Staff Picks for Splunk Security Reading February 2024

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Shannon Davis

@DrShannon2000

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity by Andy Greenberg for WIRED

"Adapted from ‘Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency,’ this article paints a great picture of research by Sarah Meiklejohn and others to trace Bitcoin transactions. This type of research reminds me of the work we try to undertake within SURGe. That is, taking a very large dataset, in this case the entire Bitcoin blockchain at the time, and then applying analysis techniques to uncover things such as which wallets were owned by the same person or company, who was transacting with whom, and even tracing the flow of coins through tumbler services."
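The clustering technique the pick refers to is the common-input-ownership heuristic: when one transaction spends several inputs, every input address is assumed to belong to the same entity, because each input had to be signed with its own private key. The script below is an added illustration written for this page, not code from the WIRED article, the book, or Meiklejohn's research. It runs the heuristic over a handful of constructed toy transactions with a union-find structure, skips CoinJoin-shaped transactions (which deliberately break the assumption) using a simple assumed filter, and traces coin flow forward from an address; the address labels, amounts and the CoinJoin filter are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed toy transactions (not real blockchain data):
# (txid, input addresses, [(output address, amount in satoshis), ...])
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], [("B1", 150_000)]),
    ("tx2", ["A2", "A3"], [("C1", 90_000), ("A4", 10_000)]),
    ("tx3", ["B1"], [("D1", 149_000)]),
    ("tx4", ["E1"], [("F1", 50_000), ("F2", 50_000)]),
    ("tx5", ["F1", "E2"], [("G1", 99_000)]),
    # CoinJoin-like: several unrelated spenders, equal-sized outputs.
    ("tx6", ["A1", "E1", "X1", "X2"],
     [("J1", 40_000), ("J2", 40_000), ("J3", 40_000), ("J4", 40_000)]),
]


class UnionFind:
    """Disjoint-set forest keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def is_probable_coinjoin(inputs, outputs, min_parties=3):
    """Assumed filter for this example (not a production rule): a tx with at
    least `min_parties` inputs and at least `min_parties` outputs of identical
    value looks like a CoinJoin, so its inputs must not be merged."""
    if len(inputs) < min_parties:
        return False
    counts = defaultdict(int)
    for _, amount in outputs:
        counts[amount] += 1
    return max(counts.values(), default=0) >= min_parties


def cluster_addresses(txs):
    """Apply the common-input-ownership heuristic to every non-CoinJoin tx.
    Returns {representative address: sorted list of clustered addresses}."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        if is_probable_coinjoin(inputs, outputs):
            continue
        for addr in inputs:
            uf.union(inputs[0], addr)
        # Output addresses are NOT merged: this heuristic says nothing about
        # who receives coins (that is the separate change-address heuristic).
    clusters = defaultdict(set)
    for addr in uf.parent:
        clusters[uf.find(addr)].add(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def same_owner(txs, a, b):
    """True if the heuristic puts addresses a and b in one entity cluster."""
    for members in cluster_addresses(txs).values():
        if a in members:
            return b in members
    return False


def trace_forward(txs, start):
    """Addresses reachable from `start` by following every spend forward.
    CoinJoin-like txs are kept here on purpose: coins really do pass through
    them, which is exactly why mixers blur this kind of trace."""
    seen, frontier = set(), [start]
    while frontier:
        addr = frontier.pop()
        for _, inputs, outputs in txs:
            if addr in inputs:
                for out_addr, _ in outputs:
                    if out_addr not in seen and out_addr != start:
                        seen.add(out_addr)
                        frontier.append(out_addr)
    return seen


if __name__ == "__main__":
    for root, members in cluster_addresses(SAMPLE_TXS).items():
        print(f"entity {root}: {members}")
    print("reachable from A1:", sorted(trace_forward(SAMPLE_TXS, "A1")))
```

On the toy data, A1, A2 and A3 collapse into one entity because tx1 and tx2 share the input A2, while the CoinJoin-shaped tx6 is ignored, so A1 and E1 stay separate; the forward trace from A1 still passes through tx6, which is the point the pick makes about tumblers.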

Ronald Beiboer

LinkedIn

Law enforcement seizes top ransomware gang's website by Sam Sabin for Axios

"It took some time, but law enforcement is really making an impact on global cyber crime lately!"

Brandon Sternfield

@TheLawsOfChaos

Introducing Sudo for Windows! by Jordi Adoumie

"Microsoft's introduction of 'sudo' for Windows strengthens security measures by offering users fine-grained control over system access, addressing vulnerabilities, and aligning Windows environments with Unix-like security practices. Here's hoping the Splunk Threat Research Team is ready for this to be rolled out!"

Richard Marsh

LinkedIn

Leaked files from Chinese firm show vast international hacking effort by Christian Shepherd, Cate Cadell, Ellen Nakashima, Joseph Menn, Aaron Schaffer for The Washington Post

"On February 16, 2024, something big happened on GitHub. A mass of files were leaked from a Chinese state-linked hacking group. This dump is still being analyzed by security researchers, but what we know so far is wrapped up nicely by the Washington Post in this article. This leak provides insight into hacking group operations, rivalries, and tools/techniques within these groups. Over the coming weeks, researchers will continue sharing their findings online. Blue teams around the world have an amazing opportunity to increase defenses against these specific tactics, techniques, and procedures that were leaked."

Allison Gallo

LinkedIn

Royal ransomware: a threat actor you should know by Christine Barry for Barracuda Networks

"Just when you thought Conti was gone, they regroup! Like the mythical hydra, ransomware groups tend to come back with a vengeance. Royal Hacking Group started out targeting organizations in the healthcare industry, but have since expanded to target other sectors. They were behind the attack on the city of Dallas, TX in May of 2023, which disrupted city services and resulted in 1TB of data exfiltrated. They use an interesting technique called partial encryption which can evade detections and can be difficult to recover from without the decryption key. Check out the CISA page for more info and IOCs."

Michael Haag

@M_haggis

Diving Into Glupteba's UEFI Bootkit by Lior Rochberger and Dan Yashnik for Unit 42

"I found the deep dive into the Glupteba bootkit fascinating because it highlights a part of cybersecurity that often doesn't get enough attention. Over the past year, the rise in bootkits signals a potential shift in how attackers operate, moving from traditional malicious software to focusing on persistence through the bootloader. This change in tactic is worrying because bootkits are harder to detect and remove, making them a more potent threat. The article's exploration of Glupteba not only showcases the complexity and stealthiness of these threats but also serves as a wake-up call to the cybersecurity community."

Mark Stricker

@maschicago

LLM Agents can Autonomously Hack Websites by Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, Daniel Kang

"Interesting work on the use of LLM agents to hack websites, find vulnerabilities, exploit vulnerabilities and extract data. Obviously, the reverse is true – we could use agents like this to scan our systems for vulnerabilities and patch or mitigate them. It's a brave new world out there!"

Audra Streetman

@audrastreetman / @audrastreetman@infosec.exchange

Dragos 2023 OT Cybersecurity Year in Review by Dragos, Inc.

"There are a number of interesting findings in Dragos's annual Year in Review report, including a nearly 50 percent increase in observed ransomware attacks targeting industrial networks in 2023 compared to 2022. Madeleine Tauber and I recently interviewed Dragos CEO Rob Lee about the report in an upcoming episode of The Security Detail, which comes out on March 13. We discuss threat groups known to target the electric sector, including Volt Typhoon and Sandworm, along with ICS-tailored malware like Pipedream, CrashOverride/Industroyer, and BlackEnergy."
