December 23, 2025 is the 10-year anniversary of the Russian cyberattack on Ukrainian electricity distribution companies. Three different energy companies were attacked, impacting about 225,000 customers. The attackers were able to breach the systems by re-using usernames and passwords obtained several months earlier via spear phishing attacks. A few months later, the Electricity Information Sharing and Analysis Center (E-ISAC) and SANS collaborated to publish a joint report and Defense Use Case (DUC) white paper analyzing the attacks. The report concludes with implications for defenders:
"The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system. Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. The impact of a similar attack may be different in other nations, but the attack methodology, Tactics, Techniques, and Procedures (TTPs) observed are employable in infrastructures around the world."
More Information:
SANS: Confirmation of a Coordinated Attack on the Ukrainian Power Grid (January 6, 2016)
www.sans.org/blog/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
SANS Industrial Control Systems Library: Analysis of the Cyber Attack on the Ukrainian Power Grid (PDF, March 18, 2016)
WIRED: The Story of Sandworm, the Kremlin's Most Dangerous Hackers (November 5, 2019)
www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/
CISA: Cyber-Attack Against Ukrainian Critical Infrastructure (Updated July 20, 2021)
www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01
CyOTE: Precursor Analysis Report: Ukraine Energy Sector Cyber Attack 2015 (PDF, June 30, 2022)
cyote.inl.gov/content/uploads/24/2025/12/CyOTE-Case-Study_Ukraine-2015.pdf
Thanks to Marcus Sachs for suggesting this retrospective.
Romania's National Cyber Security Directorate (DNSC) said that the country's water management authority, Administrația Națională Apele Române (National Romanian Waters Administration), experienced a ransomware attack that began on Saturday, December 20. The organization "oversees the country's water infrastructure, including dams, waterways, drinking water supplies, and monitoring systems." The incident affected approximately 1,000 systems, including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows servers, email/web servers, and Domain Name Servers (DNS) at Romanian Waters and 10 of the country's 11 water basin administrations. The attack is being investigated by multiple entities, including the Romanian Intelligence Service's National Cyberint Center, which says the attackers used Windows BitLocker to encrypt files on targeted machines. DNSC reports that the incident did not affect the organization's Operational Technology (OT).

From an engineering standpoint this is a reminder that IT systems are not just “supporting” systems but are part of the complete operational structure. You can keep the pumps running manually; however, if GIS, databases, DNS, and communications are down, operators are effectively flying blind. The fact that OT was untouched is good news and shows that there was some sort of logical or physical gap between IT and OT systems. That being said, resilience has to be designed across IT and OT together, because failure in one directly degrades the safe operation of the other.

The attackers used BitLocker to encrypt systems; this is likely a variant of the ShrinkLocker malware. They are neither paying nor negotiating with the attackers. That the incident didn't impact their OT systems indicates sufficient separations existed to protect them, which also means their delivery to customers isn't impacted. Further, they ask that their IT team not be contacted directly while they are recovering from the incident. These are interesting topics of conversation for your next tabletop, not only service delivery but also clearly defined POCs to avoid distracting your responders. Another interesting point is the notification makes note that they are not currently covered by the Romanian cyber security system, which provides additional protections for critical infrastructure, but that they are taking steps to correct this.
Any attack on critical infrastructure is concerning, especially drinking water. In this case, having segregated the OT and IT networks was fortuitous. Although it is being considered as a ransomware attack, one does wonder if this isn’t part of a greater gray-zone conflict given recent actions by the Romanian government. Only time will tell, as no ransomware gang has yet claimed credit.

Water systems are serious business and tend to have lagged in cybersecurity compared to other critical infrastructures. Thankfully, according to the disclosing agency, this didn’t impact their OT environment. Still, it’s a major area of concern.

While water systems are not as interconnected as electric utilities, they do share services and software.
DNSC
The Record
The Register
BleepingComputer
Proofpoint has published research describing both state-affiliated and financially-motivated phishing campaigns "using the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 user accounts by approving access for various applications." These attacks trick a target into using their Microsoft account to authenticate a legitimate OAuth device code for a device controlled by the threat actor. Some of these attacks abuse the SquarePhish2 red team tool or the Graphish phishing kit. While these techniques are well-known, by September 2025 Proofpoint "observed widespread campaigns using these attack flows, which was highly unusual. [...] It is notable to see it used increasingly by multiple threat clusters including a tracked cybercriminal threat actor." Proofpoint recommends blocking device code flow where possible or implementing Conditional Access with an allow-list; requiring sign-ins only from compliant or registered devices; and training users to be aware of device code phishing.

We’ve been including manipulation of OAuth 2.0 Device Authorization Grants in our penetration tests and red teaming for a while now, with some notable successes in gaining access through the technique. If you are a penetration tester or red teamer and these techniques aren’t in your bag of tricks, you really should consider building your skills on them to better demonstrate real-world risks that attackers are taking advantage of NOW.

We use Device Code Flow quite often, and in the last few attempts, Microsoft has enabled a default control or block for it. This is a decently smart move as it removes one of the vectors. Outside of “IT” and “highly privileged” accounts, I’m not sure who is actually using device code in Entra ID for legitimate purposes. If you haven’t tested for this, test for it and disable Device Code Flows, which is something we dive into in detail in the Cloud Penetration Testing courses.

Conditional Access (CA) is your friend here. You can use report only mode or leverage the "Policy Impact" option to see the impact against sign-in log records before enabling policy settings. Leverage CA’s ability to require compliant or domain joined devices to raise the bar on what can authenticate; you may have some exceptions here. Worst case, you can use it to identify trusted networks or IP ranges. If you're already using CA, review the implementation to see if you need to raise the bar.
M365 is and will continue to be a target of cyber criminals. Bottom line: they will do everything possible to trick a user into authenticating an account. It really comes down to user training and awareness: stop and think before clicking.

The temptation for both service providers and users to employ federated identity and authentication services is great but risky. They are attractive targets and their track record is not great.
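Proofpoint's advice above (block device code flow, or fence it with Conditional Access requiring compliant or registered devices and trusted locations) also implies a detection: device-code sign-ins that land outside those controls. The script below is an added example, not code from Proofpoint or from this NewsBites item; it triages sign-in records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol`, `deviceDetail`, `ipAddress` and `conditionalAccessStatus` fields are assumed to match that API), and the trusted ranges and sample records are constructed.

```python
"""Triage Entra ID sign-in records for OAuth 2.0 device-code sign-ins.

Added example (not from the NewsBites item or from Proofpoint). It assumes
sign-in records exported one JSON object per line in the Microsoft Graph
`signIn` shape; the trusted ranges and sample records are constructed.
"""
import ipaddress
import json
from typing import Iterable, Optional

# Constructed: egress ranges an organisation treats as trusted (the same
# ranges one would register as a Conditional Access named location).
TRUSTED_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed sample export: an ordinary browser sign-in, a device-code
# sign-in from a managed device on a trusted network (e.g. an admin using
# a CLI tool), and a device-code sign-in from an unmanaged device outside
# the trusted ranges with no Conditional Access policy applied.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "deviceDetail": {"isCompliant": true, "isManaged": true}, "conditionalAccessStatus": "success"}
{"userPrincipalName": "ops@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "deviceDetail": {"isCompliant": true, "isManaged": true}, "conditionalAccessStatus": "success"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.77", "deviceDetail": {"isCompliant": false, "isManaged": false}, "conditionalAccessStatus": "notApplied"}
"""


def is_trusted_ip(ip: str) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def triage(record: dict) -> Optional[dict]:
    """Return a finding for a device-code sign-in, or None for other protocols.

    Each reason corresponds to one of the Conditional Access controls the
    advisory recommends; a device-code sign-in that passes all of them is
    reported at "info" so the baseline of legitimate use stays visible.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    device = record.get("deviceDetail") or {}
    reasons = []
    if not device.get("isCompliant") and not device.get("isManaged"):
        reasons.append("unmanaged, non-compliant device")
    if not is_trusted_ip(record.get("ipAddress", "")):
        reasons.append("source IP outside trusted ranges")
    if record.get("conditionalAccessStatus") != "success":
        reasons.append("no Conditional Access policy applied")
    return {
        "user": record.get("userPrincipalName"),
        "app": record.get("appDisplayName"),
        "ip": record.get("ipAddress"),
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def triage_export(lines: Iterable[str]) -> list:
    """Parse a line-delimited JSON export and collect device-code findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = triage(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_export(SAMPLE_SIGNINS.splitlines()):
        detail = "; ".join(f["reasons"]) or "within policy"
        print(f"[{f['severity']}] {f['user']} -> {f['app']} from {f['ip']}: {detail}")
```

In a real deployment the same logic would run over the tenant's sign-in log export, and any "high" finding for a user who never legitimately uses CLI or device-bound tooling is worth a prompt token revocation and conversation with that user.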
WatchGuard has published a security advisory including a patch for an actively exploited critical flaw in WatchGuard Fireware OS for Firebox firewalls, affecting the Internet Key Exchange (IKE) service. CVE-2025-14733, CVSS score 9.3, allows a remote unauthenticated attacker to execute arbitrary code by exploiting an out-of-bounds write vulnerability in the OS IKED process. WatchGuard notes, "this vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured." The advisory offers four IP addresses as indicators of attack (IoAs), stating that outbound connections to these are a strong indicator of compromise. The US Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog with a patch deadline of December 26, 2025, one week from its addition. Users must update to versions 2025.1.4, 12.11.6, 12.5.15, and 12.3.1_Update4 (B728352); vulnerable version 11.x has not been resolved as it has reached end of life. Additionally, administrators must rotate all locally stored secrets on vulnerable appliances with confirmed threat actor activity.

If you're using Firebox firewalls, you have three steps. First update to the most current supported OS. Second, rotate your keys/secrets. Lastly, make sure that your threat hunters have the IoCs; this exploit isn't the holiday gift you're looking for.

It is really hard to track these edge-security device vulnerabilities. Last week at least three vendors were affected. Add a calendar reminder to check your router/firewall at least once a month to see if it needs an update (in particular for home/small business systems, which may not make the news).

You probably don’t think of WatchGuard too often in the enterprise space, but many MSPs use the systems. If you are in this group, patch your firewalls routinely.

Ugh! Another critical flaw in a security device. Very grinchy.
WatchGuard
CISA
BleepingComputer
SecurityWeek
The Hacker News
The Register
This year’s challenge covers the following topics, including grand challenges provided by Microsoft and Google: defanging IOCs, using SUDO, port discovery, forensic analysis, basic networking, firewall basics, Nmap basics, CURL basics, IDOR challenge, using POCs, Java deserialization, Quantum computing, reverse engineering, hacking SQLI, Linux and PrivEsc, and WebApp Pentesting.
The cyber range stays open year-round; the contest elements close on January 5, 2026.
The Nigeria Police Force National Cybercrime Centre (NPF-NCCC) disclosed via social media on December 18, 2025 that three suspects have been arrested in connection with the phishing-as-a-service (PaaS) scheme known as "RaccoonO365," employed for internet fraud and "targeted cyberattacks against the email systems of major corporate organisations through the deployment of phishing links and malicious software." RaccoonO365 enables the creation of counterfeit Microsoft 365 communications and login portals to deceive users and steal credentials. The NPF-NCCC collaborated with Microsoft, the FBI, and the US Secret Service to investigate and carry out an "intelligence-driven operation" leading to the three arrests and the seizure of laptops, mobile devices, and other equipment. One of the three suspects is Okitipi Samuel, believed to be the developer of RaccoonO365, but no evidence links the other two suspects to the creation or operation of the PaaS. Microsoft and Cloudflare had previously disrupted RaccoonO365 by seizing 338 domains in September 2025.

RaccoonO365 was a subscription service costing about $365/month and generally targeting 9,000 emails a day. Their fake logins were successful in thwarting some MFA protections. These arrests targeted the developer and marketing team to prevent a re-emergence of this capability under another name. What you need to do is make sure that you've implemented phishing-resistant MFA for everyone. Where you have implemented MFA, make sure it is securely implemented and doesn't permit fallback to unsecure options. Make sure that any "break-glass" accounts are really only used for that, and that the use process includes immediate credential changes.

Office365 is such a massive target, just given how many companies use it. If you are using Office — and the chances of this are high given their market share — enable phishing resistant MFA, use a secure (enterprise) browser, and make sure that you have educated your customers on what phishing attacks look like.
The US Justice Department (DoJ) has announced that a federal grand jury in Nebraska has returned indictments charging 54 individuals for activity related to an ATM jackpotting scheme. A December 9, 2025 indictment charges 22 defendants; an earlier indictment, returned on October 21, 2025, charges 32 individuals. The charges include bank fraud and conspiracy to commit bank fraud, bank burglary and conspiracy to commit bank burglary and computer fraud, damage to computers, conspiracy to provide material support to terrorists, and conspiracy to commit money laundering. The defendants allegedly manipulated automated teller machines (ATMs) to dispense cash at their will by replacing hard drives in targeted ATMs with others that contained a variant of the Ploutus malware, or by connecting an external device to the ATMs to deploy the malware.

The threat actors open the "hood" of the ATM, then watch for a response or alarm. If none results, they then continue to introduce malware which permits jackpotting. The protections for this attack fall to the institution, which needs to verify the existing security controls are working as well as look at options which include using upgraded security locks on the hood, using a hood with an interconnected security system with monitoring and alerting, or even having a 140 dB alarm right at the ATM. Other options to consider include connecting the ATM power to a remotely operable switch, turning them off after hours, and implementing shutdown options for certain tamper indicators. If your facility houses ATMs, make sure that they are not only properly secured, but also that your role in their security is understood.

Haven’t seen a jackpotting scam talked about in a long time. This one is interesting, and they are backdooring the drives of the machines with malware. This presumes that there is no BitLocker or secure boot mechanism to tamper with the systems physically. Adding or swapping a drive is a very curious thing as well.

Schemes involving tens of people are likely to be discovered and are relatively easy to prosecute. While ATMs were originally on bank premises and serviced by bankers, today they are everywhere and most are serviced by third parties. There are bound to be instances where physical security fails. While early services used proprietary hardware, software, and networks, today's systems include common hardware and Windows software, and use the public networks.
Justice
The Record
The Register
SecurityWeek
The Hacker News
Infosecurity Magazine
UK government trade minister Sir Chris Bryant has confirmed that a Foreign Office system was breached earlier this year and that they have been investigating the incident. Bryant said, “There certainly has been a hack at the FCDO [Foreign, Commonwealth and Development Office] and we’ve been aware of that since October.” The government disclosure comes in response to a news report containing unconfirmed details. The government has declined to speculate as to who is responsible for the attack or what specific information was compromised.

The Sun reports that Storm-1849, aka UAT4356, is behind the attack. This group is known for exploiting flaws in Cisco edge devices. However, there is disagreement about the accuracy of that claim. The thought exercise here is, when and what do you disclose after an attack? Consider if you want to be reacting to other information versus controlling the story. If you do need to respond to an inaccurate claim, decide ahead of time who will be speaking for you, then prep them accordingly — with a nod to Harold Ramis, you don't want to be shouting "all is well" while being trampled underfoot.
The University of Phoenix (UoPX) has begun notifying those affected by a data breach that took place on November 21, 2025, first disclosed on December 2. UoPX became aware of a flaw in Oracle E-Business Suite (EBS) and detected a cybersecurity incident underway, starting an investigation alongside third-party cybersecurity firms, notifying law enforcement and the FBI, and installing the necessary patches as well as "implement[ing] measures to enhance security and minimize the risk of a similar incident occurring in the future." Investigation has shown that an unauthorized third party exploited a zero-day vulnerability in EBS (believed to be CVE-2025-61882) and exfiltrated data between August 13 and 22, 2025. The stolen data may include "names and contact information, dates of birth, social security numbers, and bank account and routing numbers" belonging to current and former students, employees, faculty, and suppliers. The breach notification filed with the Office of the Maine Attorney General estimates a total of 3,489,274 people are affected, of whom 9,131 are Maine residents. UoPX has established a toll-free call center and is offering at least 12 months of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services to those affected.

Kudos to UoPX on responding quickly. The incident was detected November 21 and they have already implemented security fixes as well as identified affected users and started notifications. The Clop ransomware gang is behind this incident, and the detection may have been triggered by the gang posting the exploit to their data leak site, showing the value of services which monitor these sites as a supplement to your other security monitoring. Two takeaways here: first see if you have dark web monitoring; second, if you're an EBS site, see which CPUs are installed and to what extent. If you're still regression testing the October CPU, you’ve got work to do: not only getting that rolled out, but also looking for exploits of CVE-2025-61882.
Researchers have detected a malicious npm package that masquerades as a WhatsApp API library. Published as a fork of the legitimate @whiskeysockets/baileys package, the malicious npm package actually provides the functionality that users expect but also steals information and hijacks WhatsApp accounts. Koi Security researchers say the package has been available for six months; in that time it has been downloaded more than 56,000 times, and it was still live when Koi published their findings on December 21. According to Koi's write-up, the malicious package steals "authentication tokens and session keys; complete message history (past and present); full contact lists with phone numbers; media files and document; [and obtains] persistent backdoor access to [a user's] WhatsApp account." Developers who have used the malicious package, which has been dubbed “lotusbail,” are advised to remove it and check their WhatsApp accounts for suspicious activity.

The package includes functionality that hijacks device linking, so when you link your device to your WhatsApp account, you also link the attacker's device. This means that even after you get rid of the malicious package, you need to review linked devices, removing any unknown/questionable devices.

Supply chain attacks are insidious. I was just talking yesterday with Josh Wright (SANS Instructor and Author) about incident response in supply chain attacks. It’s HARD. I urge you to model supply chain attacks in a Table Top eXercise (TTX) sometime in 2026, perhaps in Q1. While you’re at it, you may want to have a TTX that models interaction with a subset of the board of directors for your organization (such as the head of a technology-related committee), so you can practice informing them when something big goes bump in the night.

One more use case for a digital software bill of materials (SBOM). It is time to eschew the use of packages that do not come with one.
The Hacker News
BleepingComputer
The Register
Koi
On December 18, 2025, the University of Sydney (USYD, Australia) disclosed a cyber incident that took place the preceding week. USYD detected suspicious activity in an online IT code library and responded by blocking the unauthorized access, securing the environment, launching an investigation aided by third-party partners, implementing cybersecurity response procedures, purging the affected datasets from the code library, notifying the "NSW Privacy Commissioner, Australian Cyber Security Centre, the Tertiary Education Quality and Standards Agency, the National Student Ombudsman, and ID Support NSW," and monitoring online for any leaks of the data. The code accessed was used for storage and development, but also included files containing personal data possibly used for testing purposes. The university has assessed that the compromised information includes personal data stored as of September 4, 2018, belonging to around 10,000 current staff, 12,500 former staff, and affiliates, as well as historical datasets from 2010-2019 containing personal information belonging to 5,000 alumni and students and to six supporters. USYD began notifying affected individuals immediately and expects to complete the process in January 2026, in the meantime offering enquiry and assistance forms, information on USYD cybersecurity practices, and government guidance for victims of data breaches and identity theft. Recommended precautions include monitoring for suspicious account activity and communications; changing passwords and using MFA; reporting misuse of information to law enforcement and the University Cyber Security Team; notifying friends and family to be wary of possible data misuse; avoiding mentioning the incident on social media; and verifying all messages come from legitimate sources. USYD is currently three years into a review and reinforcement of data management practices and implementation of its privacy resilience program.

Clearly USYD had a response plan ready to go and were able to actively and rapidly respond to the incident, including notifications to regulators and affected individuals and entities. Beyond making sure you're prepared for your turn in the barrel, make sure that you're actively monitoring code libraries and other externally accessible datastores for the introduction of malicious content.

We have reported in recent weeks on multiple breaches that resulted in the compromise of PII (e.g., license and Social Security numbers). We should take these as an occasion to review our data retention policies and procedures with emphasis on PII. If one does not keep PII any longer than necessary, one reduces the risk that one will compromise it. PII should not be retained just because one might discover a use in the future.
Sydney
The Record
BleepingComputer
SecurityWeek
The Register
On Friday, December 19, Jeff Sherman, a Supervisory Physicist at the National Institute of Standards and Technology (NIST), wrote that "the atomic ensemble time scale at our Boulder campus has failed due to a prolonged utility power outage." Earlier in the week, high winds in parts of Colorado damaged utility power lines and prompted pre-emptive deliberate power outages as a precautionary measure against wildfires. The planned outages, coupled with the failure of a backup generator, "resulted in NIST UTC [Coordinated Universal Time] being 4.8 microseconds slower than it should have been," according to an email from NIST spokesperson Rebecca Jacobson. On December 21, Sherman wrote that repair activity is in progress.

Have you ever said, “we're good until the generator kicks in”? Have you pulled that thread? Whether you have rack or facility-level UPSs, you need to understand their capability, and make sure they are maintained. Those batteries have a finite lifespan. Have you tested them? How about the assumption that the generator will operate indefinitely? My old employer's DR plan included a schedule whereby fuel trucks would refill generators on a defined schedule, and they owned the trucks and supporting infrastructure; even so, you needed to follow the process to be included in that schedule. They also had generator testing services, which you need to understand, as cutover testing is a best practice.

Interesting event, but remember that you should not sync with NIST (or the good old tick and tock operated by the Navy) directly. The “NTP Pool” servers are plenty accurate and reliable for 99% of networks. It often beats running your own time standards. If you run your own internal servers, carefully review the requirements of RFC 8633 (e.g., section 3.3).

Channeling my inner Christopher Nolan, it turns out that time is significant for how many of our systems work (like GPS, Certificates, Cron Jobs, etc.). I’m glad it’s only off by fractions of a second; however, for systems that rely on Precision Time Protocol (PTP), that may be a large difference. If you really think that time is essential to you, consider purchasing a Stratum 1 device. You can build a miniature version of one yourself using a Raspberry Pi, although it won’t be as good as a real Strat 1.
NIST
NIST
NIST
Tom's Hardware
NPR
SANS ISC
The Register
SANS Internet Storm Center StormCast Monday, December 22, 2025
TLS Callbacks; FreeBSD RCE; NIST Time Server Issues
https://isc.sans.edu/podcastdetail/9748
DLLs & TLS Callbacks
As a follow-up to last week's diary about DLL Entrypoints, Didier is looking at TLS (“Thread Local Storage”) and how it can be abused.
https://isc.sans.edu/diary/DLLs+TLS+Callbacks/32580
FreeBSD Remote code execution via ND6 Router Advertisements
A critical vulnerability in FreeBSD allows for remote code execution. But an attacker must be on the same network.
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
NIST Time Server Problems
The atomic ensemble time scale at the NIST Boulder campus has failed due to a prolonged utility power outage. One impact is that the Boulder Internet Time Services no longer have an accurate time reference.
https://tf.nist.gov/tf-cgi/servers.cgi
https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I