How Autonomous Cyber AI Scaled to Protect Arrow McLaren SP
Darktrace's Cyber AI has seamlessly scaled, extended, and adapted to protect Arrow McLaren's Formula 1 and IndyCar teams from machine-speed cyberattacks.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Fier
SVP, Red Team Operations
Written by
Nick Snyder
Performance Director, Arrow McLaren SP
Share
25
May 2021
It’s been decades since a racing team has had the ambition to compete at the highest level simultaneously in Formula 1 and in the NTT INDYCAR Series. And why would they? With hectic schedules, tight timelines, and the finest margins between victory and defeat, one series alone may seem a daunting enough feat. But to compete across both requires cross-continent collaboration, creativity, and innovation at every turn.
Rather than being daunted by the challenge, McLaren has embraced the unique advantages of racing in both series simultaneously. Arrow McLaren SP, in a strategic partnership with McLaren Racing, communicates on a daily basis with the McLaren Technology Centre in the UK, gathering and sharing data including car telemetry, on-board video and audio files, timing and scoring information, car set-ups, and reporting.
The security of this critical and highly sensitive data is paramount to the performance of AMSP, and after the success of Darktrace’s AI in protecting the cloud, email, and network environments of McLaren F1, AMSP recently announced they would be seamlessly extending the coverage to the US.
How adaptive, scalable AI drives success
Darktrace’s autonomous Cyber AI has protected the McLaren F1 team since early 2020, shielding their workforce and critical systems during a time of fundamental digital change, with conditions arising from COVID-19 forcing many employees to work from home. During this time the organization had a heightened reliance on cloud collaboration platforms, including video conferencing and file sharing.
Cyber AI technology adapted to these unforeseen changes, protecting the McLaren F1 team from novel and advanced attacks targeting their dynamic workforce. While traditional tools bound by set rules and playbooks had to be reconfigured, a self-learning approach allowed continuous protection of McLaren’s email systems, cloud services, and network traffic, with little maintenance required from busy human teams.
Now, the technology is being put to the test again. McLaren has extended Darktrace’s AI technology to protect the large volumes of sensitive data that travels back and forth between Arrow McLaren SP and the MTC.
Responding to machine-speed ransomware with Autonomous Response
As a wave of ransomware attacks brings fresh concerns to the cyber security industry, AMSP is turning to a technology fundamental to stopping these machine-speed attacks. With Autonomous Response, Darktrace not only detects emerging threats, but responds in real time, stopping attackers in their tracks without human teams having to lift a finger.
The response is surgical and proportionate: only the malicious activity is contained, whilst normal operations are allowed to continue. This will be a crucial capability for the AMSP team, as any unnecessary downtime severely undermines their ability to get access to the right data at the right time – ultimately having an impact on performance on race day.
With Darktrace’s autonomous Cyber AI protecting both its F1 and INDYCAR teams, McLaren’s human IT resources are augmented with real-time protection and Autonomous Response working across different time zones and providing that 24/7 overwatch they need.
Indianapolis 500: The toughest test yet
The month of May is a busy and critical period of the season for AMSP, with three races culminating in the 105th Running of the Indianapolis 500, which will be held in front of a reduced crowd of 135,000 spectators. The IT team has been busy preparing a temporary trackside data centre for this event, and the sheer volume of data circulating between that and the MTC is ramping up.
All of this data must be gathered, organized, and transferred securely back and forth between the two hubs. The speed of that transfer is absolutely vital, as speed of analysis and real-time decision-making is critical to race performance. AMSP’s engineering team and McLaren’s engineering team operate as if they’re sitting next to each other, despite being thousands of miles away.
Moreover, some data files can be extremely large, and reliable connectivity is key in ensuring that all files, no matter the size, can be transferred and downloaded as quickly as possible. Lack or loss of any data gathered trackside would prevent AMSP’s abilities to accurately recap on-track sessions.
This clearly represents an incredibly busy time for the security personnel on the ground both at Indianapolis and in the UK. Leaning on AI to facilitate the secure and reliable movement of highly sensitive data empowers AMSP’s IT team to stay proactive, rather than being reactive and playing catch up in the case of a security incident.
Facing the future with Cyber AI
AMSP is in a unique position in the INDYCAR paddock – no other team transmits so much data, so often or over so far of a distance. Darktrace’s Cyber AI technology is helping to protect AMSP’s at-track engineering crews, remote engineering teams, data transfer processes and cloud infrastructure, from an increasingly hostile cyber-threat landscape.
Relying on Darktrace to safeguard and protect its sensitive data and digital assets will become critical in securing AMSP’s overall approach to race weekend activation. As the collaboration between McLaren Racing and Arrow McLaren SP continues to drive success on the track, the targeted actions of Darktrace’s Autonomous Response capability ensures both sides of the technical partnership stay protected across different time zones, around the clock, no matter what threat is waiting round the corner.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
From Exploit to Escalation: Tracking and Containing a Real-World Fortinet SSL-VPN Attack
Threat actors exploiting Fortinet CVEs
Over the years, Fortinet has issued multiple alerts about a wave of sophisticated attacks targeting vulnerabilities in its SSL-VPN infrastructure. Despite the release of patches to address these vulnerabilities, threat actors have continued to exploit a trio of Common Vulnerabilities and Exposures (CVEs) disclosed between 2022 and 2024 to gain unauthorized access to FortiGate devices.
Which vulnerabilities are exploited?
The vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—affect Fortinet’s SSL-VPN services and have been actively exploited by threat actors to establish initial access into target networks.
The vulnerabilities affect core components of FortiOS, allowing attackers to execute remote code on affected systems.
CVE-2022-42475
Type: Heap-Based Buffer Overflow in FortiOS SSL-VPN
This earlier vulnerability also targets the SSL-VPN interface and has been actively exploited in the wild. It allows attackers to execute arbitrary code remotely by overflowing a buffer in memory, often used to deploy malware or establish persistent backdoors [6].
CVE-2023-27997
Type: Heap-Based Buffer Overflow in FortiOS and FortiProxy
Impact: Remote Code Execution
This flaw exists in the SSL-VPN component of both FortiOS and FortiProxy. By exploiting a buffer overflow in the heap memory, attackers can execute malicious code remotely. This vulnerability is particularly dangerous because it can be triggered without authentication, making it ideal for an initial compromise [5].
CVE-2024-21762
Type: Out-of-Bounds Write in sslvpnd
Impact: Remote Code Execution
This vulnerability affects the SSL-VPN daemon (sslvpnd) in FortiOS. It allows unauthenticated remote attackers to send specially crafted HTTP requests that write data outside of allocated memory bounds. This can lead to arbitrary code execution, giving attackers full control over a device [4].
In short, these flaws enable remote attackers to execute arbitrary code without authentication by exploiting memory corruption issues such as buffer overflows and out-of-bounds writes. Once inside, threat actors use symbolic link (symlink) in order to maintain persistence on target devices across patches and firmware updates. This persistence then enables them to bypass security controls and manipulate firewall configurations, effectively turning patched systems into long-term footholds for deeper network compromise [1][2][3].
Darktrace’s Coverage
Darktrace detected a series of suspicious activities originating from a compromised Fortinet VPN device, including anomalous HTTP traffic, internal network scanning, and SMB reconnaissance, all indicative of post-exploitation behavior. Following initial detection by Darktrace’s real-time models, its Autonomous Response capability swiftly acted on the malicious activity, blocking suspicious connections and containing the threat before further compromise could occur.
Further investigation by Darktrace’s Threat Research team uncovered a stealthy and persistent attack that leveraged known Fortinet SSL-VPN vulnerabilities to facilitate lateral movement and privilege escalation within the network.
The attack on a Darktrace customer likely began on April 11 with the exploitation of a Fortinet VPN device running an outdated version of FortiOS. Darktrace observed a high volume of HTTP traffic originating from this device, specifically targeting internal systems. Notably, many of these requests were directed at the /cgi-bin/ directory, a common target for attackers attempting to exploit web interfaces to run unauthorized scripts or commands. This pattern strongly indicated remote code execution attempts via the SSL-VPN interface [7].
Once access was gained, the threat actor likely modified existing firewall rules, a tactic often used to disable security controls or create hidden backdoors for future access. While Darktrace does not have direct visibility into firewall configuration changes, the surrounding activity and post-exploitation behavior indicated that such modifications were made to support long-term persistence within the network.
Figure 1: HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080
Phase 2: Establishing Persistence & Lateral Movement
Shortly after the initial compromise of the Fortinet VPN device, the threat actor began to expand their foothold within the internal network. Darktrace detected initial signs of network scanning from this device, including the use of Nmap to probe the internal environment, likely in an attempt to identify accessible services and vulnerable systems.
Figure 2: Darktrace’s detection of unusual network scanning activities on the affected device.
Around the same time, Darktrace began detecting anomalous activity on a second device, specifically an internal firewall interface device. This suggested that the attacker had established a secondary foothold and was leveraging it to conduct deeper reconnaissance and move laterally through the network.
In an effort to maintain persistence within the network, the attackers likely deployed symbolic links in the SSL-VPN language file directory on the Fortinet device. While Darktrace did not directly observe symbolic link abuse, Fortinet has identified this as a known persistence technique in similar attacks [2][3]. Based on the observed post-exploitation behavior and likely firewall modifications, it is plausible that such methods were used here.
With lateral movement initiated from the internal firewall interface device, the threat actor proceeded to escalate their efforts to map the internal network and identify opportunities for privilege escalation.
Darktrace observed a successful NTLM authentication from the internal firewall interface to the domain controller over the outdated protocol SMBv1, using the account ‘anonymous’. This was immediately followed by a failed NTLM session connection using the hostname ‘nmap’, further indicating the use of Nmap for enumeration and brute-force attempts. Additional credential probes were also identified around the same time, including attempts using the credential ‘guest’.
Figure 3: Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.
The attacker then initiated DCE_RPC service enumeration, with over 300 requests to the Endpoint Mapper endpoint on the domain controller. This technique is commonly used to discover available services and their bindings, often as a precursor to privilege escalation or remote service manipulation.
Over the next few minutes, Darktrace detected more than 1,700 outbound connections from the internal firewall interface device to one of the customer’s subnets. These targeted common services such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), and HTTPS (443). The threat actor also probed administrative and directory services, including ports 135, 137, 389, and 445, as well as remote access via RDP on port 3389.
Further signs of privilege escalation attempts were observed with the detection of over 300 Netlogon requests to the domain controller. Just over half of these connections were successful, indicating possible brute-force authentication attempts, credential testing, or the use of default or harvested credentials.
Figure 4: Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.
Phase 4: Privilege Escalation & Remote Access
A few minutes later, the attacker initiated an RDP session from the internal firewall interface device to an internal server. The session lasted over three hours, during which more than 1.5MB of data was uploaded and over 5MB was downloaded.
Notably, no RDP cookie was observed during this session, suggesting manual access, tool-less exploitation, or a deliberate attempt to evade detection. While RDP cookie entries were present on other occasions, none were linked to this specific session—reinforcing the likelihood of stealthy remote access.
Additionally, multiple entries during and after this session show SSL certificate validation failures on port 3389, indicating that the RDP connection may have been established using self-signed or invalid certificates, a common tactic in unauthorized or suspicious remote access scenarios.
Figure 5: Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.
Darktrace Autonomous Response
Throughout the course of this attack, Darktrace’s Autonomous Response capability was active on the customer’s network. This enabled Darktrace to autonomously intervene by blocking specific connections and ports associated with the suspicious activity, while also enforcing a pre-established “pattern of life” on affected devices to ensure they were able to continue their expected business activities while preventing any deviations from it. These actions were crucial in containing the threat and prevent further lateral movement from the compromised device.
Figure 6: Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.
Conclusion
This incident highlights the importance of important staying on top of patching and closely monitoring VPN infrastructure, especially for internet-facing systems like Fortinet devices. Despite available patches, attackers were still able to exploit known vulnerabilities to gain access, move laterally and maintain persistence within the customer’s network.
Attackers here demonstrated a high level of stealth and persistence. Not only did they gain access to the network and carry out network scans and lateral movement, but they also used techniques such as symbolic link abuse, credential probing, and RDP sessions without cookies to avoid detection. Darktrace’s detection of the post-exploitation activity, combined with the swift action of its Autonomous Response technology, successfully blocked malicious connections and contained the attack before it could escalate
Credit to Priya Thapa (Cyber Analyst), Vivek Rajan (Cyber Analyst), and Ryan Traill (Analyst Content Lead)
The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.
Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.
Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.
The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.
How Organizations are Addressing Cloud Investigation and Response
Why cloud investigation and response needs to evolve
As organizations accelerate their move to the cloud, they’re confronting two interrelated pressures: a rapidly expanding attack surface and rising regulatory scrutiny. The dual pressure is forcing security practitioners to evolve their strategies in the cloud, particularly around investigation and response, where we see analysts spending the most time. This work is especially difficult in the cloud, often requiring experienced analysts to manually stitch together evidence across fragmented systems, unfamiliar platforms, and short-lived assets.
However, adapting isn’t easy. Many teams are operating with limited budgets and face a shortage of cloud-specific security talent. That’s why more organizations are now prioritizing tools that not only deliver deep visibility and rapid response in the cloud, but also help upskill their analysts to keep pace with threats and compliance demands.
Our 2024 survey report highlights just how organizations are recognizing gaps in their cloud security, feeling the heat from regulators, and making significant investments to bolster their cloud investigation capabilities.
In this blog post, we’ll explore the current challenges, approaches, and strategies organizations are employing to enhance their cloud investigation and incident response.
Recognizing the gaps in current cloud investigation and response methods
Complex environments & static tools
Due to the dynamic nature of cloud infrastructure, ephemeral assets, autoscaling environments, and multi-cloud complexity, traditional investigation and response methods which rely on static snapshots and point-in-time data, are fundamentally mismatched. And with Cloud environment APIs needing deep provider knowledge and scripting skills to extract much needed evidence its unrealistic for one person to master all aspects of cloud incident response.
Analysts are still stitching together logs from fragmented systems, manually correlating events, and relying on post-incident forensics that often arrive too late to drive meaningful response. These approaches were built for environments that rarely changed. In the cloud, where assets may only exist for minutes and attacker movement can span regions or accounts in seconds, point-in-time visibility simply can’t keep up. As a result, critical evidence is missed, timelines are incomplete, and investigations drag on longer than they should.
Even some modern approaches still depend heavily on static configurations, delayed snapshots, or siloed visibility that can’t keep pace with real-time attacker movement.
There is even the problem of identifying what cloud data sources hold the valuable information needed to investigate in the first place. With AWS alone having over 200 products, each with its own security practices and data sources.It can be challenging to identify where you need to be looking.
To truly secure the cloud, investigation and response must be continuous, automated, and context-rich. Tools should be able to surface the signal from the noise and support analysts at every step, even without deep forensics expertise.
Increasing compliance pressure
With the rise of data privacy regulations and incident reporting mandates worldwide, organizations face heightened scrutiny. Noncompliance can lead to severe penalties, making it crucial to have robust cloud investigation and response mechanisms in place. 74% of organizations surveyed reported that data privacy regulations complicate incident response, underscoring the urgency to adapt to regulatory requirements.
In addition, a majority of organizations surveyed (89%) acknowledged that they suffer damage before they can fully contain and investigate incidents, particularly in cloud environments, highlighting the need for enhanced cloud capabilities.
Enhancing cloud investigation and response
To address these challenges, organizations are actively growing their capabilities to perform investigations in the cloud. Key steps include:
Allocating and increasing budgets:
Recognizing the importance of cloud-specific investigation tools, many organizations have started to allocate dedicated budgets for cloud forensics. 83% of organizations have budgeted for cloud forensics, with 77% expecting this budget to increase. This reflects a strong commitment to improving cloud security.
Implementing automation that understands cloud behavior
Automation isn’t just about speeding up tasks. While modern threats require speed and efficiency from defenders, automation aims to achieve this by enabling consistent decision making across unique and dynamic environments. Traditional SOAR platforms, often designed for static on-prem environments, struggle to keep pace with the dynamic and ephemeral nature of the cloud, where resources can disappear before a human analyst even has a chance to look at them. Cloud-native automation, designed to act on transient infrastructure and integrate seamlessly with cloud APIs, is rapidly emerging as the more effective approach for real-time investigation and response. Automation can cover collection, processing, and storage of incident evidence without ever needing to wait for human intervention and the evidence is ready and waiting all in once place, regardless of if the evidence is cloud-provider logs, disk images, or memory dumps. With the right automation tools you can even go further and automate the full process from end to end covering acquisition, processing, analysis, and response.
Artificial Intelligence (AI) that augments analysts’ intuition not just adds speed
While many vendors tout AI’s ability to “analyze large volumes of data,” that’s table stakes. The real differentiator is how AI understands the narrative of an incident, surfacing high-fidelity alerts, correlating attacker movement across cloud and hybrid environments, and presenting findings in a way that upskills rather than overwhelms analysts.
In this space, AI isn’t just accelerating investigations, it’s democratizing them by reducing the reliance on highly specialized forensic expertise.
Strategies for effective cloud investigation and response
Organizations are also exploring various strategies to optimize their cloud investigation and response capabilities:
Enhancing visibility and control:
Unified platforms: Implementing platforms that provide a unified view across multiple cloud environments can help organizations achieve better visibility and control. This consolidation reduces the complexity of managing disparate tools and data sources.
Improved integration: Ensuring that all security tools and platforms are seamlessly integrated is critical. This integration facilitates better data sharing and cohesive incident management.
Cloud specific expertise: Training and Recruitment: Investing in training programs to develop cloud-specific skills among existing staff and recruiting experts with cloud security knowledge can bridge the skill gap.
Continuous learning: Given the constantly evolving nature of cloud threats, continuous learning and adaptation are essential for maintaining effective security measures.
Leveraging automation and AI:
Automation solutions: Automation solutions for cloud environments can significantly speed up and simplify incident response efficiency. These solutions can handle repetitive tasks, allowing security teams to focus on more complex issues.
AI powered analysis: AI can assist in rapidly analyzing incident data, identifying anomalies, and predicting potential threats. This proactive approach can help prevent incidents before they escalate.
Cloud investigation and response with Darktrace
Darktrace’s forensic acquisition & investigation capabilities helps organizations address the complexities of cloud investigations and incident response with ease. The product seamlessly integrates with AWS, GCP, and Azure, consolidating data from multiple cloud environments into one unified platform. This integration enhances visibility and control, making it easier to manage and respond to incidents across diverse cloud infrastructures.
By leveraging machine learning and automation, Forensic Acquisition & Investigation accelerates the investigation process by quickly analyzing vast amounts of data, identifying patterns, and providing actionable insights. Automation reduces manual effort and response times, allowing your security team to focus on the most pressing issues.
Forensic Acquisition & Investigation can help you stay ahead of threats whilst also meeting regulatory requirements, helping you to maintain a robust cloud security position.
