Staff Picks for Splunk Security Reading April 2023

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. You can check out our previous staff picks here. We hope you enjoy. 

Doug Lhotka 


Large Language Models and Phishing by Bruce Schneier

"When you combine this type of technology with large databases of breached data, phishing is about to get a whole lot worse. Instead of form letters with missing fields or poor grammar, or generic campaigns and easily spotted scams, we will now get highly targeted custom campaigns, including specific details about the individual that lend it credibility. Add in the ability to interact in full conversations and this is going to be a major problem. The challenge for us as security professionals is twofold: how can we automatically detect and identify these types of campaigns upstream and either flag or block them, and second, how can we properly educate the lay public about this capability to help them avoid becoming a victim."

Danny Furtaw

@furtawww / LinkedIn

Exploding USBs used to target journalists in Ecuador by Jurgita Lapienytė

"Remember the Rubber Ducky? Add in some explosives, plug it in and... BOOM! This article details an incident where a USB was used as a means to detonate explosives at a local news station in Ecuador. Authorities found that the actors placed RDX (a type of explosive) inside a launcher capsule in the USB device. Criminal groups are actively devising new methods to cause chaos and commit violence. This proves that cybersecurity goes beyond protecting our data to also protecting our people. While this is an extreme case, it should serve as an example of why we need to remain vigilant when dealing with any unknown or unusual devices, like USBs. Stay safe!"

Zachary Christensen


New ChatGPT4.0 Concerns: A Market for Stolen Premium Accounts by Check Point Team

"Who would have guessed it? Brute-forcing credentials to ChatGPT accounts so you can resell AI-as-a-Service using stolen credit cards. It's no surprise that cybercriminals are taking advantage of those who reuse passwords on multiple platforms. This has led to a rise in account takeover of ChatGPT premium accounts, allowing more cybercrime in selling accounts or AI services. This is also another great reminder to not reuse passwords and to be cautious of advertisements for new AI services."

Lars Wittich


The LockBit ransomware (kinda) comes for macOS by Patrick Wardle

"A seemingly new variant of the LockBit ransomware was analysed, this time featuring macOS as target. It is still not entirely clear how impactful this could potentially be, but this write-up goes into a lot of detail about what it does and what to look out for."

Madeleine Milukas

NIST Small Business Cybersecurity Corner from NIST

"While it’s fun to work with well-staffed security operations teams that use the latest, greatest products, most days I work with small- to medium-sized businesses as well. Many of them don’t have a full-blown SOC, but instead have a single “Security Person” or even an IT Team that’s also responsible for Security. I love working with these smaller companies, but I’ve noticed how overwhelming it can be for them, considering the wealth of security-oriented information out there. This may be old news for some of you, but I found NIST’s Small Business Security Corner through last month’s NIST Small Business Cybersecurity Community of Interest (COI) announcement, and my mind went straight to how relevant this information would be to the teams I work with every day! The page includes planning tools, workbooks, a glossary, helpful guides by topic, and training videos. It’s a great resource for any business just starting to improve its security posture, and it’d also be valuable for someone new to the security analyst role in general (by way of career change, internship, etc.). Even a seasoned veteran could benefit from browsing through the content, if only to brush up on security-oriented topics and best practices."

James Hodgkinson

We put GPT-4 in Semgrep to point out false positives & fix code by Bence Nagy for Semgrep

"This is a great example of how LLMs can make for better outcomes in the DevSecOps arena. The first question I'm always asked about security scanning and automated tools is 'how actionable are the outputs?' The answer's normally 'not great, without trained security professionals and dedicated staff.' It looks like this could be rapidly changing with LLMs providing an interpretation of the problems and good first-attempt contextual suggestions for changes. I'm excited to see where this goes, but remember - nothing beats good testing!"

Ronald Beiboer


FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks by Ravie Lakshmanan for The Hacker News

"Old acquaintances reappear and collaborate in the act of stealing your data while simultaneously encrypting it using multi-stage malware attacks."

Sydney Howard


Living Off the Orchard: macOS Binaries (LOOBins) by Brendan Chamberlain

"Alongside the recent releases of new tool repositories (such as LOLDrivers), we welcome Living Off the Orchard: macOS Binaries (LOOBins)! What makes LOOBins unique is that it focuses only on binaries on macOS and how these can be used for malicious purposes. It does not include overlapping Unix binaries that are detailed in GTFOBins. This can be incredibly useful as you are investigating your macOS environments. This is a brand new repository but something that should be bookmarked! Happy hunting!"

Damien Weiss


The weird world of Windows file paths by Erik Jälevik

"As a UNIX snob, I have thought about the relative simplicity of UNIX paths and compared them with the needlessly complicated paths that Microsoft has thrust on the world, and have wondered 'why?' more times than I can count. That being said, a foundational knowledge of the rules and exceptions of Windows paths is necessary for threat hunters and red teamers alike. For instance, did you know that you can't name a file PRN on a Windows machine? Seriously, try it. Thankfully, Erik Jälevik has documented this strange world for us."
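The PRN rule Damien mentions is one instance of the Win32 reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), and the parsing quirks around it matter when you normalise paths from Windows logs: the comparison is case-insensitive, anything after the first dot is ignored (so `prn.txt` is still PRN), and the `\\?\` prefix hands the path to the NT namespace verbatim, which is how a file literally named PRN can end up on disk. The following checker is an added example written for this post, not code from Erik Jälevik's article; the function name and the sample paths are assumptions for illustration.

```python
"""Flag Win32 reserved DOS device names inside a path.

Added example, not from the linked article. The reserved-name list is the
classic Win32 set; the sample paths in main() are constructed for the demo.
"""
import re
from typing import Optional

# Classic Win32 reserved device names, compared case-insensitively.
# COM0 and LPT0 are not reserved.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Paths with this prefix bypass Win32 path parsing and go straight to the
# NT object manager, so the reserved-name rule does not apply to them.
_EXTENDED_PREFIX = "\\\\?\\"


def reserved_device_name(path: str) -> Optional[str]:
    """Return the reserved device name a path component collides with, or None.

    Every component is checked (a directory named PRN is just as impossible as
    a file named PRN). For each component the part before the first '.' is
    taken, trailing spaces and dots are stripped, and the result is compared
    case-insensitively against the reserved set.
    """
    if path.startswith(_EXTENDED_PREFIX):
        return None
    for component in re.split(r"[\\/]+", path):
        base = component.split(".", 1)[0].rstrip(" .").upper()
        if base in _RESERVED:
            return base
    return None


def main() -> None:
    # Constructed sample paths, as they might appear in process-creation logs.
    samples = [
        r"C:\Users\bob\Desktop\PRN",          # bare reserved name
        r"C:\Temp\prn.txt",                   # extension does not help
        r"C:\Temp\com1.log.bak",              # only the part before the first dot counts
        r"C:\Temp\COM0",                      # COM0 is not reserved
        r"C:\Temp\printer.txt",               # prefix match is not enough
        r"\\?\C:\Temp\PRN",                   # extended-length prefix bypasses the rule
        "C:/Temp/nul",                        # forward slashes are accepted by Win32 too
    ]
    for p in samples:
        print(f"{p!r:40} -> {reserved_device_name(p)}")


if __name__ == "__main__":
    main()
```

A hunting note: a `\\?\` path in a process command line or file-create event deserves a second look precisely because it is the documented way to create or open names that normal tooling cannot handle.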

Kassandra Murphy

Cyber Threat Intelligence: The Power of Data by Ed Cabrera for Trend Micro

"The number of customers I work with who still aren’t leveraging the power of threat intelligence is diminishing, but they certainly still exist. With that, this article describes how bringing in threat intelligence data can benefit and enhance an organization’s overall security posture. Some of the benefits include risk management and compliance, cybersecurity defense and incident response, as well as some lesser known benefits like increasing your competitive advantage differentiation and improving CxO-level briefings."

Chris Perkins


The Future State: Data in SLED by Chris Perkins

"In this blog, I take a brief trip back in history and talk about the future of data in State, Local Government and Education organizations."

Audra Streetman

@audrastreetman

Hacker Group Names Are Now Absurdly Out of Control by Andy Greenberg for WIRED

"In this article, Andy Greenberg takes aim at threat actor naming conventions that feature descriptive animal names like 'Charming Kitten' or 'Fancy Bear.' It comes after Microsoft announced a new taxonomy with a weather theme. Attribution using so-called 'pet names' can trivialize the serious implications of cyberattacks. It's an easy criticism to make. More difficult, however, is finding a solution for organizing emerging and evolving threat groups into systems for analysts to effectively track and compare. Even more difficult (and unlikely) is a naming convention that's universally adopted, because organizations that track these groups have different visibility into their infrastructure and behaviors. For example, one company may track an activity group that another company clusters as two separate activity groups. From a reporting perspective, descriptive names are more memorable than 'Group 86.' I'm not sure of the right answer, other than to acknowledge that threat intelligence collection and attribution is a highly nuanced and complex process."

Audra Streetman is a member of SURGe, Splunk's security research team. Before arriving at Splunk, Audra worked as a reporter, producer and anchor at local TV stations in Indiana, California, Kentucky and Colorado. As a journalist, she covered several major cybersecurity stories including SolarWinds and ransomware attacks targeting Colonial Pipeline, JBS and Kaseya. In her free time, she enjoys hiking and skiing in the Colorado Rockies.
