Cisco Talos has published a report detailing a cyber espionage campaign that targeted Cisco Adaptive Security Appliances (ASA) to gain access to government networks in several countries around the world. Cisco has released updates to address the vulnerabilities exploited in the campaign: a denial-of-service issue (CVE-2024-20353) and a persistent local code execution flaw (CVE-2024-20359). While most of the activity occurred in December 2023 and January 2024, Cisco Talos found evidence that the campaign, dubbed ArcaneDoor, was being tested last summer.
The flaws patched by Cisco require authentication. Cisco states that they do not know how the attacker obtained initial access; verify that authentication is configured properly and verify the password security for any devices. There have been persistent brute force attacks against these devices in the past.
The attackers are using an in-memory implant called Line Dancer, which is used to disable syslog, exfiltrate the configuration, create packet captures, write to memory, and hook the crash dump and AAA processes to allow authentication and bypass/disable crash dumps needed for forensic analysis. Persistence is maintained with a backdoor called "Line Runner", which leverages the legacy capability to pre-load updated VPN clients and plugins on ASA devices. The update from Cisco prevents this technique from working; however, it doesn't remove Line Runner, so you need to check for new or unusual zip files, copy them off, and report them to Cisco as requested. Details on removing them are in the Talos blog.
Brute force attacks against operator-less, public-network-facing devices have been increasing. It is important to know if your devices are seeing and resisting such attack traffic.
Talos Intelligence
Cisco
Cisco
Wired
The Register
Ars Technica
SC Magazine
Dark Reading
Gov Infosecurity
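The commentary above makes two operational points: know whether your edge devices are seeing and resisting brute force traffic, and remember that the implant's capabilities included disabling syslog. The Go program below is an added example, not code from Cisco, Talos or the editors. It runs both checks over a few constructed syslog lines: it flags a source IP that accumulates many AAA rejections inside a short window (and counts how many usernames it tried), and it flags a device whose log stream has gone quiet. The message layout (an `%ASA-6-113005` rejection carrying `user = ... : user IP = ...`) and the timestamp format are assumptions; adjust the regular expressions to whatever your collector actually emits.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

const layout = "Jan 02 2006 15:04:05"

// Constructed sample log (not real device output). The field layout is an
// assumption made for this example; real exports may differ.
const sampleLog = `Apr 24 2024 09:00:12 asa2 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.4
Apr 24 2024 10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Apr 24 2024 10:00:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Apr 24 2024 10:00:20 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.7
Apr 24 2024 10:00:31 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.7
Apr 24 2024 10:00:45 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7
Apr 24 2024 10:01:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7
Apr 24 2024 10:05:00 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.9/443 (10.0.0.9/443)`

var (
	// Every message: timestamp, reporting host, ASA message ID.
	headerRe = regexp.MustCompile(`^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) %ASA-\d-\d+:`)
	// Only AAA rejections: the username tried and the client source IP.
	rejectRe = regexp.MustCompile(`%ASA-6-113005: AAA user authentication Rejected .* user = (\S+) : user IP = (\S+)`)
)

type event struct {
	when     time.Time
	host     string
	user, ip string // empty unless the line is an authentication rejection
}

func parseLine(line string) (event, bool) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return event{}, false
	}
	when, err := time.Parse(layout, m[1])
	if err != nil {
		return event{}, false
	}
	ev := event{when: when, host: m[2]}
	if r := rejectRe.FindStringSubmatch(line); r != nil {
		ev.user, ev.ip = r[1], r[2]
	}
	return ev, true
}

type Finding struct {
	IP       string
	Failures int // rejections inside the densest window seen for this IP
	Users    int // distinct usernames this IP tried
}

// detectBruteForce flags any source IP with at least threshold rejections
// inside any sliding window of the given length.
func detectBruteForce(lines []string, window time.Duration, threshold int) []Finding {
	times := map[string][]time.Time{}
	users := map[string]map[string]bool{}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok || ev.ip == "" {
			continue
		}
		times[ev.ip] = append(times[ev.ip], ev.when)
		if users[ev.ip] == nil {
			users[ev.ip] = map[string]bool{}
		}
		users[ev.ip][ev.user] = true
	}
	var out []Finding
	for ip, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, lo := 0, 0
		for hi := range ts { // two-pointer sweep over the sorted timestamps
			for ts[hi].Sub(ts[lo]) > window {
				lo++
			}
			if n := hi - lo + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			out = append(out, Finding{IP: ip, Failures: best, Users: len(users[ip])})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Failures > out[j].Failures })
	return out
}

// detectSilence returns hosts whose most recent message is older than maxGap,
// i.e. devices that may have had logging disabled.
func detectSilence(lines []string, now time.Time, maxGap time.Duration) []string {
	last := map[string]time.Time{}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		if ev.when.After(last[ev.host]) {
			last[ev.host] = ev.when
		}
	}
	var silent []string
	for h, t := range last {
		if now.Sub(t) > maxGap {
			silent = append(silent, h)
		}
	}
	sort.Strings(silent)
	return silent
}

func main() {
	lines := strings.Split(strings.TrimSpace(sampleLog), "\n")
	for _, f := range detectBruteForce(lines, 5*time.Minute, 5) {
		fmt.Printf("brute force from %s: %d failures, %d usernames tried\n", f.IP, f.Failures, f.Users)
	}
	now, _ := time.Parse(layout, "Apr 24 2024 10:10:00") // "now" is fixed for the sample
	for _, h := range detectSilence(lines, now, 30*time.Minute) {
		fmt.Printf("no syslog from %s for over 30 minutes: confirm logging is still enabled\n", h)
	}
}
```

The silence check is the one most shops lack: a device that was chatty ten minutes ago and then stops reporting deserves the same alert priority as the password spray, because a capability of the implant described above is to switch syslog off. Thresholds (5 failures in 5 minutes, 30 minutes of silence) are placeholders; tune them against your own baseline.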
Three countries, Ghana, Singapore, and Malaysia, have passed legislation requiring cybersecurity companies to be licensed. In some cases, the requirement applies to independent practitioners as well. Singapore has required cybersecurity service providers to be licensed since 2022; Ghana has required licensing since 2023. Malaysia passed legislation requiring cybersecurity practitioner licensing earlier this month.
Businesses in general would never use an electrician or plumber that wasn't licensed and didn't carry an active business insurance policy. The same should certainly be true in selecting cybersecurity service providers. But in the US, states generally determine standards of workmanship as well as apprenticeship/licensing/certification requirements for skills/capabilities that are judged to be needed to adhere to those standards of workmanship. Federal requirements in the US for cybersecurity workmanship (let alone software quality and liability) aren't likely to happen anytime soon, if ever, in the US.
This will be worth watching. Licensing has benefits as it validates a certain level of knowledge by individuals (certification) and business process by companies (accreditation). The devil will be in the details as the requirements for licensing come later and whether they will grandfather in existing certification schemes.
The idea is to offset risks of hiring unqualified professionals, possibly resulting in a registry of talent to draw upon, but the regulations also strengthen government oversight and regulation capabilities related to cyber activities, in some cases allowing for unlimited search and seizure powers as well as making activities by non-licensed cyber security researchers difficult if not illegal.
It is not clear what problem such licensing is intended to solve, though our field is rife with pretenders. One recalls the abortive attempt by the state of New Jersey to license software "engineers" that was killed by the opposition of mere "programmers." One supports a requirement that one who holds oneself out as an engineer be held to the traditional standards of that profession, including licensing.
Palo Alto Networks has updated its security advisory for the command injection vulnerability in the GlobalProtect feature of its PAN-OS software to include a link to a knowledge base article that contains information about remediating the vulnerability.
This update contains additional insight you can leverage to make sure the updates you applied are indeed the droids you're looking for. Also note that they now state that disablement of device telemetry is NOT an effective mitigation, as it is not required to exploit the vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) hosted the final round of the fifth annual President's Cup Cybersecurity Competition last week, a national competition designed to recognize the top federal cybersecurity talent. This year's winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force.
The President's Cup was established in 2019, and is designed to organize and train members of the federal workforce, who can participate individually or in teams of up to five. The winners had to survive three rounds of competition, which are categorized into tasks and work roles in the NICE framework. Kudos to all who participated, and to the winners, who will likely be in high demand to keep this nation secure. The Award Ceremony is May 20th.
Google has updated the Chrome Stable channel to versions 124.0.6367.78/.79 for Windows and Mac and 124.0.6367.78 for Linux. The updates address four security issues, including a critical type confusion vulnerability in the ANGLE graphics layer engine.
Restart your browser at least once a day, and once a week, double check if your browser is up to date. Restarting your browser is the simplest way to make sure automatic updates are applied.
Of the fixes, CVE-2024-4058 (ANGLE type confusion) is rated critical while CVE-2024-4059 (out of bounds read in V8) and CVE-2024-4060 (use after free in Dawn) are rated high. Chromium-based browsers have become really good at restoring your windows and tabs after a restart, so encourage users not to hesitate to click the restart/relaunch button when it appears. Your managed Chrome install should have an enforced time limit for that relaunch, 48-72 hours max.
Google Blog
Security Week
SC Magazine
Google has pushed back the date for phasing out third-party cookies in Chrome to early 2025. Implementing the change depends on Google reaching agreements with the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO). Google had initially planned to begin deprecating third-party cookies in Chrome in the second half of 2024.
Google wants to phase these out as both a security and privacy measure (reduction of cross-site and cross-application tracking) while keeping online content and services free for all. Ad providers are claiming Privacy Sandbox removes the ability of site owners, agencies and marketers to target and measure campaigns using their technologies in favor of a Google-provided option. Some of you are saying, yes, that is kind of the point. Use this time to get a better understanding of what Google's Privacy Sandbox provides and what you'd need to do to continue to have that measurement in the future, or if you want to better know how to not be tracked.
Researchers from Avast have published a report detailing how threat actors with ties to North Korea hijacked the eScan antivirus update mechanism for five years. The campaign used the vulnerability to deliver backdoors and cryptocurrency miners. The Avast researchers notified eScan of the issue, and the company fixed the vulnerability in July 2023.
There are not a lot of examples of insecure update mechanisms being exploited by bad actors. Interesting to see this product being affected.
The attackers were able to MITM the antivirus service, which used HTTP to deliver updates, allowing them to infect end-users with malware. For. Five. Years. Beyond not using HTTPS, the AV client didn't sufficiently enforce digital signing of updated content, so the replacement malicious content wasn't detected. My gut says when they started deploying crypto miners, the resource hit gave them away. That gives you a couple of pointed questions to ask your EDR provider.
This attack exposed two secure by design flaws by the vendor: 1) updates not digitally signed, and 2) using HTTP vice HTTPS. Both are common design principles and would have significantly raised the cybersecurity bar for the cybercriminal to execute the attack.
Evilgrade is still a thing. It's also a thing that we barely test for anymore, isn't it?
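The two design flaws called out above (updates fetched over cleartext HTTP, and update content not digitally signed) are what turn a man-in-the-middle position into five years of malware delivery. The Go program below is an added example, not eScan's, Avast's or any vendor's code, showing what the client-side gate of an update mechanism should look like: the vendor signs a manifest (version plus SHA-256 of the payload) with an offline Ed25519 key, and the client refuses a non-HTTPS source, a manifest that does not verify, a payload that does not match the signed digest, and a replayed older manifest. The manifest layout, the error names and the `updates.example.test` URL are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the metadata an update server hands the client. The vendor signs
// (version, payload digest) with an offline key; the client holds only the public
// key. The field layout is an assumption made for this example.
type Manifest struct {
	Version    int
	PayloadSHA [32]byte
	Signature  []byte
}

// signedMessage fixes the exact bytes covered by the signature so that neither
// the version nor the digest can be swapped independently of the other.
func signedMessage(version int, sum [32]byte) []byte {
	return []byte(fmt.Sprintf("update-v%d:%s", version, hex.EncodeToString(sum[:])))
}

// SignManifest is the vendor-side (build pipeline) step; the private key never
// reaches the update server, so compromising that server yields nothing signable.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, PayloadSHA: sum,
		Signature: ed25519.Sign(priv, signedMessage(version, sum))}
}

var (
	ErrInsecureTransport = errors.New("update URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify")
	ErrDigestMismatch    = errors.New("payload digest does not match signed manifest")
	ErrDowngrade         = errors.New("manifest version is not newer than installed")
)

// VerifyUpdate is the client-side gate that must pass before anything is installed.
// Each check closes one hole: cleartext transport (MITM), content the vendor never
// signed, a payload swapped after the manifest was signed, and replay of an old
// but genuinely signed manifest to roll a client back.
func VerifyUpdate(pub ed25519.PublicKey, updateURL string, installed int, m Manifest, payload []byte) error {
	u, err := url.Parse(updateURL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pub, signedMessage(m.Version, m.PayloadSHA), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrDowngrade
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed update payload, version 3") // constructed sample
	m := SignManifest(priv, 3, genuine)
	const u = "https://updates.example.test/v3.bin" // hypothetical URL

	fmt.Println("genuine:  ", VerifyUpdate(pub, u, 2, m, genuine))
	fmt.Println("plaintext:", VerifyUpdate(pub, "http://updates.example.test/v3.bin", 2, m, genuine))
	fmt.Println("swapped:  ", VerifyUpdate(pub, u, 2, m, []byte("coin miner")))
	forged := m
	forged.PayloadSHA = sha256.Sum256([]byte("coin miner")) // attacker has no private key
	fmt.Println("forged:   ", VerifyUpdate(pub, u, 2, forged, []byte("coin miner")))
	fmt.Println("replay:   ", VerifyUpdate(pub, u, 3, m, genuine))
}
```

Note that the signature covers the digest rather than the payload itself, so a large binary can be streamed and hashed once, and that the version check runs only after the signature verifies, so an attacker cannot use an unsigned "future" version to probe the client. HTTPS remains necessary even with signing (it stops an observer from seeing which version a host runs and from withholding updates silently), but signing is what makes a MITM unable to substitute content, which is the property the eScan client lacked.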
Siemens has acknowledged that the command injection vulnerability in Palo Alto Networks PAN-OS software may affect their Ruggedcom APE 1808 devices that are configured with a Palo Alto Networks next-generation firewall. Siemens is developing fixes and has suggested workarounds and mitigations to use until the fixes are ready.
The Siemens Ruggedcom APE 1808 integrates security solutions from Palo Alto Networks, Fortinet and Nozomi Networks, and is an industrial application hosting platform for edge computing and cyber security in an industrial environment. As such, vulnerabilities in those components apply, in this case the updates to GlobalProtect which are pending release from Siemens. The workaround is to disable the GlobalProtect gateway and portal (these are disabled by default) until the update can be applied.
Cisco, Palo Alto, and others have OEM agreements with Siemens and other vendors. Expect that as firewall issues occur (or switching issues occur), there will be some lag time for these OEMs to roll them into the equipment upgrade paths. That alone does not mean that they will be immediately pushed out to these OT systems.
Switzerland-based Octapharma is starting to recover from a ransomware attack that began on April 17 and resulted in the temporary closure of 180 plasma donation centers last week. Octapharma began reopening centers earlier this week.
They are opening more locations, albeit with modified hours, in attempts to restore services to customers. They advise customers with appointments to verify their local office is open and operating. In today's climate, that is a fairly rapid return of services, and should spark conversations about whether you want to do partial service restoration, or a full waterfall, and how you'd communicate in either situation.
The Los Angeles (California) County Department of Health Services (DHS) has sent notification letters regarding a phishing attack that resulted in compromised patient data. According to the letters, email account credentials belonging to 23 DHS employees were stolen earlier this year. The associated mailboxes contained patient data, including names, medical record numbers, medical diagnoses, treatment, medication, and test result information.
This attack exposes an inconvenient truth: large amounts of data (i.e., PHI, PII, company confidential) are often stored on company email and messaging servers. Email is still the preferred communication method, even more so now that most companies employ a remote workforce. Encrypt data in transit, at rest, and on end-user devices.
Struts2 devmode Still a Problem Ten Years Later
https://isc.sans.edu/diary/Struts+devmode+Still+a+problem+ten+years+later/30866
API Rug Pull - The NIST NVD Database and API
https://isc.sans.edu/diary/API+Rug+Pull+The+NIST+NVD+Database+and+API+Part+4+of+3/30868
Does it matter if iptables isn't running on my honeypot?
https://isc.sans.edu/diary/Does+it+matter+if+iptables+isnt+running+on+my+honeypot/30862
Matthew Alan Vorhees: Prevention Strategies for Modern Living Off the Land Usage
https://www.sans.edu/cyber-research/prevention-strategies-modern-living-off-land-usage/
Unplugging PlugX: Sinkholing the PlugX USB worm botnet
https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/
pfSense Updates
https://docs.netgate.com/advisories/index.html
GitLab Updates
https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/
Cisco Patches Vulnerabilities and Discovers Arcane Backdoor
Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers
MySQL2: Dangers of User-Defined Database Connections
https://blog.slonser.info/posts/mysql2-attacker-configuration/
Netgear Nighthawk Vulnerabilities
https://jvn.jp/en/vu/JVNVU91883072/
Analyzing Forest Blizzard's Custom Post-Compromise Tool for exploiting CVE-2022-38028
April 2024 Exchange Server Hotfix Update
CVE-2024-2389: Command Injection Vulnerability in Progress Flowmon
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining