Blog

Cloud

How a cloud server nearly released IP at a major manufacturing company

How a cloud server nearly released IP at a major manufacturing companyDefault blog imageDefault blog image
18
Sep 2017
18
Sep 2017

4 million customers had their information exposed in the Time Warner compromise. In the Verizon breach, that number rose to 14 million. Third-party cloud vulnerabilities were responsible for both.

Signature-based security tools consistently fail to detect cloud-based threats like these, which are often subtle and unique from threats found on the physical network.

At a leading manufacturing company in Europe, Darktrace detected a similar cloud vulnerability, only instead of customer data at risk, it was sensitive intellectual property.

The company was using a third-party cloud server to store files containing product details and sales projections. The files on the server and the root IP were gated with a username and password.

After entering their credentials, however, the files contained on the server were left unencrypted. Darktrace detected this vulnerability when a device downloaded a ZIP file from a rare external IP address that Darktrace deemed highly anomalous compared to the device’s normal behavior.

94:65:9c:a6:XX:XX made an HTTP connection to XX[.]23.0.23 on TCP port 80

Source: 10.84.16.50
Destination: 10.3.0.1
Destination Port: 8080
Path: hxxp://XX.23.0[.]23/dl/ntt_download.php?key=DLNT57fe6b54[PARTLY REDACTED]

Ordinarily, this activity would indicate unauthorized content entering the network, but in this case, the anomaly revealed a critical security flaw. Darktrace’s AI algorithms and mathematical models immediately recognized this activity as a deviation from the device’s normal ‘pattern of life’.

Upon investigation of the anomaly, it was discovered that the ZIP file wasn’t access restricted. In other words, anybody could have downloaded the ZIP file if they knew the URL, which could have been obtained by simply intercepting network traffic, either internally or externally. More dedicated attackers could have even brute-forced the file ‘key’ parameter of the URL.

The files in question included product specs, market research, and other sensitive data. The loss or leakage of such information could have placed the entire product line at risk.

A sample of the file names in the ZIP file included:

2016-09-30 - [REDACTED] - Spectral Reconstruction and Measurement.docx
2016-09-30 - [REDACTED] - Brightness analysis.docx
2016-09-30 - Coverage on validation cards - Statistical analysis.xlsx

By reporting this incident as soon as it was detected, the company prevented the loss of valuable intellectual property and internal documents. Darktrace assisted the security team in revising their data storage practices in order to better protect their product information moving forward.

Too often, subtle anomalies like these are obscured by the cloud or lost in the noise of the network. Traditional security tools tend to have limited visibility of cloud activity, and even then, they only look for known threats. This vulnerability was unique and would have gone undetected by signature-based controls.

To learn more, check out our Threat Use Cases page which details some of the most interesting recent threats we’ve found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
Director of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
How a cloud server nearly released IP at a major manufacturing company
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.