Blog
/

Email

Threat Finds

/
August 25, 2020

Emotet Resurgence: Email & Network Defense Insights

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
25
Aug 2020
Explore how Darktrace's defense in depth strategy combats Emotet's resurgence in email and network layers, ensuring robust cybersecurity.

The Emotet banking malware first emerged in 2014, and has since undergone multiple iterations. Emotet seeks to financially profit from a range of organizations by spreading rapidly from device to device and stealing sensitive financial information.

Darktrace’s AI has detected the return of this botnet after a five month absence. The new Spamware campaign has hit multiple industries through highly sophisticated phishing emails, containing either URLs linking to the download of a macro-containing Microsoft Word document or an attachment of the document itself. This iteration uses new variants of infrastructure and malware that were unknown to threat intelligence lists – thus easily bypassing static, rule-based defenses.

In this blog post, we investigate the attack from two angles. The first documents a case where Emotet successfully infiltrated a company’s network, where it was promptly detected and alerted on by the Enterprise Immune System. We then explore two customers who had extended Darktrace’s Cyber AI coverage to the inbox. While these organizations were also targeted by this latest Emotet campaign, the malicious email containing the Emotet payload was identified and blocked by Antigena Email.

Case study one: Detecting Emotet in the network

Figure 1: A timeline of the attack

This first case study looks at a large European organization spanning multiple industries, including healthcare, pharmaceuticals, and manufacturing. Darktrace’s AI was monitoring over 2500 devices when the organization became a victim of this new wave of Emotet.

The attack entered the business via a phishing email that fell outside of Darktrace’s scope in this particular deployment, as the customer had not yet activated Antigena Email. Either a malicious link or a macro-embedded Word document in the email directed a device to the malicious payload.

Darktrace’s Enterprise Immune System witnessed SSL connections to a 100% rare external IP address, and detected a Kernel crash on the device shortly afterwards, indicating potential exploitation.

Following these actions, the desktop began to beacon to multiple external endpoints using self-signed or invalid SSL certificates. The observed endpoints had previously been associated with Trickbot C2 servers and the Emotet malware. The likely overall dwell time – that is the length of time an attacker has free reign in an environment before they are eradicated – was in this instance around 24 hours, with most of the activity taking place on July 23.

The device then made a large number of new and unusual internal connection attempts over SMB (port 445) to 97 internal devices during a one-hour period. The goal was likely lateral movement, possibly with the intention to infect other devices, download additional malware, and send out more spam emails.

Darktrace’s AI had promptly alerted the security team to the initial rare connections, but when the device attempted lateral movement it escalated the severity of the alert. The security team was able to remediate the situation before further damage was done, taking the desktop offline.

This overview of the infected device shows the extent of the anomalous behavior, with over a dozen Darktrace detections firing in quick succession.

Figure 2: A graph showing unusual activity in combination with the large number of model breaches on July 23

Figure 3: A list of all model breaches occurring over a small time on the compromised device

Case study two: Catching Emotet in the email environment

While Darktrace’s Enterprise Immune System allows us to visualize the attack within the network, Antigena Email has also identified the Emotet phishing campaign in many other customer environments and stopped the attack before the payload could be downloaded.

One European organization was hit by multiple phishing emails associated with Emotet. These emails use a number of tactics, including personalized subject lines, malicious attachments, and hidden malicious URLs. However, Darktrace’s AI recognized the emails as highly anomalous for the organization and prevented them from reaching employees’ inboxes.

Figure 4: A snapshot of Antigena Email’s user interface. The subject line reads ‘Notice of transfer.’

Despite claiming to be from CaixaBank, a Spanish financial services company, Antigena Email revealed that the email was actually sent from a Brazilian domain. The email also contained a link that was hidden behind text suggesting it would lead to a CaixaBank domain, but Darktrace recognized this as a deliberate attempt to mislead the recipient. Antigena Email is unique in its ability to gather insights from across the broader business, and it leveraged this ability to reveal that the link in fact led to a WordPress domain that Darktrace’s AI identified as 100% rare for the business. This would not have been possible without a unified security platform analyzing and comparing data across different parts of the organization.

Figure 5: The malicious links contained in the email

The three above links surfaced by Darktrace are all associated with the Emotet malware, and prompt the user to download a Word file. This document contains a macro with instructions for downloading the actual virus payload.

Another email targeting the same organization contained a header suggesting it was from Vietnam. The sender had never been in any previous correspondence across the business, and the single, isolated link within the email was also revealed to be a 100% rare domain. The website displayed when visiting the domain imitates a legitimate printing business, but appears hastily made and contained a similar malicious payload.

In both cases, Darktrace’s AI recognized these as phishing attempts due to its understanding of normal communication patterns and behavior for the business and held the emails back from the inbox, preventing Emotet from entering the next phase of the attack life cycle.

Case study three: A truly global campaign

Darktrace has seen Emotet in attacks targeting customers around the world, with one of the most recent campaigns aimed at a food production and distribution company in Japan. This customer received six Emotet emails across July 29 and July 30. The senders spoofed Japanese names and some existing Japanese companies, including Mitsubishi. Antigena Email successfully detected and actioned these emails, recognizing the spoofing indicators, ‘unspoofing’ the emails, and converting the attachments.

Figure 6: A second Emotet email targeting an organization in Japan

Revealing a phish

Both the subject line and the filename translate to “Regarding the invoice,” followed by a number and the date. The email imitated a well-known Japanese company (三菱食品(株)), with ‘藤沢 昭彦’ as a common Japanese name and the appended ‘様’ serving a similar function to ‘Sir’ or ‘Dr,’ in a clear attempt to mimic a legitimate business email.

A subsequent investigation revealed that the sender’s location was actually Portugal, and the hash values of Microsoft Word attachments were consistent with Emotet. Crucially, at the time of the attack, these file hashes were not publicly associated with any malicious behavior and so could not have been used for initial detection.

Figure 7: Antigena Email shows critical metrics revealing the true source of the email

Surfacing further key metrics behind the email, Antigena Email revealed that the true sender was using a GMO domain name. GMO is a Japanese cloud-hosting company that offers cheap web email services.

Figure 8: Antigena Email reveals the anomalous extensions and mimes

The details of the attachment show that both the extension and mime type is anomalous in comparison to documents this customer commonly exchanges by email.

Figure 9: Antigena Email detects the attempt at inducement

Antigena Email’s models are able to recognize topic anomalies and inducement attempts in emails, regardless of the language they are written in. Despite this email being written in Japanese, Darktrace’s AI was still able to reveal the attempt at inducement, giving the email a high score of 85.

Figure 10: The six successive Emotet emails

The close proximity in which these emails were sent and the fact they all contained URLs consistent with Emotet suggests that they are likely part of the same campaign. Different recipients received the emails from different senders in an attempt to bypass traditional security tools, which are trained to deny-list an individual sender once it is recognized as bad.

A defense in depth

This new campaign and the comeback of the Emotet malware has shown the need for defense in depth – or having multiple layers of security across the different areas of a business, including email, network, cloud and SaaS, and beyond.

Historically, defense in depth has led companies to adopt myriad point solutions, which can be both expensive and challenging to manage. Security leaders are increasingly abandoning point solutions in favor of a single security platform, which not only makes handling the security stack easier and more efficient, but creates synergies between different parts of the platform. Data can be analyzed across different sources and insights drawn from different areas of the organization, helping detect sophisticated attacks that might attempt to exploit a business’ siloed approach to security.

A single platform ultimately reduces the friction for security teams while allowing for effective, company-wide incident investigation. And when a platform approach leverages AI to understand normal behavior rather than looking for ‘known bad’, it can detect unknown and emerging threats – and help prevent damage from being done.

Thanks to Darktrace analyst Beverly McCann for her insights on the above threat find.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

December 19, 2024

/
No items found.

Darktrace Recognized in the Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace has been recognized in the first ever Gartner Magic Quadrant for Email Security Platforms (ESP).  As a Challenger, we have been recognized based on our Ability to Execute and Completeness of Vision.

The Gartner Magic Quadrant for Email Security is designed to help organizations evaluate which email security solutions might be the best fit for their needs by providing a visual representation of the market vendors and the strengths and cautions of different vendors. We encourage our customers to read the full report to get the complete picture.

Darktrace / EMAIL has a unique AI approach to identifying threats, including NLP and behavioral analysis, instead of traditional security measures like signatures and sandboxing – providing protection against advanced attacks like Business Email Compromise (BEC) and spear phishing. We believe our AI-first approach delivers high-quality solutions that our customers trust, allowing them to stay ahead of sophisticated threats that other tools miss.  

We’re proud of Darktrace’s rapid growth, geographic scale, and ability to execute effectively in the email security market, which reflect our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.

What do we believe makes Darktrace the fastest growing email security solution on the market?

An AI-first approach to innovation: Catching the threats others miss

As one of the founders of the ICES category, Darktrace has a long history of innovation, backed by over 200 patents. While other email security solutions are only just starting to apply machine learning (ML) techniques to outdated methods like signature analysis, reputation lists, and sandboxing, Darktrace has redefined the approach to email threat detection with its pioneering AI-driven anomaly detection engine.

Traditional ESPs often miss advanced threats because they rely on rules and signatures that focus on payloads and blindly trust known sources. This approach requires constant updates and frequently fails to detect threats like Business Email Compromise and Spear Phishing. In contrast, Darktrace / EMAIL uses advanced anomaly detection to identify the most sophisticated threats by focusing on unusual patterns and behaviors. This innovative approach has consistently delivered superior detection, stopping on average 58% of the threats that other solutions in the security stack miss.1

But our AI-first approach doesn’t stop at the inbox. At Darktrace, we transcend the limitations of traditional email security by leveraging a platform that unifies insights across multiple domains, providing robust protection against multi-domain threats. Our award-winning solutions defend the most popular attack vectors, including email, messaging, network, and identity protection. By combining signals from all domains, we establish unique behavioral profiles for each device and user, significantly enhancing detection precision.  

This pioneering approach has led to introducing industry-first advancements like QR code analysis and automated incident investigations, alongside game-changing functionality including:

  • Microsoft Teams security with advanced messaging analysis: The ability to identify critical early phishing and insider threats across both email and Microsoft Teams messaging.  
  • AI analyst narratives for improved end user reporting: that reduces phishing investigations by 60% by exposing unique narratives that provide the context of each received email and give feedback to each employee as they interact with their mail.2
  • Mailbox Security Assistant: to perform advanced behavioral browser analysis and stop malicious links within webpages, detecting and remediating 70% more malicious phishing links than traditional tools.3  
  • AI based, autonomous data loss prevention: to immediately secure your organization from misdirected emails, insider threats, and data loss—both classified and unclassified- without any administrative overhead.

Customer trust that fuels exponential growth

With almost 5,000 customers in under 5 years, we've doubled the growth rate of other vendors in the email security market. Our rapid market penetration, fueled by customer satisfaction and pioneering technology, showcases our revolutionary approach and sets new industry standards. 

Darktrace’s exceptional customer retention is fueled by an unparalleled customer experience, extensive regional support, dedicated account teams, and cutting-edge scalable technology. We pride ourselves on having a global network with local expertise, consisting of 110 worldwide offices which provide local language and technical support to offer multilingual, in-house assistance to our customer base.

Check it out – Darktrace / EMAIL has the highest percentage of 5-star ratings with a 4.8 rating on Gartner® Peer Insights™.4

Supporting every stage of your email security journey

Darktrace / EMAIL supports your security maturity journey, from first time security buyers to mature security stacks looking to augment their existing ESPs – by handling advanced threats without extensive tuning. And unlike other solutions that create a siloed and parallel solution, it works harmoniously with native email providers to create a modern email security stack. That’s why Darktrace performs well with first-time email security buyers and has strong renewal rates.

Integrating with Microsoft and Google via API, we replace traditional Secure Email Gateways (SEGs) with a modern, comprehensive email security stack. By combining approaches, our solution merges attack-centric analysis, which learns attack patterns and threat intelligence, with a business-centric approach that understands user behavior and inbox activity to deliver a unified stack that defends the entire threat spectrum – leading Darktrace to be recognized as Microsoft Partner of the year UK 2024.  

Our user-friendly, self-learning AI solution requires minimal tuning and deployment, making it perfect for customers looking for a highly usable but lightly configurable solution that will accompany them throughout their lifetime as they mature their email security stack in line with the evolving threat landscape.

Learn more

Get complimentary access to the full Gartner® Magic Quadrant™ for Email Security Platforms here.

To learn more about Darktrace / EMAIL or to get a free demo, check out the product hub.

References

1 From September 1 – December 31 2023, 58% of the phishing emails analyzed by Darktrace / EMAIL had already passed through native spam filtering and email security controls. (Darktrace End of Year Threat Report 2023)

2 When customers deployed the Darktrace / EMAIL Outlook Add-in there was a 60% decrease in incorrectly reported phishing emails. Darktrace Internal Research, 2024

3 Once a user reports phishing that contains a link, an automated second level triage engages our link analysis infrastructure expanding the signals analyzed. Darktrace Internal Research, 2024

4 Based on 252 reviews as of 19th December 2024

Continue reading
About the author
Carlos Gray
Product Manager

Blog

/

December 17, 2024

/

Inside the SOC

Cleo File Transfer Vulnerability: Patch Pitfalls and Darktrace’s Detection of Post-Exploitation Activities

Default blog imageDefault blog image

File transfer applications: A target for ransomware

File transfer applications have been a consistent target, particularly for ransomware groups, in recent years because they are key parts of business operations and have trusted access across different parts of an organization that include potentially confidential and personal information about an organization and its employees.

Recent targets of ransomware criminals includes applications like Acellion, Moveit, and GoAnywhere [1]. This seems to have been the case for Cleo’s managed file transfer (MFT) software solutions and the vulnerability CVE-2024-50623.

Threat overview: Understanding Cleo file transfer vulnerability

This vulnerability was believed to have been patched with the release of version 5.8.0.21 in late October 2024. However, open-source intelligence (OSINT) reported that the Clop ransomware group had managed to bypass the initial patch in late November, leading to the successful exploitation of the previously patched CVE.

In the last few days Cleo has published a new vulnerability, CVE-2024-55956, which is not a patch bypass of the CVE-2024-50623 but rather another vulnerability. This is also an unauthenticated file write vulnerability but while CVE-2024-50623 allows for both reading and writing arbitrary files, the CVE-2024-55956 only allows for writing arbitrary files and was addressed in version 5.8.0.24 [2].

Darktrace Threat Research analysts have already started investigating potential signs of devices running the Cleo software with network traffic supporting this initial hypothesis.

Comparison of CVE-2024-50623 and CVE-2024-55956

While CVE-2024-50623 was initially listed as a cross-site scripting issue, it was updated on December 10 to reflect unrestricted file upload and download. This vulnerability could lead to remote code execution (RCE) in versions of Cleo’s Harmony, VLTrader, and LexiCom products prior to 5.8.0.24. Attackers could leverage the fact that files are placed in the "autorun" sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software [3].

CVE-2024-55956, refers to an unauthenticated user who can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory [4]. Both CVEs have occurred due to separate issues in the “/Synchronization” endpoint.

Investigating post exploitation patterns of activity on Cleo software

Proof of exploitation

Darktrace’s Threat Research analysts investigated multiple cases where devices identified as likely running Cleo software were detected engaging in unusual behavior. Analysts also attempted to identify any possible association between publicly available indicators of compromise (IoCs) and the exploitation of the vulnerability, using evidence of anomalous network traffic.

One case involved an Internet-facing device likely running Cleo VLTrader software (based on its hostname) reaching out to the 100% rare Lithuanian IP 181.214.147[.]164 · AS 15440 (UAB Baltnetos komunikacijos).

This activity occurred in the early hours of December 8 on the network of a customer in the energy sector. Darktrace detected a Cleo server transferring around over 500 MB of data over multiple SSL connections via port 443 to the Lithuanian IP. External research reported that this IP appears to be a callback IP observed in post-exploitation activity of vulnerable Cleo devices [3].

While this device was regularly observed sending data to external endpoints, this transfer represented a small increase in data sent to public IPs and coupled with the rarity of the destination, triggered a model alert as well as a Cyber AI Analyst Incident summarizing the transfer. Unfortunately, due to the encrypted connection no further analysis of the transmitted data was possible. However, due to the rarity of the activity, Darktrace’s Autonomous Response intervened and prevented any further connections to the IP.

 Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Figure 1: Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Shows connections to 181.214.147[.]164 and the amount of data transferred.
Figure 2: Shows connections to 181.214.147[.]164 and the amount of data transferred.

On the same day, external connections were observed to the external IP 45.182.189[.]225, along with inbound SSL connections from the same endpoint. OSINT has also linked this IP to the exploitation of Cleo software vulnerabilities [5].

Outgoing connections from a Cleo server to an anomalous endpoint.
Figure 3: Outgoing connections from a Cleo server to an anomalous endpoint.
 Incoming SSL connections from the external IP 45.182.189[.]225.
Figure 4: Incoming SSL connections from the external IP 45.182.189[.]225.

Hours after the last connection to 181.214.147[.]164, the integration detection tool from CrowdStrike, which the customer had integrated with Darktrace, issued an alert. This alert provided additional visibility into host-level processes and highlighted the following command executed on the Cleo server:

“D:\VLTrader\jre\bin\java.exe" -jar cleo.4889

Figure 5: The executed comand “D:\VLTrader\jre\bin\java.exe" -jar cleo.4889 and the Resource Location: \Device\HarddiskVolume3\VLTrader\jre\bin\java.exe.

Three days later, on December 11, another CrowdStrike integration alert was generated, this time following encoded PowerShell command activity on the server. This is consistent with post-exploitation activity where arbitrary PowerShell commands are executed on compromised systems leveraging the default settings of the Autorun directory, as highlighted by Cleo support [6]. According to external researchers , this process initiates connections to an external IP to retrieve JAR files with webshell-like functionality for continued post-exploitation [3]. The IP embedded in both commands observed by Darktrace was 38.180.242[.]122, hosted on ASN 58061(Scalaxy B.V.). There is no OSINT associating this IP with Cleo vulnerability exploitation at the time of writing.

Another device within the same customer network exhibited similar data transfer and command execution activity around the same time, suggesting it had also been compromised through this vulnerability. However, this second device contacted a different external IP, 5.45.74[.]137, hosted on AS 58061 (Scalaxy B.V.).

Like the first device, multiple connections to this IP were detected, with almost 600 MB of data transferred over the SSL protocol.

The Security Integration Detection Model that was triggered  and the PowerShell command observed
Figure 6: The Security Integration Detection Model that was triggered  and the PowerShell command observed
 Incoming connections from the external IP 38.180.242[.]122.
Figure 7: Incoming connections from the external IP 38.180.242[.]122.
Connections to the external IP 5.45.74[.]137.
Figure 8: Connections to the external IP 5.45.74[.]137.
Figure 9: Autonomous Response Actions triggered during the suspicious activities

While investigating potential Cleo servers involved in similar outgoing data activity, Darktrace’s Threat Research team identified two additional instances of likely Cleo vulnerability exploitation used to exfiltrate data outside the network. In those two instances, unusual outgoing data transfers were observed to the IP 176.123.4[.]22 (AS 200019, AlexHost SRL), with around 500 MB of data being exfiltrated over port 443 in one case (the exact volume could not be confirmed in the other instance). This IP was found embedded in encoded PowerShell commands examined by external researchers in the context of Cleo vulnerability exploitation investigations.

Conclusion

Overall, Cleo software represents a critical component of many business operations, being utilized by over 4,000 organizations worldwide. This renders the software an attractive target for threat actors who aim at exploiting internet-facing devices that could be used to compromise the software’s direct users but also other dependent industries resulting in supply chain attacks.

Darktrace / NETWORK was able to capture traffic linked to exploitation of CVE-2024-50623 within models that triggered such as Unusual Activity / Unusual External Data to New Endpoint while its Autonomous Response capability successfully blocked the anomalous connections and exfiltration attempts.

Information on new CVEs, how they're being exploited, and whether they've been patched can be fast-changing, sometimes limited and often confusing. Regardless, Darktrace is able to identify and alert to unusual behavior on these systems, indicating exploitation.

Credit to Maria Geronikolou, Alexandra Sentenac, Emma Fougler, Signe Zaharka and the Darktrace Threat Research team

Insights from Darktrace’s First 6: Half-year threat report for 2024

First 6: half year threat report darktrace screenshot

Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.

  • Focuses on anomaly detection and behavioral analysis to identify threats
  • Maps mitigated cases to known, publicly attributed threats for deeper context
  • Offers guidance on improving security posture to defend against persistent threats

Appendices

References

[1] https://blog.httpcs.com/en/file-sharing-and-transfer-software-the-new-target-of-hackers/

[2] https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

[3] https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

[4] https://nvd.nist.gov/vuln/detail/CVE-2024-55956

[5] https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/

[6] https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

[7] https://support.cleo.com/hc/en-us/articles/360034260293-Local-HTTP-Users-Configuration

Darktrace Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

Device / Internet Facing Device with High Priority Alert

Anomalous Server Activity / Rare External from Server

Anomalous Connection / New User Agent to IP Without Hostname

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Autonomous Response Model Detections

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Cyber AI Analyst Incidents

Unusual External Data Transfer

MITRE ATT&CK Mapping

Tactic – Technique

INITIAL ACCESS – Exploit Public-Facing Application

COMMAND AND CONTROL – Application Layer Protocol (Web Protocols)

COMMAND AND CONTROL – Encrypted Channel

PERSISTENCE – Web Shell

EXFILTRATION - Exfiltration Over C2 Channel

IoC List

IoC       Type    Description + Probability

181.214.147[.]164      IP Address       Likely C2 Infrastructure

176.123.4[.]22            IP Address       Likely C2 Infrastructure

5.45.74[.]137               IP Address           Possible C2 Infrastructure

38.180.242[.]122        IP Address       Possible C2 Infrastructure

Continue reading
About the author
Maria Geronikolou
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI