Trouvailles menaces de Darktrace OT : Sabotage industriel
21
Jul 2020
21
Jul 2020
With increasing convergence between the cyber-physical realm and the corporate network, Darktrace has seen a rise in cyber-attacks that start in IT before traversing into industrial systems. This blog details one such threat, that was detected and investigated on by AI.
Darktrace recently detected a case of industrial sabotage while deployed at a food-processing organization in the EMEA region. Like many more high-profile attack campaigns such as EKANS, Havex, and BlackEnergy, this attack started in the business’s IT infrastructure before pivoting to target the OT network.
Despite having a substantial OT network, the company was not aware of the extent of IT/OT convergence in their architecture. They initially chose to deploy Darktrace’s Enterprise Immune System, but not the Industrial Immune System assuming their OT systems were secure. As this attack moved from their IT systems and into OT, the additional visibility and ICS-specific models provided by Darktrace’s industrial offering would have delivered valuable additional context and further helped with threat remediation.
However, thanks to the Enterprise Immune System monitoring the events in real time, we can follow the threat as it moved through the corporate network over the span of three hours.
Timeline of incident
Figure 1: A timeline of events
Darktrace first detected a new device appearing in the “Computing” VLAN, which successfully connected to the “Industrial” VLAN using an admin RDP connection. The device then scanned the industrial network using OT ports 102 and 502, before appearing to call home to external locations using insecure HTTPS and making failed attempts to connect to external servers using OT port 502.
The device then appeared to make successful S7 and Modbus connections to other industrial devices, the nature of which could have been easily determined by the Industrial Immune System.
This new device was introduced directly onto the corporate network, bypassing traditional defenses that sit at the border. Any attempts made by the organization to segregate their IT and OT networks were insufficient in the face of the techniques used by the attacker.
Investigating at machine speed
Darktrace’s Cyber AI Analyst identified the breach device establishing a high volume of connections to unusual external IPs and transferring an unusually high volume of data with the internal WinCC server over port 3389. Simultaneously, the device was observed attempting to establish a high volume of internal connections over ports associated with ICS services. This activity suggests the breach device was conducting an internal scan.
Figure 2: A summary of the unusual data upload
Figure 3: A summary of the scanning activity
Figure 4: The device summary
The graph below details failed connections to external IP addresses made by the breach device when it joined the network (blue), and the mathematical importance of the activity (green), which reveals how statistically important this behavior is due to the size of its deviation from normal. Below that, Darktrace’s user interface surfaces every connection on the breach device over port 102.
Figure 5: The number of external connections made to closed ports
Figure 6: The Event Log for connections to S7 port 102 at the time of the incident
An immune system for industrial networks
Cross-examining and analyzing these multiple anomalies in real time, Darktrace identified this as a case of network reconnaissance. This is particularly suspicious as the device was only seen on the network for a two-day period. The unusual use of administrative credentials in the initial stages suggests the new device was attempting to control the WinCC Server, which allows Windows computers to communicate with industrial devices. Unauthorized access to this server could cause serious harm to the organization, as it would allow an attacker to learn about an industrial process, reconfigure multiple devices, or even fully sabotage the process.
The incident clearly demonstrates IT/OT convergence and the risks that entails, even – or especially – when businesses believe these systems are separate. Improper network segmentation makes ICS networks, particularly HMIs (human machine interfaces), an easy target for cyber-criminals or rogue insiders, making total visibility crucial in defending these systems.
This incident affirms that enterprise security needs to encompass OT security – the two can’t be treated as separate. The Industrial Immune System provides security analysts visibility across OT networks and subnets and defends against threats which might target industrial systems. Further, with AI learning the ‘pattern of life’ for every user, device, and controller, the technology can detect subtle deviations in behavior that evade other security tools, alerting security teams to potentially threatening activity in seconds. As attackers increasingly look to cause disruption and target industrial systems in their efforts, AI will be critical to keeping these systems secure and operational.
Thanks to Darktrace analyst Kendra Gonzalez Duran for her insights on the above threat find.
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Max Heinemeyer
Directeur général des produits
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework
17
Apr 2024
Offensive Security Tools
As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.
What is Sliver C2?
Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.
The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].
Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].
Why Do Attackers Use Sliver C2?
Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].
Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.
Darktrace’s Coverage of Sliver C2 Activity
Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.
Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.
Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.
The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.
Figure 1: Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.
Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.
Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].
However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base. In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].
Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:
This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.
Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].
Conclusion
Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.
Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
09
Apr 2024
Organizations Should Demand More from their Email Security
In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.
Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.
With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:
AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
an easy way to deploy DMARC quickly with AI
major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams
Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss
Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.
Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.
Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.
Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.
Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.
And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.
End User and Security Workflows
Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1
Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.
Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.
Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.
For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.
Darktrace takes a user-focused and business-centric approach to email security, in contrast to the attack-centric rules and signatures approach of secure email gateways
Microsoft Teams
Detect threats within your Teams environment such as account compromise, phishing, malware and data loss
Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3
Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.
The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.
Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.
Lateral Mail Analysis
Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks
The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.
Darktrace integrates signals from across the entire mailflow and communication patterns to determine symptoms of account compromise, now including lateral mailflow
Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.
DMARC
Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC
Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.
Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.
Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.
Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.
Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.
