3 Ways AI Secures OT & ICS from Cyber Attacks

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Jan 2024
09
Jan 2024
Explore the three challenges facing industries that manage OT and ICS Systems, the benefits of adopting AI technology, and Darktrace/OT’s unique role!

What is OT and ICS?

Operational technologies and industrial control systems are the networked technologies used for the automation of physical processes. These are the technologies that allow operators to control processes and retrieve real time process data from a factory, rail system, pipeline, and other industrial processes.  

The role of AI in defending OT/ICS networks  

While largely adopted by industrial organizations, OT is utilized by Critical Infrastructures, these being the industries that directly affect the health, safety, and welfare of the public. As these organizations expand and adopt new networked industrial technologies, they are simultaneously expanding their attack surface.  

With a larger attack surface, more attacks targeting OT/ICS, and focused coordination around cyber security from regulatory authorities, security personnel have increasing workloads that make it difficult to keep pace with threats and vulnerabilities. Defenders are managing growing attack surfaces due to IT and OT convergence. Thus, the adoption of AI technology to protect, detect, respond, and recover from cyber incidents in industrial systems is paramount for keeping critical infrastructure safe.

This blog will explore three challenges facing industries managing OT/ICS, the perceived benefits of adopting AI technology to address these challenges, and Darktrace/OT’s unique role in this process.  

Darktrace also delivers complete AI-powered solutions to defend US federal government customers from cyber disruptions and ensure mission resilience. Learn more about high fidelity detection in Darktrace Federal’s TAC report.

Figure 1: AI statistics from Gartner and Deloitte

Three ways AI helps improves OT/ICS security  

1. Anomaly detection and response

In this heightened security landscape, OT/ICS environments face a spectrum of external cyber threats that demand vigilant defense. From the looming risk of industrial ransomware to the threat of insiders, yet another dimension is added to security challenge, meaning security professionals must be equipped to detect and respond to internal and external threats.  

While threats are eminent from both inside and outside the organization, many organizations rely on Indicator of Compromises (IOCs) for threat detection. By definition, these solutions can only detect network activity they recognize as an indicator of compromise; therefore, often miss insider threats and novel (zero-day) attacks because the tactics, techniques, and procedures (TTPs) and attack toolkits have never been seen in practice.  

Anomaly-based detection is best suited to combat never-before-seen threats and signatureless threats from the inside. However, not all detection methods are equal. Most anomaly-based detection solutions that leverage AI rely on a combination of supervised machine learning, deep learning, and transformers to train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. This data set gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.  

While this method reduces the workload for security teams who would have to input attack data otherwise manually, it runs the same risk of only detecting known threats and has potential privacy concerns when shipping this data externally.  

To improve the quality and speed of anomaly detection, Darktrace/OT uses Self-Learning AI that leverages Bayesian Probabilistic Methodologies, Graph Theory, and Deep Neural Networks to learn your organization from the ground up in real time. By learning your unique organization, Darktrace/OT develops a sophisticated baseline knowledge of your network and assets, identifying abnormal activity that indicates a threat based on your unique network data at machine speed. Because the AI engine is local to the organization and/or assets, concerns of data residency and privacy are reduced, and the result is faster time to detect and triage incidents.  

Leveraging Self-Learning AI, Darktrace/OT uses autonomous response that severs only the anomalous or risky behaviors allowing the assets to continue to operate as normal. Organizations work with Darktrace to customize how they want Darktrace’s autonomous response to be applied. These options vary from on a device- by-device basis, device type by device type, or subnet by subnet basis and can be done completely autonomously or in human confirmation mode. This gives security teams more time to respond to an incident and reduces operational downtime when facing a threat.  

Darktrace leverages a combination of AI methods:

  • Self-Learning AI
  • Bayesian classification probabilistic models  
  • Deep neural networks
  • Transformers
  • Graph theory models
  • Clustering models  
  • Anomaly detection models
  • Generative and applied AI  
  • Natural language processing  
  • Supervised machine learning for investigation process of alerts

2. Vulnerability & Asset Management

At present, managing OT cyber risk is labor and resource intensive. Many organizations use third-party auditors to identify assets and vulnerabilities, grade compliance, and recommend improvements.  

At best, these exercises become tick-box exercises for companies to stay in compliance with little measurable reduction in cyber risk. At worst, asset owners can be left with a mountain of vulnerability information to work through, much of it irrelevant to the security risks Engineering and Operations teams deal with day to day, and increasingly out of date each passing day after the annual or biannual audit has been completed.  

In both cases, organizations are left using a patchwork of point products to address different aspects of preventative OT cyber security, most of which lack wider business context and lead to costly inefficiencies with no real impact to vulnerability or risk exposure.  

Darktrace’s technology helps in three unique ways:

  1. AI populates asset inventories: Self-Learning AI technology listens and learns from network traffic to populate or update asset inventories. It does this not just by identifying simple IPs, mac addresses, and hostnames, it learns from what it sees and automatically classifies or tags specific types of assets with the function that they perform. For example, if a specific device is performing functions like a PLC, sending commands to and from an HMI, it can appropriately tag and label these systems.
  2. AI prioritizes risk: Leveraging Bayesian Probabilistic Methodologies, Graph Theory, and Deep Neural Networks, Darktrace/OT assesses the strategic risks facing your organization in real time. Using knowledge of data points on all your networked assets, data flow topology, your assets vulnerabilities and OSINT, Darktrace identifies and prioritizes high-value assets, potential attack pathways based on an existing vulnerabilities targetability and impact.
  3. AI explains remediation tactics: Many OT devices run 24/7 operations and cannot be taken offline to apply a patch, assuming a patch is even available. Darktrace/OT uses natural language processing to provide and explain prioritized remediation and mitigation associated with a given cyber risk across all MITRE ATT&CK techniques. Thus, where a CVE exists but a patch cannot be applied, a different technical mitigation can be recommended to remove a potential attack path before it can be exploited, preemptively securing vital internal systems and assets.
Figure 2: A critical attack path which starts with the compromise of a PC in the internal IT network, and ends with a PLC in the OT network. Each step is mapped out to the real world TTPs including abuse of SSH sessions and the modifications of ICS programs

3. Simplify compliance and reporting

Organizations, regardless of size or resources, have compliance regulations they need to adhere to. What this creates is an increased workload for security professionals. For smaller organizations, security teams might lack the manpower or resources to report in the short time frame that is required. For large organizations, keeping track of a massive amount of assets proves to be a challenge. Both cases emanate the risk of reporting fatigue where organizations might be hesitant to report incidents due to the complexity and time requirements they demand.  

An AI engine within the Darktrace/OT platform, Cyber AI analyst autonomously investigates incidents, summarize findings in natural language, and provides comprehensive insights into the nature and scope of cyber threats to improve the time it takes to triage and report on incidents. The ability to stitch together and present related security events provides a holistic understanding of the incident, enabling security analysts to identify patterns, assess the scope of potential threats, and prioritize responses effectively.  

Darktrace's detection capabilities identify every stage of an intrusion, from a compromised domain controller to network reconnaissance and privilege escalation. The AI technology is capable of detecting infections across several devices and generating incident reports that piece together disparate events to give a clear security narrative containing details of the attack, bridging the communication gap between IT and OT specialists.  

Post-incident, the technology assists in outlining timelines, discerning compromised data, pinpointing unusual activities, and aiding security teams in proactive threat mitigation.  

With its capabilities, organizations can swiftly understand the attack timeline, affected assets, unauthorized accesses, compromised data points, and malicious interactions, facilitating appropriate communication and action. For example, when Cyber AI Analyst shows an attack path, the security team gains insight on the segmentation or lack thereof between two subnets allowing the security team to appropriately segment the subnets.  

Cyber AI improves critical infrastructure operators’ ability to report major cyber-attacks to regulatory authorities. Considering that 72 hours is the reporting period for most significant incidents — and 24 hours for ransomware payments — Cyber AI Analyst is no longer a nice-to-have but a must-have for critical infrastructure.

Figure 3: The tabs labeled 1-4 denote model breaches, each with a specific action and severity indicated by color dots. Darktrace integrates these breaches, offering the security team a unified view of interconnected security events.  

The right AI for the right challenge

Incident Phase:

Protect

Role of AI:

Cyber risk prioritization

Attack path modelling

Compliance reporting

Darktrace Product:

PREVENT/OT

Incident Phase:

Detect

Role of AI:

Anomaly detection

Triaging and investigating

Darktrace Product:

Cyber AI analyst

DETECT/OT

Incident Phase:

Respond

Role of AI: 

Autonomous response  

Incident reporting

Darktrace Product:

RESPOND/OT

Incident Phase:

Recover

Role of AI:

Incident preparedness

Incident simulations

Darktrace Product:

HEAL

Credit to: Nicole Carignan, VP of Strategic Cyber AI - Kendra Gonzalez Duran, Director of Technology Innovation - & Daniel Simonds, Director of Operational Technology for their contribution to this blog.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Oakley Cox
Director of Product

Oakley is a Product Manager within the Darktrace R&D team. He collaborates with global customers, including all critical infrastructure sectors and Government agencies, to ensure Darktrace/OT remains the first in class solution for OT Cyber Security. He draws on 7 years’ experience as a Cyber Security Consultant to organizations across EMEA, APAC and ANZ. His research into cyber-physical security has been published by Cyber Security journals and by CISA. Oakley has a Doctorate (PhD) from the University of Oxford.

Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage

More in this series

No items found.

Blog

No items found.

How 1.27 Centimeters Opened My Eyes to Continuous Threat and Exposure Management

Default blog imageDefault blog image
23
Jul 2024

Introduction

Fifteen years ago, I never realized that one point twenty-seven centimeters was the difference between keeping my family safe and having an intruder break into our home.

Yet that is exactly what happened. We came home one night and did not know intruders were already in our basement; and the only reason we were alerted to their presence was when they attempted to move to the upper levels after we had gone to sleep, and the main floor motion sensors triggered an alarm.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

The culprit of the successful breach? Screws measuring 1.27 centimeters (that’s a half-inch if you’re not on the metric system yet) that held the glass windows of our basement French doors. Despite having door opening sensors and glass breakage sensors, we missed that the glass panel could be forcefully kicked out – and land – onto the carpeted floor.  No door was opened. No glass was broken (we used to have cats that roamed the basement, so motion sensors were not an option when we first moved in). The screws were not long enough to better secure the framing of the window.

Continuous Threat and Exposure Management

What does this have to do with CTEM, or Continuous Threat and Exposure Management? Well, once our situation changed and our cats were no longer with us; we a) did not reassess our detection capabilities and b) still did not realize we had a vulnerability exposure that could lead to a breach.

I fell into the same trap many organizations fall into where point in time assessments can create a false sense of security. Instead, CTEM offers a cyclical approach to assessing risk that involves five stages:  

Scope: To adopt a CTEM approach, organizations should first identify key business programs. There should be an understanding for each program what the impact to the business would be if something were to occur. An organization can, and most likely will, have multiple scopes defined as part of the CTEM process. For example, your customer relationship management (CRM) project may encompass a Saas solution such as SalesForce, tie-ins with selling partners, supply chain vendors, and multiple user groups (sales, finance, etc.).

Discover: Next, identification of systems, applications, and SaaS subscriptions that support the business program should be accounted for and documented. As you build out risk profiles for these assets, I believe it is also important to identify associated users (end-users, administrators, etc.), especially since user error / account takeover is a favored attack vector.

Prioritization: Proper prioritization is essential to a solid CTEM program. I go into more detail about Risk-Based Vulnerability Management (RBVM) later; but for now, prioritization deals with measuring the potential impact based on factors such as: prevalence of an exploit, lack of controls, program / asset criticality, and available mitigations.

Validation: This stage helps identify if an adversary could launch a successful attack. Red team exercises and breach simulation solutions are often utilized to exercise the organization’s ability to halt an attack before damage is done. Validation should go beyond the initial stage of the attack and explore available methods to reach the adversary’s mission objective.

Mobilization: Identified responses to breach attempts should be categorized into automated or manual processes. Automated response solutions such as Security Orchestration, Automation, and Response (SOAR) can be integral in ensuring actions are taken with appropriate authorization, remediation / response times are rapid, and procedures are executed without human error.

A properly managed CTEM program will help ensure survivability and rapid recovery when an attack occurs as well as minimizing the risk of an attack being successful. This also helps organizations move towards a more proactive security posture.

Implementing a Risk-Based Vulnerability Management Program

Now don’t get me wrong. I thought I had done a pretty good job covering the bases when we first moved in. I walked the alarm company “expert” through every room of the house, and we discussed every possible entry point. I ensured that every avenue of access was covered by two types of sensors. I asked questions about how an intruder was most likely to attempt to gain entry and ensured we had addressed the exposure.

I relied on the expertise of someone that while they worked for an alarm company, was not actually trained and experienced in criminal break-ins. At the end of this paper, I will list the recommendations made by a friend of ours that was a Deputy Chief of Police. Hint: It was eye-opening.

Risk-Based Vulnerability Management (RBVM) is an approach that helps organizations not boil the ocean (try to address every possible vulnerability that may exist) and avoid becoming myopically focused that you miss an attack path that is relevant.

Without expending the entire blog on all the details of CTEM and RBVM, let’s touch on the main components.

Vulnerability Scanning

Vulnerability Scanners can help you identify all the vulnerabilities that exist in your organization but are generally a point in time view. Update systems or applications, change configuration settings, deploy new systems or applications and the scan data may be meaningless – not to mention new vulnerabilities are discovered all the time.

CVE, or Common Vulnerabilities and Exposures, is a compilation of all known vulnerabilities. I emphasize known because adversaries love finding zero-days (and for how I describe zero-days, check out my LinkedIn posting: Race to the Bottom).

CVSS, or Common Vulnerability Scoring System, is a method to define the severity of the vulnerability. Scoring can be determined by things like complexity and skill to utilize the vulnerability, privileges required, what type of attack path is needed, and if user interaction is required to trigger the vulnerability.

CVE and CVSS however, do not address context of the vulnerability in an organization’s environment. A small number of vulnerabilities will account for the most risk in an organization. Remember, adversaries don’t care about risk scores…. If it gets them in, they will use it.

EPSS, or Exploit Prediction Scoring System, estimates whether a vulnerability is likely to be utilized by adversaries and provides an indication of the threat level to the organization.

Another nuance is ensuring you understand how the scanner is gathering and reporting vulnerabilities. One of my favorite questions to ask candidates I’ve interviewed is “How can two scanners interrogate the same system, where nothing changed in the system, both scanners executed flawlessly and knew to scan for the specific vulnerability…. yet one reports vulnerable and the other reports not vulnerable?” I had this occur, and the answer was that one scanner interrogated the running service, and based on how it responded could determine if the vulnerable version was running. The other scanner authenticated into the system and checked patch level installed – but the service/system had not been restarted. The configured state was NOT vulnerable, but the running state WAS vulnerable. This happens a lot after Microsoft Super Tuesday patches go out and users login and think “I’ve got work to do; I will reboot later”.

External Attack Surface Management (EASM)

Simply put, you can have a vulnerability, but if there is no path to exploiting the vulnerability, then the risk should be lowered. Even a high severity vulnerability is not a risk if it cannot be exploited, whereas a low-risk vulnerability (like 1.27cm screws) can provide a path to success for the adversary. EASM solutions were built to provide that context: Vulnerability + Exposure. BTW – I would not neglect Internal Attack Surface Management for potential Insider Threat risks.

Breach and Attack Simulation (BAS)

YARN | On my mark, rotate launch keys to "launch." | WarGames | Video gifs  by quotes | 24d1705c | 紗

It’s one thing to list vulnerabilities, another thing to say there are exposed systems with those vulnerabilities that could lead to an attack. But executing an attack simulation that shows you what the potential outcome(s) are if an attack occurred? This is what BAS solutions were built to assist with, and not only show attack paths ripe for exploitation, but also exercise SOC / IR teams in nearly real-world situations. Table-top exercises are good for verifying processes, but live-fire exercises are imperative to ensure your teams respond quickly and precisely when the real deal occurs (don’t make me whip out the beginning of Wargames on you, I’ve already used that movie twice before!).  

Risk-Based Context

I’ve often wondered why it’s 2024, I’ve been doing this for 30+ years, and breaches are still inevitable and security teams still struggle with many of the same issues they faced when I first got into this career.

I believe not addressing an RBVM approach could be one of those reasons. It’s not a priority if you have a vulnerability on a system that is not exposed for exploitation. It’s not a priority if a vulnerability has been mitigated by other compensating controls. Focusing solely on vulnerability scoring without regard to whether the vulnerability poses a real and credible threat to your organization diverts focus away from vulnerabilities that matter (this is the same mantra you will hear me evangelizing around SOCs expending time on alerts that do not matter).

When assessing context, I think of it in the following manner:

How Can Darktrace Help with your CTEM?

The Darktrace ActiveAI Security Platform is designed with CTEM in mind. Using patented AI capabilities at its core, components of the platform work in harmony to provide actionable intelligence to risks facing the organization.

PREVENT/ASM utilizes AI to help understand scope and what makes externally facing assets yours while providing associated risks and trends on the risk types identified. These findings are communicated to DETECT and RESPOND to harden critical paths.

Prevent/End-to-End (E2E) delivers attack path modeling for discovery and prioritization of high-value targets across all assets in your program’s scope, providing continuous visibility into relevant risks the organization faces.  E2E also utilizes AI-generated social engineering generated content for Breach & Attack Emulation scenarios involving Phishing / Spear-Phishing attack vectors.

Darktrace threat detection and autonomous response utilizes unsupervised machine learning at its core to identify anomalous activity, and if malicious events are occurring, enforce Pattern of Life allowing business operations to continue while stopping the breach from progressing.  This provides unprecedented speed of response to emerging threats.

So, ensure you’re addressing vulnerabilities in the proper context, because you never know when 1.27cm will ruin your day.

Appendix A: Deter Burglars from Breaking into Your Home

Another question I have asked candidates centers around what security controls they would implement to keep an advanced adversary away from a highly classified project; and shockingly, very few would mention any physical security controls or use of air-gapped networks. So, as promised, here are some recommendations from our Deputy Chief of Police friend on better securing your home, because we must protect ourselves, our information on our home and work computers, especially for remote staff:

32 in. x 80 in. Rustic Knotty Alder 2-Panel Square Top Left-Hand/Inswing  Grey Stain Wood Prehung Front Door
  1. Solid (no glass) doors that open outward for rear / side entryways – a kicked door will press against the framing providing stability. Hinges should not be exposed to the outside.  

STASUN LED Flood Light Outdoor, 150W 15000lm Outdoor Area Lighting, IP66  Waterproof Exterior Floodlight Commercial Security Light, 3000K Warm White,  3 ...
  1. Motion activated exterior flood lights – illumination is the enemy of thieves.  

Mortise Lock Set Screws (2 Screws Per Pack)
  1. Replace door hardware lockset screws with minimum 4-inch (that’s 10.16 centimeters) screws on all doors including interior ones – this should ensure screws firmly attach to trimmer and king studs in door frame and will add additional valuable seconds for the intruder to break through

home security Memes & GIFs - Imgflip
Dog Food Bowl
  1. Get a dog – a big dog. (I’ve amended this to include putting out fake dog bowls to make it look like you have a big dog!)  

SPT Interior/Exterior Simulated Security Camera
  1. Exterior video cameras – record and alert on activity around the house
LARSON Platinum Secure Glass Full-view Aluminum Storm Door With Quickfit  Handle | Retractable Screen Door Lowes | universoprofesional.com
  1. Tempered Safety Glass Storm Doors – whack at it for hours with a baseball bat and they still can’t get in
Should You Install Fake Home Security Yard Signs? – Forbes Home
  1. Alarm system warning signs for windows and doors
LG Electronics Recalls Free-Standing 86-Inch Smart Televisions and Stands  Due to Serious Tip-Over and Entrapment Hazards (Recall Alert) | CPSC.gov
  1. Pictures of valuables along with serial numbers (this won’t stop a break-in but could help in recovery of stolen items).

  1. Finally, an alarm system combining motion sensors with door/window sensors.
Continue reading
About the author
John Bradshaw
Sr. Director, Technical Marketing

Blog

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
18
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1.     https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2.     https://flashpoint.io/blog/evolution-stealer-malware/

3.     https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4.     https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5.     https://www.virustotal.com/gui/ip-address/146.70.71.135

6.     https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7.     https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8.     https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9.     https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

146.70.71[.]135

IP Address

Jupyter info-stealer C2 Endpoint

91.206.178[.]109

IP Address

Jupyter info-stealer C2 Endpoint

146.70.92[.]153

IP Address

Jupyter info-stealer C2 Endpoint

2.58.14[.]246

IP Address

Jupyter info-stealer C2 Endpoint

78.135.73[.]176

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]105

IP Address

Jupyter info-stealer C2 Endpoint

185.243.115[.]88

IP Address

Jupyter info-stealer C2 Endpoint

146.70.80[.]66

IP Address

Jupyter info-stealer C2 Endpoint

23.29.115[.]186

IP Address

Jupyter info-stealer C2 Endpoint

67.43.235[.]218

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]85

IP Address

Jupyter info-stealer C2 Endpoint

193.29.104[.]25

IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.