Staff Picks for Splunk Security Reading June 2022

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

Mark Stricker

@maschicago

Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft by Jai Vijayan at Dark Reading

"Ransomware threats evolved from hostage negotiating (pay to get your machines and data back) to blackmail (pay or we release your data). Now it looks like an APT has found a new 'use case' by using five different ransomware versions to cover up intellectual property theft and to destroy evidence of malicious cyberactivity. This article by Jai Vijayan at Dark Reading gives the dirty details on the 'Bronze Starlight' APT's activities."

Damien Weiss

@damienweiss

Playing Docker? Bad Containers and What They Teach Us by SOC Prime

"I was recently talking with a colleague about Docker and potential ways one could break out of a container to the host. This recalled, in my memory, the mainframe vs. distributed computing wars I fought early in my career, and how we are seeing this monolithic VM vs. small, distributed container war being fought now. I remember the mainframers mocking the (lack of) security of our thousands of UNIX boxes, and my team mocked the lack of nimbleness from the mainframers. Sounds familiar, doesn't it? This article talks about poorly secured containers, and while it does not dig into the exploits, it does a good job of talking about how to remediate some Docker security issues. There was, however, an article written way back in the Stone Age of 2019 on Understanding Docker Escapes that does a great job explaining some of the techniques used to break out of the containers."

Tamara Chacon

@holly1g0lightly

Tweet about deceptive ad practices that collect your data from @hackinraccoon

"We have all been there - you are browsing a site or looking for a video and then boom, a pop-up! Now most of us understand that if we click that link it will probably lead to a bad time. But have you ever thought about tracing down the origins of the pop-up? This wonderful Twitter thread from Infosecsie dives into what they did when they received a pop-up while browsing YouTube. Using a little OSINT, they find some very interesting things about the app in the pop-up."

Audra Streetman

@audrastreetman

LockBit 3.0 introduces the first ransomware bug bounty program by Lawrence Abrams at Bleeping Computer

"The LockBit ransomware group announced the release of LockBit 3.0 on June 26 after beta testing the new encryptor for the past couple of months. Lawrence Abrams at Bleeping Computer reports one difference with LockBit 3.0 is that ransom notes are now named in the format '[id].README.txt' compared to 'Restore-My-Files.txt'. It also appears the Ransomware-as-a-Service group is expanding its extortion model by selling victim data to threat actors.

And that's not all. LockBit also introduced a bug bounty program - the first of any ransomware group - where security researchers can disclose bugs in exchange for rewards ranging from $1,000 to $1 million. LockBit is also offering bounties in exchange for ideas to improve their operation along with a $1 million reward for any hacker who can name the group's affiliate manager, known on forums as LockBitSupp. In addition, a new cryptocurrency animation on the LockBit 3.0 site implies the group now accepts the privacy coin Zcash as a payment option.

The cybercriminals have bragged before that LockBit 1.0 and 2.0 have the fastest encryption speeds of any criminal group. These claims are backed up by research comparing ransomware encryption speeds from Shannon Davis, a member of Splunk SURGe. We hope to test LockBit 3.0 soon to see how it compares with other ransomware strains. Meanwhile, time will tell how these new extortion techniques will impact victims and the ransomware ecosystem."
