Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats
As we enter the era of AI, both the way businesses operate and the landscape that they operate within are changing. To continue to support our customers, we’ve refocused our mission to be the essential cybersecurity platform using AI to proactively defend against novel and known threats.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Chris Kozup
Chief Marketing Officer
Share
27
Aug 2024
There’s a global paradigm shift underway, as we enter the era of AI, that is changing both the way businesses operate and the landscape that they operate within. Our customers are dealing with the impact that AI and automation, as well as the commodification of cybercrime-as-a-service, are having on the threat landscape. Attacks that once took a human weeks or months to propagate can now be done much faster, more effectively, and on a greater scale. Earlier this year, we released our 2024 State of AI Cybersecurity Report which found that 74% of security professionals surveyed agree that AI-powered cyber threats are already having a significant impact on their organizations.
On the other hand, we’ve never been more optimistic that the application of AI in cybersecurity is an essential enabler of innovation. That’s why Darktrace has been building a new model for cybersecurity since our founding in 2013. We remain squarely focused on innovating at the crossroads of AI and cybersecurity to better help our customers build resilience and stay one step ahead of changing threats. We’ve seen first-hand how AI can transform security operations by automating alert triage and freeing up valuable human time to focus on proactively hardening defenses.
As we continue this journey in support of our customers, it’s important that our corporate identity keep pace with our ambitions. We know that the world is a dynamic place, and we believe that a proactive approach to security is the best way to help our customers realize their innovation potential in this new era. To achieve this, we’ve refocused our mission to be the essential cybersecurity platform using AI to proactively defend against novel and known threats.
This week, we introduce a bold new brand promise that encapsulates our focus on championing the defenders who protect companies every day, while also pushing beyond the boundaries of conventional thinking to innovate ahead of current challenges. Defend Beyond – our new brand platform -- achieves just that. More than a brand tagline, Defend Beyond embodies the essence of Darktrace’s ability to harness the power of AI to help our customers to stay ahead of constantly changing cyber threats and threat actors. Take a closer look at this promise through our Defend Beyond brand video.
In addition to this redefined corporate positioning, Darktrace has continued to innovate for our customers. In April, we announced the Darktrace ActiveAI Security Platform™ – an
industry leading, AI-native offering that can visualize and correlate threats across the entire enterprise, provide more complete visibility to help mitigate risk, and automate time-intensive tasks to support a preventative and proactive approach to delivering cyber resilience. This platform-based approach allows our customers to be on the leading edge of AI in cybersecurity, while also reducing operational costs through security stack consolidation. Finally, as security operations teams struggle to keep up with the sheer volume of alerts, the Darktrace platform delivers industry-leading, investigative AI to automate the triaging of incidents and further save human time in the process.
This week, we go a step further as we unveil additional changes to our product portfolio including packaging and product naming. After extensive analysis and customer feedback, we’ve taken steps to streamline and simplify our product packaging. Specifically, our flagship products of Darktrace DETECT™ and Darktrace RESPOND™, along with Cyber AI Analyst™, have now been combined and serve as the foundation of the Darktrace ActiveAI Security platform. This approach ensures that customers benefit from the breadth of our real-time detection, autonomous response, and investigative AI capabilities in the easiest approach possible.
These foundational capabilities can be purchased through any one of the Darktrace primary products, which have been renamed as follows to better align to the challenges our customers are seeking to solve:
Darktrace / CLOUD™, delivering cyber resilience through real-time and intelligent multi-cloud security
Darktrace / EMAIL™, stopping sophisticated threats up to 13 days faster through revolutionary email security.
Darktrace / NETWORK™, combatting unknown threats with the most advanced Network Detection and Response.
Darktrace / OT™, redefining risk management with the most comprehensive solution purpose built for critical infrastructure.
Darktrace / IDENTITY™, unifying visibility and control of identity threats across your entire digital enterprise.
Darktrace / ENDPOINT™, providing advanced threat detection and response across devices, anywhere.
Customers can start their Darktrace journey with any of these primary products, realizing the additive benefits of the platform as their deployment grows. Cross platform products deliver value across the platform while also providing unique capabilities within their specific categories. We have renamed these products to better reflect the functionality of our offerings:
Darktrace PREVENT/E2E is now Proactive Exposure Management, stopping vulnerabilities from becoming reality.
Darktrace PREVENT/ASM is now Attack Surface Management, identifying and protecting unknown exposed assets.
Darktrace HEAL is now Incident Readiness & Recovery, uplifting security teams to reduce the impact of an incident.
At Darktrace, supporting our 9,700+ customers is the heart of our purpose and mission. We are inspired by the work they do every day to keep their organizations, and the world, moving in the face of constant change. Over the last year, we've continuously innovated across our products, services, and go-to-market strategy to enable them to stay ahead. The new positioning we're unveiling today is designed to simplify the experience for our customers and reflects our bold ambition to enable defenders today and for the future. I hope you join me in celebrating this evolution as we strive to defend beyond.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
From Exploit to Escalation: Tracking and Containing a Real-World Fortinet SSL-VPN Attack
Threat actors exploiting Fortinet CVEs
Over the years, Fortinet has issued multiple alerts about a wave of sophisticated attacks targeting vulnerabilities in its SSL-VPN infrastructure. Despite the release of patches to address these vulnerabilities, threat actors have continued to exploit a trio of Common Vulnerabilities and Exposures (CVEs) disclosed between 2022 and 2024 to gain unauthorized access to FortiGate devices.
Which vulnerabilities are exploited?
The vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—affect Fortinet’s SSL-VPN services and have been actively exploited by threat actors to establish initial access into target networks.
The vulnerabilities affect core components of FortiOS, allowing attackers to execute remote code on affected systems.
CVE-2022-42475
Type: Heap-Based Buffer Overflow in FortiOS SSL-VPN
This earlier vulnerability also targets the SSL-VPN interface and has been actively exploited in the wild. It allows attackers to execute arbitrary code remotely by overflowing a buffer in memory, often used to deploy malware or establish persistent backdoors [6].
CVE-2023-27997
Type: Heap-Based Buffer Overflow in FortiOS and FortiProxy
Impact: Remote Code Execution
This flaw exists in the SSL-VPN component of both FortiOS and FortiProxy. By exploiting a buffer overflow in the heap memory, attackers can execute malicious code remotely. This vulnerability is particularly dangerous because it can be triggered without authentication, making it ideal for an initial compromise [5].
CVE-2024-21762
Type: Out-of-Bounds Write in sslvpnd
Impact: Remote Code Execution
This vulnerability affects the SSL-VPN daemon (sslvpnd) in FortiOS. It allows unauthenticated remote attackers to send specially crafted HTTP requests that write data outside of allocated memory bounds. This can lead to arbitrary code execution, giving attackers full control over a device [4].
In short, these flaws enable remote attackers to execute arbitrary code without authentication by exploiting memory corruption issues such as buffer overflows and out-of-bounds writes. Once inside, threat actors use symbolic link (symlink) in order to maintain persistence on target devices across patches and firmware updates. This persistence then enables them to bypass security controls and manipulate firewall configurations, effectively turning patched systems into long-term footholds for deeper network compromise [1][2][3].
Darktrace’s Coverage
Darktrace detected a series of suspicious activities originating from a compromised Fortinet VPN device, including anomalous HTTP traffic, internal network scanning, and SMB reconnaissance, all indicative of post-exploitation behavior. Following initial detection by Darktrace’s real-time models, its Autonomous Response capability swiftly acted on the malicious activity, blocking suspicious connections and containing the threat before further compromise could occur.
Further investigation by Darktrace’s Threat Research team uncovered a stealthy and persistent attack that leveraged known Fortinet SSL-VPN vulnerabilities to facilitate lateral movement and privilege escalation within the network.
The attack on a Darktrace customer likely began on April 11 with the exploitation of a Fortinet VPN device running an outdated version of FortiOS. Darktrace observed a high volume of HTTP traffic originating from this device, specifically targeting internal systems. Notably, many of these requests were directed at the /cgi-bin/ directory, a common target for attackers attempting to exploit web interfaces to run unauthorized scripts or commands. This pattern strongly indicated remote code execution attempts via the SSL-VPN interface [7].
Once access was gained, the threat actor likely modified existing firewall rules, a tactic often used to disable security controls or create hidden backdoors for future access. While Darktrace does not have direct visibility into firewall configuration changes, the surrounding activity and post-exploitation behavior indicated that such modifications were made to support long-term persistence within the network.
Figure 1: HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080
Phase 2: Establishing Persistence & Lateral Movement
Shortly after the initial compromise of the Fortinet VPN device, the threat actor began to expand their foothold within the internal network. Darktrace detected initial signs of network scanning from this device, including the use of Nmap to probe the internal environment, likely in an attempt to identify accessible services and vulnerable systems.
Figure 2: Darktrace’s detection of unusual network scanning activities on the affected device.
Around the same time, Darktrace began detecting anomalous activity on a second device, specifically an internal firewall interface device. This suggested that the attacker had established a secondary foothold and was leveraging it to conduct deeper reconnaissance and move laterally through the network.
In an effort to maintain persistence within the network, the attackers likely deployed symbolic links in the SSL-VPN language file directory on the Fortinet device. While Darktrace did not directly observe symbolic link abuse, Fortinet has identified this as a known persistence technique in similar attacks [2][3]. Based on the observed post-exploitation behavior and likely firewall modifications, it is plausible that such methods were used here.
With lateral movement initiated from the internal firewall interface device, the threat actor proceeded to escalate their efforts to map the internal network and identify opportunities for privilege escalation.
Darktrace observed a successful NTLM authentication from the internal firewall interface to the domain controller over the outdated protocol SMBv1, using the account ‘anonymous’. This was immediately followed by a failed NTLM session connection using the hostname ‘nmap’, further indicating the use of Nmap for enumeration and brute-force attempts. Additional credential probes were also identified around the same time, including attempts using the credential ‘guest’.
Figure 3: Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.
The attacker then initiated DCE_RPC service enumeration, with over 300 requests to the Endpoint Mapper endpoint on the domain controller. This technique is commonly used to discover available services and their bindings, often as a precursor to privilege escalation or remote service manipulation.
Over the next few minutes, Darktrace detected more than 1,700 outbound connections from the internal firewall interface device to one of the customer’s subnets. These targeted common services such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), and HTTPS (443). The threat actor also probed administrative and directory services, including ports 135, 137, 389, and 445, as well as remote access via RDP on port 3389.
Further signs of privilege escalation attempts were observed with the detection of over 300 Netlogon requests to the domain controller. Just over half of these connections were successful, indicating possible brute-force authentication attempts, credential testing, or the use of default or harvested credentials.
Figure 4: Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.
Phase 4: Privilege Escalation & Remote Access
A few minutes later, the attacker initiated an RDP session from the internal firewall interface device to an internal server. The session lasted over three hours, during which more than 1.5MB of data was uploaded and over 5MB was downloaded.
Notably, no RDP cookie was observed during this session, suggesting manual access, tool-less exploitation, or a deliberate attempt to evade detection. While RDP cookie entries were present on other occasions, none were linked to this specific session—reinforcing the likelihood of stealthy remote access.
Additionally, multiple entries during and after this session show SSL certificate validation failures on port 3389, indicating that the RDP connection may have been established using self-signed or invalid certificates, a common tactic in unauthorized or suspicious remote access scenarios.
Figure 5: Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.
Darktrace Autonomous Response
Throughout the course of this attack, Darktrace’s Autonomous Response capability was active on the customer’s network. This enabled Darktrace to autonomously intervene by blocking specific connections and ports associated with the suspicious activity, while also enforcing a pre-established “pattern of life” on affected devices to ensure they were able to continue their expected business activities while preventing any deviations from it. These actions were crucial in containing the threat and prevent further lateral movement from the compromised device.
Figure 6: Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.
Conclusion
This incident highlights the importance of important staying on top of patching and closely monitoring VPN infrastructure, especially for internet-facing systems like Fortinet devices. Despite available patches, attackers were still able to exploit known vulnerabilities to gain access, move laterally and maintain persistence within the customer’s network.
Attackers here demonstrated a high level of stealth and persistence. Not only did they gain access to the network and carry out network scans and lateral movement, but they also used techniques such as symbolic link abuse, credential probing, and RDP sessions without cookies to avoid detection. Darktrace’s detection of the post-exploitation activity, combined with the swift action of its Autonomous Response technology, successfully blocked malicious connections and contained the attack before it could escalate
Credit to Priya Thapa (Cyber Analyst), Vivek Rajan (Cyber Analyst), and Ryan Traill (Analyst Content Lead)
The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.
Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.
Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.
The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.
How Organizations are Addressing Cloud Investigation and Response
Why cloud investigation and response needs to evolve
As organizations accelerate their move to the cloud, they’re confronting two interrelated pressures: a rapidly expanding attack surface and rising regulatory scrutiny. The dual pressure is forcing security practitioners to evolve their strategies in the cloud, particularly around investigation and response, where we see analysts spending the most time. This work is especially difficult in the cloud, often requiring experienced analysts to manually stitch together evidence across fragmented systems, unfamiliar platforms, and short-lived assets.
However, adapting isn’t easy. Many teams are operating with limited budgets and face a shortage of cloud-specific security talent. That’s why more organizations are now prioritizing tools that not only deliver deep visibility and rapid response in the cloud, but also help upskill their analysts to keep pace with threats and compliance demands.
Our 2024 survey report highlights just how organizations are recognizing gaps in their cloud security, feeling the heat from regulators, and making significant investments to bolster their cloud investigation capabilities.
In this blog post, we’ll explore the current challenges, approaches, and strategies organizations are employing to enhance their cloud investigation and incident response.
Recognizing the gaps in current cloud investigation and response methods
Complex environments & static tools
Due to the dynamic nature of cloud infrastructure, ephemeral assets, autoscaling environments, and multi-cloud complexity, traditional investigation and response methods which rely on static snapshots and point-in-time data, are fundamentally mismatched. And with Cloud environment APIs needing deep provider knowledge and scripting skills to extract much needed evidence its unrealistic for one person to master all aspects of cloud incident response.
Analysts are still stitching together logs from fragmented systems, manually correlating events, and relying on post-incident forensics that often arrive too late to drive meaningful response. These approaches were built for environments that rarely changed. In the cloud, where assets may only exist for minutes and attacker movement can span regions or accounts in seconds, point-in-time visibility simply can’t keep up. As a result, critical evidence is missed, timelines are incomplete, and investigations drag on longer than they should.
Even some modern approaches still depend heavily on static configurations, delayed snapshots, or siloed visibility that can’t keep pace with real-time attacker movement.
There is even the problem of identifying what cloud data sources hold the valuable information needed to investigate in the first place. With AWS alone having over 200 products, each with its own security practices and data sources.It can be challenging to identify where you need to be looking.
To truly secure the cloud, investigation and response must be continuous, automated, and context-rich. Tools should be able to surface the signal from the noise and support analysts at every step, even without deep forensics expertise.
Increasing compliance pressure
With the rise of data privacy regulations and incident reporting mandates worldwide, organizations face heightened scrutiny. Noncompliance can lead to severe penalties, making it crucial to have robust cloud investigation and response mechanisms in place. 74% of organizations surveyed reported that data privacy regulations complicate incident response, underscoring the urgency to adapt to regulatory requirements.
In addition, a majority of organizations surveyed (89%) acknowledged that they suffer damage before they can fully contain and investigate incidents, particularly in cloud environments, highlighting the need for enhanced cloud capabilities.
Enhancing cloud investigation and response
To address these challenges, organizations are actively growing their capabilities to perform investigations in the cloud. Key steps include:
Allocating and increasing budgets:
Recognizing the importance of cloud-specific investigation tools, many organizations have started to allocate dedicated budgets for cloud forensics. 83% of organizations have budgeted for cloud forensics, with 77% expecting this budget to increase. This reflects a strong commitment to improving cloud security.
Implementing automation that understands cloud behavior
Automation isn’t just about speeding up tasks. While modern threats require speed and efficiency from defenders, automation aims to achieve this by enabling consistent decision making across unique and dynamic environments. Traditional SOAR platforms, often designed for static on-prem environments, struggle to keep pace with the dynamic and ephemeral nature of the cloud, where resources can disappear before a human analyst even has a chance to look at them. Cloud-native automation, designed to act on transient infrastructure and integrate seamlessly with cloud APIs, is rapidly emerging as the more effective approach for real-time investigation and response. Automation can cover collection, processing, and storage of incident evidence without ever needing to wait for human intervention and the evidence is ready and waiting all in once place, regardless of if the evidence is cloud-provider logs, disk images, or memory dumps. With the right automation tools you can even go further and automate the full process from end to end covering acquisition, processing, analysis, and response.
Artificial Intelligence (AI) that augments analysts’ intuition not just adds speed
While many vendors tout AI’s ability to “analyze large volumes of data,” that’s table stakes. The real differentiator is how AI understands the narrative of an incident, surfacing high-fidelity alerts, correlating attacker movement across cloud and hybrid environments, and presenting findings in a way that upskills rather than overwhelms analysts.
In this space, AI isn’t just accelerating investigations, it’s democratizing them by reducing the reliance on highly specialized forensic expertise.
Strategies for effective cloud investigation and response
Organizations are also exploring various strategies to optimize their cloud investigation and response capabilities:
Enhancing visibility and control:
Unified platforms: Implementing platforms that provide a unified view across multiple cloud environments can help organizations achieve better visibility and control. This consolidation reduces the complexity of managing disparate tools and data sources.
Improved integration: Ensuring that all security tools and platforms are seamlessly integrated is critical. This integration facilitates better data sharing and cohesive incident management.
Cloud specific expertise: Training and Recruitment: Investing in training programs to develop cloud-specific skills among existing staff and recruiting experts with cloud security knowledge can bridge the skill gap.
Continuous learning: Given the constantly evolving nature of cloud threats, continuous learning and adaptation are essential for maintaining effective security measures.
Leveraging automation and AI:
Automation solutions: Automation solutions for cloud environments can significantly speed up and simplify incident response efficiency. These solutions can handle repetitive tasks, allowing security teams to focus on more complex issues.
AI powered analysis: AI can assist in rapidly analyzing incident data, identifying anomalies, and predicting potential threats. This proactive approach can help prevent incidents before they escalate.
Cloud investigation and response with Darktrace
Darktrace’s forensic acquisition & investigation capabilities helps organizations address the complexities of cloud investigations and incident response with ease. The product seamlessly integrates with AWS, GCP, and Azure, consolidating data from multiple cloud environments into one unified platform. This integration enhances visibility and control, making it easier to manage and respond to incidents across diverse cloud infrastructures.
By leveraging machine learning and automation, Forensic Acquisition & Investigation accelerates the investigation process by quickly analyzing vast amounts of data, identifying patterns, and providing actionable insights. Automation reduces manual effort and response times, allowing your security team to focus on the most pressing issues.
Forensic Acquisition & Investigation can help you stay ahead of threats whilst also meeting regulatory requirements, helping you to maintain a robust cloud security position.
