Phishing de l'intérieur : Détournement de compte Microsoft 365
03
Aug 2020
03
Aug 2020
Lorsqu'une entreprise technologique a pris le contrôle d'un compte Microsoft 365, la plateforme d'intelligence artificielle du cyberespace Darktracea immédiatement détecté un comportement anormal. Lorsque le compte compromis a commencé à envoyer des centaines de courriels, l'analyste de l'IA cybernétique a enquêté en temps réel et a lancé une alerte de confiance à l'équipe de sécurité.
Cyber-criminals are increasingly impersonating trusted SaaS platforms and suppliers with their attacks. Recently, Darktrace has detected threats leveraging QuickBooks, WeTransfer and Microsoft Teams brand names. Many of these emails attempt to coax a recipient into clicking a malicious link that leads to a page containing credential-harvesting malware. This blog post demonstrates a possible next phase in an attack – what happens after an employee enters their details on this malicious webpage and has their account compromised.
Even just one compromised internal account can greatly increase the success rate of a phishing campaign. Attackers can use a compromised Microsoft 365 account to gain access to multiple other accounts within hours.
Darktrace’s AI was monitoring over 9,000 devices at a leading technology firm in the APAC region when one employee became victim to a Microsoft 365 account takeover over the weekend. This account was then used to send hundreds of phishing emails to both internal and external contacts. Darktrace detected the early signs of account compromise and raised a high-confidence alert to the security team well before these emails were sent. If the security team had acted quickly in response to the alert, the delivery of the phishing emails – and a second account compromise – could have been avoided.
Timeline of the attack
Figure 1: A timeline of the attack
We can see in the timeline that the attacker only spent three hours performing research before acting. This raises questions on the nature of this threat. Was the attack automated? Had the attacker done preliminary research? Did they know what they were after?
A bespoke and targeted attack
Darktrace first alerted to the security incident when the AI detected that someone was logging in from an unusual geographical location, promptly setting up new inbox rules, and viewing several shared files. The attacker then proceeded to send out over 200 phishing emails to internal and external recipients.
The emails contained a link to a Microsoft OneDrive landing page titled “Contract & Proposal – Customer,” indicating the page was specifically built for this attack. The page contained a phishing link hidden under the display text “Click to Review Fax Document.” Less than one hour after the phishing emails were sent, Darktrace’s AI detected an an unusual login from the same IP to a second account in the organization, indicating this account had likely also been compromised.
How did the attack bypass the rest of the security stack?
The attacker leveraged compromised M365 credentials, with the initial entry likely via compromised credentials from a previous phishing campaign before Darktrace’s AI was deployed;
Traditional email security software trusts internal emails;
Phishing emails contained a OneDrive link, a trusted SaaS platform, so other email security products would not have identified these links as suspicious.
AI Analyst investigates
The technology firm had deployed Darktrace’s Enterprise Immune System across their network and SaaS applications, and consequently had real-time visibility across every event in this attack as it unfolded. Additionally, when the unusual login location was detected, Darktrace’s Cyber AI Analyst immediately launched an automated investigation into the malicious activity, generating a natural language summary of the events and other crucial information to help with incident review.
Figure 2: An excerpt of Cyber AI Analyst’s report of the account hijack
Darktrace’s SaaS Console also reported on the event in the context of activity on that device over the previous week.
Figure 3: Darktrace’s SaaS dashboard displaying an overview of the incident
This attack is another example of the changing nature of cyber-threats in the context of digital transformation. It is not devices, but identities that are increasingly being targeted and attacked.
Darktrace’s real-time alerting on the evolving situation could have enabled the security team to isolate the initial compromised account and change the credentials before the attack escalated further. The initial rare login destination caused Darktrace’s Cyber AI Analyst to launch an ongoing investigation into the compromised account, such that an alert was raised just three minutes after new processing rules were set up by the attacker. With eyes on the technology, a more serious breach could have been avoided, and the breach remeditated in minutes.
Thanks to Darktrace analyst Stefan Rowe for his insights on the above threat find.
For eight more case studies of cyber-threats detected within SaaS environments, read the White Paper.
IoCs:
IoCCommentcovingtonok[.]buzzUsed to host fake login page
Darktrace model detections:
SaaS / Unusual External Source for SaaS Credential Use
SaaS / New Email
SaaS / Unusual Login and New Email Rule
SaaS / Anomalous Exchange Activity
Vous aimez ça et en voulez plus ?
Recevez le dernier blog dans votre boîte de réception
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
NEWSLETTER
Vous aimez ça et en voulez plus ?
Stay up to date on the latest industry news and insights.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Max Heinemeyer
Directeur général des produits
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework
17
Apr 2024
Offensive Security Tools
As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.
What is Sliver C2?
Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.
The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].
Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].
Why Do Attackers Use Sliver C2?
Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].
Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.
Darktrace’s Coverage of Sliver C2 Activity
Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.
Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.
Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.
The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.
Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].
However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base. In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].
Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:
This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.
Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].
Conclusion
Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.
While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.
Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
09
Apr 2024
Organizations Should Demand More from their Email Security
In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.
Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.
With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:
AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
an easy way to deploy DMARC quickly with AI
major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams
Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss
Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.
Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.
Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.
Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.
Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.
And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.
End User and Security Workflows
Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1
Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.
Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.
Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.
For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.
Microsoft Teams
Detect threats within your Teams environment such as account compromise, phishing, malware and data loss
Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3
Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.
The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.
Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.
Lateral Mail Analysis
Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks
The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.
Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.
DMARC
Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC
Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.
Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.
Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.
Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.
Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.