What's New in ESCU: June, 2018

June was a busy month for the Security Research Team. This valiant group of dedicated digital defenders has been hard at work protecting the world from evil, so you can get back to the important business of summer barbecue!

Here’s what was included in the Enterprise Security Content Updates (ESCU) app’s three June releases:

Orangeworm Is Back...with a Vengeance

The attack group Orangeworm, which first surfaced in 2015, has been carrying out targeted campaigns against the healthcare industry in the U.S., Europe, and Asia. While the group’s motives are unconfirmed, it may be focused on corporate espionage.

Orangeworm deploys a particularly virulent piece of malware called Kwampirs that gives the threat actors remote access to the compromised system. According to Microsoft, the malware may be distributed through software supply channels. “It can self-propagate from infected computers through administrative shares. It runs as a service and can delete files, terminate processes, and contact a remote server,” the company’s report said.

The malware decrypts and extracts a copy of its main DLL payload, inserting a randomly generated string into the decrypted payload before writing it to disk so that each copy evades hash-based detections, according to a Symantec blog post. Kwampirs also gathers data (such as network-adapter details and the system version, among other things) and sends it back to the threat group.

In June, the Security Research Team released an Analytic Story containing searches that detect and investigate techniques used by the Orangeworm actors. Because these tactics are not unique to Orangeworm, the analytics also help protect your environment against other attackers who employ the same methods.

DHS Releases Technical Alert (TA-18-149A) Regarding North Korea’s “Hidden Cobra” Malware

In June, the Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert TA-18-149A regarding two variants of North Korean malware. One variant, dubbed "Joanap," is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, dubbed "Brambul," is a Windows 32-bit SMB worm that is dropped into a victim's network. When executed, the malware attempts to spread laterally within the victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. Once a host is infected, the malware reports its details to the Hidden Cobra actors via email, allowing the group to use the information for secondary remote operations.

An Analytic Story released this month in the ESCU app identifies the techniques and indications used by these malware variants. Its associated analytics help you monitor for and investigate activities that could be evidence of infiltration by North Korean government-sponsored cybercriminals.

Splunk Issues Response to Vulnerability Reported in CVE-2018-11409

On June 18, Splunk posted a response to NIST alert CVE-2018-11409: Information Exposure. The alert describes a vulnerability in Splunk Enterprise versions 6.2.3 through 7.0.1 that exposes system information through a REST endpoint. Other versions may also be affected. This is the first publicly disclosed Splunk vulnerability since the spring of 2017.

According to Splunk Answers, an attacker must already be an authenticated Splunk user to exploit this vulnerability, which may limit the scope and impact of the exploit. A June ESCU Analytic Story provides searches that monitor for evidence of exploitation via the methods described above.

Also featured in ESCU this month were the following new Analytic Stories:

  • Command and Control. Attackers often install implants on compromised endpoints to receive instructions and send data back to malicious operators. Use the searches in this Analytic Story to detect and investigate the tactics, techniques, and procedures of attackers who establish command-and-control channels.

  • Suspicious Windows Registry Activities. This story falls under the category of "adversary tactics." Attackers often modify the Windows registry to elevate their privileges, maintain persistence, or move laterally within the target network. A new Analytic Story in one of June's ESCU releases helps you monitor for and detect changes to the registry.

  • AWS Cross-Account Activity. Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Access to roles a user has never assumed before could be an indication of malicious activity.
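One way to implement the cross-account check described in the last item, as an added Python example rather than the ESCU search itself: it walks CloudTrail-style AssumeRole records, compares the caller's account (`userIdentity.accountId`) with the account embedded in the requested `roleArn`, and marks caller/role pairs absent from a baseline as first seen. The sample records, account IDs and principal names are constructed placeholders.

```python
def role_account(role_arn):
    """Account ID from an IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME), or None if malformed."""
    parts = role_arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[2] == "iam" else None


def detect_cross_account_assume_role(events, known_pairs=frozenset()):
    """Flag sts:AssumeRole calls whose target role belongs to an account other than the
    caller's. known_pairs is a baseline of (caller ARN, role ARN) already seen; a pair
    outside it is marked first_seen, the 'new role' the Analytic Story warns about."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        role_arn = (ev.get("requestParameters") or {}).get("roleArn")
        ident = ev.get("userIdentity", {})
        caller, caller_acct = ident.get("arn", "unknown"), ident.get("accountId")
        target_acct = role_account(role_arn) if role_arn else None
        if target_acct is None or caller_acct == target_acct:
            continue  # unparsable ARN, or a same-account role switch: not cross-account activity
        findings.append({
            "time": ev.get("eventTime"), "caller": caller, "role": role_arn,
            "caller_account": caller_acct, "target_account": target_acct,
            "succeeded": "errorCode" not in ev,  # denied attempts are still worth a look
            "first_seen": (caller, role_arn) not in known_pairs,
        })
    return findings


# Constructed CloudTrail-style records; account IDs and principal names are placeholders.
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
SAMPLE_EVENTS = [
    {"eventTime": "2018-06-12T09:01:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "111111111111", "arn": ALICE},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ReadOnly"}},
    {"eventTime": "2018-06-12T09:02:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "111111111111", "arn": ALICE},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy"}},
    {"eventTime": "2018-06-12T09:03:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "111111111111", "arn": BOB}, "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/Admin"}},
]
# Baseline: alice's deploy role is expected; bob has never touched the third account.
KNOWN_PAIRS = frozenset({(ALICE, "arn:aws:iam::222222222222:role/Deploy")})

if __name__ == "__main__":
    for finding in detect_cross_account_assume_role(SAMPLE_EVENTS, KNOWN_PAIRS):
        print(finding)
```

Because the comparison uses the caller's own account rather than the account that recorded the event, the same logic works on either side's trail when both accounts log the assumption.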

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk Enterprise Security Content Update v1.0.20 now!

The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
