Staff Picks for Splunk Security Reading May 2020

Ryan Kovar

@meansec

We didn't start the fire

Understanding and Baselining Network Behaviour using Machine Learning Parts 1 & 2 by Greg Ainslie-Malik

I love the "idea" of machine learning, but I often find it is a bit pie-in-the-sky. A recent blog post by my colleague Greg Ainslie-Malik gives some nice step-by-step guidance of how to use the Deep Learning Toolkit developed by Philipp Drieger to analyze a generated dataset from CIDDS (Coburg Intrusion Detection Data Sets). The ability to visualize the network traffic and apply models is really cool. Once I have time, I want to take old BOTS data and try it all out. Nice to see some actual ML that is useful and clearly laid out. Kudos, Greg and Philipp!

Drew Church

@drewchurch

It was always burning

Detect and Prevent Web Shell Malware by National Security Agency and Australian Signals Directorate

This joint Cybersecurity Advisory from the US National Security Agency (NSA) and Australian Signals Directorate (ASD) is a great technical resource for understanding what web shell malware is as well as explaining detection and prevention methodologies. What takes this whitepaper from good to great is the inclusion of nine appendices with scripts, rules, and yes, even Splunk SPL, to help defenders with the problem. I wish more people and organizations gave this kind of practical advice in their advisories. I also want to point out that the NSA publishes a wealth of knowledge on their portal here and the ASD publishes their guidance here.

Andrew Morris

Since the world's been turning

"PerSwaysion" Phishing Campaign Targets High-Ranked Professionals Across The Globe by Cisomag, Feixiang He

This article grabbed my attention as I had never heard of Microsoft Sway, so I thought maybe there was some new code exploit. Sway is a tool that looks like a combination of Powerpoint and Publisher and is hosted online. I found the attack interesting as it is targeting possible SSO credentials, and uses an n-tier architecture to distribute its functions. The original research (linked to in the summary article above) is here.

Ray Cruciata

We didn't start the fire

Symon v11.0 by Microsoft by Mark Russinovich and Thomas Garnier

If you liked what was introduced last summer in Microsoft Sysmon v10.0, then you should be very excited about the brand new v11.0 release. This major update to Sysmon includes file delete and archive monitoring to help responders capture attacker tools and quickly identify malicious or anomalous activity. But wait, there's more... there are plenty of other new features that can also be very valuable when threat hunting with Splunk. Don't believe me? Check it out yourself!

Matt Toth

@willhackforfood

No we didn't light it

GRU Hacker wanted by FBI, now indicted by Germany by Christo Grozev

A GRU hacker, Dmitry Badin, who is on the FBI's wanted list of his alleged involvement in hacking attempts against the USADA and WADA has now been indicted by Germany for the Bundestag Hack. This hack occurred back in April 2015, and ended with over 16GB of data being exfiltrated, which included a lot of sensitive information presumably. The hacker did not always practice good OPSEC though and his credentials were leaked, exposing a rather simple password. Even hackers get lazy when they don't feel that there are real consequences to their actions.

John Stoner

@stonerpsu

But we tried to fight it

Gamaredon APT Group Use COVID-19 Lure in Campaigns by Hiroyuki Kakara and Erina Maruyama

It should not come as a surprise to anyone that reads this blog regularly that COVID-19 lures are being used for all sorts of nefarious purposes. Recently, the research team at TrendMicro found that Gamaredon, an APT group targeting Ukraine, and suspected to be the same group as BlueAlpha and has been attributed to be the FSB 16th and 18th divisions, was actively conducting operations earlier this year. In March, TrendMicro identified tactics associated with email attachments that Gamaredon had previously used, but this time some of the emails leveraged the ongoing pandemic as part of its lure. This specific campaign is also extending beyond Ukraine to other European countries. TrendMicro's blog goes on to highlight their findings with mapping to MITRE techniques and provides a nice set of findings to work with. As a bonus, and to muddy the waters a bit more, Recorded Future reported seeing Gamaredon having overlapping infrastructure with Iranian nation-state actors. So, I've just ended up giving you three articles to read on this, but the underlying message remains constant: current events are highly effective lures for phishing.

Tim Frazier

@timfrazier1

But when we are gone

Finding Evil in AWS: A key pair to remember by Anthony Randazzo, Britton Manahan and Sam Lipton

Finding and responding to security incidents that happen in cloud environments like AWS, GCP, or Azure is a nascent topic that is evolving daily. Check out this blog post from Expel for a great write up of a real-world example of detecting and responding to some "badness" in AWS, including what specifically they detected on, how they gathered context about it, and what they recommended to their customer as an appropriate response. If you have been struggling thinking of what sort of things you should detect with your AWS Cloudtrail logs or what kind of process you should follow when finding something interesting, I highly recommend this blog post from Expel.

Julia Cuaderes

@infosecjulia

Will it still burn on, and on, and on, and on

Fingerprint Cloning: Myth or Reality? by Paul Rascagneres and Vitor Ventura

With every new security layer comes a unique opportunity for attackers to peel it back, reverse engineer it, and manipulate it to their needs. How does this apply to logging into devices with your fingerprint? Biometric authentication has gained traction over the last five years, so I'm sure this topic is relevant to you or someone you know (Mom and Dad, I'm talking to you!). This blog post from the Talos research team details their quest to bypass fingerprint authentication in phones, laptops, and USB drives. In using different collection methods, they are successful in replicating fingerprints to gain access to these devices. And while this may sound like a worthwhile garage project, this research makes it clear the initiative was tedious and spanned over months of work. The article's conclusion emphasizes you should only worry if you're a high-profile target or store intellectual property on your devices. However, because I'm paranoid, I will ignore biometrics altogether and happily stick with my fossilized iPhone passcode.

Mick Baccio

@nohackme

Nevermind, Mick lit it.

Shade ransomware shuts down and releases decryption keys by Catalin Cimpanu

I'm not sure how, but I managed to finish all five seasons of The Wire in a month - hooray completely jacked up circadian rhythm. While trying to search for ways that will make my brain stop holding my sleep hostage, I came across many ransomware articles - I think my google-fu may need some tuning. Ransomware is the constant evil we hear about...constantly, maybe we know someone or know a company that fell victim to a ransomware attack. In 2019, the financial impact of ransomware attacks almost tripled to $36k per incident - average estimates showed over 11 BILLION dollars in damages globally in 2019. There are incredible resources out there that will provide information about different ransomware strains, potential vectors for infection, and bad actors utilizing these exploit kits to rip people off.

One of the more high profile variants is Shade. First spotted around 2014, Shade has been one of the most prolific strains and approximated to be responsible for over 50% of the malicious code spotted 'in the wild' in the first half of last year. Inexplicably, the operators behind the Shade malware shut down operations in late 2019. We're all pretty aware of the wonkiness that is 2020, so of course, this gets weirder. In addition to shutting down operations, the group released 750,000 decryption keys to allow victims to recover their data. A note published to Github reads, "We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data." To help victims, Kaspersky developed and published tools to decrypt files on victim machines.

I am thankful there is one less active ransomware variant - only eleventy billion to go. Stay frosty out there.

Damien Weiss

@damienweiss

First in but last out

Hunter of Default Logins (Web/HTTP) by Infosec Matter

Far too many times, we have people placing devices on our networks with zero to little security. And far worse, they're using default usernames and passwords. Faithful reader, I wish I knew why people did this, but I do not. I do, however, know how to detect these devices and feed the information into Splunk so you can leverage our notifications and correlation goodness. Go to the link and download the Default HTTP Login Hunter. Run it against your network, perhaps a subnet at a time, and place the results in a monitored location. Viola, you have a default killer.