Staff Picks for Splunk Security Reading February 2019

Ryan Kovar

@meansec
I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time, like tears in rain

Risky Business #528 – Huawei dinged, epic FaceTime and Exchange bugs by Patrick Gray, Adam Boileau, and Lesley Carhart starting at minute 40:23

Ever since Dave Herrald introduced me to the Risky Business Podcast I've been a big fan. A couple of weeks ago I heard a fascinating segment (starting at minute 40:23) featuring Lesley Carhart (@hacks4pancakes) where she discussed how her apartment complex made a contract with a smarthome startup company that required an IoT device on her personal network with the ability to control (among other things) her locks. I actually tend to be on the somewhat laissez-faire side of the "IoT" world and take convenience over the increased insecurity. I used to be worried about Alexa listening, then realized my phone was always an "OK Google" away. I was against IoT doors and then realized that it was still easier to break a window and unlock my door than hack my well-defended home network. However, the idea of a plethora of startups having direct access to my locks, etc. is rather...scary (especially when part of what you pay for in an apartment is security). Since then, Lesley has also written a great blog post on the issue and is planning on speaking further on the subject at the Multifamily Technology and Entrepreneurship Conference (MTEC) in San Francisco. Whether at home or at work, IoT is ever creeping into our lives. I admit, I thought the BYOD battles of the early 2000s had been won by the personal cellphone, but what about BYOAlexa? This is something we, as network defenders, need to think of in our threat models and (dare I say) our SIEMs.

John Stoner

@stonerpsu
You gotta listen the way people talk: you don't say "affirmative"

A Deep Dive on the Recent Widespread DNS Hijacking Attacks by Brian Krebs

When DHS-CISA issued their first emergency directive, Mitigate DNS Infrastructure Tampering, in late January they had made references to both Cisco Talos and FireEye reporting of adversaries gaining control of DNS infrastructure and changing configurations to route traffic to adversary infrastructure. Now Brian Krebs has released a deeper dive into some of these attacks focusing on a list of malicious IP addresses that Crowdstrike published along with the timeframe of the attacks and the impacted organization's country and sector. Brian uses the December attacks that impacted both US and Swedish internet providers as an example to show how passive DNS can be used to gain insight into these attacks and discusses the use of DNSSEC as potential mitigation for these attacks. A persistent issue with DNS attacks is highlighted in the following paragraph, "Multiple experts interviewed for this story said one persistent problem with DNS-based attacks is that many organizations tend to take much of their DNS infrastructure for granted. For example, many entities don't even log their DNS traffic, nor do they keep a close eye on any changes made to their domain records." The article concludes with some best practices to secure DNS in addition to logging and monitoring.

Dave Herrald

@daveherrald
Obey orders given it by human beings 

Announcing the new Security Engineering website by Tony Rice

This month I'm sharing this excellent blog post from Tony Rice at Microsoft announcing the release of their new Security Engineering Portal. While the portal is new, it contains a cross-section of security content that represents "...decades of experience implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices..." It includes a refresh of the classic Security Development Lifecycle (SDL) as well as more recently created content focusing on securing cloud-based infrastructure and managing security risks in third-party open source software components. I've shared this guidance recently with several customers looking for advice on DevSecOps, SecDevOps, cloud security, or just plain old web application security.

Adam Swanda

@bindshell_
Hal, open the pod bay doors

Extracting "Sneaky" Excel XLM Macros by Amirreza Niakanlahiji and Pedram Amini

Due to the prevalence of Microsoft Office malware delivery documents, I want to focus this month on a new blog post from InQuest. In this blog, InQuest identifies a malicious Microsoft Excel document, walk-throughs dissecting it with a variety of open source tools and techniques, and includes YARA rules for detection of the various stages. With a very low initial Anti-Virus detection score on VirusTotal (3/59), the inspected sample uses an older technique of embedding the active content within an XLM macro, as opposed to the more typical macros directly within a document. Ultimately the embedded content leverages msiexec.exe to download and execute a malicious payload in one of the many possible Living off the Land approaches to malware execution that has become a prevalent method used by bad actors in an attempt to hide their activity from endpoint security monitoring tools. This blog is an excellent example of how old file format tricks tend to sneak past Anti-Virus, much like we all saw with the IQY and SLK campaigns last year, which also provides an in-depth look at the technique used to deliver the malware, and offers up YARA signatures for your detection and hunting needs.

José Hernandez

@d1vious
Excuse me, I have to go. Somewhere there is a crime happening

The First Mac Malware of 2019 by Yue Chen, Cong Zheng, Wenjun Hu and Zhi Xu

Palo Alto Networks' security research team recently published the first report of 2019, revealing a new and particularly nasty piece MacOS malware that not only steals your browser cookies, saved passwords/credit cards in Chrome, and text messages from iTunes backups, but also drops a cryptocurrency miner. A few notable things about this story sparked my interest—specifically that the attackers were using curldrop as the exfiltration tool for the cookies and credentials. It also drops a common python post-exploitation backdrop, EmPyre, to maintain persistence. Even though the malware uses a filename (xmrig2) similar to the popular Monero miner, it actually mined Koto Zcash-based anonymous cryptocurrency. This is timely, as Splunk Security Research recently finished OSquery add-on for Splunk to help us better monitor MacOS. You can see some examples of its capabilities in the latest Splunk ESCU release.

Derek King

@network_slayer
01001000 01100101 01101100 01101100 01101111 00100000 01110111 01101111 01110010 01101100 01100100

2019 Global Threat Report by Crowdstrike

Now I usually leave the swooning of the MITRE ATT&CK framework to my esteemed colleagues, but this month I would like to jump on the bandwagon. Our friends over at CrowdStrike have just released their 2019 Global Threat Report. Whilst the report makes for an interesting read, what I really like is how they have overlaid a heat map on to the framework outlining the frequency of specific techniques they are observing. If you find the Mitre approach a little overwhelming or want to get a head start on prioritizing efforts, then I think you will like this!