SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
Snowflake Breach Affects Ticketmaster, Santander
A data security breach at cloud provider Snowflake has affected several organizations, including Ticketmaster and Santander. In an SEC filing last week, Ticketmaster parent company Live Nation disclosed that they “identified unauthorized activity within a third-party cloud database environment containing Company data.” In mid-May, Santander released a statement noting that they “recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” In a recent update about the incident, Snowflake indicated that it believed the attack to be the result of credential-stuffing, while also noting that they discovered evidence that a threat actor obtained access credentials belonging to a former Snowflake employee.
Editor's Notes
- Slide 1 of 5
It is unclear at this point how much of this is a Snowflake issue and how much of this is a customer problem. Just because the provider offers stupid authentication options doesn't mean you have to use them.
- Slide 2 of 5
Rotate those TicketMaster credentials and enable two-factor authentication. While some of the details about how data was breached are changing, the constant is that reusable credentials were compromised. Your task is to verify that you require MFA for all access to third-party services, as well as understand their level of access and access control mechanisms. Make sure you have access control rules to only allow authorized users and systems to access these services. Are you getting logs to your SIEM? Verify you have plans for rotating credentials if required/compromised.
- Slide 3 of 5
Kudos to Snowflake in responding to the reports of the breach so quickly and in identifying the cause was not a breach of their systems. It appears the cause of these breaches are client accounts with weak or compromised passwords married with a lack of Multi-Factor Authentication enabled. This however should not let Snowflake off the hook entirely. As we become more and more reliant on cloud service providers, those same cloud service providers need to take a more proactive approach to ensure their user base has appropriate security controls in place, such as making MFA on by default, better integration with clients' Identify and Access Management platforms, providing better access to security logs, to mention just a few.
- Slide 4 of 5
Since the user count on this one is so high, good idea to remind employees that if they used Ticketmaster, they need to update every other place they used the same password. The high impacted user count will also exacerbate finger pointing on who is actually liable for the breach.
- Slide 5 of 5
The blame game continues. Credential theft is a top enabler for many security incidents. Evildoers know this and often target third-party service providers to maximize the attack and potential payoff. Bottom line: what’s common between Ticketmaster and Santander is the use of Snowflake; that fact isn’t under dispute.
Slide 1 of 0- Slide 1 of 5
Entrust’s 2024 State of Zero Trust & Encryption Study
Among the findings of Entrust’s 2024 State of Zero Trust & Encryption Study: the primary (reason) given for investing in security is to reduce the risk of breaches and other cybersecurity incidents; in past years, the primary (reason) was compliance; while overall, 62 percent of organizations have begun adoption of zero-trust, that figure is 48 percent in the US. For the study, Entrust surveyed more than 4,000 IT practitioners worldwide.
Editor's Notes
- Slide 1 of 4
Compliance does not necessarily lead to security but is better than non-compliance. Reducing risk in general, and of breaches in particular, is a better strategy. However, risk management requires special knowledge, skills, ability, and experience. The last is in particularly short supply.
- Slide 2 of 4
It is refreshing to see companies change their focus from compliance to a risk based approach. Having an effective compliance program in place may not necessarily result in effective security, but having an effective risk management program has a much better chance of not only resulting in effective security but also in meeting compliance requirements.
- Slide 3 of 4
Part of this change in mindset has been an increasing number of cybersecurity settlements at both the state and federal level, where organizations are being held accountable for data breaches. In addition to a monetary penalty, companies also agree to implement significant remedial efforts to better protect customer data. It’s part of a ‘wakeup call’ to organizations to implement reasonable cybersecurity.
- Slide 4 of 4
Zero Trust is burdened by both technology and culture change. It's not as simple as dropping the firewall and requiring MFA on every entry point. The pillars that support Zero Trust include base improvements to cyber security posture which have benefits even if you're not going full ZTA. Go through the NIST's Zero Trust Maturity Model to look at where you can raise the bar. Look to existing capabilities which are already included in products and services, such as encryption at rest and in transit from IaaS and SaaS providers, information protection, classification and monitoring from your office productivity suite and MFA capabilities in your IDP which may have been overlooked.
Slide 1 of 0- Slide 1 of 4
PoC for Check Point Vulnerability Released
Proof-of-concept exploit code for a zero-day arbitrary file read vulnerability in Check Point Security Gateway has been released. Check Point published hotfixes last week to remediate the vulnerability, which affects Security Gateway with IPSec VPN or Mobile Access blades enabled. Check Point’s support page includes a procedure to identify vulnerable gateways. Censys has observed nearly 14,000 Internet-facing devices running the products, but it is not clear how many of these are actually vulnerable. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its KEV on May 30. Federal Civilian Executive Branch (FCEB) agencies have until June 20 to address the vulnerability.
Editor's Notes
- Slide 1 of 3
The PoC demonstrates how to retrieve the "/etc/shadow" file, showing how Checkpoint is yet another security appliance running its web server as root. While passwords are reasonably well hashed, they will be brute forced if they are too simple. We are also seeing already some scans for this vulnerability.
- Slide 2 of 3
If you were putting off deploying the hotfixes, that window has closed with the POC. Attackers are focused on compromising old local accounts with password-only authentication. You need to make sure that you not only follow the post-hotfix (important extra measures) instructions on the CheckPoint site, which addresses local accounts, but also check for IOCs to make sure you're clean. CheckPoint is helping affected customers resolve any exploitation, and the severity has been raised from 7.5 to 8.6.
- Slide 3 of 3
If you’re a user of the Check Point Security Gateway, don’t worry about checking to see if you’re vulnerable – you are. Go ahead and implement the hotfix and save yourself from additional work.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Cox Communications Cable Modem Vulnerability
A critical vulnerability in a Cox Communications API may have been used to alter the configuration or firmware of Cox managed cable modems. Cable modem ISPs load custom firmware and settings to customer modems in order to configure them to interoperate with a particular cable system. The API used to manage these settings did not authenticate properly and allowed anybody to retrieve or alter settings. The author of the post alleges that their modem was compromised possibly via this vulnerability. Cox Communications acknowledged the vulnerability but did deny any detected abuse of the vulnerability to manipulate customer modems.
Editor's Notes
Even customer owned modems are usually managed and provided with custom firmware. Your best bet is to consider the modem as "hostile" as the rest of the internet. Configure it in "bridge" mode and use your own firewall/router to provide access control and protect your own devices.
NIST NVD Contractor Identified
The contractor selected to help the US National Institute of Standards and Technology (NIST) manage the backlog of National Vulnerability Database (NVD) CVEs is Analygence, a company already contracted to perform other IT and security-related work for NIST. Analygence will help NIST with both the CVE backlog and new NVD submissions.
Editor's Notes
- Slide 1 of 2
Good to see a path forward. NVD is too important to get ground up in inter-agency competency battles. Let’s hope Analygence is actually delivering. Personally, I would have loved to see an academic partnership, but as long as this leads to a reliable product, I am all for it.
- Slide 2 of 2
Seems like it was just yesterday they said they were going to hire a company for this. That they moved this quickly indicates how seriously they are taking solving this problem. A big advantage here is that Analygence can use their hiring practices rather than the somewhat more onerous agency processes to rapidly staff up, or down, as is required to absorb the workload. Even so, don't expect the backlog to be resolved before September.
Slide 1 of 0- Slide 1 of 2
Hugging Face Says Spaces Platform was Breached
Hugging Face says they have detected unauthorized access to their Spaces platform that may have compromised “a subset of Spaces’ secrets.” They have revoked some Hugging Face tokens “as a first step of remediation;” affected users have been notified.
Editor's Notes
- Slide 1 of 2
"Spaces" is essentially a "container as a service" or "serverless" platform. As other providers in this space have learned, cross-tenant security is hard if not impossible in these scenarios. But given the business need to rush out have backed AI features, it is very appropriate for organizations to upload proprietary data to these platforms to stay ahead of the competition.
- Slide 2 of 2
Hugging Face has made the new default fine-grained access tokens, which they strongly suggest switching to. They have also eliminated org tokens which will help with audit and traceability as well as implemented a key management service for Spaces secrets, which will improve their ability to revoke and manage these.
Slide 1 of 0- Slide 1 of 2
Manifest V2 Extensions Will Soon Stop Working on Some Chrome Builds
Google has begun phasing out Manifest V2 extensions in Chrome. As of Monday, June 3, users with Manifest V2 extensions on the Chrome beta, Dev, and Canary channels will start to see warning banners when they visit their extension management page that tell them some of their Manifest V2 extensions will no longer be supported. Eventually, users will be directed to the Chrome Web store, where Manifest V3 extensions will be recommended to replace those that are no longer being supported.
Editor's Notes
Manifest V3 is intended to improve security, privacy, performance and trustworthiness of extensions. V3 limits extension access to user network requests, forces users to include all functions locally (no more remote code), move request modifications and background page requests to service workers in the browser. This has impacts on extension behavior, particularly those which were updating content/functionality dynamically. Check the extension developer page for information on how their Manifest V3 version will work.
Linux Kernel Flaw Added to CISA’s Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a vulnerability in the Linux kernel is being actively exploited. The use-after-free issue in the ‘netfilter: nf_tables’ component can be exploited to achieve privilege elevation. Users are urged to apply mitigations if available, or discontinue use of the product. Federal Civilian Executive Branch (FCEB) agencies have until June 20 to mitigate the vulnerability.
Editor's Notes
This affects kernel versions between 5.14 and 6.6, which means your RHEL 9 systems as well as AlmaLinux, Debian, Gentoo, SUSE, and Ubuntu need to be updated. The good news is that patches were made available in February, so push those updates if you haven't already. The not so good news is POC code was published in March, which claimed 99.4% success rate as well as the vulnerability being trivial to exploit.
Update Available to Fix High Severity Flaw in Atlassian Confluence
Atlassian has released updates to address a high-severity remote code execution vulnerability in their Confluence Data Center and Server. The flaw was introduced in Confluence Data Center and Server version 5.2. The vulnerability is fixed in versions 8.9.1, 8.5.9, and 7.19.22.
Editor's Notes
Exploiting the flaw requires network access to the system as well as privileges to add new macro languages. Even if none of your users has those privileges, apply the update to remove the vulnerable code; future you will appreciate this. It's also a good time to revisit the choice to host Confluence locally. Make sure those drivers haven't changed. Note that FedHIVE offers a FedRAMP High Jira/Confluence SaaS environment.
US Department of Health and Human Services Will Allow Change Healthcare to File Breach Notifications on Behalf of Affected Organizations
The US Department of Health and Human Services will now allow Change Healthcare to file health insurance portability and accountability act (HIPAA) breach notices on behalf of organizations affected by the massive ransomware attack earlier this year. HHS initially required every affected organization to file their own notices. On Friday, May 31, HHS Office for Civil Rights (OCR) amended the Change Healthcare cybersecurity incident FAQ to reflect the change. Organizations wishing Change Healthcare to file the HIPAA notices on their behalf must contact Change Healthcare.
Editor's Notes
- Slide 1 of 2
Now that that’s settled, the notices can be sent and victims notified. Change Healthcare should pay all costs associated with this security incident to include credit monitoring services.
- Slide 2 of 2
My understanding is that Change Healthcare handled 1 in 3 medical records and processed half of all medical claims in the US at the time of the breach. Change Healthcare's parent, UnitedHealth told congress that about one-third of Americans had information accessed by the hackers. Having Change Healthcare file the breach notification on behalf of others will help with a consistent and likely non-redundant message. Given that there is a one-in-three chance your information was compromised, don't stop at go: go directly to credit monitoring/data validation.
Slide 1 of 0- Slide 1 of 2
Three WordPress Plugin Vulnerabilities are Being Actively Exploited
Researchers at Fastly have observed active exploitation of three high-severity vulnerabilities cross-site scripting in WordPress plugins. The researchers note that the script used to exploit each of the three flaws is identical. The affected plugins are the WP Statistics plugin (version 14.5 and earlier), the WP Meta SEO plugin (version 4.5.12 and earlier), and the LiteSpeed Cache plugin (version 5.7.0.1 and earlier).
Editor's Notes
- Slide 1 of 2
The root cause for all three vulnerabilities is lack of input sanitization. After you've verified the plugins are updated, you need to make sure you're not compromised. Review user accounts, particularly those with admin privileges, check for files with unexpected modifications, particularly injected scripts, and look for outbound requests to Yandex tracking links or pixels.
- Slide 2 of 2
It is sufficient to say that WordPress plugins are being actively exploited. Experience indicates that WordPress plugins are high risk. They should be used only by design and intent, never by default. Those used must be monitored and managed for risk.
Slide 1 of 0- Slide 1 of 2