Darktrace Threat Report
Darktrace’s distinctive approach to threat analysis yields us a unique perspective on the threat landscape. In our End of Year Threat Report, we built on the work of our First 6: Half-Year Threat Report, sharing the insights we've garnered throughout the latter half of 2023.
We have observed not only the continuing development and evolution of identified threats in the malware and ransomware spaces, but also changes brought about by the innovation of cyber security tools.
Amid these challenges, the breadth, scope, and complexity of threats to organizations has grown, underscoring the importance of employing behavioral analysis, anomaly detection, and AI for cyber security.
Threat Research Across the Customer Fleet
Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) together represent the majority of malicious tools across the cyber threat landscape and were the most consistently identified threats affecting Darktrace customers in the second half of 2023. These malicious tools have a variety of capabilities, with many including tailorable or bespoke elements alterable from campaign to campaign.
The Darktrace Threat Research team found that within MaaS and RaaS offerings detected across the customer fleet, loader malware was the most observed threat category, accounting for 77% of all investigated threats.
MaaS initial access offerings were often observed harvesting data, which could then be sold, and loading or enabling subsequent infections by second and third-stage payloads, resulting in more damaging malware attacks and even ransomware.
Similar to how the MaaS and RaaS tools were often customized in an attempt to land an attack, Darktrace observed the cross-functional adaptation of many other malware strains, such as remote access trojans (RATs) and information-stealing malware, along with existing tools like Cobalt Strike.
The ability to remix known strains of malware can increase the difficulty of detection by combining kill chain elements and utilizing overlapping compromised infrastructure. Malware developers achieve this by using open-source repositories, leaked code, and multi-faceted tooling.
SOC Team Insights on Major Trends
The Darktrace Security Operations Center (SOC), which helps customers investigate threats, observed two significant trends in the second half of 2023.
1. Enhanced Defense Evasion Methods
Darktrace's SOC saw an increase in usage of a variety of defense evasion methods, such as the session cookie abuse to evade multi-factor authentication (MFA), the targeting of ESXi servers for ransomware encryption to evade host-based security measures, and the use of tunnelling services such as Cloudflare Tunnel to hide command-and-control (C2) infrastructure.
Malicious actors' increased usage of these defense evasion methods is a probable result of prominence of endpoint solutions within the security industry.
Ransomware continued to be the most common compromise. Darktrace's SOC observed ransomware actors compromising Internet-facing servers, such as Exchange, Citrix Netscaler, Ivanti Sentry, Remote Desktop Services (RDS) hosts, VPN appliances, and Confluence, in order to gain entry to target networks. Once inside, ransomware actors abused Remote Monitoring and Management (RMM) tools such as Splashtop, Atera, AnyDesk, and Action1, to gain access to target systems.
A variety of ransomware strains were observed, with LockBit, ALPHV (i.e, BlackCat), Play, and Akira being the most common.
Top Critical Vulnerabilities
New critical vulnerabilities (CVEs), like Log4J and ProxyLogon, regularly enter the public domain within a short time of discovery, meaning the average time to exploitation is shorter than ever. As such, organizations must be able to promptly identify whether they are susceptible to new vulnerabilities and understand mitigation techniques.
In the second half of 2023, there were five major vulnerabilities observed by Darktrace across its customer fleet, as determined by the number of affected assets.
1. CVE-2022-42889 is a critical vulnerability in the Apache Commons Text Library which has been compared to Log4Shell, albeit not as widespread. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Affected versions are vulnerable to remote code execution or unintentional exposure to remote servers if untrusted configuration values are used.
2. CVE-2023-25690 is a critical vulnerability which enables HTTP request smuggling attacks on Apache HTTP Server. If exploited, it could be used by an attacker to bypass access constraints in proxy servers, route undesired URLs to existing origin servers and perform cache poisoning.
3. Two critical vulnerabilities were observed in Git that would enable attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses. CVE-2022-41903 would allow an attacker to trigger a heap-based memory corruption during clone or pull operations, resulting in remote code execution, while CVE-2022-23521 could enable code execution during an archive operation, which is commonly performed by Git forges.
4. CVE-2023-2982 is an authentication bypass vulnerability disclosed in miniOrange's Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided that they know the corresponding email address.
5. CVE-2023-46747 is a critical vulnerability rooted in the configuration of BIG-IP that could result in unauthenticated remote code execution. This vulnerability allows malicious actors to gain unauthorized access to networks through the management port and/or self-IP addresses to execute arbitrary system commands.
Stay Ahead of Threats with AI-Powered Cyber Security
After tracking threat trends across its customer fleet in the second half of 2023, Darktrace found that MaaS like loader malware, ransomware and especially RaaS, and enhanced defense evasion methods were top threats.
As threats continue to evolve, it’s more important than ever to have cyber security tools that can detect and respond in real time, even when dealing with remixed and novel attacks.
Darktrace’s approach to cyber security allows it to do just that. The Darktrace platform uses AI that learns from each organization’s specific data to understand ‘normal’ in order to recognize activity that is abnormal and indicative of a cyber-attack.
As a result, Darktrace can detect and respond to attacks, including customized strains of malware and ransomware, even if they have been altered from previously known instances. Since it is powered by AI, Darktrace can take action within seconds.
Darktrace can also help organizations address new CVEs. Darktrace/Newsroom, a capability included with Darktrace’s attack surface management (ASM) tool, continuously monitors open-source intelligence (OSINT) sources for new CVEs and assesses each organization’s exposure through its in-depth knowledge of the unique external attack surface. It then presents a detailed summary of the vulnerability, highlighting the affected software and how many assets run this software on the customer’s network.
With AI that is trained on your organization’s data, Darktrace protects against the trending threats of today and the emerging threats of tomorrow.