Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.
Check out our previous staff security picks, and we hope you enjoy.
Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan by Ariel Szarf and Or Aspir for Mitiga
"The discovery of the AWS SSM Agent being misused as a covert RAT raises significant concerns about security in cloud environments. The SSM Agent's original purpose was to facilitate efficient communication and management of resources like EC2 instances. However, its ability to run on non-EC2 machines, such as on-premises servers and VMs, can be exploited to launch unauthorized remote access attacks. As cloud services become more prevalent, ensuring the security of such platforms becomes paramount. Organizations using AWS should take necessary precautions such as monitoring SSM Agent activity and properly configuring access permissions to safeguard against potential threats. It's a reminder that security should be an ongoing priority, and it's essential for users to stay vigilant and follow best practices to protect against potential vulnerabilities and misuse of cloud resources."
The Ghost of Privacy Past Haunts the Senate’s AI Future by Matt Laslo for WIRED
"Data privacy has been an issue in the United States for a while now. This article by Matt Laslo covers the issues of AI and data privacy. Both sides of Congress need to focus on what can happen if things are left unchecked, and not just on the AI side of things."
"Most, if not all, security tasks become dramatically more difficult or impossible when you don't have consistent time stamps. Imagine conducting a forensic investigation on a server whose time randomly changes. After you've shed a tear at that thought, take a look at this article about how Windows "Secure Time Seeding" (STS) feature can cause random time changes caused by establishing SSL connections to remote servers. The article also includes mitigations to disable STS and a response from Microsoft on the issue."
"I just came back from BlackHat and DEF CON, and it seems that easily half of each conference was devoted to talking about, exhibiting solutions, or challenging commonly held beliefs around ML/AI. My dismal performance at the AI Village challenge had me looking for tools that would assist in getting LLMs to lie to me. Thankfully, Peter Halberg has written a guide to help."
"AI is definitely the latest and greatest and, while we’ve touched on many different security issues surrounding AI, some 'old tricks' are causing AI-adjacent issues, as well. This article describes how illegitimate AI bots are pretending to be genuine AI applications. The links, once clicked, lead to a number of different security concerns from exposing sensitive data to even downloading malware. Alessandro goes on to explain how the fake bots are attempting to look authentic, as well, with one case related to a bot pretending to be Google’s AI tool 'Bard' with the site hosted in Google Cloud and thus masquerading as an actual Google site. While there are still plenty of concerns within AI tools, themselves, these run-of-the-mill malicious links are still something to be cognizant of."
PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers by Kevin O’Connor for Adlumin
"PlayCrypt ransomware, now with supply chain delivery through your MSP for complete administrative access! This article highlights the TTPs of the threat group 'BalloonFly', and includes IOCs as well."
"This article is about the recent approval of an SEC rule that requires companies to disclose cyber attacks within four days. But there's a caveat; because this is an SEC rule, you only have to disclose attacks that have a material impact on finances of the company. I would like to see legislation that included requirements to disclose for other reasons as well -- such as public safety, harm to customers, community or employees, etc. Transparency would, in the long, run benefit everybody. Of course, disclosures should be made in such a way that it doesn't give bad actors MORE opportunities to cause damage. Tricky, I know."
"In this blog, I explore the XDR (Extended Detection and Response) marketing hype, which emerged in 2018. It is evident that this trend has moved beyond its peak, as indicated by its (almost) absence at RSA and Black Hat this year. Additionally, it is progressively adopting a more realistic approach."
"Ransomware claimed two more fatalities, this time in the hosting space. This kind of data loss reminds me of cloud spaces, which had an attacker gain access to their hosting provider and then, when they failed to pay the ransom, had their entire infrastructure deleted. Everyone should have a business continuity plan. Most plans I have seen, plan for a complete outage, while still maintaining control of the assets. This should be a healthy reminder for everyone that they should plan for, and more importantly test their plan, should their entire cloud infrastructure fold without notice."
Unpacking the MOVEit Breach: Statistics and Analysis by Zach Simas for Emsisoft
"More than 1,000 organizations have been impacted by the MOVEit breach. I know this figure because the cybersecurity firm Emsisoft has done such a thorough job tracking the number of victims based on state breach notifications, SEC filings, and the ransomware group cl0p's leak site disclosures. The attack, which is still ongoing, targets vulnerabilities in Progress Software Corp.'s MOVEit file transfer platform. So far, more than 60 million people have been impacted, with U.S. organizations accounting for nearly 84% of known victims. Emsisoft also examined victimology by industry, with the education sector accounting for the largest percentage — 26% — of known incidents."