Blog
‍

Threat Finds

Hafnium cyber-attack neutralized by AI in December 2020

Apr 2021

Darktrace AI appears to have detected a Hafnium attack against vulnerable Exchange servers in December 2020, three months before the zero-day was identified. This blog provides an in-depth analysis of the attack, which suggests that Hafnium’s campaign began far earlier than previously thought.

In early December 2020, Darktrace AI autonomously detected and investigated a sophisticated cyber-attack that targeted a customer’s Exchange server. On March 2, 2021, Microsoft disclosed an ongoing campaign by the Hafnium threat actor group leveraging Exchange server zero-days.

Based on similarities in techniques, tools and procedures (TTPs) observed, Darktrace has now assessed with high confidence that the attack in December was the work of the Hafnium group. Although it is not possible to determine whether this attack leveraged the same Exchange zero-days as reported by Microsoft, the finding suggests that Hafnium’s campaign was active several months earlier than assumed.

As a result, organizations may want to go back as far as early December 2020 to check security logs and tools for signs of initial intrusion into their Internet-facing Exchange servers.

As Darktrace does not rely on rules or signatures, it doesn’t require a constant cloud connection. Most customers therefore operate our technology themselves, and we don’t centrally monitor their detections.

At the time of detection in December, this was one of many uncategorized, sophisticated intrusions that affected only a single customer, and was not indicative of a broader campaign.

This means that while we protect our customers from individual intrusions, we are not in a position to do global campaign tracking like other companies which focus primarily on threat intelligence and threat actor tracking.

In this blog, we will analyze the attack to aid organizations in their ongoing investigations, and to raise awareness that the Hafnium campaign may have been active for longer than previously disclosed.

Overview of the Exchange attack

The intrusion was detected at an organization in the critical national infrastructure sector in South Asia. One hypothesis is that the Hafnium group was testing out and refining its TTPs, potentially including the Exchange server exploit, before running a broad-scale campaign against Western organizations in early 2021.

The threat actor used many of the same techniques that were observed in the later Hafnium attacks, including the deployment of the low-activity China Chopper web shell, quickly followed by post-exploitation activity – attempting to move laterally and spread to critical devices in the network.

The following analysis demonstrates how Darktrace’s Enterprise Immune System detected the malicious activity, how Cyber AI Analyst automatically investigated on the incident and surfaced the alert as a top priority, and how Darktrace RESPOND (formerly known as 'Antigena') would have responded autonomously to shut down the attack, had it been in active mode.

All the activity took place in early December 2020, almost three months before Microsoft released information about the Hafnium campaign.

*Figure 1: Timeline of the attack from early December 2020*

‍

Initial compromise

Unfortunately, the victim organization did not keep any logs or forensic artefacts from their Exchange server in December 2020, which would have allowed Darktrace to ascertain the exploit of the zero-day. However, there is circumstantial evidence suggesting that these Exchange server vulnerabilities were abused.

Darktrace observed no signs of compromise or change in behavior from the Internet-facing Exchange server – no prior internal admin connections, no broad-scale brute-force attempts, no account takeovers, no malware copied to the server via internal channels – until all of a sudden, it began to scan the internal network.

While this is not conclusive evidence that no other avenue of initial intrusion was present, the change in behavior on an administrative level points to a complete takeover of the Exchange server, rather than the compromise of a single Outlook Web Application account.

To conduct a network scan from an Exchange server, a highly privileged, operating SYSTEM-level account is required. The patch level of the Exchange server at the time of compromise appears to have been up-to-date, at least not offering a threat actor the ability to target a known vulnerability to instantly get SYSTEM-level privileges.

For this reason, Darktrace has inferred that the Exchange server zero-days that became public in early March 2021 were possibly being used in this attack observed in early December 2020.

Internal reconnaissance

As soon as the attackers gained access via the web shell, they used the Exchange server to scan all IPs in a single subnet on ports 80, 135, 445, 8080.

This particular Exchange server had never made such a large number of new failed internal connections to that specific subnet on those key ports. As a result, Darktrace instantly alerted on the anomalous behavior, which was indicative of a network scan.

Autonomous Response

Darktrace RESPOND was in passive mode in the environment, so was not able to take action. In active mode, it would have responded by enforcing the previously learned, normal ‘pattern of life’ of the Exchange server – allowing the server to continue normal business operations (sending and receiving emails) but preventing the network scan and any subsequent activity. These actions would have been carried out via various integrations with the customer’s existing security stack, including Firewalls and Network Access Controls.

Specifically, when the network scanning started, the ‘Antigena Network Scan Block’ was triggered. This means that for several hours, Darktrace RESPOND (Antigena) would have blocked any new outgoing connections from the Exchange server to the scanned subnet on port 80, 135, 445, or 8080, preventing the infected Exchange server from conducting network scanning.

As a result, the attackers would not have been able to conclude anything from their reconnaissance — all their scanning would have returned closed ports. At this point, they would need to stop their attack or resort to other means, likely triggering further detections and further Autonomous Response.

The network scan was the first step touching the internal network. This is therefore a clear case of how Darktrace RESPOND can intercept an attack in seconds, acting at the earliest possible evidence of the intrusion.

Lateral movement

Less than an hour after the internal network scan, the compromised Exchange server was observed writing further web shells to other Exchange servers via internal SMB. Darktrace alerted on this as the initially compromised Exchange server had never accessed the other Exchange servers in this fashion over SMB, let alone writing .aspx files to Program Files remotely.

A single click allowed the security team to pivot from the alert into Darktrace’s Advanced Search, revealing further details about the written files. The full file path for the newly deployed web shells was:

Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\errorFS.aspx

The attackers thus used internal SMB to compromise further Exchange servers and deploy more web shells, rather than using the Exchange zero-day exploit again to achieve the same goal. The reason for this is clear: exploits can often be unstable, and an adversary would not want to show their hand unnecessarily if it could be avoided.

While the China Chopper web shell has been deployed with many different names in the past, the file path and file name of the actual .aspx web shell bear very close resemblance to the Hafnium campaign details published by Microsoft and others in March 2021.

As threat actors often reuse naming conventions / TTPs in coherent campaigns, it again indicates that this particular attack was in some way part of the broader campaign observed in early 2021.

Further lateral movement

Minutes later, the attacker conducted further lateral movement by making more SMB drive writes to Domain Controllers. This time the attackers did not upload web shells, but malware, in the form of executables and Windows .bat files.

Darktrace alerted the security team as it was extremely unusual for the Exchange server and its peer group to make SMB drive writes to hidden shares to a Domain Controller, particularly using executables and batch files. The activity was presented to the team in the form of a high-confidence alert such as the anonymized example below.

*Figure 2: Example graphic of Darktrace detecting unusual connectivity*

‍

The batch file was called ‘a.bat’. At this point, the security team could have created a packet capture for the a.bat file in Darktrace with the click of a button, inspecting the content and details of that script at the time of the intrusion.

Darktrace also listed the credentials involved in the activity, providing context into the compromised accounts. This allows an analyst to pivot rapidly around the data and further understand the scope of the intrusion.

Bird’s-eye perspective

In addition to detecting the malicious activity outlined above, Darktrace’s Cyber AI Analyst autonomously summarized the incident and reported on it, outlining the internal reconnaissance and lateral movement activity in a single, cohesive incident.

The organization has several thousand devices covered by Darktrace’s Enterprise Immune System. Nevertheless, over the period of one week, the Hafnium intrusion was in the top five incidents highlighted in Cyber AI Analyst. Even a small or resource-stretched security team, with only a few minutes available per week to review the highest-severity incidents, could have seen and inspected this threat.

Below is a graphic showing a similar Cyber AI Analyst incident created by Darktrace.

*Figure 3: A Cyber AI Analyst report showing unusual SMB activity*

‍

How to stop a zero-day

Large scale campaigns which target Internet-facing infrastructure and leverage zero-day exploits will continue to occur regularly, and such attacks will always succeed in evading signature-based detection. However, organizations are not helpless against the next high-profile zero-day or supply chain attack.

Detecting the movements of attackers inside a system and responding to contain in-progress threats is possible before IoCs have been provided. The methods of detection outlined above protected the company against this attack in December, and the same techniques will continue to protect the company against unknown threats in the future.

Learn more about how Darktrace AI has stopped Hafnium cyber-attacks and similar threat actors

Darktrace model detections:

Device / New or Uncommon WMI Activity
Executable Uploaded to DC
Compliance / High Priority Compliance Model Breach
Compliance / SMB Drive Write
Antigena / Network / Insider Threat / Antigena Network Scan Block
Device / Network Scan - Low Anomaly Score
Unusual Activity / Unusual Internal Connections

‍

INSIDE THE SOC

Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.

AUTHOR

ABOUT ThE AUTHOR

Max Heinemeyer

Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

share this article

More in this series

No items found.

Blog
‍

No items found.

The State of AI in Cybersecurity: How AI will impact the cyber threat landscape in 2024

Apr 2024

About the AI Cybersecurity Report

We surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog is continuing the conversation from our last blog post “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners” which was an overview of the entire report. This blog will focus on one aspect of the overarching report, the impact of AI on the cyber threat landscape.

To access the full report click here.

Are organizations feeling the impact of AI-powered cyber threats?

Nearly three-quarters (74%) state AI-powered threats are now a significant issue. Almost nine in ten (89%) agree that AI-powered threats will remain a major challenge into the foreseeable future, not just for the next one to two years.

However, only a slight majority (56%) thought AI-powered threats were a separate issue from traditional/non AI-powered threats. This could be the case because there are few, if any, reliable methods to determine whether an attack is AI-powered.

Identifying exactly when and where AI is being applied may not ever be possible. However, it is possible for AI to affect every stage of the attack lifecycle. As such, defenders will likely need to focus on preparing for a world where threats are unique and are coming faster than ever before.

a hypothetical cyber attack augmented by AI at every stage

Are security stakeholders concerned about AI’s impact on cyber threats and risks?

The results from our survey showed that security practitioners are concerned that AI will impact organizations in a variety of ways. There was equal concern associated across the board – from volume and sophistication of malware to internal risks like leakage of proprietary information from employees using generative AI tools.

What this tells us is that defenders need to prepare for a greater volume of sophisticated attacks and balance this with a focus on cyber hygiene to manage internal risks.

One example of a growing internal risks is shadow AI. It takes little effort for employees to adopt publicly-available text-based generative AI systems to increase their productivity. This opens the door to “shadow AI”, which is the use of popular AI tools without organizational approval or oversight. Resulting security risks such as inadvertent exposure of sensitive information or intellectual property are an ever-growing concern.

Are organizations taking strides to reduce risks associated with adoption of AI in their application and computing environment?

71.2% of survey participants say their organization has taken steps specifically to reduce the risk of using AI within its application and computing environment.

16.3% of survey participants claim their organization has not taken these steps.

These findings are good news. Even as enterprises compete to get as much value from AI as they can, as quickly as possible, they’re tempering their eager embrace of new tools with sensible caution.

Still, responses varied across roles. Security analysts, operators, administrators, and incident responders are less likely to have said their organizations had taken AI risk mitigation steps than respondents in other roles. In fact, 79% of executives said steps had been taken, and only 54% of respondents in hands-on roles agreed. It seems that leaders believe their organizations are taking the needed steps, but practitioners are seeing a gap.

Do security professionals feel confident in their preparedness for the next generation of threats?

A majority of respondents (six out of every ten) believe their organizations are inadequately prepared to face the next generation of AI-powered threats.

The survey findings reveal contrasting perceptions of organizational preparedness for cybersecurity threats across different regions and job roles. Security administrators, due to their hands-on experience, express the highest level of skepticism, with 72% feeling their organizations are inadequately prepared. Notably, respondents in mid-sized organizations feel the least prepared, while those in the largest companies feel the most prepared.

Regionally, participants in Asia-Pacific are most likely to believe their organizations are unprepared, while those in Latin America feel the most prepared. This aligns with the observation that Asia-Pacific has been the most impacted region by cybersecurity threats in recent years, according to the IBM X-Force Threat Intelligence Index.

The optimism among Latin American respondents could be attributed to lower threat volumes experienced in the region, but it's cautioned that this could change suddenly (1).

What are biggest barriers to defending against AI-powered threats?

The top-ranked inhibitors center on knowledge and personnel. However, issues are alluded to almost equally across the board including concerns around budget, tool integration, lack of attention to AI-powered threats, and poor cyber hygiene.

The cybersecurity industry is facing a significant shortage of skilled professionals, with a global deficit of approximately 4 million experts (2). As organizations struggle to manage their security tools and alerts, the challenge intensifies with the increasing adoption of AI by attackers. This shift has altered the demands on security teams, requiring practitioners to possess broad and deep knowledge across rapidly evolving solution stacks.

Educating end users about AI-driven defenses becomes paramount as organizations grapple with the shortage of professionals proficient in managing AI-powered security tools. Operationalizing machine learning models for effectiveness and accuracy emerges as a crucial skill set in high demand. However, our survey highlights a concerning lack of understanding among cybersecurity professionals regarding AI-driven threats and the use of AI-driven countermeasures indicating a gap in keeping pace with evolving attacker tactics.

The integration of security solutions remains a notable problem, hindering effective defense strategies. While budget constraints are not a primary inhibitor, organizations must prioritize addressing these challenges to bolster their cybersecurity posture. It's imperative for stakeholders to recognize the importance of investing in skilled professionals and integrated security solutions to mitigate emerging threats effectively.

To access the full report click here.

References

1. IBM, X-Force Threat Intelligence Index 2024, Available at: https://www.ibm.com/downloads/cas/L0GKXDWJ

2. ISC2, Cybersecurity Workforce Study 2023, Available at: https://media.isc2.org/-/media/Project/ISC2/Main/Media/ documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf?rev=28b46de71ce24e6ab7705f6e3da8637e

About the author

Blog
‍

Inside the SOC

Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework

Apr 2024

Offensive Security Tools

As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.

What is Sliver C2?

Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.

The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

In early 2024, Darktrace observed the malicious use of Sliver C2 during an investigation into post-exploitation activity on customer networks affected by the Ivanti vulnerabilities. Fortunately for affected customers, Darktrace DETECT™ was able to recognize the suspicious network-based connectivity that emerged alongside Sliver C2 usage and promptly brought it to the attention of customer security teams for remediation.

How does Silver C2 work?

Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].

Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].

Why Do Attackers Use Sliver C2?

Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].

Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.

Darktrace’s Coverage of Sliver C2 Activity

Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.

Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.

Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.

The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.

Figure 1: Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.

Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.

Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].

An Additional Example of Darktrace’s Detection of Sliver C2

However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base. In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].

Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:

‘/upload/api.html?c=[REDACTED] &fp=[REDACTED]’

‘/samples.html?mx=[REDACTED] &s=[REDACTED]’
‘/actions/samples.html?l=[REDACTED] &tc=[REDACTED]’
‘/api.html?gf=[REDACTED] &x=[REDACTED]’
‘/samples.html?c=[REDACTED] &zo=[REDACTED]’

This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.

Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].

Conclusion

Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant