TekStream Security Bulletin: APT Spotlight Ransomware from MeowCorp

By Bryan Bollou, Team Lead, Cybersecurity Engineering

Introduction

Confirmed to have been in use since February 2020, the Conti ransomware has resurfaced with a newer APT: MeowCorp. Conti's source code was leaked by an alleged Ukrainian hacker after the group publicly expressed support for Russia during the Russia-Ukraine war. With the code public, many other ransomware families have used it as a base, and many decryptors have been built from it at the same time. As one of these copycats, the MEOW! ransomware shares nearly all of Conti's characteristics, from its use of ChaCha20 and RSA-4096 to encrypt files to dropping a ransom note named “readme.txt”.

What is notable about this malware is its use of leaked source code to generate novel ransomware variants. This is a recent phenomenon, and it simplifies the process for attackers to produce and spread new strains of ransomware. Such attacks can be disruptive and costly for organizations; the worst outcomes are the loss of crucial data and system access, often leaving the victim to pay a ransom to regain access.

Threat Overview

Attacks using the Conti-based ransomware from MeowCorp have been acknowledged by many cyber threat researchers, including Kaspersky. Kaspersky has released a free decryptor for the ransomware, linked here: https://support.kaspersky.com/common/disinfection/10556#block1

NOTE: If you suspect your machine has been infected by ransomware, please follow good security practices, and escalate it to your information security team. Do not attempt to decrypt your files without the supervision of this team.

Various mitigation steps to prevent a successful attack from MeowCorp are as follows:

  • Having regularly scheduled phishing simulations, routine education, and awareness training
  • Communicating regularly about MFA fatigue and web browser hygiene
  • If MeowCorp IOCs are discovered, prioritizing and blocking all indicators attributed to the threat actors and attacks
  • Ensuring all workstations and servers have endpoint protection that is up to date

So far, we have seen many good options and would like to present a few more specific cases using everyone’s favorite SIEM, Splunk.

This is not a blog post to fully explain or give recommendations on remediating an infection; that has been discussed at length by various resources such as: https://www.pcrisk.com/removal-guides/25479-meow-ransomware

The goal here is to aggregate the detections to maximize your chances of detecting this critical attack. Part of that is gathering the IOCs scattered across multiple locations on the internet and looking at activity that could point to MeowCorp ransomware activity. Here at TekStream, we have several security engineers with deep cybersecurity knowledge and, especially, familiarity with our clients' logs.

In this blog post, we go through the various steps of a MeowCorp ransomware attack and its detection. For each step, we first provide a more generic “tstats” search over the relevant data model, which takes advantage of the data model to quickly find data that may match our IOC list. We then provide examples of a more specific search that adds context to the first find. There will be a wide variety of specific searches, as each client has its own specific technologies. To get help building detections for your specific environment, fill in the form below and get access to our Splunk/security expertise.

Note: This blog is purely focused on discovering IOCs related to the MeowCorp ransomware. Determining the correct actions to take in your environment once a ransomware infection is found is an intensive process, and that incident response is not covered in this blog post. Reach out to TekStream by filling out the form below if you’d like specific guidance on that aspect.

The following detection steps mirror the stages and TTP-related indicators used in the attack:

  1. Detect emails to and from any known addresses associated with MeowCorp or with use of the Conti ransomware
  2. Detect connections to any domains used either for C2 communications or as malicious domains for drive-by downloads
  3. Detect the existence of any of the file and/or process hashes related to the MeowCorp ransomware
  4. Detect the existence of any file extensions associated with the MeowCorp ransomware
  5. Detect C2 communications to known IP addresses related to the MeowCorp APT

Threat Implication

There are many ways the MeowCorp ransomware can infect an environment. The most common ways the malware was discovered in the wild are as follows:

  • Infected email attachments distributed as part of phishing campaigns
  • Macros in infected documents (e.g. Word documents, spreadsheets)
  • Torrent websites
  • Malicious ads

Threat Detection

Step 1

Detect emails to and from any known addresses associated with MeowCorp or with use of the Conti ransomware. This detection is important for two reasons: it can surface a possible exploitation attempt, and it can surface a confirmed one. If an employee’s workstation gets infected, they may be driven to reach out to the perpetrator to resolve the issue without sounding the alarm.

Actions Detect

Detect any incoming or outgoing communications with the following email addresses and Telegram accounts. The accounts are listed in the search below (sanitized with “[.]” in place of periods, as elsewhere in this post):

SPL

SPL – Detect outgoing/incoming emails to known malicious addresses using the Email data model

| tstats `summariesonly` max(_time) as _time, values(All_Email.protocol) as protocol, values(All_Email.recipient) as recipient, count from datamodel=Email.All_Email where (All_Email.src_user IN ("@meowcorp123","@meowcorp2022","amagnus@india[.]com","bitcoin143@india[.]com","braker@plague[.]life","byaki_buki@aol[.]com","byaki_buki@aol[.]com_mod2","crannbest@foxmail[.]com","cryptolocker@aol[.]com","cryptolocker@aol[.]com_graf1","cryptolocker@aol[.]com_mod","funa@india[.]com","grafdrkula@gmail[.]com","iizomer@aol[.]com","ivanivanov34@aol[.]com","lavandos@dr[.]com","load180@aol[.]com","meowcorp2022@aol[.]com","meowcorp2022@proton[.]me","meowcorp@msgsafe[.]io","meowcorp@onionmail[.]org","mkgoro@india[.]com","moshiax@aol[.]com","oduvansh@aol[.]com","pay4help@india[.]com","seven_Legion2@aol[.]com","stopper@india[.]com","trojanencoder@aol[.]com","vpupkin3@aol[.]com","watnik91@aol[.]com","webmafia@asia[.]com","worm01@india[.]com") OR All_Email.recipient IN ("@meowcorp123","@meowcorp2022","amagnus@india[.]com","bitcoin143@india[.]com","braker@plague[.]life","byaki_buki@aol[.]com","byaki_buki@aol[.]com_mod2","crannbest@foxmail[.]com","cryptolocker@aol[.]com","cryptolocker@aol[.]com_graf1","cryptolocker@aol[.]com_mod","funa@india[.]com","grafdrkula@gmail[.]com","iizomer@aol[.]com","ivanivanov34@aol[.]com","lavandos@dr[.]com","load180@aol[.]com","meowcorp2022@aol[.]com","meowcorp2022@proton[.]me","meowcorp@msgsafe[.]io","meowcorp@onionmail[.]org","mkgoro@india[.]com","moshiax@aol[.]com","oduvansh@aol[.]com","pay4help@india[.]com","seven_Legion2@aol[.]com","stopper@india[.]com","trojanencoder@aol[.]com","vpupkin3@aol[.]com","watnik91@aol[.]com","webmafia@asia[.]com","worm01@india[.]com")) by All_Email.src, All_Email.src_user, All_Email.dest | `drop_dm_object_name("All_Email")` | sort - count | fields _time, protocol, src, src_user, dest, recipient, count

Step 2

Detect connections to any domains used either for command-and-control communications or as malicious domains for drive-by downloads. There are many websites and domains associated with the Meow ransomware, ranging from credential harvesting sites and remote session sites for the malware to sites selling decryptors, C2 domains, etc. Any connection attempt (successful or not) to these known malicious domains is a sign of a potential infection.

Actions Detect

Any successful or failed connection attempts to the following domains:

SPL

SPL 1 – Detect C2 and Malicious Domains using the Web Data Model

| tstats `summariesonly` sum("Web.bytes") as bytes, values("Web.http_content_type") as http_content_type, values("Web.http_method") as http_method, values("Web.http_user_agent") as http_user_agent, values("Web.status") as status from datamodel="Web"."Web" by "Web.src", "Web.dest", "Web.user", "Web.http_referrer", "Web.url", _time | `drop_dm_object_name("Web")` | where match(url, "(?i)(anonfiles[.]com)|(badiwaw[.]com)|(balacif[.]com)|(barovur[.]com)|(basisem[.]com)|(bimafu[.]com)|(bujoke[.]com)|(buloxo[.]com)|(bumoyez[.]com)|(bupula[.]com)|(cajeti[.]com)|(cilomum[.]com)|(codasal[.]com)|(comecal[.]com)|(contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad[.]onion)|(contirecovery[.]top)|(dawasab[.]com)|(derotin[.]com)|(dihata[.]com)|(dirupun[.]com)|(dohigu[.]com)|(dubacaj[.]com)|(fecotis[.]com)|(fipoleb[.]com)|(fofudir[.]com)|(fulujam[.]com)|(ganobaz[.]com)|(gerepa[.]com)|(gucunug[.]com)|(guvafe[.]com)|(hakakor[.]com)|(hejalij[.]com)|(hepide[.]com)|(hesovaw[.]com)|(hewecas[.]com)|(hidusi[.]com)|(hireja[.]com)|(hoguyum[.]com)|(jecubat[.]com)|(jegufe[.]com)|(joxinu[.]com)|(kelowuh[.]com)|(kidukes[.]com)|(kipitep[.]com)|(kirute[.]com)|(kogasiv[.]com)|(kozoheh[.]com)|(kuxizi[.]com)|(kuyeguh[.]com)|(lipozi[.]com)|(lujecuk[.]com)|(masaxoc[.]com)|(mebonux[.]com)|(mihojip[.]com)|(modasum[.]com)|(moduwoj[.]com)|(movufa[.]com)|(nagahox[.]com)|(nawusem[.]com)|(nerapo[.]com)|(newiro[.]com)|(paxobuy[.]com)|(pazovet[.]com)|(pihafi[.]com)|(pilagop[.]com)|(pipipub[.]com)|(pofifa[.]com)|(radezig[.]com)|(raferif[.]com)|(ragojel[.]com)|(rexagi[.]com)|(rimurik[.]com)|(rinutov[.]com)|(rusoti[.]com)|(sazoya[.]com)|(sidevot[.]com)|(solobiv[.]com)|(sufebul[.]com)|(suhuhow[.]com)|(sujaxa[.]com)|(tafobi[.]com)|(tepiwo[.]com)|(tifiru[.]com)|(tiyuzub[.]com)|(tubaho[.]com)|(vafici[.]com)|(vegubu[.]com)|(vigave[.]com)|(vipeced[.]com)|(vizosi[.]com)|(vojefe[.]com)|(vonavu[.]com)|(wezeriw[.]com)|(wideri[.]com)|(wudepen[.]com)|(wuluxo[.]com)|(wuvehus[.]com)|(wuvici[.]com)|(wuvidi[.]com)|(xegogiv[.]com)|(xekezix[.]com)") | fields _time, src, dest, user, http_referrer, url, http_content_type, http_method, http_user_agent, status, bytes | eval ip_pair = src . " - " . dest | stats values(_time) as Time, values(ip_pair) as src_dest, values(user) as user, values(http_referrer) as http_referrer, values(http_user_agent) as http_user_agent, values(http_method) as http_method, values(status) as status, values(bytes) as bytes, count by url | fieldformat Time = strftime(Time,"%m/%d/%Y %T")

Note: The malicious domains have been kept sanitized using “[.]” for the periods, please remove these when running the SPL. Please be careful not to navigate to them outside a sandbox.

SPL 2 – Detect C2 and Malicious Domains using the DNS Data Model

| tstats `summariesonly` latest(_time) as _time, values("DNS.dest") as dest, values("DNS.query") as query, values("DNS.query_count") as query_count, values("DNS.message_type") as message_type, values("DNS.answer") as answer, values("DNS.reply_code") as reply_code from datamodel="Network_Resolution"."DNS" where DNS.query IN ("anonfiles[.]com","badiwaw[.]com","balacif[.]com","barovur[.]com","basisem[.]com","bimafu[.]com","bujoke[.]com","buloxo[.]com","bumoyez[.]com","bupula[.]com","cajeti[.]com","cilomum[.]com","codasal[.]com","comecal[.]com","contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad[.]onion","contirecovery[.]top","dawasab[.]com","derotin[.]com","dihata[.]com","dirupun[.]com","dohigu[.]com","dubacaj[.]com","fecotis[.]com","fipoleb[.]com","fofudir[.]com","fulujam[.]com","ganobaz[.]com","gerepa[.]com","gucunug[.]com","guvafe[.]com","hakakor[.]com","hejalij[.]com","hepide[.]com","hesovaw[.]com","hewecas[.]com","hidusi[.]com","hireja[.]com","hoguyum[.]com","jecubat[.]com","jegufe[.]com","joxinu[.]com","kelowuh[.]com","kidukes[.]com","kipitep[.]com","kirute[.]com","kogasiv[.]com","kozoheh[.]com","kuxizi[.]com","kuyeguh[.]com","lipozi[.]com","lujecuk[.]com","masaxoc[.]com","mebonux[.]com","mihojip[.]com","modasum[.]com","moduwoj[.]com","movufa[.]com","nagahox[.]com","nawusem[.]com","nerapo[.]com","newiro[.]com","paxobuy[.]com","pazovet[.]com","pihafi[.]com","pilagop[.]com","pipipub[.]com","pofifa[.]com","radezig[.]com","raferif[.]com","ragojel[.]com","rexagi[.]com","rimurik[.]com","rinutov[.]com","rusoti[.]com","sazoya[.]com","sidevot[.]com","solobiv[.]com","sufebul[.]com","suhuhow[.]com","sujaxa[.]com","tafobi[.]com","tepiwo[.]com","tifiru[.]com","tiyuzub[.]com","tubaho[.]com","vafici[.]com","vegubu[.]com","vigave[.]com","vipeced[.]com","vizosi[.]com","vojefe[.]com","vonavu[.]com","wezeriw[.]com","wideri[.]com","wudepen[.]com","wuluxo[.]com","wuvehus[.]com","wuvici[.]com","wuvidi[.]com","xegogiv[.]com","xekezix[.]com") by "DNS.src" | `drop_dm_object_name("DNS")` | table _time, src, dest, query, query_count, message_type, answer, reply_code | fieldformat _time = strftime(_time,"%m/%d/%Y %T")

Note: The malicious domains have been kept sanitized using “[.]” for the periods, please remove these when running the SPL. Please be careful not to navigate to them outside a sandbox.
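The two searches above match names differently: IN on DNS.query is an exact match, so a lookup for a host under a listed domain (for example a subdomain of badiwaw[.]com) would not match, while the unanchored match() regex in SPL 1 also fires on any URL that merely contains a listed name. The Python below is an added illustration, not part of TekStream's bulletin: it normalises the sanitized list and matches a DNS query on the listed domain or any of its subdomains only, run over a few constructed DNS events. It assumes events as JSON lines with Network_Resolution data model field names; the sample events and their values are constructed.

```python
import json
from typing import Optional

# Excerpt of the Step 2 domain list, kept in the "[.]" sanitized form used
# throughout the bulletin (the full list is in the SPL above).
SANITIZED_DOMAINS = [
    "anonfiles[.]com",
    "badiwaw[.]com",
    "balacif[.]com",
    "contirecovery[.]top",
]

# Constructed sample DNS events (not real log data) using Network_Resolution
# data model field names. The second is a subdomain lookup with a trailing
# dot and mixed case; the third merely contains a listed name as a substring.
SAMPLE_DNS_EVENTS = [
    '{"_time": "2023-03-14T10:01:02Z", "src": "10.0.0.5", "query": "badiwaw.com", "reply_code": "NoError"}',
    '{"_time": "2023-03-14T10:01:09Z", "src": "10.0.0.5", "query": "cdn.BADIWAW.com.", "reply_code": "NXDomain"}',
    '{"_time": "2023-03-14T10:02:30Z", "src": "10.0.0.9", "query": "notbadiwaw.com", "reply_code": "NoError"}',
    '{"_time": "2023-03-14T10:03:00Z", "src": "10.0.0.9", "query": "www.example.org", "reply_code": "NoError"}',
]


def desanitize(indicator: str) -> str:
    """Turn a defanged indicator such as "badiwaw[.]com" back into a real name."""
    return indicator.strip().replace("[.]", ".").lower()


def build_domain_set(sanitized: list) -> set:
    """Normalised set of IOC domains, ready for membership tests."""
    return {desanitize(d) for d in sanitized}


def matched_domain(query: str, domains: set) -> Optional[str]:
    """Return the IOC domain that `query` equals or is a subdomain of, else None.

    Walks the name from the full query down to its shortest suffix
    (a.b.c -> b.c -> c), so "cdn.badiwaw.com" matches "badiwaw.com" while
    "notbadiwaw.com" does not.
    """
    labels = query.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def find_hits(event_lines: list, domains: set) -> list:
    """Run the matcher over JSON event lines and return the matching records."""
    hits = []
    for line in event_lines:
        event = json.loads(line)
        ioc = matched_domain(event["query"], domains)
        if ioc is not None:
            hits.append({"_time": event["_time"], "src": event["src"],
                         "query": event["query"], "matched_ioc": ioc,
                         "reply_code": event["reply_code"]})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DNS_EVENTS, build_domain_set(SANITIZED_DOMAINS)):
        print(hit)
```

A failed resolution (NXDomain) for a listed domain is still worth a notable, which is why reply_code is carried through rather than filtered on. Inside the match() regex of SPL 1, "[.]" is already a character class for a literal period, so that search also works with the sanitized names left in place.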

Step 3

Detect the existence of any of the file and/or process hashes related to the MeowCorp ransomware. There are many known hashes associated with this malware. They come from samples submitted by victims, samples identified by researchers in sandbox environments, and even data from the Conti ransomware leak.

Actions Detect

The existence of any of the known hashes associated with the MeowCorp ransomware points to a potential infection. The hashes are as follows:

SPL

SPL – Detect existence of malicious hashes using the Endpoint Datamodel

| tstats `summariesonly` latest(_time) as _time, latest(Filesystem.file_create_time) as file_create_time, latest(Filesystem.file_modify_time) as file_modify_time, latest(Filesystem.file_access_time) as file_access_time, values(Filesystem.action) as action, values(Filesystem.file_name) as file_name, values(Filesystem.file_hash) as file_hash, values(Filesystem.file_size) as file_size from datamodel="Endpoint"."Filesystem" where Filesystem.file_hash IN ("222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853","fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9","7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099","5a936250411bf5709a888db54680c131e9c0f40ff4ff04db4aeda5443481922f","7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f","b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec","938cbbf9061792b6fc9bd2440b8a93f2db1139212f73e4fde30499568cbe75ea","c4c5b77cceb82cd9b5f5e839136313e2fbfc97db731b162bc2e250d10fd62c1a","3460d66ff62bfccae55a26b499de0f18fc4b2d6efd2283b0278385269b047973","8ac29ab81c98c1b094aa0986a0e66c7473d5b6b7153f7b34ae0e0215eb474e66","e6f6fde7839a21807a321b79ac1395489c0eeea9b9187ba4d20c17559ccef608","c0941c7c8d162d60f73d56aefe36647a31575a5077392202015f480453024a6b","84b8c65ba4cf18f852fd435fc9210f108b090dcd5cc69cf3beaaebff6b8cec2c","0252a7441f7a2595add46aa89b4bf7d0b5e5a9eb4683550907b03c5917ece5bd","fca83ce362e14648eb729547e14b06a7f402c98cce2c96a9ab47bf676755bd02","4f0a7bf521f979afa947001eedd8b18a1ecd1994e1ae0ed90d65739de662684b","78d588aad48812f4421c22eeccee1a5b0499c41ae41e20ab6186982245719b86","ae21a4210486695dbdf514d96250a4e05f0e6e572f7eaad7048b3bdd357b4aad","5cddda3ccbf63faea37daf019437b760daa627632b986e1d764d11978944757a","2191fe7baba338a2b3f5a12a95ea4e42cad96850f2afd4a6c7eaa23289d610c5","9de83968d33d896fc2a2629a271fbc9bcaf5bf504e033cfdb1fb99fd55953cde","041e879548c2839ebb36f642c5a25870ab1b015e875775077b7d8b951d53e0a1","ae6eef72bba38ab89c5cbe418d839b75b78a9247f06aa3e1df4850f103a6b1dd","1eaef39c48fcce2af0bf1ee089dd412d29d1396b31f0536138879cd0421d53ec","2a0f684bb99a9077914961bea16bac5f8baa5368a40a305a0ea0008a4c2f1bdf","c5bf64ac95cc82f65205984c8adb107870c71197c767744209bbc4a3e19aede8","f15cff9bf29f9098999401b16d73f61fe73789866e51319c7c24c4594ed7367d","6065d4b46266a2114dc8363b15ec7f884cbdbed1735f0ca4f1eb60df85d61a9b","f9e47d2cb8ba9a69c9ba8b2bc6017a1e54da68c944ee4324873047b0200546d0","47d7d2027548f7562b221acdebe3b33d67ddd1dd278b98ad05a5f3ac14dea3fe","c32f2ec819fee8581fbeed9b4eea40cb17efda7284beed5d12ed48e5af45c41c","234665c66de8541ef8e95cb9ccbcd5ecccb0189d3cf174c4e11a2c60dbc1742e","1a34ba12130ffff45bb525cce48e5d19e4110e4a4bb06d79ad33d6a816f28927","72c55f299c997ec0f5cb87e82141707482067609f1d631ac3cc825af90540b9f","a18aab0f358b7b8e23ebf6eb1252172625430e9aa461b3dcebff1de357113626","b802f944cc6ba9b33c0d58c04295f9f6cf6473ffa602cfa447acb36a97afcc55","d8aa49acc0b40f52b3ac3027ecc16ee053fd01e383272eca4d0637f24fd51a55","df75243be11b86b6644b671dcfd16fdeaf47a7b64e28bfd3ac179c44a6312b46","d9e24d6bd5e118f04bc36fe3cfc314a808119d12190fd9b661b5f871c33fec6b","6b36a1d647d4de09e7f204f221b3445d499a540823c1c9b9612764e3241cdf62","fad2f925ad2267c01d604e12081017215fa9e5ca83279064885bd7682400b761","c1f5a70c2c5bb42ac973558c5c9ef510a2caab8aae19e4f1f68c76d1d10107b9","ede451e9a65e55d0827e217a25cf895163c46bc42432f7cbed0f46d99769c385","6cd17b4422772c99c93e388bbad4c7c213584e15400fb984d748e4cfecd9dd8d","94a9da09da3151f306ab8a5b00f60a38b077d594","987ad5aa6aee86f474fb9313334e6c9718d68daf","4f5d4e9d1e3b6a46f450ad1fb90340dfd718608b","578b1b0f46491b9d39d21f2103cb437bc2d71cac","5949c404aee552fc8ce29e3bf77bd08e54d37c59","59e756e0da6a82a0f9046a3538d507c75eb95252","4dd2b61e0ccf633e008359ad989de2ed","1d70020ddf6f29638b22887947dd5b9c","8f154ca4a8ee50dc448181afbc95cfd7","3eff7826b6eea73b0206f11d08073a68","033acf3b0f699a39becdc71d3e2dddcc","0bbb9b0d573a9c6027ca7e0b1f5478bf") by Filesystem.dest, Filesystem.file_path | `drop_dm_object_name("Filesystem")` | fields _time, dest, action, file_name, file_hash, file_path, file_size, file_create_time, file_modify_time, file_access_time | fieldformat _time = strftime(_time,"%m/%d/%Y %T")

Step 4

Detect the existence of any file extensions associated with the MeowCorp ransomware. Like any other ransomware, MeowCorp has its own way of encrypting and renaming infected files, and its file extension naming has many similarities with Conti's.

Actions Detect

The creation or movement of any files with the known MeowCorp file extensions. These extensions are as follows:

File Extensions
.MEOW
.CONTI
.KREMLIN
.RUSSIA
.PUTIN

SPL

SPL – Detect the creation or renaming of files with file extensions related to the MeowCorp APT using the Endpoint data model

| tstats `summariesonly` latest(_time) as _time, latest(Filesystem.file_create_time) as file_create_time, latest(Filesystem.file_modify_time) as file_modify_time, latest(Filesystem.file_access_time) as file_access_time, values(Filesystem.action) as action, values(Filesystem.file_name) as file_name, values(Filesystem.file_hash) as file_hash, values(Filesystem.file_size) as file_size from datamodel="Endpoint"."Filesystem" where Filesystem.file_name IN ("*.MEOW","*.CONTI","*.KREMLIN","*.RUSSIA","*.PUTIN") by Filesystem.dest, Filesystem.file_path | `drop_dm_object_name("Filesystem")` | fields _time, dest, action, file_name, file_hash, file_path, file_size, file_create_time, file_modify_time, file_access_time | fieldformat _time = strftime(_time,"%m/%d/%Y %T")

Step 5

Detect C2 communications to known IP addresses related to the MeowCorp APT. These C2 IP addresses have been associated with beaconing activity of the malware.

Actions Detect

Connection attempts to known C2 IP addresses, including the following:
162.244.80[.]235
85.93.88[.]165
185.141.63[.]120
82.118.21[.]1

SPL

SPL – Detect C2 IPs using the Network Traffic data model

| tstats `summariesonly` latest(_time) as _time, sum("All_Traffic.bytes") as bytes, values("All_Traffic.src_port") as src_port, values("All_Traffic.transport") as transport, values("All_Traffic.dest_port") as dest_port from datamodel="Network_Traffic"."All_Traffic" where All_Traffic.src IN ("162.244.80[.]235","85.93.88[.]165","185.141.63[.]120","82.118.21[.]1") OR All_Traffic.dest IN ("162.244.80[.]235","85.93.88[.]165","185.141.63[.]120","82.118.21[.]1") by "All_Traffic.action", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.user" | head 10000 | `drop_dm_object_name("All_Traffic")` | table action, src, src_port, dest, transport, dest_port, user, bytes

Note: The malicious IPs have been kept sanitized using “[.]” for the periods, please remove these when running the SPL. Please be careful not to navigate to them outside a sandbox.

IOC List

Below is an aggregate of the IOCs found to be related to the MeowCorp ransomware. It is presented here so you have them consolidated in one spot, which makes them easier to export to a lookup for notable detections.

TekStream MeowCorp IOC List
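As an added illustration (not TekStream's tooling) of exporting these indicators to a lookup, and of the lookup-backed scheduled searches the Conclusion recommends, the Python below takes indicators in the sanitized form used throughout this post, classifies each by type so that SHA-256, SHA-1 and MD5 hashes, e-mail addresses, Telegram handles, domains, IPs and file extensions can share one lookup with an ioc_type column, de-duplicates them and produces the CSV text a Splunk lookup file would contain. The embedded indicators are a handful copied from the steps above; the column names ioc_type, ioc_value and source are my own choice.

```python
import csv
import io
import re

# A handful of indicators copied from the steps above, in the sanitized form
# used in this post; the full set is in the TekStream MeowCorp IOC List.
RAW_IOCS = [
    "@meowcorp2022",
    "meowcorp2022@proton[.]me",
    "meowcorp2022@proton[.]me",   # deliberate duplicate, to show de-duplication
    "badiwaw[.]com",
    "contirecovery[.]top",
    "162.244.80[.]235",
    "222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853",
    "94a9da09da3151f306ab8a5b00f60a38b077d594",
    "4dd2b61e0ccf633e008359ad989de2ed",
    ".MEOW",
    ".CONTI",
]

# Ordered most-specific first; the first pattern that matches wins.
IOC_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("telegram", re.compile(r"^@\w+$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("file_extension", re.compile(r"^\.[A-Za-z0-9]+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.I)),
]
# Extensions are kept exactly as the bulletin lists them; every other type is
# lower-cased so the lookup matches regardless of how the log source cases it.
CASE_SENSITIVE_TYPES = {"file_extension"}


def desanitize(indicator: str) -> str:
    """Remove the "[.]" defanging so the value matches what appears in logs."""
    return indicator.strip().replace("[.]", ".")


def classify(indicator: str) -> tuple:
    """Return (ioc_type, normalised_value); unrecognised shapes become 'unknown'."""
    value = desanitize(indicator)
    for ioc_type, pattern in IOC_PATTERNS:
        if pattern.match(value):
            if ioc_type not in CASE_SENSITIVE_TYPES:
                value = value.lower()
            return ioc_type, value
    return "unknown", value


def build_lookup(raw_iocs: list, source: str = "TekStream MeowCorp bulletin") -> list:
    """Classify, normalise and de-duplicate indicators into lookup rows."""
    rows = {}
    for raw in raw_iocs:
        ioc_type, value = classify(raw)
        rows.setdefault((ioc_type, value),
                        {"ioc_type": ioc_type, "ioc_value": value, "source": source})
    return sorted(rows.values(), key=lambda r: (r["ioc_type"], r["ioc_value"]))


def to_csv(rows: list) -> str:
    """Render the rows as the CSV text a Splunk lookup file would contain."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ioc_type", "ioc_value", "source"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_lookup(RAW_IOCS)), end="")
```

Load the resulting file as a lookup, then filter on ioc_type so each step's search only compares against the indicator type its data model actually carries.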

Conclusion

Ideally, you would build scheduled searches like those shown above on top of lookup tables, which keeps the matching specific and lets you pick up new detections. These can be set to run on a continuous schedule to ensure your assets are monitored against new threats. Entries for old vulnerabilities that have been patched (and the patch applied) can also be aged out of the lookup table to keep it timely and efficient. For questions on how to build such a process, dynamic and customizable for your environment, ask one of our consultants by filling in the form below. Also, subscribe to the TekStream blog to catch the next monthly security bulletin and apply the latest detections to protect your systems. Happy Splunking!

References

Articles referenced and used for this Blog Post

Bleeping Computer: Conti-based ransomware ‘MeowCorp’ gets free decryptor

Malwarebytes: The Conti Ransomware Leaks

CISA.Gov: Conti Ransomware

Sentinel Labs: Conti Unpacked | Understanding Ransomware Development As a Response to Detection

The Record: Kaspersky releases decryptor for ransomware based on Conti source code

PC Risk: MEOW (.MEOW) ransomware virus – removal and decryption options

WatchGuard: Ransomware – MEOW!

Kaspersky: The Kaspersky Rakhni Decryptor

HivePro: New Ransomware Variants Created Using Leaked Conti Source Code

Disclaimer

The approaches recommended herein have not been tested broadly across the TekStream customer base. They are preliminary in nature and come without any certification of efficacy.

Purpose of TekStream Security Bulletins

With the TekStream Security Bulletin, we are presenting some specific detection use cases using everyone’s favorite SIEM, Splunk. We’ve cherry-picked vulnerabilities that are not only intriguing but also directly impactful for our valued clients. These vulnerabilities were chosen based on a multitude of factors, ranging from the technology in the crosshairs to the specific sectors being targeted. This is not a blog post to fully explain or give recommendations on remediating the vulnerability or exploit – this has been discussed at length by various resources. The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit these vulnerabilities. A part of that is gathering the list of IOCs scattered in multiple locations on the internet and looking at activity that could point to the vulnerability being exploited. Here at TekStream, we have an amazing team of cybersecurity engineers armed with a deep knowledge of logs and the secrets they hold, ready to fortify your cyber resiliency.