Blog
/
/
July 26, 2022

Self-Learning AI for Zero-Day and N-Day Attack Defense

Explore the differences between zero-day and n-day attacks on different customer servers to learn how Darktrace detects and prevents cyber threats effectively.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
26
Jul 2022

Key Terms:

Zero-day | A recently discovered security vulnerability in computer software that has no currently available fix or patch. Its name come from the reality that vendors have “zero days” to act and respond.

N-day | A vulnerability that emerges in computer software in which a vendor is aware and may have already issued (or are currently working on) a patch or fix. Active exploits often already exist and await abuse by nefarious actors.

Traditional security solutions often apply signature-based-detection when identifying cyber threats, helping to defend against legacy attacks but consequently missing novel ones. Therefore, security teams often lend a lot of focus to ensuring that the risk of zero-day vulnerabilities is reduced [1]. As explored in this blog, however, organizations can face just as much of a risk from n-day attacks, since they invite the most attention from malicious actors [2]. This is due in part to the reduced complexity, cost and time invested in researching and finding new exploits compared with that found when attackers exploit zero-days. 

This blog will examine both a zero-day and n-day attack that two different Darktrace customers faced in the fall of 2021. This will include the activity Darktrace detected, along with the steps taken by Darktrace/Network to intervene. It will then compare the incidents, discuss the possible dangers of third-party integrations, and assess the deprecation of legacy security tools.

Revisiting zero-day attacks 

Zero-days are among the greatest concerns security teams face in the era of modern technology and networking. Defending critical systems from zero-day compromises is a task most legacy security solutions are often unable to handle. Due to the complexity of uncovering new security flaws and developing elaborate code that can exploit them, these attacks are often carried out by funded or experienced groups such as nation-state actors and APTs. One of history’s most prolific zero-days, ‘Stuxnet’, sent security teams worldwide into a global panic in 2010. This involved a widespread attack on Iranian nuclear infrastructure and was widely accepted to be a result of nation-state actors [3]. The Stuxnet worm took advantage of four zero-day exploits, compromising over 200,000 devices and physically damaging around 10% of the 9,000 critical centrifuges at the Natanz nuclear site. 

More recently, 2021 saw the emergence of several critical zero-day vulnerabilities within SonicWall’s product suite [4]. SonicWall is a security hardware manufacturer that provides hardware firewall devices, unified threat management, VPN gateways and network security solutions. Some of these vulnerabilities lie within their Secure Mobile Access (SMA) 100 series (for example, CVE-2019-7481, CVE-2021-20016 and CVE-2021-20038 to name a few). These directly affected VPN devices and often allowed attackers easy remote access to company devices. CVE-2021-20016 in particular incorporates an SQL-Injection vulnerability within SonicWall’s SSL VPN SMA 100 product line [5]. If exploited, this defect would allow an unauthenticated remote attacker to perform their own malicious SQL query in order to access usernames, passwords and other session related information. 

The N-day underdog

The shadow cast by zero-day attacks often shrouds that of n-day attacks. N-days, however, often pose an equal - if not greater - risk to the majority of organizations, particularly those in industrial sectors. Since these vulnerabilities have fixes available, all of the hard work around research is already done; malicious actors only need to view proof of concepts (POCs) or, if proficient in coding, reverse-engineer software to reveal code-changes (binary diffing) in order to exploit these security flaws in the wild. These vulnerabilities are typically attributed to opportunistic hackers and script-kiddies, where little research or heavy lifting is required.  

August 2021 gave rise to a critical vulnerability in Atlassian Confluence servers, namely CVE-2021-26084 [6]. Confluence is a widely used collaboration wiki tool and knowledge-sharing platform. As introduced and discussed a few months ago in a previous Darktrace blog (Explore Internet-Facing System Vulnerabilities), this vulnerability allows attackers to remotely execute code on internet-facing servers after exploiting injection vulnerabilities in Object-Graph Navigation Language (OGNL). Whilst Confluence had patches and fixes available to users, attackers still jumped on this opportunity and began scanning the internet for signs of critical devices serving this outdated software [7]. Once identified, they would  exploit the vulnerability, often installing crypto mining software onto the device. More recently, Darktrace explored a new vulnerability (CVE-2022-26134), disclosed midway through 2022, that affected Confluence servers and data centers using similar techniques to that found in CVE-2021-26084 [8]. 

SonicWall in the wild – 1. Zero-day attack

At the beginning of August 2021, Darktrace prevented an attack from taking place within a European automotive customer’s environment (Figure 1). The attack targeted a vulnerable internet-facing SonicWall VPN server, and while the attacker’s motive remains unclear, similar historic events suggest that they intended to perform ransomware encryption or data exfiltration. 

Figure 1: Timeline of the SonicWall attack 

Darktrace was unable to confirm the definite tactics, techniques and procedures (TTPs) used by the attacker to compromise the customer’s environment, as the device was compromised before Darktrace installation and coverage. However, from looking at recently disclosed SonicWall VPN vulnerabilities and patterns of behaviour, it is likely CVE-2021-20016 played a part. At some point after this initial infection, it is also believed the device was able to move laterally to a domain controller (DC) using administrative credentials; it was this server that then initiated the anomalous activity that Darktrace detected and alerted on. 

On August 5th 2021 , Darktrace observed this compromised domain controller engaging in unusual ICMP scanning - a protocol used to discover active devices within an environment and create a map of an organization’s network topology. Shortly after, the infected server began scanning devices for open RDP ports and enumerating SMB shares using unorthodox methods. SMB delete and HTTP requests (over port 445 and 80 respectively) were made for files named delete.me in the root directory of numerous network shares using the user agent Microsoft WebDAV. However, no such files appeared to exist within the environment. This may have been the result of an attacker probing devices in the network in an effort to see their responses and gather information on properties and vulnerabilities they could later exploit. 

Soon the infected DC began establishing RDP tunnels back to the VPN server and making requests to an internal DNS server for multiple endpoints relating to exploit kits, likely in an effort to strengthen the attacker’s foothold within the environment. Some of the endpoints requested relate to:

-       EternalBlue vulnerability 

-       Petit Potam NTLM hash attack tool

-       Unusual GitHub repositories

-       Unusual Python repositories  

The DC made outgoing NTLM requests to other internal devices, implying the successful installation of Petit Potam exploitation tools. The server then began performing NTLM reconnaissance, making over 1,000 successful logins under ‘Administrator’ to several other internal devices. Around the same time, the device was also seen making anonymous SMBv1 logins to numerous internal devices, (possibly symptomatic of the attacker probing machines for EternalBlue vulnerabilities). 

Interestingly, the device also made numerous failed authentication attempts using a spoofed credential for one of the organization’s security managers. This was likely in an attempt to hide themselves using ‘Living off the Land’ (LotL) techniques. However, whilst the attacker clearly did their research on the company, they failed to acknowledge the typical naming convention used for credentials within the environment. This ultimately backfired and made the compromise more obvious and unusual. 

In the morning of the following day, the initially compromised VPN server began conducting further reconnaissance, engaging in similar activity to that observed by the domain controller. Until now, the customer had set Darktrace RESPOND to run in human confirmation mode, meaning interventions were not made autonomously but required confirmation by a member of the internal security team. However, thanks to Proactive Threat Notifications (PTNs) delivered by Darktrace’s dedicated SOC team, the customer was made immediately aware of this unusual behaviour, allowing them to apply manual Darktrace RESPOND blocks to all outgoing connections (Figure 2). This gave the security team enough time to respond and remediate before serious damage could be done.

Figure 2: Darktrace RESPOND model breach showing the manually applied “Quarantine Device” action taken against the compromised VPN server. This screenshot displays the UI from Darktrace version 5.1

Confluence in the wild – 2. N-day attack

Towards the end of 2021, Darktrace saw a European broadcasting customer leave an Atlassian Confluence internet-facing server unpatched and vulnerable to crypto-mining malware using CVE-2021-26084. Thanks to Darktrace, this attack was entirely immobilized within only a few hours of the initial infection, protecting the organization from damage (Figure 3). 

Figure 3: Timeline of the Confluence attack

On midday on September 1st 2021, an unpatched Confluence server was seen receiving SSL connections over port 443 from a suspicious new endpoint, 178.238.226[.]127.  The connections were encrypted, meaning Darktrace was unable to view the contents and ascertain what requests were being made. However, with the disclosure of CVE-2021-26084 just 7 days prior to this activity, it is likely that the TTPs used involved injecting OGNL expressions to Confluence server memory; allowing the attacker to remotely execute code on the vulnerable server.

Immediately after successful exploitation of the Confluence server, the infected device was observed making outgoing HTTP GET requests to several external endpoints using a new user agent (curl/7.61.1). Curl was used to silently download and configure multiple suspicious files relating to XMRig cryptocurrency miner, including ld.sh, XMRig and config.json. Subsequent outgoing connections were then made to europe.randomx-hub.miningpoolhub[.]com · 172.105.210[.]117 using the JSON-RPC protocol, seen alongside the mining credential maillocal.confluence (Figure 4). Only 3 seconds after initial compromise, the infected device began attempting to mine cryptocurrency using the Minergate protocol but was instantly and autonomously blocked by Darktrace RESPOND. This prevented the server from abusing system resources and generating profits for the attacker.

Figure 4: A graph showing the frequency of external connections using the JSON-RPC protocol made by the breach device over a 48-hour window. The orange-red dots represent models that breached as a result of this activity, demonstrating the “waterfall” effect commonly seen when a device suffers a compromise. This screenshot displays the UI from Darktrace version 5.1

In the afternoon, the malware persisted with its infection. The compromised server began making successive HTTP GET requests to a new rare endpoint 195.19.192[.]28 using the same curl user agent (Figures 5 & 6). These requests were for executable and dynamic library files associated with Kinsing malware (but fortunately were also blocked by Darktrace RESPOND). Kinsing is a malware strain found in numerous attack campaigns which is often associated with crypto-jacking, and has appeared in previous Darktrace blogs [9].

Figure 5: Cyber AI Analyst summarising the unusual download of Kinsing software using the new curl user agent. This screenshot displays the UI from Darktrace version 5.1

The attacker then began making HTTP POST requests to an IP 185.154.53[.]140, using the same curl user agent; likely a method for the attacker to maintain persistence within the network and establish a foothold using its C2 infrastructure. The Confluence server was then again seen attempting to mine cryptocurrency using the Minergate protocol. It made outgoing JSON-RPC connections to a different new endpoint, 45.129.2[.]107, using the following mining credential: ‘42J8CF9sQoP9pMbvtcLgTxdA2KN4ZMUVWJk6HJDWzixDLmU2Ar47PUNS5XHv4Kmfdh8aA9fbZmKHwfmFo8Wup8YtS5Kdqh2’. This was once again blocked by Darktrace RESPOND (Figure 7). 

Figure 6: VirusTotal showing the unusualness of one of these external IPs [10]
Figure 7: Log data showing the action taken by Darktrace RESPOND in response to the device breaching the “Crypto Currency Mining Activity” model. This screenshot displays the UI from Darktrace version 5.1

The final activity seen from this device involved the download of additional shell scripts over HTTP associated with Kinsing, namely spre.sh and unk.sh, from 194.38.20[.]199 and 195.3.146[.]118 respectively (Figure 8). A new user agent (Wget/1.19.5 (linux-gnu)) was used when connecting to the latter endpoint, which also began concurrently initiating repeated connections indicative of C2 beaconing. These scripts help to spread the Kinsing malware laterally within the environment and may have been the attacker's last ditch efforts at furthering their compromise before Darktrace RESPOND blocked all connections from the infected Confluence server [11]. With Darktrace RESPOND's successful actions, the customer’s security team were then able to perform their own response and remediation. 

Figure 8: Cyber AI Analyst revealing the last ditch efforts made by the threat actor to download further malicious software. This screenshot displays the UI from Darktrace version 5.1

Darktrace Coverage: N- vs Zero-days

In the SonicWall case the attacker was unable to achieve their actions on objectives (thanks to Darktrace's intervention). However, this incident displayed tactics of a more stealthy and sophisticated attacker - they had an exploited machine but waited for the right moment to execute their malicious code and initiate a full compromise. Due to the lack of visibility over attacker motive, it is difficult to deduce what type of actor led to this intrusion. However, with the disclosure of a zero-day vulnerability (CVE-2021-20016) not long before this attack, along with a seemingly dormant initially compromised device, it is highly possible that it was carried out by a sophisticated cyber criminal or gang. 

On the other hand, the Confluence case engaged in a slightly more noisy approach; it dropped crypto mining malware on vulnerable devices in the hope that the target’s security team did not maintain visibility over their network or would merely turn a blind eye. The files downloaded and credentials observed alongside the mining activity heavily imply the use of Kinsing malware [11]. Since this vulnerability (CVE-2021-26084) emerged as an n-day attack with likely easily accessible POCs, as well as there being a lack of LotL techniques and the motive being long term monetary gain, it is possible this attack was conducted by a less sophisticated or amateur actor (script-kiddie); one that opportunistically exploits known vulnerabilities in internet-facing devices in order to make a quick profit [12].

Whilst Darktrace RESPOND was enabled in human confirmation mode only during the start of the SonicWall attack, Darktrace’s Cyber AI Analyst still offered invaluable insight into the unusual activity associated with the infected machines during both the Confluence and SonicWall compromises. SOC analysts were able to see these uncharacteristic behaviours and escalate the incident through Darktrace’s PTN and ATE services. Analysts then worked through these tickets with the customers, providing support and guidance and, in the SonicWall case, quickly helping to configure Darktrace RESPOND. In both scenarios, Darktrace RESPOND was able to block abnormal connections and enforce a device’s pattern of life, affording the security team enough time to isolate the infected machines and prevent further threats such as ransomware detonation or data exfiltration. 

Concluding thoughts and dangers of third-party integrations 

Organizations with internet-facing devices will inevitably suffer opportunistic zero-day and n-day attacks. While little can be done to remove the risk of zero-days entirely, ensuring that organizations keep their systems up to date will at the very least help prevent opportunistic and script-kiddies from exploiting n-day vulnerabilities.  

However, it is often not always possible for organizations to keep their systems up to date, especially for those who require continuous availability. This may also pose issues for organizations that rely on, and put their trust in, third party integrations such as those explored in this blog (Confluence and SonicWall), as enforcing secure software is almost entirely out of their hands. Moreover, with the rising prevalence of remote working, it is essential now more than ever that organizations ensure their VPN devices are shielded from external threats, guidance on which has been released by the NSA/CISA [13].

These two case studies have shown that whilst organizations can configure their networks and firewalls to help identify known indicators of compromise (IoC), this ‘rearview mirror’ approach will not account for, or protect against, any new and undisclosed IoCs. With the aid of Self-Learning AI and anomaly detection, Darktrace can detect the slightest deviation from a device’s normal pattern of life and respond autonomously without the need for rules and signatures. This allows for the disruption and prevention of known and novel attacks before irreparable damage is caused- reassuring security teams that their digital estates are secure. 

Thanks to Paul Jennings for his contributions to this blog.

Appendices: SonicWall (Zero-day)

Darktrace model detections

·      AIA / Suspicious Chain of Administrative Credentials

·      Anomalous Connection / Active Remote Desktop Tunnel

·      Anomalous Connection / SMB Enumeration

·      Anomalous Connection / Unusual Internal Remote Desktop

·      Compliance / High Priority Compliance Model Breach

·      Compliance / Outgoing NTLM Request from DC

·      Device / Anomalous RDP Followed By Multiple Model Breaches

·      Device / Anomalous SMB Followed By Multiple Model Breaches

·      Device / ICMP Address Scan

·      Device / Large Number of Model Breaches

·      Device / Large Number of Model Breaches from Critical Network Device

·      Device / Multiple Lateral Movement Model Breaches (PTN/Enhanced Monitoring model)

·      Device / Network Scan

·      Device / Possible SMB/NTLM Reconnaissance

·      Device / RDP Scan

·      Device / Reverse DNS Sweep

·      Device / SMB Session Bruteforce

·      Device / Suspicious Network Scan Activity (PTN/Enhanced Monitoring model)

·      Unusual Activity / Possible RPC Recon Activity

Darktrace RESPOND (Antigena) actions (as displayed in example)

·      Antigena / Network / Manual / Quarantine Device

MITRE ATT&CK Techniques Observed
IoCs

Appendices: Confluence (N-day)

Darktrace model detections

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Anomalous Connection / Posting HTTP to IP Without Hostname

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Script from Rare Location

·      Compliance / Crypto Currency Mining Activity

·      Compromise / High Priority Crypto Currency Mining (PTN/Enhanced Monitoring model)

·      Device / Initial Breach Chain Compromise (PTN/Enhanced Monitoring model)

·      Device / Internet Facing Device with High Priority Alert

·      Device / New User Agent

Darktrace RESPOND (Antigena) actions (displayed in example)

·      Antigena / Network / Compliance / Antigena Crypto Currency Mining Block

·      Antigena / Network / External Threat / Antigena File then New Outbound Block

·      Antigena / Network / External Threat / Antigena Suspicious Activity Block

·      Antigena / Network / External Threat / Antigena Suspicious File Block

·      Antigena / Network / Significant Anomaly / Antigena Block Enhanced Monitoring

MITRE ATT&CK Techniques Observed
IOCs

References:

[1] https://securitybrief.asia/story/why-preventing-zero-day-attacks-is-crucial-for-businesses

[2] https://electricenergyonline.com/energy/magazine/1150/article/Security-Sessions-More-Dangerous-Than-Zero-Days-The-N-Day-Threat.htm

[3] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

[4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SonicWall+2021 

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016

[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084

[7] https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/

[8] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134

[9] https://attack.mitre.org/software/S0599/

[10] https://www.virustotal.com/gui/ip-address/195.19.192.28/detection 

[11] https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

[12] https://github.com/alt3kx/CVE-2021-26084_PoC

[13] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst

More in this series

No items found.

Blog

/

Network

/

July 24, 2025

Untangling the web: Darktrace’s investigation of Scattered Spider’s evolving tactics

man on computer doing work scattered spider cybersecurityDefault blog imageDefault blog image

What is Scattered Spider?

Scattered Spider is a native English-speaking group, also referred to, or closely associated with, aliases such as UNC3944, Octo Tempest and Storm-0875. They are primarily financially motivated with a clear emphasis on leveraging social engineering, SIM swapping attacks, exploiting legitimate tooling as well as using Living-Off-the-Land (LOTL) techniques [1][2].

In recent years, Scattered Spider has been observed employing a shift in tactics, leveraging Ransomware-as-a-Service (RaaS) platforms in their attacks. This adoption reflects a shift toward more scalable attacks with a lower barrier to entry, allowing the group to carry out sophisticated ransomware attacks without the need to develop it themselves.

While RaaS offerings have been available for purchase on the Dark Web for several years, they have continued to grow in popularity, providing threat actors a way to cause significant impact to critical infrastructure and organizations without requiring highly technical capabilities [12].

This blog focuses on the group’s recent changes in tactics, techniques, and procedures (TTPs) reported by open-source intelligence (OSINT) and how TTPs in a recent Scattered Spider attack observed by Darktrace compare.

How has Scattered Spider been reported to operate?

First observed in 2022, Scattered Spider is known to target various industries globally including telecommunications, technology, financial services, and commercial facilities.

Overview of key TTPs

Scattered Spider has been known to utilize the following methods which cover multiple stages of the Cyber Kill Chain including initial access, lateral movement, evasion, persistence, and action on objective:

Social engineering [1]:

Impersonating staff via phone calls, SMS and Telegram messages; obtaining employee credentials (MITRE techniques T1598,T1656), multi-factor authentication (MFA) codes such as one-time passwords, or convincing employees to run commercial remote access tools enabling initial access (MITRE techniques T1204,T1219,T1566)

  • Phishing using specially crafted domains containing the victim name e.g. victimname-sso[.]com
  • MFA fatigue: sending repeated requests for MFA approval with the intention that the victim will eventually accept (MITRE technique T1621)

SIM swapping [1][3]:

  • Includes hijacking phone numbers to intercept 2FA codes
  • This involves the actor migrating the victim's mobile number to a new SIM card without legitimate authorization

Reconnaissance, lateral movement & command-and-control (C2) communication via use of legitimate tools:

  • Examples include Mimikatz, Ngrok, TeamViewer, and Pulseway [1]. A more recently reported example is Teleport [3].

Financial theft through their access to victim networks: Extortion via ransomware, data theft (MITRE technique T1657) [1]

Bring Your Own Vulnerable Driver (BYOVD) techniques [4]:

  • Exploiting vulnerable drivers to evade detection from Endpoint Detection and Response (EDR) security products (MITRE technique T1068) frequently used against Windows devices.

LOTL techniques

LOTL techniques are also closely associated with Scattered Spider actors once they have gained initial access; historically this has allowed them to evade detection until impact starts to be felt. It also means that specific TTPs may vary from case-to-case, making it harder for security teams to prepare and harden defences against the group.

Prominent Scattered Spider attacks over the years

While attribution is sometimes unconfirmed, Scattered Spider have been linked with a number of highly publicized attacks since 2022.

Smishing attacks on Twilio: In August 2022 the group conducted multiple social engineering-based attacks. One example was an SMS phishing (smishing) attack against the cloud communication platform Twilio, which led to the compromise of employee accounts, allowing actors to access internal systems and ultimately target Twilio customers [5][6].

Phishing and social engineering against MailChimp: Another case involved a phishing and social engineering attack against MailChimp. After gaining access to internal systems through compromised employee accounts the group conducted further attacks specifically targeting MailChimp users within cryptocurrency and finance industries [5][7].

Social engineering against Riot Games: In January 2023, the group was linked with an attack on video game developer Riot Games where social engineering was once again used to access internal systems. This time, the attackers exfiltrated game source code before sending a ransom note [8][9].

Attack on Caesars & MGM: In September 2023, Scattered Spider was linked with attacked on Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. It was reported that the group gathered nearly six terabytes of stolen data from the hotels and casinos, including sensitive information of guests, and made use of the RaaS strain BlackCat [10].

Ransomware against Marks & Spencer: More recently, in April 2025, the group has also been linked to the alleged ransomware incident against the UK-based retailer Marks & Spencer (M&S) making use of the DragonForce RaaS [11].

How a recent attack observed by Darktrace compares

In May 2025, Darktrace observed a Scattered Spider attack affecting one of its customers. While initial access in this attack fell outside of Darktrace’s visibility, information from the affected customer suggests similar social engineering techniques involving abuse of the customer’s helpdesk and voice phishing (vishing) were used for reconnaissance.

Initial access

It is believed the threat actor took advantage of the customer’s third-party Software-as-a-Service (SaaS) applications, such as Salesforce during the attack.

Such applications are a prime target for data exfiltration due to the sensitive data they hold; customer, personnel, and business data can all prove useful in enabling further access into target networks.

Techniques used by Scattered Spider following initial access to a victim network tend to vary more widely and so details are sparser within OSINT. However, Darktrace is able to provide some additional insight into what techniques were used in this specific case, based on observed activity and subsequent investigation by its Threat Research team.

Lateral movement

Following initial access to the customer’s network, the threat actor was able to pivot into the customer’s Virtual Desktop Infrastructure (VDI) environment.

Darktrace observed the threat actor spinning up new virtual machines and activating cloud inventory management tools to enable discovery of targets for lateral movement.

In some cases, these virtual machines were not monitored or managed by the customer’s security tools, allowing the threat actor to make use of additional tooling such as AnyDesk which may otherwise have been blocked.

Tooling in further stages of the attack sometimes overlapped with previous OSINT reporting on Scattered Spider, with anomalous use of Ngrok and Teleport observed by Darktrace, likely representing C2 communication. Additional tooling was also seen being used on the virtual machines, such as Pastebin.

 Cyber AI Analyst’s detection of C2 beaconing to a teleport endpoint with hostname CUSTOMERNAME.teleport[.]sh, likely in an attempt to conceal the traffic.
Figure 1: Cyber AI Analyst’s detection of C2 beaconing to a teleport endpoint with hostname CUSTOMERNAME.teleport[.]sh, likely in an attempt to conceal the traffic.

Leveraging LOTL techniques

Alongside use of third-party tools that may have been unexpected on the network, various LOTL techniques were observed during the incident; this primarily involved the abuse of standard network protocols such as:

  • SAMR requests to alter Active Directory account details
  • Lateral movement over RDP and SSH
  • Data collection over LDAP and SSH

Coordinated exfiltration activity linked through AI-driven analysis

Multiple methods of exfiltration were observed following internal data collection. This included SSH transfers to IPs associated with Vultr, alongside significant uploads to an Amazon S3 bucket.

While connections to this endpoint were not deemed unusual for the network at this stage due to the volume of traffic seen, Darktrace’s Cyber AI Analyst was still able to identify the suspiciousness of this behavior and launched an investigation into the activity.

Cyber AI Analyst successfully correlated seemingly unrelated internal download and external upload activity across multiple devices into a single, broader incident for the customer’s security team to review.

Cyber AI Analyst Incident summary showing a clear outline of the observed activity, including affected devices and the anomalous behaviors detected.
Figure 2: Cyber AI Analyst Incident summary showing a clear outline of the observed activity, including affected devices and the anomalous behaviors detected.
Figure 3: Cyber AI Analyst’s detection of internal data downloads and subsequent external uploads to an Amazon S3 bucket.

Exfiltration and response

Unfortunately, as Darktrace was not configured in Autonomous Response mode at the time, the attack was able to proceed without interruption, ultimately escalating to the point of data exfiltration.

Despite this, Darktrace was still able to recommend several Autonomous Response actions, aimed at containing the attack by blocking the internal data-gathering activity and the subsequent data exfiltration connections.

These actions required manual approval by the customer’s security team and as shown in Figure 3, at least one of the recommended actions was subsequently approved.

Had Darktrace been enabled in Autonomous Response mode, these measures would have been applied immediately, effectively halting the data exfiltration attempts.

Further recommendations for Autonomous Response actions in Darktrace‘s Incident Interface, with surgical response targeting both the internal data collection and subsequent exfiltration.
Figure 4: Further recommendations for Autonomous Response actions in Darktrace‘s Incident Interface, with surgical response targeting both the internal data collection and subsequent exfiltration.

Scattered Spider’s use of RaaS

In this recent Scattered Spider incident observed by Darktrace, exfiltration appears to have been the primary impact. While no signs of ransomware deployment were observed here, it is possible that this was the threat actors’ original intent, consistent with other recent Scattered Spider attacks involving RaaS platforms like DragonForce.

DragonForce emerged towards the end of 2023, operating by offering their platform and capabilities on a wide scale. They also launched a program which offered their affiliates 80% of the eventual ransom, along with tools for further automation and attack management [13].

The rise of RaaS and attacker customization is fragmenting TTPs and indicators, making it harder for security teams to anticipate and defend against each unique intrusion.

While DragonForce appears to be the latest RaaS used by Scattered Spider, it is not the first, showcasing the ongoing evolution of tactics used the group.

In addition, the BlackCat RaaS strain was reportedly used by Scattered Spider for their attacks against Caesars Entertainment and MGM Resorts International [10].

In 2024 the group was also seen making use of additional RaaS strains; RansomHub and Qilin [15].

What security teams and CISOs can do to defend against Scattered Spider

The ongoing changes in tactics used by Scattered Spider, reliance on LOTL techniques, and continued adoption of evolving RaaS providers like DragonForce make it harder for organizations and their security teams to prepare their defenses against such attacks.

CISOs and security teams should implement best practices such as MFA, Single Sign-On (SSO), notifications for suspicious logins, forward logging, ethical phishing tests.

Also, given Scattered Spider’s heavy focus on social engineering, and at times using their native English fluency to their advantage, it is critical to IT and help desk teams are reminded they are possible targets.

Beyond social engineering, the threat actor is also adept at taking advantage of third-party SaaS applications in use by victims to harvest common SaaS data, such as PII and configuration data, that enable the threat actor to take on multiple identities across different domains.

With Darktrace’s Self-Learning AI, anomaly-based detection, and Autonomous Response inhibitors, businesses can halt malicious activities in real-time, whether attackers are using known TTPs or entirely new ones. Offerings such as Darktrace /Attack Surface Management enable security teams to proactively identify signs of malicious activity before it can cause an impact, while more generally Darktrace’s ActiveAI Security Platform can provide a comprehensive view of an organization’s digital estate across multiple domains.

Credit to Justin Torres (Senior Cyber Analyst), Emma Foulger (Global Threat Research Operations Lead), Zaki Al-Dhamari (Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO), and Ryan Traill (Analyst Content Lead)

---------------------

The information provided in this blog post is for general informational purposes only and is provided "as is" without any representations or warranties, express or implied. While Darktrace makes reasonable efforts to ensure the accuracy and timeliness of the content related to cybersecurity threats such as Scattered Spider, we make no warranties or guarantees regarding the completeness, reliability, or suitability of the information for any purpose.

This blog post does not constitute professional cybersecurity advice, and should not be relied upon as such. Readers should seek guidance from qualified cybersecurity professionals or legal counsel before making any decisions or taking any actions based on the content herein.

No warranty of any kind, whether express or implied, including, but not limited to, warranties of performance, merchantability, fitness for a particular purpose, or non-infringement, is given with respect to the contents of this post.

Darktrace expressly disclaims any liability for any loss or damage arising from reliance on the information contained in this blog.

Appendices

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

[2] https://attack.mitre.org/groups/G1015/

[3] https://www.rapid7.com/blog/post/scattered-spider-rapid7-insights-observations-and-recommendations/

[4] https://www.crowdstrike.com/en-us/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/

[5] https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/?web_view=true

[6] https://www.cxtoday.com/crm/uk-teenager-accused-of-hacking-twilio-lastpass-mailchimp-arrested/

[7] https://mailchimp.com/newsroom/august-2022-security-incident/

[8] https://techcrunch.com/2023/02/02/0ktapus-hackers-are-back-and-targeting-tech-and-gaming-companies-says-leaked-report/

[9] https://www.pcmag.com/news/hackers-behind-riot-games-breach-stole-league-of-legends-source-code

[10] https://www.bbrown.com/us/insight/a-look-back-at-the-mgm-and-caesars-incident/

[11] https://cyberresilience.com/threatonomics/scattered-spider-uk-retail-attacks/

[12] https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

[13] https://www.group-ib.com/blog/dragonforce-ransomware/
[14] https://blackpointcyber.com/wp-content/uploads/2024/11/DragonForce.pdf
[15] https://x.com/MsftSecIntel/status/1812932749314978191?lang=en

Select MITRE tactics associated with Scattered Spider

Tactic – Technique – Technique Name

Reconnaissance - T1598 -   Phishing for Information

Initial Access - T1566 – Phishing

Execution - T1204 - User Execution

Privilege Escalation - T1068 - Exploitation for Privilege Escalation

Defense Evasion - T1656 - Impersonation

Credential Access - T1621 - Multi-Factor Authentication Request Generation

Lateral Movement - T1021 - Remote Services

Command and Control - T1102 - Web Service

Command and Control - T1219 - Remote Access Tools

Command and Control - T1572 - Protocol Tunneling

Exfiltration - T1567 - Exfiltration Over Web Service

Impact - T1657 - Financial Theft

Select MITRE tactics associated with DragonForce

Tactic – Technique – Technique Name

Initial Access, Defense Evasion, Persistence, Privilege Escalation - T1078 - Valid Accounts

Initial Access, Persistence - T1133 - External Remote Services

Initial Access - T1190 - Exploit Public-Facing Application

Initial Access - T1566 – Phishing

Execution - T1047 - Windows Management Instrumentation

Privilege Escalation - T1068 - Exploitation for Privilege Escalation

Lateral Movement - T1021 - Remote Services

Impact - T1486 - Data Encrypted for Impact

Impact - T1657 - Financial Theft

Select Darktrace models

Compliance / Internet Facing RDP Server

Compliance / Incoming Remote Access Tool

Compliance / Remote Management Tool on Server

Anomalous File / Internet Facing System File Download

Anomalous Server Activity/ New User Agent from Internet Facing System

Anomalous Connection / Callback on Web Facing Device

Device / Internet Facing System with High Priority Alert

Anomalous Connection / Unusual Admin RDP

Anomalous Connection / High Priority DRSGetNCChanges

Anomalous Connection / Unusual Internal SSH

Anomalous Connection / Active Remote Desktop Tunnel

Compliance / Pastebin

Anomalous Connection / Possible Tunnelling to Rare Endpoint

Compromise / Beaconing Activity to External Rare

Device / Long Agent Connection to New Endpoint

Compromise / SSH to Rare External AWS

Compliance / SSH to Rare External Destination

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Large Volume of LDAP Download

Unusual Activity / Internal Data Transfer on New Device

Anomalous Connection / Download and Upload

Unusual Activity / Enhanced Unusual External Data Transfer

Compromise / Ransomware/Suspicious SMB Activity

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

/

July 24, 2025

Closing the Cloud Forensics and Incident Response Skills Gap

DFIR skills gap, man working on computer, SOC analyst, incident response, cloud incident responseDefault blog imageDefault blog image

Every alert that goes uninvestigated is a calculated risk — and teams are running out of room for error

Security operations today are stretched thin. SOCs face an overwhelming volume of alerts, and the shift to cloud has only made triage more complex.

Our research suggests that 23% of cloud alerts are never investigated, leaving risk on the table.

The rapid migration to cloud resources has security teams playing catch up. While they attempt to apply traditional on-prem tools to the cloud, it’s becoming increasingly clear that they are not fit for purpose. Especially in the context of forensics and incident response, the cloud presents unique complexities that demand cloud-specific solutions.

Organizations are increasingly adopting services from multiple cloud platforms (in fact, recent studies suggest 89% of organizations now operate multi-cloud environments), and container-based and serverless setups have become the norm. Security analysts already have enough on their plates; it’s unrealistic to expect them to be cloud experts too.

Why Digital Forensics and Incident Response (DFIR) roles are so hard to fill

Compounding these issues of alert fatigue and cloud complexity, there is a lack of DFIR talent. The cybersecurity skills gap is a well-known problem.

According to the 2024 ISC2 Cybersecurity Workforce Study, there is a global shortage of 4.8 million cybersecurity workers, up 19% from the previous year.

Why is this such an issue?

  • Highly specialized skill set: DFIR professionals need to have a deep understanding of various operating systems, network protocols, and security architectures, even more so when working in the cloud. They also need to be proficient in using a wide range of forensic tools and techniques. This level of expertise takes a lot of time and effort to develop.
  • Rapid technological changes: The cloud landscape is constantly changing and evolving with new services, monitoring tools, security mechanisms, and threats emerging regularly. Keeping up with these changes and staying current requires continuous learning and adaptation.
  • Lack of formal education and training: There are limited educational programs specifically dedicated for DFIR. Further, an industry for cloud DFIR has yet to be defined. While some universities and institutions offer courses or certifications in digital forensics, they may not cover the full spread of knowledge required in real-world incident response scenarios, especially for cloud-based environments.
  • High-stress nature of the job: DFIR professionals often work under tight deadlines in high-pressure situations, especially when handling security incidents. This can lead to burnout and high turnover rates in the profession.

Bridging the skills gap with usable cloud digital forensics and incident response tools  

To help organizations close the DFIR skills gap, it's critical that we modernize our approaches and implement a new way of doing things in DFIR that's fit for the cloud era. Modern cloud forensics and incident response platforms must prioritize usability in order to up-level security teams. A platform that is easy to use has the power to:

  • Enable more advanced analysts to be more efficient and have the ability to take on more cases
  • Uplevel more novel analysts to perform more advanced tasks than ever before
  • Eliminate cloud complexity– such as the complexities introduced by multi-cloud environments and container-based and serverless setups

What to look for in cloud forensics and incident response solutions

The following features greatly improve the impact of cloud forensics and incident response:

Data enrichment: Automated correlation of collected data with threat intelligence feeds, both external and proprietary, delivers immediate insight into suspicious or malicious activities. Data enrichment expedites investigations, enabling analysts to seamlessly pivot from key events and delve deeper into the raw data.

Single timeline view: A unified perspective across various cloud platforms and data sources is crucial. A single timeline view empowers security teams to seamlessly navigate evidence based on timestamps, events, users, and more, enhancing investigative efficiency. Pulling together a timeline has historically been a very time consuming task when using traditional approaches.

Saved search: Preserving queries during investigations allows analysts to re-execute complex searches or share them with colleagues, increasing efficiency and collaboration.

Faceted search: Facet search options provide analysts with quick insights into core data attributes, facilitating efficient dataset refinement.

Cross-cloud investigations: Analyzing evidence acquired from multiple cloud providers in a single platform is crucial for security teams. A unified view and timeline across cross cloud is critical in streamlining investigations.

How Darktrace can help

Darktrace’s cloud offerings have been bolstered with the acquisition of Cado Security Ltd., which enables security teams to gain immediate access to forensic-level data in multi-cloud, container, serverless, SaaS, and on-premises environments.

Not only does Darktrace offer centralized automation solutions for cloud forensics and investigation, but it also delivers a proactive approach Cloud Detection and Response (CDR). Darktrace / CLOUD is built with advanced AI to make cloud security accessible to all security teams and SOCs. By using multiple machine learning techniques, Darktrace brings unprecedented visibility, threat detection, investigation, and incident response to hybrid and multi-cloud environments.

[related-resource]

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI