Latest Security Content Roundups by the Splunk Threat Research Team (STRT)

The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as the Security Content GitHub repository.

This blog provides a roundup of the security content developed by the STRT from the previous quarters, all of which is available today via the Enterprise Security Content Update app.  

Looking for the latest security content? We’ve got you covered!


Splunk Security Content: Q3 Roundup

Below you will find an overview of all the security content developed from August-October 2023. Here’s a brief table of contents:  

Adversary Tradecraft Analytic Stories

Emerging Threats Analytic Stories 

Adversary Tradecraft Analytic Stories

NjRAT is a notorious remote access trojan (RAT) predominantly used by malicious operators to infiltrate compromised systems and take remote control of them. This analytic story uses targeted searches to uncover and investigate activity that could indicate NjRAT’s presence. Check out More Than Just a RAT: Unveiling NjRAT’s MBR Wiping Capabilities to learn more!

The Ave Maria RAT, also known as “Warzone RAT,” is malware that gains unauthorized access to, or remote control over, a victim’s computer system. You can read the STRT analysis of the Warzone RAT and find detections in the Warzone RAT analytic story to search for activities related to:

  • Suspicious process execution
  • Command-line activity
  • And more

In August, a new nation-state activity group was identified. Tracked as Flax Typhoon and based in China, the group is targeting dozens of organizations in Taiwan. The Flax Typhoon analytic story released by the STRT helps identify the tactics, techniques, and procedures (TTPs) associated with this nation-state group.

CERT-UA has disclosed a cyberattack on Ukraine’s energy infrastructure, orchestrated via deceptive emails. In September, the STRT released the Forest Blizzard analytic story to identify these emails, which, once opened, lead to a multi-stage cyber operation that downloads and executes malicious payloads. This activity has been purportedly linked to APT28 (Fancy Bear), which is linked to Russia’s GRU.

Learn more about Forest Blizzard: Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs.

Lastly, adversaries may tamper with Subject Interface Packages (SIPs) and trust provider components to mislead the operating system and application control tools when they perform signature validation checks. In October, we released the Subvert Trust Controls SIP and Trust Provider Hijacking analytic story to detect and defend against SIP and trust provider hijacking.
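As an added illustration of the detection idea behind that story (example code written for this roundup, not the STRT’s own detections or SPL), the following Python flags registry writes that retarget the SIP and trust provider handler locations documented by MITRE ATT&CK. The event format, process names, paths and GUIDs are constructed for the sample.

```python
import re
from dataclasses import dataclass

# Registry keys Windows consults to locate Subject Interface Package (SIP) and
# trust provider handlers (the locations MITRE ATT&CK documents for T1553.003).
# Rewriting the Dll/FuncName values under them redirects signature validation to
# attacker-controlled code, so writes to them are the signal to alert on.
SIP_TRUST_KEY_RE = re.compile(
    r"\\Cryptography\\(OID\\EncodingType 0\\CryptSIPDll(VerifyIndirectData|GetSignedDataMsg)"
    r"|Providers\\Trust\\FinalPolicy)\\",
    re.IGNORECASE,
)
WATCHED_VALUES = {"Dll", "FuncName"}
WRITE_ACTIONS = {"created", "modified"}


@dataclass
class Alert:
    process: str
    key: str
    value_name: str
    value_data: str


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" registry event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect_sip_hijack(events):
    """Flag registry writes that retarget a SIP or trust provider handler."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("action") not in WRITE_ACTIONS:
            continue  # reads and deletes do not install a rogue handler
        if SIP_TRUST_KEY_RE.search(ev.get("registry_path", "")) and ev.get("registry_value_name") in WATCHED_VALUES:
            alerts.append(Alert(ev.get("process_name", "?"), ev["registry_path"],
                                ev["registry_value_name"], ev.get("registry_value_data", "")))
    return alerts


# Constructed sample telemetry (not real events); GUIDs and file paths are placeholders.
SAMPLE_EVENTS = [
    'action="modified" process_name="svchost.exe" registry_path="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" registry_value_name="OneDrive" registry_value_data="C:\\Users\\x\\OneDrive.exe"',
    'action="modified" process_name="regedit.exe" registry_path="HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{00000000-0000-0000-0000-000000000001}" registry_value_name="Dll" registry_value_data="C:\\Temp\\unsigned_sip.dll"',
    'action="created" process_name="powershell.exe" registry_path="HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00000000-0000-0000-0000-000000000002}" registry_value_name="FuncName" registry_value_data="CustomFinalPolicy"',
    'action="deleted" process_name="msiexec.exe" registry_path="HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{00000000-0000-0000-0000-000000000003}" registry_value_name="Dll" registry_value_data=""',
]
```

Running `detect_sip_hijack(SAMPLE_EVENTS)` returns two alerts (the regedit.exe and powershell.exe writes); the Run-key change and the deletion are ignored. The WOW6432Node path matches as well because the pattern anchors on the Cryptography subtree rather than the full hive path.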

Emerging Threats Analytic Stories 

A critical vulnerability was discovered in ShareFile’s Storage Zones Controller software (CVE-2023-24489). The STRT released the Citrix ShareFile RCE CVE-2023-24489 analytic story to address this vulnerability.

CVE-2023-22515 was discovered affecting on-premises instances of Confluence Server and Confluence Data Center. The STRT released the Privilege Escalation Vulnerability Confluence Data Center and Server analytic story to detect activity related to the vulnerability.

Additionally, CVE-2023-46747 was identified in F5’s BIG-IP Virtual Edition; it could allow remote, unauthenticated attackers to execute system commands. The F5 Authentication Bypass with TMUI analytic story was created to help detect and remediate related threats.

In October, CVE-2023-4966 was identified, affecting both NetScaler ADC and NetScaler Gateway. The STRT determined that the vulnerability can result in unauthorized data disclosure if exploited and, as a result, crafted an analytic story

Two vulnerabilities were identified in Adobe ColdFusion, CVE-2023-29298 and CVE-2023-26360, which allow attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in URL path validation.

In August, Ivanti disclosed two vulnerabilities affecting the administration interface of Ivanti Sentry, which enables remote workers to connect securely from any mobile device or PC, and its Endpoint Manager Mobile (EPMM) product. The STRT released the Ivanti Sentry Authentication Bypass CVE-2023-38035 and Ivanti EPMM Remote Unauthenticated Access analytic stories to address these vulnerabilities.

On September 27th, Progress Software released a critical security advisory covering multiple vulnerabilities in WS_FTP Server, a widely used secure file transfer solution. The WS FTP Server Critical Vulnerabilities analytic story addresses both CVE-2023-40044 and CVE-2023-42657. These vulnerabilities follow an increase in the abuse of file sharing programs for malicious purposes, especially after the May 2023 ransomware attack that exploited the MOVEit file sharing application.

Read the STRT blog highlighting further information about CVE-2023-40044.

The Microsoft SharePoint Server vulnerability CVE-2023-29357, identified in September, allows elevation of privilege due to improper handling of authentication tokens. The Microsoft SharePoint Server Elevation of Privilege analytic story identifies attempts to exploit this vulnerability.

Cisco identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The Cisco IOS XE Software Web Management User Interface Vulnerability analytic story detects activity from attackers gaining full control of a compromised device, which enables subsequent unauthorized activity.

Finally, the STRT also released:

  • The JetBrains TeamCity Unauthenticated RCE analytic story, to identify CVE-2023-42793, which affected all versions of TeamCity On-Premises up to 2023.05.3 and allowed unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk of supply chain attacks.

The Latest in Splunk SOAR

Adding to our Playbook of the Month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Investigations with Playbooks to learn how playbooks can perform a general investigation of key aspects of a Windows device using Windows Remote Management.

This August also marked the deadline for US Federal Civilian agencies to meet the Enterprise Logging Level 3 requirements of the M-21-31 OMB Mandate. In light of this, we show how adopting a SOAR Maturity Model can help users meet the mandate’s technical requirements and better align with the MITRE D3FEND framework.



Splunk Security Content: Q2 Roundup

Below you will find an overview of all the security content developed from May-July 2023.

Adversary Tradecraft Analytic Stories

Amadey is botnet malware offered as Malware as a Service (MaaS) and used to distribute other malware such as RedLine Stealer. You can read the STRT analysis of Amadey and find detections in the Amadey analytic story to search for activities related to the malware.

In May, The DFIR Report published details of a destructive malware campaign that uses Truebot, FlawedGrace, and MBR killer malware. The STRT developed the Graceful Wipe Out Attack analytic story to detect and investigate unusual activities related to the campaign.

Vulnerabilities within Active Directory can provide a number of attack paths. Privilege escalation attacks in Active Directory (AD) typically abuse misconfigurations to gain elevated privileges, such as Global Administrator access. Once attackers have escalated their privileges and taken full control of a tenant, they may abuse every service that relies on AD. Security teams should monitor for privilege escalation attacks in Active Directory to identify breaches before attackers achieve their operational goals. The Azure Active Directory Privilege Escalation and Active Directory Privilege Escalation analytic stories provide detections to monitor for the activities and techniques associated with privilege escalation attacks within Active Directory tenants.

Earlier this year, BlackLotus, a UEFI bootkit, was reported to bypass Secure Boot on Windows 11 systems. The STRT developed the Windows BootKits analytic story to detect and defend against bootkit attacks.

Ransomware Analytic Story

RedLine Stealer malware was making headlines in May for being delivered through display ads and
