Learn how Darktrace analyzed the SolarWinds hack without signatures. Understand the techniques used to identify and mitigate this major cyber threat.
For a high-level explanation of the SolarWinds hack, watch our video below.
The SUNBURST malware attacks against SolarWinds have heightened companies’ concerns about the risk to their digital environments. Malware installed during software updates in March 2020 has allowed advanced attackers to gain unauthorized access to files that may include customer data and intellectual property.
Darktrace does not use SolarWinds, and its operations remain unaffected by this breach. However, SolarWinds is an IT discovery tool that is used by a significant number of Darktrace customers. In what follows, we explore a set of Darktrace detections that highlight and alert security teams to the types of behaviors related to this breach.
This is not an example of a SolarWinds compromise, but examples of anomalous behaviors we can expect to see from this type of breach. These examples stress the value of self-learning Cyber AI capable of understanding the evolving normal ‘patterns of life’ within an enterprise – as opposed to a signature-based approach that looks at historical data to predict today’s threat.
As Darktrace detects device activity patterns rather than known malicious signatures, detecting use of these techniques will fall into the scope of Darktrace’s capabilities without further need for configuration. The technology automatically clusters devices into ‘peer groups’, allowing it to detect cases of an individual device behaving unusually. Using a self-learning approach is the best possible mechanism to catch an attacker who gains access into your systems using a degree of stealth so as to not trigger signature-based detection.
A number of these models may fire in combination with other models in order to make a strong detection over a time-series – and this is exactly where Darktrace’s autonomous incident triage capability, Cyber AI Analyst, plays a crucial role in investigating the alerts on behalf of security teams. Cyber AI Analyst saves critical time for security teams, and its results should be treated with a high priority during this period of vigilance.
How SolarWinds was detected with AI
We want to focus on the most sophisticated details of the hands-on intrusion that in many cases followed the initial automated attack. This post-exploitation part of the attack is much more varied and stealthy. These stages are also near-impossible to predict, as they are driven by the attacker’s intentions and goals for each individual victim at this stage – making the use of signatures, threat intelligence or static use cases virtually useless.
While the automated, initial malware execution is a critical initial step to understand, the behavior was pre-configured for the malware and included the download of further payloads and the connection to domain-generation-algorithm (DGA) based subdomains of avsvmcloud[.]com. These automated first stages of the attack have been sufficiently researched in depth by the community. This post is not aiming to add anything to these findings, but instead takes a look at the potential post-infection activities.
Malware / C2 domains
The threat-actor set the hostnames on their later-stage command and control (C2) infrastructure to match a legitimate hostname found within the victim’s environment. This allowed the adversary to blend into the environment, avoid suspicion, and evade detection. They further used C2 servers in geopolitical proximity to their victims, further circumventing static geo-based trusts lists. Darktrace is unaffected by this type of tradecraft as it does not have implicit, pre-defined trust of any geo-locations.
This would be very likely to trigger the following Darktrace Cyber AI models. The models were not specifically designed to detect SolarWinds modifications but have been in place for years – they are designed to detect the subtle but significant attacker activities occurring within an organization’s network.
Compromise / Agent Beacon to New Endpoint
Compromise / SSL Beaconing to New Endpoint
Compromise / HTTP Beaconing to New Endpoint*
*The implant uses SSL, but may be identified as HTTP if using a proxy.
Lateral movement using different credentials
Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.
This very likely would trigger the following Cyber AI models:
User / Multiple Uncommon New Credentials on Device
Figure 1: Example breach event log showing anomalous (new) logins from a single device, with multiple user credentials
User / New Admin Credentials on Client
Figure 2: Example breach event log showing anomalous admin login
Temporary file replacement and temporary task modification
The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. They routinely removed their tools – including the removal of backdoors once legitimate remote access was achieved.
This would be very likely to trigger the following Cyber AI models:
Anomalous Connection / New or Uncommon Service Control
Figure 3: Example breach showing uncommon service control
Anomalous Connection / High Volume of New or Uncommon Service Control
Figure 4: Example breach showing 10 uncommon service controls
Device / AT Service Scheduled Task
Figure 5: Breach event log shows new AT service scheduled task activity
Device / Multiple RPC Requests for Unknown Services
Figure 6: Breach shows multiple binds to unknown RPC services
Device / Anomalous SMB Followed By Multiple Model Breaches
Figure 10: Breach shows significant deviation in SMB activity from device
SolarWinds breach remembered
By understanding where credentials are used and which devices talk to each other, Cyber AI has an unprecedented and dynamic understanding of business systems. This empowers it to alert security teams to enterprise changes that could indicate cyber risk in real time.
These alerts demonstrate how AI learns ‘normal’ for the unique digital environment surrounding it, and then alerts operators to deviations, including those that are directly relevant to the SUNBURST compromise. It further provides insights into how the attacker exploited those networks that did not have the appropriate visibility and detection capabilities.
On top of these alerts, Cyber AI Analyst will also be automatically correlating these detections over time to identify patterns, generating comprehensive and intuitive incident summaries and significantly reducing triage time. Reviewing Cyber AI Analyst alerts should be given high priority over the next several weeks.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NEWSLETTER
Like this and want more?
Stay up to date on the latest industry news and insights.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Disarming the WarmCookie Backdoor: Darktrace’s Oven-Ready Solution
26
Jul 2024
What is WarmCookie malware?
WarmCookie, also known as BadSpace [2], is a two-stage backdoor tool that provides functionality for threat actors to retrieve victim information and launch additional payloads. The malware is primarily distributed via phishing campaigns according to multiple open-source intelligence (OSINT) providers.
Backdoor malware: A backdoor tool is a piece of software used by attackers to gain and maintain unauthorized access to a system. It bypasses standard authentication and security mechanisms, allowing the attacker to control the system remotely.
Two-stage backdoor malware: This means the backdoor operates in two distinct phases:
1. Initial Stage: The first stage involves the initial infection and establishment of a foothold within the victim's system. This stage is often designed to be small and stealthy to avoid detection.
2. Secondary Stage: Once the initial stage has successfully compromised the system, it retrieves or activates the second stage payload. This stage provides more advanced functionalities for the attacker, such as extensive data exfiltration, deeper system control, or the deployment of additional malicious payloads.
How does WarmCookie malware work?
Reported attack patterns include emails attempting to impersonate recruitment firms such as PageGroup, Michael Page, and Hays. These emails likely represented social engineering tactics, with attackers attempting to manipulate jobseekers into engaging with the emails and following malicious links embedded within [3].
This backdoor tool also adopts stealth and evasion tactics to avoid the detection of traditional security tools. Reported evasion tactics included custom string decryption algorithms, as well as dynamic API loading to prevent researchers from analyzing and identifying the core functionalities of WarmCookie [1].
Before this backdoor makes an outbound network request, it is known to capture details from the target machine, which can be used for fingerprinting and identification [1], this includes:
- Computer name
- Username
- DNS domain of the machine
- Volume serial number
WarmCookie samples investigated by external researchers were observed communicating communicated over HTTP to a hardcoded IP address using a combination of RC4 and Base64 to protect its network traffic [1]. Ultimately, threat actors could use this backdoor to deploy further malicious payloads on targeted networks, such as ransomware.
Darktrace Coverage of WarmCookie
Between April and June 2024, Darktrace’s Threat Research team investigated suspicious activity across multiple customer networks indicating that threat actors were utilizing the WarmCookie backdoor tool. Observed cases across customer environments all included the download of unusual executable (.exe) files and suspicious outbound connectivity.
Affected devices were all observed making external HTTP requests to the German-based external IP, 185.49.69[.]41, and the URI, /data/2849d40ade47af8edfd4e08352dd2cc8.
Less than a minute later, the same device was observed making HTTP requests to the rare external IP address: 185.49.69[.]41, which had never previously been observed on the network, for the URI /data/b834116823f01aeceed215e592dfcba7. The device then proceeded to download masqueraded executable file from this endpoint. Darktrace recognized that these connections to an unknown endpoint, coupled with the download of a masqueraded file, likely represented malicious activity.
Following this download, the device began beaconing back to the same IP, 185.49.69[.]41, with a large number of external connections observed over port 80. This beaconing related behavior could further indicate malicious software communicating with command-and-control (C2) servers.
Darktrace’s model alert coverage included the following details:
[Model Alert: Device / Unusual BITS Activity]
- Associated device type: desktop
- Time of alert: 2024-04-23T14:10:23 UTC
- ASN: AS28753 Leaseweb Deutschland GmbH
- User agent: Microsoft BITS/7.8
[Model Alert: Anomalous File / EXE from Rare External Location]
[Model Alert: Compromise / Beaconing Activity To External Rare]
- Associated device type: desktop
- Time of alert: 2024-04-23T14:15:24 UTC
- Destination IP: 185.49.69[.]41
- Destination port: 80
- Protocol: TCP
- Application protocol: HTTP
- ASN: AS28753 Leaseweb Deutschland GmbH
- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)
Between May 7 and June 4, Darktrace identified a wide range of suspicious external connectivity on another customer’s environment. Darktrace’s Threat Research team further investigated this activity and assessed it was likely indicative of WarmCookie exploitation on customer devices.
Similar to the initial use case, BITS activity was observed on affected devices, which is utilized to download WarmCookie [1]. This initial behavior was observed with the device after triggering the model: Device / Unusual BITS Activity on May 7.
Just moments later, the same device was observed making HTTP requests to the aforementioned German IP address, 185.49.69[.]41 using the same URI /data/2849d40ade47af8edfd4e08352dd2cc8, before downloading a suspicious executable file.
Just like the first use case, this device followed up this suspicious download with a series of beaconing connections to 185.49.69[.]41, again with a large number of connections via port 80.
Similar outgoing connections to 185.49.69[.]41 and model alerts were observed on additional devices during the same timeframe, indicating that numerous customer devices had been compromised.
Darktrace’s model alert coverage included the following details:
[Model Alert: Device / Unusual BITS Activity]
- Associated device type: desktop
- Time of alert: 2024-05-07T09:03:23 UTC
- ASN: AS28753 Leaseweb Deutschland GmbH
- User agent: Microsoft BITS/7.8
[Model Alert: Anomalous File / EXE from Rare External Location]
[Model Alert: Anomalous Connection / New User Agent to IP Without Hostname]
- Associated device type: desktop
- Time of alert: 2024-05-07T09:04:14 UTC
- Destination IP: 185.49.69[.]41
- Application protocol: HTTP
- URI: /data/2849d40ade47af8edfd4e08352dd2cc8
- User agent: Microsoft BITS/7.8
[Model Alert: Compromise / HTTP Beaconing to New Endpoint]
- Associated device type: desktop
- Time of alert: 2024-05-07T09:08:47 UTC
- Destination IP: 185.49.69[.]41
- Protocol: TCP
- Application protocol: HTTP
- ASN: AS28753 Leaseweb Deutschland GmbH
- URI: /
- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705) \
Figure 1: Cyber AI Analyst Coverage Details around the external destination, ‘185.49.69[.]41’.
Figure 2: External Sites Summary verifying the geographical location of the external IP, 185.49.69[.]41’.
Fortunately, this particular customer was subscribed to Darktrace’s Proactive Threat Notification (PTN) service and the Darktrace Security Operation Center (SOC) promptly investigated the activity and alerted the customer. This allowed their security team to address the activity and begin their own remediation process.
In this instance, Darktrace’s Autonomous Response capability was configured in Human Confirmation mode, meaning any mitigative actions required manual application by the customer’s security team.
Despite this, Darktrace recommended two actions to contain the activity: blocking connections to the suspicious IP address 185.49.69[.]41 and any IP addresses ending with '69[.]41', as well as the ‘Enforce Pattern of Life’ action. By enforcing a pattern of life, Darktrace can restrict a device (or devices) to its learned behavior, allowing it to continue regular business activities uninterrupted while blocking any deviations from expected activity.
Figure 3: Actions suggested by Darktrace to contain the emerging activity, including blocking connections to the suspicious endpoint and restricting the device to its ‘pattern of life’.
Conclusion
Backdoor tools like WarmCookie enable threat actors to gather and leverage information from target systems to deploy additional malicious payloads, escalating their cyber attacks. Given that WarmCookie’s primary distribution method seems to be through phishing campaigns masquerading as trusted recruitments firms, it has the potential to affect a large number of organziations.
In the face of such threats, Darktrace’s behavioral analysis provides organizations with full visibility over anomalous activity on their digital estates, regardless of whether the threat bypasses by human security teams or email security tools. While threat actors seemingly managed to evade customers’ native email security and gain access to their networks in these cases, Darktrace identified the suspicious behavior associated with WarmCookie and swiftly notified customer security teams.
Had Darktrace’s Autonomous Response capability been fully enabled in these cases, it could have blocked any suspicious connections and subsequent activity in real-time, without the need of human intervention, effectively containing the attacks in the first instance.
Credit to Justin Torres, Cyber Security Analyst and Dylan Hinz, Senior Cyber Security Analyst
Appendices
Darktrace Model Detections
- Anomalous File / EXE from Rare External Location
- Anomalous File / Masqueraded File Transfer
- Compromise / Beacon to Young Endpoint
- Compromise / Beaconing Activity To External Rare
- Compromise / HTTP Beaconing to New Endpoint
- Compromise / HTTP Beaconing to Rare Destination
- Compromise / High Volume of Connections with Beacon Score
- Compromise / Large Number of Suspicious Successful Connections
- Compromise / Quick and Regular Windows HTTP Beaconing
- Compromise / SSL or HTTP Beacon
- Compromise / Slow Beaconing Activity To External Rare
- Compromise / Sustained SSL or HTTP Increase
- Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
- Anomalous Connection / Multiple Failed Connections to Rare Endpoint
- Anomalous Connection / New User Agent to IP Without Hostname
- Compromise / Sustained SSL or HTTP Increase
AI Analyst Incident Coverage:
- Unusual Repeated Connections
- Possible SSL Command and Control to Multiple Endpoints
The State of AI in Cybersecurity: Understanding AI Technologies
24
Jul 2024
About the State of AI Cybersecurity Report
Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.
How familiar are security professionals with supervised machine learning
Just 31% of security professionals report that they are “very familiar” with supervised machine learning.
Many participants admitted unfamiliarity with various AI types. Less than one-third felt "very familiar" with the technologies surveyed: only 31% with supervised machine learning and 28% with natural language processing (NLP).
Most participants were "somewhat" familiar, ranging from 46% for supervised machine learning to 36% for generative adversarial networks (GANs). Executives and those in larger organizations reported the highest familiarity.
Combining "very" and "somewhat" familiar responses, 77% had familiarity with supervised machine learning, 74% generative AI, and 73% NLP. With generative AI getting so much media attention, and NLP being the broader area of AI that encompasses generative AI, these results may indicate that stakeholders are understanding the topic on the basis of buzz, not hands-on work with the technologies.
If defenders hope to get ahead of attackers, they will need to go beyond supervised learning algorithms trained on known attack patterns and generative AI. Instead, they’ll need to adopt a comprehensive toolkit comprised of multiple, varied AI approaches—including unsupervised algorithms that continuously learn from an organization’s specific data rather than relying on big data generalizations.
Different types of AI
Different types of AI have different strengths and use cases in cyber security. It’s important to choose the right technique for what you’re trying to achieve.
Supervised machine learning: Applied more often than any other type of AI in cyber security. Trained on human attack patterns and historical threat intelligence.
Large language models (LLMs): Applies deep learning models trained on extremely large data sets to understand, summarize, and generate new content. Used in generative AI tools.
Natural language processing (NLP): Applies computational techniques to process and understand human language.
Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies.
What impact will generative AI have on the cybersecurity field?
More than half of security professionals (57%) believe that generative AI will have a bigger impact on their field over the next few years than other types of AI.
Figure 1: Chart from Darktrace's State of AI in Cybersecurity Report
Security stakeholders are highly aware of generative AI and LLMs, viewing them as pivotal to the field's future. Generative AI excels at abstracting information, automating tasks, and facilitating human-computer interaction. However, LLMs can "hallucinate" due to training data errors and are vulnerable to prompt injection attacks. Despite improvements in securing LLMs, the best cyber defenses use a mix of AI types for enhanced accuracy and capability.
AI education is crucial as industry expectations for generative AI grow. Leaders and practitioners need to understand where and how to use AI while managing risks. As they learn more, there will be a shift from generative AI to broader AI applications.
Do security professionals fully understand the different types of AI in security products?
Only 26% of security professionals report a full understanding of the different types of AI in use within security products.
Confusion is prevalent in today’s marketplace. Our survey found that only 26% of respondents fully understand the AI types in their security stack, while 31% are unsure or confused by vendor claims. Nearly 65% believe generative AI is mainly used in cybersecurity, though it’s only useful for identifying phishing emails. This highlights a gap between user expectations and vendor delivery, with too much focus on generative AI.
Key findings include:
Executives and managers report higher understanding than practitioners.
Larger organizations have better understanding due to greater specialization.
As AI evolves, vendors are rapidly introducing new solutions faster than practitioners can learn to use them. There's a strong need for greater vendor transparency and more education for users to maximize the technology's value.
To help ease confusion around AI technologies in cybersecurity, Darktrace has released the CISO’s Guide to Cyber AI. A comprehensive white paper that categorizes the different applications of AI in cybersecurity. Download the White Paper here.
Do security professionals believe generative AI alone is enough to stop zero-day threats?
No! 86% of survey participants believe generative AI alone is NOT enough to stop zero-day threats
This consensus spans all geographies, organization sizes, and roles, though executives are slightly less likely to agree. Asia-Pacific participants agree more, while U.S. participants agree less.
Despite expecting generative AI to have the most impact, respondents recognize its limited security use cases and its need to work alongside other AI types. This highlights the necessity for vendor transparency and varied AI approaches for effective security across threat prevention, detection, and response.
Stakeholders must understand how AI solutions work to ensure they offer advanced, rather than outdated, threat detection methods. The survey shows awareness that old methods are insufficient.
![Cyber AI Analyst Coverage Details around the external destination, ‘185.49.69[.]41’.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/66a3e9519710d78dcbea06b5_66a3de28f7ac7a01b4b94b45_Screenshot%25202024-07-26%2520at%252010.33.48%2520AM.png)
![External Sites Summary verifying the geographical location of the external IP, 185.49.69[.]41’.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/66a3e9519710d78dcbea06ad_66a3de6808c6bac429c4520e_Screenshot%25202024-07-26%2520at%252010.34.08%2520AM.png)
