Staff Picks for Splunk Security Reading November 2021

Hello everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read.

Check out our monthly staff security picks and our all-time best picks for security books and articles. We hope you enjoy.

John Stoner

@stonerpsu

Evolving trends in Iranian threat actor activity – MSTIC presentation at CYBERWARCON 2021

“Last week, I was fortunate to attend CYBERWARCON and hear some great talks by a number of speakers on numerous threats that organizations are researching across the globe. While presentations and videos have not been posted, I came across this blog that the MSTIC team at Microsoft published that provides a synopsis of the talk they gave and I felt like it was a good way to give you a taste of the kind of content presented at CYBERWARCON and the talk the team gave. The MSTIC team presented on Iranian Threat Activity and a series of ransomware they have deployed, and more specifically on a campaign they call Phosphorus. Phosphorus targeted Fortinet SSL VPNs and Exchange servers. When you read the blog, it is interesting to note that the adversary functions like a persistent threat actor would in their process. Post-compromise, they determined the systems that aligned with their goals and established admin accounts on the systems. For their encryption they used BitLocker. Possibly the most interesting piece of this entire operation though is the level of effort taken to gain initial access to the victim systems and the social engineering. You can read about it in the blog, but it is all about gaining trust, either at a personal level or through the guise of interview questions, and exceedingly helpful technical support to harvest credentials.”

Haylee Mills

@7thdrxn

Lamboozling Attackers: A New Generation of Deception by Kelly Shortridge (@swagitda_) & Ryan Petrich (@rpetrich)

"Kelly's Security Chaos Engineering is one of my favorite books; she always seems to be ideating new paths forward for security and this article with Ryan Petrich is no different. The idea is to move from honeypots to honeyhives/replicombs, which are far more convincing deception environments simulating and replaying scrubbed production data that only spin up and utilize resources when an attack begins. This mature deception is more likely to gain insight into attacker TTPs as they are presented with a more convincing production environment. Excited to see folks take this idea and run with it!"

Tamara Chacon

@holly1g0lightly

The Booming Underground Market for Bots That Steal Your 2FA Codes by Joseph Cox (@josephfcox) at VICE Motherboard

“When you wait for an MFA code to come through to your phone, do you ever wonder if it's legitimate? This is what the article from VICE Motherboard is all about. There is now a market for bots that steal 2FA codes. The hacker that struggled with social engineering now has a new tool to overcome some of that.”

Audra Streetman

@audrastreetman

Tardigrade: An APT attack on vaccine manufacturing infrastructure by Callie Churchwell, Charles Fracchia, and Ed Chung, MD at BioBright

“On Nov. 22, the Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, released an advisory regarding an APT attack on the bioeconomy named Tardigrade. The ransomware was first discovered this past spring inside the systems of a biomanufacturing facility. Researchers say espionage, disruption, and destruction appear to be the primary motive. The sophisticated malware is able to ‘adapt to its environment, conceal itself, and even operate autonomously when cut off from its command and control server,’ WIRED reports. BIO-ISAC expedited public disclosure after the Tardigrade malware was found inside a second facility in October. Security researchers say biomanufacturing sites and their partners should assume they are targets for this attack.”
