What's New in ESCU: June 2018

June was a busy month for the Security Research Team. This valiant group of dedicated digital defenders has been hard at work protecting the world from evil, so you can get back to the important business of summer barbecue!

Here’s what was included in the Enterprise Security Content Update (ESCU) app’s three June releases:

Orangeworm Is Back...with a Vengeance

The attack group Orangeworm, first identified in 2015, has been carrying out targeted campaigns against the healthcare industry in the U.S., Europe, and Asia. The group's motives are unconfirmed, but corporate espionage is the leading hypothesis.

Orangeworm deploys a particularly virulent backdoor called Kwampirs that gives the threat actors remote access to the compromised system. According to Microsoft, the malware may be distributed through software supply channels. "It can self-propagate from infected computers through administrative shares. It runs as a service and can delete files, terminate processes, and contact a remote server," the company's report said.

According to a Symantec blog post, the malware decrypts and extracts a copy of its main DLL payload and, before writing that payload to disk, inserts a randomly generated string into it so that every dropped copy has a different file hash, defeating hash-based detection. Kwampirs then gathers system data (network-adapter details and the system version, among other things) and sends it back to the threat group.

In June, the Security Research Team released an Analytic Story containing searches that detect and investigate techniques used by the Orangeworm actors. Because these tactics are not unique to Orangeworm, the same analytics help protect your environment against other attackers who employ these methods.

DHS Releases Technical Alert (TA18-149A) Regarding North Korea's "HIDDEN COBRA" Malware

In June, the Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert TA18-149A regarding two families of North Korean malware. The first, dubbed "Joanap," is a multi-stage peer-to-peer backdoor that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and set up proxy communications. The second, dubbed "Brambul," is a Windows 32-bit SMB worm that is dropped into a victim's network. When executed, it attempts to spread laterally within the victim's local subnet by connecting to other hosts over SMB and brute-forcing their passwords. Once a host is infected, the malware reports details about it to the HIDDEN COBRA actors via email, which the group can then use for secondary remote operations.

An Analytic Story released this month in the ESCU app identifies the techniques and indicators associated with these malware families. Its analytics help you monitor for and investigate activity that could be evidence of infiltration by North Korean government-sponsored actors.
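The ESCU searches for both stories are SPL that runs inside Splunk; the following is an added illustration, not ESCU content, that re-implements the two SMB behaviours described above in plain Python so the detection logic can be read and exercised offline. The sample events are constructed, and the normalised field names (src_ip, dest_host, share) are assumptions rather than a real Windows event schema, though the Event IDs are the real ones: 4625 is a failed logon (LogonType 3 is a network logon, which is what SMB produces) and 5140 is a network share access. The first detector looks for Brambul-style password spraying (one source failing network logons against many hosts in a short window); the second looks for Kwampirs-style propagation (one source reaching administrative shares such as ADMIN$ or C$ on several hosts).

```python
"""Offline re-implementation of two SMB lateral-movement detections (added example, not ESCU SPL)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
_ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$)$")  # ADMIN$, C$, D$, ... (IPC$ is too noisy)


def _ev(t, code, src, dest, user, share=None, logon_type=3):
    """Minimal normalised Windows Security event. Field names are assumptions, not a real schema."""
    return {"time": t.strftime(FMT), "EventCode": code, "LogonType": logon_type,
            "src_ip": src, "dest_host": dest, "user": user, "share": share}


# --- Constructed sample telemetry (not real logs) --------------------------------------
_base = datetime(2018, 6, 5, 10, 0, 0)
SAMPLE_EVENTS = []
# Brambul-like: one infected host fails network logons against six neighbours in three minutes...
for i in range(12):
    SAMPLE_EVENTS.append(_ev(_base + timedelta(seconds=15 * i), 4625,
                             "10.1.2.50", f"HOST{i % 6 + 1:02d}", "Administrator"))
# ...then, Kwampirs-like, reaches ADMIN$ on three of them.
for i in range(3):
    SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=5, seconds=i), 5140,
                             "10.1.2.50", f"HOST{i + 1:02d}", "Administrator", share=r"\\*\ADMIN$"))
# Benign noise: a user mistypes a password twice and then opens an ordinary share.
SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=1), 4625, "10.1.2.20", "FILESRV", "jsmith"))
SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=1, seconds=20), 4625, "10.1.2.20", "FILESRV", "jsmith"))
SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=2), 5140, "10.1.2.20", "FILESRV", "jsmith", share=r"\\*\Public"))


def smb_bruteforce_sources(events, window=timedelta(minutes=5), min_failures=10, min_hosts=5):
    """Sources with >= min_failures failed network logons spanning >= min_hosts distinct hosts inside `window`.

    Returns {src_ip: {"failures": n, "hosts": [...]}} for the densest qualifying window per source.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625 and e["LogonType"] == 3:
            by_src[e["src_ip"]].append((datetime.strptime(e["time"], FMT), e["dest_host"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):                       # sliding time window over sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            win = items[start:end + 1]
            hosts = {h for _, h in win}
            if len(win) >= min_failures and len(hosts) >= min_hosts and (best is None or len(win) > best["failures"]):
                best = {"failures": len(win), "hosts": sorted(hosts)}
        if best:
            hits[src] = best
    return hits


def admin_share_fanout(events, min_hosts=3):
    """(src_ip, user) pairs that accessed an administrative share on >= min_hosts distinct hosts.

    Share names arrive as \\\\*\\ADMIN$ in event 5140; only the last path component is compared.
    """
    by_actor = defaultdict(set)
    for e in events:
        if e["EventCode"] != 5140 or not e["share"]:
            continue
        share_name = e["share"].rsplit("\\", 1)[-1].upper()
        if _ADMIN_SHARE.match(share_name):
            by_actor[(e["src_ip"], e["user"])].add(e["dest_host"])
    return {actor: sorted(hosts) for actor, hosts in by_actor.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("SMB brute-force sources:", smb_bruteforce_sources(SAMPLE_EVENTS))
    print("Admin-share fan-out:", admin_share_fanout(SAMPLE_EVENTS))
```

In production the thresholds would be tuned per environment (vulnerability scanners and backup servers legitimately touch many admin shares), which is why both detectors expose them as parameters rather than constants.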

Splunk Issues Response to Vulnerability Reported in CVE-2018-11409

On June 18, Splunk posted a response to CVE-2018-11409 (Information Exposure), as published in NIST's National Vulnerability Database. The entry describes a vulnerability in Splunk Enterprise versions 6.2.3 through 7.0.1 that exposes system information through a REST endpoint; other versions may also be affected. This is the first publicly disclosed Splunk vulnerability since the spring of 2017.

According to Splunk Answers, exploiting the issue requires an authenticated Splunk user, which limits its scope and impact. A June ESCU Analytic Story provides searches that monitor for evidence of exploitation via the method described above.

Also featured in ESCU this month were the following new Analytic Stories:

  • Command and Control. Attackers often install implants on compromised endpoints to receive instructions and send data back to their operators. Use the searches in this Analytic Story to detect and investigate the tactics, techniques, and procedures of attackers who establish command-and-control channels.
  • Suspicious Windows Registry Activities. This Analytic Story falls under the "Adversary Tactics" category. Attackers often modify the Windows registry to elevate their privileges, maintain persistence, or move laterally within the target network. The story, released in one of June's ESCU updates, helps you monitor for and detect suspicious changes to the registry.
  • AWS Cross-Account Activity. Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. A principal assuming a role it has never used before could be an indication of malicious activity.
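As an added illustration of the cross-account idea (not ESCU content; the ESCU story implements it as SPL over indexed CloudTrail data), the Python below scans CloudTrail records for sts:AssumeRole calls whose target role lives in a different account than the caller, then compares each (principal, role) pair against a baseline of previously seen pairs so that first-time assumptions stand out. The records, account IDs, principal names and IP addresses are constructed; the field names (eventSource, eventName, userIdentity.accountId, requestParameters.roleArn, errorCode) follow the CloudTrail record format.

```python
"""Cross-account AssumeRole detection over CloudTrail records (added example, not ESCU SPL)."""
import json
import re

_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")

# --- Constructed CloudTrail records (fictitious accounts, users and IPs) ----------------
SAMPLE_RECORDS = [
    # alice assumes the org audit role in the security account: known, expected.
    {"eventTime": "2018-06-12T08:01:10Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrgAuditRole", "roleSessionName": "alice-audit"}},
    # Same-account role switch: not cross-account, ignored.
    {"eventTime": "2018-06-12T08:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy", "roleSessionName": "deploy"}},
    # Unrelated STS call: ignored.
    {"eventTime": "2018-06-12T08:06:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"}},
    # bob assumes an admin role in a third account from an unfamiliar address: never seen before.
    {"eventTime": "2018-06-12T23:40:31Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/AdminAccess", "roleSessionName": "x"}},
    # alice tries the same role and is denied: failed attempts are still worth surfacing.
    {"eventTime": "2018-06-12T23:42:02Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/AdminAccess", "roleSessionName": "y"}},
]

# Baseline of (principal ARN, role ARN) pairs seen in the lookback period (constructed).
KNOWN_PAIRS = {
    ("arn:aws:iam::111111111111:user/alice", "arn:aws:iam::222222222222:role/OrgAuditRole"),
}


def find_cross_account_assumptions(records):
    """Return one finding per AssumeRole whose target role's account differs from the caller's account.

    Accepts dicts or JSON strings. Denied attempts are kept and carry the errorCode in `error`.
    """
    findings = []
    for rec in records:
        r = json.loads(rec) if isinstance(rec, str) else rec
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole":
            continue
        role_arn = (r.get("requestParameters") or {}).get("roleArn", "")
        m = _ROLE_ARN.match(role_arn)
        identity = r.get("userIdentity") or {}
        caller_account = identity.get("accountId")
        if not m or not caller_account:
            continue  # unparseable ARN or anonymous caller: nothing to compare
        target_account = m.group(1)
        if target_account == caller_account:
            continue  # same-account role switch, out of scope for this story
        findings.append({
            "time": r.get("eventTime"), "principal": identity.get("arn"), "src_account": caller_account,
            "dest_account": target_account, "role": role_arn, "src_ip": r.get("sourceIPAddress"),
            "error": r.get("errorCode"),
        })
    return findings


def flag_new_role_assumptions(findings, baseline):
    """Keep only findings whose (principal, role) pair has not been seen in the baseline."""
    return [f for f in findings if (f["principal"], f["role"]) not in baseline]


if __name__ == "__main__":
    found = find_cross_account_assumptions(SAMPLE_RECORDS)
    for f in flag_new_role_assumptions(found, KNOWN_PAIRS):
        print(f"{f['time']} {f['principal']} -> {f['role']} from {f['src_ip']} error={f['error']}")
```

The baseline would normally be built from the same data source over a trailing window (the SPL equivalent is a lookup or a summary index); what matters for the detection is that a principal's first use of a role in another account is treated as an event to triage, whether or not STS allowed it.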

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk Enterprise Security Content Update v1.0.20 now!

The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.
