Staff Picks for Splunk Security Reading January 2023

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. You can check out our previous staff picks here. We hope you enjoy. 

The Mac Malware of 2022 👾 by Patrick Wardle

Recommended by:

Damien Weiss (@damienweiss)

"While we all know about Windows malware, malware on the Mac is a lesser known entity. Thankfully, Patrick Wardle over at Objective-See has been educating folks on the state of security on the Mac for years. This year, he has published the state of Mac malware for 2022 with descriptions and samples of the malware itself. Relevant to us using Splunk, he has also published IOCs for the malware."

Travis Lowe

"This post dives into new Mac malware discovered over the past year. Each sample is broken down and analyzed. There is representation from all kinds of different malware ranging from coin miners to full featured implants capable of all kinds of actions. The goal of the post is for readers to come away with 'a thorough understanding of recent threats targeting macOS' and it definitely delivers."

Ransomware Diaries: Volume 1 by Jon DiMaggio

Recommended by:

Haylee Mills (@7thdrxn)

"Holy moly, this is an incredible deep dive into the impact and operations of the LockBit ransomware group by Jon DiMaggio. It has nearly 100 citations, as well as interesting interactions from the darknet forums Jon has been staking out. I can't even begin to properly articulate the amount of insight into modern ransomware operations this article gets into; set aside an hour, pour yourself a cup of coffee (or bourbon), and enjoy this wild ride."

Madeleine Tauber

"If you, like me, enjoy reading about the 'why' and 'who' behind cyber attacks, then check out Jon DiMaggio’s behavioral profile of the LockBit ransomware gang. After months spent investigating the cybercrime syndicate, he produced this well-researched paper with in-depth analysis of the LockBit gang, their attacks, and their 'outside-of-the-box' strategies for recruitment and growth. The paper also includes findings on the gang leadership's 'narcissistic' tendencies, potential errors in previous attributions, and LockBit's relationships with key members of other ransomware groups such as REvil and DarkSide/BlackMatter. Though a bit lengthy (scroll to the 'Unmasking LockBit' section if you’re short on time!), it is a captivating read providing insight into the minds of cybercriminals."

A Sneaky Ad Scam Tore Through 11 Million Phones by Matt Burgess for WIRED

Recommended by:

Shannon Davis (@DrShannon2000 / @DrShannon2000@infosec.exchange)

"This is a really good article covering a seldom-explored realm in our industry. Digital advertising tends to be a black box where stuff just happens. Beneath the surface, there are a number of vectors that bad actors can abuse in digital advertising, and this article gives us an example called Vastflux that resulted in a huge amount of fraudulent payments to the adversary."

Tamara Chacon (LinkedIn)

"Pop-up ads—let's be honest—are the worst. We have all seen them on the side of a website we are visiting and they have somehow become even more troublesome. This WIRED article is about a widespread attack on the lucrative online advertising business. Researches at Human Security discovered the attack, dubbed Vastflux. The article does a great job outlining their findings and how the ad business works. It is a short but insightful read that may make you dislike online ads even more."

Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident by Lior Sonntag for wiz.io

Recommended by:

Sydney Howard (@letswastetime)

"CircleCI incident got you down? Whether you are a customer or not, it's a great time to review your cloud environments for signs of persistence! This post focuses on ideas for hunting through your logs for signs that adversaries are persisting in your cloud environments. Use these queries to baseline and further build high fidelity detections for your SOC. Happy hunting!"

Timeline of the latest LastPass data breaches by Michael Hill for CSO UK

Recommended by:

Dustin Eastman (@DustinJEastman/@DarkDrgn)

"This article is a very concise outline of all of the recent concerns and issues that have been raised by the breach of the password vault company LastPass. It does an excellent job of providing a glimpse into the nightmares of any system administrator or security practitioner. The article lays out the timeline with the stepwise way in which various elements from an attack built upon one another to lead to progressive access, and potential risk/compromise, and that is seen in the progressive messages from the LastPass organization to clients.

Most importantly, for those of us in security, this article drives home the importance on end-to-end incident investigation, and how just as we might leverage frameworks such as MITRE ATT&CK, or pick your flavor of framework, to map to for our investigation of threats. Adversaries do indeed use these methods, but they also have their own timelines, and ultimate goals. This guides the intentionality in how they strike. It won't necessarily be a single massive strike, it may be iterative, and as time passes we must remain vigilant for signs that something that has occurred may still put the organization at risk."

Chatting Our Way Into Creating a Polymorphic Malware by Eran Shimony and Omer Tsarfati

Recommended by:

Mark Stricker (@maschicago)

"Holy Smokes! This article dives deep into how you could use ChatGPT to create 'polymorphic' malware. The potential is alarming to say the least. It looks at how you could ask ChatGPT to write code to inject a DLL into a running process, explorer.exe. It shows you how to bypass the content filters. Then, it shows you how to get ChatGPT to change the code. That way, you could deploy a different 'file' each time to avoid detection (this is the polymorphic part). It's a little technical, but well worth the read. As security professionals, it's on us to come up with ways to defend against this. This will mean using AI in defense."

World Economic Forum officials warn global instability could lead to catastrophic cyber event by David Jones for Cybersecurity Dive

Recommended by:

Chris Perkins (LinkedIn)

"The article states, 'Companies need to do more to anticipate cyberthreats, because cyber criminals are outsourcing attacks through ransomware as a service operations and using much more sophisticated methods to launch attacks.' To me, this translates to: organizations need to build and/or fortify their networks, systems, and data security so that the digital organization becomes more resilient. Resilient organizations are able to quickly bounce back from any kind of issue whether it be local, regional, or global. The key to unlocking organizational resilience is data... specifically, data analytics."

Canada’s Air Alert System Was Also Disrupted—Fueling Conspiracy Theories by Suzanne Rowan Helleher for Forbes

Recommended by:

Audra Streetman (@audrastreetman / @audrastreetman@infosec.exchange)

"There was much speculation about the possibility of a cyberattack earlier this month when a Federal Aviation Administration system outage led to a full ground stop at U.S. airports. That same day, Nav Canada also reported an outage affecting its version of the same system. Nav Canada said it did not believe the outages were related. It turns out the FAA outage was caused by a damaged database file and there is so far no evidence of a cyberattack.

These two incidents are a good reminder of how cognitive bias can impede investigations into technology-related issues. Theories about a possible cyberattack behind both events are an example of illusory correlation, or a perceived relationship between events when no such relationship exists. It can be easy to miscorrelate two rare and impactful events if they happen at the same time and involve similar technology. Another example is in 2015 when the New York Stock Exchange experienced a computer glitch on the same day that hundreds of United flights were grounded due to a network issue. These issues ended up being unrelated and not caused by hacking. The point here is that understanding cognitive bias and logical fallacies can help security practitioners avoid making inaccurate assessments and decisions when investigating outages and potential breaches."