Learn how Darktrace’s AI identified the Mirai malware in an Internet-connected CTV camera, breaking down each stage of the attack life cycle.
Executive summary
Recently, Darktrace detected an attack targeting an Internet connected camera commonly used in CCTV surveillance. This attack is a variant of the Mirai malware, an old threat that is still used to target IoT devices.
IoT devices, such as Internet-connected cameras, are becoming common in personal and business environments. However, threats targeting IoT are difficult to detect and often go unnoticed since these devices effortlessly connect to digital infrastructure. This results in a greatly increased attack surface for businesses.
Attackers know that security for IoT devices is often severely lacking and continue to target these vulnerable devices.
Since traditional methods of antivirus and other legacy security approaches are powerless on IoT devices, Darktrace’s Cyber AI Platform fills the gap in protecting these essential appliances.
Introduction
In late May, Darktrace detected the Mirai malware infecting an Internet-facing DVR camera owned by a logistics company in Canada. Mirai, first discovered in 2016, continuously scans the Internet for the IP addresses of vulnerable devices in the Internet of Things (IoT), and then turns these devices into bots that can be used as part of botnets for large-scale network attacks.
By drawing on a bespoke, evolving understanding of what is normal for the network, Darktrace caught each stage in this attack’s lifecycle. However, because this company was still conducting their 30-day Proof of Value, Antigena was not in active mode and the attack continued past the point of initial compromise. Had Antigena been in active mode, the attack would not have advanced past initial compromise.
Timeline
Figure 1: This timeline roughly outlines the major attack phases over three days of activity
Technical analysis
At the time of the initial breach, this specific botnet’s infrastructure was not yet known to open source intelligence (OSINT). Darktrace, however, detected an EXE download from a location not previously visited by the network.
After the first anomalous EXE download, another was downloaded approximately twenty minutes later. The malware then reached out to multiple IP addresses that were statistically rare for the network. Specifically, the compromised device began transferring large amounts of data to an IP address in China.
Figure 2: An overview of Darktrace detections
Darktrace, by leveraging machine learning algorithms in a protocol agnostic capacity, analyzed this individual device’s transfers within the context of a continuously evolving understanding of what is normal both for this device and for the wider organization. It was therefore able to immediately flag all of these transfers as unusual.
This activity was fully investigated and reported on by Darktrace’s Cyber AI Analyst. A sample of the AI Analyst’s report is shown below. The Suspicious File Download, the Unusual Repeated Connections, and the Unusual External Data Transfer are all presented as unexpected events that call for further investigation. The destination IP of the suspicious download was determined to have 100% hostname rarity relative to what is normal for the organization.
Figure 3: Darktrace’s Cyber AI Analyst autonomously triages the attack
Moreover, the hash of the file, highlighted in a red box in the figure above, revealed that it was a well-known file related to the Mirai Botnet. However, with no antivirus or other security defending the IoT camera, this had gone undetected.
A one-click analysis of the infected device shows a timeline of the model breaches that occurred and graphs the activity to give the report’s readers a quick understanding of the successive stages of the attack. Here, we see the second and third stages of the attack’s lifecycle, in which it starts DDoS against other devices in order to complete its mission while simultaneously continuing outgoing connections to rare destinations in order to sustain its presence.
Figure 4: The device event log showing the list of model breaches on May 23
Conclusion
Interestingly, the client saw no indicators of this activity beyond a sluggish network. This change in network activity was only explained after being identified by Darktrace. Once the client was promptly notified, the compromise was deescalated, and discovering it was a DVR security camera, the client took the device offline.
As this customer was still concluding their trial deployment, Antigena was not in full autonomous mode. However, if it had been, Antigena would have responded with a two-tiered action to prevent the device from communicating with the malicious endpoint, cutting the compromised connection before the attack had gained its foothold.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
With the rise of GenAI and novel attacks, organizations can no longer rely solely on traditional network security solutions that depend on historical attack data, such as signatures and detection rules, to identify threats. However, in many cases network security vendors and traditional solutions like IDS/IPS focus on detecting known attacks using historical data. What happens is organizations are left vulnerable to unknown and novel threats, as these approaches only detect known malicious behavior and cannot keep up with unknown threats or zero-day attacks.
Advanced threats
Darktrace's End of Year Threat Report for 2023 highlights significant changes in the cyber threat landscape, particularly due to advancements in technology such as generative AI. The report notes a substantial increase in sophisticated attacks, including those utilizing generative AI, which have made it more challenging for traditional security measures to keep up. The report also details the rise of multi-functional malware, like Black Basta ransomware, which not only encrypts data for ransom but also spreads other types of malware such as the Qbot banking trojan. These complex attacks are increasingly being deployed by advanced cybercriminal groups, underscoring the need for organizations to adopt advanced security measures that can detect and respond to novel threats in real-time.
Defenders need a solution that can level the playing field, especially when they are operating with limited resources and getting overloaded with endless alerts. Most network security tools on the market have a siloed approach and do not integrate with the rest of an organization’s digital estate, but attackers don’t operate in a single domain.
Disparate workforce
With so many organizations continuing to support a remote or hybrid working environment, the need to secure devices that are outside the corporate network or off-VPN is increasingly important. While endpoint protection or endpoint detection and response (EDR) tools are a fundamental part of any security stack, it’s not possible to install an agent on every device, which can leave blind spots in an organization’s attack surface. Managing trust and access policies is also necessary to protect identities, however this comes with its own set of challenges in terms of implementation and minimizing business disruption.
This blog will dive into these challenges and show examples of how Darktrace has helped mitigate risk and stop novel and never-before-seen threats.
Network Security Challenge 1: Managing trust
What is trust in cybersecurity?
Trust in cybersecurity means that an entity can be relied upon. This can involve a person, organization, or system to be authorized or authenticated by proving their identity is legitimate and can be trusted to have access to the network or sensitive information.
Why is trust important in cybersecurity?
Granting access and privileges to your workforce and select affiliates has profound implications for cybersecurity, brand reputation, regulatory compliance, and financial liability. In a traditional network security model, traffic gets divided into two categories — trusted and untrusted — with some entities and segments of the network deemed more creditable than others.
How do you manage trust in cybersecurity?
Zero trust is too little, but any is too much.
Modern network security challenges point to an urgent need for organizations to review and update their approaches to managing trust. External pressure to adopt zero trust security postures literally suggests trusting no one, but that impedes your freedom to do business. IT leaders need a proven but practical process for deciding who should be allowed to use your network and how.
Questions to ask in updating Trusted User policies include:
What process should you follow to place trust in third parties and applications?
Do you subject trusted entities to testing and other due diligence first?
How often do you review this process — and trusted relationships themselves — after making initial decisions?
How do you tell when trusted users should no longer be trusted?
Once trust has been established, security teams need new and better ways to autonomously verify that those transacting within your network are indeed those trusted users that they claim to be, taking only the authorized actions you’ve allowed them to take.
Exploiting trust in the network
Insider threats have a major head start. The opposite of attacks launched by nameless, faceless strangers, insider threats originate through parties once deemed trustworthy. That might mean a current or former member of your workforce or a partner, vendor, investor, or service provider authorized by IT to access corporate systems and data. Threats also arise when a “pawn” gets unwittingly tricked into disclosing credentials or downloading malware.
Common motives for insider attacks include revenge, stealing or leaking sensitive data, taking down IT systems, stealing assets or IP, compromising your organization’s credibility, and simply harassing your workforce. Put simply, rules and signatures based security solutions won’t flag insider threats because an insider does not immediately present themselves as an intruder. Insider threats can only be stopped by an evolving understanding of ‘normal’ for every user that immediately alerts your team when trusted users do something strange.
“By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.” [1]
Darktrace/OT detected a subtle deviation from normal behavior when a reprogram command was sent by an engineering workstation to a PLC controlling a pump, an action an insider threat with legitimized access to OT systems would take to alter the physical process without any malware involved. In this instance, AI Analyst, Darktrace’s investigation tool that triages events to reveal the full security incident, detected the event as unusual based on multiple metrics including the source of the command, the destination device, the time of the activity, and the command itself.
As a result, AI Analyst created a complete security incident, with a natural language summary, the technical details of the activity, and an investigation process explaining how it came to its conclusion. By leveraging Explainable AI, a security team can quickly triage and escalate Darktrace incidents in real time before it becomes disruptive, and even when performed by a trusted insider.
Ransomware is a type of malware that encrypts valuable files on a victim’s device, denying the account holder access, and demanding money in exchange for the encryption key. Ransomware has been increasingly difficult to deal with, especially with ransom payments being made in crypto currency which is untraceable. Ransomware can enter a system by clicking a link dangerous or downloading malicious files.
Avoiding ransomware attacks ranks at the top of most CISOs’ and risk managers’ priority lists, and with good reason. Extortion was involved in 25% of all breaches in 2022, with front-page attacks wreaking havoc across healthcare, gas pipelines, food processing plants, and other global supply chains. [2]
What else is new?
The availability of “DIY” toolkits and subscription-based ransom- ware-as-a-service (RaaS) on the dark web equips novice threat actors to launch highly sophisticated attacks at machine speed. For less than $500, virtually anyone can acquire and tweak RaaS offerings such as Philadelphia that come with accessible customer interfaces, reviews, discounts, and feature updates — all the signature features of commercial SaaS offerings.
The preeminence of ransomware keeps security teams on high alert for indicators of attack but hypervigilance — and too many tools churning out too many alerts — quickly exhausts analysts’ bandwidth. To reverse this trend, AI needs to help prioritize and resolve versus merely detect risk.
Darktrace uses AI to recognize and contextualize possible signs of ransomware attacks as they appear in your network and across multiple domains. Viewing behaviors in the context of your organization’s normal ‘pattern of life’ updates and enhances detection that watches for a repeat of previous techniques.
Darktrace's AI brings the added advantage of continuously analyzing behavior in your environment at machine speed.
Darktrace AI also performs Autonomous Response, shutting down attacks at every stage of the ransomware cycle, including the first telltale signs of exfiltration and encryption of data for extortion purposes.
Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use.
In early 2022, Darktrace/Network identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.
Darktrace’s AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs.
You can’t predict tomorrow’s weather by reading yesterday’s forecast, yet that’s essentially what happens when network security tools only look for known attacks.
What are novel attacks?
“Novel attacks” include unknown or previously unseen exploits such as zero-days, or new variations of known threats that evade existing detection rules.
Depending on how threats get executed, the term “novel” can refer to brand new tactics, techniques, and procedures (TTPs), or to subtle new twists on perennial threats like DoS, DDoS, and Domain Name Server (DNS) attacks.
Old tools may be blind to new threats
Stopping novel threats is less about deciding whom to trust than it is about learning to spot something brand new. As we’ve seen with ransomware, the growing “aaS” attack market creates a profound paradigm shift by allowing non-technical perpetrators to tweak, customize, and coin never-before-seen threats that elude traditional network, email, VPN, and cloud security.
Tools based on traditional rules and signatures lack a frame of reference. This is where AI’s ability to spot and analyze abnormalities in the context of normal patterns of life comes into play.
Darktrace AI spots what other tools miss
Instead of training in cloud data lakes that pool data from unrelated attacks worldwide, Darktrace AI learns about your unique environment from your environment. By flagging and analyzing everything unusual — instead of only known signs of compromise — Darktrace’s Self-Learning AI keeps security stacks from missing less obvious but potentially more dangerous events.
The real challenge here is achieving faster “time to meaning” and contextualizing behavior that might — or might not — be part of a novel attack. Darktrace/Network does not require a “patient zero” to identify a novel attack, or one exploiting a zero-day vulnerability.
In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. Darktrace identified Akira ransomware on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. In cases where Darktrace’s autonomous response was enabled these attacks were mitigated in their early stages, thus minimizing any disruption or damage to customer networks.
Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Platform
28
May 2024
What is Citrix Bleed?
Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed. Citrix Bleed, also known as CVE-2023-4966, remained undiscovered and even unpatched for several months, resulting in a wide range of security incidents across business and government sectors [1].
How does Citrix Bleed vulnerability work?
The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.
When used as a means of initial network access, the vulnerability has resulted in the exfiltration of sensitive data, as in the case of Xfinity, and even the deployment of ransomware variants including Lockbit [2]. Although Citrix has released a patch to address the vulnerability, slow patching procedures and the widespread use of these products has resulted in the continuing exploitation of Citrix Bleed into 2024 [3].
How Does Darktrace Handle Citrix Bleed?
Darktrace has demonstrated its proficiency in handling the exploitation of Citrix Bleed since it was disclosed back in 2023; its anomaly-based approach allows it to efficiently identify and inhibit post-exploitation activity as soon as it surfaces. Rather than relying upon traditional rules and signatures, Darktrace’s Self-Learning AI enables it to understand the subtle deviations in a device’s behavior that would indicate an emerging compromise, thus allowing it to detect anomalous activity related to the exploitation of Citrix Bleed.
In late 2023, Darktrace identified an instance of Citrix Bleed exploitation on a customer network. As this customer had subscribed to the Proactive Threat Notification (PTN) service, the suspicious network activity surrounding the compromise was escalated to Darktrace’s Security Operation Center (SOC) for triage and investigation by Darktrace Analysts, who then alerted the customer’s security team to the incident.
Darktrace’s Coverage
Initial Access and Beaconing of Citrix Bleed
Darktrace’s initial detection of indicators of compromise (IoCs) associated with the exploitation of Citrix Bleed actually came a few days prior to the SOC alert, with unusual external connectivity observed from a critical server. The suspicious connection in question, a SSH connection to the rare external IP 168.100.9[.]137, lasted several hours and utilized the Windows PuTTY client. Darktrace also identified an additional suspicious IP, namely 45.134.26[.]2, attempting to contact the server. Both rare endpoints had been linked with the exploitation of the Citrix Bleed vulnerability by multiple open-source intelligence (OSINT) vendors [4] [5].
Figure 1: Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.
As Darktrace is designed to identify network-level anomalies, rather than monitor edge infrastructure, the initial exploitation via the typical HTTP buffer overflow associated with this vulnerability fell outside the scope of Darktrace’s visibility. However, the aforementioned suspicious connectivity likely constituted initial access and beaconing activity following the successful exploitation of Citrix Bleed.
Command and Control (C2) and Payload Download
Around the same time, Darktrace also detected other devices on the customer’s network conducting external connectivity to various endpoints associated with remote management and IT services, including Action1, ScreenConnect and Fixme IT. Additionally, Darktrace observed devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory. While this tool is typically used for auditing and inventory management purposes, it could also be leveraged by attackers for the purpose of lateral movement.
Defense Evasion
In the days surrounding this compromise, Darktrace observed multiple devices engaging in potential defense evasion tactics using the ScreenConnect and Fixme IT services. Although ScreenConnect is a legitimate remote management tool, it has also been used by threat actors to carry out C2 communication [6]. ScreenConnect itself was the subject of a separate critical vulnerability which Darktrace investigated in early 2024. Meanwhile, CISA observed that domains associated with Fixme It (“fixme[.]it”) have been used by threat actors attempting to exploit the Citrix Bleed vulnerability [7].
Reconnaissance and Lateral Movement
A few days after the detection of the initial beaconing communication, Darktrace identified several devices on the customer’s network carrying out reconnaissance and lateral movement activity. This included SMB writes of “PSEXESVC.exe”, network scanning, DCE-RPC binds of numerous internal devices to IPC$ shares and the transfer of compromise-related tools. It was at this point that Darktrace’s Self-Learning AI deemed the activity to be likely indicative of an ongoing compromise and several Enhanced Monitoring models alerted, triggering the aforementioned PTNs and investigation by Darktrace’s SOC.
Darktrace observed a server on the network initiating a wide range of connections to more than 600 internal IPs across several critical ports, suggesting port scanning, as well as conducting unexpected DCE-RPC service control (svcctl) activity on multiple internal devices, amongst them domain controllers. Additionally, several binds to server service (srvsvc) and security account manager (samr) endpoints via IPC$ shares on destination devices were detected, indicating further reconnaissance activity. The querying of these endpoints was also observed through RPC commands to enumerate services running on the device, as well as Security Account Manager (SAM) accounts.
Darktrace also identified devices performing SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration. Further SMB file writes were observed around this time including PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution, and one device was observed making widespread failed NTLM authentication attempts on the network, indicating NTLM brute-forcing. Darktrace observed several devices using administrative credentials to carry out the above activity.
In addition to the transfer of tools and executables via SMB, Darktrace also identified numerous devices deleting files through SMB around this time. In one example, an MSI file associated with the patch management and remediation service, Action1, was deleted by an attacker. This legitimate security tool, if leveraged by attackers, could be used to uncover additional vulnerabilities on target networks.
A server on the customer’s network was also observed writing the file “m.exe” to multiple internal devices. OSINT investigation into the executable indicated that it could be a malicious tool used to prevent antivirus programs from launching or running on a network [8].
Impact and Data Exfiltration
Following the initial steps of the breach chain, Darktrace observed numerous devices on the customer’s network engaging in data exfiltration and impact events, resulting in additional PTN alerts and a SOC investigation into data egress. Specifically, two servers on the network proceeded to read and download large volumes of data via SMB from multiple internal devices over the course of a few hours. These hosts sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443. Darktrace also identified the use of additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io. In total the threat actor exfiltrated over 8.5 GB of data from the customer’s network.
Figure 2: Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.
Finally, Darktrace detected a user account within the customer’s Software-as-a-Service (SaaS) environment conducting several suspicious Office365 and AzureAD actions from a rare IP for the network, including uncommon file reads, creations and the deletion of a large number of files.
Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network and the post-exploitation activity was able to progress until the customer was made aware of the attack by Darktrace’s SOC team. Had RESPOND been active and configured in autonomous response mode at the time of the attack, it would have been able to promptly contain the post-exploitation activity by blocking external connections, shutting down any C2 activity and preventing the download of suspicious files, blocking incoming traffic, and enforcing a learned ‘pattern of life’ on offending devices.
Conclusion
Given the widespread use of Netscaler Gateway and Netscaler ADC, Citrix Bleed remains an impactful and potentially disruptive vulnerability that will likely continue to affect organizations who fail to address affected assets. In this instance, Darktrace demonstrated its ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, enabling the customer to identify affected devices and enact their own remediation.
Darktrace’s anomaly-based approach to threat detection allows it to identify such post-exploitation activity resulting from the exploitation of a vulnerability, regardless of whether it is a known CVE or a zero-day threat. Unlike traditional security tools that rely on existing threat intelligence and rules and signatures, Darktrace’s ability to identify the subtle deviations in a compromised device’s behavior gives it a unique advantage when it comes to identifying emerging threats.
Credit to Vivek Rajan, Cyber Analyst, Adam Potter, Cyber Analyst
Appendices
Darktrace Model Coverage
Device / Suspicious SMB Scanning Activity
Device / ICMP Address Scan
Device / Possible SMB/NTLM Reconnaissance
Device / Network Scan
Device / SMB Lateral Movement
Device / Possible SMB/NTLM Brute Force
Device / Suspicious Network Scan Activity
User / New Admin Credentials on Server
Anomalous File / Internal::Unusual Internal EXE File Transfer
Compliance / SMB Drive Write
Device / New or Unusual Remote Command Execution
Anomalous Connection / New or Uncommon Service Control
Anomalous Connection / Rare WinRM Incoming
Anomalous Connection / Unusual Admin SMB Session
Device / Unauthorised Device
User / New Admin Credentials on Server
Anomalous Server Activity / Outgoing from Server
Device / Long Agent Connection to New Endpoint
Anomalous Connection / Multiple Connections to New External TCP Port
Device / New or Uncommon SMB Named Pipe
Device / Multiple Lateral Movement Model Breaches
Device / Large Number of Model Breaches
Compliance / Remote Management Tool On Server
Device / Anomalous RDP Followed By Multiple Model Breaches
Device / SMB Session Brute Force (Admin)
Device / New User Agent
Compromise / Large Number of Suspicious Failed Connections
Unusual Activity / Unusual External Data Transfer
Unusual Activity / Enhanced Unusual External Data Transfer
Device / Increased External Connectivity
Unusual Activity / Unusual External Data to New Endpoints
Anomalous Connection / Data Sent to Rare Domain
Anomalous Connection / Uncommon 1 GiB Outbound
Anomalous Connection / Active Remote Desktop Tunnel
Anomalous Server Activity / Anomalous External Activity from Critical Network Device
Compliance / Possible Unencrypted Password File On Server
Anomalous Connection / Suspicious Read Write Ratio and Rare External
Device / Reverse DNS Sweep]
Unusual Activity / Possible RPC Recon Activity
Anomalous File / Internal::Executable Uploaded to DC
Compliance / SMB Version 1 Usage
Darktrace AI Analyst Incidents
Scanning of Multiple Devices
Suspicious Remote Service Control Activity
SMB Writes of Suspicious Files to Multiple Devices
Possible SSL Command and Control to Multiple Devices
Extensive Suspicious DCE-RPC Activity
Suspicious DCE-RPC Activity
Internal Downloads and External Uploads
Unusual External Data Transfer
Unusual External Data Transfer to Multiple Related Endpoints
![Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/665644c9d902374aff832499_Screenshot%202024-05-28%20at%201.55.25%20PM.png)
