Blog

該当する項目はありません。

政府機関のネットワークにおけるバンキング型トロイFeodoの復活

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
01
Oct 2017
01
Oct 2017
AI detects new Feodo banking Trojan on a government network

Famous malware like Zeus, Conficker, and CryptoLocker are still some of the most common threats globally. By repurposing and repackaging known threats like these, attackers can create unknown variants that bypass signature-based security tools.

For instance, an older class of banking Trojans – known as Feodo – recently cropped up again on the network of a local US government. However, this particular strain had a key differentiator.

Darktrace detected the malware when it first was downloaded onto the government’s network. After analysis, the malware was found to be consistent with two well-documented Trojans in the Feodo family: Dridex and Emotet.

Traditionally, Trojans in the Feodo family will infect just a single device, but this attack immediately began propagating on the network, spreading to over 200 devices in a matter of hours.

The incident is part of an emerging trend of similar infections, suggesting that the Feodo family of Trojans is undergoing a resurgence, but this time retooled with ability to rapidly spread across the network.

Darktrace first detected the threat when an internal device made a series of anomalous SSL connections to IPs with self-signed certificates. The abnormal connections were a deviation from what Darktrace’s AI algorithms had learned to be normal, triggering Darktrace to raise the first in a series of alerts.

Time: 2017-04-26 11:38:05 [UTC]
Source: 172.16.14.39
Destination: 76.164.161.46
Destination Port: 995
Protocol: SSL
Version: TLSv12 [Considered HIGH security]
Cipher: TLS_RSA_WI TH_AES_256_ GCM_SHA384 [Considered HIGH security]
UID: CbenK822ViUMxJok00

The identical IP certificate subject and issuer:
Subject: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO
Issuer: CN=euwtrdjuee.biz,OU=Tslspyqh Dfxdekt Brftapckwr,O=Kaqt Aooscr LLC.,street=132 Vfjteuadivm Fklhnxdmza.,L=Elqazgap Nvax,ST=XI,C=PO

The device proceeded to download an anomalous ZIP file from an unusual external server. The email purported to be a notification from FedEx, and the file was disguised as an attachment containing tracking numbers. The download was nearly identical to the malicious files usually seen in Dridex and Emotet infections.

Time: 2017-04-28 16:01:03 [UTC]
Source: 172.16.14.39
Destination: 89.38.128.232
Destination Port: 80/tcp
Protocol: HTTP
Path: hxxp://XX[.]ro/UPS__Ship__Notification__Tracking__Number__2SM099383266006810/Y0894C/FEDEX-TRACK/track-tracknumbers-673639733202/
Filename: fedex-track-tracknumbers-133977976498-language-en.zip
Mime Type: application/zip

After downloading the ZIP, the device wrote an executable file to a second device via SMB. This strongly suggested that the infection was spreading, and quickly.

Time: 2017-04-28 16:52:57 [UTC]
Source: 172.16.14.39
Destination: 172.16.10.41
Destination Port: 445/tcp
Protocol: SMB
Action: write
Filename: tptzfqa.exe
Path: \\PU12881\C$
Write Size: 65536
UID: Cxq64s3tCi1vq4Uo00

The graph shows the internal connectivity of the initial device. The spike in activity, which includes numerous alerts due to unusual behavior, occurs immediately following the SMB write made by the original device.

Devices across the network started to mimic this activity by performing the same type of SMB write, each time with the same amount of data – 65536B – and a random string of characters followed by the .exe filetype.

Meanwhile, the initial device was flagged for making a large number of SMB and Kerberos login attempts. At this point, the infection had spread to over 200 devices, which were all attempting to bruteforce passwords using the same credentials as the original device, in addition to standard usernames like ‘Administrator’ and ‘misadmin’.

Bruteforcing over SMB is consistent with lateral movement seen in recent instances of Emotet, in which the Trojan was seen with new, built-in functionality designed for network propagation.

As the malware continued to spread in the government network, devices began making anomalous SSL connections without SNI (Server Name Indication).

This series of anomalies represented a massive deviation from the network’s normal ‘pattern of life’, causing the Enterprise Immune System to raise three high-priority alerts in real time: one alert for the SMB session bruteforce, another for the Kerberos activity, and another for the anomalous SSL connections without SNI.

The final anomaly occurred when devices made a flurry of unusual DNS requests for DGA-generated domains, often involving rare TLDs such as .biz and .info. The DNS requests illustrate a sophisticated method to disguise communications to the attacker’s command and control centers. Darktrace’s AI algorithms deemed this domain fluxing activity to be highly unusual compared to ordinary behavior, thus raising one final alert before the security team was able to intervene.

A sample of the DNS requests:

15:33:00 hd12530.mi.SALTEDHAZE.org made a successful DNS request for rbqfkjjemttqumeobxb.org to dc1-2012.mi.[REDACTED].org
15:33:10 hd12530.mi.SALTEDHAZE.org made a successful DNS request for tmmiqtsdnkjdcqr.biz to dc1-2012.mi.SALTEDHAZE.org
15:33:20 hd12530.mi.SALTEDHAZE.org made a successful DNS request for mehqdlodsgggehchxdwfsmmoq.biz to dc1-2012.mi.SALTEDHAZE.org

Taken on their own, each of these anomalies could be explained as an isolated incident or perhaps a false-positive. But taken together, they form a broader picture of a widespread and aggressive infection, in which an external hacker had taken control of over 200 devices and was using them to attempt to harvest the users’ banking credentials and transfer funds into their own account.

In accordance with the Feodo family of banking Trojans, the malware was likely attempting to steal banking credentials by intercepting web form submissions. Yet, by adding the ability to spread through the network, the attacker was able to create a completely novel attack type that circumvented the perimeter security controls and infected over 200 devices.

As the threat progressed, the Enterprise Immune System raised real-time alerts and revealed in-depth details on the nature of the compromise. Using this information, the government’s security team was able to remediate the situation before any banking credentials could be stolen.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which discusses a host of other novel infections that were stopped by the Enterprise Immune System.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
VP of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

Book a 1-1 meeting with one of our experts
この記事を共有
USE CASES
該当する項目はありません。
PRODUCT SPOTLIGHT
該当する項目はありません。
COre coverage
該当する項目はありません。

More in this series

該当する項目はありません。

Blog

Inside the SOC

Identifying the Imposter: Darktrace’s Detection of Simulated Malware vs the Real Thing

Default blog imageDefault blog image
13
Mar 2024

Distinguishing attack simulations from the real thing

In an era marked by the omnipresence of digital technologies and the relentless advancement of cyber threats, organizations face an ongoing battle to safeguard their digital environment. Although red and blue team exercises have long served as cornerstones in evaluating organizational defenses, their reliance on manual processes poses significant constraints [1]. Led by seasoned security professionals, these tests offer invaluable insights into security readiness but can be marred by their resource-intensive and infrequent testing cycles. The gaps between assessments leave organizations open to undetected vulnerabilities, compromising the true state of their security environment. In response to the ever-changing threat landscape, organizations are adopting a proactive stance towards cyber security to fortify their defenses.

At the forefront, these efforts tend to revolve around simulated attacks, a process designed to test an organization's security posture against both known and emerging threats in a safe and controlled environment [2]. These meticulously orchestrated simulations imitate the tactics, techniques, and procedures (TTPs) employed by actual adversaries and provide organizations with invaluable insights into their security resilience and vulnerabilities. By immersing themselves in simulated attack scenarios, security teams can proactively probe for vulnerabilities, adopt a more aggressive defense posture, and stay ahead of evolving cyber threats.

Distinguishing between simulated malware observations and authentic malware activities stands as a critical imperative for organizations bolstering their cyber defenses. While simulated platforms offer controlled scenarios for testing known attack patterns, Darktrace’s Self-Learning AI can detect known and unknown threats, identify zero-day threats, and previously unseen malware variants, including attack simulations. Whereas simulated platforms focus on specific known attack vectors, Darktrace DETECT™ and Darktrace RESPOND™ can identify and contain both known and unknown threats across the entire attack surface, providing unparalleled protection of the cyber estate.

Darktrace’s Coverage of Simulated Attacks

In January 2024, the Darktrace Security Operations Center (SOC) received a high volume of alerts relating to an unspecified malware strain that was affecting multiple customers across the fleet, raising concerns, and prompting the Darktrace Analyst team to swiftly investigate the multitude of incident. Initially, these activities were identified as malicious, exhibiting striking resemblance to the characteristics of Remcos, a sophisticated remote access trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards [3]. However, further investigation revealed that these activities were intricately linked to a simulated malware provider.

This discovery underscores a pivotal insight into Darktrace’s capabilities. To this point, leveraging advanced AI, Darktrace operates with a sophisticated framework that extends beyond conventional threat detection. By analyzing network behavior and anomalies, Darktrace not only discerns between simulated threats, such as those orchestrated by breach and attack simulation platforms and genuine malicious activities but can also autonomously respond to these threats with RESPOND. This showcases Darktrace’s advanced capabilities in effectively mitigating cyber threats.

Attack Simulation Process: Initial Access and Intrusion

Darktrace initially observed devices breaching several DETECT models relating to the hostname “new-tech-savvy[.]com”, an endpoint that was flagged as malicious by multiple open-source intelligence (OSINT) vendors [4].

In addition, multiple HTML Application (HTA) file downloads were observed from the malicious endpoint, “new-tech-savvy[.]com/5[.]hta”. HTA files are often seen as part of the UAC-0050 campaign, known for its cyber-attacks against Ukrainian targets, which tends to leverage the Remcos RAT with advanced evasion techniques [5] [6]. Such files are often critical components of a malware operation, serving as conduits for the deployment of malicious payloads onto a compromised system. Often, within the HTA file resides a VBScript which, upon execution, triggers a PowerShell script. This PowerShell script is designed to facilitate the download of a malicious payload, namely “word_update.exe”, from a remote server. Upon successful execution, “word_update.exe” is launched, invoking cmd.exe and initiating the sharing of malicious data. This process results in the execution of explorer.exe, with the malicious RemcosRAT concealed within the memory of explorer.exe. [7].

As the customers were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, an Enhanced Monitoring model was breached upon detection of the malicious HTA file. Enhanced Monitoring models are high-fidelity DETECT models designed to identify activity likely to be indicative of compromise. These PTN alerts were swiftly investigated by Darktrace’s round the clock SOC team.

Following this successful detection, Darktrace RESPOND took immediate action by autonomously blocking connections to the malicious endpoint, effectively preventing additional download attempts. Similar activity may be seen in the case of a legitimate malware attack; however, in this instance, the hostname associated with the download confirmed the detected malicious activity was the result of an attack simulation.

Figure 1: The Breach Log displays the model breach, “Anomalous File/Incoming HTA File”, where a device was detected downloading the HTA file, “5.hta” from the endpoint, “new-tech-savvy[.]com”.
'
Figure 2: The Model Breach Event Log shows a device making connections to the endpoint, “new-tech-savvy[.]com”. As a result, theRESPOND model, “Antigena/Network/External Threat/Antigena File then New Outbound Block", breached and connections to this malicious endpoint were blocked.
Figure 3: The Breach Log further showcases another RESPOND model, “Antigena/Network/External Threat/Antigena Suspicious File Block", which was triggered when the device downloaded a  HTA file from the malicious endpoint, “new-tech-savvy[.]com".

In other cases, Darktrace observed SSL and HTTP connections also attributed to the same simulated malware provider, highlighting Darktrace’s capability to distinguish between legitimate and simulated malware attack activity.

Figure 4: The Model Breach “Anomalous Connection/Low and Slow Exfiltration" displays the hostname of a simulated malware provider, confirming the detected malicious activity as the result of an attack simulation.
Figure 5: The Model Breach Event Log shows the SSL connections made to an endpoint associated with the simulated malware provider.
Figure 6: Darktrace’s Advanced Search displays SSL connection logs to the endpoint of the simulated malware provider around the time the simulation activity was observed.

Upon detection of the malicious activity occurring within affected customer networks, Darktrace’s Cyber AI Analyst™ investigated and correlated the events at machine speed. Figure 8 illustrates the synopsis and additional technical information that AI Analyst generated on one customer’s environment, detailing that over 220 HTTP queries to 18 different endpoints for a single device were seen. The investigation process can also be seen in the screenshot, showcasing Darktrace’s ability to provide ‘explainable AI’ detail. AI Analyst was able to autonomously search for all HTTP connections made by the breach device and identified a single suspicious software agent making one HTTP request to the endpoint, 45.95.147[.]236.

Furthermore, the malicious endpoints, 45.95.147[.]236, previously observed in SSH attacks using brute-force or stolen credentials, and “tangible-drink.surge[.]sh”, associated with the Androxgh0st malware [8] [9] [10], were detected to have been requested by another device.

This highlights Darktrace’s ability to link and correlate seemingly separate events occurring on different devices, which could indicate a malicious attack spreading across the network.  AI Analyst was also able to identify a username associated with the simulated malware prior to the activity through Kerberos Authentication Service (AS) requests. The device in question was also tagged as a ‘Security Device’ – such tags provide human analysts with valuable context about expected device activity, and in this case, the tag corroborates with the testing activity seen. This exemplifies how Darktrace’s Cyber AI Analyst takes on the labor-intensive task of analyzing thousands of connections to hundreds of endpoints at a rapid pace, then compiling results into a single pane that provides customer security teams with the information needed to evaluate activities observed on a device.

All in all, this demonstrates how Darktrace’s Self-Learning AI is capable of offering an unparalleled level of awareness and visibility over any anomalous and potentially malicious behavior on the network, saving security teams and administrators a great deal of time.

Figure 7: Cyber AI Analyst Incident Log containing a summary of the attack simulation activity,, including relevant technical details, and the AI investigation process.

結論

Simulated cyber-attacks represent the ever-present challenge of testing and validating security defenses, while the threat of legitimate compromise exemplifies the constant risk of cyber threats in today’s digital landscape. Darktrace emerges as the solution to this conflict, offering real-time detection and response capabilities that identify and mitigate simulated and authentic threats alike.

While simulations are crafted to mimic legitimate threats within predefined parameters and controlled environments, the capabilities of Darktrace DETECT transcend these limitations. Even in scenarios where intent is not malicious, Darktrace’s ability to identify anomalies and raise alerts remains unparalleled. Moreover, Darktrace’s AI Analyst and autonomous response technology, RESPOND, underscore Darktrace’s indispensable role in safeguarding organizations against emerging threats.

Credit to Priya Thapa, Cyber Analyst, Tiana Kelly, Cyber Analyst & Analyst Team Lead

付録

モデルブリーチ 一覧

Darktrace DETECT Model Breach Coverage

Anomalous File / Incoming HTA File

Anomalous Connection / Low and Slow Exfiltration

Darktrace RESPOND Model Breach Coverage

§  Antigena / Network/ External Threat/ Antigena File then New Outbound Block

Cyber AI Analyst Incidents

• Possible HTTP Command and Control

• Suspicious File Download

IoC一覧

IP Address

38.52.220[.]2 - Malicious Endpoint

46.249.58[.]40 - Malicious Endpoint

45.95.147[.]236 - Malicious Endpoint

Hostname

tangible-drink.surge[.]sh - Malicious Endpoint

new-tech-savvy[.]com - Malicious Endpoint

参考文献

1.     https://xmcyber.com/glossary/what-are-breach-and-attack-simulations/

2.     https://www.picussecurity.com/resource/glossary/what-is-an-attack-simulation

3.     https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null

4.     https://www.virustotal.com/gui/url/c145cf7010545791602e9585f447347c75e5f19a0850a24e12a89325ded88735

5.     https://www.virustotal.com/gui/url/7afd19e5696570851e6413d08b6f0c8bd42f4b5a19d1e1094e0d1eb4d2e62ce5

6.     https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html

7.     https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

8.     https://www.virustotal.com/gui/ip-address/45.95.147.236/community

9.     https://www.virustotal.com/gui/domain/tangible-drink.surge.sh/community

10.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

続きを読む
著者について
Priya Thapa
Cyber Analyst

Blog

該当する項目はありません。

Mastering Cloud Migration: Strategies, Services, and Risks

Default blog imageDefault blog image
12
Mar 2024

What is cloud migration?

Cloud migration, in its simplest form, refers to the process of moving digital assets, such as data, applications, and IT resources, from on-premises infrastructure or legacy systems to cloud computing environments. There are various flavours of migration and utilization, but according to a survey conducted by IBM, one of the most common is the 'Hybrid' approach, with around 77% of businesses adopting a hybrid cloud approach.

There are three key components of a hybrid cloud migration model:

  1. On-Premises (On-Prem): Physical location with some amount of hardware and networking, traditionally a data centre.
  2. Public Cloud: Third-party providers like AWS, Azure, and Google, who offer multiple services such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
  3. Private Cloud: A cloud computing environment where resources are isolated for one customer.

Why does cloud migration matter for enterprises?

Cloud adoption provides many benefits to businesses, including:

  1. Scalability: Cloud environments allow enterprises to scale resources up or down based on demand, enabling them to quickly adapt to changing business requirements.
  2. Flexibility and Agility: Cloud platforms provide greater flexibility and agility, enabling enterprises to innovate and deploy new services more rapidly compared to traditional on-premises infrastructure.
  3. Cost Efficiency: Pay-as-you-go model, allowing enterprises to reduce capital expenditures on hardware and infrastructure.
  4. Enhanced Security: Cloud service providers invest heavily in security measures to protect data and infrastructure, offering advanced security features and compliance certifications.

The combination of these benefits provides significant potential for businesses to innovate and move quickly, ultimately allowing them to be flexible and adapt to changing market conditions, customer demands, and technological advancements with greater agility and efficiency.

Cloud migration strategy

There are multiple migration strategies a business can adopt, including:

  1. Rehosting (Lift-and-shift): Quickly completed but may lead to increased costs for running workloads.
  2. Refactoring (Cloud Native): Designed specifically for the cloud but requires a steep learning curve and staff training on new processes.
  3. Hybrid Cloud: Mix of on-premises and public cloud use, offering flexibility and scalability while keeping data secure on-premises. This can introduce complexities in setup and management overhead and requires ensuring security and compliance in both environments.

It is important to note that each strategy has its trade-offs and there is no single gold standard for a one size fits all cloud migration strategy. Different businesses will prioritize and leverage different benefits, for instance while some might prefer a rehosting strategy as it gets them migrated the fastest, it typically ends up also being the most costly strategy as “lift-and-shift” doesn’t take advantage of many key benefits that the cloud has to offer. Conversely, refactoring is a strategy optimized at making the most of the benefits that cloud providers have to offer, however the process of redesigning applications requires cloud expertise and based on the scale of applications that are required to be refactored this strategy might not be the quickest when it comes to moving applications from being hosted on premise to in the cloud.  

Phases of a cloud migration

At the highest level, there are four main steps in a successful migration:

  1. Discover: Identify and categorize IT assets, applications, and critical dependencies.
  2. Plan: Develop a detailed migration plan, including timelines, resource allocation, and risk management strategies.
  3. Migrate: Execute the migration plan, minimizing disruption to business operations.
  4. Optimize: Continuously optimize the cloud environment using automation, performance monitoring, and cost management tools to improve efficiency, performance, and scalability.

While it is natural to race towards the end goals of a cloud migration, most successful cloud migration strategies allocate the appropriate timelines to each phase.  

The “Discover” phase specifically is where most businesses can set themselves up for success. Having a complete understanding of assets, applications, services, and dependencies needed to migrate however is much easier said than done. Given the pace of change and how laborious of a task inventorying everything can be to manage and maintain, most mistakes at this stage will propagate and amplify through the migration journey.  

Risks and challenges of cloud migration

Though cloud migration offers a wealth of benefits, it also introduces new risks that need to be accounted for and managed effectively. Security should be considered a fundamental part of the process, not an additional measure that can be ‘bolted’ on at the end.

Let’s consider the most popular migration strategy, using a ‘Hybrid Cloud’. A recent report by the industry analyst group Forrester cited that Cloud Security Posture Management (CSPM) tools are just one facet of security, stating:

"No matter how good it is, using a CSPM solution alone will not provide you with full visibility, detection, and effective remediation capabilities for all threats. Your adversaries are also targeting operating systems, existing on-prem network infrastructure, and applications in their quest to steal valuable data".

Unpacking some of the risks here, it’s clear they fall into a range of categories, including:

  1. Security Concerns: Ensuring security across both on-premises and cloud environments, addressing potential misconfigurations and vulnerabilities.
  2. Contextual Understanding: Effective security requires a deep understanding of the organization's business processes and the context in which data and applications operate.
  3. Threat Detection and Response: Identifying and responding to threats in real-time requires advanced capabilities such as AI and anomaly detection.
  4. Platform Approach: Deploying integrated security solutions that provide end-to-end visibility, centralized management, and automated responses across hybrid infrastructure.

Since the cloud doesn’t operate in a vacuum, businesses will always have a myriad of 3rd party applications, users, endpoints, external services, and partners connecting and interacting with their cloud environments. From this perspective, being able to correlate and understand behaviors and activity both within the cloud and its surroundings becomes imperative.

It then follows that context from a business wide perspective is necessary. This has two distinct implications, the first is application or workload specific context (i.e. where do the assets, services, and functions alerted on reside within the cloud application) and the second is business wide context. Given the volume of alerts that security practitioners need to manage, findings that lack the appropriate context to fully understand and resolve the issue create additional strain on teams that are already managing a difficult challenge.  

結論

With that in mind, Darktrace’s approach to security, with its existing and new advances in Cloud Detection and Response capabilities, anomaly detection across SaaS applications, and native ability to leverage many AI techniques to understand the business context within your dynamic cloud environment and on-premises infrastructure. It provides you with the integrated building blocks to provide the ‘360’ degree view required to detect and respond to threats before, during, and long after your enterprise migrates to the cloud.

参考文献

IBM Transformation Index: State of Cloud https://www.ibm.com/blog/hybrid-cloud-use-cases/

https://www.forrester.com/report/the-top-trends-shaping-cloud-security-posture-management-cspm-in-2024/RES180379  

続きを読む
著者について
Adam Stevens
Analyst Technical Director
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

無償トライアルを開始
Darktrace AI protecting a business from cyber threats.