Blog

RESPOND

Ransomware

Inside the SOC

자율 대응은 폭주하는 트릭봇 침입을 차단합니다.

Default blog imageDefault blog image
22
Mar 2022
22
Mar 2022

In the lead-up to the 2020 US election, Microsoft and its partners attempted to bring down the pernicious Trickbot malware and reduce election tampering attempts. These efforts were successful, to an extent: the takedown effectively eliminated 94% of Trickbot’s infrastructure and massively reduced its influence in late 2020.

Malware rarely stays dead, however. We discussed previously how the arrests which followed REvil’s widespread attacks in 2021 have done little to disrupt that group’s Ransomware-as-a-Service operation, and how Ryuk ransomware fell into new hands after being abandoned by its creators.

Trickbot has seen a resurrection of even greater proportions. By June 2021, when Darktrace detected a Trickbot intrusion in one of its customer environments, the malware was far from a forgotten, ineffectual strain. It had instead become the most prevalent malware in the world.

It was only due to a last-minute activation of Darktrace’s Autonomous Response that this customer was able to avoid falling victim to a successful ransomware attack. Because it can take action at any stage of an attack, Autonomous Response could interrupt Trickbot even after it had taken root within the digital environment, and successfully prevent the execution of ransomware.

Trickbot takes root

The intrusion took place at a public administration organization in the EMEA region. Prior to Darktrace’s deployment, a single internal domain controller had been compromised by Trickbot, which then lay dormant for at least a month. By the time the malware began to take action, however, Darktrace’s AI had been deployed. Despite entering a compromised environment, the AI was able to differentiate between benign and malicious activity and immediately detect the threat, though at this point Autonomous Response was configured to not take any action without human confirmation.

Darktrace detected the compromised domain controller uploading a malicious DLL file – very likely Trickbot itself – to approximately 280 devices in the organization over SMB, and then using Windows Management Instrumentation (WMI) to configure and execute it. Despite Trickbot’s age and infamy, tools dependent on threat intelligence remained silent at this stage.

Figure 1: Timeline of the attack

How attackers resurrected Trickbot

Trickbot’s modular nature makes it a perfect gateway for a host of criminal activities, and keeps the malware itself adaptable and therefore hard to defend against. The action coordinated by Microsoft successfully took down the known IP addresses of multiple Trickbot command and control (C2) servers and temporarily prevented Trickbot operators from purchasing or leasing new ones. But it did not take long for the Trickbot infrastructure to be rebuilt, and in May and June of 2021 it was again deemed the most prevalent malware in a Global Threat Index.

Trickbot’s ability to evolve and circumvent existing OSINT was demonstrated in this attack, as Darktrace noticed 160 of the 280 compromised devices it had detected beginning to connect to a host of new C2 endpoints. None of these had OSINT associating them with malicious activity, but Darktrace considered the activity highly unusual in the context of previous behavior, and the security team were notified of this potential high-severity incident via a Proactive Threat Notification (PTN).

The attackers laid low for over a month, before the compromised devices were detected downloading masqueraded executable files and conducting anomalous scanning activity. These files were likely Ryuk ransomware payloads. By spacing out these stages of the attack, the threat actors made it harder for human teams to connect the dots and reveal the full scope of the threat.

Darktrace’s Cyber AI Analyst, which investigates and triages threats across entire digital environments, was able to piece these disparate events into a single attack narrative, however, and deliver a further PTN. Due to the severity of the situation, the customer submitted to Darktrace’s Ask the Expert (ATE) service to receive assistance with their threat response.

Figure 2: Cyber AI Analyst investigates suspicious executable files being spread to multiple internal devices

Autonomous Response shuts down a late-stage attack

Having understood the scale of the threat they now faced, the team activated Autonomous Response to take autonomous action to contain the threat. If Autonomous Response had been in place from the beginning, it would have stopped this attack in its earliest stages, while it was restricted to a single compromised domain controller. Crucially, however, Autonomous Response can take action at any stage of a ransomware attack.

Even at this late stage, it was able to halt the attackers and prevent Ryuk from being executed on the network. The AI blocked a chain of malicious activities including SMB enumeration, networking scanning, and suspicious outbound connections in seconds, disrupting the attack while enforcing normal business operations to ensure that the rest of the company’s work could continue uninterrupted.

With their C2 communications and lateral movement efforts disrupted, the attackers were unable to execute Ryuk, and the attack came to an end just in time. It is likely that this last-minute activation of Autonomous Response avoided widespread data encryption and possibly exfiltration, as well as the numerous costs which follow a successful ransomware attack even if a ransom is paid.

Deploying Autonomous Response before it’s too late

Despite only being activated once the attack had taken root, Darktrace was still able to distinguish malicious activity from normal business operations and stop the threat without causing disruption. Next time an attack strikes, this organization will be prepared with Autonomous Response in fully autonomous mode from the outset, ready to take action at the first sign of an emerging threat and minimize their remediation efforts.

The journey to fully autonomous security requires organizations to build trust in AI’s accuracy and decision-making. What this journey looks like for each individual organization will differ, but the need for technology that can autonomously respond to emerging threats is not a lesson any organization ought to learn the hard way.

Thanks to Darktrace analyst Sam Lister for his insights on the above threat find.

Like this and want more?

Receive the latest blog in your inbox
감사합니다! 제출되었습니다!
양식을 제출하는 동안 문제가 발생했습니다.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
토니 자비스
엔터프라이즈 보안 이사, 아시아 태평양 및 일본

Tony Jarvis is Director of Enterprise Security, Asia Pacific and Japan, at Darktrace. Tony is a seasoned cyber security strategist who has advised Fortune 500 companies around the world on best practice for managing cyber risk. He has counselled governments, major banks and multinational companies, and his comments on cyber security and the rising threat to critical national infrastructure have been reported in local and international media including CNBC, Channel News Asia and The Straits Times. Before joining Darktrace, Tony previously served as CTO at Check Point and held senior advisory positions at FireEye, Standard Chartered Bank and Telstra. Tony holds a BA in Information Systems from the University of Melbourne.

share this article
COre coverage

Blog

Inside the SOC

How Abuse of ‘PerfectData Software’ May Create a Perfect Storm: An Emerging Trend in Account Takeovers  

Default blog imageDefault blog image
05
Jun 2023

Amidst the ever-changing threat landscape, new tactics, techniques, and procedures (TTPs) seem to emerge daily, creating extreme challenges for security teams. The broad range of attack methods utilized by attackers seems to present an insurmountable problem: how do you defend against a playbook that does not yet exist?

Faced with the growing number of novel and uncommon attack methods, it is essential for organizations to adopt a security solution able to detect threats based on their anomalies, rather than relying on threat intelligence alone.   

In March 2023, Darktrace observed an emerging trend in the use of an application known as ‘PerfectData Software’ for probable malicious purposes in several Microsoft 365 account takeovers.

Using its anomaly-based detection, Darktrace DETECT™ was able to identify the activity chain surrounding the use of this application, potentially uncovering a novel piece of threat actor tradecraft in the process.

Microsoft 365 Intrusions

In recent years, Microsoft’s Software-as-a-Service (SaaS) suite, Microsoft 365, along with its built-in identity and access management (IAM) service, Azure Active Directory (Azure AD), have been heavily targeted by threat actors due to their near-ubiquitous usage across industries. Four out of every five Fortune 500 companies, for example, use Microsoft 365 services [1].  

Malicious actors typically gain entry to organizations’ Microsoft 365 environments by abusing either stolen account credentials or stolen session cookies [2]. Once inside, actors can access sensitive data within mailboxes or SharePoint repositories, and send out emails or Teams messages. This activity can often result in serious financial harm, especially in cases where the malicious actor’s end-goal is to elicit fraudulent transactions.  

Darktrace regularly observes malicious actors behaving in predictable ways once they gain access to customer Microsoft 365 environment. One typical example is the creation of new inbox rules and sending deceitful emails intended to convince recipients to carry out subsequent actions, such as following a malicious link or providing sensitive information. It is also common for actors to register new applications in Azure AD so that they can be used to conduct follow-up activities, like mass-mailing or data theft. The registration of applications in Azure AD therefore seems to be a relatively predictable threat actor behavior [3][4]. Darktrace DETECT understands that unusual application registrations in Azure AD may constitute a deviation in expected behavior, and therefore a possible indicator of account compromise.

These registrations of applications in Azure AD are evidenced by creations of, as well as assignments of permissions to, Service Principals in Azure AD. Darktrace has detected a growing trend in actors creating and assigning permissions to a Service Principal named ‘PerfectData Software’. Further investigation of this Azure AD activity revealed it to be part of an ongoing account takeover. 

 ‘PerfectData Software’ Activity 

Darktrace observed variations of the following pattern of activity relating to an application named ‘PerfectData Software’ within its customer base:

  1. Actor signs in to a Microsoft 365 account from an endpoint associated with a Virtual Private Server (VPS) or Virtual Private Network (VPN) service
  2. Actor registers an application called 'PerfectData Software' with Azure AD, and then grants permissions to the application
  3. Actor accesses mailbox data and creates inbox rule 

In two separate incidents, malicious actors were observed conducting their activities from endpoints associated with VPN services (HideMyAss (HMA) VPN and Surfshark VPN, respectively) and from endpoints within the Autonomous System AS396073 MAJESTIC-HOSTING-01. 

In March 2023, Darktrace observed a malicious actor signing in to a Microsoft 365 account from a Kuwait-based IP address within the Autonomous System, AS198605 AVAST Software s.r.o. This IP address is associated with the VPN service, HMA VPN. Over the next couple of days, an actor (likely the same malicious actor) signed in to the account several more times from two different Nigeria-based endpoints, as well as a VPS-related endpoint and a HMA VPN endpoint. 

During their login sessions, the actor performed a variety of actions. First, they created and assigned permissions to a Service Principal named ‘PerfectData Software’. This Service Principal creation represents the registration of an application called ‘PerfectData Software’ in Azure AD.  Although the reason for registering this application is unclear, within a few days the actor registered and granted permission to another application, ‘Newsletter Software Supermailer’, and created a new inbox rule names ‘s’ on the mailbox of the hijacked account. This inbox rule moved emails meeting certain conditions to a folder named ‘RSS Subscription. The ‘Newsletter Software Supermailer’ application was likely registered by the actor to facilitate mass-mailing activity.

Immediately after these actions, Darktrace detected the actor sending out thousands of malicious emails from the account. The emails included an attachment named ‘Credit Transfer Copy.html’, which contained a suspicious link. Further investigation revealed that the customer’s network had received several fake invoice emails prior to this initial intrusion activity. Additionally, there was an unusually high volume of failed logins to the compromised account around the time of the initial access. 

Figure 1: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.
Figure 1: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.

In a separate case also observed by Darktrace in March 2023, a malicious actor was observed signing in to a Microsoft 365 account from an endpoint within the Autonomous System, AS397086 LAYER-HOST-HOUSTON. The endpoint appears to be related to the VPN service, Surfshark VPN. This login was followed by several failed and successful logins from a VPS-related within the Autonomous System, AS396073 MAJESTIC-HOSTING-01. The actor was then seen registering and assigning permissions to an application called ‘PerfectData Software’. As with the previous example, the motives for this registration are unclear. The actor proceeded to log in several more times from a Surfshark VPN endpoint, however, they were not observed carrying out any further suspicious activity. 

Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.
Figure 2: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.

It was not clear in either of these examples, nor in fact any of cases observed by Darktrace, why actors had registered and assigned permissions to an application called ‘PerfectData Software’, and there do not appear to be any open-source intelligence (OSINT) resources or online literature related to the malicious usage of an application by that name. That said, there are several websites which appear to provide email migration and data recovery/backup tools under the moniker ‘PerfectData Software’. 

It is unclear whether the use of ‘PerfectData Software’ by malicious actors observed on the networks of Darktrace customers was one of these tools. However, given the nature of the tools, it is possible that the actors intended to use them to facilitate the exfiltration of email data from compromises mailboxes.

If the legitimate software ‘PerfectData’ is the application in question in these incidents, it is likely being purchased and misused by attackers for malicious purposes. It is also possible the application referenced in the incidents is a spoof of the legitimate ‘PerfectData’ software designed to masquerade a malicious application as legitimate.

Darktrace Coverage

Cases of ‘PerfectData Software’ activity chains detected by Darktrace typically began with an actor signing into an internal user’s Microsoft 365 account from a VPN or VPS-related endpoint. These login events, along with the suspicious email and/or brute-force activity which preceded them, caused the following DETECT models to breach:

  • SaaS / Access / Unusual External Source for SaaS Credential Use
  • SaaS / Access / Suspicious Login Attempt
  • SaaS / Compromise / Login From Rare Following Suspicious Login Attempt(s)
  • SaaS / Email Nexus / Unusual Location for SaaS and Email Activity

Subsequent activities, including inbox rule creations, registration of applications in Azure AD, and mass-mailing activity, resulted in breaches of the following DETECT models.

  • SaaS / Admin / OAuth Permission Grant 
  • SaaS / Compromise / Unusual Logic Following OAuth Grant 
  • SaaS / Admin / New Application Service Principal
  • IaaS / Admin / Azure Application Administration Activities
  • SaaS / Compliance / New Email Rule
  • SaaS / Compromise / Unusual Login and New Email Rule
  • SaaS / Email Nexus / Suspicious Internal Exchange Activity
  • SaaS / Email Nexus / Possible Outbound Email Spam
  • SaaS / Compromise / Unusual Login and Outbound Email Spam
  • SaaS / Compromise / Suspicious Login and Suspicious Outbound Email(s)
DETECT Model Breaches highlighting unusual login and 'PerfectData Software' registration activity from a malicious actor
Figure 3: DETECT Model Breaches highlighting unusual login and 'PerfectData Software' registration activity from a malicious actor.

In cases where Darktrace RESPOND™ was enabled in autonomous response mode, ‘PerfectData Software’ activity chains resulted in breaches of the following RESPOND models:

• Antigena / SaaS / Antigena Suspicious SaaS Activity Block

• Antigena / SaaS / Antigena Significant Compliance Activity Block

In response to these model breaches, Darktrace RESPOND took immediate action, performing aggressive, inhibitive actions, such as forcing the actor to log out of the SaaS platform, and disabling the user entirely. When applied autonomously, these RESPOND actions would seriously impede an attacker’s progress and minimize network disruption.

Figure 4: A RESPOND model breach created in response to a malicious actor's registration of 'PerfectData Software'

In addition, Darktrace Cyber AI Analyst was able to autonomously investigate registrations of the ‘PerfectData Software’ application and summarized its findings into digestible reports. 

A Cyber AI Analyst Incident Event log
Figure 5: A Cyber AI Analyst Incident Event log showing AI Analyst autonomously pivoting off a breach of 'SaaS / Admin / OAuth Permission Grant' to uncover details of an account hijacking.

Conclusion 

Due to the widespread adoption of Microsoft 365 services in the workplace and continued emphasis on a remote workforce, account hijackings now pose a more serious threat to organizations around the world than ever before. The cases discussed here illustrate the tendency of malicious actors to conduct their activities from endpoints associated with VPN services, while also registering new applications, like PerfectData Software, with malicious intent. 

While it was unclear exactly why the malicious actors were using ‘PerfectData Software’ as part of their account hijacking, it is clear that either the legitimate or spoofed version of the application is becoming an very likely emergent piece of threat actor tradecraft.

Darktrace DETECT’s anomaly-based approach to threat detection allowed it to recognize that the use of ‘PerfectData Software’ represented a deviation in the SaaS user’s expected behavior. While Darktrace RESPOND, when enabled in autonomous response mode, was able to quickly take preventative action against threat actors, blocking the potential use of the application for data exfiltration or other nefarious purposes.

Appendices

MITRE ATT&CK Mapping

Reconnaissance:

T1598 ­– Phishing for Information

Credential Access:

T1110 – Brute Force

Initial Access:

T1078.004 – Valid Accounts: Cloud Accounts

Command and Control:

T1105 ­– Ingress Tool Transfer

Persistence:

T1098.003 – Account Manipulation: Additional Cloud Roles 

Collection:

• T1114 – Email Collection 

Defense Evasion:

• T1564.008 ­– Hide Artifacts: Email Hiding Rules­

Lateral Movement:

T1534 – Internal Spearphishing

Unusual Source IPs

• 5.62.60[.]202  (AS198605 AVAST Software s.r.o.) 

• 160.152.10[.]215 (AS37637 Smile-Nigeria-AS)

• 197.244.250[.]155 (AS37705 TOPNET)

• 169.159.92[.]36  (AS37122 SMILE)

• 45.62.170[.]237 (AS396073 MAJESTIC-HOSTING-01)

• 92.38.180[.]49 (AS202422 G-Core Labs S.A)

• 129.56.36[.]26 (AS327952 AS-NATCOM)

• 92.38.180[.]47 (AS202422 G-Core Labs S.A.)

• 107.179.20[.]214 (AS397086 LAYER-HOST-HOUSTON)

• 45.62.170[.]31 (AS396073 MAJESTIC-HOSTING-01)

References

[1] https://www.investing.com/academy/statistics/microsoft-facts/

[2] https://intel471.com/blog/countering-the-problem-of-credential-theft

[3] https://darktrace.com/blog/business-email-compromise-to-mass-phishing-campaign-attack-analysis

[4] https://darktrace.com/blog/breakdown-of-a-multi-account-compromise-within-office-365

Continue reading
About the author
Sam Lister
SOC Analyst

Blog

클라우드

Darktrace Integrates Self-Learning AI with Amazon Security Lake to Support Security Investigations

Default blog imageDefault blog image
31
May 2023

Darktrace has deepened its relationship with AWS by integrating its detection and response capabilities with Amazon Security Lake

This development will allow mutual customers to seamlessly combine Darktrace AI’s bespoke understanding of their organization with the Threat Intelligence offered by other security tools, and investigate all of their alerts in one central location. 

This integration will improve the value security teams get from both products, streamlining analyst workflows and improving their ability to detect and respond to the full spectrum of known and unknown cyber-threats. 

How Darktrace and Amazon Security Lake augment security teams

Amazon Security Lake is a newly-released service that automatically centralizes an organization’s security data from cloud, on-premises, and custom sources into a customer owned purpose-built data lake. Both Darktrace and Amazon Security Lake support the Open Cybersecurity Schema Framework (OCSF), an open standard to simplify, combine, and analyze security logs.  

Customers can store security logs, events, alerts, and other relevant data generated by various AWS services and security tools. By consolidating security data in a central lake, organizations can gain a holistic view of their security posture, perform advanced analytics, detect anomalies and open investigations to improve their security practices.

With Darktrace DETECT and RESPOND AI engines covering all assets across IT, OT, network, endpoint, IoT, email and cloud, organizations can augment the value of their security data lakes by feeding Darktrace’s rich and context-aware datapoints to Amazon Security Lake. 

Amazon Security Lake empowers security teams to improve the protection of your digital estate:

  • Quick and painless data normalization 
  • Fast-tracks ability to investigate, triage and respond to security events
  • Broader visibility aids more effective decision-making
  • Surfaces and prioritizes anomalies for further investigation
  • Single interface for seamless data management

How will Darktrace customers benefit?

Across the Cyber AI Loop, all Darktrace solutions have been architected with AWS best practices in mind. With this integration, Darktrace is bringing together its understanding of ‘self’ for every organization with the centralized data visibility of the Amazon Security Lake. Darktrace’s unique approach to cyber security, powered by groundbreaking AI research, delivers a superior dataset based on a deep and interconnected understanding of the enterprise. 

Where other cyber security solutions are trained to identify threats based on historical attack data and techniques, Darktrace DETECT gains a bespoke understanding of every digital environment, continuously analyzing users, assets, devices and the complex relationships between them. Our AI analyzes thousands of metrics to reveal subtle deviations that may signal an evolving issue – even unknown techniques and novel malware. It distinguishes between malicious and benign behavior, identifying harmful activity that typically goes unnoticed. This rich dataset is fed into RESPOND, which takes precise action to neutralize threats against any and every asset, no matter where data resides.

Both DETECT and RESPOND are supported by Darktrace Self-Learning AI, which provides full, real-time visibility into an organization’s systems and data. This always-on threat analysis already makes humans better at cyber security, improving decisions and outcomes based on total visibility of the digital ecosystem, supporting human performance with AI coverage and empowering security teams to proactively protect critical assets.  

Converting Darktrace alerts to the Amazon Security Lake Open Cybersecurity Schema Framework (OCSF) supplies the Security Operations Center (SOC) and incident response team with contextualized data, empowering them to accelerate their investigation, triage and response to potential cyber threats. 

Darktrace is available for purchase on the AWS Marketplace.

Learn more about how Darktrace provides full-coverage, AI-powered cloud security for AWS, or see how our customers use Darktrace in their AWS cloud environments.

Continue reading
About the author
나빌 졸드잘랄리
기술 혁신 부사장

귀하의 비즈니스에 좋은 소식입니다.
나쁜 사람들에게 나쁜 소식입니다.

무료 평가판 시작

무료 평가판 시작

유연한 배송
가상환경에 설치하거나 하드웨어에 설치할 수 있습니다.
빠른 설치
설치하는 데 1 시간 밖에 걸리지 않으며 이메일 보안 평가판의 경우 더 적게 걸립니다.
여정 선택
클라우드, 네트워크 또는 이메일을 포함하여 가장 필요한 곳 어디에서나 셀프 러닝 AI를 사용해 보십시오.
약정 없음
Darktrace Threat Visualizer 및 세 개의 맞춤형 위협 보고서에 대한 모든 액세스 권한이 있으며 구매 의무는 없습니다.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
양식을 제출하는 동안 문제가 발생했습니다.

Get a demo

유연한 배송
가상환경에 설치하거나 하드웨어에 설치할 수 있습니다.
빠른 설치
설치하는 데 1 시간 밖에 걸리지 않으며 이메일 보안 평가판의 경우 더 적게 걸립니다.
여정 선택
클라우드, 네트워크 또는 이메일을 포함하여 가장 필요한 곳 어디에서나 셀프 러닝 AI를 사용해 보십시오.
약정 없음
Darktrace Threat Visualizer 및 세 개의 맞춤형 위협 보고서에 대한 모든 액세스 권한이 있으며 구매 의무는 없습니다.
감사합니다! 제출되었습니다!
양식을 제출하는 동안 문제가 발생했습니다.