AI reveals 2018’s biggest cyber-threats: Part two — to err is human
07
Feb 2019
07
Feb 2019
In the second installment of a two-part series, Darktrace’s Max Heinemeyer analyzes the rise of deceptive attacks and insider threats that Darktrace AI detected in 2018.
For security professionals around the world, it is hardly a secret that cyber-attacks are becoming ever more difficult to detect — incorporating stealthier tactics and even automated elements to breach the network perimeter. Yet despite the increasing sophistication of these threats, the greatest security risk confronting today’s businesses, governments, and nonprofits continues to be their own employees.
Such credentialed network users present a relatively easy avenue into the digital estate for cyber-criminals who manage to deceive them. From banking trojans that are spread using social engineering to cryptocurrency mining carried out by disgruntled workers, the past year witnessed a significant upswing in threats that either exploited the fallibility of employees or which were authored by employees themselves.
By monitoring and analyzing raw traffic from all our clients’ users, internet-connected devices, and cloud deployments, we saw a number of trends emerge in 2018. As the second installment of a two-part series, this article will review specifically those attack trends that involve trickery, subtlety, and the art of deception. Because, as organizations deploy the latest technologies and tools to improve their cyber defenses, the weakest link in our network security is not a machine — it is human.
Banking trojan attacks increased by 239%
Named after the legendary act of Grecian subterfuge, today a trojan horse refers to a malicious computer program that misleads its user of its actual purpose, taking advantage of the fundamental weakness of human error inherent to any security posture. Over the last 12 months, the incidence of banking trojans in particular — which harvest the credentials of online banking customers from infected machines — has increased by a staggering 239% across our customer base.
This dramatic increase may be a consequence of the declining popularity of ransomware for monetary gain: it seems that banking trojans are, at least at present, a more profitable tool for cyber-criminals. Unlike ransomware, banking trojans do not rely on a victim’s conscious willingness to pay; rather, they use deception to perform transactions without the victim’s knowledge. And as the number of ransomware incidents declined in 2018, it seems that subtler attacks have become the weapons of choice for cyber-crime.
The proliferation of banking trojans has been accompanied by a growing sophistication in the malware itself, with many banking trojans having expanded beyond their original target of online banking access. Indeed, advanced trojans like Emotet now deliver other forms of malware as payloads, after using fraudulent emails, online advertisements, and other forms of social engineering to breach the perimeter.
Cryptocurrency-related incidents up 78%
Figure 1: Cryptocurrency values declined precipitously in 2018 after rapid growth.
Alongside the increase in banking trojans, Darktrace detected 78% growth in the frequency of another under-the-radar threat: crypto-jacking. Defined as the secret usage of computing power to mine cryptocurrency, crypto-jacking operates by the opposite logic of ransomware, acting as a parasite on an organization’s computing systems or injecting hidden code into an organization’s web pages. Whereas ransomware attackers demand payment immediately, cryptocurrency miners seek to go unnoticed for as long as possible.
Deceptive threats like banking trojans and crypto-jacking are particularly elusive when they originate from insiders. In one Fortune 500 e-commerce company this year, Darktrace discovered a privileged access user — a disgruntled systems administrator — hijacking power sources from the company’s infrastructure for his own monetary gain. The employee co-opted other users’ credentials and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.
At the same time, the growth rate of cryptocurrency-related threats is less than in the previous year, likely as a result of the dramatic fall in the value of most cryptocurrencies (see Figure 1). But with many experts anticipating these values to bounce back, we expect crypto-jacking to become far more common in the years to come. The cyber-criminal ecosystem still responds to macroeconomic factors, and as payment systems continue to evolve, so too will attackers’ revenue streams.
The weakest link: still people
The rapid escalation of deceptive and subtle threats — from banking trojans that gain access with social engineering to crypto-jacking carried out by insiders to targeted spear phishing emails — is the product of a fundamental flaw with the traditional approach to cyber defense, which entails securing the perimeter against known threats. Indeed, once an employee, maliciously or inadvertently, compromises the network from the inside, protecting the perimeter does little good. And as we look ahead to 2019, a year likely to be even more dominated by deceptive attacks and internal threats, organizations must seek to better understand their own networks to recognize whenever something is, ever so slightly, amiss.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NEWSLETTER
Like this and want more?
Stay up to date on the latest industry news and insights.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
With the rise of GenAI and novel attacks, organizations can no longer rely solely on traditional network security solutions that depend on historical attack data, such as signatures and detection rules, to identify threats. However, in many cases network security vendors and traditional solutions like IDS/IPS focus on detecting known attacks using historical data. What happens is organizations are left vulnerable to unknown and novel threats, as these approaches only detect known malicious behavior and cannot keep up with unknown threats or zero-day attacks.
Advanced threats
Darktrace's End of Year Threat Report for 2023 highlights significant changes in the cyber threat landscape, particularly due to advancements in technology such as generative AI. The report notes a substantial increase in sophisticated attacks, including those utilizing generative AI, which have made it more challenging for traditional security measures to keep up. The report also details the rise of multi-functional malware, like Black Basta ransomware, which not only encrypts data for ransom but also spreads other types of malware such as the Qbot banking trojan. These complex attacks are increasingly being deployed by advanced cybercriminal groups, underscoring the need for organizations to adopt advanced security measures that can detect and respond to novel threats in real-time.
Defenders need a solution that can level the playing field, especially when they are operating with limited resources and getting overloaded with endless alerts. Most network security tools on the market have a siloed approach and do not integrate with the rest of an organization’s digital estate, but attackers don’t operate in a single domain.
Disparate workforce
With so many organizations continuing to support a remote or hybrid working environment, the need to secure devices that are outside the corporate network or off-VPN is increasingly important. While endpoint protection or endpoint detection and response (EDR) tools are a fundamental part of any security stack, it’s not possible to install an agent on every device, which can leave blind spots in an organization’s attack surface. Managing trust and access policies is also necessary to protect identities, however this comes with its own set of challenges in terms of implementation and minimizing business disruption.
This blog will dive into these challenges and show examples of how Darktrace has helped mitigate risk and stop novel and never-before-seen threats.
Network Security Challenge 1: Managing trust
What is trust in cybersecurity?
Trust in cybersecurity means that an entity can be relied upon. This can involve a person, organization, or system to be authorized or authenticated by proving their identity is legitimate and can be trusted to have access to the network or sensitive information.
Why is trust important in cybersecurity?
Granting access and privileges to your workforce and select affiliates has profound implications for cybersecurity, brand reputation, regulatory compliance, and financial liability. In a traditional network security model, traffic gets divided into two categories — trusted and untrusted — with some entities and segments of the network deemed more creditable than others.
How do you manage trust in cybersecurity?
Zero trust is too little, but any is too much.
Modern network security challenges point to an urgent need for organizations to review and update their approaches to managing trust. External pressure to adopt zero trust security postures literally suggests trusting no one, but that impedes your freedom to do business. IT leaders need a proven but practical process for deciding who should be allowed to use your network and how.
Questions to ask in updating Trusted User policies include:
What process should you follow to place trust in third parties and applications?
Do you subject trusted entities to testing and other due diligence first?
How often do you review this process — and trusted relationships themselves — after making initial decisions?
How do you tell when trusted users should no longer be trusted?
Once trust has been established, security teams need new and better ways to autonomously verify that those transacting within your network are indeed those trusted users that they claim to be, taking only the authorized actions you’ve allowed them to take.
Exploiting trust in the network
Insider threats have a major head start. The opposite of attacks launched by nameless, faceless strangers, insider threats originate through parties once deemed trustworthy. That might mean a current or former member of your workforce or a partner, vendor, investor, or service provider authorized by IT to access corporate systems and data. Threats also arise when a “pawn” gets unwittingly tricked into disclosing credentials or downloading malware.
Common motives for insider attacks include revenge, stealing or leaking sensitive data, taking down IT systems, stealing assets or IP, compromising your organization’s credibility, and simply harassing your workforce. Put simply, rules and signatures based security solutions won’t flag insider threats because an insider does not immediately present themselves as an intruder. Insider threats can only be stopped by an evolving understanding of ‘normal’ for every user that immediately alerts your team when trusted users do something strange.
“By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.” [1]
Darktrace/OT detected a subtle deviation from normal behavior when a reprogram command was sent by an engineering workstation to a PLC controlling a pump, an action an insider threat with legitimized access to OT systems would take to alter the physical process without any malware involved. In this instance, AI Analyst, Darktrace’s investigation tool that triages events to reveal the full security incident, detected the event as unusual based on multiple metrics including the source of the command, the destination device, the time of the activity, and the command itself.
As a result, AI Analyst created a complete security incident, with a natural language summary, the technical details of the activity, and an investigation process explaining how it came to its conclusion. By leveraging Explainable AI, a security team can quickly triage and escalate Darktrace incidents in real time before it becomes disruptive, and even when performed by a trusted insider.
Ransomware is a type of malware that encrypts valuable files on a victim’s device, denying the account holder access, and demanding money in exchange for the encryption key. Ransomware has been increasingly difficult to deal with, especially with ransom payments being made in crypto currency which is untraceable. Ransomware can enter a system by clicking a link dangerous or downloading malicious files.
Avoiding ransomware attacks ranks at the top of most CISOs’ and risk managers’ priority lists, and with good reason. Extortion was involved in 25% of all breaches in 2022, with front-page attacks wreaking havoc across healthcare, gas pipelines, food processing plants, and other global supply chains. [2]
What else is new?
The availability of “DIY” toolkits and subscription-based ransom- ware-as-a-service (RaaS) on the dark web equips novice threat actors to launch highly sophisticated attacks at machine speed. For less than $500, virtually anyone can acquire and tweak RaaS offerings such as Philadelphia that come with accessible customer interfaces, reviews, discounts, and feature updates — all the signature features of commercial SaaS offerings.
The preeminence of ransomware keeps security teams on high alert for indicators of attack but hypervigilance — and too many tools churning out too many alerts — quickly exhausts analysts’ bandwidth. To reverse this trend, AI needs to help prioritize and resolve versus merely detect risk.
Darktrace uses AI to recognize and contextualize possible signs of ransomware attacks as they appear in your network and across multiple domains. Viewing behaviors in the context of your organization’s normal ‘pattern of life’ updates and enhances detection that watches for a repeat of previous techniques.
Darktrace's AI brings the added advantage of continuously analyzing behavior in your environment at machine speed.
Darktrace AI also performs Autonomous Response, shutting down attacks at every stage of the ransomware cycle, including the first telltale signs of exfiltration and encryption of data for extortion purposes.
Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use.
In early 2022, Darktrace/Network identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.
Darktrace’s AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs.
You can’t predict tomorrow’s weather by reading yesterday’s forecast, yet that’s essentially what happens when network security tools only look for known attacks.
What are novel attacks?
“Novel attacks” include unknown or previously unseen exploits such as zero-days, or new variations of known threats that evade existing detection rules.
Depending on how threats get executed, the term “novel” can refer to brand new tactics, techniques, and procedures (TTPs), or to subtle new twists on perennial threats like DoS, DDoS, and Domain Name Server (DNS) attacks.
Old tools may be blind to new threats
Stopping novel threats is less about deciding whom to trust than it is about learning to spot something brand new. As we’ve seen with ransomware, the growing “aaS” attack market creates a profound paradigm shift by allowing non-technical perpetrators to tweak, customize, and coin never-before-seen threats that elude traditional network, email, VPN, and cloud security.
Tools based on traditional rules and signatures lack a frame of reference. This is where AI’s ability to spot and analyze abnormalities in the context of normal patterns of life comes into play.
Darktrace AI spots what other tools miss
Instead of training in cloud data lakes that pool data from unrelated attacks worldwide, Darktrace AI learns about your unique environment from your environment. By flagging and analyzing everything unusual — instead of only known signs of compromise — Darktrace’s Self-Learning AI keeps security stacks from missing less obvious but potentially more dangerous events.
The real challenge here is achieving faster “time to meaning” and contextualizing behavior that might — or might not — be part of a novel attack. Darktrace/Network does not require a “patient zero” to identify a novel attack, or one exploiting a zero-day vulnerability.
In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. Darktrace identified Akira ransomware on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. In cases where Darktrace’s autonomous response was enabled these attacks were mitigated in their early stages, thus minimizing any disruption or damage to customer networks.
Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Security Platform
28
May 2024
What is Citrix Bleed?
Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed. Citrix Bleed, also known as CVE-2023-4966, remained undiscovered and even unpatched for several months, resulting in a wide range of security incidents across business and government sectors [1].
How does Citrix Bleed vulnerability work?
The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.
When used as a means of initial network access, the vulnerability has resulted in the exfiltration of sensitive data, as in the case of Xfinity, and even the deployment of ransomware variants including Lockbit [2]. Although Citrix has released a patch to address the vulnerability, slow patching procedures and the widespread use of these products has resulted in the continuing exploitation of Citrix Bleed into 2024 [3].
How Does Darktrace Handle Citrix Bleed?
Darktrace has demonstrated its proficiency in handling the exploitation of Citrix Bleed since it was disclosed back in 2023; its anomaly-based approach allows it to efficiently identify and inhibit post-exploitation activity as soon as it surfaces. Rather than relying upon traditional rules and signatures, Darktrace’s Self-Learning AI enables it to understand the subtle deviations in a device’s behavior that would indicate an emerging compromise, thus allowing it to detect anomalous activity related to the exploitation of Citrix Bleed.
In late 2023, Darktrace identified an instance of Citrix Bleed exploitation on a customer network. As this customer had subscribed to the Proactive Threat Notification (PTN) service, the suspicious network activity surrounding the compromise was escalated to Darktrace’s Security Operation Center (SOC) for triage and investigation by Darktrace Analysts, who then alerted the customer’s security team to the incident.
Darktrace’s Coverage
Initial Access and Beaconing of Citrix Bleed
Darktrace’s initial detection of indicators of compromise (IoCs) associated with the exploitation of Citrix Bleed actually came a few days prior to the SOC alert, with unusual external connectivity observed from a critical server. The suspicious connection in question, a SSH connection to the rare external IP 168.100.9[.]137, lasted several hours and utilized the Windows PuTTY client. Darktrace also identified an additional suspicious IP, namely 45.134.26[.]2, attempting to contact the server. Both rare endpoints had been linked with the exploitation of the Citrix Bleed vulnerability by multiple open-source intelligence (OSINT) vendors [4] [5].
Figure 1: Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.
As Darktrace is designed to identify network-level anomalies, rather than monitor edge infrastructure, the initial exploitation via the typical HTTP buffer overflow associated with this vulnerability fell outside the scope of Darktrace’s visibility. However, the aforementioned suspicious connectivity likely constituted initial access and beaconing activity following the successful exploitation of Citrix Bleed.
Command and Control (C2) and Payload Download
Around the same time, Darktrace also detected other devices on the customer’s network conducting external connectivity to various endpoints associated with remote management and IT services, including Action1, ScreenConnect and Fixme IT. Additionally, Darktrace observed devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory. While this tool is typically used for auditing and inventory management purposes, it could also be leveraged by attackers for the purpose of lateral movement.
Defense Evasion
In the days surrounding this compromise, Darktrace observed multiple devices engaging in potential defense evasion tactics using the ScreenConnect and Fixme IT services. Although ScreenConnect is a legitimate remote management tool, it has also been used by threat actors to carry out C2 communication [6]. ScreenConnect itself was the subject of a separate critical vulnerability which Darktrace investigated in early 2024. Meanwhile, CISA observed that domains associated with Fixme It (“fixme[.]it”) have been used by threat actors attempting to exploit the Citrix Bleed vulnerability [7].
Reconnaissance and Lateral Movement
A few days after the detection of the initial beaconing communication, Darktrace identified several devices on the customer’s network carrying out reconnaissance and lateral movement activity. This included SMB writes of “PSEXESVC.exe”, network scanning, DCE-RPC binds of numerous internal devices to IPC$ shares and the transfer of compromise-related tools. It was at this point that Darktrace’s Self-Learning AI deemed the activity to be likely indicative of an ongoing compromise and several Enhanced Monitoring models alerted, triggering the aforementioned PTNs and investigation by Darktrace’s SOC.
Darktrace observed a server on the network initiating a wide range of connections to more than 600 internal IPs across several critical ports, suggesting port scanning, as well as conducting unexpected DCE-RPC service control (svcctl) activity on multiple internal devices, amongst them domain controllers. Additionally, several binds to server service (srvsvc) and security account manager (samr) endpoints via IPC$ shares on destination devices were detected, indicating further reconnaissance activity. The querying of these endpoints was also observed through RPC commands to enumerate services running on the device, as well as Security Account Manager (SAM) accounts.
Darktrace also identified devices performing SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration. Further SMB file writes were observed around this time including PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution, and one device was observed making widespread failed NTLM authentication attempts on the network, indicating NTLM brute-forcing. Darktrace observed several devices using administrative credentials to carry out the above activity.
In addition to the transfer of tools and executables via SMB, Darktrace also identified numerous devices deleting files through SMB around this time. In one example, an MSI file associated with the patch management and remediation service, Action1, was deleted by an attacker. This legitimate security tool, if leveraged by attackers, could be used to uncover additional vulnerabilities on target networks.
A server on the customer’s network was also observed writing the file “m.exe” to multiple internal devices. OSINT investigation into the executable indicated that it could be a malicious tool used to prevent antivirus programs from launching or running on a network [8].
Impact and Data Exfiltration
Following the initial steps of the breach chain, Darktrace observed numerous devices on the customer’s network engaging in data exfiltration and impact events, resulting in additional PTN alerts and a SOC investigation into data egress. Specifically, two servers on the network proceeded to read and download large volumes of data via SMB from multiple internal devices over the course of a few hours. These hosts sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443. Darktrace also identified the use of additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io. In total the threat actor exfiltrated over 8.5 GB of data from the customer’s network.
Figure 2: Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.
Finally, Darktrace detected a user account within the customer’s Software-as-a-Service (SaaS) environment conducting several suspicious Office365 and AzureAD actions from a rare IP for the network, including uncommon file reads, creations and the deletion of a large number of files.
Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network and the post-exploitation activity was able to progress until the customer was made aware of the attack by Darktrace’s SOC team. Had RESPOND been active and configured in autonomous response mode at the time of the attack, it would have been able to promptly contain the post-exploitation activity by blocking external connections, shutting down any C2 activity and preventing the download of suspicious files, blocking incoming traffic, and enforcing a learned ‘pattern of life’ on offending devices.
Conclusion
Given the widespread use of Netscaler Gateway and Netscaler ADC, Citrix Bleed remains an impactful and potentially disruptive vulnerability that will likely continue to affect organizations who fail to address affected assets. In this instance, Darktrace demonstrated its ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, enabling the customer to identify affected devices and enact their own remediation.
Darktrace’s anomaly-based approach to threat detection allows it to identify such post-exploitation activity resulting from the exploitation of a vulnerability, regardless of whether it is a known CVE or a zero-day threat. Unlike traditional security tools that rely on existing threat intelligence and rules and signatures, Darktrace’s ability to identify the subtle deviations in a compromised device’s behavior gives it a unique advantage when it comes to identifying emerging threats.
Credit to Vivek Rajan, Cyber Analyst, Adam Potter, Cyber Analyst
Appendices
Darktrace Model Coverage
Device / Suspicious SMB Scanning Activity
Device / ICMP Address Scan
Device / Possible SMB/NTLM Reconnaissance
Device / Network Scan
Device / SMB Lateral Movement
Device / Possible SMB/NTLM Brute Force
Device / Suspicious Network Scan Activity
User / New Admin Credentials on Server
Anomalous File / Internal::Unusual Internal EXE File Transfer
Compliance / SMB Drive Write
Device / New or Unusual Remote Command Execution
Anomalous Connection / New or Uncommon Service Control
Anomalous Connection / Rare WinRM Incoming
Anomalous Connection / Unusual Admin SMB Session
Device / Unauthorised Device
User / New Admin Credentials on Server
Anomalous Server Activity / Outgoing from Server
Device / Long Agent Connection to New Endpoint
Anomalous Connection / Multiple Connections to New External TCP Port
Device / New or Uncommon SMB Named Pipe
Device / Multiple Lateral Movement Model Breaches
Device / Large Number of Model Breaches
Compliance / Remote Management Tool On Server
Device / Anomalous RDP Followed By Multiple Model Breaches
Device / SMB Session Brute Force (Admin)
Device / New User Agent
Compromise / Large Number of Suspicious Failed Connections
Unusual Activity / Unusual External Data Transfer
Unusual Activity / Enhanced Unusual External Data Transfer
Device / Increased External Connectivity
Unusual Activity / Unusual External Data to New Endpoints
Anomalous Connection / Data Sent to Rare Domain
Anomalous Connection / Uncommon 1 GiB Outbound
Anomalous Connection / Active Remote Desktop Tunnel
Anomalous Server Activity / Anomalous External Activity from Critical Network Device
Compliance / Possible Unencrypted Password File On Server
Anomalous Connection / Suspicious Read Write Ratio and Rare External
Device / Reverse DNS Sweep]
Unusual Activity / Possible RPC Recon Activity
Anomalous File / Internal::Executable Uploaded to DC
Compliance / SMB Version 1 Usage
Darktrace AI Analyst Incidents
Scanning of Multiple Devices
Suspicious Remote Service Control Activity
SMB Writes of Suspicious Files to Multiple Devices
Possible SSL Command and Control to Multiple Devices
Extensive Suspicious DCE-RPC Activity
Suspicious DCE-RPC Activity
Internal Downloads and External Uploads
Unusual External Data Transfer
Unusual External Data Transfer to Multiple Related Endpoints
![Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/665644c9d902374aff832499_Screenshot%202024-05-28%20at%201.55.25%20PM.png)
