Blog
/

Threat Finds

/
May 3, 2021

Understanding Modern-Day Cyber Attacks

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
May 2021
Discover how Darktrace detects and mitigates threats in IoT ecosystems and globalized supply chains that are constantly evolving.

It’s ten to five on a Friday afternoon. A technician has come in to perform a routine check on an electronic door. She enters the office with no issues – she works for a trusted third-party vendor, employees see her every week. She opens her laptop and connects to the Door Access Control Unit, a small Internet of Things (IoT) device used to operate the smart lock. Minutes later, trojans have been downloaded onto the company network, a crypto-mining operation has begun, and there is evidence of confidential data being exfiltrated. Where did things go wrong?

Threats in a business: A new dawn surfaces

As organizations keep pace with the demands of digital transformation, the attack surface has become broader than ever before. There are numerous points of entry for a cyber-criminal – from vulnerabilities in IoT ecosystems, to blind spots in supply chains, to insiders misusing their access to the business. Darktrace sees these threats every day. Sometimes, like in the real-world example above, which will be examined in this blog, they can occur in the very same attack.

Insider threats can use their familiarity and level of access to a system as a critical advantage when evading detection and launching an attack. But insiders don’t necessarily have to be malicious. Every employee or contractor is a potential threat: clicking on a phishing link or accidentally releasing data often leads to wide-scale breaches.

At the same time, connectivity in the workspace – with each IoT device communicating with the corporate network and the Internet on its own IP address – is an urgent security issue. Access control systems, for example, add a layer of physical security by tracking who enters the office and when. However, these same control systems imperil digital security by introducing a cluster of sensors, locks, alarm systems, and keypads, which hold sensitive user information and connect to company infrastructure.

Furthermore, a significant proportion of IoT devices are built without security in mind. Vendors prioritize time-to-market and often don’t have the resources to invest in baked-in security measures. Consider the number of start-ups which manufacture IoT – over 60% of home automation companies have fewer than ten employees.

Insider threat detected by Cyber AI

In January 2021, a medium-sized North American company suffered a supply chain attack when a third-party vendor connected to the control unit for a smart door.

Figure 1: The attack lasted 3.5 hours in total, commencing 16:50 local time.

The technician from the vendor’s company had come in to perform scheduled maintenance. They had been authorized to connect directly to the Door Access Control Unit, yet were unaware that the laptop they were using, brought in from outside of the organization, had been infected with malware.

As soon as the laptop connected with the control unit, the malware detected an open port, identified the vulnerability, and began moving laterally. Within minutes, the IoT device was seen making highly unusual connections to rare external IP addresses. The connections were made using HTTP and contained suspicious user agents and URIs.

Darktrace then detected that the control unit was attempting to download trojans and other payloads, including upsupx2.exe and 36BB9658.moe. Other connections were used to send base64 encoded strings containing the device name and the organization’s external IP address.

Cryptocurrency mining activity with a Monero (XMR) CPU miner was detected shortly afterwards. The device also utilized an SMB exploit to make external connections on port 445 while searching for vulnerable internal devices using the outdated SMBv1 protocol.

One hour later, the device connected to an endpoint related to the third-party remote access tool TeamViewer. After a few minutes, the device was seen uploading over 15 MB to a 100% rare external IP.

Figure 2: Timeline of the connections made by an example device on the days around an incident (blue). The connections associated with the compromise are a significant deviation from the device’s normal pattern of life, and result in multiple unusual activity events and repeated model breaches (orange).

Security threats in the supply chain

Cyber AI flagged the insider threat to the customer as soon as the control unit had been compromised. The attack had managed to bypass the rest of the organization’s security stack, for the simple reason that it was introduced directly from a trusted external laptop, and the IoT device itself was managed by the third-party vendor, so the customer had little visibility over it.

Traditional security tools are ineffective against supply chain attacks such as this. From the SolarWinds hack to Vendor Email Compromise, 2021 has put the nail in the coffin for signature-based security – proving that we cannot rely on yesterday’s attacks to predict tomorrow’s threats.

International supply chains and the sheer number of different partners and suppliers which modern organizations work with thus pose a serious security dilemma: how can we allow external vendors onto our network and keep an airtight system?

The first answer is zero-trust access. This involves treating every device as malicious, inside and outside the corporate network, and demanding verification at all stages. The second answer is visibility and response. Security products must shed a clear light into cloud and IoT infrastructure, and react autonomously as soon as subtle anomalies emerge across the enterprise.

IoT investigated

Darktrace’s Cyber AI Analyst reported on every stage of the attack, including the download of the first malicious executable file.

Figure 3: Example of Cyber AI Analyst detecting anomalous behavior on a device, including C2 connectivity and suspicious file downloads.

Cyber AI Analyst investigated the C2 connectivity, providing a high-level summary of the activity. The IoT device had accessed suspicious MOE files with randomly generated alphanumeric names.

Figure 4: A Cyber AI Analyst summary of C2 connectivity for a device.

Not only did the AI detect every stage of the activity, but the customer was also alerted via a Proactive Threat Notification following a high scoring model breach at 16:59, just minutes after the attack had commenced.

Stranger danger

Third parties coming in to tweak device settings and adjust the network can have unintended consequences. The hyper-connected world which we’re living in, with the advent of 5G and Industry 4.0, has become a digital playground for cyber-criminals.

In the real-world case study above, the IoT device was unsecured and misconfigured. With rushed creations of IoT ecosystems, intertwining supply chains, and a breadth of individuals and devices connecting to corporate infrastructure, modern-day organizations cannot expect simple security tools which rely on pre-defined rules to stop insider threats and other advanced cyber-attacks.

The organization did not have visibility over the management of the Door Access Control Unit. Despite this, and despite no prior knowledge of the attack type or the vulnerabilities present in the IoT device, Darktrace detected the behavioral anomalies immediately. Without Cyber AI, the infection could have remained on the customer’s environment for weeks or months, escalating privileges, silently crypto-mining, and exfiltrating sensitive company data.

Thanks to Darktrace analyst Grace Carballo for her insights on the above threat find.

Learn more about insider threats

Darktrace model detections:

  • Anomalous File/Anomalous Octet Stream
  • Anomalous Connection/New User Agent to IP Without Hostname
  • Unusual Activity/Unusual External Connectivity
  • Device/Increased External Connectivity
  • Anomalous Server Activity/Outgoing from Server
  • Device/New User Agent and New IP
  • Compliance/Cryptocurrency Mining Activity
  • Compliance/External Windows Connectivity
  • Anomalous File/Multiple EXE from Rare External Locations
  • Anomalous File/EXE from Rare External Location
  • Device/Large Number of Model Breaches
  • Anomalous File/Internet Facing System File Download
  • Device/Initial Breach Chain Compromise
  • Device/SMB Session Bruteforce
  • Device/Network Scan- Low Anomaly Score
  • Device/Large Number of Connections to New Endpoint
  • Anomalous Server Activity/Outgoing from Server
  • Compromise/Beacon to Young Endpoint
  • Anomalous Server Activity/Rare External from Server
  • Device/Multiple C2 Model Breaches
  • Compliance/Remote Management Tool on Server
  • Anomalous Connection/Data Sent to New External Device


Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Brianna Leddy
Director of Analysis

Based in San Francisco, Brianna is Director of Analysis at Darktrace. She joined the analyst team in 2016 and has since advised a wide range of enterprise customers on advanced threat hunting and leveraging Self-Learning AI for detection and response. Brianna works closely with the Darktrace SOC team to proactively alert customers to emerging threats and investigate unusual behavior in enterprise environments. Brianna holds a Bachelor’s degree in Chemical Engineering from Carnegie Mellon University.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

October 4, 2024

/

Inside the SOC

From Call to Compromise: Darktrace’s Response to a Vishing-Induced Network Attack

Default blog imageDefault blog image

What is vishing?

Vishing, or voice phishing, is a type of cyber-attack that utilizes telephone devices to deceive targets. Threat actors typically use social engineering tactics to convince targets that they can be trusted, for example, by masquerading as a family member, their bank, or trusted a government entity. One method frequently used by vishing actors is to intimidate their targets, convincing them that they may face monetary fines or jail time if they do not provide sensitive information.

What makes vishing attacks dangerous to organizations?

Vishing attacks utilize social engineering tactics that exploit human psychology and emotion. Threat actors often impersonate trusted entities and can make it appear as though a call is coming from a reputable or known source.  These actors often target organizations, specifically their employees, and pressure them to obtain sensitive corporate data, such as privileged credentials, by creating a sense of urgency, intimidation or fear. Corporate credentials can then be used to gain unauthorized access to an organization’s network, often bypassing traditional security measures and human security teams.

Darktrace’s coverage of vishing attack

On August 12, 2024, Darktrace / NETWORK identified malicious activity on the network of a customer in the hospitality sector. The customer later confirmed that a threat actor had gained unauthorized access through a vishing attack. The attacker successfully spoofed the IT support phone number and called a remote employee, eventually leading to the compromise.

Figure 1: Timeline of events in the kill chain of this attack.

Establishing a Foothold

During the call, the remote employee was requested to authenticate via multi-factor authentication (MFA). Believing the caller to be a member of their internal IT support, using the legitimate caller ID, the remote user followed the instructions and confirmed the MFA prompt, providing access to the customer’s network.

This authentication allowed the threat actor to login into the customer’s environment by proxying through their Virtual Private Network (VPN) and gain a foothold in the network. As remote users are assigned the same static IP address when connecting to the corporate environment, the malicious actor appeared on the network using the correct username and IP address. While this stealthy activity might have evaded traditional security tools and human security teams, Darktrace’s anomaly-based threat detection identified an unusual login from a different hostname by analyzing NTLM requests from the static IP address, which it determined to be anomalous.

Observed Activity

  • On 2024-08-12 the static IP was observed using a credential belonging to the remote user to initiate an SMB session with an internal domain controller, where the authentication method NTLM was used
  • A different hostname from the usual hostname associated with this remote user was identified in the NTLM authentication request sent from a device with the static IP address to the domain controller
  • This device does not appear to have been seen on the network prior to this event.

Darktrace, therefore, recognized that this login was likely made by a malicious actor.

Internal Reconnaissance

Darktrace subsequently observed the malicious actor performing a series of reconnaissance activities, including LDAP reconnaissance, device hostname reconnaissance, and port scanning:

  • The affected device made a 53-second-long LDAP connection to another internal domain controller. During this connection, the device obtained data about internal Active Directory (AD) accounts, including the AD account of the remote user
  • The device made HTTP GET requests (e.g., HTTP GET requests with the Target URI ‘/nice ports,/Trinity.txt.bak’), indicative of Nmap usage
  • The device started making reverse DNS lookups for internal IP addresses.
Figure 2: Model alert showing the IP address from which the malicious actor connected and performed network scanning activities via port 9401.
Figure 3: Model Alert Event Log showing the affected device connecting to multiple internal locations via port 9401.

Lateral Movement

The threat actor was also seen making numerous failed NTLM authentication requests using a generic default Windows credential, indicating an attempt to brute force and laterally move through the network. During this activity, Darktrace identified that the device was using a different hostname than the one typically used by the remote employee.

Cyber AI Analyst

In addition to the detection by Darktrace / NETWORK, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the ongoing activity. The investigation was able to correlate the seemingly separate events together into a broader incident, continuously adding new suspicious linked activities as they occurred.

Figure 4: Cyber AI Analyst investigation showing the activity timeline, and the activities associated with the incident.

Upon completing the investigation, Cyber AI Analyst provided the customer with a comprehensive summary of the various attack phases detected by Darktrace and the associated incidents. This clear presentation enabled the customer to gain full visibility into the compromise and understand the activities that constituted the attack.

Figure 5: Cyber AI Analyst displaying the observed attack phases and associated model alerts.

Darktrace Autonomous Response

Despite the sophisticated techniques and social engineering tactics used by the attacker to bypass the customer’s human security team and existing security stack, Darktrace’s AI-driven approach prevented the malicious actor from continuing their activities and causing more harm.

Darktrace’s Autonomous Response technology is able to enforce a pattern of life based on what is ‘normal’ and learned for the environment. If activity is detected that represents a deviation from expected activity from, a model alert is triggered. When Darktrace’s Autonomous Response functionality is configured in autonomous response mode, as was the case with the customer, it swiftly applies response actions to devices and users without the need for a system administrator or security analyst to perform any actions.

In this instance, Darktrace applied a number of mitigative actions on the remote user, containing most of the activity as soon as it was detected:

  • Block all outgoing traffic
  • Enforce pattern of life
  • Block all connections to port 445 (SMB)
  • Block all connections to port 9401
Figure 6: Darktrace’s Autonomous Response actions showing the actions taken in response to the observed activity, including blocking all outgoing traffic or enforcing the pattern of life.

Conclusion

This vishing attack underscores the significant risks remote employees face and the critical need for companies to address vishing threats to prevent network compromises. The remote employee in this instance was deceived by a malicious actor who spoofed the phone number of internal IT Support and convinced the employee to perform approve an MFA request. This sophisticated social engineering tactic allowed the attacker to proxy through the customer’s VPN, making the malicious activity appear legitimate due to the use of static IP addresses.

Despite the stealthy attempts to perform malicious activities on the network, Darktrace’s focus on anomaly detection enabled it to swiftly identify and analyze the suspicious behavior. This led to the prompt determination of the activity as malicious and the subsequent blocking of the malicious actor to prevent further escalation.

While the exact motivation of the threat actor in this case remains unclear, the 2023 cyber-attack on MGM Resorts serves as a stark illustration of the potential consequences of such threats. MGM Resorts experienced significant disruptions and data breaches following a similar vishing attack, resulting in financial and reputational damage [1]. If the attack on the customer had not been detected, they too could have faced sensitive data loss and major business disruptions. This incident underscores the critical importance of robust security measures and vigilant monitoring to protect against sophisticated cyber threats.

Credit to Rajendra Rushanth (Cyber Security Analyst) and Ryan Traill (Threat Content Lead)

Appendices

Darktrace Model Detections

  • Device / Unusual LDAP Bind and Search Activity
  • Device / Attack and Recon Tools
  • Device / Network Range Scan
  • Device / Suspicious SMB Scanning Activity
  • Device / RDP Scan
  • Device / UDP Enumeration
  • Device / Large Number of Model Breaches
  • Device / Network Scan
  • Device / Multiple Lateral Movement Model Breaches (Enhanced Monitoring)
  • Device / Reverse DNS Sweep
  • Device / SMB Session Brute Force (Non-Admin)

List of Indicators of Compromise (IoCs)

IoC - Type – Description

/nice ports,/Trinity.txt.bak - URI – Unusual Nmap Usage

MITRE ATT&CK Mapping

Tactic – ID – Technique

INITIAL ACCESS – T1200 – Hardware Additions

DISCOVERY – T1046 – Network Service Scanning

DISCOVERY – T1482 – Domain Trust Discovery

RECONNAISSANCE – T1590 – IP Addresses

T1590.002 – DNS

T1590.005 – IP Addresses

RECONNAISSANCE – T1592 – Client Configurations

T1592.004 – Client Configurations

RECONNAISSANCE – T1595 – Scanning IP Blocks

T1595.001 – Scanning IP Blocks

T1595.002 – Vulnerability Scanning

References

[1] https://www.bleepingcomputer.com/news/security/securing-helpdesks-from-hackers-what-we-can-learn-from-the-mgm-breach/

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

/

October 3, 2024

/

Cloud

Introducing real-time multi-cloud detection & response powered by AI

Default blog imageDefault blog image

We are delighted to announce the general availability of Microsoft Azure support for Darktrace / CLOUD, enabling real-time cloud detection and response across dynamic multi-cloud environments. Built on Self-Learning AI, Darktrace / CLOUD leverages Microsoft’s new virtual network flow logs (VNet flow) to offer an agentless-first approach that dramatically simplifies detection and response within Azure, unifying cloud-native security with Darktrace’s innovative ActiveAI Security Platform.

As organizations increasingly adopt multi-cloud architectures, the need for advanced, real-time threat detection and response is critical to keep pace with evolving cloud threats. Security teams face significant challenges, including increased complexity, limited visibility, and siloed tools. The dynamic nature of multi-cloud environments introduces ever-changing blind spots, while traditional security tools struggle to provide real-time insights, often offering static snapshots of risk. Additionally, cloud security teams frequently operate in isolation from SOC teams, leading to fragmented visibility and delayed responses. This lack of coordination, especially in hybrid environments, hinders effective threat detection and response. Compounding these challenges, current security solutions are split between agent-based and agentless approaches, with agentless solutions often lacking real-time awareness and agent-based options adding complexity and scalability concerns. Darktrace / CLOUD helps to solve these challenges with real-time detection and response designed specifically for dynamic cloud environments like Azure and AWS.

Pioneering AI-led real-time cloud detection & response

Darktrace has been at the forefront of real-time detection and response for over a decade, continually pushing the boundaries of AI-driven cybersecurity. Our Self-Learning AI uniquely positions Darktrace with the ability to automatically understand and instantly adapt to changing cloud environments. This is critical in today’s landscape, where cloud infrastructures are highly dynamic and ever-changing.  

Built on years of market-leading network visibility, Darktrace / CLOUD understands ‘normal’ for your unique business across clouds and networks to instantly reveal known, unknown, and novel cloud threats with confidence. Darktrace Self-Learning AI continuously monitors activity across cloud assets, containers, and users, and correlates it with detailed identity and network context to rapidly detect malicious activity. Platform-native identity and network monitoring capabilities allow Darktrace / CLOUD to deeply understand normal patterns of life for every user and device, enabling instant, precise and proportionate response to abnormal behavior - without business disruption.

Leveraging platform-native Autonomous Response, AI-driven behavioral containment neutralizes malicious activity with surgical accuracy while preventing disruption to cloud infrastructure or services. As malicious behavior escalates, Darktrace correlates thousands of data points to identify and instantly respond to unusual activity by blocking specific connections and enforcing normal behavior.

Figure 1: AI-driven behavioral containment neutralizes malicious activity with surgical accuracy while preventing disruption to cloud infrastructure or services.

Unparalleled agentless visibility into Azure

As a long-term trusted partner of Microsoft, Darktrace leverages Azure VNet flow logs to provide agentless, high-fidelity visibility into cloud environments, ensuring comprehensive monitoring without disrupting workflows. By integrating seamlessly with Azure, Darktrace / CLOUD continues to push the envelope of innovation in cloud security. Our Self-learning AI not only improves the detection of traditional and novel threats, but also enhances real-time response capabilities and demonstrates our commitment to delivering cutting-edge, AI-powered multi-cloud security solutions.

  • Integration with Microsoft Virtual network flow logs for enhanced visibility
    Darktrace / CLOUD integrates seamlessly with Azure to provide agentless, high-fidelity visibility into cloud environments. VNet flow logs capture critical network traffic data, allowing Darktrace to monitor Azure workloads in real time without disrupting existing workflows. This integration significantly reduces deployment time by 95%1 and cloud security operational costs by up to 80%2 compared to traditional agent-based solutions. Organizations benefit from enhanced visibility across dynamic cloud infrastructures, scaling security measures effortlessly while minimizing blind spots, particularly in ephemeral resources or serverless functions.
  • High-fidelity agentless deployment
    Agentless deployment allows security teams to monitor and secure cloud environments without installing software agents on individual workloads. By using cloud-native APIs like AWS VPC flow logs or Azure VNet flow logs, security teams can quickly deploy and scale security measures across dynamic, multi-cloud environments without the complexity and performance overhead of agents. This approach delivers real-time insights, improving incident detection and response while reducing disruptions. For organizations, agentless visibility simplifies cloud security management, lowers operational costs, and minimizes blind spots, especially in ephemeral resources or serverless functions.
  • Real-time visibility into cloud assets and architectures
    With real-time Cloud Asset Enumeration and Dynamic Architecture Modeling, Darktrace / CLOUD generates up-to-date architecture diagrams, giving SecOps and DevOps teams a unified view of cloud infrastructures. This shared context enhances collaboration and accelerates threat detection and response, especially in complex environments like Kubernetes. Additionally, Cyber AI Analyst automates the investigation process, correlating data across networks, identities, and cloud assets to save security teams valuable time, ensuring continuous protection and efficient cloud migrations.
Figure 2: Real-time visibility into Azure assets and architectures built from network, configuration and identity and access roles.

Unified multi-cloud security at scale

As organizations increasingly adopt multi-cloud strategies, the complexity of managing security across different cloud providers introduces gaps in visibility. Darktrace / CLOUD simplifies this by offering agentless, real-time monitoring across multi-cloud environments. Building on our innovative approach to securing AWS environments, our customers can now take full advantage of robust real-time detection and response capabilities for Azure. Darktrace is one of the first vendors to leverage Microsoft’s virtual network flow logs to provide agentless deployment in Azure, enabling unparalleled visibility without the need for installing agents. In addition, Darktrace / CLOUD offers automated Cloud Security Posture Management (CSPM) that continuously assesses cloud configurations against industry standards.  Security teams can identify and prioritize misconfigurations, vulnerabilities, and policy violations in real-time. These capabilities give security teams a complete, live understanding of their cloud environments and help them focus their limited time and resources where they are needed most.

This approach offers seamless integration into existing workflows, reducing configuration efforts and enabling fast, flexible deployment across cloud environments. By extending its capabilities across multiple clouds, Darktrace / CLOUD ensures that no blind spots are left uncovered, providing holistic, multi-cloud security that scales effortlessly with your cloud infrastructure. diagrams, visualizes cloud assets, and prioritizes risks across cloud environments.

Figure 3: Unified view of AWS and Azure cloud posture and compliance over time.

The future of cloud security: Real-time defense in an unpredictable world

Darktrace / CLOUD’s support for Microsoft Azure, powered by Self-Learning AI and agentless deployment, sets a new standard in multi-cloud security. With real-time detection and autonomous response, organizations can confidently secure their Azure environments, leveraging innovation to stay ahead of the constantly evolving threat landscape. By combining Azure VNet flow logs with Darktrace’s AI-driven platform, we can provide customers with a unified, intelligent solution that transforms how security is managed across the cloud.

Learn More:

References

1. Based on internal research and customer data

2. Based on internal research

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security
Your data. Our AI.
Elevate your network security with Darktrace AI