Previous Security Content Roundups from the Splunk Threat Research Team (STRT)

The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as the Security Content GitHub repository.

This blog provides a roundup of the security content developed by the STRT from the previous quarters, all of which is available today via the Enterprise Security Content Update app.  

Q2 Content Q1 Content Q4 Content Q3 Content

Looking for the latest security content? Head here for the latest Security Content from STRT.

Splunk Security Content: Q2 Roundup

Below you will find a brief table of contents, followed by an overview of the security content developed from May - July 2024.

Adversary Tradecraft Analytic Stories

• Gomir
• AcidPour
• Gozi Malware
• ShrinkLocker

Emerging Threats Analytic Stories

• CrushFTP Vulnerabilities
• Ivanti EPM Vulnerabilities
• MOVEit Transfer Authentication Bypass
• VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Overview: Adversary Tradecraft Analytic Stories

Linux.Gomir is a backdoor malware designed to infiltrate and compromise systems covertly. Linux.Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker, as well as downloading and installing further malicious payloads to facilitate broader cyber-espionage or destructive activities. You can read the Splunk Threat Research Team’s analysis of Linux.Gomir here and find relevant detections in the Gomir analytics story.

AcidPour Wiper is a destructive malware designed to irreversibly delete data from targeted systems, rendering them inoperable. Unlike typical ransomware, AcidPour focuses on data destruction rather than financial gain. It targets critical sectors of the storage media, overwriting files to make recovery nearly impossible. The AcidPour analytics story includes detections to help identify unusual activities that may relate to this threat. To learn more, check out “AcidPour Wiper Malware: Threat Analysis and Detections.”

The Gozi Malware analytics story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat.

The ShrinkLocker analytics story helps identify activities that may be related to ShrinkLocker, a new ransomware that uses Windows BitLocker to encrypt files by creating new boot partitions. It targets non-boot partitions, shrinks them, and creates new boot volumes. Instead of a ransom note, it uses boot partition labels to communicate with victims.

Overview: Emerging Threats Analytic Stories

The CrushFTP Vulnerabilities analytics story helps detect activity related to CVE-2024-4040, a vulnerability in CrushFTP that allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. Check out “Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP” to learn more.

The Ivanti EPM Vulnerabilities analytic story covers vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints.

The MOVEit Transfer Authentication Bypass analytic story addresses CVE-2024-5806, a critical authentication bypass vulnerability in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise.

The VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 analytic story contains security content to help detect activity potentially related to CVE-2024-37085, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the ‘ESX Admins’ group after deletion.

Splunk Security Content: Q1 Roundup

Below you will find a brief table of contents, followed by an overview of all the security content developed from February - April 2024.

Adversary Tradecraft Analytic Stories

• Snake Keylogger
• Office 365 Collection Techniques
• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats
• Phemedrone Stealer

Emerging Threats Analytic Stories

• ConnectWise ScreenConnect Vulnerabilities
• WordPress Vulnerabilities
• JetBrains TeamCity Vulnerabilities
• APT29 Diplomatic Deceptions with WINELOADER
• Outlook RCE CVE-2024-21378

Overview: Adversary Tradecraft Analytic Stories

Snake Keylogger is a malware that secretly records infected devices’ keystrokes. You can read the Splunk Threat Research Team’s analysis of Snake Keylogger and find detections in the Snake Keylogger analytic story to search for activities related to:

• Masquerading
• Registry keys used for persistence
• Query Registry
• And more

The Office 365 Collection Techniques analytic story includes detections to monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. To learn more, check out:

• Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard 
• Hunting M365 Invaders: Dissecting Email Collection Techniques

Administrators use Windows AppLocker to specify who is allowed to run particular applications in their organization. This analytic story contains detections for events related to monitoring and managing AppLocker policies, including:

• Unauthorized software installations.
• Enforcing best practices for software usage.
• And more.

Lastly, the Okta Account Takeover analytic story contains detections designed to identify unauthorized access and potential takeover attempts of Okta accounts. The Zscaler Browser Proxy Threats analytic story helps you detect and investigate unusual activities related to Zscaler.

Overview: Emerging Threats Analytic Stories

The Phemedrone Stealer analytic story helps detect activity related to Phemedrone, a sophisticated malware used to steal sensitive data. Check out Unveiling Phemedrone Stealer: Threat Analysis and Detections to learn more.

The JetBrains TeamCity Vulnerabilities analytic story provides content to help defenders detect and respond to activities related to CVE-2024-27198 and CVE-2024-27199, which make it possible for unauthenticated attackers to gain administrative control or execute code remotely on affected TeamCity servers.

For more information on these vulnerabilities and the analytic story created by the Splunk Threat Research Team, read Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199.

In February 2024, Mandiant identified that APT29 was using a backdoor called WINELOADER to target German political parties. To help defenders detect and respond to this threat, the Splunk Threat Research Team created this analytic story. For additional details, check out From Water to Wine: An Analysis of WINELOADER.

The Outlook RCE CVE-2024-21378 analytic story contains security content to help detect activity potentially related to the CVE-2024-21378 vulnerability, which allows attackers to execute code remotely upon successful authentication.

Lastly, this analytic story provides detections related ConnectWise ScreenConnect vulnerabilities, while this analytic story includes detections to help address known vulnerabilities in WordPress plugins and themes.

Splunk Security Content: Q4 Roundup

Below you will find a brief table of contents, followed by an overview of all the security content developed from November 2023 - January 2024. (Prefer a video update? Watch our on-demand Tech Talk “Using the Splunk Threat Research Team’s Latest Security Content.”)

Adversary Tradecraft Analytic Stories

• DarkGate Malware
  
• PlugX
  
• Rhysida Ransomware
  
• Office 365 Account Takeover
  
• Office 365 Persistence Mechanisms
  
• Windows Attack Surface Reduction
  
• Kubernetes Security
  
• Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
  

Emerging Threats Analytic Stories

• SysAid On-Prem Software CVE-2023-47246 Vulnerability
  
• Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
  
• CISA AA23-347A
  
• Ivanti Connect Secure VPN Vulnerabilities
  
• Confluence Data Center and Confluence Server Vulnerabilities
  
• Jenkins Server Vulnerabilities

Overview: Adversary Tradecraft Analytic Stories

DarkGate is a malware that employs multi-stage payloads and leverages obfuscated AutoIt scripting to exfiltrate sensitive data and establish command and control communications. This analytic story includes detections to help uncover and investigate activities that could be indicative of DarkGate’s presence. Check out “Enter The Gates: An Analysis of the DarkGate AutoIt Loader” to learn more.

PlugX, also known as “PlugX RAT” or “Kaba,” is a covert malware that’s known for its ability to elude detection and its association with cyber espionage activities. You can read the Splunk Threat Research Team’s analysis of a specific PlugX variant here and find detections in the PlugX analytic story to search for activities related to:

• Remote desktop protocol
  
• Remote services
  
• Phishing
  
• Masquerading
  
• And more
  

The Rhysida Ransomware analytic story includes detections designed to identify unusual behaviors potentially associated with Rhysidia, a ransomware that stealthily infiltrates systems and employs sophisticated encryption tactics to lock access to critical files and databases.

The Office 365 Account Takeover and Office 365 Persistence Mechanisms analytic stories include detections to monitor for activities and anomalies indicative of potential initial access techniques and persistence techniques within Office 365 environments. These detections can also be used to help detect attacks similar to the recent Midnight Blizzard incident that the Splunk Threat Research Team covered in this blog.

The Windows Attack Surface Reduction (ASR) analytic story contains detections for events related to Windows ASR (a feature of Windows Defender Exploit Guard) that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Learn more about this content in “Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk.”

Lastly, the team created two new analytic stories to help detect tactics and techniques adversaries may use in an effort to exploit Kubernetes environments: the Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring and Kubernetes Security analytic stories.

Overview: Emerging Threats Analytic Stories

In November, CVE-2023-47246 was identified to affect on-premise versions of SysAid prior to 23.3.36. The Splunk Threat Research Team tagged detections into a new SysAid On-Prem Software CVE-2023-47246 Vulnerability analytic story to support the identification of initial access and some post-exploitation activities.

Additionally, the team created the CISA AA23-347A analytic story to help detect and investigate activities that may be related to cyber tactics and techniques employed by Russia’s Foreign Intelligence Service (SVR). 

January saw the creation of three new analytic stories related to newly-identified exploits. First, the Ivanti Connect Secure VPN Vulnerabilities analytic story includes analytics and hunting queries to support defenders against CVE-2023-46805 (an authentication-bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability). 

Next, the Confluence Data Center and Confluence Server Vulnerabilities analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server, such as CVE-2023-22527. 

Lastly, the Jenkins Server Vulnerabilities analytic story includes detections to help defend against Jenkins server vulnerabilities, including CVE-2024-2389. 

To learn more about these vulnerabilities and detection content, check out the following blogs:

• Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
  
• Security Insights: Tracking Confluence CVE-2023-22527
  
• Security Insights: Jenkins CVE-2024-23897 RCE
  

Splunk Security Content: Q3 Roundup

Below you will find an overview of all the security content developed from August-October 2023. Here's a brief table of contents:  

Adversary Tradecraft Analytic Stories

• NjRAT
• Warzone RAT
  
• Flax Typhoon
  
• Forest Blizzard
  
• Subvert Trust Controls SIP and Trust Provider Hijacking

Emerging Threats Analytic Stories 

• Citrix ShareFile RCE CVE-2023-24489
  
• CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
  
• F5 Authentication Bypass with TMUI
  
• Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
  
• Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 & CVE-2023-26360
  
• Ivanti Sentry Authentication Bypass CVE-2023-38035
  
• WS FTP Server Critical Vulnerabilities
  
• Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
  
• Cisco IOS XE Software Web Management User Interface vulnerability
  
• Ivanti EPMM Remote Unauthenticated Access
  
• Windows Error Reporting Service Elevation of Privilege Vulnerability
  
• Juniper JunOS Remote Code Execution
  
• JetBrains TeamCity Unauthenticated RCE

Adversary Tradecraft Analytic Stories

NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT’s presence. Check out More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities to learn more!

The Ave Maria RAT, also known as “Warzone RAT,” is a malware that gains unauthorized access or remote control over a victim’s or targeted computer system. You can read the STRT analysis of the Warzone RAT and find detections in the Warzon RAT analytic story to search for activities related to:

• Suspicious process execution
• Command-line activity
• And more
  

In August, a new nation-state activity group was identified. Tracked as Flax Typhoon, based in China, the group is targeting dozens of organizations in Taiwan. The Flax Typhoon analytic story released by STRT helps identify the tactics technique and procedures (TTPs) associated with this nation-state group. 

CERT-UA has unveiled a cyberattack on Ukraine’s energy infrastructure, orchestrated via deceptive emails. In September, the STRT team released the Forest Blizzard analytic story to identify these emails - which once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. This activity has been purportedly linked to APT28 or Fancy Bear -  linked to Russia’s GRU.

Learn more about Forest Blizzard: Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs.

Lastly, adversaries may tamper with Subject Interface Packages (SIPs) and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In October, we released Subvert Trust Controls SIP and Trust Provider Hijacking analytic story to detect and defend against provider hijacking. 

Emerging Threats Analytic Stories 

A critical vulnerability was discovered in ShareFile’s Storage Zones Controller software (CVE-2023-24489). The STRT team released the Citrix ShareFile RCE CVE-2023-24489 analytic story to address this vulnerability.

CVE-2023-22515 was discovered affecting on-premises instances of Confluence Server and Confluence Data Center. The STRT released Privilege Escalation Vulnerability Confluence Data Center and Server analytic story to detect activity related to the vulnerability.  

Additionally, CVE-2023-46747 was identified affecting F5’s BIG-IP Virtual Edition, which could allow remote, unauthenticated attackers to execute system commands. F5 Authentication Bypass with TMUI analytic story was created to remediate and detect threats effectively.

In October, CVE-2023-4966 was identified to affect both NetScaler ADC and NetScaler Gateway. The STRT identified that the vulnerability can result in unauthorized data disclosure if exploited and as a result, crafted an analytic story. 

Two vulnerabilities were identified with Adobe ColdFusion, known as CVE-2023-29298 & CVE-2023-26360, which allow attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation.

In August, Ivanti Sentry, which enables remote workers to use any mobile device or PC to securely connect, disclosed two vulnerabilities affecting the Ivanti Sentry administration interface and Endpoint Manager Mobile (EPMM) product. The STRT released Ivanti Sentry Authentication Bypass CVE-2023-38035 and Ivanti EPMM Remote Unauthenticated Access to address these vulnerabilities. 

Progress Software released on September 27th a critical security advisory affecting multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. WS FTP Server Critical Vulnerabilities address both CVE-2023-40044 and CVE-2023-42657. This vulnerability follows an increase in use of file sharing programs for malicious intent, especially following the May 2023 ransomware attack, which utilized the file sharing application, MOVEit. 

Read the blog from STRT highlighting further information about CVE-2023-40044. 

Microsoft SharePoint Server vulnerability CVE-2023-29357, identified in September, allows for an elevation of privilege due to improper handling of authentication tokens. The analytic story, Microsoft SharePoint Server Elevation of Privilege, identifies attempts to exploit this vulnerability.

Cisco identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The Cisco IOS XE Software Web Management User Interface vulnerability analytic story detects activity of  attackers gaining full control of the compromised device and allowing possible subsequent unauthorized activity.

Finally, the STRT team also released:

• Windows Error Reporting Service Elevation of Privilege Vulnerability to address CVE-2023-36874, a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges.

• Juniper JunOS Remote Code Execution to address multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices.

• JetBrains TeamCity Unauthenticated RCE to identify CVE-2023-42793, which affected all versions of TeamCity On-Premises up to 2023.05.3 allowing unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks.

The Latest in Splunk SOAR

Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Investigations with Playbooks to learn how playbooks can perform a general investigation on key aspects of a windows device using windows remote management.

This August also marked the deadline for those in the US Federal Civilian space to meet Enterprise Logging Level 3 requirements as part of the recent M-21-31 OMB Mandate. In light of this, we show how adopting a SOAR Maturity Model can help users meet the technical requirements of the mandate and better align to the MITRE D3FEND framework.

Thanks for reading! Stay tuned to for more Content Updates every quarter.