The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as the Security Content GitHub repository.
This blog provides a roundup of the security content developed by the STRT from the previous quarters, all of which is available today via the Enterprise Security Content Update app.
Looking for the latest security content? We've got you covered!
Below you will find an overview of all the security content developed from August-October 2023. Here's a brief table of contents:
NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT’s presence. Check out More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities to learn more!
The Ave Maria RAT, also known as "Warzone RAT," is malware that gains unauthorized access to, or remote control over, a victim's computer system. You can read the STRT analysis of the Warzone RAT and find detections in the Warzone RAT analytic story to search for activities related to:
In August, a new nation-state activity group was identified. Tracked as Flax Typhoon and based in China, the group is targeting dozens of organizations in Taiwan. The Flax Typhoon analytic story released by the STRT helps identify the tactics, techniques, and procedures (TTPs) associated with this nation-state group.
CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. In September, the STRT released the Forest Blizzard analytic story to identify these emails, which, once opened, lead to a multi-stage cyber operation that downloads and executes malicious payloads. This activity has been purportedly linked to APT28 (Fancy Bear), which is in turn linked to Russia's GRU.
Learn more about Forest Blizzard: Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs.
Lastly, adversaries may tamper with Subject Interface Packages (SIPs) and trust provider components to mislead the operating system and application control tools when they perform signature validation checks. In October, we released the Subvert Trust Controls SIP and Trust Provider Hijacking analytic story to detect and defend against provider hijacking.
A critical vulnerability was discovered in ShareFile’s Storage Zones Controller software (CVE-2023-24489). The STRT team released the Citrix ShareFile RCE CVE-2023-24489 analytic story to address this vulnerability.
CVE-2023-22515 was discovered affecting on-premises instances of Confluence Server and Confluence Data Center. The STRT released Privilege Escalation Vulnerability Confluence Data Center and Server analytic story to detect activity related to the vulnerability.
Additionally, CVE-2023-46747 was identified affecting F5's BIG-IP Virtual Edition, which could allow remote, unauthenticated attackers to execute system commands. The F5 Authentication Bypass with TMUI analytic story was created to detect and remediate this threat effectively.
In October, CVE-2023-4966 was identified to affect both NetScaler ADC and NetScaler Gateway. The STRT identified that the vulnerability can result in unauthorized data disclosure if exploited and as a result, crafted an analytic story.
Two vulnerabilities were identified with Adobe ColdFusion, known as CVE-2023-29298 & CVE-2023-26360, which allow attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation.
In August, Ivanti Sentry, which enables remote workers to use any mobile device or PC to securely connect, disclosed two vulnerabilities affecting the Ivanti Sentry administration interface and Endpoint Manager Mobile (EPMM) product. The STRT released Ivanti Sentry Authentication Bypass CVE-2023-38035 and Ivanti EPMM Remote Unauthenticated Access to address these vulnerabilities.
On September 27th, Progress Software released a critical security advisory covering multiple vulnerabilities in WS_FTP Server, a widely used secure file transfer solution. The WS FTP Server Critical Vulnerabilities analytic story addresses both CVE-2023-40044 and CVE-2023-42657. These vulnerabilities follow an increase in the malicious use of file sharing programs, especially since the May 2023 ransomware attack that exploited the MOVEit file sharing application.
Read the blog from STRT highlighting further information about CVE-2023-40044.
Microsoft SharePoint Server vulnerability CVE-2023-29357, identified in September, allows for an elevation of privilege due to improper handling of authentication tokens. The analytic story, Microsoft SharePoint Server Elevation of Privilege, identifies attempts to exploit this vulnerability.
Cisco identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The Cisco IOS XE Software Web Management User Interface vulnerability analytic story detects activity of attackers gaining full control of the compromised device and allowing possible subsequent unauthorized activity.
Finally, the STRT team also released:
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Investigations with Playbooks to learn how playbooks can perform a general investigation of key aspects of a Windows device using Windows Remote Management.
This August also marked the deadline for those in the US Federal Civilian space to meet Enterprise Logging Level 3 requirements as part of the recent M-21-31 OMB Mandate. In light of this, we show how adopting a SOAR Maturity Model can help users meet the technical requirements of the mandate and better align to the MITRE D3FEND framework.
Below you will find an overview of all the security content developed from May-July 2023.
Amadey malware is a botnet that is offered as Malware as a Service (MaaS) and distributes malware such as RedLine Stealer. You can read the STRT analysis of Amadey and find detections in the Amadey analytic story to search for activities related to the malware.
In May, The DFIR Report released information on a destructive malware campaign that utilizes Truebot, FlawedGrace and MBR killer malware. The STRT developed the Graceful Wipe Out Attack analytic story to detect and investigate unusual activities related to the campaign.
Vulnerabilities within Active Directory can provide a number of attack paths for attackers. Privilege escalation attacks in Active Directory (AD) typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages AD. Security teams should monitor for privilege escalation attacks in Active Directory to identify breaches before attackers achieve operational success. The Azure Active Directory Privilege Escalation and Active Directory Privilege Escalation analytic stories provide detections to monitor for activities and techniques associated with privilege escalation attacks within Active Directory tenants.
Earlier this year BlackLotus, a UEFI bootkit, was reported for bypassing Secure Boot on Windows 11 systems. The STRT developed the Windows BootKits analytic story to detect and defend against bootkit attacks.
RedLine Stealer malware was making headlines in May for being delivered through display ads and Google Chrome extensions. The STRT provided an analysis of RedLine Stealer in this blog and developed the related analytic story for detecting and investigating unusual activities that can be related to the RedLine Stealer trojan.
CVE-2023-20887 was released in early June for a critical vulnerability impacting VMware Aria Operations for Networks, formerly vRealize Network Insight. To help defend against this vulnerability, the STRT developed an analytic story to detect potential exploitation attempts that align with the characteristics of CVE-2023-20887.
In early June, a critical zero-day vulnerability was discovered in the MOVEit Transfer file transfer software and tracked as CVE-2023-34362. The Windows MOVEit Transfer Writing ASPX detection looks for the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory, an activity indicative of exploitation of the MOVEit Transfer vulnerability.
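The following added example (written for this roundup, not the STRT's own search) reproduces the detection logic described above over constructed Sysmon-style FileCreate events: it flags any file with an .aspx extension written beneath the MOVEit Transfer wwwroot directory, compares paths case-insensitively as NTFS does, and lets you widen the extension list to other IIS handler types. The install path and field names are assumptions.

```python
"""Added example: detect new ASPX files under the MOVEit Transfer wwwroot.

Events are constructed here to resemble Sysmon Event ID 11 (FileCreate);
the field names and the install path are assumptions, not Splunk's search.
"""
from pathlib import PureWindowsPath

# Assumed default install location; adjust to the local deployment.
MOVEIT_WWWROOT = PureWindowsPath(r"C:\MOVEitTransfer\wwwroot")

# ASPX is what the detection above targets; callers may extend this set.
DEFAULT_EXTENSIONS = {".aspx"}

SAMPLE_EVENTS = [  # constructed FileCreate events
    {"host": "moveit01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\upload1.aspx"},
    {"host": "moveit01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\images\logo.png"},
    # Mixed case and a sub-folder: still inside wwwroot on NTFS.
    {"host": "moveit01", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\MOVEITTRANSFER\WWWROOT\Sub\Update.ASPX"},
    # An ASPX file on an unrelated IIS site: not a MOVEit finding.
    {"host": "web02", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\index.aspx"},
]


def is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """True if path lies strictly below parent, ignoring case (NTFS semantics)."""
    child_parts = [p.lower() for p in path.parts]
    parent_parts = [p.lower() for p in parent.parts]
    return (len(child_parts) > len(parent_parts)
            and child_parts[:len(parent_parts)] == parent_parts)


def detect_moveit_aspx_writes(events, wwwroot=MOVEIT_WWWROOT,
                              extensions=DEFAULT_EXTENSIONS):
    """Return one finding per file-create event that matches the rule."""
    findings = []
    for ev in events:
        target = PureWindowsPath(ev.get("TargetFilename", ""))
        if target.suffix.lower() in extensions and is_under(target, wwwroot):
            findings.append({
                "host": ev.get("host"),
                "file": str(target),
                "writer": ev.get("Image"),
            })
    return findings


if __name__ == "__main__":
    for f in detect_moveit_aspx_writes(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']}: {f['writer']} wrote {f['file']}")
```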
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored cyber actor whose recent activity resulted in a joint Cybersecurity Advisory. The Splunk Threat Research Team developed the Volt Typhoon analytic story with detections to look for suspicious process execution, LOLBin execution, command-line activity and more associated activities that the Volt Typhoon group can use to target critical infrastructure organizations.
CVE-2023-27350 is an authentication bypass vulnerability in the PaperCut NG print management software for which the FBI and CISA issued a joint advisory. The STRT created a blog highlighting information about the vulnerability as well as a corresponding analytic story for defenders to detect associated exploitation attempts and known indicators of compromise.
The Snake implant is a highly advanced cyber espionage tool, developed and employed by Russia's Federal Security Service's (FSB) Center 16 for persistent intelligence gathering on important targets, and it has been identified in over 50 countries. The Splunk Threat Research Team utilized ChatGPT to develop Atomic Simulations and subsequent detections for activities related to Snake malware.
Splunk developed a deep learning based detection that monitors your DNS traffic looking for signs of low throughput DNS exfiltration. The detection has an accuracy of 99.97% ensuring almost all suspicious DNS exfiltration requests are detected.
Most machine learning models inspect only the latest DNS request, without any context from the communication history between the host and the domain. Instead of a short time window, which may be insufficient for low throughput DNS exfiltration, we consider the recent history of the past 'x' events. The deep learning model not only creates features to represent the current DNS request but also creates aggregated features over that recent history of events.
The model is deployed using the Splunk App for Data Science and Deep Learning (DSDL). You can find further details in the Detect DNS Data Exfiltration Using Deep Learning blog, and the team also recorded an overview of the detection that you can watch here:
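To make the "recent history" idea concrete, here is an added example (not Splunk's model or feature set) that computes per-request subdomain features and then aggregates them over a sliding window of the last x requests from the same source host to the same registered domain. Registered-domain splitting as "last two labels" is a simplification, and the sample queries are constructed.

```python
"""Added example: per-request DNS features plus aggregates over the last
x requests per (source host, registered domain). Not Splunk's own code."""
import hashlib
import math
from collections import defaultdict, deque

WINDOW = 8  # the 'x' recent events the text refers to


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def split_query(qname: str):
    """Assumption: registered domain = last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def request_features(qname: str) -> dict:
    sub, domain = split_query(qname)
    return {"domain": domain, "sub": sub, "sub_len": len(sub),
            "sub_entropy": shannon_entropy(sub),
            "sub_labels": sub.count(".") + 1 if sub else 0}


class HistoryFeaturizer:
    """Keeps a bounded per-(src, domain) history and emits aggregates."""

    def __init__(self, window: int = WINDOW):
        self.hist = defaultdict(lambda: deque(maxlen=window))

    def featurize(self, src: str, qname: str) -> dict:
        f = request_features(qname)
        h = self.hist[(src, f["domain"])]
        h.append(f)
        n = len(h)
        return {**f, "hist_n": n,
                "hist_mean_len": sum(x["sub_len"] for x in h) / n,
                "hist_mean_entropy": sum(x["sub_entropy"] for x in h) / n,
                "hist_unique_subs": len({x["sub"] for x in h}),
                "hist_total_sub_bytes": sum(x["sub_len"] for x in h)}


def summarize(queries, window: int = WINDOW) -> dict:
    """Run the featurizer over (src, qname) pairs; return the last feature
    vector seen for each (src, domain) key."""
    fz = HistoryFeaturizer(window)
    latest = {}
    for src, qname in queries:
        f = fz.featurize(src, qname)
        latest[(src, f["domain"])] = f
    return latest


# Constructed traffic: ordinary lookups, then 8 distinct hex-looking labels
# to one domain, the shape low-throughput exfiltration tends to have.
SAMPLE_QUERIES = [("10.0.0.5", "www.example.com"),
                  ("10.0.0.5", "cdn.example.com"),
                  ("10.0.0.5", "www.example.com")]
SAMPLE_QUERIES += [("10.0.0.5",
                    hashlib.sha256(str(i).encode()).hexdigest()[:40]
                    + ".t.exfil-example.net") for i in range(8)]

if __name__ == "__main__":
    for key, f in summarize(SAMPLE_QUERIES).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v
                    for k, v in f.items() if k.startswith("hist_")})
```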
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog to learn how playbooks can help you to...
Below you will find an overview of all the security content developed from February to April 2023. Principal Threat Researcher Michael Haag also provides an overview of the STRT Q1 content in a Security Tech Talk, which can be viewed here.
AsyncRAT is an open source remote administration tool project on GitHub that has become a popular tool used maliciously by attackers. The Splunk Threat Research Team explored an AsyncRAT OneNote campaign to develop the AsyncRAT analytic story to detect and investigate unusual activities that might be related to the malware. Learn more about AsyncRAT and the OneNote campaign by reading this blog or watching the video.
Earlier this year Winter Vivern was making headlines, and the STRT developed an analytic story to examine multiple timeout executions, scheduled task creations, screenshots, downloading files through PowerShell, and other indicators of activities related to the malware. Watch an overview video of the analytic story below.
The Sandworm Tools analytic story includes detections focused on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction and other indicators related to the Sandworm Team threat group.
Compromised user account attacks occur when cybercriminals gain access to accounts through techniques like brute force, social engineering, phishing and credential stuffing to pose as the real user and access sensitive data or use stolen information to access further accounts within the organization. The Compromised User Account analytic story provides detections to monitor for these types of activities and techniques.
The Splunk Threat Research Team wrote a blog describing common digital certificate abuses and developed the Windows Certificate Services analytic story for detecting certificate services abuse on Windows and defending against adversaries stealing sensitive information. Watch the video below to learn more about defending against certificate services abuses.
Sneaky Active Directory Persistence Tricks are techniques that are still utilized even eight years after they were initially described in a blog by Sean Metcalf. These techniques abuse legitimate administrative functionality.
The corresponding analytic story developed by the STRT groups detections for techniques described in the original blog as well as other high-impact attacks against Active Directory networks. The team would like to thank Dean Luxton and Steven Dick for contributing detections to this analytic story.
Learn more about Sneaky Active Directory Persistence Tricks in the overview video below.
BishopFox Sliver is an open-source adversary emulation framework that has increasingly been exploited by adversaries for malicious activities. The STRT developed an analytic story to provide visibility into the latest adversary TTPs related to Sliver.
SwiftSlicer wiper is a destructive malware discovered by ESET. The Splunk Threat Research Team (STRT) developed an analytic story to help detect and investigate unusual activities that might be related to the malware. The team also wrote a blog highlighting the team’s analysis, detections, and mitigation measures.
AwfulShred is a malicious Linux shell script designed to corrupt or wipe the targeted Linux system. The STRT provides findings on this destructive payload in:
Fortinet released security updates for its FortiNAC product addressing critical vulnerabilities that may allow unauthenticated attackers to write arbitrary files on the system and, as a result, obtain remote code execution in the context of the root user (Horizon3.ai). The STRT developed the analytic story Fortinet FortiNAC CVE-2022-39952 to help defend against this critical vulnerability.
CVE-2023-21716 is a remote code execution vulnerability in Microsoft Word disclosed in February. The analytic story developed by the STRT provides content to assist organizations in identifying potential RTF (Rich Text Format) RCE abuse on endpoints.
A patch for CVE-2023-23397 was released to address a critical elevation of privilege (EoP) vulnerability impacting Microsoft Outlook for Windows. Detections from the STRT help identify behaviors related to this vulnerability.
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems, known as BlackLotus, was reported by ESET in March. The STRT developed content to aid teams in detecting suspicious bootloaders and understanding the diverse techniques utilized by the BlackLotus campaign.
In March, it was reported that an active intrusion campaign was targeting 3CX software and their customers. The STRT created a blog highlighting information and the corresponding analytic story to equip defenders with the necessary tools and strategies to counteract the campaign.
The Splunk Machine Learning for Security team developed two new detections last quarter. Both detections use a pre-trained deep learning model developed with the Splunk App for Data Science and Deep Learning. The two detections are:
Learn more about the latter detection by watching our on-demand tech talk.
Splunk is pleased to announce the first in a series of Response Packs focused on different use-cases, the first of which focuses on Enrichment. These new response packs feature modular, Lego-like playbooks that operate on different tiers depending on your desired use. Additionally, we have also begun to map our playbooks to MITRE D3FEND techniques where applicable.
The three collections in this pack are:
You can choose to use the Connector-based input playbooks in your own use-cases, or choose to use the Dynamic playbooks that automatically detect artifacts, route them to the Input playbooks, and conclude workbook tasks. Here is a full list of the 10 new playbooks:
Task based playbooks:
Input/output playbooks:
You'll see these playbooks show up if you are running the community repo on versions of SOAR 6.0 and above. Be sure to check out our recent blog on Identifier Reputation Analysis and be on the lookout for new blogs and videos highlighting how these playbooks work over the coming months.
In addition to the security content provided above, the Splunk Threat Research Team developed content related to malicious drivers.
Below you will find an overview of all the security content developed from November 2022 to January 2023. Senior Threat Researcher Michael Haag also provides an overview of the STRT Q4 content in a Security Tech Talk, which can be viewed here.
Last quarter, the team added detections to the Windows post-exploitation analytic story. These detections identify a variety of Windows post-exploitation tools, particularly WinPEAS (local Windows privilege escalation scripts), which are typically used to gain privileges and persistence on Windows endpoints.
The Metasploit framework for penetration testing has been used by both cybercriminals and ethical hackers to identify vulnerabilities on networks and servers. It has become a popular post-exploitation tool for attackers to find and exploit vulnerabilities in networks, so the STRT developed an analytic story with detections that search for Metasploit's default configurations and the behaviors associated with it.
In late 2022, CISA issued a cybersecurity advisory after observing suspected advanced persistent threat (APT) activity from Iranian government-sponsored threat actors who exploited the Log4Shell vulnerability in an unpatched VMware Horizon server and moved laterally to continue their objective. The CISA AA22-320A analytic story provides detections for identifying the TTPs outlined in the CISA advisory.
The STRT released an analytic story encompassing a suite of products, beginning with Ngrok, that are classified as Reverse Network Proxies. These utilities allow for an adversary to create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.
In response to a reported 131% increase in account takeover attacks in the first half of 2022, the STRT developed an analytic story for detecting GCP account takeover, as well as a blog with further details on detecting cloud account takeover in Azure Active Directory and AWS in addition to Google Cloud.
In response to a report from Microsoft noting that attackers are increasingly leveraging Internet Information Services (IIS) modules, the STRT developed the IIS Components analytic story and provided further details in the blog "Fantastic IIS Modules and How to Find Them" to help defenders identify suspicious and malicious behavior on IIS web servers.
It should be no surprise that the STRT is always monitoring and developing detections for the ever-evolving threats related to ransomware. In Q4, the team focused on developing security content for three particular ransomware groups: LockBit, Prestige and Chaos.
LockBit has been regularly making headlines since 2019, targeting multiple sectors and organizations of all sizes. The STRT recently added new detections to the LockBit analytic story focused on common tradecraft identified during a ransomware investigation regarding LockBit.
Chaos ransomware came on the scene in 2021 and was initially reported as a .NET version of Ryuk ransomware, but on closer inspection the sample reveals that it shares little with the notorious Ryuk ransomware. The STRT has written new content and appended prior content to the ransomware analytic story to help defenders identify this and other ransomware variants.
Prestige ransomware was observed targeting transportation and logistics industries as part of the ongoing Russia-Ukraine war with deployment techniques similar to CaddyWiper and HermeticWiper. Read the Prestige ransomware analytic story for defending against this threat with Splunk.
In late 2022, CVE-2022-42889 (Text4Shell) and CVE-2022-40684 (Fortinet Appliance Authentication Bypass) were published and both scored as critical severity. The Splunk Threat Research Team developed analytic stories for each.
Text4Shell (CVE-2022-42889) is a critical vulnerability in the Apache Commons Text library. Apache Commons Text is a Java library described as "a library focused on algorithms working on strings," and can be considered a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. The default interpolator allows string lookups that can lead to remote code execution, because of a logic flaw that makes the script, DNS, and URL lookup keys interpolated by default. Those keys allow an attacker to execute arbitrary code via lookups on untrusted input.
Fortinet Appliance Authentication Bypass (CVE-2022-40684) was issued after Fortinet patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager products. FortiOS exposes a management web portal that allows a user to configure the system. Additionally, a user can SSH into the system, which exposes a locked-down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system, including changing network configurations, adding new users, and initiating packet captures.
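As an added, defender-side illustration of the Text4Shell mechanism above (not the STRT's detection), the following Python scans web access log lines for the three lookup prefixes that the default interpolator resolves, script, dns and url, after URL-decoding the request target until it stops changing so that double-encoded input is not missed. The log lines are constructed and carry only benign lookup bodies.

```python
"""Added example: flag Text4Shell-style lookup prefixes in access logs.

Only requests whose decoded target contains ${script: / ${dns: / ${url:
are reported; these are the keys the text says are interpolated by default.
Constructed sample lines; field layout follows the common/combined log format.
"""
import re
from urllib.parse import unquote

# Case-insensitive, tolerant of whitespace between "${" and the key.
LOOKUP_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed; bodies are harmless placeholders
    '203.0.113.7 - - [18/Oct/2022:10:00:01 +0000] '
    '"GET /search?q=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 200 512',
    # Double URL-encoded variant of a dns lookup.
    '198.51.100.3 - - [18/Oct/2022:10:00:02 +0000] '
    '"GET /search?q=%2524%257Bdns%253Aaddress%257Cexample.com%257D HTTP/1.1" 200 301',
    '192.0.2.10 - - [18/Oct/2022:10:00:03 +0000] '
    '"GET /search?q=hello%20world HTTP/1.1" 200 120',
    # POST bodies are not in access logs; body inspection needs a WAF/app log.
    '192.0.2.11 - - [18/Oct/2022:10:00:04 +0000] '
    '"POST /api/template HTTP/1.1" 200 88',
]


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2524 -> %24 -> $ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_text4shell_lookups(lines):
    """Return a finding per log line whose decoded target carries a lookup key."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = fully_decode(m["target"])
        keys = sorted({k.lower() for k in LOOKUP_RE.findall(decoded)})
        if keys:
            findings.append({"src": m["ip"], "ts": m["ts"], "status": m["status"],
                             "keys": keys, "target": decoded})
    return findings


if __name__ == "__main__":
    for f in find_text4shell_lookups(SAMPLE_LOG):
        print(f"[ALERT] {f['src']} keys={f['keys']} status={f['status']} {f['target']}")
```

Headers such as User-Agent are also interpolation candidates when an application feeds them to StringSubstitutor, so a production rule should decode and scan those fields too.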
In addition to the analytic stories and blogs provided above, the Splunk Threat Research Team wrote a number of blogs in Q4 highlighting other threats and how to defend against them:
A detection that predicts DGA generated domains using a pre-trained Deep Learning (DL) model was also developed by the Splunk Machine Learning for Security team to help customers defend against adversaries using DGA. To learn more about this detection and machine learning in security, join our Tech Talk on May 2nd.
Thanks for reading! Stay tuned for more Content Updates every quarter.