Blog

Threat finds

Insider threats, supply chains and IoT: Breaking down a modern-day cyber-attack

03 May 2021
The threat landscape is not what it used to be. Expanding ecosystems and globalized supply chains offer many opportunities to threat actors. Darktrace detects these vectors daily, sometimes within the same attack.

It is ten to five on a Friday afternoon. A technician has come in to perform a routine check on an electronic door. She enters the office without any trouble: she works for a trusted third-party vendor, and staff see her every week. She opens her laptop and connects to the Door Access Control Unit, a small Internet of Things (IoT) device used to operate the smart lock. Minutes later, trojans have been downloaded onto the company network, a cryptomining operation has started, and there is evidence of confidential data being exfiltrated. Where did things go wrong?

Threats inside a business: a new dawn

As organizations keep up with the demands of digital transformation, the attack surface has become broader than ever. There are countless entry points for a cyber-criminal: vulnerabilities in IoT ecosystems, blind spots in supply chains, and insiders misusing their access to the business. Darktrace sees these threats every day. Sometimes, as in the real-world example above, which is examined in this blog, they occur in the very same attack.

Insider threats can use their familiarity with a system, and their level of access to it, as a critical advantage when evading detection and launching an attack. But insiders do not have to be malicious. Every employee or contractor is a potential threat: clicking a phishing link or accidentally leaking data often leads to large-scale breaches.

At the same time, connectivity in the workplace, with every IoT device talking to the corporate network and the Internet on its own IP address, is a pressing security issue. Access control systems, for example, add a layer of physical security by tracking who enters the office and when. However, these same control systems put digital security at risk by introducing a cluster of sensors, locks, alarm systems and keypads that hold sensitive user information and connect to the company's infrastructure.

Moreover, a significant proportion of IoT devices are built without security in mind. Vendors prioritize time-to-market and often lack the resources to invest in baked-in security measures. Consider the number of start-ups manufacturing IoT: more than 60% of home automation companies have fewer than ten employees.

Insider threat detected by Cyber AI

In January 2021, a medium-sized North American company suffered a supply chain attack when a third-party vendor connected to the control unit for a smart door.

Figure 1: The attack lasted 3.5 hours in total, starting at 16:50 local time.

The technician from the vendor's company had come to perform scheduled maintenance. They had been authorized to connect directly to the Door Access Control Unit, but did not know that the laptop they were using, brought in from outside the organization, had been infected with malware.

As soon as the laptop connected to the control unit, the malware detected an open port, identified the vulnerability and began to move laterally. Within minutes, the IoT device was seen making highly unusual connections to rare external IP addresses. The connections were made over HTTP and carried suspicious user agents and URIs.

Darktrace then detected that the control unit was attempting to download trojans and other payloads, including upsupx2.exe and 36BBB9658.moe. Other connections were used to send base64-encoded strings containing the device name and the organization's external IP address.

Cryptocurrency mining activity with a Monero (XMR) CPU miner was detected shortly afterwards. The device also used an SMB exploit to make external connections on port 445 while searching for vulnerable internal devices using the outdated SMBv1 protocol.

An hour later, the device connected to an endpoint related to the third-party remote access tool TeamViewer. A few minutes after that, the device was seen uploading more than 15 MB to a 100% rare external IP.

Figure 2: Timeline of the connections made by an example device in the days around an incident (blue). The connections associated with the compromise are a significant deviation from the device's normal pattern of life, and result in multiple unusual activity events and repeated model breaches (orange).
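The two network-level tells in this incident, an IoT device suddenly speaking with a new user agent and URIs carrying base64-encoded identifiers, can be checked without any signature for the specific malware. The following is an added Python example, not code from Darktrace or from this post, that runs those two checks over constructed HTTP log lines. The log format, the device IP 10.0.4.21, the baseline user agent "DoorCtrl/1.2" and the encoded payload "door-ctrl-01|203.0.113.42" are all assumptions made up for the example; the hostname heuristic is deliberately loose and is there to catch device names like the one in the incident.

```python
import base64
import binascii
import re

# Format of the constructed HTTP/proxy log lines used below (an assumption for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r'UA="(?P<ua>[^"]*)"$'
)
# Candidate base64 tokens in a URI: standard or URL-safe alphabet, 16+ characters.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loose hostname heuristic: a label of letters/digits/hyphens that starts with a letter.
HOST_RE = re.compile(r"\b[a-z][a-z0-9-]{3,}\b", re.I)
PRINTABLE = set(chr(c) for c in range(0x20, 0x7F)) | set("\t\r\n")


def try_b64(token: str):
    """Decode a standard or URL-safe base64 token; return printable ASCII text or None."""
    core = token.rstrip("=").translate(str.maketrans("-_", "+/"))
    padded = core + "=" * (-len(core) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def find_encoded_identifiers(uri: str):
    """Return (token, decoded) pairs whose decoded text carries an IPv4 address or a hostname-like name."""
    hits = []
    for token in B64_RE.findall(uri):
        text = try_b64(token)
        if text and (IPV4_RE.search(text) or HOST_RE.search(text)):
            hits.append((token, text))
    return hits


def analyze(lines, known_uas):
    """Flag lines with a user agent never seen from that source, or base64 identifiers in the URI.

    known_uas maps a device IP to the set of user agents seen during its baseline period (assumed input).
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        reasons = []
        if rec["ua"] not in known_uas.get(rec["src"], set()):
            reasons.append(f"new user agent: {rec['ua']!r}")
        for token, text in find_encoded_identifiers(rec["uri"]):
            reasons.append(f"base64 token {token[:12]}... decodes to {text!r}")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return findings


# Constructed sample data: an IoT device whose only baseline user agent is "DoorCtrl/1.2".
DEVICE = "10.0.4.21"
KNOWN_UAS = {DEVICE: {"DoorCtrl/1.2"}}
# The device name and the organization's public IP, base64-encoded here only to build the sample line.
ENCODED_ID = base64.b64encode(b"door-ctrl-01|203.0.113.42").decode()
SAMPLE_LOG = [
    f'2021-01-15T16:48:02 {DEVICE} -> 192.0.2.10:80 GET /api/heartbeat UA="DoorCtrl/1.2"',
    f'2021-01-15T16:52:10 {DEVICE} -> 198.51.100.7:80 GET /upsupx2.exe UA="Mozilla/4.0 (compatible; MSIE 6.0)"',
    f'2021-01-15T16:53:41 {DEVICE} -> 198.51.100.7:80 GET /reg?d={ENCODED_ID} UA="Mozilla/4.0 (compatible; MSIE 6.0)"',
    f'2021-01-15T16:55:03 {DEVICE} -> 192.0.2.10:80 POST /api/status?v=firmware-2021-01-build UA="DoorCtrl/1.2"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, KNOWN_UAS):
        print(f["ts"], f["src"], "->", f["dst"])
        for r in f["reasons"]:
            print("   ", r)
```

The base64 check uses strict decoding and a printable-ASCII filter so that ordinary path segments such as firmware-2021-01-build, which happen to look like base64, are discarded rather than reported. For a device with a fixed firmware, an empty baseline set is a valid input: every user agent it ever presents is then new, which is exactly the behaviour that exposed this control unit.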

Security threats in the supply chain

Cyber AI flagged the insider threat to the customer as soon as the control unit was compromised. The attack had managed to bypass the rest of the organization's security stack, for the simple reason that it was introduced directly from a trusted external laptop, and the IoT device itself was managed by the third-party vendor, so the customer had little visibility over it.

Traditional security tools are ineffective against supply chain attacks like this one. From the SolarWinds hack to Vendor Email Compromise, 2021 put the nail in the coffin of signature-based security, proving that we cannot rely on yesterday's attacks to predict tomorrow's threats.

International supply chains, and the sheer number of partners and vendors that modern organizations work with, thus pose a serious security dilemma: how can we let external vendors into our network and still keep the system airtight?

The first answer is zero trust. This means treating every device as potentially malicious, inside and outside the corporate network, and requiring verification at every step. The second answer is visibility and response. Security products must shine a clear light on cloud and IoT infrastructure and react autonomously as soon as subtle anomalies surface anywhere in the enterprise.

IoT investigated

Darktrace's Cyber AI Analyst reported on every stage of the attack, including the download of the first malicious executable file.

Figure 3: Example of Cyber AI Analyst detecting anomalous behavior on a device, including C2 connectivity and suspicious file downloads.

Cyber AI Analyst investigated the C2 connectivity, providing a high-level summary of the activity. The IoT device had accessed suspicious MOE files with randomly generated alphanumeric names.

Figure 4: A Cyber AI Analyst summary of C2 connectivity for a device.

Not only did the AI detect every stage of the activity, but the customer was also alerted via a Proactive Threat Notification following a high-scoring model breach at 16:59, just minutes after the attack began.

Stranger danger

Third parties coming in to adjust device settings and tweak the network can have unintended consequences. The hyper-connected world we live in, with the advent of 5G and Industry 4.0, has become a digital playground for cyber-criminals.

In the real-world case study above, the IoT device was insecure and misconfigured. With hastily built IoT ecosystems, intertwined supply chains and a range of individuals and devices connecting to corporate infrastructure, modern organizations cannot expect simple security tools that rely on pre-defined rules to stop insider threats and other advanced cyber-attacks.

The organization had no visibility over the management of the Door Access Control Unit. Despite this, and despite having no prior knowledge of the attack type or of the vulnerabilities present in the IoT device, Darktrace detected the behavioral anomalies immediately. Without Cyber AI, the infection could have remained in the customer's environment for weeks or months, escalating privileges, silently cryptomining and exfiltrating sensitive company data.

Thanks to Darktrace analyst Grace Carballo for her insights on the above threat find.

Learn more about insider threats

Darktrace model detections:

  • Anomalous File / Anomalous Octet Stream
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Unusual Activity / Unusual External Connectivity
  • Device / Increased External Connectivity
  • Anomalous Server Activity / Outgoing from Server
  • Device / New User Agent and New IP
  • Compliance / Cryptocurrency Mining Activity
  • Compliance / External Windows Connectivity
  • Anomalous File / Multiple EXE from Rare External Locations
  • Anomalous File / EXE from Rare External Location
  • Device / Large Number of Model Breaches
  • Anomalous File / Internet Facing System File Download
  • Device / Initial Breach Chain Compromise
  • Device / SMB Session Bruteforce
  • Device / Network Scan - Low Anomaly Score
  • Device / Large Number of Connections to New Endpoint
  • Compromise / Beacon to Young Endpoint
  • Anomalous Server Activity / Rare External from Server
  • Device / Multiple C2 Model Breaches
  • Compliance / Remote Management Tool on Server
  • Anomalous Connection / Data Sent to New External Device


About the author
Brianna Leddy
Director of Analysis

Based in San Francisco, Brianna is Director of Analysis at Darktrace. She joined the analyst team in 2016 and has since advised a wide range of enterprise customers on advanced threat hunting and on leveraging Self-Learning AI for detection and response. Brianna works closely with the Darktrace SOC team to proactively alert customers to emerging threats and to investigate unusual behavior in enterprise environments. Brianna holds a Bachelor's degree in Chemical Engineering from Carnegie Mellon University.


Blog

Email

Beyond DMARC: Navigating the Gaps in Email Security

29 Feb 2024

Email threat landscape  

Email has consistently ranked among the most targeted attack vectors, given its ubiquity and criticality to business operations. From September to December 2023, 10.4 million phishing emails were detected across Darktrace's customer fleet, demonstrating the frequency of attempted email-based attacks.

Businesses are searching for ways to harden their email security posture, alongside email providers who are aiming to reduce the volume of malicious email traversing their infrastructure and affecting their clients. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a useful industry-wide protocol organizations can leverage to move towards these goals.

What is DMARC?

DMARC is an email authentication protocol designed to enhance the security of email communication.

Major email service providers Google and Yahoo recently made the protocol mandatory for bulk senders in an effort to make inboxes safer worldwide. The new requirements demonstrate an increasing need for a standardized solution as misconfigured or nonexistent authentication systems continue to allow threat actors to evade detection and leverage the legitimate reputation of third parties.  

DMARC is a powerful tool that allows email administrators to confidently identify and stop certain spoofed emails; however, more organizations must implement the standard for it to reach its full potential. The success and effectiveness of DMARC is dependent on broad adoption of the standard – by organizations of all sizes.  

How does DMARC work?

DMARC builds on two key authentication technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and significantly improves their ability to prevent domain spoofing. SPF verifies that the sending server's IP address is authorized to send email on behalf of the envelope sender (MAIL FROM) domain, and DKIM ensures the integrity of email content through a verifiable digital signature tied to the signing domain named in the signature's d= tag.

DMARC adds to this by allowing domain owners to publish a policy, in a DNS TXT record at _dmarc.<domain>, that states how the domain authenticated by SPF or DKIM must align with the domain in the From: header presented to users, and what the receiving mail server should do (none, quarantine or reject) with messages that fail. This matters because neither SPF nor DKIM on its own checks the From: address the user actually sees.

These policies work in tandem to help authenticate email senders by verifying the emails are from the domain they say they are, working to prevent domain spoofing attacks. Key benefits of DMARC include:

  1. Phishing protection: DMARC protects against direct domain spoofing, in which a threat actor impersonates a legitimate domain. This is a common phishing technique used to trick employees into handing over sensitive information such as privileged credentials or bank details.
  2. Improving brand reputation: As DMARC helps to prevent impersonation of domains, it stands to maintain and increase an organization’s brand reputation. Additionally, as organizational reputation improves, so will the deliverability of emails.
  3. Increased visibility: DMARC provides enhanced visibility into email communication channels, including reports of all emails sent on behalf of your domain. This allows security teams to identify shadow-IT and any unauthorized parties using their domain.

Understanding DMARC’s Limitations

DMARC is often positioned as a way for organizations to 'solve' their email security problems; however, 65% of the phishing emails observed by Darktrace successfully passed DMARC verification, indicating that a significant number of threat actors are capable of working around email authentication systems. While DMARC is a valuable tool in the fight against email-based attacks, the evolving threat landscape demands a closer look at its limitations.

As threat actors continue to innovate, improving their stealth and evasion tactics, the number of attacks with valid DMARC authentication will only continue to increase in volume and sophistication. These can include:

  1. Phishing attacks that leverage non-spoofed domains: DMARC allows an organization to protect the domains that it owns, preventing threat actors from sending phishing emails that claim to come from those domains. However, threat actors will often register and use 'look-alike' domains that closely resemble an organization's domain to dupe users, and mail from a look-alike domain with its own valid SPF and DKIM passes DMARC. 3% of the phishing emails identified by Darktrace used newly created domains, demonstrating shifting tactics.
  2. Email account takeovers: If a threat actor gains access to a user's email account by other means, such as credential stuffing or social engineering, they can then send phishing emails from the legitimate domain to pursue further attacks. Even though these emails are malicious, DMARC would not identify them as such because they come from an authorized domain and sender.

Organizations must also ensure their inbound analysis of emails is not skewed by successful DMARC authentication. Security teams cannot inherently trust emails that pass DMARC, because the source cannot always be legitimized, as in the event of an account takeover. If a threat actor gains access to an authenticated email account, emails sent by the threat actor from that account will pass DMARC, yet the contents of those emails may be malicious. Sender behavior must be continuously evaluated and vetted in real time, as neither past communication history nor a valid DMARC result can be relied upon on its own amid an ever-changing threat landscape.
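To make the "How does DMARC work?" section and the two limitations above concrete, here is an added Python example (not code from Darktrace or from this post) that parses a published DMARC record and applies the pass/fail and disposition rules of RFC 7489 to the SPF and DKIM results a receiving server already holds. The AuthResult field names, the record texts, the domains example.com and examp1e.com, and the two-label shortcut for the organizational domain are assumptions made for the example; a real receiver looks the record up at _dmarc.<From-domain> and uses the Public Suffix List for organizational domains. The scenarios reproduce the limitations: a look-alike domain with its own valid SPF and DKIM passes, and mail from a taken-over mailbox passes.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """What a receiving server knows after SPF and DKIM checks (field names assumed for this example)."""
    header_from: str   # domain of the RFC5322.From address shown to the user
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom (envelope) domain SPF was evaluated for
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' and fill RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumed here to be the last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate_dmarc(auth: AuthResult, record: str) -> dict:
    """Apply the From-domain owner's DMARC policy to the SPF/DKIM outcome for one message."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.header_from, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, auth.header_from, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],   # what p= asks the receiver to do on failure
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


# Constructed scenarios: example.com is the protected domain, examp1e.com a look-alike the attacker registered.
PROTECTED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"
LOOKALIKE_RECORD = "v=DMARC1; p=none"
SCENARIOS = {
    "exact-domain spoof": (AuthResult("example.com", "pass", "attacker.example", "none", ""), PROTECTED_RECORD),
    "subdomain signer, relaxed": (AuthResult("example.com", "none", "", "pass", "mail.example.com"), PROTECTED_RECORD),
    "subdomain signer, strict": (AuthResult("example.com", "none", "", "pass", "mail.example.com"), "v=DMARC1; p=reject; adkim=s"),
    "taken-over mailbox": (AuthResult("example.com", "pass", "example.com", "pass", "example.com"), PROTECTED_RECORD),
    "look-alike domain": (AuthResult("examp1e.com", "pass", "examp1e.com", "pass", "examp1e.com"), LOOKALIKE_RECORD),
}


def run_scenarios() -> dict:
    return {name: evaluate_dmarc(auth, rec) for name, (auth, rec) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28} -> {verdict['result']:4} (disposition: {verdict['disposition']})")
```

The first scenario is the one DMARC was built for: SPF passes for the attacker's own envelope domain, but that domain does not align with example.com in the From: header, so the message fails and the p=reject policy applies. The last two scenarios pass cleanly, which is why a DMARC pass must feed, not replace, the behavioural analysis of the sender.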

Security teams should lean on other security measures, such as anomaly detection tools that can identify suspicious emails without relying on historical attack rules and static data. While DMARC is not a silver bullet for email security, it is nevertheless foundational in helping organizations protect their brand identity and must be viewed as an essential layer in an organization's overall cyber security strategy.  

Implementing DMARC

Despite the criticality of DMARC for preserving brand reputation and trust, adoption of the standard has been inconsistent. DMARC can be complex to implement with many organizations lacking the time required to understand and successfully implement the standard. Because of this, DMARC set-up is often outsourced, giving security and infrastructure teams little to no visibility into or control of the process.  

Implementation of DMARC is only the start of this process, as DMARC reports must be consistently monitored to ensure organizations have visibility into who is sending mail from their domain, the volume of mail being sent and whether the mail is passing authentication protocols. This process can be time consuming for security teams who are already faced with mounting responsibilities, tight budgets, and personnel shortages. These complexities unfortunately delay organizations from using DMARC – especially as many today still view it as a ‘nice to have’ rather than an essential.  

Despite the potential complexities of the DMARC implementation process, there are still well-trodden ways for security and infrastructure teams to roll out the standard successfully. Initial implementation should start with monitoring (a p=none policy with aggregate reports enabled), followed by policy adjustment as legitimate senders are brought into SPF and DKIM, and then enforcement (p=quarantine, then p=reject). As the business changes over time, DMARC should be reviewed regularly to ensure ongoing protection and maintain domain reputation.

The Future of Email Security

As email-based attacks continue to rise, the industry must recognize the importance of driving adoption of foundational email authentication protocols. To do this, a new and innovative approach to DMARC is needed. DMARC products must evolve to better support organizations throughout the ongoing DMARC monitoring process, rather than just initial implementation. These products must also be able to share intelligence across an organization’s security stack, extending beyond email security tools. Integration across these products and tools will help organizations optimize their posture, ensuring deep understanding of their domain and increased visibility across the entire enterprise.

DMARC is critical in protecting brand identity and mitigating exact-domain attacks. However, organizations must understand DMARC's specific benefits and limitations to ensure their inboxes are fully protected. In today's evolving threat landscape, organizations require a robust, multi-layered approach to stop email threats, in inbound mail and beyond. Email threats have evolved; it's time security did too.

Join Darktrace on 9 April for a virtual event to explore the latest innovations needed to get ahead of the rapidly evolving threat landscape. Register today to hear more about our latest innovations coming to Darktrace’s offerings. For additional insights check out Darktrace’s 2023 End of Year Threat Report.

Credit to Carlos Gray and Stephen Pickman for their contribution to this blog

About the author
Carlos Gray
Product Manager

Blog

Inside the SOC

No Bad Luck for Darktrace: Combatting ALPHV BlackCat Ransomware

29 Feb 2024

As-a-Service malware trending

Throughout the course of 2023, “as-a-Service” strains of malware remained the most consistently observed threat type to affect Darktrace customers, mirroring their overall prominence across the cyber threat landscape. With this trend expected to continue throughout 2024, organizations and their security teams should be prepared to defend their network against increasingly versatile and tailorable malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) strains [1].

What is ALPHV ransomware?

The ALPHV ransomware, also known as ‘BlackCat’ or ‘Noberus’, is one example of a RaaS strain that has been prominent across the threat landscape over the last few years.

ALPHV is a ransomware strain coded in the Rust programming language. The ransomware is sold as part of the RaaS economy [2], with samples of the ransomware being provided and sold by a criminal group (the RaaS ‘operator’) to other cybercriminals (the RaaS ‘affiliates’) who then gain entry to organizations' networks with the intention of detonating the ransomware and demanding ransom payments.

ALPHV was likely first used in the wild back in November 2021 [3]. Since then, it has become one of the most prolific ransomware strains, with the Federal Bureau of Investigation (FBI) reporting nearly USD 300 million in ALPHV ransom payments as of September 2023 [4].

In December 2023, the FBI and the US Department of Justice announced a successful disruption campaign against the ALPHV group, which included a takedown of their data leak site and the release of a decryption tool for the ransomware strain [5]. In February 2024, the US Department of State announced a reward of up to USD 10 million for information leading to the identification or location of anyone occupying a key leadership position in the group operating the ALPHV ransomware strain [6].

The disruption campaign against the ransomware group appears to have been successful, as evidenced by the recent, significant decline in ALPHV attacks; however, it would not be surprising for the group to simply return under new branding, as its apparent predecessors, DarkSide and BlackMatter, did [7].

How does ALPHV ransomware work?

ALPHV affiliates have been known to employ a variety of methods to progress towards their objective of detonating ALPHV ransomware [4]. In the latter half of 2023, ALPHV affiliates were observed using malicious advertising (malvertising) to deliver a Python-based backdoor-dropper known as 'Nitrogen' to users' devices [8][12]. These malvertising operations consisted of affiliates setting up malicious search-engine adverts for tools such as WinSCP and AnyDesk.

Users' interactions with these adverts led them to sites resembling legitimate software distribution sites. Users' attempts to download software from these spoofed sites resulted in the delivery of a backdoor-dropping malware sample dubbed 'Nitrogen' to their devices. Nitrogen has been observed dropping a variety of command-and-control (C2) implants onto users' devices, including Cobalt Strike Beacon and Sliver C2. ALPHV affiliates often used the backdoor access afforded to them by these C2 implants to conduct reconnaissance and move laterally, in preparation for detonating ALPHV ransomware payloads.

Darktrace Detection of ALPHV Ransomware

During October 2023, Darktrace observed several cases of ALPHV affiliates attempting to infiltrate organizations' networks via the use of malvertising to socially engineer users into downloading and installing Nitrogen from impersonation websites such as 'wireshhark[.]com' and wìnscp[.]net (i.e, xn--wnscp-tsa[.]net).

While the attackers managed to bypass traditional security measures and evade detection by using a device belonging to the customer's IT team to carry out their malicious activity, Darktrace DETECT™ swiftly identified the subtle indicators of compromise (IoCs) in the first instance. This swift detection of ALPHV, along with Cyber AI Analyst™ autonomously investigating the wide array of post-compromise activity, gave the customer full visibility over the attack, enabling them to promptly initiate their remediation and recovery efforts.

Unfortunately, in this incident, Darktrace RESPOND™ was not fully deployed within the customer's environment, hindering its ability to autonomously counter emerging threats. Had RESPOND been fully operational, it would have contained the attack in its early stages, avoiding the eventual detonation of the ALPHV ransomware.

Figure 1: Timeline of the ALPHV ransomware attack.

In mid-October, a member of the IT team at a US-based Darktrace customer attempted to install the network traffic analysis software Wireshark onto their desktop. Due to the customer's configuration, Darktrace's visibility over this device was limited to its internal traffic; despite this, it was still able to identify and alert on a string of suspicious activity conducted by the device.

Initially, Darktrace observed the device making type A DNS requests for 'wiki.wireshark[.]org' immediately before making type A DNS requests for the domain names 'www.googleadservices[.]com', 'allpcsoftware[.]com', and 'wireshhark[.]com' (note the two 'h's). This pattern of activity indicates that the device’s user was redirected to the website, wireshhark[.]com, as a result of the user's interaction with a sponsored Google Search result pointing to allpcsoftware[.]com.

At the time of analysis, navigating to wireshhark[.]com directly from the browser search bar led to a YouTube video of Rick Astley's song "Never Gonna Give You Up". This suggests that the website, wireshhark[.]com, had been configured to redirect users to this video unless they had arrived at the website via the relevant sponsored Google Search result [8].

Although it was not possible to confirm this with certainty, it is highly likely that users who visited the website via the appropriate sponsored Google Search result were led to a fake website (wireshhark[.]com) posing as the legitimate website, wireshark[.]com. It seems that the actors who set up this fake version of wireshark[.]com were inspired by the well-known bait-and-switch technique known as 'rickrolling', where users are presented with a desirable lure (typically a hyperlink of some kind) which unexpectedly leads them to a music video of Rick Astley's "Never Gonna Give You Up".
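The lookup sequence above (the real wiki.wireshark.org, then an ad-network domain, then the look-alike wireshhark.com) is detectable from DNS logs alone, as is the punycode form of the wìnscp.net site mentioned earlier. The following is an added Python example, not code from Darktrace or from this post, that folds each queried name (decoding xn-- labels, stripping diacritics, mapping digit-for-letter substitutions), compares the second-level label against a watch-list of protected tool names by edit distance, and ties a look-alike lookup to an ad click when the same client resolved an ad-network domain moments before. The watch-list, the ad-network list, the log format and the sample lines are constructed for the example; the two-label "registrable domain" shortcut should be replaced by a Public Suffix List lookup in production.

```python
import re
import unicodedata
from datetime import datetime

# Constructed watch-list: the tools whose download sites were impersonated, keyed by second-level label.
WATCHED_LABELS = {"wireshark", "winscp", "anydesk"}
LEGITIMATE = {"wireshark.org", "winscp.net", "anydesk.com"}
AD_NETWORKS = {"googleadservices.com", "doubleclick.net"}
MAX_DISTANCE = 1      # edit distance (after folding) still treated as a look-alike
AD_WINDOW_S = 60      # seconds after an ad-network lookup in which a look-alike lookup is tied to an ad click
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) A (?P<qname>\S+)$")


def to_unicode_host(name: str) -> str:
    """Decode punycode labels, so 'xn--wnscp-tsa.net' becomes the 'wìnscp.net' a user actually saw."""
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name


def fold(name: str) -> str:
    """Lower-case, decode punycode, strip diacritics and map digit-for-letter substitutions."""
    decoded = to_unicode_host(name.lower().rstrip("."))
    decomposed = unicodedata.normalize("NFKD", decoded)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)


def registrable(name: str) -> str:
    """Assumed: last two labels. Use the Public Suffix List in production."""
    return ".".join(name.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(qname: str):
    """Return the watched label a query name imitates, or None for legitimate or unrelated names."""
    if registrable(qname.lower().rstrip(".")) in LEGITIMATE:
        return None
    label = registrable(fold(qname)).split(".")[0]
    for watched in WATCHED_LABELS:
        if levenshtein(label, watched) <= MAX_DISTANCE:
            return watched
    return None


def detect(lines):
    """Scan DNS query log lines; tie look-alike lookups to a preceding ad-network lookup by the same client."""
    last_ad, findings = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname = datetime.fromisoformat(m["ts"]), m["client"], m["qname"]
        if registrable(qname.lower()) in AD_NETWORKS:
            last_ad[client] = ts
            continue
        target = lookalike_of(qname)
        if target is None:
            continue
        after_ad = client in last_ad and (ts - last_ad[client]).total_seconds() <= AD_WINDOW_S
        findings.append({"ts": m["ts"], "client": client, "qname": qname,
                         "decoded": to_unicode_host(qname.lower()), "imitates": target,
                         "after_ad_click": after_ad})
    return findings


# Constructed DNS log, modelled on the lookup sequence described above.
SAMPLE_DNS = [
    "2023-10-16T14:02:10 10.1.1.50 A wiki.wireshark.org",
    "2023-10-16T14:02:11 10.1.1.50 A www.googleadservices.com",
    "2023-10-16T14:02:12 10.1.1.50 A allpcsoftware.com",
    "2023-10-16T14:02:13 10.1.1.50 A wireshhark.com",
    "2023-10-16T14:30:00 10.1.1.77 A xn--wnscp-tsa.net",
    "2023-10-16T15:00:00 10.1.1.50 A www.wireshark.org",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_DNS):
        print(finding)
```

Note the order of checks in lookalike_of: the raw name is compared against the legitimate set before folding, so that xn--wnscp-tsa.net, which folds to exactly winscp.net, is still reported rather than silently accepted as the real site.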

After being redirected to wireshhark[.]com, the user unintentionally installed a malware sample which dropped what appears to be Cobalt Strike onto their device. The presence of Cobalt Strike on the user's desktop was evidenced by the subsequent type A DNS requests which the device made for the domain name 'pse[.]ac'. These DNS requests were responded to with the likely Cobalt Strike C2 server address, 194.169.175[.]132. Given that Darktrace only had visibility over the device’s internal traffic, it did not observe any C2 connections to this Cobalt Strike endpoint. However, the desktop's subsequent behavior suggests that a malicious actor had gained 'hands-on-keyboard' control of the device via an established C2 channel.

Figure 2: Advanced Search data showing a customer device being tricked into visiting the fake website, wireshhark[.]com.

Since the malicious actor had gained control of an IT member's device, they were able to abuse its privileged account credentials to spread Python payloads across the network via SMB and the Windows Management Instrumentation (WMI) service. The actor was also seen distributing the Windows Sysinternals tool PsExec, likely in an attempt to facilitate their lateral movement. It was normal for this IT member's desktop to distribute files across the network via SMB, which meant that this malicious SMB activity was not, at first glance, out of place.

Figure 3: Advanced Search data showing that it was normal for the IT member's device to distribute files over SMB.

However, Darktrace DETECT recognized that the significant spike in file writes being performed here was suspicious, even though, on the surface, it seemed ‘normal’ for the device. Furthermore, Darktrace identified that the executable files being distributed were attempting to masquerade as a different file type, potentially in an attempt to evade the detection of traditional security tools.

Figure 4: Event Log data showing several Model Breaches being created in response to the IT member's device's SMB writes of Python-based executables.
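Two of the signals described above, a volume of SMB writes that is abnormal for a device that writes files over SMB every day, and executables written under an extension that hides what they are, can both be expressed without any knowledge of Nitrogen or ALPHV. The following is an added Python example, not code from Darktrace or from this post, that sets a robust per-device threshold on hourly SMB write counts (median plus scaled MAD, so earlier spikes do not inflate the baseline) and checks the first bytes of each written file against its extension. The hourly counts, the UNC paths and the file headers are constructed sample data for the example.

```python
import statistics
from os.path import splitext

# Constructed: hourly SMB file-write counts by the IT admin's desktop over three normal working days (8 h/day).
BASELINE_HOURLY = [12, 15, 9, 20, 14, 11, 18, 16, 13, 10, 17, 12, 14, 19, 11, 15, 13, 12, 16, 14, 10, 18, 15, 13]
INCIDENT_HOURLY = [14, 13, 212, 198, 11]   # 09:00-13:00 on the day of the incident (constructed)


def spike_threshold(history, k=6.0):
    """Median plus k scaled median-absolute-deviations: a threshold that past outliers barely move."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0
    return med + k * 1.4826 * mad


def spike_hours(history, today, k=6.0):
    """Return (hour index, count) for every hour whose write count exceeds the device's own threshold."""
    thr = spike_threshold(history, k)
    return [(hour, count) for hour, count in enumerate(today) if count > thr]


# Magic bytes a defender can check regardless of the file name the attacker chose.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXPECTED_EXT = {
    "pe-executable": {".exe", ".dll", ".sys", ".scr", ".cpl"},
    "elf": {"", ".so", ".bin"},
    "pdf": {".pdf"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
}


def file_kind(head: bytes):
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def masquerading(unc_path: str, head: bytes):
    """Return the real file kind when the name's extension does not belong to it, else None."""
    kind = file_kind(head)
    if kind is None:
        return None
    basename = unc_path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = splitext(basename)[1].lower()
    return None if ext in EXPECTED_EXT[kind] else kind


# Constructed SMB write records: (UNC path written, first bytes of the written content).
SMB_WRITES = [
    ("\\\\dc01\\C$\\Windows\\Temp\\update.dat", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("\\\\sql01\\ADMIN$\\sync.txt", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("\\\\fs01\\share\\policy.pdf", b"%PDF-1.7\n"),
    ("\\\\dc01\\C$\\Windows\\Temp\\PsExec.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def review(history, today, writes):
    """Combine both checks into one report for the device."""
    flagged = []
    for path, head in writes:
        kind = masquerading(path, head)
        if kind:
            flagged.append((path, kind))
    return {"spike_hours": spike_hours(history, today), "masquerading": flagged}


if __name__ == "__main__":
    report = review(BASELINE_HOURLY, INCIDENT_HOURLY, SMB_WRITES)
    print("threshold:", round(spike_threshold(BASELINE_HOURLY), 1))
    print("spike hours:", report["spike_hours"])
    for path, kind in report["masquerading"]:
        print("masquerading", kind, "->", path)
```

PsExec.exe is not reported by the masquerade check because its name is honest; it would be caught by a separate rule on known administration tools being written to ADMIN$ or C$ shares, which is a question of policy rather than of file content.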

In addition to DETECT's identification of this unusual activity, Darktrace's Cyber AI Analyst launched an autonomous investigation into the ongoing compromise and was able to link the SMB writes and the sharing of the executable Python payloads, viewing the connections as one lateral movement incident rather than a string of isolated events. After completing its investigation, Cyber AI Analyst provided a detailed summary of events on a single pane of glass, ensuring the customer could identify the affected device and begin their remediation.

Figure 5: Cyber AI Analyst investigation summary highlighting the IT member's desktop’s lateral movement activities.

C2 Activity

The Python payloads distributed by the IT member’s device were likely related to the Nitrogen malware, as evidenced by the payloads’ names and by the network behaviours which they engendered.  

Figure 6: Advanced Search data showing the affected device reaching out to the C2 endpoint, pse[.]ac, and then distributing Python-based executable files to an internal domain controller.

The internal devices to which these Nitrogen payloads were distributed immediately went on to contact C2 infrastructure associated with Cobalt Strike. These C2 connections were made over SSL on ports 443 and 8443.  Darktrace identified the attacker moving laterally to an internal SQL server and an internal domain controller.

Figure 7: Advanced Search data showing an internal SQL server contacting the Cobalt Strike C2 endpoint, 194.180.48[.]169, after receiving Python payloads from the IT member’s device.
Figure 8: Event Log data showing several DETECT model breaches triggering in response to an internal SQL server’s C2 connections to 194.180.48[.]169.

Once more, Cyber AI Analyst launched its own investigation into this activity and was able to successfully identify a series of separate SSL connections, linking them together into one wider C2 incident.

Figure 9: Cyber AI Analyst investigation summary highlighting C2 connections from the SQL server.

Darktrace observed the attacker using their 'hands-on-keyboard' access to these systems to elevate their privileges, conduct network reconnaissance (primarily port scanning), spread Python payloads further across the network, exfiltrate data from the domain controller and transfer a payload from GitHub to the domain controller.

Figure 10: Cyber AI Analyst investigation summary of an IP address scan carried out by an internal domain controller.
Figure 12: Event Log data showing an internal domain controller contacting GitHub around the time that it was in communication with the C2 endpoint, 194.180.48[.]169.
Figure 13: Event Log data showing a DETECT model breach being created in response to an internal domain controller's large data upload to the C2 endpoint, 194.180.48[.]169.

After conducting extensive reconnaissance and lateral movement, the attacker was observed detonating ransomware within the organization's VMware environment, resulting in the encryption of the customer's VMware vCenter server and VMware virtual machines. In this case, the attacker took around 24 hours to progress from initial access to ransomware detonation.

If the targeted organization had been signed up for Darktrace's Proactive Threat Notification (PTN) service, they would have been promptly notified of these suspicious activities by the Darktrace Security Operations Center (SOC) in the first instance, allowing them to quickly identify affected devices and quarantine them before the compromise could escalate.

Additionally, given the quantity of high-severity alerts that triggered in response to this attack, Darktrace RESPOND would, under normal circumstances, have inhibited the attacker's activities as soon as they were identified by DETECT. However, because RESPOND was not configured to act on server devices within the customer’s network, the attacker was able to move laterally through the organization's server environment unimpeded and eventually detonate the ALPHV ransomware.

Nevertheless, Darktrace was able to weave the multiple Cyber AI Analyst incidents it generated into a thread representing the chain of behavior that made up this attack. The thread of Incident Events created by Cyber AI Analyst provided a substantial account of the attack and the steps involved in it, which significantly facilitated the customer’s post-incident investigation efforts.

Figure 14: Darktrace's AI Analyst weaved together 33 of the Incident Events it created into a thread representing the attacker’s chain of behavior.

Conclusion

Malicious cyber actors can be expected to revise and upgrade their methods to evade organizations’ improving security measures. The continued improvement of email security tools, for example, has likely created a need for attackers to develop new means of Initial Access, such as the use of Microsoft Teams-based malware delivery.

This fast-paced ALPHV ransomware attack serves as a further illustration of this trend, with the actor behind the attack using malvertising to convince an unsuspecting user to download the Python-based malware, Nitrogen, from a fake Wireshark site. Unbeknownst to the user, this stealthy malware dropped a C2 implant onto the user’s device, giving the malicious actor the ‘hands-on-keyboard’ access they needed to move laterally, conduct network reconnaissance, and ultimately detonate ALPHV ransomware.

Despite the non-traditional initial access methods used by this ransomware actor, Darktrace DETECT was still able to identify the unusual patterns of network traffic caused by the attacker’s post-compromise activities. The large volume of alerts created by Darktrace DETECT was autonomously investigated by Darktrace’s Cyber AI Analyst, which was able to weave together the related activities of different devices into a comprehensive timeline of the attacker’s operation. Given the volume of DETECT alerts created in response to this ALPHV attack, it is expected that Darktrace RESPOND would have autonomously inhibited the attacker’s operation had the capability been appropriately configured.

As the first post-compromise activities Darktrace observed in this ALPHV attack were seemingly performed by a member of the customer’s IT team, they may have looked normal to a human analyst or to traditional signature- and rules-based security tools. To Darktrace’s Self-Learning AI, however, the observed activities represented subtle deviations from the device’s normal pattern of life. This attack, and Darktrace’s detection of it, is therefore a prime illustration of the value that Self-Learning AI can bring to the task of detecting anomalies within organizations’ digital estates.

Credit to Sam Lister, Senior Cyber Analyst, and Emma Foulger, Principal Cyber Analyst

Appendices

Darktrace DETECT Model Breaches

- Compliance / SMB Drive Write

- Compliance / High Priority Compliance Model Breach

- Anomalous File / Internal / Masqueraded Executable SMB Write

- Device / New or Uncommon WMI Activity

- Anomalous Connection / New or Uncommon Service Control

- Anomalous Connection / High Volume of New or Uncommon Service Control

- Device / New or Uncommon SMB Named Pipe

- Device / Multiple Lateral Movement Model Breaches

- Device / Large Number of Model Breaches  

- SMB Writes of Suspicious Files (Cyber AI Analyst)

- Suspicious Remote WMI Activity (Cyber AI Analyst)

- Suspicious DCE-RPC Activity (Cyber AI Analyst)

- Compromise / Connection to Suspicious SSL Server

- Compromise / High Volume of Connections with Beacon Score

- Anomalous Connection / Suspicious Self-Signed SSL

- Anomalous Connection / Anomalous SSL without SNI to New External

- Compromise / Suspicious TLS Beaconing To Rare External

- Compromise / Beacon to Young Endpoint

- Compromise / SSL or HTTP Beacon

- Compromise / Agent Beacon to New Endpoint

- Device / Long Agent Connection to New Endpoint

- Compromise / SSL Beaconing to Rare Destination

- Compromise / Large Number of Suspicious Successful Connections

- Compromise / Slow Beaconing Activity To External Rare

- Anomalous Server Activity / Outgoing from Server

- Device / Multiple C2 Model Breaches

- Possible SSL Command and Control (Cyber AI Analyst)

- Unusual Repeated Connections (Cyber AI Analyst)

- Device / ICMP Address Scan

- Device / RDP Scan

- Device / Network Scan

- Device / Suspicious Network Scan Activity

- Scanning of Multiple Devices (Cyber AI Analyst)

- ICMP Address Scan (Cyber AI Analyst)

- Device / Anomalous Github Download

- Unusual Activity / Unusual External Data Transfer

- Device / Initial Breach Chain Compromise

MITRE ATT&CK Mapping

Resource Development techniques:

- Acquire Infrastructure: Malvertising (T1583.008)

Initial Access techniques:

- Drive-by Compromise (T1189)

Execution techniques:

- User Execution: Malicious File (T1204.002)

- System Services: Service Execution (T1569.002)

- Windows Management Instrumentation (T1047)

Defence Evasion techniques:

- Masquerading: Match Legitimate Name or Location (T1036.005)

Discovery techniques:

- Remote System Discovery (T1018)

- Network Service Discovery (T1046)

Lateral Movement techniques:

- Remote Services: SMB/Windows Admin Shares

- Lateral Tool Transfer (T1570)

Command and Control techniques:

- Application Layer Protocol: Web Protocols (T1071.001)

- Encrypted Channel: Asymmetric Cryptography (T1573.002)

- Non-Standard Port (T1571)

- Ingress Tool Transfer (T1105)

Exfiltration techniques:

- Exfiltration Over C2 Channel (T1041)

Impact techniques:

- Data Encrypted for Impact (T1486)

List of Indicators of Compromise

- allpcsoftware[.]com

- wireshhark[.]com

- pse[.]ac • 194.169.175[.]132

- 194.180.48[.]169

- 193.42.33[.]14

- 141.98.6[.]195


About the author
Sam Lister
SOC Analyst