To achieve compliance in 2020, human teams need artificial intelligence to make sense of their dynamic digital estates.
From credit card details and medical records, through to private conversations and even dating preferences, the modern consumer entrusts an unprecedented number of organizations with their most sensitive information, hoping against hope that it will be stored on the digital equivalent of Fort Knox.
The reality, however, is that robust data privacy has thus far proven elusive. Almost 13 billion records were breached over the last two years — including from Facebook, Google, and the US Postal Service — demonstrating once again that no network perimeter can keep motivated attackers at bay.
For governments whose principal responsibility is to safeguard their citizens, implementing a strong data protection regime is therefore as challenging as it is critical. At a time when cyber-criminals find vulnerabilities in the most ostensibly airtight systems, these regulators have tended to shy away from mandating concrete security practices, since no one can anticipate which measures will repel the next unpredictable attack. Instead, most data protection laws default to ambiguous calls for “reasonable,” “adequate,” or “appropriate” cyber defenses — language that arguably renders any breached company noncompliant by definition.
While such ambiguity makes prediction pieces like this one speculative to some extent, the coming year will almost certainly witness both an increase in data protection laws around the world as well as a less forgiving interpretation of their requirements. Ultimately, as governments attempt to address growing public concern over data privacy, the mere fact of having suffered a breach could be seen as grounds for significant fines. Avoiding these fines — and doing right by one’s customers — entails assuming that the bad guys will inevitably get past the perimeter.
Figure 1: Noncompliance penalties are only getting larger as the 2020s near. Data source: CSO.
GDPR goes global
The EU’s adoption of the General Data Protection Regulation (GDPR) in April 2016 was the watershed moment in the history of data protection legislation. Its enumeration of individual privacy rights, its 72-hour breach notification requirement, and its broad data protection directives continue to serve as a blueprint for countless others, such as Brazil’s General Data Protection Law (LGPD), Thailand’s Personal Data Protection Act (PDPA), and the California Consumer Privacy Act (CCPA). All three of these regulations become enforceable in 2020, with major ramifications for companies worldwide.
Brazil’s law, which will go into effect on August 15, 2020, is modeled closely after GDPR. Like GDPR, the law applies to all companies that handle the personal data of any of Brazil’s 210 million residents — regardless of where these companies themselves are headquartered. Also like GDPR, of course, the LGPD’s security clauses are open to interpretation. The law compels data handlers to “adopt security, technical, and administrative measures able to protect personal data from unauthorized access,” taking into account “the current state of technology.”
The PDPA in Thailand — effective starting on May 27, 2020 — is similarly vague in mandating unspecified security measures. It parts company, however, in that violators face the possibility of criminal prosecution and even imprisonment for up to one year, in addition to civil damages. Organizations classified as Critical Information Infrastructure (CII), including banks, telecoms, utilities, and hospitals, are regulated under Thailand’s separate Cybersecurity Act and its slightly more detailed obligations.
Figure 2: New GDPR-inspired laws like Brazil’s will turn this map increasingly blue. Image source: DLA Piper.
In California, meanwhile, the CCPA will enforce noncompliance penalties of up to $750 per consumer per incident beginning on the first day of 2020, which could result in multibillion-dollar fines in the case of large-scale breaches. Such precise provisions indicate that GDPR-style legislation is more than a symbolic step toward data protection. And yet, as of August 2019, only 2% of companies reported that they were fully compliant with CCPA, perhaps because, according to a state-commissioned study, California firms will be forced to shell out $55 billion on just their initial compliance efforts.
Checkmate for checkbox compliance
Between the hundreds of data protection fines levied under GDPR and analogous laws, the common thread is that penalized companies are deemed to have suffered a preventable breach. For instance, in the aftermath of the 2017 Equifax compromise that exposed the personal information of more than 140 million consumers, the company was found to have been in violation of the FTC Safeguards Rule, which compelled it to adopt security measures “appropriate to [the] size and complexity” of its digital infrastructure. The US government concluded that the incident was “entirely preventable” had Equifax performed a “routine” security update on the impacted database — an oversight that precipitated at least $1.4 billion in total damages.
However, a closer inspection reveals challenges far deeper than just a simple oversight. Equifax did indeed scan its network for vulnerabilities, but the automated scanner it used was not properly configured to search all of its assets. The truth is that these kinds of misconfigurations and blind spots are a symptom of the conventional approach to cyber security itself, an approach reliant on humans to adjust and monitor a vast array of siloed security tools. In the context of cloud environments designed to be dynamic and IoT devices that are often unbeknownst to the security team, there is nothing routine about defending the “size and complexity” of the modern enterprise.
The upshot of all these new laws, requirements, and fines is that the days of mere checkbox compliance are over. Breached companies can no longer throw up their hands and point to the list of perimeter security tools they had in place, particularly because attackers largely exploit user errors and misconfigurations that — while inevitable — also appear preventable in a vacuum. Rather, to achieve compliance in 2020, human teams need artificial intelligence to make sense of their dynamic digital estates. By learning how each unique user and device normally functions while ‘on the job’, such Cyber AI detects threats that are already inside the perimeter — before they cost the company in court.
Like this and want more?
Receive the latest blog in your inbox
양식을 제출하는 동안 문제가 발생했습니다.
Like this and want more?
Stay up to date on the latest industry news and insights.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
ABOUT ThE AUTHOR
SVP, Red Team Operations
Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.
share this article
Stay up to date on the latest industry news and insights.
Since their appearance in the wild over three decades ago, botnets have consistently been the attack vector of choice for many threat actors. The most prevalent of these attack vectors are distributed denial of service (DDoS) and phishing campaigns. Their persistent nature means that even if a compromised device in identified, attackers can continue to operate by using the additional compromised devices they will likely have on the target network. Similarly, command and control (C2) infrastructure can easily be restructured between infected systems, making it increasingly difficult to remove the infection.
One of the most prevalent and sophisticated examples in recent years is the MyKings botnet, also known as Smominru or DarkCloud. Darktrace has observed numerous cases of MyKings botnet compromises across multiple customer environments in several different industries as far back as August 2022. The diverse tactics, techniques, and procedures (TTPs) and sophisticated kill chains employed by MyKings botnet may prove a challenge to traditional rule and signature-based detections.
However, Darktrace’s anomaly-centric approach enabled it to successfully detect a wide-range of indicators of compromise (IoCs) related to the MyKings botnet and bring immediate awareness to customer security teams, as it demonstrated on the network of multiple customers between March and August 2023.
Background on MyKings Botnet
MyKings has been active and spreading steadily since 2016 resulting in over 520,000 infections worldwide. Although verified attribution of the botnet remains elusive, the variety of targets and prevalence of crypto-mining software on affected devices suggests the threat group behind the malware is financially motivated. The operators behind MyKings appear to be highly opportunistic, with attacks lacking an obvious specific target industry. Across Darktrace’s customer base, the organizations affected were representative of multiple industries such as entertainment, mining, education, information technology, health, and transportation.
Given its longevity, the MyKings botnet has unsurprisingly evolved since its first appearance years ago. Initial analyses of the botnet showed that the primary crypto-related activity on infected devices was the installation of Monero-mining software. However, in 2019 researchers discovered a new module within the MyKings malware that enabled clipboard-jacking, whereby the malware replaces a user's copied cryptowallet address with the operator's own wallet address in order to siphon funds.
Similar to other botnets such as the Outlaw crypto-miner, the MyKings botnet can also kill running processes of unrelated malware on the compromised hosts that may have resulted from prior infection. MyKings has also developed a comprehensive set of persistence techniques, including: the deployment of bootkits, initiating the botnet immediately after a system reboot, configuring Registry run keys, and generating multiple Scheduled Tasks and WMI listeners. MyKings have also been observed rotating tools and payloads over time to propagate the botnet. For example, some operators have been observed utilizing PCShare, an open-source remote access trojan (RAT) customized to conduct C2 services, execute commands, and download mining software.
Across observed customer networks between March and August 2023, Darktrace identified the MyKings botnet primarily targeting Windows-based servers that supports services like MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and Remote Desktop (RDP). In the initial phase of the attack, the botnet would initiate a variety of attacks against a target including brute-forcing and exploitation of unpatched vulnerabilities on exposed servers. The botnet delivers a variety of payloads to the compromised systems including worm downloaders, trojans, executable files and scripts.
This pattern of activity was detected across the network of one particular Darktrace customer in the education sector in early March 2023. Unfortunately, this customer did not have Darktrace RESPOND™ deployed on their network at the time of the attack, meaning the MyKings botnet was able to move through the cyber kill chain ultimately achieving its goal, which in this case was mining cryptocurrency.
On March 6, Darktrace observed an internet-facing SQL server receiving an unusually large number of incoming MySQL connections from the rare external endpoint 171.91.76[.]31 via port 1433. While it is not possible to confirm whether these suspicious connections represented the exact starting point of the infection, such a sudden influx of SQL connection from a rare external endpoint could be indicative of a malicious attempt to exploit vulnerabilities in the server's SQL database or perform password brute-forcing to gain unauthorized access. Given that MyKings typically spreads primarily through such targeting of internet-exposed devices, the pattern of activity is consistent with potential initial access by MyKings.
Initial Command and Control
The device then proceeded to initiate a series of repeated HTTP connections between March 6 and March 10, to the domain www[.]back0314[.]ru (107.148.239[.]111). These connections included HTTP GET requests featuring URIs such as ‘/back.txt', suggesting potential beaconing and C2 communication. The device continued this connectivity to the external host over the course of four days, primarily utilizing destination ports 80, and 6666. While port 80 is commonly utilized for HTTP connections, port 6666 is a non-standard port for the protocol. Such connectivity over non-standard ports can indicate potential detection evasion and obfuscation tactics by the threat actors. During this time, the device also initiated repeated connections to additional malicious external endpoints with seemingly algorithmically generated hostnames such as pc.pc0416[.]xyz.
While this beaconing activity was taking place, the affected device also began to receive potential payloads from unusual external endpoints. On April 29, the device made an HTTP GET request for “/power.txt” to the endpoint 192.236.160[.]237, which was later discovered to have multiple open-source intelligence (OSINT) links to malware. Power.txt is a shellcode written in PowerShell which is downloaded and executed with the purpose of disabling Windows Defenders related functions. After the initial script was downloaded (and likely executed), Darktrace went on to detect the device making a series of additional GET requests for several varying compressed and executable files. For example, the device made HTTP requests for '/pld/cmd.txt' to the external endpoint 104.233.224[.]173. In response the external server provided numerous files, including ‘u.exe’, and ‘upsup4.exe’ for download, both of which share file names with previously identified MyKings payloads.
MyKings deploys a diverse array of payloads to expand the botnet and secure a firm position within a compromised system. This multi-faceted approach may render conventional security measures less effective due to the intricacies of and variety of payloads involved in compromises. Darktrace, however, does not rely on static or outdated lists of IoCs in order to detect malicious activity. Instead, DETECT’s Self-Learning AI allows it to identify emerging compromise activity by recognizing the subtle deviations in an affected device’s behavior that could indicate it has fallen into the hands of malicious actors.
Achieving Objectives – Crypto-Mining
Several weeks after the initial payloads were delivered and beaconing commenced, Darktrace finally detected the initiation of crypto-mining operations. On May 27, the originally compromised server connected to the rare domain other.xmrpool[.]ru over port 1081. As seen in the domain name, this endpoint appears to be affiliated with pool mining activity and the domain has various OSINT affiliations with the cryptocurrency Monero coin. During this connection, the host was observed passing Monero credentials, activity which parallels similar mining operations observed on other customer networks that had been compromised by the MyKings botnet.
Although mining activity may not pose an immediate or urgent concern for security unauthorized cryptomining on devices can result in detrimental consequences, such as compromised hardware integrity, elevated energy costs, and reduced productivity, and even potential involvement in money laundering.
Detecting future iterations of the MyKings botnet will likely demand a shift away from an overreliance on traditional rules and signatures and lists of “known bads”, instead requiring organizations to employ AI-driven technology that can identify suspicious activity that represents a deviation from previously established patterns of life.
Despite the diverse range of payloads, malicious endpoints, and intricate activities that constitute a typical MyKing botnet compromise, Darktrace was able successfully detect multiple critical phases within the MyKings kill chain. Given the evolving nature of the MyKings botnet, it is highly probable the botnet will continue to expand and adapt, leveraging new tactics and technologies. By adopting Darktrace’s product of suites, including Darktrace DETECT, organizations are well-positioned to identify these evolving threats as soon as they emerge and, when coupled with the autonomous response technology of Darktrace RESPOND, threats like the MyKings botnet can be stopped in their tracks before they can achieve their ultimate goals.
Credit to: Oluwatosin Aturaka, Analyst Team Lead, Cambridge, Adam Potter, Cyber Analyst
The NIS2 Directive requires member states to adopt laws that will improve the cyber resilience of organizations within the EU. It impacts organizations that are “operators of essential services”. Under NIS 1, EU member states could choose what this meant. In an effort to ensure more consistent application, NIS2 has set out its own definition. It eliminates the distinction between operators of essential services and digital service providers from NIS1, instead defining a new list of sectors:
Energy (electricity, district heating and cooling, gas, oil, hydrogen)
Transport (air, rail, water, road)
Banking (credit institutions)
Financial market infrastructures
Health (healthcare providers and pharma companies)
Drinking water (suppliers and distributors)
Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
ICT service providers (B2B): MSSPs and managed service providers
Public administration (central and regional government institutions, as defined per member state)
Postal and courier services
Manufacturing of medical devices
Computers and electronics
Machinery and equipment
Motor vehicles, trailers and semi-trailers and other transport equipment
Digital providers (online market places, online search engines, and social networking service platforms) and research organizations.
With these updates, it becomes harder to try and find industry segments not included within the scope. NIS2 represents legally binding cyber security requirements for a significant region and economy. Standout features that have garnered the most attention include the tight timelines associated with notification requirements. Under NIS 2, in-scope entities must submit an initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) within 24 hours from when the entity became aware of a significant incident. This is a new development from the first iteration of the Directive, which used more vague language of the need to notify authorities “without undue delay”.
Another aspect gaining attention is oversight and regulation – regulators are going to be empowered with significant investigation and supervision powers including on-site inspections.
The stakes are now higher, with the prospect of fines that are capped at €10 million or 2% of an offending organization’s annual worldwide turnover – whichever is greater. Added to that, the NIS2 Directive includes an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations – and members can be held personally liable.
The risk management measures introduced in the Directive are not altogether surprising – they reflect common best practices. Many organizations (especially those that are newly in scope for NIS2) may have to expand their cyber security capabilities, but there’s nothing controversial or alarming in the required measures. For organizations in this situation, there are various tools, best practices, and frameworks they can leverage. Darktrace in particular provides capabilities in the areas of visibility, incident handling, and reporting that can help.
NIS2 and Cyber AI
The use of AI is not an outright requirement within NIS2 – which may be down to lack of knowledge and expertise in the area, and/or the immaturity of the sector. The clue to this might be in the timing: the provisional agreement on the NIS2 text was reached in May 2022 – six months before ChatGPT and other open-source Generative AI tools propelled broader AI technology into the forefront of public consciousness. If the language were drafted today, it's not far-fetched to imagine AI being mentioned much more prominently and perhaps even becoming a requirement.
NIS2 does, however, very clearly recommend that “member states should encourage the use of any innovative technology, including artificial intelligence”. Another section speaks directly to essential and important entities, saying that they should “evaluate their own cyber security capabilities, and where appropriate, pursue the integration of cyber security enhancing technologies, such as artificial intelligence or machine learning systems…”
One of the recitals states that “member states should adopt policies on the promotion of active cyber protection”. Where active cyber protection is defined as “the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner.”
From a Darktrace perspective, our self-learning Cyber AI technology is precisely what enables our technology to deliver active cyber protection – protecting organizations and uplifting security teams at every stage of an incident lifecycle – from proactively hardening defenses before an attack is launched, to real-time threat detection and response, through to recovering quickly back to a state of good health.
The visibility provided by Darktrace is vital to understanding the effectiveness of policies and ensuring policy compliance. NIS2 also covers incident handling and business continuity, which Darktrace HEAL addresses through AI-enabled incident response, readiness reports, simulations, and secure collaborations.
Reporting is integral to NIS2 and organizations can leverage Darktrace’s incident reporting features to present the necessary technical details of an incident and provide a jump start to compiling a full report with business context and impact.
What’s Next for NIS2
We don’t yet know the details for how EU member states will transpose NIS2 into national law – they have until 17th October 2024 to work this out. The Commission also commits to reviewing the functioning of the Directive every three years. Given how much our overall understanding and appreciation for not only the dangers of AI but also its power (perhaps even necessity in the realm of cyber security) is changing, we may see many member states will leverage the recitals’ references to AI in order to make a strong push if not a requirement that essential and important organizations within their jurisdiction leverage AI.
Organizations are starting to prepare now to meet the forthcoming legislation related to NIS2. To see how Darktrace can help, talk to your representative or contact us.
 (51) on page 11  (89) on page 17  (57) on page 12