Read more about Darktrace's machine-learning technology which can effortlessly identify anomalous behavioral patterns from ransomware like WannaCry.
Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.
Some background on the WannaCry campaign
The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploit kits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways in which to prevent extensive damage.
Leveraging Darktrace, these kind of infections are not hard to detect: WannaCry and other ransomware cause highly anomalous behavioral patterns that our machine-learning technology is ideally placed to recognize.
To demonstrate, let’s take a walk-through of how Darktrace was able to detect the WannaCry attack on a client. Note that device names have been obfuscated for security purposes.
Following the initial compromise, Darktrace detected unusual activity originating from an infected device, as it scanned the network in an attempt to locate other devices open to SMB connections:
Example of an internal scan.
The worm was scanning the network to locate devices with the DoublePulsar backdoor already present, through which the WannaCry ransomware can be dropped. If this backdoor was not found to be present, the worm used an exploit known as EternalBlue to infect the device, installing both WannaCry and the DoublePulsar backdoor.
This installation of the worm on vulnerable devices allowed it to continue to spread laterally inside the network.
Simultaneously, infected devices scanned random external IPs on port 445 (SMB), to continue spreading the worm to other devices on the internet:
Internal devices scanning external destinations.
As soon as infected devices started scanning both inside and outside network, Darktrace detected these activities as serious deviations in the devices’ usual pattern of life:
External and internal connections by one of the network devices 48 hours either side of the WannaCry campaign. Every orange dot represents a model breach.
For many of these devices, the deviation from typical pattern of life was such that it took Darktrace one second to detect anomalous behavior:
As this unusual activity persisted in the network, the confidence of Darktrace’s machine learning increased and attributed higher scores to these anomalous events:
These high scores caused Darktrace models to breach in real time, alerting the customer to the severity of the unusual connections occurring inside their network:
In these recent cyber-attacks, the level of disruption was attributed to the speed with which this infection was able to spread like wildfire through networks. Unlike more common forms of malware, which rely on human-mediated methods such as phishing to co-opt people into triggering the payload, this type of attack uses a worm to move from machine to machine without human intervention. Fortunately, it is precisely this – a dramatic change in internal activity – which has allowed us to effectively fight back.
Darktrace Antigena acts automatically to neutralise in-progress attacks, taking targeted action against deviations in the expected ‘pattern of life’. This allows organisations to react before humans have even become aware of a breach. So it follows that the extent of deviation produced by an attack is fundamentally linked to the ability of a self-aware network to protect itself.
The potential gravity of this situation has proven that infections traveling at machine speed require an equivalent response time – only possible with machine-learning technology – in order to stop and contain future threats.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Stay ahead of threats with the Darktrace blog newsletter
Get the latest insights from the cybersecurity landscape, including threat trends, incident analysis, and the latest Darktrace product developments – delivered directly to your inbox, monthly.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Andrew Tsonchev
VP of Technology
Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.
From Call to Compromise: Darktrace’s Response to a Vishing-Induced Network Attack
What is vishing?
Vishing, or voice phishing, is a type of cyber-attack that utilizes telephone devices to deceive targets. Threat actors typically use social engineering tactics to convince targets that they can be trusted, for example, by masquerading as a family member, their bank, or trusted a government entity. One method frequently used by vishing actors is to intimidate their targets, convincing them that they may face monetary fines or jail time if they do not provide sensitive information.
What makes vishing attacks dangerous to organizations?
Vishing attacks utilize social engineering tactics that exploit human psychology and emotion. Threat actors often impersonate trusted entities and can make it appear as though a call is coming from a reputable or known source. These actors often target organizations, specifically their employees, and pressure them to obtain sensitive corporate data, such as privileged credentials, by creating a sense of urgency, intimidation or fear. Corporate credentials can then be used to gain unauthorized access to an organization’s network, often bypassing traditional security measures and human security teams.
Darktrace’s coverage of vishing attack
On August 12, 2024, Darktrace / NETWORK identified malicious activity on the network of a customer in the hospitality sector. The customer later confirmed that a threat actor had gained unauthorized access through a vishing attack. The attacker successfully spoofed the IT support phone number and called a remote employee, eventually leading to the compromise.
Establishing a Foothold
During the call, the remote employee was requested to authenticate via multi-factor authentication (MFA). Believing the caller to be a member of their internal IT support, using the legitimate caller ID, the remote user followed the instructions and confirmed the MFA prompt, providing access to the customer’s network.
This authentication allowed the threat actor to login into the customer’s environment by proxying through their Virtual Private Network (VPN) and gain a foothold in the network. As remote users are assigned the same static IP address when connecting to the corporate environment, the malicious actor appeared on the network using the correct username and IP address. While this stealthy activity might have evaded traditional security tools and human security teams, Darktrace’s anomaly-based threat detection identified an unusual login from a different hostname by analyzing NTLM requests from the static IP address, which it determined to be anomalous.
Observed Activity
On 2024-08-12 the static IP was observed using a credential belonging to the remote user to initiate an SMB session with an internal domain controller, where the authentication method NTLM was used
A different hostname from the usual hostname associated with this remote user was identified in the NTLM authentication request sent from a device with the static IP address to the domain controller
This device does not appear to have been seen on the network prior to this event.
Darktrace, therefore, recognized that this login was likely made by a malicious actor.
Internal Reconnaissance
Darktrace subsequently observed the malicious actor performing a series of reconnaissance activities, including LDAP reconnaissance, device hostname reconnaissance, and port scanning:
The affected device made a 53-second-long LDAP connection to another internal domain controller. During this connection, the device obtained data about internal Active Directory (AD) accounts, including the AD account of the remote user
The device made HTTP GET requests (e.g., HTTP GET requests with the Target URI ‘/nice ports,/Trinity.txt.bak’), indicative of Nmap usage
The device started making reverse DNS lookups for internal IP addresses.
Lateral Movement
The threat actor was also seen making numerous failed NTLM authentication requests using a generic default Windows credential, indicating an attempt to brute force and laterally move through the network. During this activity, Darktrace identified that the device was using a different hostname than the one typically used by the remote employee.
Cyber AI Analyst
In addition to the detection by Darktrace / NETWORK, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the ongoing activity. The investigation was able to correlate the seemingly separate events together into a broader incident, continuously adding new suspicious linked activities as they occurred.
Upon completing the investigation, Cyber AI Analyst provided the customer with a comprehensive summary of the various attack phases detected by Darktrace and the associated incidents. This clear presentation enabled the customer to gain full visibility into the compromise and understand the activities that constituted the attack.
Darktrace Autonomous Response
Despite the sophisticated techniques and social engineering tactics used by the attacker to bypass the customer’s human security team and existing security stack, Darktrace’s AI-driven approach prevented the malicious actor from continuing their activities and causing more harm.
Darktrace’s Autonomous Response technology is able to enforce a pattern of life based on what is ‘normal’ and learned for the environment. If activity is detected that represents a deviation from expected activity from, a model alert is triggered. When Darktrace’s Autonomous Response functionality is configured in autonomous response mode, as was the case with the customer, it swiftly applies response actions to devices and users without the need for a system administrator or security analyst to perform any actions.
In this instance, Darktrace applied a number of mitigative actions on the remote user, containing most of the activity as soon as it was detected:
Block all outgoing traffic
Enforce pattern of life
Block all connections to port 445 (SMB)
Block all connections to port 9401
Conclusion
This vishing attack underscores the significant risks remote employees face and the critical need for companies to address vishing threats to prevent network compromises. The remote employee in this instance was deceived by a malicious actor who spoofed the phone number of internal IT Support and convinced the employee to perform approve an MFA request. This sophisticated social engineering tactic allowed the attacker to proxy through the customer’s VPN, making the malicious activity appear legitimate due to the use of static IP addresses.
Despite the stealthy attempts to perform malicious activities on the network, Darktrace’s focus on anomaly detection enabled it to swiftly identify and analyze the suspicious behavior. This led to the prompt determination of the activity as malicious and the subsequent blocking of the malicious actor to prevent further escalation.
While the exact motivation of the threat actor in this case remains unclear, the 2023 cyber-attack on MGM Resorts serves as a stark illustration of the potential consequences of such threats. MGM Resorts experienced significant disruptions and data breaches following a similar vishing attack, resulting in financial and reputational damage [1]. If the attack on the customer had not been detected, they too could have faced sensitive data loss and major business disruptions. This incident underscores the critical importance of robust security measures and vigilant monitoring to protect against sophisticated cyber threats.
Credit to Rajendra Rushanth (Cyber Security Analyst) and Ryan Traill (Threat Content Lead)
Appendices
Darktrace Model Detections
Device / Unusual LDAP Bind and Search Activity
Device / Attack and Recon Tools
Device / Network Range Scan
Device / Suspicious SMB Scanning Activity
Device / RDP Scan
Device / UDP Enumeration
Device / Large Number of Model Breaches
Device / Network Scan
Device / Multiple Lateral Movement Model Breaches (Enhanced Monitoring)
Device / Reverse DNS Sweep
Device / SMB Session Brute Force (Non-Admin)
List of Indicators of Compromise (IoCs)
IoC - Type – Description
/nice ports,/Trinity.txt.bak - URI – Unusual Nmap Usage
Introducing real-time multi-cloud detection & response powered by AI
We are delighted to announce the general availability of Microsoft Azure support for Darktrace / CLOUD, enabling real-time cloud detection and response across dynamic multi-cloud environments. Built on Self-Learning AI, Darktrace / CLOUD leverages Microsoft’s new virtual network flow logs (VNet flow) to offer an agentless-first approach that dramatically simplifies detection and response within Azure, unifying cloud-native security with Darktrace’s innovative ActiveAI Security Platform.
As organizations increasingly adopt multi-cloud architectures, the need for advanced, real-time threat detection and response is critical to keep pace with evolving cloud threats. Security teams face significant challenges, including increased complexity, limited visibility, and siloed tools. The dynamic nature of multi-cloud environments introduces ever-changing blind spots, while traditional security tools struggle to provide real-time insights, often offering static snapshots of risk. Additionally, cloud security teams frequently operate in isolation from SOC teams, leading to fragmented visibility and delayed responses. This lack of coordination, especially in hybrid environments, hinders effective threat detection and response. Compounding these challenges, current security solutions are split between agent-based and agentless approaches, with agentless solutions often lacking real-time awareness and agent-based options adding complexity and scalability concerns. Darktrace / CLOUD helps to solve these challenges with real-time detection and response designed specifically for dynamic cloud environments like Azure and AWS.
Darktrace has been at the forefront of real-time detection and response for over a decade, continually pushing the boundaries of AI-driven cybersecurity. Our Self-Learning AI uniquely positions Darktrace with the ability to automatically understand and instantly adapt to changing cloud environments. This is critical in today’s landscape, where cloud infrastructures are highly dynamic and ever-changing.
Built on years of market-leading network visibility, Darktrace / CLOUD understands ‘normal’ for your unique business across clouds and networks to instantly reveal known, unknown, and novel cloud threats with confidence. Darktrace Self-Learning AI continuously monitors activity across cloud assets, containers, and users, and correlates it with detailed identity and network context to rapidly detect malicious activity. Platform-native identity and network monitoring capabilities allow Darktrace / CLOUD to deeply understand normal patterns of life for every user and device, enabling instant, precise and proportionate response to abnormal behavior - without business disruption.
Leveraging platform-native Autonomous Response, AI-driven behavioral containment neutralizes malicious activity with surgical accuracy while preventing disruption to cloud infrastructure or services. As malicious behavior escalates, Darktrace correlates thousands of data points to identify and instantly respond to unusual activity by blocking specific connections and enforcing normal behavior.
Unparalleled agentless visibility into Azure
As a long-term trusted partner of Microsoft, Darktrace leverages Azure VNet flow logs to provide agentless, high-fidelity visibility into cloud environments, ensuring comprehensive monitoring without disrupting workflows. By integrating seamlessly with Azure, Darktrace / CLOUD continues to push the envelope of innovation in cloud security. Our Self-learning AI not only improves the detection of traditional and novel threats, but also enhances real-time response capabilities and demonstrates our commitment to delivering cutting-edge, AI-powered multi-cloud security solutions.
Integration with Microsoft Virtual network flow logs for enhanced visibility Darktrace / CLOUD integrates seamlessly with Azure to provide agentless, high-fidelity visibility into cloud environments. VNet flow logs capture critical network traffic data, allowing Darktrace to monitor Azure workloads in real time without disrupting existing workflows. This integration significantly reduces deployment time by 95%1 and cloud security operational costs by up to 80%2 compared to traditional agent-based solutions. Organizations benefit from enhanced visibility across dynamic cloud infrastructures, scaling security measures effortlessly while minimizing blind spots, particularly in ephemeral resources or serverless functions.
High-fidelity agentless deployment Agentless deployment allows security teams to monitor and secure cloud environments without installing software agents on individual workloads. By using cloud-native APIs like AWS VPC flow logs or Azure VNet flow logs, security teams can quickly deploy and scale security measures across dynamic, multi-cloud environments without the complexity and performance overhead of agents. This approach delivers real-time insights, improving incident detection and response while reducing disruptions. For organizations, agentless visibility simplifies cloud security management, lowers operational costs, and minimizes blind spots, especially in ephemeral resources or serverless functions.
Real-time visibility into cloud assets and architectures With real-time Cloud Asset Enumeration and Dynamic Architecture Modeling, Darktrace / CLOUD generates up-to-date architecture diagrams, giving SecOps and DevOps teams a unified view of cloud infrastructures. This shared context enhances collaboration and accelerates threat detection and response, especially in complex environments like Kubernetes. Additionally, Cyber AI Analyst automates the investigation process, correlating data across networks, identities, and cloud assets to save security teams valuable time, ensuring continuous protection and efficient cloud migrations.
Unified multi-cloud security at scale
As organizations increasingly adopt multi-cloud strategies, the complexity of managing security across different cloud providers introduces gaps in visibility. Darktrace / CLOUD simplifies this by offering agentless, real-time monitoring across multi-cloud environments. Building on our innovative approach to securing AWS environments, our customers can now take full advantage of robust real-time detection and response capabilities for Azure. Darktrace is one of the first vendors to leverage Microsoft’s virtual network flow logs to provide agentless deployment in Azure, enabling unparalleled visibility without the need for installing agents. In addition, Darktrace / CLOUD offers automated Cloud Security Posture Management (CSPM) that continuously assesses cloud configurations against industry standards. Security teams can identify and prioritize misconfigurations, vulnerabilities, and policy violations in real-time. These capabilities give security teams a complete, live understanding of their cloud environments and help them focus their limited time and resources where they are needed most.
This approach offers seamless integration into existing workflows, reducing configuration efforts and enabling fast, flexible deployment across cloud environments. By extending its capabilities across multiple clouds, Darktrace / CLOUD ensures that no blind spots are left uncovered, providing holistic, multi-cloud security that scales effortlessly with your cloud infrastructure. diagrams, visualizes cloud assets, and prioritizes risks across cloud environments.
The future of cloud security: Real-time defense in an unpredictable world
Darktrace / CLOUD’s support for Microsoft Azure, powered by Self-Learning AI and agentless deployment, sets a new standard in multi-cloud security. With real-time detection and autonomous response, organizations can confidently secure their Azure environments, leveraging innovation to stay ahead of the constantly evolving threat landscape. By combining Azure VNet flow logs with Darktrace’s AI-driven platform, we can provide customers with a unified, intelligent solution that transforms how security is managed across the cloud.