How a cloud server nearly released IP at a major manufacturing company

Andrew Tsonchev, Director of Cyber Analysis | Monday September 18, 2017

4 million customers had their information exposed in the Time Warner compromise. In the Verizon breach, that number rose to 14 million. Third-party cloud vulnerabilities were responsible for both.

Signature-based security tools consistently fail to detect cloud-based threats like these, which are often subtle and unique from threats found on the physical network.

At a leading manufacturing company in Europe, Darktrace detected a similar cloud vulnerability, only instead of customer data at risk, it was sensitive intellectual property.

The company was using a third-party cloud server to store files containing product details and sales projections. The files on the server and the root IP were gated with a username and password.

After entering their credentials, however, the files contained on the server were left unencrypted. Darktrace detected this vulnerability when a device downloaded a ZIP file from a rare external IP address that Darktrace deemed highly anomalous compared to the device’s normal behavior.

94:65:9c:a6:XX:XX made an HTTP connection to XX[.]23.0.23 on TCP port 80

Source: 10.84.16.50
Destination: 10.3.0.1
Destination Port: 8080
Path: hxxp://XX.23.0[.]23/dl/ntt_download.php?key=DLNT57fe6b54[PARTLY REDACTED]

Ordinarily, this activity would indicate unauthorized content entering the network, but in this case, the anomaly revealed a critical security flaw. Darktrace’s AI algorithms and mathematical models immediately recognized this activity as a deviation from the device’s normal ‘pattern of life’.

Upon investigation of the anomaly, it was discovered that the ZIP file wasn’t access restricted. In other words, anybody could have downloaded the ZIP file if they knew the URL, which could have been obtained by simply intercepting network traffic, either internally or externally. More dedicated attackers could have even brute-forced the file ‘key’ parameter of the URL.

The files in question included product specs, market research, and other sensitive data. The loss or leakage of such information could have placed the entire product line at risk.

A sample of the file names in the ZIP file included:

2016-09-30 - [REDACTED] - Spectral Reconstruction and Measurement.docx
2016-09-30 - [REDACTED] - Brightness analysis.docx
2016-09-30 - Coverage on validation cards - Statistical analysis.xlsx

By reporting this incident as soon as it was detected, the company prevented the loss of valuable intellectual property and internal documents. Darktrace assisted the security team in revising their data storage practices in order to better protect their product information moving forward.

Too often, subtle anomalies like these are obscured by the cloud or lost in the noise of the network. Traditional security tools tend to have limited visibility of cloud activity, and even then, they only look for known threats. This vulnerability was unique and would have gone undetected by signature-based controls.

To learn more, check out our Threat Use Cases page which details some of the most interesting recent threats we’ve found.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.