Latin America has been one of hardest hit regions for cyber-crime this last year. This blog unpacks an intrusion at a pharmaceutical organization based in LATAM, and how Self-Learning AI detected the data exfiltration attack at every stage.
Data exfiltration is a popular enterprise for cyber-criminals. All organizations – from government agencies to small businesses – have sensitive data which can be stolen for extortion, competitive advantage, or further inroads in a company’s system. It is now the preferred technique of ransomware actors. Some Ransomware-as-a-Service (RaaS) groups have even pioneered a new type of ‘extortionware’, which focuses solely on data theft without encryption.
Easy money
At a pharmaceutical manufacturing institute in Latin America, Darktrace recently detected the exfiltration of critical files from the company, as this blog will explore.
The organization was an enticing target for two reasons. Firstly, pharmaceutical companies hold a wealth of valuable IP and patient data, which have come under sustained fire this last year as threat actors and nation states infiltrate vaccine research and distribution.
#1 most affected industry for data breaches: pharmaceuticals.
Secondly, Latin America is a treasure trove for cyber-criminals, thanks to huge economic growth in recent years, the digitization of major industries, alongside sub-standard cyber insurance policies and virtually nonexistent regulations.
Even before the COVID-19 pandemic, Brazil and Mexico were in Europol’s top ten affected countries. Since then, cases have skyrocketed – and many companies remain underprepared, facing limited support and pressure from government bodies. Strikingly, even though it has suffered estimated losses of almost $8 billion, Brazil still has no data protection law in place.
On top of financial crimes, the LATAM region has been targeted by state-sponsored groups linked to Russia, China, and Iran. Cyber-espionage is used as a method to gain the upper hand in negotiations and advance foreign interests in investment and trade.
Furthermore, as supply chains in the criminal world are hit by the effects of the pandemic, organized crime may begin to leverage the digital world – particularly fraud and phishing – as a possible source of income. La Familia Michoacana, a notorious drug cartel in Mexico, has reportedly begun enlisting Dark Web hackers.
Despite the number of threats facing Latin America, organizations have been slow to adopt defensive technology. So when the attacker in the case below chose a small organization in the LATAM region, they probably expected to face only signature-based, legacy security tools. Sensing that this would be easy prey – with little resistance and large profit to be made – the actor launched their first steps.
How the intrusion played out
During a Proof of Value trial with the company, Darktrace detected unusual activity from a server, following external remote connectivity.
Figure 1: Timeline of the attack.
The attack began when an internal server received an unusual connection over RDP from an external IP. The connection lasted five hours. The external IP then established a new SMB session to the same server using administrative credentials. The external IP leveraged SMB to access a file, which appeared to contain unencrypted passwords.
65% of the Colombian population now use the Internet, compared to only 3% in 2000.
From there, the external IP downloaded over 18,000 files over SMB. Based on the file names, it appears that the data was highly sensitive. In total, the external IP downloaded around 150 MB of data from the internal server.
Unusual activity post remote connections
Self-Learning AI detected that the IP address was 100% rare for the organization and server. The data transfer was also detected as unusual for the device’s ‘pattern of life’. Unfortunately, as Antigena was being trialled in passive mode, Darktrace could not intervene and disrupt the attack.
Nevertheless, Darktrace fired a number of high-confidence alerts to warn the security team. The figure below shows five-day activity from an example device in the same situation, with a high volume of clustered alerts. These reflect the unusual increase in volume transferred externally from a breach device.
Figure 2: A similar device received an incoming remote desktop connection, highlighted by the first model breach (orange dot). Shortly after, the external device accessed an unencrypted password file. At the same time, the device transferred an unusual volume of data to a rare external source IP.
Data exfiltration methods: RDP and password file access
The threat actor managed to bypass all the other existing security products in the company. They did this with legitimate administrative credentials, which were used to establish the RDP and SMB connections. RDP credentials are easily bought off the Dark Web and have proved a popular form of initial access, especially this year as employees continue to work remotely.
In addition, improper password management can unlock an organization’s digital kingdom. One of the accessed files was a password file, enabling the actor to quickly escalate privileges. After this point, only an AI-powered defensive tool could keep up with the speed of the intrusion.
Leveraging common protocols such as SMB to exfiltrate data is a common tactic. Internet-exposed servers are still a major risk to organizations as attackers exploit open and unused ports.
Moreover, the files transferred during the activity were saved as receipts with the names of partners and customers. This is extremely dangerous and could have put the company’s reputation at serious risk. Luckily, Self-Learning AI detected the malicious actions and warned the security team immediately, allowing them to stop further exfiltration and any follow-up activity.
Protecting sensitive data
The example above demonstrates that even the smallest of companies can fall victim to an attack. Small and medium-sized enterprises are targeted because they own important data and IP, yet often lack robust security and resources. This makes them simple catches compared to large establishments or governments.
Darktrace’s AI has the ability to detect malicious data exfiltration from subtle changes in behavior. In this case, the targeted server regularly transfers data in and out of the organization, yet Darktrace scored the incoming external IP with the highest rarity. In other words, Darktrace considered the data transfer activity highly unusual and outside of the server’s normal ‘pattern of life’.
This enabled the security team to respond to the threat and take the server offline for further investigation. If Darktrace Antigena had been active in the environment, it would have responded seconds after the initial compromise, stopping the threat at machine speed.
Thanks to Darktrace analyst Kendra Gonzalez Duran for her insights on the above threat find.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Darktrace has been named as Microsoft UK Partner of the Year for 2024! The Microsoft Partner Awards recognize winners for their commitment to customers, impact of solutions, and exemplary use of Microsoft technologies.
Whilst the award was granted based on our innovations combining Darktrace/Email and Microsoft Defender for Office 365, our shared values go beyond technology. Darktrace stood out for the integration of our products to deliver exceptional security value to customers, as well as our investment in partnerships, marketplace and go to market. Microsoft was also impressed with our strong commitment to diversity and inclusion and our broader contribution to both the UK economy and the UK tech sector.
Microsoft Defender for Office 365 + Darktrace/Email leave attackers nowhere to hide
The email threat landscape is constantly evolving. Attacks are becoming more sophisticated, more targeted and increasing in multi-stage payload attacks. Across the Darktrace customer base in 2023 alone, we have seen a 135% increase in ‘novel social engineering attacks’, corresponding with the rise of ChatGPT, 45% of phishing emails were identified as spear phishing attempts and a 59% increase in multi-stage payload attacks.
Legacy defenses were built to address a high volume of unsophisticated attacks, but generative AI has shifted the threats towards lower quantity yet very sophisticated, high impact targeted attacks. Microsoft Defender for Office 365’s rapid innovation has outpaced the Secure Email Gateway’s rule and signature based historical data approach. Customers no longer need email gateways which duplicate workflows and add expense native to their Defender for O365 solution.
Point email solutions overlap with Microsoft in 3 key areas: detection approach, workflows, capabilities
Detection - Microsoft receives trillions threat signals daily, giving customers the broadest scope of the attack landscape. Darktrace combined with Microsoft unites business and attack centric approaches
Workflows – any Microsoft configurations are reflected automatically in Darktrace/Email. Users can keep daily workflow in Microsoft, while a traditional SEG requires duplicated workflows
Capabilities – Microsoft handles foundational elements like archiving/encryption/signature matching while Darktrace handles advanced threat security
Darktrace/Email is built to elevate, not duplicate, Microsoft email security – removing the burden of operating legacy point solutions and blocking 25% more threats. Robust account takeover protections to stop the 38% of sophisticated threats other tools miss. Customers can seamlessly correlate activity and insights across Microsoft email, DMARC and Teams to stop threats on average 13 days earlier.
Azure Marketplace
Microsoft Azure customers can access Darktrace in the Azure Marketplace to take advantage of the scalability, reliability, and agility of Azure to drive rapid IT operations and security integrations across the enterprise. Customers can leverage their Microsoft Azure Consumption Commitments (MACC), making procurement simple. As UK Partner of the Year winner, customers know they have a trusted partner with Darktrace and a proven solution to work seamlessly with Azure.
Following up on our Conversation: Detecting & Containing a LinkedIn Phishing Attack with Darktrace
25
Jun 2024
Note: Real organization, domain and user names have been modified and replaced with fictitious names to maintain anonymity.
Social media cyber-attacks
Social media is a known breeding ground for cyber criminals to easily connect with a near limitless number of people and leverage the wealth of personal information shared on these platforms to defraud the general public. Analysis suggests even the most tech savvy ‘digital natives’ are vulnerable to impersonation scams over social media, as criminals weaponize brands and trends, using the promise of greater returns to induce sensitive information sharing or fraudulent payments [1].
LinkedIn phishing
As the usage of a particular social media platform increases, cyber criminals will find ways to exploit the increasing user base, and this trend has been observed with the rise in LinkedIn scams in recent years [2]. LinkedIn is the dominant professional networking site, with a forecasted 84.1million users by 2027 [3]. This platform is data-driven, so users are encouraged to share information publicly, including personal life updates, to boost visibility and increase job prospects [4] [5]. While this helps legitimate recruiters to gain a good understanding of the user, an attacker could also leverage the same personal content to increase the sophistication and success of their social engineering attempts.
Darktrace detection of LinkedIn phishing
Darktrace detected a Software-as-a-Service (SaaS) compromise affecting a construction company, where the attack vector originated from LinkedIn (outside the monitoring of corporate security tools), but then pivoted to corporate email where a credential harvesting payload was delivered, providing the attacker with credentials to access a corporate file storage platform.
Because LinkedIn accounts are typically linked to an individual’s personal email and are most commonly accessed via the mobile application [6] on personal devices that are not monitored by security teams, it can represent an effective initial access point for attackers looking to establish an initial relationship with their target. Moreover, user behaviors to ignore unsolicited emails from new or unknown contacts are less frequently carried over to platforms like LinkedIn, where interactions with ‘weak ties’ as opposed to ‘strong ties’ are a better predictor of job mobility [7]. Had this attack been allowed to continue, the threat actor could have leveraged access to further information from the compromised business cloud account to compromise other high value accounts, exfiltrate sensitive data, or defraud the organization.
LinkedIn phishing attack details
Reconnaissance
The initial reconnaissance and social engineering occurred on LinkedIn and was thus outside the purview of corporate security tools, Darktrace included.
However, the email domain “hausconstruction[.]com” used by the attacker in subsequent communications appears to be a spoofed domain impersonating a legitimate construction company “haus[.]com”, suggesting the attacker may have also impersonated an employee of this construction company on LinkedIn. In addition to spoofing the domain, the attacker seemingly went further to register “hausconstruction.com” on a commercial web hosting platform. This is a technique used frequently not just to increase apparent legitimacy, but also to bypass traditional security tools since newly registered domains will have no prior threat intelligence, making them more likely to evade signature and rules-based detections [8]. In this instance, open-source intelligence (OSINT) sources report that the domain was created several months earlier, suggesting this may have been part of a targeted attack on construction companies.
Initial Intrusion
It was likely that during the correspondence over LinkedIn, the target user was solicited into following up over email regarding a prospective construction project, using their corporate email account. In a probable attempt to establish a precedent of bi-directional correspondence so that subsequent malicious emails would not be flagged by traditional security tools, the attacker did not initially include suspicious links, attachments or use solicitous or inducive language within their initial emails.
Figure 1: Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Figure 2: Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.
To accomplish the next stage of their attack, the attacker shared a link, hidden behind the inducing text “VIEW ALL FILES”, to a malicious file using the Hightail cloud storage service. This is also a common method employed by attackers to evade detection, as this method of file sharing does not involve attachments that can be scanned by traditional security tools, and legitimate cloud storage services are less likely to be blocked.
OSINT analysis on the malicious link link shows the file hosted on Hightail was a HTML file with the associated message “Following up on our LinkedIn conversation”. Further analysis suggests the file contained obfuscated Javascript that, once opened, would automatically redirect the user to a malicious domain impersonating a legitimate Microsoft login page for credential harvesting purposes.
Figure 3: The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Figure 4: Screenshot of fraudulent Microsoft Sign In page hosted on the malicious credential harvesting domain.
Although there was prior email correspondence with the attacker, this email was not automatically deemed safe by Darktrace and was further analyzed for unusual properties and unusual communications for the recipient and the recipient’s peer group.
Darktrace determined that:
It was unusual for this file storage solution to be referenced in communications to the user and the wider network
Textual properties of the email body suggested a high level of inducement from the sender, with a high level of focus on the phishing link.
The full link contained suspicious properties suggesting it is high risk.
Figure 5: Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.
Based on these anomalies, Darktrace initially moved the phishing email to the junk folder and locked the link, preventing the user from directly accessing the malicious file hosted on Hightail. However, the customer’s security team released the email, likely upon end-user request, allowing the target user to access the file and ultimately enter their credentials into that credential harvesting domain.
Figure 6: Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.
Lateral Movement
Correspondence between the attacker and target continued for two days after the credential harvesting payload was delivered. Five days later, Darktrace detected an unusual login using multi-factor authentication (MFA) from a rare external IP and ASN that coincided with Darktrace/Email logs showing access to the credential harvesting link.
This attempt to bypass MFA, known as an Office365 Shell WCSS attack, was likely achieved by inducing the target to enter their credentials and legitimate MFA token into the fake Microsoft login page. This was then relayed to Microsoft by the attacker and used to obtain a legitimate session. The attacker then reused the legitimate token to log into Exchange Online from a different IP and registered the compromised device for MFA.
Figure 7: Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Figure 8: Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked. Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge. Highlighted in orange and red is the malicious activity using Chrome.
The IP addresses used by the attacker appear to be part of anonymization infrastructure, but are not associated with any known indicators of compromise (IoCs) that signature-based detections would identify [9] [10].
In addition to logins being observed within half an hour of each other from multiple geographically impossible locations (San Francisco and Phoenix), the unexpected usage of Chrome browser, compared to Edge browser previously used, provided Darktrace with further evidence that this activity was unlikely to originate from the legitimate user. Although the user was a salesperson who frequently travelled for their role, Darktrace’s Self-Learning AI understood that the multiple logins from these locations was highly unusual at the user and group level, and coupled with the subsequent unexpected account modification, was a likely indicator of account compromise.
Accomplish mission
Although the email had been manually released by the security team, allowing the attack to propagate, additional layers of defense were triggered as Darktrace's Autonomous Response initiated “Disable User” actions upon detection of the multiple unusual logins and the unauthorized registration of security information.
However, the customer had configured Autonomous Response to require human confirmation, therefore no actions were taken until the security team manually approved them over two hours later. In that time, access to mail items and other SharePoint files from the unusual IP address was detected, suggesting a potential loss of confidentiality to business data.
Figure 9: Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome. Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.
However, it appears that the attacker was able to maintain access to the compromised account, as login and mail access events from 199.231.85[.]153 continued to be observed until the afternoon of the next day.
Conclusion
This incident demonstrates the necessity of AI to security teams, with Darktrace’s ActiveAI Security Platform detecting a sophisticated phishing attack where human judgement fell short and initiated a real-time response when security teams could not physically respond as fast.
Security teams are very familiar with social engineering and impersonation attempts, but these attacks remain highly prevalent due to the widespread adoption of technologies that enable these techniques to be deployed with great sophistication and ease. In particular, the popularity of information-rich platforms like LinkedIn that are geared towards connecting with unknown people make it an attractive initial access point for malicious attackers.
In the second half of 2023 alone, over 200 thousand fake profiles were reported by members on LinkedIn [11]. Fake profiles can be highly sophisticated, use professional images, contain compelling descriptions, reference legitimate company listings and present believable credentials.
It is unrealistic to expect end users to defend themselves against such sophisticated impersonation attempts. Moreover, it is extremely difficult for human defenders to recognize every fraudulent interaction amidst a sea of fake profiles. Instead, defenders should leverage AI, which can conduct autonomous investigations without human biases and limitations. AI-driven security can ensure successful detection of fraudulent or malicious activity by learning what real users and devices look like and identifying deviations from their learned behaviors that may indicate an emerging threat.
Appendices
Darktrace Model Detections
DETECT/ Apps
SaaS / Compromise / SaaS Anomaly Following Anomalous Login
SaaS / Compromise / Unusual Login and Account Update
