Discover why Cyber Monday poses a cybersecurity nightmare and how security teams need to prepare for the 'hacking season' in this blog post by Darktrace.
As Black Friday and Cyber Monday approach, retailers are gearing up for what is predicted to be a holiday season worth around $214 billion in e-commerce sales. They are not alone in making special preparations: in the cyber-criminal underworld, hackers are looking to use the influx of limited-time offers to incite a sense of urgency and lure victims with phishing emails disguised as Black Friday deals.
And as the holiday season draws nearer, another familiar attack vector threatens to dampen the festive cheer. With security teams enjoying well-earned breaks, upcoming public holidays present the perfect opportunity for ransomware attackers to strike. We covered this topic in detail earlier this year, and over the Fourth of July bank holiday weekend, the ‘largest ever ransomware attack’ wreaked havoc across the world, affecting up to 1,500 organizations.
With sophisticated festive phishing and the recent well-documented surge in ransomware, the stage is set for this holiday season to be one filled with cyber disruption. Security teams need all the help they can get to face this year’s ‘hacking season’ with best-in-class technology that keeps a watchful eye over the digital enterprise 365 days a year.
Attacks know no boundaries
Most of us tend to use personal email addresses for our holiday shopping, but in an era of remote and hybrid working, this can easily have knock-on effects, granting attackers a backdoor into the corporate sphere. The pandemic has seen a greater number of organizations focused on enabling remote and flexible working in whatever ways possible to ‘get the job done.’
BYOD (‘Bring Your Own Device’) has seen a surge in popularity to enable flexible working, increase efficiency, reduce costs, and give employees the opportunity to use IT they feel comfortable with.
From a digital perspective, this has led to increasing convergence of our personal and professional lives. Phishing emails that target personal email accounts – often using more relaxed email security measures – therefore put organizations at risk. Malicious executable files may grant an attacker access to the device, and from here they can pivot into corporate activity, and infiltrate an organization through a single, careless employee.
It’s not just BYOD users who are at risk. Despite the warnings, password reuse continues to be widespread, meaning a successful credential-grab on a personal account can potentially give attackers the keys to a wide range of corporate accounts, whether it’s Microsoft 365 or any number of other internal systems.
A longer holiday calendar expands the attack ‘calendar’ surface
This year, disruptions in the global supply chain are already causing problems for shipping and delays. In response, retailers like Best Buy are offering special deals well ahead of Black Friday with the price promise that they’ll refund the difference should the price drop further on the day itself.
This extends the time period in which these offers are promoted, and thereby the attack ‘calendar’ surface, gifting attackers an extra few weeks through which to launch seasonal scams.
And we know from experience that attackers can get creative, not only with emails disguised as Black Friday offers and promotions, but also spoofing attacks posing as delivery firms, or other third-party logistics suppliers. They will try anything which might induce a click on a link or attachment.
They see you when you’re sleeping: Hackers won’t take holiday
During public holidays, IT and security teams drastically reduce in size. Attackers know this, and it no longer comes as a surprise when some of the largest cyber-attacks of the year are detonated during this time. Adopting reliable autonomous security, and in particular autonomous response, has never been more important in ensuring organizations stay protected.
With opportunistic hackers looking to spoil the holiday season for some quick returns, we cannot rely on human teams alone. Human beings are fallible: they get tired, they need breaks, and they get complacent. One simple misconfiguration can leave an unprotected device exposed to the Internet, opening up the wider digital ecosystem to attack.
Breaches are inevitable, and organizations are no longer throwing all their resources into stopping an attacker from getting inside. The focus is increasingly shifting to being able to spot their behavior once they do get in, and taking autonomous action at machine speed to minimize cyber disruption.
Self-Learning AI does exactly this, learning every user and device in the organization from the ground up, without relying on static rules or signatures, and with no pre-conceptions of what constitutes a ‘threat’. And unlike humans, the technology works around the clock, without needing breaks or unwinding as the year draws to an end.
Darktrace’s AI learns ‘self’ across the entire digital estate, from the email layer, to the cloud, network, and endpoints. And crucially, Autonomous Response takes action on behalf of security teams, and can respond to ransomware in under 10 seconds, minimizing disruption, and saving teams from facing the new year with a lengthy and costly incident clean-up.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Stay ahead of threats with the Darktrace blog newsletter
Get the latest insights from the cybersecurity landscape, including threat trends, incident analysis, and the latest Darktrace product developments – delivered directly to your inbox, monthly.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Mariana Pereira
VP, Cyber Innovation
Mariana is the VP of Cyber Innovation at Darktrace, and works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.
The Gartner Magic Quadrant for Email Security is designed to help organizations evaluate which email security solutions might be the best fit for their needs by providing a visual representation of the market vendors and the strengths and cautions of different vendors. We encourage our customers to read the full report to get the complete picture.
Darktrace / EMAIL has a unique AI approach to identifying threats, including NLP and behavioral analysis, instead of traditional security measures like signatures and sandboxing – providing protection against advanced attacks like Business Email Compromise (BEC) and spear phishing. We believe our AI-first approach delivers high-quality solutions that our customers trust, allowing them to stay ahead of sophisticated threats that other tools miss.
We’re proud of Darktrace’s rapid growth, geographic scale, and ability to execute effectively in the email security market, which reflect our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.
What do we believe makes Darktrace the fastest growing email security solution on the market?
An AI-first approach to innovation: Catching the threats others miss
As one of the founders of the ICES category, Darktrace has a long history of innovation, backed by over 200 patents. While other email security solutions are only just starting to apply machine learning (ML) techniques to outdated methods like signature analysis, reputation lists, and sandboxing, Darktrace has redefined the approach to email threat detection with its pioneering AI-driven anomaly detection engine.
Traditional ESPs often miss advanced threats because they rely on rules and signatures that focus on payloads and blindly trust known sources. This approach requires constant updates and frequently fails to detect threats like Business Email Compromise and Spear Phishing. In contrast, Darktrace / EMAIL uses advanced anomaly detection to identify the most sophisticated threats by focusing on unusual patterns and behaviors. This innovative approach has consistently delivered superior detection, stopping on average 58% of the threats that other solutions in the security stack miss.1
But our AI-first approach doesn’t stop at the inbox. At Darktrace, we transcend the limitations of traditional email security by leveraging a platform that unifies insights across multiple domains, providing robust protection against multi-domain threats. Our award-winning solutions defend the most popular attack vectors, including email, messaging, network, and identity protection. By combining signals from all domains, we establish unique behavioral profiles for each device and user, significantly enhancing detection precision.
This pioneering approach has led to introducing industry-first advancements like QR code analysis and automated incident investigations, alongside game-changing functionality including:
Microsoft Teams security with advanced messaging analysis: The ability to identify critical early phishing and insider threats across both email and Microsoft Teams messaging.
AI analyst narratives for improved end user reporting: that reduces phishing investigations by 60% by exposing unique narratives that provide the context of each received email and give feedback to each employee as they interact with their mail.2
Mailbox Security Assistant: to perform advanced behavioral browser analysis and stop malicious links within webpages, detecting and remediating 70% more malicious phishing links than traditional tools.3
AI based, autonomous data loss prevention: to immediately secure your organization from misdirected emails, insider threats, and data loss—both classified and unclassified- without any administrative overhead.
Customer trust that fuels exponential growth
With almost 5,000 customers in under 5 years, we've doubled the growth rate of other vendors in the email security market. Our rapid market penetration, fueled by customer satisfaction and pioneering technology, showcases our revolutionary approach and sets new industry standards.
Darktrace’s exceptional customer retention is fueled by an unparalleled customer experience, extensive regional support, dedicated account teams, and cutting-edge scalable technology. We pride ourselves on having a global network with local expertise, consisting of 110 worldwide offices which provide local language and technical support to offer multilingual, in-house assistance to our customer base.
Check it out – Darktrace / EMAIL has the highest percentage of 5-star ratings with a 4.8 rating on Gartner® Peer Insights™.4
Supporting every stage of your email security journey
Darktrace / EMAIL supports your security maturity journey, from first time security buyers to mature security stacks looking to augment their existing ESPs – by handling advanced threats without extensive tuning. And unlike other solutions that create a siloed and parallel solution, it works harmoniously with native email providers to create a modern email security stack. That’s why Darktrace performs well with first-time email security buyers and has strong renewal rates.
Integrating with Microsoft and Google via API, we replace traditional Secure Email Gateways (SEGs) with a modern, comprehensive email security stack. By combining approaches, our solution merges attack-centric analysis, which learns attack patterns and threat intelligence, with a business-centric approach that understands user behavior and inbox activity to deliver a unified stack that defends the entire threat spectrum – leading Darktrace to be recognized as Microsoft Partner of the year UK 2024.
Our user-friendly, self-learning AI solution requires minimal tuning and deployment, making it perfect for customers looking for a highly usable but lightly configurable solution that will accompany them throughout their lifetime as they mature their email security stack in line with the evolving threat landscape.
Learn more
Get complimentary access to the full Gartner® Magic Quadrant™ for Email Security Platforms here.
1 From September 1 – December 31 2023, 58% of the phishing emails analyzed by Darktrace / EMAIL had already passed through native spam filtering and email security controls. (Darktrace End of Year Threat Report 2023)
2 When customers deployed the Darktrace / EMAIL Outlook Add-in there was a 60% decrease in incorrectly reported phishing emails. Darktrace Internal Research, 2024
3 Once a user reports phishing that contains a link, an automated second level triage engages our link analysis infrastructure expanding the signals analyzed. Darktrace Internal Research, 2024
Cleo File Transfer Vulnerability: Patch Pitfalls and Darktrace’s Detection of Post-Exploitation Activities
File transfer applications: A target for ransomware
File transfer applications have been a consistent target, particularly for ransomware groups, in recent years because they are key parts of business operations and have trusted access across different parts of an organization that include potentially confidential and personal information about an organization and its employees.
Recent targets of ransomware criminals includes applications like Acellion, Moveit, and GoAnywhere [1]. This seems to have been the case for Cleo’s managed file transfer (MFT) software solutions and the vulnerability CVE-2024-50623.
Threat overview: Understanding Cleo file transfer vulnerability
This vulnerability was believed to have been patched with the release of version 5.8.0.21 in late October 2024. However, open-source intelligence (OSINT) reported that the Clop ransomware group had managed to bypass the initial patch in late November, leading to the successful exploitation of the previously patched CVE.
In the last few days Cleo has published a new vulnerability, CVE-2024-55956, which is not a patch bypass of the CVE-2024-50623 but rather another vulnerability. This is also an unauthenticated file write vulnerability but while CVE-2024-50623 allows for both reading and writing arbitrary files, the CVE-2024-55956 only allows for writing arbitrary files and was addressed in version 5.8.0.24 [2].
Darktrace Threat Research analysts have already started investigating potential signs of devices running the Cleo software with network traffic supporting this initial hypothesis.
Comparison of CVE-2024-50623 and CVE-2024-55956
While CVE-2024-50623 was initially listed as a cross-site scripting issue, it was updated on December 10 to reflect unrestricted file upload and download. This vulnerability could lead to remote code execution (RCE) in versions of Cleo’s Harmony, VLTrader, and LexiCom products prior to 5.8.0.24. Attackers could leverage the fact that files are placed in the "autorun" sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software [3].
CVE-2024-55956, refers to an unauthenticated user who can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory [4]. Both CVEs have occurred due to separate issues in the “/Synchronization” endpoint.
Investigating post exploitation patterns of activity on Cleo software
Proof of exploitation
Darktrace’s Threat Research analysts investigated multiple cases where devices identified as likely running Cleo software were detected engaging in unusual behavior. Analysts also attempted to identify any possible association between publicly available indicators of compromise (IoCs) and the exploitation of the vulnerability, using evidence of anomalous network traffic.
One case involved an Internet-facing device likely running Cleo VLTrader software (based on its hostname) reaching out to the 100% rare Lithuanian IP 181.214.147[.]164 · AS 15440 (UAB Baltnetos komunikacijos).
This activity occurred in the early hours of December 8 on the network of a customer in the energy sector. Darktrace detected a Cleo server transferring around over 500 MB of data over multiple SSL connections via port 443 to the Lithuanian IP. External research reported that this IP appears to be a callback IP observed in post-exploitation activity of vulnerable Cleo devices [3].
While this device was regularly observed sending data to external endpoints, this transfer represented a small increase in data sent to public IPs and coupled with the rarity of the destination, triggered a model alert as well as a Cyber AI Analyst Incident summarizing the transfer. Unfortunately, due to the encrypted connection no further analysis of the transmitted data was possible. However, due to the rarity of the activity, Darktrace’s Autonomous Response intervened and prevented any further connections to the IP.
Figure 1: Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Figure 2: Shows connections to 181.214.147[.]164 and the amount of data transferred.
On the same day, external connections were observed to the external IP 45.182.189[.]225, along with inbound SSL connections from the same endpoint. OSINT has also linked this IP to the exploitation of Cleo software vulnerabilities [5].
Figure 3: Outgoing connections from a Cleo server to an anomalous endpoint.
Figure 4: Incoming SSL connections from the external IP 45.182.189[.]225.
Hours after the last connection to 181.214.147[.]164, the integration detection tool from CrowdStrike, which the customer had integrated with Darktrace, issued an alert. This alert provided additional visibility into host-level processes and highlighted the following command executed on the Cleo server:
Three days later, on December 11, another CrowdStrike integration alert was generated, this time following encoded PowerShell command activity on the server. This is consistent with post-exploitation activity where arbitrary PowerShell commands are executed on compromised systems leveraging the default settings of the Autorun directory, as highlighted by Cleo support [6]. According to external researchers , this process initiates connections to an external IP to retrieve JAR files with webshell-like functionality for continued post-exploitation [3]. The IP embedded in both commands observed by Darktrace was 38.180.242[.]122, hosted on ASN 58061(Scalaxy B.V.). There is no OSINT associating this IP with Cleo vulnerability exploitation at the time of writing.
Another device within the same customer network exhibited similar data transfer and command execution activity around the same time, suggesting it had also been compromised through this vulnerability. However, this second device contacted a different external IP, 5.45.74[.]137, hosted on AS 58061 (Scalaxy B.V.).
Like the first device, multiple connections to this IP were detected, with almost 600 MB of data transferred over the SSL protocol.
Figure 6: The Security Integration Detection Model that was triggered and the PowerShell command observed
Figure 7: Incoming connections from the external IP 38.180.242[.]122.
Figure 8: Connections to the external IP 5.45.74[.]137.
Figure 9: Autonomous Response Actions triggered during the suspicious activities
While investigating potential Cleo servers involved in similar outgoing data activity, Darktrace’s Threat Research team identified two additional instances of likely Cleo vulnerability exploitation used to exfiltrate data outside the network. In those two instances, unusual outgoing data transfers were observed to the IP 176.123.4[.]22 (AS 200019, AlexHost SRL), with around 500 MB of data being exfiltrated over port 443 in one case (the exact volume could not be confirmed in the other instance). This IP was found embedded in encoded PowerShell commands examined by external researchers in the context of Cleo vulnerability exploitation investigations.
Conclusion
Overall, Cleo software represents a critical component of many business operations, being utilized by over 4,000 organizations worldwide. This renders the software an attractive target for threat actors who aim at exploiting internet-facing devices that could be used to compromise the software’s direct users but also other dependent industries resulting in supply chain attacks.
Darktrace / NETWORK was able to capture traffic linked to exploitation of CVE-2024-50623 within models that triggered such as Unusual Activity / Unusual External Data to New Endpoint while its Autonomous Response capability successfully blocked the anomalous connections and exfiltration attempts.
Information on new CVEs, how they're being exploited, and whether they've been patched can be fast-changing, sometimes limited and often confusing. Regardless, Darktrace is able to identify and alert to unusual behavior on these systems, indicating exploitation.
Credit to Maria Geronikolou, Alexandra Sentenac, Emma Fougler, Signe Zaharka and the Darktrace Threat Research team
Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.
Focuses on anomaly detection and behavioral analysis to identify threats
Maps mitigated cases to known, publicly attributed threats for deeper context
Offers guidance on improving security posture to defend against persistent threats
.jpg)
![Shows connections to 181.214.147[.]164 and the amount of data transferred.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/676091f33af052836b8b2b31_6760907938a8ff516ee174bf_Screenshot%25202024-12-16%2520at%252012.41.19%25E2%2580%25AFPM.png)
![Incoming SSL connections from the external IP 45.182.189[.]225.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/676091f13af052836b8b2ab8_676090d8352cd84c711f7144_Screenshot%25202024-12-16%2520at%252012.42.32%25E2%2580%25AFPM.png)
![Incoming connections from the external IP 38.180.242[.]122.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/676091f13af052836b8b2abb_676091935b9e52a6e1bac35c_Screenshot%25202024-12-16%2520at%252012.45.35%25E2%2580%25AFPM.png)
![Connections to the external IP 5.45.74[.]137.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/676091f13af052836b8b2aa3_676091abc2a7bf6fa0e9bc29_Screenshot%25202024-12-16%2520at%252012.45.47%25E2%2580%25AFPM.png)
