This blog investigates the network-based activity detected by Darktrace in compromises stemming from the exploitation of a vulnerability in Palo Alto Networks firewall devices, namely CVE-2024-3400.

Introduction

Perimeter devices such as firewalls, virtual private networks (VPNs), and intrusion prevention systems (IPS), have long been the target of adversarial actors attempting to gain access to internal networks.…

Read More

What is a Living off the Land attack?

In the face of increasingly vigilant security teams and adept defense tools, attackers are continually looking for new ways to circumvent network security and gain access to their target environments. One common tactic is to leverage the utilities and services already available within a target organization’s environment in order to move through the kill chain, a popular method known as living off the land (LotL).…

Read More

This blog investigates Medusa ransomware, a Ransomware-as-a-Service (RaaS) variant that is known to use living off the land techniques to infect target networks and move towards its ultimate goals, data encryption and exfiltration.

What is a Living off the Land attack?

In the face of increasingly vigilant security teams and adept defense tools, attackers are continually looking for new ways to circumvent network security and gain access to their target environments.…

Read More

In this blog we examine how Darktrace was able to detect and block malicious phishing emails sent via Microsoft Teams that were impersonating an international hotel chain.

Social Engineering in Phishing Attacks

Faced with increasingly cyber-aware endpoint users and vigilant security teams, more and more threat actors are forced to think psychologically about the individuals they are targeting with their phishing attacks. Social…

Read More

This blog delves into Darktrace’s investigation into the exploitation of the Citrix Bleed vulnerability on the network of a customer in late 2024. Darktrace’s Self-Learning AI ensured the customer was well equipped to track the post-compromise activity and identify affected devices.

What is Citrix Bleed?

Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed.…

Read More

Introduction

Across an ever-changing cyber landscape, it is commonplace for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly used services and applications. While attackers are likely to prioritize developing exploits for the more severe and widespread Common Vulnerabilities and Exposures (CVEs), they typically have the most success exploiting known vulnerabilities within the first couple of years after public disclosure.…

Read More

This blog focuses on the exploitation of the ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) and Darktrace’s coverage of affected customer networks in early 2024.

Introduction

Across an ever-changing cyber landscape, it is commonplace for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly used services and applications.…

Read More

What is CACTUS Ransomware?

In May 2023, Kroll Cyber Threat Intelligence Analysts identified CACTUS as a new ransomware strain that had been actively targeting large commercial organizations since March 2023 [1]. CACTUS ransomware gets its name from the filename of the ransom note, “cAcTuS.readme.txt”. Encrypted files are appended with the extension “.cts”,…

Read More

This blog explores Darktrace’s detection of Balada Injector, a malware known to exploit vulnerabilities in WordPress to gain unauthorized access to networks. Darktrace identified numerous cases across customer environments that followed the previously reported pattern of activity spikes recurring over multiple weeks.

Introduction

With millions of users relying on digital platforms in their day-to-day lives, and organizations across the world depending on them for their business operations, they have inevitably also become a prime target for threat actors.…

Read More

This blog discusses the Darktrace Threat Research team’s investigation into Raspberry Robin, an evasive worm that is primarily distributed through infected USB drives. Once it has gained access to a target network, Raspberry Robin is able to infect devices with additional malware variants.

Introduction

In the face of increasingly hardened digital infrastructures and skilled security teams, malicious actors are forced to constantly adapt their attack methods, resulting in sophisticated attacks that are designed to evade human detection and bypass traditional network security measures.…

Read More

How does Loader Malware work?

Throughout 2023, the Darktrace Threat Research team identified and investigated multiple strains of loader malware affecting customers across its fleet. These malicious programs typically serve as a gateway for threat actors to gain initial access to an organization’s network, paving the way for subsequent attacks, including additional malware infections or disruptive ransomware attacks.…

Read More

This blog details Darktrace’s investigation into the Pikabot loader malware, observed across multiple customers in 2023. In an October 2023 incident, Darktrace identified Pikabot employing new tactics that may have bypassed traditional security measures. With Darktrace’s support, the customer was able to contain the attack and prevent it from escalating into a ransomware infection.…

Read More

In October 2023, the network of a Darktrace customer was targeted with ALPHV, or BlackCat, ransomware. An investigation into the attack revealed the usage of methods associated with the Nitrogen campaign, such as ‘malvertising’ and the distribution of malicious Python packages.

As-a-Service malware trending

Throughout 2023, “as-a-Service” strains of malware remained the most consistently observed threat type affecting Darktrace customers, mirroring their overall prominence across the cyber threat landscape.…

Read More

In this blog we discuss Gootloader, a popular loader malware variant that was observed affecting a Darktrace customer in late 2023. Darktrace was able to identify and contain the suspicious attack activity before it could become a disruptive network compromise.

What is multi-functional malware?

While traditional malware variants were designed with one specific objective in mind, the emergence of multi-functional malware, such as loader malware, means that organizations are likely to be confronted with multiple malicious tools and strains of malware at once.…

Read More