Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read. You can check out our previous staff picks here. We hope you enjoy.
"When you combine this type of technology with large databases of breached data, phishing is about to get a whole lot worse. Instead of form letters with missing fields or poor grammar, or generic campaigns and easily spotted scams, we will not get highly targeted custom campaigns, including specific details about the individual that lent it credibility. Add in the ability to interact in full conversations and this is going to be a major problem. The challenge for us as security professionals is twofold; how can we automatically detect and identify these types of campaigns upstream and either flag or block them, and second, how can we properly educate the lay public about this capability to help them avoid becoming a victim."
"Remember the Rubber Ducky? Add-in some explosives, plug it in and... BOOM! This article details an incident where a USB was used as a means to detonate explosives at a local news station in Ecuador. Authorities found that the actors placed RDX (a type of explosive) inside a launcher capsule in the USB device. Criminal groups are actively devising new methods to cause chaos and commit violence. This proves that cybersecurity goes beyond protecting our data, but also our people. While this is an extreme case, it should serve as an example of why we need to remain vigilant when dealing with any unknown or unusual devices, like USBs. Stay safe!"
"Who would have guessed it? Brute-forcing credentials to ChatGPT accounts so you can resell AI-as-a-Service using stolen credit cards. It's no surprise that cybercriminals are taking advantage of those who reuse passwords on multiple platforms. This has led to a rise in account takeover of ChatGPT premium accounts, allowing more cybercrime in selling accounts or AI services. This is also another great reminder to not reuse passwords and to be cautious of advertisements for new AI services."
"A seemingly new variant of the LockBit ransomware was analysed, this time featuring macOS as target. It is still not entirely clear how impactful this could potentially be, but this write-up goes into a lot of detail about what it does and what to look out for."
"While it’s fun to work with well-staffed security operations teams that use the latest, greatest products, most days I work with small- to medium-sized businesses as well. Many of them don’t have a full-blown SOC, but instead have a single “Security Person” or even an IT Team that’s also responsible for Security. I love working with these smaller companies, but I’ve noticed how overwhelming it can be for them, considering the wealth of security-oriented information out there. This may be old news for some of you, but I found NIST’s Small Business Security Corner through last month’s NIST Small Business Cybersecurity Community of Interest (COI) announcement, and my mind went straight to how relevant this information would be to the teams I work with every day! The page includes planning tools, workbooks, a glossary, helpful guides by topic, and training videos. It’s a great resource for any business just starting to improve its security posture, and it’d also be valuable for someone new to the security analyst role in general (by way of career change, internship, etc.). Even a seasoned veteran could benefit from browsing through the content, if only to brush up on security-oriented topics and best practices."
We put GPT-4 in Semgrep to point out false positives & fix code by Bence Nagy for Semgrep
"This is a great example of how LLM's can make for better outcomes in the DevSecOps arena. The first question I'm always asked about security scanning and automated tools is "how actionable are the outputs?" The answer's normally "not great, without trained security professionals and dedicated staff." It looks like this could be rapidly changing with LLMs providing an interpretation of the problems and good first-attempt contextual suggestions for changes. I'm excited to see where this goes, but remember - nothing beats good testing!"
FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks by Ravie Lakshmanan for The Hacker News
"Old acquaintances reappear and collaborate in the act of stealing your data while simultaneously encrypting it using multi-stage malware attacks."
"Alongside the recent releases of new tool repositories (such as LOLDrivers), we welcome Living Off the Orchard: macOS Binaries (LOOBins)! What makes LOOBins unique is that it focuses only on binaries on macOS and how these can be used for malicious purposes. It does not include overlapping Unix binaries that are detailed in GTFOBins. This can be incredibly useful as you are investigating your macOS environments. This is a brand new repository but something that should be bookmarked! Happy hunting!"
The weird world of Windows file paths by Erik Jälevik
"As a UNIX snob, I have thought about the relative simplicity of UNIX paths and compared them with needlessly complicated paths that Microsoft has thrust on the world and have wondered "why?" more times than I can count. That being said, a foundational knowledge of rules and exceptions to Windows paths is necessary for threat hunters and red teamers alike. For instance, did you know that you can't name a file PRN on a Windows machine? Seriously, try it. Thankfully, Erik Jälevik has documented this strange world for us."
"The number of customers I work with who still aren’t leveraging the power of threat intelligence is diminishing but they certainly still exist. With that, this article describes how bringing in threat intelligence data can benefit and enhance an organization’s overall security posture. Some of the benefits include risk and management and compliance, cybersecurity defense and incident response, as well as some lesser known benefits like increasing your competitive advantage differentiation and improving CxO-level briefings."
The Future State: Data in SLED by Chris Perkins
"In this blog, I take a brief trip back in history and talk about the future of data in State, Local Government and Education organizations."
"In this article, Andy Greenberg takes aim at threat actor naming conventions that feature descriptive animal names like 'Charming Kitten' or 'Fancy Bear.' It comes after Microsoft announced a new taxonomy with a weather theme. Attribution using so-called 'pet names' can trivialize the serious implications of cyberattacks. It's an easy criticism to make. More difficult, however, is finding a solution for organizing emerging and evolving threat groups into systems for analysts to effectively track and compare. Even more difficult (and unlikely) is a naming convention that's universally adopted, because organizations that track these groups have different visibility into their infrastructure and behaviors. For example, one company may track an activity group that another company clusters as two separate activity groups. From a reporting perspective, descriptive names are more memorable than 'Group 86.' I'm not sure the right answer, other than to acknowledge that threat intelligence collection and attribution is a highly nuanced and complex process."