Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. You can check out our previous staff picks here. We hope you enjoy.
Playing With Fire – How We Executed A Critical Supply Chain Attack On Pytorch by John Stawinski IV
"It's important to secure your CI/CD pipelines, and doubly so when members of the public can submit pull requests to your repositories. This report covers a successful exploitation of the PyTorch community repository, which could have had massive downstream implications, given the huge and varied user base of this toolset."
Why We Need to Stop Panicking about Zero-Days by Katie Nickels
"In this talk from Shmoocon 2024, Katie Nickels (Director of Intel Ops at Red Canary) explores how we should respond to zero-day vulnerabilities in the best way possible -- with actual data and figures! There is something to take away here for beginners and cyber veterans alike in how we can collectively, rationally respond to these events."
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 by Alexander Marvi, Shawn Chew, Punsaen Boonyakarn for Mandiant
"Hacks like these remind us of how important detection is after initial access. This vulnerability was patched in October 2023, leaving systems exposed for two years for this Chinese espionage group."
Do Users Write More Insecure Code with AI Assistants? by Neil Perry, Megha Srivastava, Deepak Kumar, Dan Boneh
"Everybody's talking about the potential for Large Language Models (LLMs) like ChatGPT to help in coding, and even in cyber defense. You can ask these systems to write code, and they will come up with passable results (even in Splunk's own query language, SPL). The problem is that they are trained against lots of examples, good and bad - and for cyber, secure and insecure. This research from Cornell University points out some of the ways this can make our systems and applications less, not more, secure. Food for thought!"
~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation from The Hacker News
"Just days after an exploit for a recent Confluence RCE vulnerability was made available, there have been nearly 40,000 exploit attempts. The article states, 'This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.' The article lists 'Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5' as the vulnerable versions. This is yet another blow for organizations that are trying to keep solutions on-prem in their own data centers. Most often it is in these data centers that versions get behind, patches are not applied, and organizations could find themselves vulnerable to such attack vectors."
@audrastreetman / @audrastreetman@infosec.exchange
Authentication Bypass in GoAnywhere MFT by Fortra Security and Trust Center
"Exploit code is now available for a critical authentication bypass vulnerability affecting Fortra's GoAnywhere Managed File Transfer (MFT) software. This is worth paying attention to because ransomware groups have been known to leverage vulnerabilities in file transfer platforms to rapidly target organizations. This includes previous vulnerabilities in MOVEit Transfer, GoAnywhere MFT, and the Accellion File Transfer Appliance (FTA). This new GoAnywhere vulnerability is tracked as CVE-2024-0204 and it has a CVSS score of 9.8 critical. It’s remotely exploitable and could allow an unauthorized user to create admin accounts on GoAnywhere’s administration portal. This is similar to a zero-day vulnerability in GoAnywhere MFT that the cl0p ransomware group leveraged this time last year to target more than 100 organizations. Lateral movement was not observed in last year’s attacks, suggesting that the adversary was able to download files directly from the MFT environment. This is an added challenge for detection. The good news is that there is a fix for this latest vulnerability, which affects MFT versions before 7.4.1. You can read more in Fortra’s security advisory."
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, more than 1,020 patents to date and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.