Staff Picks for Splunk Security Reading June 2023

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy. 

Ronald Beiboer

LinkedIn

Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable by Ravie Lakshmanan for The Hacker News

"Critically important to not only focus on prevention or detection in the inital access stage. Make sure you are able to detect lateral movement and follow-up actions by the adversary after a succesfull breach of you systems. When you don't, you are extremely vulnerable."

Tony Iacobelli

New TTPs for BECs by Stephan Berger

"In this series of tweets, the author talks about how instead of making a new inbox rule (which you should definitely be monitoring your inboxes for), the actor leverages blocked senders and domains to functionally accomplish the same thing during a Business Email Compromise (BEC). This is an interesting way to evade some more traditional detection use cases that look for inbox rule creation and even potentially large amounts of undeliverable notices being sent to an inbox. The author also mentions PwC's BEC IR guide, which is contained in the tweets and is a fantastic resource if you are unfamiliar with responses to these types of threats. Finally, now would be a good time to check your auditing in your M365 of G Suite tenant!"

Mark Stricker

@maschicago

ChatGPT Hallucinations Open Developers to Supply Chain Malware Attacks by Elizabeth Montalbano for Dark Reading

"Remember when it seemed like ChatGPT was a good thing? The fact that it sometimes makes stuff up is, in retrospect, pretty bad! It seems that now malicious actors are building code packages complete with malware to implement the "non-existent" packages that ChatGPT hallucinates. Developers, beware!"

Tamara Chacon

Linkedin

The Bold Plan to Create Cyber 311 Hotlines by Eric Geller for WIRED

"What do you do when you see a large pothole in your local area? You call 311 to report and get assistance. There are many small business that lack basic cyber hygiene because they are unable to buy the different softwares, are understaffed, and lack a decent budget. This is where the idea of a Cyber 311 hotline comes into play. The University of Texas in Austin is starting up a pilot program (supported by CISA) to have students give cybersecurity services pro-bono to the local community. Having students assist their local area for free is not a new concept; law students have been doing it for decades. If this pilot run goes well, CISA would consider creating a larger scale version of the 311. The article by Eric Geller breaks down what the program will look like and how it can benefit small and local business."

Richard Marsh

Linkedin

Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers by Guy Nachshon for Checkmarx

"We're only beginning to see how creative attackers can be when attacking supply chains. This S3 takeover attack is very similar to expired domain takeovers we've seen for quite a while. Software maintainers should maintain ownership of buckets to avoid this risk in the future or move to a different delivery method like 'bignum' did."

Kassandra Murphy

Fake security researchers push malware files on GitHub by Christopher Boyd for Malwarebytes

"As if there wasn't already enough to worry about! The social engineering of it all! The irony! Unfortunately VulnCheck recently identified a campaign whereby attackers utilized actual security practitioners personas to lure unsuspecting victims into downloading malware from a handful of GitHub repositories. In this article, it’s described that, starting in May, various downloads were offered for a number of different exploits to include an alleged zero-day for Signal among other big names like Chrome and Exchange. Not only were these repositories created, the attackers leaned in even creating social media to promote their findings utilizing cybersecurity hashtags that we all follow on Twitter. Ultimately, the pages have been taken offline but the article does include a list of the GitHub repositories, accounts, and Twitter accounts in the case you were (hopefully not) in contact with any of them. Another lesson that even if something looks legitimate, check your code before downloading."

Charlotte Guiney

Linkedin

BEYOND THE HORIZON: TRAVELING THE WORLD ON CAMARO DRAGON’S USB FLASH DRIVES by the Check Point Research Team

"In this article, Check Point dissects a recent malware infection of a European hospital by the Chinese state-sponsored espionage threat actor Mustang Panda. What makes this campaign interesting, is that the Initial Access vector for the first infection was via a USB drive while an employee attended a conference in China and connected a USB drive to a colleague's already infected computer. Although the targeting of this campaign targeted a European hospital, this is the third USB-related, Chinese state-sponsored campaign I've read about so far this year. As Replication Through Removable Media is not a new Initial Access vector, it is fascinating to see it come back. This also highlights the importance of the safe travel policies!"

Danny Furtaw

@furtawww / Linkedin

Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer by Ravie Lakshmanan for The Hacker News

"Great <10 min. read on a highly sophisticated attack that was carried out against an East Asian IT firm. The malware used in this operation was written in Go, which we are seeing increase in popularity as the language of choice among malware authors. This operation also carried on for quite some time, nearly a year. If you're a blue teamer and are responsible for (or interested in) reverse-engineering, it may be a perfect time to learn Golang. This also goes to show that just because we think our environment is clean and secure, we must remain vigilant when looking for threat actors. Sophisticated APT's <3 to lurk before striking. Happy hunting!"

Adam Swanda

mastodon.social/@deadbits

Applying Cone of Plausibility to CTI by SecAlliance

"This blog post describes how cyber threat intelligence analysts can apply the Cone of Plausibility (a structured analytical technique) to model realistic scenarios of threat actors' actions given different events or assumptions. Accurate forecasting, especially over more extended periods, can be one of the more difficult tasks for an analyst, but by applying methodologies like this one, analysts can understand how a situation could plausibly change based on key factors."

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Progess Software Faces More Lawsuits Over MOVEit Data Breach by Randi Love for Bloomberg Law

"Bloomberg Law reports Progress Software Corp. is named in more than one proposed class action lawsuit after vulnerabilities in its MOVEit file transfer service were exploited by the Cl0p ransomware group. The lawsuits allege that Progress failed to implement adequate security measures, monitor its network, properly train employees, or provide timely notice of the incident. As of June 26, at least 106 organizations have disclosed being impacted or were listed on Cl0p's leak site, according to Brett Callow, threat analyst at Emsisoft. Altogether, the breaches reportedly compromised the personal information of nearly 15 million people. What's worrisome is that Cl0p has now leveraged several zero-day vulnerabilities in file transfer solutions like GoAnywhere MFT, Accellion FTA, and MOVEit Transfer in order to rapidly target organizations with success."