Splunk Inc.

08/29/2024 | News release | Distributed by Public on 08/29/2024 10:49

Staff Picks for Splunk Security Reading August 2024

Hello, everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

Check out our previous staff security picks, and we hope you enjoy.

James Hodgkinson


512-bit RSA key in home energy system gives control of "virtual power plant" by Ryan Castellucci

"While configuring access to their energy management system, Ryan Castellucci found that the security was lax, to say the least. With a relatively small amount of cloud computing and a little time, they were able to recover the private key and establish significant access in the platform. I don't agree that 'the tool let them do it' is any excuse for using such small keys, but the response from the vendor was swift and effective."

Kassandra Murphy

New DNS-Based Backdoor Threat Discovered at Taiwanese University by Alessandro Mascellino

"A fresh new threat has hit the villa (Love Island fans, anyone?), this time targeting a Taiwanese university with a backdoor called Backdoor.Msupedge. This one's quite sneaky as it uses DNS traffic for its command-and-control, which, while increasingly common, is still rare enough that it may help it fly under the radar. The backdoor operates as a DLL and can execute commands like creating a process through DNS TXT records, using URLs received through DNS to download files, triggering sleep modes in the target machine, and removing various temp files. The initial entry was likely through a PHP vulnerability (CVE-2024-4577) and, more specifically, a CGI argument injection vulnerability, which affects all versions of PHP and is sure to be a concern for Windows-based web server admins. Symantec is staying up to date with researching this topic and has provided a list of IOCs in their latest advisory, which can be referenced via the article."

Zachary Christensen

LinkedIn

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset by Joshua Miller, Georgi Mladenov, Andrew Northern, Greg Lesnewich and the Proofpoint Threat Research Team

"Proofpoint's blog post discusses how the Iranian threat actor TA453 targeted a prominent religious figure with a fake podcast invitation. The attack involved sending a benign email to build trust, followed by a malicious link, delivering a new malware toolkit called BlackSmith. This toolkit, including a PowerShell trojan named AnvilEcho, is designed for intelligence gathering and data exfiltration. The post highlights the sophistication of TA453's methods and their focus on exploiting trust to deploy advanced malware. This event serves as a reminder of the complexity and persistent nature of threats in the cybersecurity landscape, especially from nation-state actors."

David Montero-Suárez

LinkedIn

Show HN: 1-FPS encrypted screen sharing for introverts by Roman Pushkin

"Very interesting approach to the problem of encrypted video! Instead of supercharging hardware or algorithms, just reconsidering our needs. A good reminder of the importance of requirements."

Mike Polisky

USPS Text Scammers Duped His Wife, So He Hacked Their Operation by Matt Burgess for WIRED

"This is a classic, feel-good, hack-back story about how a Red Teamer named Grant Smith infiltrated a large-scale Chinese smishing operation. You've probably received one of the USPS package messages yourself. Even the bad guys slack on opsec: SQL injection, default passwords, and more. A total of 1,133 domains used in the campaign were discovered."

Sydney Marrone

@letswastetime

The Hidden Treasures of Crash Reports by Patrick Wardle

"Rather than staying very demure this summer, I challenge you to dive into this blog post that reveals how to find treasure in something most people overlook: crash reports! While the author's focus is on macOS, you can leverage ANY crash report to uncover bugs, malware, and more. Happy hunting!"

Mark Stricker

@maschicago

Qilin ransomware now steals credentials from Chrome browsers by Bill Toulas

"I've always worried about those little dialog boxes on browsers that offer to 'remember' your passwords. Convenient, yes, but it also seems like a pretty big risk. Turns out I was right to worry! This new threat not only steals your saved credentials, but propagates itself via a Group Policy Object, so it can steal credentials from anyone using Chrome in your enterprise! See this article for a good discussion of this threat and what you can do to mitigate it."

Chris Perkins

LinkedIn

The Intersection of Security and Usability in Public Pensions by Chris Perkins

"As public sector pensions navigate the modern threats of fraud and cyber attacks, I examine in this blog the intersection between technical innovation and security, and how human-centered design can enhance anti-fraud efforts. I also discuss the transformation from traditional pension systems to advanced, resilient systems that safeguard the financial futures of millions of public servants while making them easier to use, manage, and observe."

Audra Streetman

@audrastreetman / @[email protected]

"The Light We Keep" documentary by Cisco Talos Intelligence Group

"I'm looking forward to watching this documentary by Cisco Talos about the impact of electronic warfare in Ukraine, which is coming out soon. The story follows Project PowerUp, an effort led by Talos cyber threat researcher and security strategist Joe Marshall, which aims to help keep the lights on in Ukraine by improving stability in the country's power transmission grid. You can read more about the project here."