June was a busy month for the Security Research Team. This valiant group of dedicated digital defenders has been hard at work protecting the world from evil, so you can get back to the important business of summer barbecue!
Here’s what was included in the Enterprise Security Content Updates (
Orangeworm Is Back...with a Vengeance
The attack group Orangeworm, which first surfaced in 2015, has been carrying out targeted campaigns against the healthcare industry in the U.S., Europe, and Asia. While the group’s motives are unconfirmed, it may be focused on corporate espionage.
Orangeworm deploys a particularly virulent piece of malware called
According to a Symantec blog post, the malware decrypts and extracts a copy of its main DLL payload, inserts a randomly generated string into the decrypted payload to evade hash-based detections, and then writes the payload to disk.
In June, the Security Research Team released an Analytic Story containing searches that detect and
DHS Releases Technical Alert (TA-18-149A) Regarding North Korea’s “Hidden Cobra” Malware
In June, the Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert TA-18-149A regarding two variants of North Korean malware. One variant, dubbed "
An Analytic Story released this month in the ESCU app identifies the techniques and indications used by these malware variants. Its associated analytics help you monitor
Splunk Issues Response to Vulnerability Reported in CVE-2018-11409
On June 18, Splunk posted a response to CVE-2018-11409 (Information Exposure), as listed by NIST. The entry describes a vulnerability in Splunk Enterprise versions 6.2.3 through 7.0.1 that exposes system information through a REST endpoint; other versions may also be affected. This is the first publicly disclosed Splunk vulnerability since the spring of 2017.
According to Splunk Answers, exploiting this vulnerability requires an authenticated Splunk user, which may limit the scope and impact of the exploit. A June ESCU Analytic Story provides searches that monitor for evidence of exploitation via the methods described above.
Also featured in
Command and Control. Attackers often install implants on compromised endpoints to receive instructions and send data back to malicious operators. Leverage the searches in this Analytic Story to detect and investigate tactics, techniques, and procedures leveraged by attackers who establish command-and-control channels.
Suspicious Windows Registry Activities. This falls under the category of “adversary tactics.” Attackers often leverage the Windows registry to elevate their privileges, maintain persistence, or move laterally within the target network. A new Analytic Story in one of June’s ESCU releases helps you monitor for and detect changes to the Windows registry.
AWS Cross-Account Activity. Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.
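As an added illustration of the cross-account check described above (example code written for this post, not the ESCU search itself), the following scans constructed CloudTrail records for AssumeRole calls where the caller's account differs from the account that owns the target role. Field names follow the CloudTrail record format; the sample records and account numbers are made up.

```python
import json

# Constructed CloudTrail records (not from the original post): one same-account
# AssumeRole, one cross-account AssumeRole, and one unrelated event.
SAMPLE_CLOUDTRAIL = json.loads("""[
  {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
   "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
   "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ReadOnly"},
   "sourceIPAddress": "198.51.100.10"},
  {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
   "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/bob"},
   "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Admin"},
   "sourceIPAddress": "203.0.113.5"},
  {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
   "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/carol"},
   "sourceIPAddress": "198.51.100.11"}
]""")


def account_from_arn(arn):
    """Return the 12-digit account id embedded in an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def find_cross_account_assume_role(records):
    """Return AssumeRole events whose target role lives in a different account than the caller."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "AssumeRole":
            continue
        role_arn = rec.get("requestParameters", {}).get("roleArn")
        caller = rec.get("userIdentity", {})
        caller_account = caller.get("accountId")
        target_account = account_from_arn(role_arn) if role_arn else None
        # Skip malformed records rather than guessing at their meaning.
        if not caller_account or not target_account:
            continue
        if caller_account != target_account:
            hits.append({
                "caller": caller.get("arn"),
                "caller_account": caller_account,
                "target_account": target_account,
                "role_arn": role_arn,
                "source_ip": rec.get("sourceIPAddress"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cross_account_assume_role(SAMPLE_CLOUDTRAIL):
        print(json.dumps(hit))
```

A real deployment would compare the target account against a list of accounts the organization expects to share roles with, and alert only on the rest.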
Install the Latest Version of
The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk Enterprise Security Content Update v1.0.20 now!