Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
“While configuring access to their energy management system, Ryan Castellucci found that the security was lax, to say the least. With a relatively small amount of cloud computing and a little time, they were able to recover the private key and establish significant access in the platform. I don't agree that "the tool let them do it" is any excuse for using such small keys, but the response from the vendor was swift and effective.”
“A fresh new threat has hit the villa (Love Island fans, anyone?), this time targeting a Taiwanese university with a backdoor called Backdoor.Msupedge. This one’s quite sneaky as it uses DNS traffic for its command-and-control, which, while increasingly common, is still rare enough that it may help it fly under the radar. The backdoor operates as a DLL and can execute commands like creating a process through DNS TXT records, using URLs received through DNS to download files, triggering sleep modes in the target machine, and removing various temp files. The initial entry was likely through a PHP vulnerability (CVE-2024-4577) and, more specifically, a CGI argument injection vulnerability, which affects all versions of PHP and is sure to be a concern for Windows-based web server admins. Symantec is staying up to date with researching this topic and has provided a list of IOCs in their latest advisory, which can be referenced via the article.”
“Proofpoint's blog post discusses how the Iranian threat actor TA453 targeted a prominent religious figure with a fake podcast invitation. The attack involved sending a benign email to build trust, followed by a malicious link, delivering a new malware toolkit called BlackSmith. This toolkit, including a PowerShell trojan named AnvilEcho, is designed for intelligence gathering and data exfiltration. The post highlights the sophistication of TA453's methods and their focus on exploiting trust to deploy advanced malware. This event serves as a reminder of the complexity and persistent nature of threats in the cybersecurity landscape, especially from nation-state actors.”
“Very interesting approach to the problem of encrypted video! Instead of supercharging hardware or algorithms, just reconsidering our needs. A good reminder of the importance of requirements.”
“This is a classic, feel good, hack-back story about how a Red Teamer named Grant Smith infiltrated a large-scale Chinese Smishing operation. You've probably received one of the USPS package messages yourself. Even the bad guys slack on opsec, SQL Injection, default passwords, and more. A total of 1,133 domains used in the campaign were discovered.”
“Rather than staying very demure this summer, I challenge you to dive into this blog post that reveals how to find treasure in something most people overlook: crash reports! While the author’s focus is on macOS, you can leverage ANY crash report to uncover bugs, malware, and more. Happy hunting!”
“I’ve always worried about those little dialogue boxes on browsers that offer to “remember” your passwords. Convenient, yes, but also seems like a pretty big risk. Turns out I was right to worry! This new threat not only steals your saved credentials, but propagates itself via a Group Policy Object, so it can steal credentials from anyone using Chrome in your enterprise! See this article for a good discussion of this threat and what you can do to mitigate it.”
“As public sector pensions navigate the modern threats of fraud and cyber attacks, I examine in this blog the intersection between technical innovation and security + how human-centered design can enhance anti-fraud efforts. I also discuss the transformation from traditional pension systems to advanced, resilient systems that safeguard the financial futures of millions of public servants while making them easier to use, manage and observe.”
@audrastreetman / @[email protected]
“I’m looking forward to watching this documentary by Cisco Talos about the impact of electronic warfare in Ukraine, which is coming out soon. The story follows Project PowerUp, an effort led by Talos cyber threat researcher and security strategist Joe Marshall, which aims to help keep the lights on in Ukraine by improving stability in the country’s power transmission grid. You can read more about the project here.”
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.