Blog

Inside the SOC

Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Security Platform

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
28
May 2024
28
May 2024
This blog delves into Darktrace’s investigation into the exploitation of the Citrix Bleed vulnerability on the network of a customer in late 2023. Darktrace’s Self-Learning AI ensured the customer was well equipped to track the post-compromise activity and identify affected devices.

What is Citrix Bleed?

Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed. Citrix Bleed, also known as CVE-2023-4966, remained undiscovered and even unpatched for several months, resulting in a wide range of security incidents across business and government sectors [1].

How does Citrix Bleed vulnerability work?

The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.

When used as a means of initial network access, the vulnerability has resulted in the exfiltration of sensitive data, as in the case of Xfinity, and even the deployment of ransomware variants including Lockbit [2]. Although Citrix has released a patch to address the vulnerability, slow patching procedures and the widespread use of these products has resulted in the continuing exploitation of Citrix Bleed into 2024 [3].

How Does Darktrace Handle Citrix Bleed?

Darktrace has demonstrated its proficiency in handling the exploitation of Citrix Bleed since it was disclosed back in 2023; its anomaly-based approach allows it to efficiently identify and inhibit post-exploitation activity as soon as it surfaces.  Rather than relying upon traditional rules and signatures, Darktrace’s Self-Learning AI enables it to understand the subtle deviations in a device’s behavior that would indicate an emerging compromise, thus allowing it to detect anomalous activity related to the exploitation of Citrix Bleed.

In late 2023, Darktrace identified an instance of Citrix Bleed exploitation on a customer network. As this customer had subscribed to the Proactive Threat Notification (PTN) service, the suspicious network activity surrounding the compromise was escalated to Darktrace’s Security Operation Center (SOC) for triage and investigation by Darktrace Analysts, who then alerted the customer’s security team to the incident.

Darktrace’s Coverage

Initial Access and Beaconing of Citrix Bleed

Darktrace’s initial detection of indicators of compromise (IoCs) associated with the exploitation of Citrix Bleed actually came a few days prior to the SOC alert, with unusual external connectivity observed from a critical server. The suspicious connection in question, a SSH connection to the rare external IP 168.100.9[.]137, lasted several hours and utilized the Windows PuTTY client. Darktrace also identified an additional suspicious IP, namely 45.134.26[.]2, attempting to contact the server. Both rare endpoints had been linked with the exploitation of the Citrix Bleed vulnerability by multiple open-source intelligence (OSINT) vendors [4] [5].

Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.
Figure 1: Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.

As Darktrace is designed to identify network-level anomalies, rather than monitor edge infrastructure, the initial exploitation via the typical HTTP buffer overflow associated with this vulnerability fell outside the scope of Darktrace’s visibility. However, the aforementioned suspicious connectivity likely constituted initial access and beaconing activity following the successful exploitation of Citrix Bleed.

Command and Control (C2) and Payload Download

Around the same time, Darktrace also detected other devices on the customer’s network conducting external connectivity to various endpoints associated with remote management and IT services, including Action1, ScreenConnect and Fixme IT. Additionally, Darktrace observed devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory. While this tool is typically used for auditing and inventory management purposes, it could also be leveraged by attackers for the purpose of lateral movement.

Defense Evasion

In the days surrounding this compromise, Darktrace observed multiple devices engaging in potential defense evasion tactics using the ScreenConnect and Fixme IT services. Although ScreenConnect is a legitimate remote management tool, it has also been used by threat actors to carry out C2 communication [6]. ScreenConnect itself was the subject of a separate critical vulnerability which Darktrace investigated in early 2024. Meanwhile, CISA observed that domains associated with Fixme It (“fixme[.]it”) have been used by threat actors attempting to exploit the Citrix Bleed vulnerability [7].

Reconnaissance and Lateral Movement

A few days after the detection of the initial beaconing communication, Darktrace identified several devices on the customer’s network carrying out reconnaissance and lateral movement activity. This included SMB writes of “PSEXESVC.exe”, network scanning, DCE-RPC binds of numerous internal devices to IPC$ shares and the transfer of compromise-related tools. It was at this point that Darktrace’s Self-Learning AI deemed the activity to be likely indicative of an ongoing compromise and several Enhanced Monitoring models alerted, triggering the aforementioned PTNs and investigation by Darktrace’s SOC.

Darktrace observed a server on the network initiating a wide range of connections to more than 600 internal IPs across several critical ports, suggesting port scanning, as well as conducting unexpected DCE-RPC service control (svcctl) activity on multiple internal devices, amongst them domain controllers. Additionally, several binds to server service (srvsvc) and security account manager (samr) endpoints via IPC$ shares on destination devices were detected, indicating further reconnaissance activity. The querying of these endpoints was also observed through RPC commands to enumerate services running on the device, as well as Security Account Manager (SAM) accounts.  

Darktrace also identified devices performing SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration. Further SMB file writes were observed around this time including PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution, and one device was observed making widespread failed NTLM authentication attempts on the network, indicating NTLM brute-forcing. Darktrace observed several devices using administrative credentials to carry out the above activity.

In addition to the transfer of tools and executables via SMB, Darktrace also identified numerous devices deleting files through SMB around this time. In one example, an MSI file associated with the patch management and remediation service, Action1, was deleted by an attacker. This legitimate security tool, if leveraged by attackers, could be used to uncover additional vulnerabilities on target networks.

A server on the customer’s network was also observed writing the file “m.exe” to multiple internal devices. OSINT investigation into the executable indicated that it could be a malicious tool used to prevent antivirus programs from launching or running on a network [8].

Impact and Data Exfiltration

Following the initial steps of the breach chain, Darktrace observed numerous devices on the customer’s network engaging in data exfiltration and impact events, resulting in additional PTN alerts and a SOC investigation into data egress. Specifically, two servers on the network proceeded to read and download large volumes of data via SMB from multiple internal devices over the course of a few hours. These hosts sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443. Darktrace also identified the use of additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io. In total the threat actor exfiltrated over 8.5 GB of data from the customer’s network.

Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.
Figure 2: Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.

Finally, Darktrace detected a user account within the customer’s Software-as-a-Service (SaaS) environment conducting several suspicious Office365 and AzureAD actions from a rare IP for the network, including uncommon file reads, creations and the deletion of a large number of files.

Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network and the post-exploitation activity was able to progress until the customer was made aware of the attack by Darktrace’s SOC team. Had RESPOND been active and configured in autonomous response mode at the time of the attack, it would have been able to promptly contain the post-exploitation activity by blocking external connections, shutting down any C2 activity and preventing the download of suspicious files, blocking incoming traffic, and enforcing a learned ‘pattern of life’ on offending devices.

Conclusion

Given the widespread use of Netscaler Gateway and Netscaler ADC, Citrix Bleed remains an impactful and potentially disruptive vulnerability that will likely continue to affect organizations who fail to address affected assets. In this instance, Darktrace demonstrated its ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, enabling the customer to identify affected devices and enact their own remediation.

Darktrace’s anomaly-based approach to threat detection allows it to identify such post-exploitation activity resulting from the exploitation of a vulnerability, regardless of whether it is a known CVE or a zero-day threat. Unlike traditional security tools that rely on existing threat intelligence and rules and signatures, Darktrace’s ability to identify the subtle deviations in a compromised device’s behavior gives it a unique advantage when it comes to identifying emerging threats.

Credit to Vivek Rajan, Cyber Analyst, Adam Potter, Cyber Analyst

Appendices

Darktrace Model Coverage

Device / Suspicious SMB Scanning Activity

Device / ICMP Address Scan

Device / Possible SMB/NTLM Reconnaissance

Device / Network Scan

Device / SMB Lateral Movement

Device / Possible SMB/NTLM Brute Force

Device / Suspicious Network Scan Activity

User / New Admin Credentials on Server

Anomalous File / Internal::Unusual Internal EXE File Transfer

Compliance / SMB Drive Write

Device / New or Unusual Remote Command Execution

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Unusual Admin SMB Session

Device / Unauthorised Device

User / New Admin Credentials on Server

Anomalous Server Activity / Outgoing from Server

Device / Long Agent Connection to New Endpoint

Anomalous Connection / Multiple Connections to New External TCP Port

Device / New or Uncommon SMB Named Pipe

Device / Multiple Lateral Movement Model Breaches

Device / Large Number of Model Breaches

Compliance / Remote Management Tool On Server

Device / Anomalous RDP Followed By Multiple Model Breaches

Device / SMB Session Brute Force (Admin)

Device / New User Agent

Compromise / Large Number of Suspicious Failed Connections

Unusual Activity / Unusual External Data Transfer

Unusual Activity / Enhanced Unusual External Data Transfer

Device / Increased External Connectivity

Unusual Activity / Unusual External Data to New Endpoints

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Compliance / Possible Unencrypted Password File On Server

Anomalous Connection / Suspicious Read Write Ratio and Rare External

Device / Reverse DNS Sweep]

Unusual Activity / Possible RPC Recon Activity

Anomalous File / Internal::Executable Uploaded to DC

Compliance / SMB Version 1 Usage

Darktrace AI Analyst Incidents

Scanning of Multiple Devices

Suspicious Remote Service Control Activity

SMB Writes of Suspicious Files to Multiple Devices

Possible SSL Command and Control to Multiple Devices

Extensive Suspicious DCE-RPC Activity

Suspicious DCE-RPC Activity

Internal Downloads and External Uploads

Unusual External Data Transfer

Unusual External Data Transfer to Multiple Related Endpoints

MITRE ATT&CK Mapping

Technique – Tactic – ID – Sub technique of

Network Scanning – Reconnaissance - T1595 - T1595.002

Valid Accounts – Defense Evasion, Persistence, Privilege Escalation, Initial Access – T1078 – N/A

Remote Access Software – Command and Control – T1219 – N/A

Lateral Tool Transfer – Lateral Movement – T1570 – N/A

Data Transfers – Exfiltration – T1567 – T1567.002

Compressed Data – Exfiltration – T1030 – N/A

NTLM Brute Force – Brute Force – T1110 - T1110.001

AntiVirus Deflection – T1553 - NA

Ingress Tool Transfer   - COMMAND AND CONTROL - T1105 - NA

Indicators of Compromise (IoCs)

204.155.149[.]37 – IP – Possible Malicious Endpoint

199.80.53[.]177 – IP – Possible Malicious Endpoint

168.100.9[.]137 – IP – Malicious Endpoint

45.134.26[.]2 – IP – Malicious Endpoint

13.35.147[.]18 – IP – Likely Malicious Endpoint

13.248.193[.]251 – IP – Possible Malicious Endpoint

76.223.1[.]166 – IP – Possible Malicious Endpoint

179.60.147[.]10 – IP – Likely Malicious Endpoint

185.220.101[.]25 – IP – Likely Malicious Endpoint

141.255.167[.]250 – IP – Malicious Endpoint

106.71.177[.]68 – IP – Possible Malicious Endpoint

cat2.hbwrapper[.]com – Hostname – Likely Malicious Endpoint

aj1090[.]online – Hostname – Likely Malicious Endpoint

dc535[.]4sync[.]com – Hostname – Likely Malicious Endpoint

204.155.149[.]140 – IP - Likely Malicious Endpoint

204.155.149[.]132 – IP - Likely Malicious Endpoint

204.155.145[.]52 – IP - Likely Malicious Endpoint

204.155.145[.]49 – IP - Likely Malicious Endpoint

References

  1. https://www.axios.com/2024/01/02/citrix-bleed-security-hacks-impact
  2. https://www.csoonline.com/article/1267774/hackers-steal-data-from-millions-of-xfinity-customers-via-citrix-bleed-vulnerability.html
  3. https://www.cybersecuritydive.com/news/citrixbleed-security-critical-vulnerability/702505/
  4. https://www.virustotal.com/gui/ip-address/168.100.9.137
  5. https://www.virustotal.com/gui/ip-address/45.134.26.2
  6. https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
  7. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
  8. https://www.file.net/process/m.exe.html
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Vivek Rajan
Cyber Analyst
Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage

More in this series

No items found.

Blog

No items found.

Darktrace: Microsoft UK Partner of the Year 2024

Default blog imageDefault blog image
27
Jun 2024

Darktrace has been named as Microsoft UK Partner of the Year for 2024!    
The Microsoft Partner Awards recognize winners for their commitment to customers, impact of solutions, and exemplary use of Microsoft technologies.  

Whilst the award was granted based on our innovations combining Darktrace/Email and Microsoft Defender for Office 365, our shared values go beyond technology. Darktrace stood out for the integration of our products to deliver exceptional security value to customers, as well as our investment in partnerships, marketplace and go to market. Microsoft was also impressed with our strong commitment to diversity and inclusion and our broader contribution to both the UK economy and the UK tech sector.

Microsoft Defender for Office 365 + Darktrace/Email leave attackers nowhere to hide

The email threat landscape is constantly evolving. Attacks are becoming more sophisticated, more targeted and increasing in multi-stage payload attacks. Across the Darktrace customer base in 2023 alone, we have seen a 135% increase in ‘novel social engineering attacks’, corresponding with the rise of ChatGPT, 45% of phishing emails were identified as spear phishing attempts and a 59% increase in multi-stage payload attacks.  

Legacy defenses were built to address a high volume of unsophisticated attacks, but generative AI has shifted the threats towards lower quantity yet very sophisticated, high impact targeted attacks. Microsoft Defender for Office 365’s rapid innovation has outpaced the Secure Email Gateway’s rule and signature based historical data approach. Customers no longer need email gateways which duplicate workflows and add expense native to their Defender for O365 solution.    

Point email solutions overlap with Microsoft in 3 key areas: detection approach, workflows, capabilities  

  • Detection - Microsoft receives trillions threat signals daily, giving customers the broadest scope of the attack landscape. Darktrace combined with Microsoft unites business and attack centric approaches
  • Workflows – any Microsoft configurations are reflected automatically in Darktrace/Email. Users can keep daily workflow in Microsoft, while a traditional SEG requires duplicated workflows  
  • Capabilities – Microsoft handles foundational elements like archiving/encryption/signature matching while Darktrace handles advanced threat security

Darktrace/Email is built to elevate, not duplicate, Microsoft email security – removing the burden of operating legacy point solutions and blocking 25% more threats. Robust account takeover protections to stop the 38% of sophisticated threats other tools miss. Customers can seamlessly correlate activity and insights across Microsoft email, DMARC and Teams to stop threats on average 13 days earlier.  

Azure Marketplace

Microsoft Azure customers can access Darktrace in the Azure Marketplace to take advantage of the scalability, reliability, and agility of Azure to drive rapid IT operations and security integrations across the enterprise. Customers can leverage their Microsoft Azure Consumption Commitments (MACC), making procurement simple.

As UK Partner of the Year winner, customers know they have a trusted partner with Darktrace and a proven solution to work seamlessly with Azure.

Continue reading
About the author
Francesca Bowen
Global Vice President, Cloud GTM

Blog

Inside the SOC

Following up on our Conversation: Detecting & Containing a LinkedIn Phishing Attack with Darktrace

Default blog imageDefault blog image
25
Jun 2024

Note: Real organization, domain and user names have been modified and replaced with fictitious names to maintain anonymity.  

Social media cyber-attacks

Social media is a known breeding ground for cyber criminals to easily connect with a near limitless number of people and leverage the wealth of personal information shared on these platforms to defraud the general public.  Analysis suggests even the most tech savvy ‘digital natives’ are vulnerable to impersonation scams over social media, as criminals weaponize brands and trends, using the promise of greater returns to induce sensitive information sharing or fraudulent payments [1].

LinkedIn phishing

As the usage of a particular social media platform increases, cyber criminals will find ways to exploit the increasing user base, and this trend has been observed with the rise in LinkedIn scams in recent years [2].  LinkedIn is the dominant professional networking site, with a forecasted 84.1million users by 2027 [3].  This platform is data-driven, so users are encouraged to share information publicly, including personal life updates, to boost visibility and increase job prospects [4] [5].  While this helps legitimate recruiters to gain a good understanding of the user, an attacker could also leverage the same personal content to increase the sophistication and success of their social engineering attempts.  

Darktrace detection of LinkedIn phishing

Darktrace detected a Software-as-a-Service (SaaS) compromise affecting a construction company, where the attack vector originated from LinkedIn (outside the monitoring of corporate security tools), but then pivoted to corporate email where a credential harvesting payload was delivered, providing the attacker with credentials to access a corporate file storage platform.  

Because LinkedIn accounts are typically linked to an individual’s personal email and are most commonly accessed via the mobile application [6] on personal devices that are not monitored by security teams, it can represent an effective initial access point for attackers looking to establish an initial relationship with their target. Moreover, user behaviors to ignore unsolicited emails from new or unknown contacts are less frequently carried over to platforms like LinkedIn, where interactions with ‘weak ties’ as opposed to ‘strong ties’ are a better predictor of job mobility [7]. Had this attack been allowed to continue, the threat actor could have leveraged access to further information from the compromised business cloud account to compromise other high value accounts, exfiltrate sensitive data, or defraud the organization.

LinkedIn phishing attack details

Reconnaissance

The initial reconnaissance and social engineering occurred on LinkedIn and was thus outside the purview of corporate security tools, Darktrace included.

However, the email domain “hausconstruction[.]com” used by the attacker in subsequent communications appears to be a spoofed domain impersonating a legitimate construction company “haus[.]com”, suggesting the attacker may have also impersonated an employee of this construction company on LinkedIn.  In addition to spoofing the domain, the attacker seemingly went further to register “hausconstruction.com” on a commercial web hosting platform.  This is a technique used frequently not just to increase apparent legitimacy, but also to bypass traditional security tools since newly registered domains will have no prior threat intelligence, making them more likely to evade signature and rules-based detections [8].  In this instance, open-source intelligence (OSINT) sources report that the domain was created several months earlier, suggesting this may have been part of a targeted attack on construction companies.  

Initial Intrusion

It was likely that during the correspondence over LinkedIn, the target user was solicited into following up over email regarding a prospective construction project, using their corporate email account.  In a probable attempt to establish a precedent of bi-directional correspondence so that subsequent malicious emails would not be flagged by traditional security tools, the attacker did not initially include suspicious links, attachments or use solicitous or inducive language within their initial emails.

Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Figure 1: Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.
Figure 2: Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.  

To accomplish the next stage of their attack, the attacker shared a link, hidden behind the inducing text “VIEW ALL FILES”, to a malicious file using the Hightail cloud storage service. This is also a common method employed by attackers to evade detection, as this method of file sharing does not involve attachments that can be scanned by traditional security tools, and legitimate cloud storage services are less likely to be blocked.

OSINT analysis on the malicious link link shows the file hosted on Hightail was a HTML file with the associated message “Following up on our LinkedIn conversation”.  Further analysis suggests the file contained obfuscated Javascript that, once opened, would automatically redirect the user to a malicious domain impersonating a legitimate Microsoft login page for credential harvesting purposes.  

The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Figure 3: The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Screenshot of fraudulent Microsoft Sign In page hosted on the malicous credential harvesting domain.
Figure 4: Screenshot of fraudulent Microsoft Sign In page hosted on the malicious credential harvesting domain.

Although there was prior email correspondence with the attacker, this email was not automatically deemed safe by Darktrace and was further analyzed for unusual properties and unusual communications for the recipient and the recipient’s peer group.  

Darktrace determined that:

  • It was unusual for this file storage solution to be referenced in communications to the user and the wider network
  • Textual properties of the email body suggested a high level of inducement from the sender, with a high level of focus on the phishing link.
  • The full link contained suspicious properties suggesting it is high risk.
Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.
Figure 5: Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.  

Based on these anomalies, Darktrace initially moved the phishing email to the junk folder and locked the link, preventing the user from directly accessing the malicious file hosted on Hightail.  However, the customer’s security team released the email, likely upon end-user request, allowing the target user to access the file and ultimately enter their credentials into that credential harvesting domain.

Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.
Figure 6: Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.

Lateral Movement

Correspondence between the attacker and target continued for two days after the credential harvesting payload was delivered.  Five days later, Darktrace detected an unusual login using multi-factor authentication (MFA) from a rare external IP and ASN that coincided with Darktrace/Email logs showing access to the credential harvesting link.

This attempt to bypass MFA, known as an Office365 Shell WCSS attack, was likely achieved by inducing the target to enter their credentials and legitimate MFA token into the fake Microsoft login page. This was then relayed to Microsoft by the attacker and used to obtain a legitimate session. The attacker then reused the legitimate token to log into Exchange Online from a different IP and registered the compromised device for MFA.

Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Figure 7: Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked.  Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge.
Figure 8: Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked.  Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge. Highlighted in orange and red is the malicious activity using Chrome.

The IP addresses used by the attacker appear to be part of anonymization infrastructure, but are not associated with any known indicators of compromise (IoCs) that signature-based detections would identify [9] [10].

In addition to  logins being observed within half an hour of each other from multiple geographically impossible locations (San Francisco and Phoenix), the unexpected usage of Chrome browser, compared to Edge browser previously used, provided Darktrace with further evidence that this activity was unlikely to originate from the legitimate user.  Although the user was a salesperson who frequently travelled for their role, Darktrace’s Self-Learning AI understood that the multiple logins from these locations was highly unusual at the user and group level, and coupled with the subsequent unexpected account modification, was a likely indicator of account compromise.  

Accomplish mission

Although the email had been manually released by the security team, allowing the attack to propagate, additional layers of defense were triggered as Darktrace's Autonomous Response initiated “Disable User” actions upon detection of the multiple unusual logins and the unauthorized registration of security information.  

However, the customer had configured Autonomous Response to require human confirmation, therefore no actions were taken until the security team manually approved them over two hours later. In that time, access to mail items and other SharePoint files from the unusual IP address was detected, suggesting a potential loss of confidentiality to business data.

Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome.  Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.
Figure 9: Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome.  Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.

However, it appears that the attacker was able to maintain access to the compromised account, as login and mail access events from 199.231.85[.]153 continued to be observed until the afternoon of the next day.  

Conclusion

This incident demonstrates the necessity of AI to security teams, with Darktrace’s ActiveAI Security Platform detecting a sophisticated phishing attack where human judgement fell short and initiated a real-time response when security teams could not physically respond as fast.  

Security teams are very familiar with social engineering and impersonation attempts, but these attacks remain highly prevalent due to the widespread adoption of technologies that enable these techniques to be deployed with great sophistication and ease.  In particular, the popularity of information-rich platforms like LinkedIn that are geared towards connecting with unknown people make it an attractive initial access point for malicious attackers.

In the second half of 2023 alone, over 200 thousand fake profiles were reported by members on LinkedIn [11].  Fake profiles can be highly sophisticated, use professional images, contain compelling descriptions, reference legitimate company listings and present believable credentials.  

It is unrealistic to expect end users to defend themselves against such sophisticated impersonation attempts. Moreover, it is extremely difficult for human defenders to recognize every fraudulent interaction amidst a sea of fake profiles. Instead, defenders should leverage AI, which can conduct autonomous investigations without human biases and limitations. AI-driven security can ensure successful detection of fraudulent or malicious activity by learning what real users and devices look like and identifying deviations from their learned behaviors that may indicate an emerging threat.

Appendices

Darktrace Model Detections

DETECT/ Apps

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and Account Update

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compliance / M365 Security Information Modified

RESPOND/ Apps

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Unusual Activity Block

DETECT & RESPOND/ Email

·      Link / High Risk Link + Low Sender Association

·      Link / New Correspondent Classified Link

·      Link / Watched Link Type

·      Antigena Anomaly

·      Association / Unknown Sender

·      History / New Sender

·      Link / Link to File Storage

·      Link / Link to File Storage + Unknown Sender

·      Link / Low Link Association

List of IoCs

·      142.252.106[.]251 - IP            - Possible malicious IP used by attacker during cloud account compromise

·      199.231.85[.]153 – IP - Probable malicious IP used by attacker during cloud account compromise

·      vukoqo.hebakyon[.]com – Endpoint - Credential harvesting endpoint

MITRE ATT&CK Mapping

·      Resource Development - T1586 - Compromise Accounts

·      Resource Development - T1598.003 – Spearphishing Link

·      Persistence - T1078.004 - Cloud Accounts

·      Persistence - T1556.006 - Modify Authentication Process: Multi-Factor Authentication

·      Reconnaissance - T1593.001 – Social Media

·      Reconnaissance - T1598 – Phishing for Information

·      Reconnaissance - T1589.001 – Credentials

·      Reconnaissance - T1591.002 – Business Relationships

·      Collection - T1111 – Multifactor Authentication Interception

·      Collection - T1539 – Steal Web Session Cookie

·      Lateral Movement - T1021.007 – Cloud Services

·      Lateral Movement - T1213.002 - Sharepoint

References

[1] Jessica Barker, Hacked: The secrets behind cyber attacks, (London: Kogan Page, 2024), p. 130-146.

[2] https://www.bitdefender.co.uk/blog/hotforsecurity/5-linkedin-scams-and-how-to-avoid-them/

[3] https://www.washingtonpost.com/technology/2023/08/31/linkedin-personal-posts/

[4] https://www.forbes.com/sites/joshbersin/2012/05/21/facebook-vs-linkedin-whats-the-difference/

[5] https://thelinkedblog.com/2022/3-reasons-why-you-should-make-your-profile-public-1248/

[6] https://www.linkedin.com/pulse/50-linkedin-statistics-every-professional-should-ti9ue

[7] https://www.nytimes.com/2022/09/24/business/linkedin-social-experiments.html

[8] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

[9] https://spur.us/context/142.252.106[.]251

[10] https://spur.us/context/199.231.85[.]153

[11]https://www.statista.com/statistics/1328849/linkedin-number-of-fake-accounts-detected-and-removed

Continue reading
About the author
Nicole Wong
Cyber Security Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.