Blog
/
/
March 9, 2021

How VPC Traffic Mirroring Boosts Darktrace Security

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Mar 2021
Find out how Amazon VPC Traffic Mirroring enhances Darktrace's cloud security. Learn about its impact on advanced threat detection and management.

Darktrace's Cyber AI brings real-time visibility and adaptive, autonomous defense to your AWS cloud security strategy.

The platform continuously learns what normal behavior looks like for every user, device, and workload in your AWS environment. With this deep understanding of usual ‘patterns of life,’ Darktrace  can recognize the subtle deviations that point to a threat, from account takeovers to critical misconfigurations.

This bespoke, real-time knowledge of usual activity allows Darktrace to spot the unknown and unpredictable threats that get through policy-based defenses – all without relying on any rules, signatures, or prior assumptions.

With Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring, Darktrace’s self-learning AI can seamlessly access granular packet data in AWS cloud environments, helping the platform build a rich understanding of context. AWS’s recent announcement of the extension of VPC Traffic Mirroring to non-Nitro instance types now allows our customers to gain agentless Cyber AI defense across these instances as well.

Expanding VPC traffic mirroring to non-Nitro instances

Amazon VPC Traffic Mirroring replicates the network traffic from EC2 instances within VPCs and allows customers to leverage this traffic for Darktrace’s AI-driven threat detection and investigation. Darktrace’s Cyber AI learns ‘on the job’ what normal activity looks like in customer AWS environments, in part using the real-time visibility provided by VPC Traffic Mirroring. The platform continuously adapts as each customer’s business evolves, a critical feature given the speed and scale of development in the cloud.

Previously, customers could only enable VPC Traffic Mirroring on their Nitro-based EC2 instances. Now, AWS has announced that this seamless access to hundreds of features from network traffic is extended to select non-Nitro instance types, supporting Darktrace’s ability to easily learn the bespoke behavioral patterns of our customers’ Amazon VPCs.

Customers can now enable VPC Traffic Mirroring on additional instances types such as C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1 and X1e that use the Xen-based hypervisor.* This feature is available in all 20 regions where VPC Traffic Mirroring is currently supported.

VPC Traffic Mirroring supports many of Darktrace’s extensive use cases across AWS, which include:

  • Data exfiltration and destruction: Detects anomalous device connections and user access, as well as unusual resource deletion, modification, and movement;
  • Critical misconfigurations: Catches open S3 buckets, anomalous permission changes, and unusual activity around compliance-related data and devices;
  • Compromised credentials: Spots unusual logins, including brute force attempts and unusual login source/time, as well as unusual user behavior, from rule changes to password resets;
  • Insider threat and admin abuse: Identifies the subtle signs of malicious insiders – including sensitive file access, resource modification, role changes, and adding/deleting users.

Figure 1: Darktrace illuminates activity in AWS

Autonomous investigation and response for AWS cloud environments

The Darktrace Security Module for AWS provides additional visibility across AWS environments via interaction with AWS CloudTrail, allowing for AI-powered monitoring of management and administration activity. With this deep knowledge of how your business operates in the cloud, Darktrace delivers total coverage across all your AWS services, including:

  • EC2
  • IAM
  • S3
  • VPC
  • Lambda
  • Athena
  • DynamoDB
  • Route 53
  • ACM
  • RDS

The recently announced Version 5 of the Darktrace, which focuses on protecting the cloud and the remote workforce, further augments Darktrace’s coverage of AWS environments. Among many other exciting new features, Version 5 extends the reach of Cyber AI Analyst and Darktrace RESPOND to cloud environments like AWS VPCs.

Cyber AI Analyst augments the work of security teams by autonomously reporting on the full scope of security incidents and reduces triage time by up to 92%. Cyber AI Analyst can now also conduct on-demand investigations into users and devices of interest, ingest third-party alerts to trigger new investigations, and automatically feed AI-generated Incident Reports to any SIEM, SOAR, or downstream ticketing system.

Meanwhile, Darktrace RESPOND brings Autonomous Response to the critical infrastructure which AWS VPCs provide. Darktrace's responses are surgically precise and intelligently maintain normal business operations while stopping emerging threats in real time.**

“Darktrace's innovations are outstanding and have really meshed with our current needs as a security team, from the flexibility of our new cloud-delivered deployment to the extended visibility of the Darktrace Client Sensors.”

– CISO, Real Estate

We have also launched a dedicated user interface for visualization and intuitive analysis of cloud-based threats identified across AWS via the Darktrace Security Module.

Self-Learning AI defense across the enterprise

Darktrace offers AI-driven defense of cloud infrastructure in AWS, as well as across SaaS applications, email, corporate networks, industrial systems, and remote endpoints. Taking a fundamentally unique approach, Darktrace provides the industry’s only self-learning platform that gives complete coverage and visibility across the organization.

This is a critical benefit, as businesses and workforces today are increasingly complex and dynamic. Darktrace can connect the dots between unusual behavior in disparate infrastructure areas and ensure cloud security is not siloed from the monitoring of the rest of the organization.

Darktrace’s adaptive and unified approach allows the solution to detect, investigate, and respond to the full range of threats facing the enterprise – even those unpredictable threats that move across dynamic and diverse environments.

Learn more about Darktrace and AWS

* VPC Traffic Mirroring is not supported on the T2, R3 and I2 instance types and previous generation instances.
** This product is only available in AWS for customers who leverage Darktrace osSensors.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Andrew Tsonchev
VP, Security & AI Strategy, Field CISO

Andrew is VP, Security & AI Strategy, Field CISO and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

Email

/

February 27, 2025

Fighting the Real Enemy: The Importance of Responsible Vulnerability Disclosure Between Email Security Vendors

Default blog imageDefault blog image

Part of being a cybersecurity vendor is recognizing our responsibility to the security community – while vendor competition exists, it pales in comparison to the threat of our shared adversary: malicious threat actors.

Darktrace is proud to be contributing to the shared mission of fighting attackers; without goodwill among defenders that task is made more difficult for everyone. Through collaboration, we can advance security standards across the board and make the world a safer place.  

With that in mind, Darktrace recently observed an exploitation capability latent in a competing email security vendor’s link rewriting infrastructure, which posed a risk to organizations. Following identification, Darktrace was able to report it to the vendor following their disclosure process. We’ll explore the vulnerability, the potential impact it may have had, how it could have been resolved, and the steps Darktrace took to raise it with the vendor.  

Please note that the following vulnerability we’re about to expose has already been resolved, so there is no risk of it being exploited by others. While keeping this vendor anonymous, we also want to thank them for their cordial response and swift remediation of the issue.

For more information about vulnerability disclosure best practices, refer to the UK National Cyber Security Center’s Vulnerability Disclosure Toolkit.

Details of the vulnerability

Let’s take a look at the weakness Darktrace identified in the link rewriting infrastructure.

In January 2025, Darktrace observed that links generated by a URL rewriting infrastructure could be re-engineered by a malicious actor to point to a URL of their choosing. In this way, a threat actor could effectively use the vendor’s domain to create a malicious domain under their control.

Because a majority of security vendors default to trust from known-safe domains, using one of these links as the payload greatly enhances the likelihood of that email being allow-listed to bypass email security, network URL filtering, and other such security tools, to reach the inbox. This issue meant any adversary could have abused the vendor’s safelink structure to deliver a malicious phishing link payload to any organization. It is likely this exploitation capability could have been found and abused at scale if not addressed.

The problem with said vendor’s link rewriting process was in using standard base-64 encoding instead of randomized encoding, so that anyone could replace the value of the parameter “b=” which contains a base64-encoded form of the original link with a base64-encoded form of a URL of their choosing.

This also posed issues from a privacy perspective. If, for example the encoded link was a SharePoint file, all the included folder names would be available for anyone to see in plaintext.

Example of a phishing attack caught by Darktrace that uses another email security solution’s compromised safelink
Fig 1: Example of a phishing attack caught by Darktrace that uses another email security solution’s compromised safelink

How the vulnerability was resolved

The solution for developers is to ensure the use of randomized encoding when developing link rewriting infrastructure to close the possibility of safelinks being deciphered and re-engineered by malicious actors.

Once Darktrace found this link issue we followed the vendor’s disclosure process to report the potential risk to customers and the wider community, while also conducting a review to ensure that Darktrace customers and their supply chains remained safe. We continued to follow up with the company directly to ensure that the vulnerability was fixed.

This instance highlights the importance of vendors having clear and visible vulnerability disclosure processes (such as RFC9116) and being available to listen to the security community in case of disclosures of this nature.

Why Darktrace was obliged to disclose this vulnerability

Here, Darktrace had two responsibilities: to the security community and to our customers.

As a company whose mission is to protect organizations today and for an ever-changing future, we will never stand by if there is a known risk. If attackers had used the safelinks to create new attacks, any organization could have been exposed due to the inherent trust in this vendor’s links within services that distribute or maintain global whitelists, harm which could have been multiplied by the interlinked nature of supply chains.

This means that not only the vendor’s customers were exposed, but any organization with their safelink in a whitelist was also exposed to this vulnerability. For Darktrace customers, an attack using this link would have been detected and stopped across various service offerings, and a secondary escalation by our Cyber AI Analyst would ensure security teams were aware. Even so, Darktrace has a responsibility to these customers to do everything in its power to minimize their exposure to risk, even if it comes from within their own security stack.

Why Darktrace customers remain protected

If a Darktrace / EMAIL, Darktrace / NETWORK, or any other Darktrace ActiveAI Security Platform customer was exposed to this type of vulnerability, our unique Self-Learning AI approach and defense-in-depth philosophy means they stay protected.

Darktrace / EMAIL doesn’t approach links from a binary perspective – as safe, or unsafe – instead every link is analyzed for hundreds of metrics including the content and context in which it was delivered. Because every user’s normal behavior is baselined, Darktrace can immediately detect anomalies in link-sharing patterns that may point to a threat. Furthermore, our advanced link analysis includes metrics on how links perform within a browser and in-depth visual analysis, to detect even well-disguised payloads.

None of Darktrace’s customers were compromised as a result of this vulnerability. But should a customer have clicked on a similar malicious link, that’s where a platform approach to security comes in. Detecting threats that traverse domains is one strength of the Darktrace ActiveAI Security Platform. Our AI correlates data from across the digital estate to spot suspicious activity in the network, endpoint or cloud that may have originated from a malicious email. Darktrace’s Cyber AI Analyst then performs triage and investigation of alerts to raise those of high importance to an incident, allowing for human-analyst validation and escalation.

As demonstrated by finding this vulnerability in another vendor, Darktrace’s R&D teams are always thinking like an attacker as they develop our products, to allow us to remain one step ahead for our customers.

Conclusion

We hope this example can be useful to developers working on link rewriting infrastructure, or to vendors figuring out how to proceed with a disclosure to another vendor. We’re pleased to have been able to collaborate with said vendor in this instance, and hope that it serves to illustrate the importance of defenders working together towards the common goal of keeping organizations safe from hostile cyber actors.

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

February 27, 2025

New Threat on the Prowl: Investigating Lynx Ransomware

Default blog imageDefault blog image

What is Lynx ransomware?

In mid-2024, a new ransomware actor named Lynx emerged in the threat landscape. This Ransomware-as-a-Service (RaaS) strain is known to target organizations in the finance, architecture, and manufacturing sectors [1] [2]. However, Darktrace’s Threat Research teams also identified Lynx incidents affecting energy and retail organizations in the Middle East and Asia-Pacific (APAC) regions. Despite being a relatively new actor, Lynx’s malware shares large portions of its source code with the INC ransomware variant, suggesting that the group may have acquired and repurposed the readily available INC code to develop its own strain [2].

What techniques does Lynx ransomware group use?

Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction. The group poses a sophisticated double extortion threat to organizations, exfiltrating sensitive data prior to encryption [1]. This tactic allows threat actors to pressure their targets by threatening to release sensitive information publicly or sell it if the ransom is not paid. The group has also been known to gradually release small batches of sensitive information (i.e., “drip” data) to increase pressure.

Once executed, the malware encrypts files and appends the extension ‘.LYNX’ to all encrypted files. It eventually drops a Base64 encoded text file as a ransom note (i.e., README.txt) [1]. Should initial file encryption attempts fail, the operators have been known to employ privilege escalation techniques to ensure full impact [2].

In the Annual Threat Report 2024, Darktrace’s Threat Research team identified Lynx ransomware as one of the top five most significant threats, impacting both its customers and the broader threat landscape.

Darktrace Coverage of Lynx Ransomware

In cases of Lynx ransomware observed across the Darktrace customer base, Darktrace / NETWORK identified and suggested Autonomous Response actions to contain network compromises from the onset of activity.  

Detection of lateral movement

One such Lynx compromise occurred in December 2024 when Darktrace observed multiple indicators of lateral movement on a customer network. The lateral movement activity started with a high volume of attempted binds to the service control endpoint of various destination devices, suggesting SMB file share enumeration. This activity also included repeated attempts to establish internal connections over destination port 445, as well as other privileged ports. Spikes in failed internal connectivity, such as those exhibited by the device in question, can indicate network scanning. Elements of the internal connectivity also suggested the use of the attack and reconnaissance tool, Nmap.

Indicators of compromised administrative credentials

Although an initial access point could not be confirmed, the widespread use of administrative credentials throughout the lateral movement process demonstrated the likely compromise of such privileged usernames and passwords. The operators of the malware frequently used both 'admin' and 'administrator' credentials throughout the incident, suggesting that attackers may have leveraged compromised default administrative credentials to gain access and escalate privileges. These credentials were observed on numerous devices across the network, triggering Darktrace models that detect unusual use of administrative usernames via methods like NTLM and Kerberos.

Data exfiltration

The lateral movement and reconnaissance behavior was then followed by unusual internal and external data transfers. One such device exhibited an unusual spike in internal data download activity, downloading around 150 GiB over port 3260 from internal network devices. The device then proceeded to upload large volumes of data to the external AWS S3 storage bucket: wt-prod-euwest1-storm.s3.eu-west-1.amazonaws[.]com. Usage of external cloud storage providers is a common tactic to avoid detection of exfiltration, given the added level of legitimacy afforded by cloud service provider domains.

Furthermore, Darktrace observed the device exhibiting behavior suggesting the use of the remote management tool AnyDesk when it made outbound TCP connections to hostnames such as:

relay-48ce591e[.]net[.]anydesk[.]com

relay-c9990d24[.]net[.]anydesk[.]com

relay-da1ad7b4[.]net[.]anydesk[.]com

Tools like AnyDesk can be used for legitimate administrative purposes. However, such tools are also commonly leveraged by threat actors to enable remote access and further compromise activity. The activity observed from the noted device during this time suggests the tool was used by the ransomware operators to advance their compromise goals.

The observed activity culminated in the encryption of thousands of files with the '.Lynx' extension. Darktrace detected devices performing uncommon SMB write and move operations on the drives of destination network devices, featuring the appending of the Lynx extension to local host files. Darktrace also identified similar levels of SMB read and write sizes originating from certain devices. Parallel volumes of SMB read and write activity strongly suggest encryption, as the malware opens, reads, and then encrypts local files on the hosted SMB disk share. This encryption activity frequently highlighted the use of the seemingly-default credential: "Administrator".

In this instance, Darktrace’s Autonomous Response capability was configured to only take action upon human confirmation, meaning the customer’s security team had to manually apply any suggested actions. Had the deployment been fully autonomous, Darktrace would have blocked connectivity to and from the affected devices, giving the customer additional time to contain the attack and enforce existing network behavior patterns while the IT team responded accordingly.

Conclusion

As reported by Darktrace’s Threat Research team in the Annual Threat Report 2024, both new and old ransomware strains were prominent across the threat landscape last year. Due to the continually improving security postures of organizations, ransomware actors are forced to constantly evolve and adopt new tactics to successfully carry out their attacks.

The Lynx group’s use of INC source code, for example, suggests a growing accessibility for threat actors to launch new ransomware strains based on existing code – reducing the cost, resources, and expertise required to build new malware and carry out an attack. This decreased barrier to entry will surely lead to an increased number of ransomware incidents, with attacks not being limited to experienced threat actors.

While Darktrace expects ransomware strains like Lynx to remain prominent in the threat landscape in 2025 and beyond, Darktrace’s ability to identify and respond to emerging ransomware incidents – as demonstrated here – ensures that customers can safeguard their networks and resume normal business operations as quickly as possible, even in an increasingly complex threat landscape.

Credit to Justin Torres (Senior Cyber Analyst) and Adam Potter (Senior Cyber Analyst).

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

  • Identity-based attacks: How attackers are bypassing traditional defenses
  • Zero-day exploitation: The rise of previously unknown vulnerabilities
  • AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

References

1.     https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/

2.     https://cybersecsentinel.com/lynx-ransomware-strikes-new-targets-unveiling-advanced-encryption-techniques/

Autonomous Response Model Alerts

·      Antigena::Network::Significant Anomaly::Antigena Alerts Over Time Block

·      Antigena::Network::Insider Threat::Antigena Active Threat SMB Write Block

·      Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block

·      Antigena::Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·      Antigena::Network::Insider Threat::Antigena Network Scan Block

·      Antigena::Network::Insider Threat::Antigena Internal Anomalous File Activity

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Block

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Pattern of Life Block

·      Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block

Darktrace / NETWORK Model Alerts

·      Device::Multiple Lateral Movement Model Alerts

·      Device::Suspicious Network Scan Activity

·      Anomalous File::Internal::Additional Extension Appended to SMB File

·      Device::SMB Lateral Movement

·      Compliance::SMB Drive Write

·      Compromise::Ransomware::Suspicious SMB Activity

·      Anomalous File::Internal::Unusual SMB Script Write

·      Device::Network Scan

·      Device::Suspicious SMB Scanning Activity

·      Device::RDP Scan

·      Unusual Activity::Anomalous SMB Move & Write

·      Anomalous Connection::Sustained MIME Type Conversion

·      Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

·      Unusual Activity::Sustained Anomalous SMB Activity

·      Device::ICMP Address Scan

·      Compromise::Ransomware::Ransom or Offensive Words Written to SMB

·      Anomalous Connection::Suspicious Read Write Ratio

·      Anomalous File::Internal::Masqueraded Executable SMB Write

·      Compliance::Possible Unencrypted Password File On Server

·      User::New Admin Credentials on Client

·      Compliance::Remote Management Tool On Server

·      User::New Admin Credentials on Server

·      Anomalous Connection::Unusual Admin RDP Session

·      Anomalous Connection::Download and Upload

·      Anomalous Connection::Uncommon 1 GiB Outbound

·      Unusual Activity::Unusual File Storage Data Transfer

List of IoCs

IoC - Type - Description + Confidence

- ‘. LYNX’ -  File Extension -  Lynx Ransomware file extension appended to encrypted files

MITRE ATT&CK Mapping  

(Technique Name - Tactic - ID - Sub-Technique of)

Taint Shared Content - LATERAL MOVEMENT - T1080

Data Encrypted for - Impact - IMPACT T1486

Rename System Utilities - DEFENSE EVASION - T1036.003 - T1036

Continue reading
About the author
Justin Torres
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI