Attack trends: Cloud-Based Cyber-Attacks and the Rise of Alternative Initial Access Methods
29
Apr 2024
29
Apr 2024
Using data from Darktrace's End of Year Threat Report 2023 this blog details how cyber attackers are increasingly using cloud-based services including Dropbox and Microsoft 365 to stealthily bypass detection by traditional email security solutions.
What is the primary entry point for malware attacks?
Phishing attacks targeting employee inboxes are the most common initial access method used by malicious threat actors to deliver malware.
What are new entry points cyber attackers are using?
While traditional phishing attacks are very common for attackers, they are not the only method threat actors are using to initiate malware delivery and other malicious campaigns of cyber disruption.
For its End of Year Threat Report, Darktrace analyzed attacks targeting customer environments. While email remains the most common means of attempted initial compromise, the second half of 2023 saw a significant rise in alternative initial access methods.
Much of this is taking advantage of cloud-base applications and collaboration tools including Dropbox, Microsoft Teams, and SharePoint which have become fundamental to how organizations operate in the era of hybrid work.
DarkGate exploits Microsoft Teams
Darktrace analysts have seen threat actors attempting to infect target networks with malware by leveraging Microsoft Teams and SharePoint.
In one example, Darktrace detected an attacker delivering DarkGate a trojan used to download other malware, by sending messages and attachments in Microsoft Teams and SharePoint.
The External Access functionality in Microsoft Teams allows users to contact people who aren’t in their organization. It’s designed as a tool to aid collaboration, but threat actors have realized they can abuse it for their own gain.
Users are told to lookout for suspicious email phishing messages, but often this thinking isn’t applied to Microsoft Teams and other collaboration platforms.
Messages from outside the organization are marked with a note that they are coming from an external source, but a well-designed phishing message with an urgent call to action can persuade the target to ignore this, driving them towards an external SharePoint URL, which tricks the user into downloading and installing malware.
Because this happens outside of the inbox, the activity can be missed by traditional email security solutions. Fortunately, in this case, it was detected by Darktrace DETECT and the activity was contained by Darktrace RESPOND before it could drop any additional malware.
Dropbox has established itself as a leading cloud storage service by allowing users to share and access files, no matter where they are in the world or what device they’re using. But while this is legitimate and useful for organizations, it has also opened a new avenue for threat actors to exploit.
Dropbox as an attack vector
Darktrace recently detected attackers attempting to leverage Dropbox as an initial access method. Emails from ‘no-reply@dropbox[.]com’ – a legitimate email address – were sent to employees at a Darktrace customer.
The emails contained a link to push users towards to a PDF file hosted on Dropbox, which in turn contained a phishing link which if followed, took users to a convincing looking spoof of a Microsoft 365 login page designed to steal usernames and passwords.
A user fell victim to this campaign, unwittingly entering their Microsoft 365 credentials. Shortly after that, Darktrace/Apps started to see suspicious activity relating to the account, with multiple logins from unusual locations which had never been associated with the account previously.
While many traditional security solutions successfully detect and disrupt email-based attacks, many struggle with cloud-based apps and services like Dropbox, Microsoft 365 and others.
There are several reasons for this, including the way in which the use of multiple different cloud services fragments the attack surface, making it hard for network administrators to keep track of everything, alongside the way in which some security solutions don’t take behavior into account in a system which can be accessed from anywhere. That means even from the other side of the world, attackers who have the right cloud credentials could access the network, potentially without being disrupted.
Why are attackers turning to alternative access methods?
Attackers are turning to alternative methods because delivering malicious links and payloads via cloud-based services potentially bypasses traditional cybersecurity protections. That, combined with how attackers can take legitimate login credentials to access system means attackers actions can’t be easily traced.
This rise in alternative initial access methods is likely a result of the continued development and enhancement of traditional email security solutions. But in the cat and mouse game of cybersecurity, threat actors continue to evolve new techniques to get by defenses.
Darktrace’s Self-Learning AI learns the unique digital environment and patterns of each business, meaning it can recognize subtle deviations in activity, even within cloud services, helping to mitigate and neutralize attacks and helping to keep your organization safe from cyber disruption.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
With the rise of GenAI and novel attacks, organizations can no longer rely solely on traditional network security solutions that depend on historical attack data, such as signatures and detection rules, to identify threats. However, in many cases network security vendors and traditional solutions like IDS/IPS focus on detecting known attacks using historical data. What happens is organizations are left vulnerable to unknown and novel threats, as these approaches only detect known malicious behavior and cannot keep up with unknown threats or zero-day attacks.
Advanced threats
Darktrace's End of Year Threat Report for 2023 highlights significant changes in the cyber threat landscape, particularly due to advancements in technology such as generative AI. The report notes a substantial increase in sophisticated attacks, including those utilizing generative AI, which have made it more challenging for traditional security measures to keep up. The report also details the rise of multi-functional malware, like Black Basta ransomware, which not only encrypts data for ransom but also spreads other types of malware such as the Qbot banking trojan. These complex attacks are increasingly being deployed by advanced cybercriminal groups, underscoring the need for organizations to adopt advanced security measures that can detect and respond to novel threats in real-time.
Defenders need a solution that can level the playing field, especially when they are operating with limited resources and getting overloaded with endless alerts. Most network security tools on the market have a siloed approach and do not integrate with the rest of an organization’s digital estate, but attackers don’t operate in a single domain.
Disparate workforce
With so many organizations continuing to support a remote or hybrid working environment, the need to secure devices that are outside the corporate network or off-VPN is increasingly important. While endpoint protection or endpoint detection and response (EDR) tools are a fundamental part of any security stack, it’s not possible to install an agent on every device, which can leave blind spots in an organization’s attack surface. Managing trust and access policies is also necessary to protect identities, however this comes with its own set of challenges in terms of implementation and minimizing business disruption.
This blog will dive into these challenges and show examples of how Darktrace has helped mitigate risk and stop novel and never-before-seen threats.
Network Security Challenge 1: Managing trust
What is trust in cybersecurity?
Trust in cybersecurity means that an entity can be relied upon. This can involve a person, organization, or system to be authorized or authenticated by proving their identity is legitimate and can be trusted to have access to the network or sensitive information.
Why is trust important in cybersecurity?
Granting access and privileges to your workforce and select affiliates has profound implications for cybersecurity, brand reputation, regulatory compliance, and financial liability. In a traditional network security model, traffic gets divided into two categories — trusted and untrusted — with some entities and segments of the network deemed more creditable than others.
How do you manage trust in cybersecurity?
Zero trust is too little, but any is too much.
Modern network security challenges point to an urgent need for organizations to review and update their approaches to managing trust. External pressure to adopt zero trust security postures literally suggests trusting no one, but that impedes your freedom to do business. IT leaders need a proven but practical process for deciding who should be allowed to use your network and how.
Questions to ask in updating Trusted User policies include:
What process should you follow to place trust in third parties and applications?
Do you subject trusted entities to testing and other due diligence first?
How often do you review this process — and trusted relationships themselves — after making initial decisions?
How do you tell when trusted users should no longer be trusted?
Once trust has been established, security teams need new and better ways to autonomously verify that those transacting within your network are indeed those trusted users that they claim to be, taking only the authorized actions you’ve allowed them to take.
Exploiting trust in the network
Insider threats have a major head start. The opposite of attacks launched by nameless, faceless strangers, insider threats originate through parties once deemed trustworthy. That might mean a current or former member of your workforce or a partner, vendor, investor, or service provider authorized by IT to access corporate systems and data. Threats also arise when a “pawn” gets unwittingly tricked into disclosing credentials or downloading malware.
Common motives for insider attacks include revenge, stealing or leaking sensitive data, taking down IT systems, stealing assets or IP, compromising your organization’s credibility, and simply harassing your workforce. Put simply, rules and signatures based security solutions won’t flag insider threats because an insider does not immediately present themselves as an intruder. Insider threats can only be stopped by an evolving understanding of ‘normal’ for every user that immediately alerts your team when trusted users do something strange.
“By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.” [1]
Darktrace/OT detected a subtle deviation from normal behavior when a reprogram command was sent by an engineering workstation to a PLC controlling a pump, an action an insider threat with legitimized access to OT systems would take to alter the physical process without any malware involved. In this instance, AI Analyst, Darktrace’s investigation tool that triages events to reveal the full security incident, detected the event as unusual based on multiple metrics including the source of the command, the destination device, the time of the activity, and the command itself.
As a result, AI Analyst created a complete security incident, with a natural language summary, the technical details of the activity, and an investigation process explaining how it came to its conclusion. By leveraging Explainable AI, a security team can quickly triage and escalate Darktrace incidents in real time before it becomes disruptive, and even when performed by a trusted insider.
Ransomware is a type of malware that encrypts valuable files on a victim’s device, denying the account holder access, and demanding money in exchange for the encryption key. Ransomware has been increasingly difficult to deal with, especially with ransom payments being made in crypto currency which is untraceable. Ransomware can enter a system by clicking a link dangerous or downloading malicious files.
Avoiding ransomware attacks ranks at the top of most CISOs’ and risk managers’ priority lists, and with good reason. Extortion was involved in 25% of all breaches in 2022, with front-page attacks wreaking havoc across healthcare, gas pipelines, food processing plants, and other global supply chains. [2]
What else is new?
The availability of “DIY” toolkits and subscription-based ransom- ware-as-a-service (RaaS) on the dark web equips novice threat actors to launch highly sophisticated attacks at machine speed. For less than $500, virtually anyone can acquire and tweak RaaS offerings such as Philadelphia that come with accessible customer interfaces, reviews, discounts, and feature updates — all the signature features of commercial SaaS offerings.
The preeminence of ransomware keeps security teams on high alert for indicators of attack but hypervigilance — and too many tools churning out too many alerts — quickly exhausts analysts’ bandwidth. To reverse this trend, AI needs to help prioritize and resolve versus merely detect risk.
Darktrace uses AI to recognize and contextualize possible signs of ransomware attacks as they appear in your network and across multiple domains. Viewing behaviors in the context of your organization’s normal ‘pattern of life’ updates and enhances detection that watches for a repeat of previous techniques.
Darktrace's AI brings the added advantage of continuously analyzing behavior in your environment at machine speed.
Darktrace AI also performs Autonomous Response, shutting down attacks at every stage of the ransomware cycle, including the first telltale signs of exfiltration and encryption of data for extortion purposes.
Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use.
In early 2022, Darktrace/Network identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.
Darktrace’s AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs.
You can’t predict tomorrow’s weather by reading yesterday’s forecast, yet that’s essentially what happens when network security tools only look for known attacks.
What are novel attacks?
“Novel attacks” include unknown or previously unseen exploits such as zero-days, or new variations of known threats that evade existing detection rules.
Depending on how threats get executed, the term “novel” can refer to brand new tactics, techniques, and procedures (TTPs), or to subtle new twists on perennial threats like DoS, DDoS, and Domain Name Server (DNS) attacks.
Old tools may be blind to new threats
Stopping novel threats is less about deciding whom to trust than it is about learning to spot something brand new. As we’ve seen with ransomware, the growing “aaS” attack market creates a profound paradigm shift by allowing non-technical perpetrators to tweak, customize, and coin never-before-seen threats that elude traditional network, email, VPN, and cloud security.
Tools based on traditional rules and signatures lack a frame of reference. This is where AI’s ability to spot and analyze abnormalities in the context of normal patterns of life comes into play.
Darktrace AI spots what other tools miss
Instead of training in cloud data lakes that pool data from unrelated attacks worldwide, Darktrace AI learns about your unique environment from your environment. By flagging and analyzing everything unusual — instead of only known signs of compromise — Darktrace’s Self-Learning AI keeps security stacks from missing less obvious but potentially more dangerous events.
The real challenge here is achieving faster “time to meaning” and contextualizing behavior that might — or might not — be part of a novel attack. Darktrace/Network does not require a “patient zero” to identify a novel attack, or one exploiting a zero-day vulnerability.
In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. Darktrace identified Akira ransomware on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. In cases where Darktrace’s autonomous response was enabled these attacks were mitigated in their early stages, thus minimizing any disruption or damage to customer networks.
Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Security Platform
28
May 2024
What is Citrix Bleed?
Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed. Citrix Bleed, also known as CVE-2023-4966, remained undiscovered and even unpatched for several months, resulting in a wide range of security incidents across business and government sectors [1].
How does Citrix Bleed vulnerability work?
The vulnerability, which impacts the Citrix Netscaler Gateway and Netscaler ADC products, allows for outside parties to hijack legitimate user sessions, thereby bypassing password and multifactor authentication (MFA) requirements.
When used as a means of initial network access, the vulnerability has resulted in the exfiltration of sensitive data, as in the case of Xfinity, and even the deployment of ransomware variants including Lockbit [2]. Although Citrix has released a patch to address the vulnerability, slow patching procedures and the widespread use of these products has resulted in the continuing exploitation of Citrix Bleed into 2024 [3].
How Does Darktrace Handle Citrix Bleed?
Darktrace has demonstrated its proficiency in handling the exploitation of Citrix Bleed since it was disclosed back in 2023; its anomaly-based approach allows it to efficiently identify and inhibit post-exploitation activity as soon as it surfaces. Rather than relying upon traditional rules and signatures, Darktrace’s Self-Learning AI enables it to understand the subtle deviations in a device’s behavior that would indicate an emerging compromise, thus allowing it to detect anomalous activity related to the exploitation of Citrix Bleed.
In late 2023, Darktrace identified an instance of Citrix Bleed exploitation on a customer network. As this customer had subscribed to the Proactive Threat Notification (PTN) service, the suspicious network activity surrounding the compromise was escalated to Darktrace’s Security Operation Center (SOC) for triage and investigation by Darktrace Analysts, who then alerted the customer’s security team to the incident.
Darktrace’s Coverage
Initial Access and Beaconing of Citrix Bleed
Darktrace’s initial detection of indicators of compromise (IoCs) associated with the exploitation of Citrix Bleed actually came a few days prior to the SOC alert, with unusual external connectivity observed from a critical server. The suspicious connection in question, a SSH connection to the rare external IP 168.100.9[.]137, lasted several hours and utilized the Windows PuTTY client. Darktrace also identified an additional suspicious IP, namely 45.134.26[.]2, attempting to contact the server. Both rare endpoints had been linked with the exploitation of the Citrix Bleed vulnerability by multiple open-source intelligence (OSINT) vendors [4] [5].
Figure 1: Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.
As Darktrace is designed to identify network-level anomalies, rather than monitor edge infrastructure, the initial exploitation via the typical HTTP buffer overflow associated with this vulnerability fell outside the scope of Darktrace’s visibility. However, the aforementioned suspicious connectivity likely constituted initial access and beaconing activity following the successful exploitation of Citrix Bleed.
Command and Control (C2) and Payload Download
Around the same time, Darktrace also detected other devices on the customer’s network conducting external connectivity to various endpoints associated with remote management and IT services, including Action1, ScreenConnect and Fixme IT. Additionally, Darktrace observed devices downloading suspicious executable files, including “tniwinagent.exe”, which is associated with the tool Total Network Inventory. While this tool is typically used for auditing and inventory management purposes, it could also be leveraged by attackers for the purpose of lateral movement.
Defense Evasion
In the days surrounding this compromise, Darktrace observed multiple devices engaging in potential defense evasion tactics using the ScreenConnect and Fixme IT services. Although ScreenConnect is a legitimate remote management tool, it has also been used by threat actors to carry out C2 communication [6]. ScreenConnect itself was the subject of a separate critical vulnerability which Darktrace investigated in early 2024. Meanwhile, CISA observed that domains associated with Fixme It (“fixme[.]it”) have been used by threat actors attempting to exploit the Citrix Bleed vulnerability [7].
Reconnaissance and Lateral Movement
A few days after the detection of the initial beaconing communication, Darktrace identified several devices on the customer’s network carrying out reconnaissance and lateral movement activity. This included SMB writes of “PSEXESVC.exe”, network scanning, DCE-RPC binds of numerous internal devices to IPC$ shares and the transfer of compromise-related tools. It was at this point that Darktrace’s Self-Learning AI deemed the activity to be likely indicative of an ongoing compromise and several Enhanced Monitoring models alerted, triggering the aforementioned PTNs and investigation by Darktrace’s SOC.
Darktrace observed a server on the network initiating a wide range of connections to more than 600 internal IPs across several critical ports, suggesting port scanning, as well as conducting unexpected DCE-RPC service control (svcctl) activity on multiple internal devices, amongst them domain controllers. Additionally, several binds to server service (srvsvc) and security account manager (samr) endpoints via IPC$ shares on destination devices were detected, indicating further reconnaissance activity. The querying of these endpoints was also observed through RPC commands to enumerate services running on the device, as well as Security Account Manager (SAM) accounts.
Darktrace also identified devices performing SMB writes of the WinRAR data compression tool, in what likely represented preparation for the compression of data prior to data exfiltration. Further SMB file writes were observed around this time including PSEXESVC.exe, which was ultimately used by attackers to conduct remote code execution, and one device was observed making widespread failed NTLM authentication attempts on the network, indicating NTLM brute-forcing. Darktrace observed several devices using administrative credentials to carry out the above activity.
In addition to the transfer of tools and executables via SMB, Darktrace also identified numerous devices deleting files through SMB around this time. In one example, an MSI file associated with the patch management and remediation service, Action1, was deleted by an attacker. This legitimate security tool, if leveraged by attackers, could be used to uncover additional vulnerabilities on target networks.
A server on the customer’s network was also observed writing the file “m.exe” to multiple internal devices. OSINT investigation into the executable indicated that it could be a malicious tool used to prevent antivirus programs from launching or running on a network [8].
Impact and Data Exfiltration
Following the initial steps of the breach chain, Darktrace observed numerous devices on the customer’s network engaging in data exfiltration and impact events, resulting in additional PTN alerts and a SOC investigation into data egress. Specifically, two servers on the network proceeded to read and download large volumes of data via SMB from multiple internal devices over the course of a few hours. These hosts sent large outbound volumes of data to MEGA file storage sites using TLS/SSL over port 443. Darktrace also identified the use of additional file storage services during this exfiltration event, including 4sync, file[.]io, and easyupload[.]io. In total the threat actor exfiltrated over 8.5 GB of data from the customer’s network.
Figure 2: Darktrace Cyber AI Analyst investigation highlighting the details of a data exfiltration attempt.
Finally, Darktrace detected a user account within the customer’s Software-as-a-Service (SaaS) environment conducting several suspicious Office365 and AzureAD actions from a rare IP for the network, including uncommon file reads, creations and the deletion of a large number of files.
Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network and the post-exploitation activity was able to progress until the customer was made aware of the attack by Darktrace’s SOC team. Had RESPOND been active and configured in autonomous response mode at the time of the attack, it would have been able to promptly contain the post-exploitation activity by blocking external connections, shutting down any C2 activity and preventing the download of suspicious files, blocking incoming traffic, and enforcing a learned ‘pattern of life’ on offending devices.
Conclusion
Given the widespread use of Netscaler Gateway and Netscaler ADC, Citrix Bleed remains an impactful and potentially disruptive vulnerability that will likely continue to affect organizations who fail to address affected assets. In this instance, Darktrace demonstrated its ability to track and inhibit malicious activity stemming from Citrix Bleed exploitation, enabling the customer to identify affected devices and enact their own remediation.
Darktrace’s anomaly-based approach to threat detection allows it to identify such post-exploitation activity resulting from the exploitation of a vulnerability, regardless of whether it is a known CVE or a zero-day threat. Unlike traditional security tools that rely on existing threat intelligence and rules and signatures, Darktrace’s ability to identify the subtle deviations in a compromised device’s behavior gives it a unique advantage when it comes to identifying emerging threats.
Credit to Vivek Rajan, Cyber Analyst, Adam Potter, Cyber Analyst
Appendices
Darktrace Model Coverage
Device / Suspicious SMB Scanning Activity
Device / ICMP Address Scan
Device / Possible SMB/NTLM Reconnaissance
Device / Network Scan
Device / SMB Lateral Movement
Device / Possible SMB/NTLM Brute Force
Device / Suspicious Network Scan Activity
User / New Admin Credentials on Server
Anomalous File / Internal::Unusual Internal EXE File Transfer
Compliance / SMB Drive Write
Device / New or Unusual Remote Command Execution
Anomalous Connection / New or Uncommon Service Control
Anomalous Connection / Rare WinRM Incoming
Anomalous Connection / Unusual Admin SMB Session
Device / Unauthorised Device
User / New Admin Credentials on Server
Anomalous Server Activity / Outgoing from Server
Device / Long Agent Connection to New Endpoint
Anomalous Connection / Multiple Connections to New External TCP Port
Device / New or Uncommon SMB Named Pipe
Device / Multiple Lateral Movement Model Breaches
Device / Large Number of Model Breaches
Compliance / Remote Management Tool On Server
Device / Anomalous RDP Followed By Multiple Model Breaches
Device / SMB Session Brute Force (Admin)
Device / New User Agent
Compromise / Large Number of Suspicious Failed Connections
Unusual Activity / Unusual External Data Transfer
Unusual Activity / Enhanced Unusual External Data Transfer
Device / Increased External Connectivity
Unusual Activity / Unusual External Data to New Endpoints
Anomalous Connection / Data Sent to Rare Domain
Anomalous Connection / Uncommon 1 GiB Outbound
Anomalous Connection / Active Remote Desktop Tunnel
Anomalous Server Activity / Anomalous External Activity from Critical Network Device
Compliance / Possible Unencrypted Password File On Server
Anomalous Connection / Suspicious Read Write Ratio and Rare External
Device / Reverse DNS Sweep]
Unusual Activity / Possible RPC Recon Activity
Anomalous File / Internal::Executable Uploaded to DC
Compliance / SMB Version 1 Usage
Darktrace AI Analyst Incidents
Scanning of Multiple Devices
Suspicious Remote Service Control Activity
SMB Writes of Suspicious Files to Multiple Devices
Possible SSL Command and Control to Multiple Devices
Extensive Suspicious DCE-RPC Activity
Suspicious DCE-RPC Activity
Internal Downloads and External Uploads
Unusual External Data Transfer
Unusual External Data Transfer to Multiple Related Endpoints
![Darktrace model alert highlighting an affected device making an unusual SSH connection to 168.100.9[.]137 via port 22.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/665644c9d902374aff832499_Screenshot%202024-05-28%20at%201.55.25%20PM.png)
