Following an alleged threat actor’s social media and email claims of data theft from Red Hat, the software company has stated to news sources, "[We are] aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," also clarifying that the incident "is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub." The Centre for Cybersecurity Belgium (CCB) has published an advisory containing more details, informing Belgian organizations that a data breach at Red Hat Consulting Services compromised "repositories containing Customer Engagement Reports (CERs)" which may include network information, authentication tokens and keys, configuration data, and other details. Red Hat has not publicly commented on these details. The CCB warns of "high risk" to organizations who have interacted with Red Hat Consulting and shared credentials, tokens, or configuration data; those who have implemented integrations involving Red Hat systems; and those who have used Red Hat Consulting services or worked with third-party providers who have, posing a supply chain risk. The CCB advisory recommends that organizations revoke and rotate tokens, keys, and credentials; consult third parties about possible exposure; contact Red Hat directly for guidance; and "increase Monitoring of authentication events, API calls, and system access for anomalies." Unrelatedly, Red Hat also recently disclosed and patched CVE-2025-10725, a CVSS 9.9 flaw in its OpenShift AI platform that allows "a low-privileged attacker with access to an authenticated account" to achieve "a total breach of the platform and all applications hosted on it" by escalating privileges to a full cluster administrator.
You may want to revoke all credentials/keys and tokens shared with Red Hat or used in integrations and work to get them re-issued. If you’re using OpenShift AI or just want to up your game on cluster privileges, you want to remove the ClusterRoleBinding which links the kueue-batch-user-role to the system:authenticated group, which means you’re going to need to re-grant permission to create jobs to specific users or groups, only as-needed.
Center for Cybersecurity Belgium
Dark Reading
Bleeping Computer
The Register
The Register
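Added example, not from Red Hat, the CCB, or the NewsBites editors: a small audit that reads ClusterRoleBinding JSON and lists every binding that grants a role to system:authenticated, with the kueue-batch-user-role binding from the note above sorted first. It goes slightly beyond that note by reporting other roles bound to the same group; the binding names, the `example-viewer` role and the `ml-batch-users` group in the sample are constructed.

```python
import json

PAGE_ROLE = "kueue-batch-user-role"   # role named in the note above
BROAD_GROUP = "system:authenticated"  # group named in the note above

# Constructed sample in the shape of `oc get clusterrolebindings -o json`.
# Binding names, "example-viewer" and "ml-batch-users" are made up.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "example-kueue-batch-binding"},
     "roleRef": {"kind": "ClusterRole", "name": PAGE_ROLE},
     "subjects": [{"kind": "Group", "name": BROAD_GROUP}]},
    {"metadata": {"name": "example-viewer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-viewer"},
     "subjects": [{"kind": "Group", "name": BROAD_GROUP}]},
    # The narrow form: job-creation rights re-granted to one named group.
    {"metadata": {"name": "example-team-jobs"},
     "roleRef": {"kind": "ClusterRole", "name": PAGE_ROLE},
     "subjects": [{"kind": "Group", "name": "ml-batch-users"}]},
    # Bindings can legitimately carry no subjects at all.
    {"metadata": {"name": "example-empty"},
     "roleRef": {"kind": "ClusterRole", "name": "example-viewer"},
     "subjects": None},
]})


def broad_bindings(crb_json, group=BROAD_GROUP):
    """Return (binding, role, is_page_role) for each binding granted to `group`.

    Bindings of the role named in the note above are listed first.
    """
    findings = []
    for item in json.loads(crb_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        for subject in item.get("subjects") or []:  # absent or null subjects
            if subject.get("kind") == "Group" and subject.get("name") == group:
                findings.append((item["metadata"]["name"], role, role == PAGE_ROLE))
                break
    return sorted(findings, key=lambda f: (not f[2], f[0]))


if __name__ == "__main__":
    for binding, role, is_page_role in broad_bindings(SAMPLE):
        marker = "REVIEW FIRST" if is_page_role else "review"
        print(f"[{marker}] {binding}: {role} -> {BROAD_GROUP}")
```

On a live cluster, replace `SAMPLE` with the saved output of `oc get clusterrolebindings -o json`.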
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the command line utility sudo, used in Linux and Unix-like operating systems including macOS, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-32463, CVSS score 9.3, allows a local attacker not listed in the permitted sudoers file to run arbitrary commands as root by leveraging the -R (--chroot) option to load /etc/nsswitch[.]conf from a user-controlled directory. Rich Mirch with the Stratascale Cyber Research Unit (CRU) originally discovered and reported the flaw, which was patched and publicly disclosed in June 2025 as of sudo 1.9.17p1, with a proof of concept exploit published in July. Federal Civilian Executive Branch agencies are required to patch this vulnerability by October 20.
This impacts sudo 1.9.14 to 1.9.17 on systems that support /etc/nsswitch[.]conf. Not all Linux distributions are on impacted versions, so you may catch a break; still check, don't assume. A change was made in sudo 1.9.14 to resolve paths via chroot() while the sudoers file was still being evaluated, and if the chroot directory has an /etc/nsswitch[.]conf and corresponding (bogus) libraries/files, these are processed rather than the system defaults. This change was reverted in 1.9.17p1 and the chroot function of sudo is marked as deprecated.
CISA
Bleeping Computer
The Hacker News
SecurityWeek
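Added example, not from CISA, the sudo project, or the NewsBites editors: a triage helper that applies the version range stated above (1.9.14 through 1.9.17 affected, 1.9.17p1 fixed) to the first line of `sudo -V` output collected from a fleet. The host names and inventory lines are constructed; the status labels are this example's own.

```python
import re

AFFECTED_MIN = (1, 9, 14, 0)  # first affected release, per the note above
FIXED = (1, 9, 17, 1)         # 1.9.17p1, the release that reverted the change

# First line of `sudo -V`, e.g. "Sudo version 1.9.16p2".
_VERSION = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, p-level) or None if no version is found."""
    match = _VERSION.search(text)
    if match is None:
        return None
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def classify(sudo_v_output):
    """Classify by upstream version string only.

    Caveat: a distribution may ship the fix under an older upstream version
    number, so "affected" means "check the vendor advisory for this package",
    and "unknown" means the version line could not be read.
    """
    version = parse_sudo_version(sudo_v_output)
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version < FIXED:
        return "affected"
    return "outside-range"


def triage(inventory_lines):
    """Map host -> status for lines of the form '<host> <sudo -V first line>'."""
    results = {}
    for line in inventory_lines:
        host, _, rest = line.strip().partition(" ")
        if host:
            results[host] = classify(rest)
    return results


# Constructed inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = [
    "build01 Sudo version 1.9.13p3",
    "web01 Sudo version 1.9.15p5",
    "web02 Sudo version 1.9.17",
    "db01 Sudo version 1.9.17p1",
    "legacy01 Sudo version 1.8.31",
    "edge01 sudo: command not found",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```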
The US Cybersecurity and Infrastructure Security Agency (CISA) has ended its "cooperative agreement with the Center for Internet Security (CIS) [as of] September 30, 2025." CIS president and CEO John Gilligan told The Register that "CIS has been informed that the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have chosen not to renew federal funding that for the past 20 years has supported the MS-ISAC’s (Multi-State ISAC's) highly effective work to increase the security resilience for state, local, tribal, and territorial (SLTT) organizations," adding that "CIS remains committed to the SLTT community. The new fee-based membership model for the MS-ISAC will permit it to continue to deliver high-impact cybersecurity services including threat intelligence in a variety of forms and formats, best practices and collaboration opportunities, and effective monitoring, blocking, and response to cyber attacks." CISA says it plans to support state, local, tribal, and territorial (SLTT) governments through access to grant funding from the Department of Homeland Security (DHS) and other services.
I don't understand how defunding the most effective SLTT platform (MS-ISAC) empowers anyone at the state, local, territorial, and tribal level. 😒 Kudos to CIS for pushing forward with scalable member dues. Here's hoping they can continue their critically important work without direct federal funding!
MS-ISAC is operated by CIS, which announced a fee-based model on September 1, with existing benefits to expire October 1; to continue services, you need to sign up for the fee-based service post-haste. The services include threat intelligence, incident response and forensic services, malicious domain blocking and reporting, annual self-assessments, and SOC services, and are well worth the investment. This, mixed with CISA's announcement to provide grants to SLTT organizations, may provide grants to offset the costs of the fee-based services; expect some complexities until the current shutdown is resolved.
In complete transparency, I am a CIS employee. Unfortunately, one of the support tools referenced by CISA, the State and Local Cybersecurity Grant Program (SLCGP) also lapsed on 1 October. That said, it is heartening to hear that CIS will continue to serve as the ISAC for the SLTT community, providing cybersecurity services.
StateScoop
The Register
Help Net Security
CIS Security
CISA
Earlier this week, Broadcom released two advisories to address a total of six vulnerabilities. The first advisory, VMSA-2025-0015, addresses three vulnerabilities in VMware Aria Operations and VMware Tools: a local privilege escalation vulnerability (CVE-2025-41244); a VMware Aria Operations information disclosure vulnerability (CVE-2025-41245); and a VMware Tools improper authorization vulnerability (CVE-2025-41246). Researchers at NVISO say that CVE-2025-41244 has been exploited as a zero-day vulnerability since mid-October 2024. The second advisory, VMSA-2025-0016, addresses three vulnerabilities in VMware vCenter and NSX: a vCenter SMTP header injection vulnerability (CVE-2025-41250); an NSX weak password recovery mechanism vulnerability (CVE-2025-41251); and an NSX username enumeration vulnerability (CVE-2025-41252). Affected products include VMware NSX, NSX-T, VMware Cloud Foundation, VMware vCenter Server, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure. All three flaws are rated high severity. Broadcom was alerted to the vulnerabilities by the US National Security Agency.
Don't overlook the update to VMware Tools on Windows guests, particularly if you're still on version 11; move to 12.5.4 or better still 13.0.5.0. The updates are more friendly than the workarounds, where they apply.
Broadcom
Broadcom
Security Week
SC Media
NVISO
The OpenSSL project has released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd of the OpenSSL Library to address three vulnerabilities: CVE-2025-9230, a moderate severity out-of-bounds read/write issue that can be exploited for arbitrary code execution or DoS attacks; CVE-2025-9231, a moderate severity timing side-channel in the SM2 algorithm implementation on 64 bit ARM platforms that could potentially allow remote recovery of the private key; and CVE-2025-9232, a low severity out-of-bounds read issue that can trigger a crash, leading to denial-of-service conditions. Users are urged to update to fixed versions of OpenSSL.
Deploy updated OpenSSL libraries as they become available for your platforms. The CMS messages in CVE-2025-9230 and SM2 keys in CVE-2025-9342 are not commonly used, but you still want to roll the updated code when it's available as they can be added and exploited.
The US National Institute of Standards and Technology's (NIST's) National Cybersecurity Center of Excellence (NCCoE) has published guidance for reducing the cybersecurity risks of portable storage media in OT environments. The document focuses primarily on USB devices, but also addresses external hard drives and CD and DVD drives. "The NCCoE has developed cybersecurity considerations to be integrated into a broader cybersecurity risk management program to help OT personnel use portable storage media securely and effectively," including procedural, physical, and technical controls, and transport and sanitization recommendations.
Media transfer is the most effective way to get malware to air-gapped systems, and many of you have already implemented controls for scanning and restricting which media can be used. Even so, read NIST SP 1334 (it's only two pages) to make sure you're not missing any tricks. You may want to not only restrict media inserted in your OT systems but also configure your traditional IT systems to only accept approved media; your EDR is likely already able to both restrict and scan removable media. Investigate media transfer stations which scan and transfer information from unsafe media to approved devices.
The European Union Agency for Cybersecurity (ENISA) has published the ENISA Threat Landscape 2025 report. The report analyzes nearly 4,900 cyber incidents affecting European organizations between July 2024 and June 2025. Among the findings: the most common initial infection vector was phishing (60%), followed by vulnerabilities (21.3%), botnets (9.9%), and malicious applications (8%). The majority of incident types were identified as DDoS (76.7%), followed by intrusion (17.8%), and the distribution of threats was headed by mobile (42.4%), then web threats (27.3%), operational technology (18.2%), and supply chain (10.6%). The report "integrates additional analysis of adversary behaviours, vulnerabilities and geopolitical drivers, aimed at both strategic and operational audiences, offering an actionable perspective on trends shaping the EU’s cyber threat environment."
The report reinforces your work on phishing and DDoS protections; expenditures for mobile device security and that your OT systems are targets. Read the report to make sure that you're ready for the current techniques; the use of AI makes things a little different. For example, expect increasingly sophisticated phishing, with some of our old giveaways becoming a thing of the past.
Three North American companies that experienced data breaches in the summer of 2025 have filed reports with the Office of the Maine Attorney General and are sending notification letters to those affected. Calgary-based airline WestJet discovered unauthorized access to their systems on June 13; they immediately secured their environment, notified authorities, and began investigating with the aid of internal and external experts. WestJet's analysis of the breach concluded on September 15 and determined that 1.2 million individuals' data may have been compromised, including "name, date of birth, [and] mailing address," as well as information about travel documents, accommodations, and complaints. While "no credit card or debit card numbers, expiry dates or CVV numbers or account passwords were involved," WestJet credit card identifier type and WestJet Rewards ID number and points balance along with associated account information, excluding passwords, may also be compromised. The airline recommends affected customers notify others who may have traveled under the same booking number. WestJet is offering 24 months of free identity theft and monitoring through myTrueIdentity, including proactive fraud assistance and expense reimbursement insurance. On July 16, a threat actor breached a third-party cloud customer relationship management (CRM) system used by insurance company Allianz Life; Allianz immediately contained and mitigated the attack, and has found no evidence that Allianz's own network or company systems were accessed. Investigation revealed that information belonging to nearly 1.5 million "customers, financial professionals, and select Allianz Life employees" may have been compromised, including "name, address, date of birth and Social Security number." Allianz is offering 24 months of identity monitoring through Kroll.
On August 19, vehicle dealership software developer Motility detected unauthorized access to their servers by a threat actor who exfiltrated customer data before encrypting a portion of the company's systems. Motility implemented preventative security measures, restored systems from backups, established dark net monitoring, and engaged experts and legal counsel. Investigation determined that 766,670 customers' information was affected, including "full name, postal address, e-mail address, telephone number, date of birth, social security number, and driver’s license number." Motility is offering 12 months of free identity monitoring services through LifeLock.
This boils down to about 3.7 million breach notices being sent. Not necessarily the start to fall you're expecting. Your ID Protection service likely already emailed you a heads up, particularly if you're impacted, so make sure your notifications are configured if it didn't. For the enterprise, take a look at the steps Motility took; you should be set to do all the same things. Verify the team is on the same page and prepared.
I realize that I may sound like a broken record but the length of time from determination of security breach to victim notification is still too great. A security incident investigation taking between 2-4 months leaves ample time for the evildoer to monetize the data. Offering identity theft and monitoring service is a start but not a solution when the bad guy has a 60-120 day head start.
Maine AG
Maine AG
Maine AG
The Register
The Record
Bleeping Computer
Bleeping Computer
SecurityWeek
The UK Government has reportedly issued a second Technical Capability Notice (TCN) to Apple under the country's Investigatory Powers Act, once again demanding the right to access users' encrypted data, but this time limiting the scope to users in the UK. While the Home Office and Apple are not legally permitted to comment, the Financial Times and BBC report that this new notice "targeting only British users’ data" may represent a compromise following January 2025's TCN targeting all Apple users -- also initially neither confirmed nor denied -- which was withdrawn in August according to US Director of National Intelligence Tulsi Gabbard. Since February, Apple has rescinded and disabled Advanced Data Protection (ADP) encryption for UK users, even after the alleged withdrawal. During an April appeal hearing for the first TCN, the Investigatory Powers Tribunal ruled that the government's desire to withhold the "bare details of the case" from public knowledge is not justified by the possible impacts to public interest and national security. According to the BBC, "A tribunal hearing is still due to take place in January 2026."
The upshot is that ADP is still not available to UK users. Time to read up on ADP. ADP adds end-to-end encryption to ten iCloud services on top of the base 14 where it already is. This still leaves five data sets, including Mail, Contacts, and Calendars, using standard data protection due to how they interact with other services. When enabled, Apple truly cannot restore access to your data, nor help recover your data if you lose your device. You may have a few use cases where you want to require it, such as when traveling in risky areas. It can be turned off once enabled by the user. Note that it cannot be used for managed Apple accounts and child accounts, and requires users to set up a recovery method. This would be a good time to seriously look at turning ADP on if you haven't already. ADP closes the gap on services which are not end-to-end encrypted in iCloud.
The UK Government has learned from recent global blowback and has adapted the capability notice. The primary losers in this are the UK citizens that won’t have access to advanced protection capabilities provided organically by AAPL. Other countries will likely follow the UK’s process to gain access to end-to-end encrypted data.
Ars Technica
BBC
The Guardian
TechCrunch
EFF
Emirates (UAE). The malware specimens, which are delivered through maliciously crafted web sites and social engineering, are disguised as Android Signal and ToTok apps. The spyware "exfiltrate[s] user data, including documents, media, files, contacts, and chat backups," to servers controlled by the attackers. The spyware campaigns were detected in June 2025; one appears to have been active since 2022, and the other is believed to have been active since 2024. The apps were not available in official app stores – instead, users needed to install them manually from third-party sites. One of the malicious websites is a phony version of the Samsung Galaxy Store.
The downside of unofficial app stores is that they don't have the same restrictions the official ones do, and users can be tricked into loading software under false pretenses, such as an apparently improved Signal or ToTok app. Google Protect is detecting/blocking known versions of this spyware. Even so, develop strong guidance if you are permitting unofficial app store use. Note, I had to check: they *do* mean ToTok, which is a messaging and VoIP application developed by G42 around 2019.
Seems like old tradecraft repurposed that continues to prove effective for the evildoer: website watering holes and social engineering. We continue to have a collective user awareness problem. Training can help, but ultimately secure configuration, effective patch management, and active monitoring are what's required.
SANS Internet Storm Center StormCast Friday, October 3, 2025
More .well-known Scans; RedHat Openshift Patch; TOTOLINK Vuln; DrayOS Vulnerability
https://isc.sans.edu/podcastdetail/9640
More .well-known scans
Attackers are using API documentation automatically published in the .well-known directory for reconnaissance.
https://isc.sans.edu/diary/More+wellknown+Scans/32340
RedHat Patches Openshift AI Services
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator.
https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages
TOTOLINK X6000R Vulnerabilities
Palo Alto released details regarding three recently patched vulnerabilities in TOTOLINK-X6000R routers.
https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
DrayOS Vulnerability Patched
Draytek fixed a single memory corruption vulnerability in its Vigor series router. An unauthenticated user may use it to execute arbitrary code.
https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities
SANS Internet Storm Center StormCast Thursday, October 2, 2025
Honeypot Passwords; OneLogin Vuln; Breaking Intel SGX; OpenSSL Patch
https://isc.sans.edu/podcastdetail/9638
Comparing Honeypot Passwords with HIBP
Most passwords used against our honeypots are also found in the “Have I been pwn3d” list. However, the few percent that are not found tend to be variations of known passwords, extending them to find likely mutations.
https://isc.sans.edu/diary/Guest+Diary+Comparing+Honeypot+Passwords+with+HIBP/32310
Breaking Server SGX via DRAM Inspection
By observing read and write operations to memory, it is possible to derive keys stored in SGX and break the security of systems relying on SGX.
https://wiretap.fail/files/wiretap.pdf
OneLogin OIDC Vulnerability
A vulnerability in OneLogin can be used to read secret application keys.
OpenSSL Patch
OpenSSL patched three vulnerabilities. One could lead to remote code execution, but the feature is used infrequently, and the exploit is difficult, according to OpenSSL.
https://openssl-library.org/news/secadv/20250930.txt
SANS Internet Storm Center StormCast Wednesday, October 1, 2025
Cookie Auth Issues; Western Digital Command Injection; sudo exploited
https://isc.sans.edu/podcastdetail/9636
Sometimes you don’t even need to log in
Applications using simple, predictable cookies to verify a user’s identity are still exploited, and relatively recent vulnerabilities are still due to this very basic mistake.
https://isc.sans.edu/diary/useradmin+Sometimes+you+dont+even+need+to+log+in/32334
Western Digital My Cloud Vulnerability
Western Digital patched a critical vulnerability in its “MyCloud” device.
https://nvd.nist.gov/vuln/detail/CVE-2025-30247
sudo vulnerability exploited
A recently patched vulnerability in sudo is now being exploited.