Staff Picks for Splunk Security Reading April 2024

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

James Hodgkinson

yaleman@mastodon.social

Kobold Letters: Why HTML emails are a risk to your organization by Konstantin Weddige for Lutra Security

“‘Kobold Letters’ describes a way of hiding text in an email, using CSS, so that it shows up only once you forward it. The method requires targeting a specific client, but some of the implementations would likely attack multiple clients, and there are only a few at the end of the day. They're neat and show that one person's neat feature is another person's attack vector.”
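
A small model of the pattern James describes, added here as an illustration and not code from the Lutra Security post: one CSS rule hides a paragraph, a second rule with extra ancestor context shows it again, so the text only renders once a forwarding client wraps the original message in a new container element. The `.fwd` wrapper class and the sample message are constructed for this example; real mail clients use their own, client-specific wrapper elements, which is why the technique has to target a particular client. The last function is a simple heuristic a mail-filtering pipeline could use to flag such context-dependent display toggles.

```python
"""Toy model of a 'Kobold Letter': text that is hidden for the first
recipient but rendered for anyone it is forwarded to."""
import re
from html.parser import HTMLParser

# Constructed sample message.  '.fwd' stands in for whatever element a given
# mail client wraps the quoted original in when forwarding (an assumption;
# the real selector is client-specific).
SAMPLE_EMAIL = """
<html><head><style>
  .kobold { display: none; }
  .fwd .kobold { display: block; }
  .decoy { display: block; }
  .fwd .decoy { display: none; }
</style></head>
<body>
  <p class="decoy">Hi Alice, please review the attached Q2 numbers.</p>
  <p class="kobold">Hi Bob, Alice approved the wire transfer. Send it today.</p>
</body></html>
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def parse_css(css):
    """Return [(selector_compounds, display_value)] for rules that set
    'display'.  Selectors are limited to descendant chains of class names,
    which is all this model needs; anything else is ignored."""
    rules = []
    for sel, body in RULE_RE.findall(css):
        m = re.search(r"display\s*:\s*([a-z-]+)", body)
        compounds = [c.lstrip(".") for c in sel.split()]
        if m and compounds:
            rules.append((compounds, m.group(1)))
    return rules


def matches(compounds, chain):
    """Descendant-selector match: the last compound must be one of the
    element's own classes; earlier compounds must appear, in order, among
    its ancestors (chain is outermost-first, element last)."""
    *ancestors, own = compounds
    if own not in chain[-1]:
        return False
    pos = 0
    for anc in ancestors:
        while pos < len(chain) - 1 and anc not in chain[pos]:
            pos += 1
        if pos >= len(chain) - 1:
            return False
        pos += 1
    return True


def display_for(chain, rules):
    """Last matching rule wins.  Good enough here: the sample's contextual
    rules also have higher specificity, so real cascade order agrees."""
    value = "block"
    for compounds, disp in rules:
        if matches(compounds, chain):
            value = disp
    return value


class Collector(HTMLParser):
    """Collect the inline stylesheet and every text node with the class
    sets of its ancestors, outermost first."""

    def __init__(self):
        super().__init__()
        self.stack, self.css, self.in_style, self.spans = [], "", False, []

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.stack.append(set(dict(attrs).get("class", "").split()))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:
            self.css += data
        elif data.strip():
            self.spans.append((list(self.stack), data.strip()))


def visible_text(email_html, wrapper_class=None):
    """Render the mail as a recipient sees it.  With wrapper_class set, the
    whole body is treated as nested inside a forwarding container."""
    c = Collector()
    c.feed(email_html)
    rules = parse_css(c.css)
    prefix = [{wrapper_class}] if wrapper_class else []
    return [text for chain, text in c.spans
            if display_for(prefix + chain, rules) != "none"]


def find_context_toggles(email_html):
    """Flag classes whose 'display' is 'none' under one rule and visible
    under another rule that differs only in ancestor context: the
    signature of content that appears only after re-wrapping."""
    c = Collector()
    c.feed(email_html)
    seen = {}
    for compounds, disp in parse_css(c.css):
        seen.setdefault(compounds[-1], set()).add((len(compounds) > 1, disp))
    return sorted(cls for cls, s in seen.items()
                  if "none" in {d for _, d in s}
                  and len({d for _, d in s}) > 1
                  and len({ctx for ctx, _ in s}) > 1)


if __name__ == "__main__":
    print("original recipient sees:", visible_text(SAMPLE_EMAIL))
    print("forwarded recipient sees:", visible_text(SAMPLE_EMAIL, "fwd"))
    print("suspicious classes:", find_context_toggles(SAMPLE_EMAIL))
```

Run as-is, the first recipient sees only the decoy paragraph, the forwarded copy shows only the hidden one, and the heuristic flags both classes. The heuristic is deliberately narrow (class-only descendant selectors); a production filter would have to handle attribute and id selectors, `!important`, and inline styles as well.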

David Montero-Suárez

LinkedIn

An Undetectable Computer Virus by David M. Chess and Steve R. White at the IBM Thomas J. Watson Research Center

“It's always fascinating to see how math helps us to distill and grasp complex problems! Although not new, this read is very interesting, and it is also a helpful reminder that we as cybersecurity practitioners have a wide range of tools and techniques at our disposal for safeguarding networks, even the ‘old-fashioned’ straight-up math.”

Brandon Sternfield

@TheLawsOfChaos

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) by Volexity Threat Research

“In the ever-evolving landscape of cybersecurity threats, another vulnerability has emerged in the form of an unauthenticated VPN 0-day exploit. Given the widespread use of VPNs, particularly in enterprise settings, such vulnerabilities are cause for concern as they expose sensitive networks to potential compromise. More so when they are reported as being actively exploited in the wild.

Palo Alto Networks' GlobalProtect VPN, a fixture in many corporate environments, has been identified as the target of this vulnerability/exploit. In response, Palo Alto has issued a security advisory detailing the affected products and versions, urging organizations to assess their exposure to the threat promptly and apply the patch they created.

With the vulnerability now widely known, the risk of exploitation is heightened, necessitating proactive measures from security professionals, including CISOs. The imperative for organizations lies in promptly applying the provided patches to mitigate the risk posed by this vulnerability.

In their breakdown, Volexity goes over the timeline associated with this vulnerability, which was identified back in March 2024. IOCs are included in the Volexity article, but it is important to note that it's easy to modify scripts to change the file hash associated with them. Volexity provides an excellent technical breakdown in the second half of the article for threat hunters, including adversary behavior.”

Mark Stricker

@maschicago

Attackers are pummeling networks around the world with millions of login attempts by Dan Goodin for Ars Technica

“File this under ‘Simplicity beats complexity.’ Cisco detected huge brute force attacks spraying the entire internet over the last month. What happens when AI improves the targeting and the credentials used in such attacks?”

Mike Polisky

Top MITRE ATT&CK Techniques and How to Defend Against Them by Nate Nelson for Dark Reading

“This article highlights the top five MITRE ATT&CK Techniques from a recent D3 Security Report. One technique stands out more than the rest, and tips for defending against these techniques are included. Look for Splunk-provided detections for these techniques in Splunk Security Essentials.”

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm by Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Luke Jenkins, Dan Perez, Lexie Aytes, Alden Wahlstrom for Mandiant for Google Cloud

“In a new report, Mandiant announced the decision to graduate Sandworm, a group sponsored by Russian military intelligence (GRU), as a named Advanced Persistent Threat: APT44. The report provides additional insights into the group’s operations, including the adoption of criminal tooling and living-off-the-land techniques, along with attacks on Ukrainian critical infrastructure and efforts to influence elections.”
