Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
Breach Forums – When Student Becomes The Teacher by the Photon Research Team
"The team over at Digital Shadows released a fantastic update on the cybercrime forum landscape. Following the seizure of Raid Forums earlier in February of this year, a former user has established a new dominant cybercrime forum in roughly four months' time. Boasting 10.9 billion records (including data sets like the Shanghai National Police database), Breach Forums continues to pose an increased threat to businesses and shows no signs of slowing down. Horror vacui, but make it cybercrime."
WarCon 2022 - Modern Initial Access and Evasion Tactics by Mariusz Banach
"Mariusz recently presented on Modern Initial Access and Evasion Tactics at WarCon22. The focus is from a Red Teamer's perspective; however, the techniques are pertinent to recent adversary tradecraft utilizing ISO files, HTML smuggling, LNK and standard VBA macros. I found the content fresh and up to date, including research into what is well detected and what is not. The research itself certainly helps defenders focus on priority evasive tactics by adversaries."
Review of the December 2021 Log4j Event by the Cyber Safety Review Board
"The Cyber Safety Review Board (CSRB), newly formed under President Joe Biden's Executive Order, released its first report on the private and public response to Log4Shell in the United States. The board worked with nearly 80 organizations and individuals to gather insight into the Log4j vulnerability. The report includes 19 recommendations to address continued risks, drive cybersecurity best practices, build a better software ecosystem and invest in future research. Splunk SURGe is listed in the report as the first organization to issue an advisory to help defenders and the community detect Log4Shell exploitation.
The CSRB found no evidence that Log4Shell was exploited prior to its disclosure on December 9th. However, it's still unclear how BoundaryX, a PRC-based cybersecurity company, uncovered the vulnerability before its public disclosure and posted a redacted screenshot of a PoC exploit on WeChat.
The Chinese government declined to comment on reports that its Ministry of Industry and Information Technology (MIIT) suspended an information-sharing partnership with Alibaba Cloud Computing. Alibaba security researcher Chen Zhaojun first disclosed the vulnerability to the Apache Software Foundation (ASF) on Nov. 24 and notified MIIT on Dec. 13. The CSRB raised concerns about mandatory vulnerability disclosure laws in the PRC, which could offer early access to serious vulnerabilities before they are patched.
'In the Board’s judgment, Alibaba’s researcher acted responsibly by following a sound coordinated disclosure process with ASF,' the report states. 'The Board is concerned about alleged punitive government sanctions creating a chilling effect on future coordinated disclosure.'"
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, more than 1,020 patents to date and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment, so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.