Staff Picks for Splunk Security Reading February 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.

Ryan Kovar

@meansec

51 weeks since my last flight

SIEM rules ignore bulk of MITRE ATT&CK framework, placing risk burden on users by Bradley Barth

We hear "how do I create a detection for everything in the MITRE ATT&CK matrix?" quite often at Splunk. I get it. It makes sense. It's a matrix. It makes you want to fill in boxes with green and red for "done" and "not done" status. But the reality is that ATT&CK was not designed to give you a SIEM detection scavenger hunt. The ATT&CK team designed it to allow for a scientific method of tracking adversary TTPs. It just so happens that SIEM nerds like us can also use it to generate detections for SOME of those TTPs. Full disclosure: I was interviewed for the article, so I obviously have a bias, but take a look and think hard about how you are using MITRE ATT&CK in your organization.

John Stoner

@stonerpsu

Are hotels still a thing?

Sandworm Intrusion Set Campaign Targeting Centreon Systems by ANSSI

Readers of our blog may not be familiar with ANSSI, so in case you are not, allow me to introduce the organization that is bringing you my selection for this month. ANSSI is the acronym for Agence Nationale de la Sécurité des Systèmes d'Information. They describe their role eloquently on their own website in this way: "The role of the National Information Systems Security Agency is to facilitate coordinated, ambitious and proactive consideration of cybersecurity issues in France." At the end of January they produced a report that you may not have seen, which discusses the targeting of Centreon systems by the Sandworm intrusion set. I wasn't familiar with Centreon, but with a little web browsing found that they are an ITOps platform that was founded in France. With all the recent IT monitoring fun many of us have experienced over the past few months, I found it fascinating that another ITOps platform had been targeted prior to 2020. The report (EN / FR) details the webshell and backdoor utilized and their operation, including ties back to the original ESET report that noted the similarities of the backdoor to Industroyer, which was attributed to TeleBots (Sandworm). Most importantly from a defensive side, ANSSI provided a set of recommendations and detections: IOCs for MISP in JSON format, plus the Snort and YARA rules detailed in the report, can all be downloaded for your own use.

Matt Toth

@willhackforfood

Will I get to go to .conf?

B is for Billion, as in 3.27 Billion Stolen Logins by Tara Seals

When a user on a cybercriminal forum posts about a compilation of over 3 billion stolen account logins, it gets an eyebrow raise. The user, Singularity0x01, dropped the COMB (Compilation of Many Breaches) for around $2 US on RaidForums. While the number of accounts included is massive, they appear to have been available on the dark web for some time. This is a good reminder for users to get a password management tool, make sure to use unique passwords for each site or account, and update any that were exposed in breaches.

Damien Weiss

@damienweiss

Am I alone?

DNS Hijacking Attacks on Home Routers in Brazil by Albert Zsigovits

It's always DNS. And this article does nothing to dispel that maxim.

In my red team years, I would go after corporate and government DNS servers to create a joyful army of MitM attacks. Flip all pictures upside down in a browser? Sure. Replace downloads with installers of my own? Don't mind if I do. Run all bank sites through to scrape relevant information? Sure. "But wait, Damien, what about TLS?" Well, my friends, the number of people that actually look for the lock symbol is pretty small...

This mindset is what I present today: websites in Brazil taking advantage of vulnerabilities to log into consumers' wireless routers and change the DNS servers that are being pointed to. Now they're pointing to evil DNS servers, up to no good. Indeed, the article goes on to show that these DNS servers are pointing folks to "bank websites" to harvest credentials. IOCs are in the article.
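A way to check for the hijack Damien describes, as an added example that is not part of the original post or of the article: ask the router's resolver directly (not the OS stub resolver) for the A records of a few bank domains and compare them with the answers of a trusted reference resolver. The bad-resolver addresses below are constructed placeholders from the TEST-NET documentation ranges, not the article's IOCs; Quad9 (9.9.9.9) as the reference resolver and 192.168.0.1 as the router address are assumptions. Two signals are checked: answers that share nothing with the reference, and one IP answering for several unrelated domains, which is the tell of a credential-harvesting farm. Only the standard library is used.

```python
"""Rogue-resolver check: query a DNS server for A records and flag hijacked answers.

Added example, not code from the article or from the original post.
KNOWN_BAD_RESOLVERS holds constructed placeholder IOCs (TEST-NET ranges);
substitute the real IOCs from the article before use.
"""
import random
import socket
import struct

KNOWN_BAD_RESOLVERS = {"198.51.100.53", "203.0.113.53"}  # constructed placeholders


def build_query(name: str, txid: int) -> bytes:
    """Build a DNS query packet: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data: bytes, expected_txid: int) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:  # RCODE other than NOERROR: nothing usable
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def build_response(query: bytes, ips: list, rcode: int = 0) -> bytes:
    """Construct a response to `query` for offline testing; answers point at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + query[12:] + rrs


def resolve_a(name: str, resolver: str, timeout: float = 3.0) -> list:
    """Send the query straight to `resolver` over UDP/53, bypassing the OS stub resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def assess(resolver: str, answers: dict, reference: dict) -> dict:
    """Compare a resolver's answers ({domain: [ip, ...]}) with a trusted resolver's.

    A mismatch alone is weak evidence (CDN-hosted sites legitimately differ by
    resolver); one IP answering for several unrelated domains, or a resolver on
    the bad list, is what marks the resolver as suspect.
    """
    mismatched = sorted(d for d in answers
                        if reference.get(d) and not set(answers[d]) & set(reference[d]))
    seen = {}
    for domain, ips in answers.items():
        for ip in ips:
            seen.setdefault(ip, set()).add(domain)
    shared = {ip: sorted(ds) for ip, ds in seen.items() if len(ds) > 1}
    known_bad = resolver in KNOWN_BAD_RESOLVERS
    return {"resolver_known_bad": known_bad, "mismatched_domains": mismatched,
            "shared_answer_ips": shared, "suspect": known_bad or bool(shared)}


if __name__ == "__main__":
    import sys
    router_dns = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # assumed router address
    domains = ["example.com", "example.net"]  # replace with the bank domains you care about
    mine = {d: resolve_a(d, router_dns) for d in domains}
    ref = {d: resolve_a(d, "9.9.9.9") for d in domains}  # assumed trusted reference resolver
    print(assess(router_dns, mine, ref))
```

Run it as `python check_resolver.py <router-ip>`; a result with `suspect: True` and several bank domains under one entry of `shared_answer_ips` is the pattern the article describes. Because the query goes to the router's resolver directly, the check works even when the victim machine has been pointed at a second rogue resolver by DHCP; repeat it with that address as well.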
