AI reveals 2018’s biggest cyber-threats: Part two — to err is human

Max Heinemeyer, Director of Threat Hunting | Friday February 8, 2019

For security professionals around the world, it is hardly a secret that cyber-attacks are becoming ever more difficult to detect — incorporating stealthier tactics and even automated elements to breach the network perimeter. Yet despite the increasing sophistication of these threats, the greatest security risk confronting today’s businesses, governments, and nonprofits continues to be their own employees.

Such credentialed network users present a relatively easy avenue into the digital estate for cyber-criminals who manage to deceive them. From banking trojans that are spread using social engineering to cryptocurrency mining carried out by disgruntled workers, the past year witnessed a significant upswing in threats that either exploited the fallibility of employees or which were authored by employees themselves.

By monitoring and analyzing raw traffic from all our clients’ users, internet-connected devices, and cloud deployments, we saw a number of trends emerge in 2018. As the second installment of a two-part series, this article will review specifically those attack trends that involve trickery, subtlety, and the art of deception. Because, as organizations deploy the latest technologies and tools to improve their cyber defenses, the weakest link in our network security is not a machine — it is human.

Banking trojan attacks increased by 239%

Named after the legendary act of Grecian subterfuge, today a trojan horse refers to a malicious computer program that misleads its user of its actual purpose, taking advantage of the fundamental weakness of human error inherent to any security posture. Over the last 12 months, the incidence of banking trojans in particular — which harvest the credentials of online banking customers from infected machines — has increased by a staggering 239% across our customer base.

This dramatic increase may be a consequence of the declining popularity of ransomware for monetary gain: it seems that banking trojans are, at least at present, a more profitable tool for cyber-criminals. Unlike ransomware, banking trojans do not rely on a victim’s conscious willingness to pay; rather, they use deception to perform transactions without the victim’s knowledge. And as the number of ransomware incidents declined in 2018, it seems that subtler attacks have become the weapons of choice for cyber-crime.

The proliferation of banking trojans has been accompanied by a growing sophistication in the malware itself, with many banking trojans having expanded beyond their original target of online banking access. Indeed, advanced trojans like Emotet now deliver other forms of malware as payloads, after using fraudulent emails, online advertisements, and other forms of social engineering to breach the perimeter.

Cryptocurrency-related incidents up 78%

Figure 1: Cryptocurrency values declined precipitously in 2018 after rapid growth.

Alongside the increase in banking trojans, Darktrace detected 78% growth in the frequency of another under-the-radar threat: crypto-jacking. Defined as the secret usage of computing power to mine cryptocurrency, crypto-jacking operates by the opposite logic of ransomware, acting as a parasite on an organization’s computing systems or injecting hidden code into an organization’s web pages. Whereas ransomware attackers demand payment immediately, cryptocurrency miners seek to go unnoticed for as long as possible.

Deceptive threats like banking trojans and crypto-jacking are particularly elusive when they originate from insiders. In one Fortune 500 e-commerce company this year, Darktrace discovered a privileged access user — a disgruntled systems administrator — hijacking power sources from the company’s infrastructure for his own monetary gain. The employee co-opted other users’ credentials and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.

At the same time, the growth rate of cryptocurrency-related threats is less than in the previous year, likely as a result of the dramatic fall in the value of most cryptocurrencies (see Figure 1). But with many experts anticipating these values to bounce back, we expect crypto-jacking to become far more common in the years to come. The cyber-criminal ecosystem still responds to macroeconomic factors, and as payment systems continue to evolve, so too will attackers’ revenue streams.

The weakest link: still people

The rapid escalation of deceptive and subtle threats — from banking trojans that gain access with social engineering to crypto-jacking carried out by insiders to targeted spear phishing emails — is the product of a fundamental flaw with the traditional approach to cyber defense, which entails securing the perimeter against known threats. Indeed, once an employee, maliciously or inadvertently, compromises the network from the inside, protecting the perimeter does little good. And as we look ahead to 2019, a year likely to be even more dominated by deceptive attacks and internal threats, organizations must seek to better understand their own networks to recognize whenever something is, ever so slightly, amiss.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Anatomy of a zero-day trojan caught by our Darktrace appliance

Keith Siepel, IT Manager at Hydrotech, Inc. (Guest Contributor) | Monday February 4, 2019

The following guest-authored blog post examines an advanced cyber-threat discovered by Darktrace on a customer’s network.


Previously I have talked about how Darktrace is a force multiplier for Hydrotech. As an example of this, I am sharing the anatomy of a zero-day trojan that was caught by our Darktrace system on the afternoon of Thursday, January 17. The following process was completed, in its entirety, within 20 minutes. 

Remediation started within five minutes of the initial identification of the VMWare recompose process. Although the following notifications appeared at 1:38 p.m., I was working on another unrelated issue and didn’t find this information until 2:15 p.m., at which point I started my investigation and remediation efforts.

Darktrace Email Notifications @ 1:38PM EST 1/17/2018:
2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Pattern of Life Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:37:57 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena Malware File Block"

FileTransfer::Exe file transfer started with filetype (application/x-dosexec)

2019-01-17 18:38:05 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block"

Anomalous File / Multiple EXE from Rare External Locations

2019-01-17 18:38:14 UTC
o365n-88.ad.hydrotech[.]com breached "Antigena / Network / External Threat / Antigena File then New Outbound Block"

Anomalous File / EXE from Rare External Location

Review of Darktrace breach logs

The first breach log showed a file downloaded by the name “MediaTable.bin.”

This was followed shortly after by a second file downloaded by the name “OfficeActivate.bin.”

At this point I contacted the end user and told them that I was going to perform an emergency recompose within VMWare — restoring their VM to a previously known good version of the operating system — to block a suspicious software that they had downloaded 30 minutes prior. This action effectively removes any applications that have been installed on the virtual desktop computer.

After starting the recompose efforts, I then proceeded to run the URLs that I had gathered through virustotal.com to see what had been downloaded:

For the file MediaTable.bin, virustotal.com informed me that four engines detected the URL as containing malicious content.

For the file OfficeActivate.bin, virustotal.com informed me that three engines detected the URL as containing malicious content.

Review of our Intrusion Detection System on the firewall showed the following initial approval, followed by a second alert — several hours later — that changed the approval to a diagnostic of malicious, after the files had already been downloaded.

1/17/2019 13:38
File Scanned
69.163.33[.]84
Allowed
OfficeActivate.bin downloaded from [http://69.163.33[.]84:8080/ELjOX2c8/OfficeActivate.bin]
1/17/2019 13:37
File Scanned
91.205.215[.]13
Allowed
MediaTable.bin downloaded from [http://91.205.215[.]13:8080/O11L9Qub/MediaTable.bin]
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: OfficeActivate.bin
1/17/2019 19:34
File Disposition Changed
Malicious
Disposition was Unknown and has been seen 1 time: MediaTable.bin

I then input the IP addresses previously identified into the Darktrace interface to determine if any other devices had accessed them. Fortunately, I found that they had not.

Images of the event logs for those IP addresses from within Darktrace are as follows:

Event log for 69.163.33[.]84.

Event log for 91.205.215[.]13.

Further research showed that this attack was, in fact, a zero-day trojan that was first detected in the wild on January 17, 2019 — the same day as our breach. My review of the forensics for this breach, along with my review of the activity of the user utilizing the victimized virtual machine, revealed that the attack originated from this user clicking on a phishing link from their email.

I feel fairly lucky that I have Darktrace, because without it I am not sure if or when this trojan would have been identified on our network.

If there is anyone out there who has questions about Darktrace, please message me privately, as I have just become Darktrace’s biggest evangelist!