Blog
Crypto
Inside the SOC
GitLab vulnerability exploit detected by AI
Darktrace has discovered a significant number of cases involving a successful exploit of GitLab servers — a common open source software used by developers. The vulnerability, tracked as CVE-2021-22205, allows an unauthenticated, remote attacker to execute arbitrary commands as the ‘git’ user, giving them full access to the repository, including deleting, modifying, and exfiltrating source code.
In each case discovered by Darktrace AI, attackers successfully exploited servers and ran crypto-mining malware. However, this vulnerability opens the door into a wider range of possibilities, including data exfiltration, ransomware, and supply chain attacks.
The flaw was fixed on April 14, 2021, but recent research has revealed that this vulnerability is still exploitable with over 30,000 GitLab servers remaining unpatched.
The vulnerability has affected customers in every corner of the world, with Darktrace customers in the US, EMEA and APAC all targeted. Affected industries include technology, transportation, and education.
Attack details
The cases detailed below generally follow the same pattern. First, user accounts with admin privileges are registered on a publicly accessible GitLab server belonging to an unnamed customer. This is followed by a remote execution of commands that grant the rogue accounts elevated permissions.
Figure 1: Multiple model breaches firing on an unusual data egress event on October 30, which resulted in a Proactive Threat Notification model breach.
After multiple model breaches on malicious EXE downloads and command and control (C2) activities with the TOR network, the organization received a Proactive Threat Notification (PTN) from Darktrace that immediately alerted them to the issue. This enabled the customer to remove the compromised device from the network.
The next day, Darktrace discovered cryptocurrency mining occurring on a compromised server that was communicating on a non-standard port. This triggered alerts to the customer through Darktrace’s Proactive Threat Notification service, immediately escalating the threat to their security team.
Figure 2: Multiple cryptocurrency mining model breaches from the same server firing on November 3.
The related breaches include scripts from rare external locations and rare endpoints (endpoints that have never been contacted by the breach devices in the past). Not surprisingly, the endpoints in question are crypto-mining pools.
It is important to note that this GitLab vulnerability represents only the initial attack vector, which could result in a number of scenarios. In the customer environment detailed above, crypto-mining has occurred; however, exploitation of this vulnerability could serve as the first stage of a more destructive ransomware attack, or result in stolen intellectual property.
Lastly, throughout the compromises identified across Darktrace’s customer base, it appears that the Interactsh tool was leveraged by the threat actors in the attack. Interactsh is an open-source tool for out of band data transfers and validation of security flaws, and it is commonly used by both researchers and hackers. Darktrace was easily able to identify this tool as part of the larger threat.
Cyber AI Analyst investigates
Darktrace’s Cyber AI Analyst launched an immediate investigation, stitching together different events across a five-day period and revealing four stages of the attack. This presented the security team with all the information they needed to perform effective investigation and clean up, including isolating the infected devices.
Figure 3: Cyber AI Analyst automatically investigates, piecing together the events into a single narrative.
In another customer environment, Cyber AI Analyst was again able to piece together multiple security events to present a coherent security narrative, determining that the suspicious file downloads likely contained malicious software, and recommending immediate attention from security staff.
Figure 4: In a different case, Cyber AI Analyst surfaces a summary and key metrics around the suspicious file downloads.
Cyber AI Analyst made stellar detections and Proactive Threat Notification alerted affected clients ASAP. Clients were then supported through Ask the Expert (ATE) services. There has been no evidence of ransomware thus far, but these types of attacks typically gain a foothold on Internet-exposed servers and then pivot internally to deploy ransomware.
In a third example with a separate customer, Cyber AI Analyst stitched together six different security events into a single security narrative. Here, Darktrace’s technology was able to connect the dots between C2 behavior, suspicious file downloads, unusual connections, and Tor activity, eventually leading to its discovery of cryptocurrency mining.
Cyber AI Analyst specifically identified GitLab in the suspicious file downloads from a rare external endpoint. The fact that Darktrace was able to identify this in the context of a holistic view of threatening activity across this organization’s digital ecosystem — stretching from suspicious SSL connections to the eventual crypto-mining activity — presents a remarkable picture of Cyber AI Analyst in action.
Figure 5: Cyber AI Analyst identifying the GitLab activity in the context of the wider security narrative.
Concluding thoughts
Though the patch was released in April, over 50% of deployments remain unpatched. There are potential reasons why they remain unpatched — overworked security staff, or simply negligence.
Even when CVEs are mapped and patched promptly, however, novel and never-before-seen attacks can still slip through the cracks. Before the Gitlab flaw was publicly disclosed and fixed, this vulnerability was a zero-day.
And so, rather than wait for CVEs to be publicly disclosed, organizations would be prudent to adopt technologies that can detect and respond to emerging attacks at their earliest stages — regardless of whether they are exploiting known or unknown vulnerabilities.
At Darktrace we talk a lot about the problems novel and unknown threats pose for traditional security solutions. This case shows that even when a threat is known for over six months, difficulties in implementing and rolling out patching mean it can still cause issues.
Thanks to Darktrace’s AI continuously monitoring the behavior of our customer’s devices, they were able to identify the threat at its earliest stages, before it could develop into something more disruptive like ransomware. And had the customers had Darktrace Antigena configured, the technology would have responded autonomously to contain the malicious behavior before the attackers could get past stage one.
Thanks to Darktrace analyst Waseem Akhter for his insights on the above threat find.
Learn more about Darktrace’s Self-Learning AI
Technical details
Proactive Threat Notification model detections:
- Compromise / Anomalous File then Tor
- Compromise / High Priority Crypto Currency Mining
- Device / Initial Breach Chain Compromise
- Device / Large Number of Model Breaches from Critical Network Device
- Unusual Activity / Enhanced Unusual External Data Transfer
Other Darktrace model detections:
- Anomalous Connection / Anomalous SSL without SNI to New External
- Anomalous Connection / Application Protocol on Uncommon Port
- Anomalous Connection / Callback on Web Facing Device
- Anomalous Connection / Data Sent to Rare Domain
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous Connection / Posting HTTP to IP Without Hostname
- Anomalous File / Multiple EXE from Rare External Locations
- Anomalous File / Internet Facing System File Download
- Anomalous File / Script from Rare Location
- Anomalous Server Activity / Outgoing from Serve
- Compromise / Beaconing Activity To External Rare
- Compliance / Crypto Currency Mining Activity
- Compromise / High Volume of Connections with Beacon Score
- Compromise / Large DNS Volume for Suspicious Domain
- Compromise / Monero Mining
- Compliance / Possible Tor Usage
- Device / Internet Facing Device with High Priority Alert
- Device / Large Number of Model Breaches
- Device / Large Number of Connections to New Endpoints
- Device / Suspicious Domain
- Unusual Activity / Unusual External Data to New IPs
Like this and want more?
More in this series
Blog
Inside the SOC
ViperSoftX: How Darktrace Uncovered A Venomous Intrusion
Fighting Info-Stealing Malware
The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.
What is ViperSoftX?
ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.
ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].
Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.
ViperSoftX Attack & Darktrace Coverage
In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.
Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files. This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.
The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.
For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:
- Compromise / Agent Beacon (Short Period)
- Compromise / Agent Beacon (Medium Period)
- Compromise / Agent Beacon (Long Period)
- Compromise / Quick and Regular Windows HTTP Beaconing
- Compromise / SSL or HTTP Beacon
Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.
URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.
Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.
Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.
The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.
Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].
Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.
How did the attack bypass the rest of the security stack?
As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]
ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).
Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.
Insights/Conclusion
Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.
ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.
However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.
Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.
Appendices
References
[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat
[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/
Darktrace DETECT Model Detections
· Anomalous File / Anomalous Octet Stream (No User Agent)
· Anomalous Connection / PowerShell to Rare External
· Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
· Anomalous Connection / Lots of New Connections
· Anomalous Connection / Multiple Failed Connections to Rare Endpoint
· Anomalous Server Activity / Outgoing from Server
· Compromise / Large DNS Volume for Suspicious Domain
· Compromise / Quick and Regular Windows HTTP Beaconing
· Compromise / Beacon for 4 Days
· Compromise / Suspicious Beaconing Behaviour
· Compromise / Large Number of Suspicious Failed Connections
· Compromise / Large Number of Suspicious Successful Connections
· Compromise / POST and Beacon to Rare External
· Compromise / DGA Beacon
· Compromise / Agent Beacon (Long Period)
· Compromise / Agent Beacon (Medium Period)
· Compromise / Agent Beacon (Short Period)
· Compromise / Fast Beaconing to DGA
· Compromise / SSL or HTTP Beacon
· Compromise / Slow Beaconing Activity To External Rare
· Compromise / Beaconing Activity To External Rare
· Compromise / Excessive Posts to Root
· Compromise / Connections with Suspicious DNS
· Compromise / HTTP Beaconing to Rare Destination
· Compromise / High Volume of Connections with Beacon Score
· Compromise / Sustained SSL or HTTP Increase
· Device / New PowerShell User Agent
· Device / New User Agent and New IP
Darktrace RESPOND Model Detections
· Antigena / Network / External Threat / Antigena Suspicious File Block
· Antigena / Network / External Threat / Antigena File then New Outbound Block
· Antigena / Network / External Threat / Antigena Watched Domain Block
· Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
· Antigena / Network / External Threat / Antigena Suspicious Activity Block
· Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
· Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block
· Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block
· Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
List of IoCs
Indicator - Type - Description
ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
apibilng[.]com - Hostname - ViperSoftX C2 endpoint
arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint
counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint
fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint
wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint
wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent
MITRE ATT&CK Mapping
Tactic - Technique - Notes
Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms
Command and Control - T1321 Data Encoding
Credential Access - T1555.005 Credentials from Password Stores: Password Managers
Defense Evasion - T1027 Obfuscated Files or Information
Execution - T1059.001 Command and Scripting Interpreter: PowerShell
Execution - T1204 User Execution T1204.002 Malicious File
Persistence - T1176 Browser Extensions - VenomSoftX specific
Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading
Blog
Inside the SOC
Protecting Prospects: How Darktrace Detected an Account Hijack Within Days of Deployment
Cloud Migration Expanding the Attack Surface
Cloud migration is here to stay – accelerated by pandemic lockdowns, there has been an ongoing increase in the use of public cloud services, and Gartner has forecasted worldwide public cloud spending to grow around 20%, or by almost USD 600 billion [1], in 2023. With more and more organizations utilizing cloud services and moving their operations to the cloud, there has also been a corresponding shift in malicious activity targeting cloud-based software and services, including Microsoft 365, a prominent and oft-used Software-as-a-Service (SaaS).
With the adoption and implementation of more SaaS products, the overall attack surface of an organization increases – this gives malicious actors additional opportunities to exploit and compromise a network, necessitating proper controls to be in place. This increased attack surface can leave organization’s open to cyber risks like cloud misconfigurations, supply chain attacks and zero-day vulnerabilities [2]. In order to achieve full visibility over cloud activity and prevent SaaS compromise, it is paramount for security teams to deploy sophisticated security measures that are able to learn an organization’s SaaS environment and detect suspicious activity at the earliest stage.
Darktrace Immediately Detects Hijacked Account
In May 2023, Darktrace observed a chain of suspicious SaaS activity on the network of a customer who was about to begin their trial of Darktrace/Cloud™ and Darktrace/Email™. Despite being deployed on the network for less than a week, Darktrace DETECT™ recognized that the legitimate SaaS account, belonging to an executive at the organization, had been hijacked. Darktrace/Email was able to provide full visibility over inbound and outbound mail and identified that the compromised account was subsequently used to launch an internal spear-phishing campaign.
If Darktrace RESPOND™ were enabled in autonomous response mode at the time of this compromise, it would have been able to take swift preventative action to disrupt the account compromise and prevent the ensuing phishing attack.
Account Hijack Attack Overview
Unusual External Sources for SaaS Credentials
On May 9, 2023, Darktrace DETECT/Cloud detected the first in a series of anomalous activities performed by a Microsoft 365 user account that was indicative of compromise, namely a failed login from an external IP address located in Virginia.
Just a few minutes later, Darktrace observed the same user credential being used to successfully login from the same unusual IP address, with multi-factor authentication (MFA) requirements satisfied.
A few hours after this, the user credential was once again used to login from a different city in the state of Virginia, with MFA requirements successfully met again. Around the time of this activity, the SaaS user account was also observed previewing various business-related files hosted on Microsoft SharePoint, behavior that, taken in isolation, did not appear to be out of the ordinary and could have represented legitimate activity.
The following day, May 10, however, there were additional login attempts observed from two different states within the US, namely Texas and Florida. Darktrace understood that this activity was extremely suspicious, as it was highly improbable that the legitimate user would be able to travel over 2,500 miles in such a short period of time. Both login attempts were successful and passed MFA requirements, suggesting that the malicious actor was employing techniques to bypass MFA. Such MFA bypass techniques could include inserting malicious infrastructure between the user and the application and intercepting user credentials and tokens, or by compromising browser cookies to bypass authentication controls [3]. There have also been high-profile cases in the recent years of legitimate users mistakenly (and perhaps even instinctively) accepting MFA prompts on their token or mobile device, believing it to be a legitimate process despite not having performed the login themselves.
New Email Rule
On the evening of May 10, following the successful logins from multiple US states, Darktrace observed the Microsoft 365 user creating a new inbox rule, named “.’, in Microsoft Outlook from an IP located in Florida. Threat actors are often observed naming new email rules with single characters, likely to evade detection, but also for the sake of expediency so as to not expend any additional time creating meaningful labels.
In this case the newly created email rules included several suspicious properties, including ‘AlwaysDeleteOutlookRulesBlob’, ‘StopProcessingRules’ and “MoveToFolder”.
Firstly, ‘AlwaysDeleteOutlookRulesBlob’ suppresses or hides warning messages that typically appear if modifications to email rules are made [4]. In this case, it is likely the malicious actor was attempting to implement this property to obfuscate the creation of new email rules.
The ‘StopProcessingRules’ rule meant that any subsequent email rules created by the legitimate user would be overridden by the email rule created by the malicious actor [5]. Finally, the implementation of “MoveToFolder” would allow the malicious actor to automatically move all outgoing emails from the “Sent” folder to the “Deleted Items” folder, for example, further obfuscating their malicious activities [6]. The utilization of these email rule properties is frequently observed during account hijackings as it allows attackers to delete and/or forward key emails, delete evidence of exploitation and launch phishing campaigns [7].
In this incident, the new email rule would likely have enabled the malicious actor to evade the detection of traditional security measures and achieve greater persistence using the Microsoft 365 account.
Account Update
A few hours after the creation of the new email rule, Darktrace observed the threat actor successfully changing the Microsoft 365 user’s account password, this time from a new IP address in Texas. As a result of this action, the attacker would have locked out the legitimate user, effectively gaining full access over the SaaS account.
Phishing Emails
The compromised SaaS account was then observed sending a high volume of suspicious emails to both internal and external email addresses. Darktrace was able to identify that the emails attempting to impersonate the legitimate service DocuSign and contained a malicious link prompting users to click on the text “Review Document”. Upon clicking this link, users would be redirected to a site hosted on Adobe Express, namely hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/.
Adobe Express is a free service that allows users to create web pages which can be hosted and shared publicly; it is likely that the threat actor here leveraged the service to use in their phishing campaign. When clicked, such links could result in a device unwittingly downloading malware hosted on the site, or direct unsuspecting users to a spoofed login page attempting to harvest user credentials by imitating legitimate companies like Microsoft.
The malicious site hosted on Adobe Express was subsequently taken down by Adobe, possibly in response to user reports of maliciousness. Unfortunately though, platforms like this that offer free webhosting services can easily and repeatedly be abused by malicious actors. Simply by creating new pages hosted on different IP addresses, actors are able to continue to carry out such phishing attacks against unsuspecting users.
In addition to the suspicious SaaS and email activity that took place between May 9 and May 10, Darktrace/Email also detected the compromised account sending and receiving suspicious emails starting on May 4, just two days after Darktrace’s initial deployment on the customer’s environment. It is probable that the SaaS account was compromised around this time, or even prior to Darktrace’s deployment on May 2, likely via a phishing and credential harvesting campaign similar to the one detailed above.
Darktrace Coverage
As the customer was soon to begin their trial period, Darktrace RESPOND was set in “human confirmation” mode, meaning that any preventative RESPOND actions required manual application by the customer’s security team.
If Darktrace RESPOND had been enabled in autonomous response mode during this incident, it would have taken swift mitigative action by logging the suspicious user out of the SaaS account and disabling the account for a defined period of time, in doing so disrupting the attack at the earliest possible stage and giving the customer the necessary time to perform remediation steps. As it was, however, these RESPOND actions were suggested to the customer’s security team for them to manually apply.
Nevertheless, with Darktrace DETECT/Cloud in place, visibility over the anomalous cloud-based activities was significantly increased, enabling the swift identification of the chain of suspicious activities involved in this compromise.
In this case, the prospective customer reached out to Darktrace directly through the Ask the Expert (ATE) service. Darktrace’s expert analyst team then conducted a timely and comprehensive investigation into the suspicious activity surrounding this SaaS compromise, and shared these findings with the customer’s security team.
Conclusion
Ultimately, this example of SaaS account compromise highlights Darktrace’s unique ability to learn an organization’s digital environment and recognize activity that is deemed to be unexpected, within a matter of days.
Due to the lack of obvious or known indicators of compromise (IoCs) associated with the malicious activity in this incident, this account hijack would likely have gone unnoticed by traditional security tools that rely on a rules and signatures-based approach to threat detection. However, Darktrace’s Self-Learning AI enables it to detect the subtle deviations in a device’s behavior that could be indicative of an ongoing compromise.
Despite being newly deployed on a prospective customer’s network, Darktrace DETECT was able to identify unusual login attempts from geographically improbable locations, suspicious email rule updates, password changes, as well as the subsequent mounting of a phishing campaign, all before the customer’s trial of Darktrace had even begun.
When enabled in autonomous response mode, Darktrace RESPOND would be able to take swift preventative action against such activity as soon as it is detected, effectively shutting down the compromise and mitigating any subsequent phishing attacks.
With the full deployment of Darktrace’s suite of products, including Darktrace/Cloud and Darktrace/Email, customers can rest assured their critical data and systems are protected, even in the case of hybrid and multi-cloud environments.
Credit: Samuel Wee, Senior Analyst Consultant & Model Developer
Appendices
References
[2] https://www.upguard.com/blog/saas-security-risks
[4] https://learn.microsoft.com/en-us/powershell/module/exchange/disable-inboxrule?view=exchange-ps
[7] https://blog.knowbe4.com/check-your-email-rules-for-maliciousness
Darktrace Model Detections
Darktrace DETECT/Cloud and RESPOND Models Breached:
SaaS / Access / Unusual External Source for SaaS Credential Use
SaaS / Unusual Activity / Multiple Unusual External Sources for SaaS Credential
Antigena / SaaS / Antigena Unusual Activity Block (RESPOND Model)
SaaS / Compliance / New Email Rule
Antigena / SaaS / Antigena Significant Compliance Activity Block
SaaS / Compromise / Unusual Login and New Email Rule (Enhanced Monitoring Model)
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
SaaS / Compromise / SaaS Anomaly Following Anomalous Login (Enhanced Monitoring Model)
SaaS / Compromise / Unusual Login and Account Update
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
IoC – Type – Description & Confidence
hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/ - Domain – Probable Phishing Page (Now Defunct)
37.19.221[.]142 – IP Address – Unusual Login Source
35.174.4[.]92 – IP Address – Unusual Login Source
MITRE ATT&CK Mapping
Tactic - Techniques
INITIAL ACCESS, PRIVILEGE ESCALATION, DEFENSE EVASION, PERSISTENCE
T1078.004 – Cloud Accounts
DISCOVERY
T1538 – Cloud Service Dashboards
CREDENTIAL ACCESS
T1539 – Steal Web Session Cookie
RESOURCE DEVELOPMENT
T1586 – Compromise Accounts
PERSISTENCE
T1137.005 – Outlook Rules
