SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
SharePoint Vulnerability is Being Actively Exploited
A critical privilege elevation vulnerability in Microsoft SharePoint is reportedly being actively exploited. The vulnerability, which was patched in June, can be chained with other vulnerabilities to achieve remote code execution. The flaw, CVE-2023-29357,“allows attackers to use spoofed JSON web tokens (JWTs) to gain Administrator privileges on the SharePoint host.” The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog last week. US Federal Civilian Executive Branch agencies must address the vulnerability by January 31.
Editor's Notes
- Slide 1 of 4
Details about this vulnerability, including PoC exploits, appear to have been available for a couple months now. If anything, adding it to the KEV catalog is a bit late. As with any KEV: Assume compromise at this point.
- Slide 2 of 4
Any critical privilege elevation vulnerability in any product with “Share” in its name requires priority patching measured in days not multiple months to be at a due diligence level.
- Slide 3 of 4
The flaw is in SharePoint Server 2019, version 16.0.0 below 16.0.1039.20005. CVE-2023-29357 has a CVSS score of 9.8. This can be exploited over the network with a low difficulty level. Verify that you’ve deployed the update, which came out in June; this would be a good time to discover and remediate any rogue or unmanaged SharePoint servers as well as look at why you’re still hosting SharePoint locally.
- Slide 4 of 4
While adding the vulnerability to the KEV flags that it is being actively exploited, organizations should have already prioritized it for patching back in June. A RCE demonstration and separately, a POC privilege escalation attack was published shortly after the vulnerability was released. It was simply a matter of time for evildoers to work the vulnerability into their workflow and deploy an exploit.
Slide 1 of 0- Slide 1 of 4
Juniper Advisories Address 100+ Vulnerabilities, Including Critical RCE Flaw
Last week, Juniper released 28 security advisories that address more than 100 vulnerabilities in multiple products. The batch of advisories includes a fix for a critical out-of-bounds write vulnerability that affects Junos OS on SRX Series and EX Series, as well as for critical flaws in third-party components used in some Juniper products.
Editor's Notes
CVE-2024-21591, a J-WEB RC flaw, carries a CVSS score of 9.8, similar to the flaw from last August. Researchers are finding many sites didn’t deploy that update. In addition to verifying you’ve deployed the update, take another look at disabling or severely restricting access to the J-WEB interface.
The Rest of the Week's News
FBot Python-Based Hacking Tool
Researchers at SentinelOne have discovered FBot, a Python-based tool that has been observed being used in attacks against web servers, cloud services, and Software as a service (SaaS) platforms. FBot’s capabilities include harvesting credentials, hijacking AWS accounts, and “functions to enable attacks against PayPal and various SaaS accounts.” SentinelOne’s write-up includes indicators of compromise.
Editor's Notes
This is a new hacking tool, which has a lot of original work, under active development, and unlike many other tools doesn’t simply leverage existing tools such as the Androxgh0st code. The primary mitigations, at this time, are to implement MFA and monitor for adding new accounts (particularly in AWS) or email service configuration changes. Incorporate the IOCs from SentinelOne into your hunting processes. This tool targets AWS, Office365, PayPal, Twilio and Sendgrid.
GitLab Security Release Addresses Two Critical Flaws
On January 11, GitLab released critical security updates to addresses five vulnerabilities, two of which are considered critical. The first critic al flaws in an account takeover via password reset without user interaction issue; the second involved incorrect authorization checks in GitLab CE/EE and could be exploited to allow an “attacker [to] abuse Slack/Mattermost integrations to execute slash commands as another user.” The issues are addressed in GitLab versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Editor's Notes
The five flaws: CVE-2023-7028, account takeover, CVSS score 10.0, CVE-2023-5356, Slack/Mattermost integration flaw, CVSS score 9.6, CVE-2023-4812, CODEOWNER approval bypass, CVSS score of 7.6, CVE-2023-6965, unauthorized workspace creation, CVSS score of 6.6, CVE-2023-2030, signed commit metadata altering, CVSS score of 3.5 are all addressed in the update. Three steps you need to follow here: First, upgrade all your GItLab editions to a supported version; be methodical and don’t skip steps as that can introduce instability. Second, enable 2FA for ALL your GitLab accounts, no exceptions. Third, review the GitLab security best practices. If you think you were compromised, add rotating all secrets (API keys, certificates, tokens, etc.) to your task list.
Recorded Future: Lock Down GitHub Services
According to a report from researchers at Recorded Future’s Insikt Group, threat actors are increasingly using GitHub services for dead drop resolving and to deliver payloads, operate command-and-control systems, and exfiltrate data. The Insikt Group notes that, “There is no universal solution for GitHub abuse detection. A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”
Editor's Notes
It’s not a huge leap to find threat actors are leveraging trust relationships. With the number of cloud and other off-site services we’re all using, the number of these relationships we have has increased exponentially. While there is no silver bullet here, start with a mantra of smallest possible trust. Make sure that you’re limiting trust to the sites and services you’ve approved as well as monitoring those interactions.
British Library Catalog is Back Online
The British Library’s online services are gradually becoming available, months after the library took services offline following a ransomware attack. Users may now access the library’s online catalog in a read-only format. The British Library experienced a cybersecurity incident in late October 2023.
Editor's Notes
- Slide 1 of 2
Hopefully the British Library will document and widely brief on the state of cybersecurity at the library system before the attack. Details should also be shared on what processes helped or hindered re-establishing full operating capability. Let’s turn the attack into something positive and educate users and organizations.
- Slide 2 of 2
While back on-line, users need to be aware that some functionality is not yet restored, and you may have to come in to utilize or access some services. The library is not planning to disclose details of the incident until after March, so it’ll be a while before we can learn from the root cause. Even so, you can make sure you’re following vendor security best practices for your online services, and verify you’ve got active monitoring and strong authentication in place.
Slide 1 of 0- Slide 1 of 2
Bosch Smart Thermostat Vulnerability
Researchers at Bitdefender have discovered an always-open port vulnerability in Bosch BCC101/BCC102/BCC50 Thermostats. The flaw “lets an attacker on the same network replace the device firmware with a rogue version.” Bitdefender first notified Bosch about the issue in August 2023; Bosch fixed the vulnerability in October.
Editor's Notes
- Slide 1 of 2
Bosch pushed the update to customer devices in October 2023, closing port 8899 which is used for this hack. Best practice here is to have a separate network for your home IoT devices. You may be able to leverage the guest network most home routers include. If you choose to use an old router you’ve been keeping, make sure that it’s not EOL, as you’re going to want to keep it updated.
- Slide 2 of 2
Bitdefender is to be applauded for its responsible vulnerability disclosure. Hopefully, Bosch’s software development team will make changes in their secure software development process going forward. The Microsoft SDL process is an excellent resource as well as recent CISA Secure-by-Design guidance.
Slide 1 of 0- Slide 1 of 2
Cryptojacking Arrest in Ukraine
Police in Ukraine, with assistance from Europol, have arrested an individual who allegedly conducted a cryptojacking campaign. The individual is believed to have mined more than EUR 1.8 million (USD 2 million) worth of virtual currency. Europol was alerted to the situation a year ago, when a cloud service provider contacted them regarding compromised user accounts.
Editor's Notes
- Slide 1 of 2
Cryptojacking is becoming popular as it allows the criminal to leverage your cloud resources for their crypto mining, so they don’t have to pay the IT or power costs. Activities have been observed leveraging GCP, AWS, and Azure services. Your best bet to mitigate the risk is to implement strong authentication, active monitoring, keep services updated and leverage the security services of your cloud provider.
- Slide 2 of 2
Because of their compute capabilities, cloud service providers are often targeted by crypto miners. What is surprising is that the CSP’s customers did not notice the increase in compute costs as well as failed attempts by the attacker using automated brute-force password guessing. Some lessons learned here for those companies using cloud resources.
Slide 1 of 0- Slide 1 of 2
Known Windows SmartScreen Vulnerability is Being Exploited to Spread Malware
Researchers at Trend Micro have detected a malware campaign that exploited a known security feature bypass vulnerability in Microsoft Windows Defender SmartScreen. The flaw is reportedly being used to spread malware known as Phemedrone Stealer. Microsoft released a patch for the vulnerability in November 2023 and CISA added it to the KEV catalog that same month.
Editor's Notes
While the patch was released in November, it’s still being exploited, so not everyone rolled out the update. Verify it didn’t get missed during the holiday season. POC code, including screenshots, is being shared on social media and dark web sites.