more meant to distract than to actually cause a denial of service
https://isc.sans.edu/diary/Guest+Diary+Distracting+the+Analyst+for+Fun+and+Profit/32308
GitHub’s plan for a more secure npm supply chain
GitHub outlined its plan to harden the supply chain, in particular in light of the recent attack against npm packages
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
SolarWinds Web Help Desk AjaxProxy Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2025-26399)
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399
Vulnerabilities in Supermicro BMC Firmware CVE-2025-7937 CVE-2025-6198
Supermicro fixed two vulnerabilities that could allow an attacker to compromise the BMC with rogue firmware.
https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
Browse ArchiveWebcast | SANS CloudSecNext Summit Solutions Track 2025 | Friday, October 3, 2025 at 10:00AM MT Explore cutting-edge cloud security tools and walk away with real-world strategies to implement immediately in your environment.
Webcast | Modernizing OT Security | Wednesday, October 1, 2025 at 10:30AM ET Hear from SANS experts Tim Conway & Jason Dely on how Digital Twin Technology, AI and Threat Emulation are being utilized to transform OT defense and compliance readiness.
Webcast | Continuous Penetration Testing: Closing the Gaps Between Threat and Response | Thursday, October 23, 2025 at 10:30AM ET Discover how ongoing testing exposes blind spots traditional assessments miss—keeping your defenses sharp year-round.
Webcast | Fall Cyber Solutions Fest 2025: Cloud Identity & Access Management Track | Wednesday, November 5, 2025 at 9:30AM ET Learn how organizations are tackling identity sprawl, securing access, and implementing Zero Trust across complex cloud environments.