Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask by Andy Greenberg
“Andy Greenberg, author of the awesome book ‘Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,’ interviews Alejandro Caceres -- aka p4x -- who briefly took down the North Korean internet and wants to influence US cyber operations to become more offensive. I don't have a strong opinion one way or another, but it is an interesting thought that maybe one of the most effective deterrents to cybercrime is consequences. Conversely, maybe that just makes offensive operations more prevalent. Regardless, an interesting and compelling article!”
CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth by CISA
“This write-up outlining a red team operation conducted by CISA against an unnamed federal civilian executive branch organization is amazing. The techniques used, the recommendations made, and alignment with a number of things we tell people to do daily make this a great read.”
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs by James Nutland for Cisco Talos
“In this article, the Cisco Talos team explains and visualizes common TTPs for ransomware attacks from their research over the past year in an insightful and concise manner. Most folks are aware of ransomware attacks and the chaos that they can provoke within an organization, and although as practitioners we may be weary of hearing about ransomware, this attack vector has continued to grow. In fact, there are some new groups who have entered the scene, including Hunters International, Akira, and Cactus. What’s amazing is that organizations in just about every vertical can be vulnerable, everyone from furniture manufacturers to the oil and gas industry. Despite the variation in attackers and the industries that they target, the tactics and techniques that these groups tend to use follow some similar patterns which are crucial to understand as defenders.”
APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K. by The Hacker News
“Several organizations across various sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have been targeted by the Chinese hacking group APT41 since 2023. APT41 successfully infiltrated networks to extract sensitive data using non-public malware and advanced tools, including web shells, custom droppers, and SQLULDR2. They utilized Google Workspace accounts for concealment and abused Microsoft OneDrive for data exfiltration. Mandiant identified numerous plugins used by APT41 for various malicious activities. Additionally, Sygnia reported a cyberattack by GhostEmperor, another China-nexus group, using a Demodex rootkit variant.”
CrowdStrike update crashes Windows systems, causes outages worldwide by Ionut Ilascu for Bleeping Computer
“A CrowdStrike update on July 18 resulted in a BSOD (blue screen of death) on Windows systems, affecting all kinds of businesses. This included banks, airlines, and hospitals. This will have effects on cybersecurity. For example, to recover, users might disable CrowdStrike. This will leave an opening for threat actors. As network defenders, we should closely watch the investigation into the CrowdStrike event and its aftermath. There will be lots of lessons to learn here.”
Huge Microsoft Outage Caused by CrowdStrike Takes Down Computers Around the World by Matt Burgess for WIRED
“Early on a Friday morning you arrive at the office, only to find that several of your critical systems are displaying a Blue Screen of Death (BSOD). It's the nightmare of every administrator. Unfortunately, one that recently came to life with the recent CrowdStrike outage, first seen in Australia, and then quickly expanding around the globe.
The outage came after a faulty update to the CrowdStrike Falcon Sensor was delivered to many customers, causing hiccups in operations for airlines, hotels, hospitals, and many other sectors across the globe. It is important here to point out that George Kurtz, CrowdStrike CEO, is quoted in the article as saying, ‘This is not a security incident or cyberattack[...]’. The article goes on to discuss how CrowdStrike immediately began working to resolve this issue. After this unfortunate incident, bad actors may see this as an opportunity to launch phishing or social engineering attacks leveraging information about this incident to try and infiltrate organizations. It is important to stay aware of such attempts and remind staff of organizational policies around unusual/unexpected emails, proper methods of handling attachments and other best security practices.
One independent cybersecurity researcher, Lukasz Olejnik, had a great quote in this article about the importance of technology in our everyday lives: ‘It reminds us about our dependence on IT and software.’ With that importance being ever so clear after this incident, it reaffirms not just a need for strong cybersecurity practices, but user education to help avoid any future fallout from adversaries who may use this event to plan their next move.”
Use A Work Journal To Recover Focus Faster And Clarify Your Thoughts by Charles Féval
“We security professionals find ourselves immersed daily in dynamic and (often) Ops environments. We have to balance deep technical tasks with constant shifts in attention. This technique has its working principle deeply rooted in our brain and will definitely pay dividends. (Bonus points if combined with GenAI!)”
@audrastreetman / @audrastreetman@infosec.exchange
Treasury Sanctions Leader and Primary Member of the Cyber Army of Russia Reborn by the US Department of the Treasury
“This US Treasury Department announcement fell under the radar because it coincided with the CrowdStrike outages on July 19. The press release announces sanctions against two named members of a Russian government-aligned hacktivist group for their roles in cyber operations against US critical infrastructure. This includes an attack on a Texas water utility in January 2024 that compromised industrial control systems, resulting in the loss of tens of thousands of gallons of water.
According to the press release, the hacktivist group named Cyber Army of Russia Reborn (CARR) was also able to compromise the SCADA system of a US energy company, briefly giving them control over the system’s alarms and pumps. The release states, ‘Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication.’
The release says one of the named hacktivist members developed training materials on how to compromise SCADA systems and was ‘possibly looking to distribute the materials to external groups.’”
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.