Blog

Inside the SOC

Akira Ransomware: How Darktrace Foiled Another Novel Ransomware Attack

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Sep 2023
13
Sep 2023
This blog investigates the novel Akira ransomware strain, that was first observed in the wild in March 2023, and explores how Darktrace is uniquely placed to identify and contain such ransomware attacks.

Threats Landscape: New Strains of Ransomware

In the face of a seemingly never-ending production line of novel ransomware strains, security teams across the threat landscape are continuing to see a myriad of new variants and groups targeting their networks. Naturally, new strains and threat groups present unique challenges to organizations. The use of previously unseen tactics, techniques, and procedures (TTPs) means that threat actors can often completely bypass traditional rule and signature-based security solutions, thus rendering an organization’s digital environment vulnerable to attack.

What is Akira Ransomware?

One such example of a novel ransomware family is Akira, which was first observed in the wild in March 2023. Much like many other strains, Akira is known to target corporate networks worldwide, encrypting sensitive files and demanding huge sums of money to retrieve the data and stop it from being posted online [1].

In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection, Darktrace DETECT™ successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. In cases where Darktrace RESPOND™ was enabled in autonomous response mode, these attacks were mitigated the early stages of the attack, thus minimizing any disruption or damage to customer networks.

Initial access and privilege escalation

The Akira ransomware group typically uses spear-phishing campaigns containing malicious downloads or links as their primary initial access vector; however, they have also been known to use Remote Desktop Protocol (RDP) brute-force attacks to access target networks [2].

While Darktrace did observe the early access activities that are detailed below, it is very likely that the actual initial intrusion happened prior to this, through targeted phishing attacks that fell outside of Darktrace’s purview.  The first indicators of compromise (IoCs) that Darktrace observed on customer networks affected by Darktrace were typically unusual RDP sessions, and the use of compromised administrative credentials.

On one Darktrace customer’s network (customer A), Darktrace DETECT identified a highly privileged credential being used for the first time on an internal server on May 21, 2023. Around a week later, this server was observed establishing RDP connections with multiple internal destination devices via port 3389. Further investigation carried out by the customer revealed that this credential had indeed been compromised. On May 30, Darktrace detected another device scanning internal devices and repeatedly failing to authenticate via Kerberos.

As the customer had integrated Darktrace with Microsoft Defender, their security team received additional cyber threat intelligence from Microsoft which, coupled with the anomaly alerts provided by Darktrace, helped to further contextualize these anomalous events. One specific detail gleaned from this integration was that the anomalous scanning activity and failed authentication attempts were carried out using the compromised administrative credentials mentioned earlier.

By integrating Microsoft Defender with Darktrace, customers can efficiently close security gaps across their digital infrastructure. While Darktrace understands customer environments and provides valuable network-level insights, by integrating with Microsoft Defender, customers can further enrich these insights with endpoint-specific information and activity.

In another customer’s network (customer B), Darktrace detected a device, later observed writing a ransom note, receiving an unusual RDP connection from another internal device. The RDP cookie used during this activity was an administrative RDP cookie that appeared to have been compromised. This device was also observed making multiple connections to the domain, api.playanext[.]com, and using the user agent , AnyDesk/7.1.11, indicating the use of the AnyDesk remote desktop service.

Although this external domain does not appear directly related to Akira ransomware, open-source intelligence (OSINT) found associations with multiple malicious files, and it appeared to be associated with the AnyDesk user agent, AnyDesk/6.0.1 [3]. The connections to this endpoint likely represented the malicious use of AnyDesk to remotely control the customer’s device, rather than Akira command-and-control (C2) infrastructure or payloads. Alternatively, it could be indicative of a spoofing attempt in which the threat actor is attempting to masquerade as legitimate remote desktop service to remain undetected by security tools.

Around the same time, Darktrace observed many devices on customer B’s network making anomalous internal RDP connections and authenticating via Kerberos, NTLM, or SMB using the same administrative credential. These devices were later confirmed to be affected by Akira ransomware.

Figure 1 shows how Darktrace detected one of those internal devices failing to login via SMB multiple times with a certain credential (indication of a possible SMB/NTLM brute force), before successfully accessing other internal devices via SMB, NTLM and RDP using the likely compromised administrative credential mentioned earlier.

Figure 1: Model Breach Event Log indicating unusual SMB, NTLM and RDP activity with different credentials detected which led to the Darktrace DETECT model breaches, "Unusual Admin RDP Session” and “Successful Admin Brute-Force Activity”.

Darktrace DETECT models observed for initial access and privilege escalation:

  • Device / Anomalous RDP Followed By Multiple Model Breaches
  • Anomalous Connection / Unusual Admin RDP Session
  • New Admin Credentials on Server
  • Possible SMB/NTLM Brute Force Indicator
  • Unusual Activity / Successful Admin Brute-Force Activity

Internal Reconnaissance and Lateral Movement

The next step Darktrace observed during Akira ransomware attacks across the customer was internal reconnaissance and lateral movement.

In another customer’s environment (customer C), after authenticating via NTLM using a compromised credential, a domain controller was observed accessing a large amount of SMB shares it had never previously accessed. Darktrace DETECT understood that this SMB activity represented a deviation in the device’s expected behavior and recognized that it could be indicative of SMB enumeration. Darktrace observed the device making at least 196 connections to 34 unique internal IPs via port 445. SMB actions read, write, and delete were observed during those connections. This domain controller was also one of many devices on the customer’s network that was received incoming connections from an external endpoint over port 3389 using the RDP protocol, indicating that the devices were likely being remotely controlled from outside the network. While there were no direct OSINT links with this endpoint and Akira ransomware, the domain controller in question was later confirmed to be compromised and played a key role in this phase of the attack.

Moreover, this represents the second IoC that Darktrace observed that had no obvious connection to Akira, likely indicating that Akira actors are establishing entirely new infrastructure to carry out their attacks, or even utilizing newly compromised legitimate infrastructure. As Darktrace DETECT adopts an anomaly-based approach to threat detection, it can recognize suspicious activity indicative of an emerging ransomware attack based on its unusualness, rather than having to rely on previously observed IoCs and lists of ‘known-bads’.

Darktrace further observed a flurry of activity related to lateral movement around this time, primarily via SMB writes of suspicious files to other internal destinations. One particular device on customer C’s network was detected transferring multiple executable (.exe) and script files to other internal devices via SMB.

Darktrace recognized that these transfers represented a deviation from the device’s normal SMB activity and may have indicated threat actors were attempting to compromise additional devices via the transfer of malicious software.

Figure 2: Advanced Search results showing 20 files associated with suspicious SMB write activity, amongst them executable files and dynamic link libraries (DLLs).

Darktrace DETECT models observed for internal reconnaissance and lateral movement:

  • Device / RDP Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Possible Share Enumeration Activity
  • Scanning of Multiple Devices (Cyber AI Analyst Incident)
  • Device / Possible SMB/NTLM Reconnaissance
  • Compliance / Incoming Remote Desktop
  • Compliance / Outgoing NTLM Request from DC
  • Unusual Activity / Internal Data Transfer
  • Security Integration / Lateral Movement and Integration Detection
  • Device / Anomalous SMB Followed By Multiple Model Breaches

Ransomware deployment

In the final phase of Akira ransomware attacks detected on Darktrace customer networks, Darktrace DETECT identified the file extension “.akira” being added after encryption to a variety of files on the affected network shares, as well as a ransom note titled “akira_readme.txt” being dropped on affected devices.

On customer A’s network, after nearly 9,000 login failures and 2,000 internal connection attempts indicative of scanning activity, one device was detected transferring suspicious files over SMB to other internal devices. The device was then observed connecting to another internal device via SMB and continuing suspicious file activity, such as appending files on network shares with the “.akira” extension, and performing suspicious writes to SMB shares on other internal devices.

Darktrace’s autonomous threat investigator, Cyber AI Analyst™, was able to analyze the multiple events related to this encryption activity and collate them into one AI Analyst incident, presenting a detailed and comprehensive summary of the entire incident within 10 minutes of Darktrace’s initial detection. Rather than simply viewing individual breaches as standalone activity, AI Analyst can identify the individual steps of an ongoing attack to provide complete visibility over emerging compromises and their kill chains. Not only does this bolster the network’s defenses, but the autonomous investigations carried out by AI Analyst also help to save the security team’s time and resources in triaging and monitoring ongoing incidents.

Figure 3: Darktrace Cyber AI Analyst incident correlated multiple model breaches together to show Akira ransomware encryption activity.

In addition to analyzing and compiling Darktrace DETECT model breaches, AI Analyst also leveraged the host-level insights provided by Microsoft Defender to enrich its investigation into the encryption event. By using the Security Integration model breaches, AI Analyst can retrieve timestamp and device details from a Defender alert and further investigate any unusual activity surrounding the alert to present a full picture of the suspicious activity.

In customer B’s environment, following the unusual RDP sessions and rare external connections using the AnyDesk user agent, an affected device was later observed writing around 2,000 files named "akira_readme.txt" to multiple internal SMB shares. This represented the malicious actor dropping ransom notes, containing the demands and extortion attempts of the actors.

Figure 4: Model Breach Event Log indicating the ransom note detected on May 12, 2023, which led to the Darktrace DETECT model breach, Anomalous Server Activity / Write to Network Accessible WebRoot.
Figure 5: Packet Capture (PCAP) demonstrating the Akira ransom note captured from the connection details seen in Figure 4.

As a result of this ongoing activity, an Enhanced Monitoring model breach, a high-fidelity DETECT model type that detects activities that are more likely to be indicative of compromise, was escalated to Darktrace’s Security Operations Center (SOC) who, in turn were able to further investigate and triage this ransomware activity. Customers who have subscribed to Darktrace’s Proactive Threat Notification (PTN) service would receive an alert from the SOC team, advising urgent follow up action.

Darktrace DETECT models observed during ransomware deployment:

  • Security Integration / Integration Ransomware Incident
  • Security Integration / High Severity Integration Detection
  • Security Integration / Integration Ransomware Detected
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity (Proactive Threat Notification Alerted by the Darktrace SOC)
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous File / Internal / Unusual SMB Script Write
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous Server Activity /Write to Network Accessible WebRoot
  • Anomalous Server Activity /Write to Network Accessible WebRoot

Darktrace RESPOND

When Darktrace is configured in autonomous response mode, RESPOND is able to follow up successful threat identifications by DETECT with instant autonomous actions that stop malicious actors in their tracks and prevent them from achieving their end goals.

In the examples of Darktrace customers affected by Akira outlined above, only customer A had RESPOND enabled in autonomous response mode during their ransomware attack. The autonomous response capability of Darktrace RESPOND helped the customer to minimize disruption to the business through multiple targeted actions on devices affected by ransomware.

One action carried out by RESPOND was to block all on-going traffic from affected devices. In doing so, Darktrace effectively shuts down communications between devices affected by Akira and the malicious infrastructure used by threat actors, preventing the spread of data on the client network or threat actor payloads.

Another crucial RESPOND action applied on this customer’s network was combat Akira was to “Enforce a Pattern of Life” on affected devices. This action is designed to prevent devices from performing any activity that would constitute a deviation from their expected behavior, while allowing them to continue their ‘usual’ business operations without causing any disruption.

While the initial intrusion of the attack on customer A’s network likely fell outside of the scope of Darktrace’s visibility, Darktrace RESPOND was able to minimize the disruption caused by Akira, containing the ransomware and allowing the customer to further investigate and remediate.

Darktrace RESPOND model breaches:

  • Antigena / Network / External Threat / Antigena Ransomware Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network /Insider Threat /Antigena SMB Enumeration Block

Conclusion

Novel ransomware strains like Akira present a significant challenge to security teams across the globe due to the constant evolution of attack methods and tactics, making it huge a challenge for security teams to stay up to date with the most current threat intelligence.  

Therefore, it is paramount for organizations to adopt a technology designed around an intelligent decision maker able to identify unusual activity that could be indicative of a ransomware attack without depending solely on rules, signatures, or statistic lists of malicious IoCs.

Darktrace DETECT identified Akira ransomware at every stage of the attack’s kill chain on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. When enabled in autonomous response mode, Darktrace RESPOND is able to follow up initial detections with machine-speed preventative actions to stop the spread of ransomware and minimize the damage caused to customer networks.  

There is no silver bullet to defend against novel cyber-attacks, however Darktrace’s anomaly-based approach to threat detection and autonomous response capabilities are uniquely placed to detect and respond to cyber disruption without latency.

Credit to: Manoel Kadja, Cyber Analyst, Nahisha Nobregas, SOC Analyst.

Appendices

IOC - Type - Description/Confidence

202.175.136[.]197 - External destination IP -Incoming RDP Connection

api.playanext[.]com - External hostname - Possible RDP Host

.akira - File Extension - Akira Ransomware Extension

akira_readme.txt - Text File - Akira Ransom Note

AnyDesk/7.1.11 - User Agent -AnyDesk User Agent

MITRE ATT&CK Mapping

Tactic & Technique

DISCOVERY

T1083 - File and Directory Discovery

T1046 - Network Service Scanning

T1135 - Network Share Discovery

RECONNAISSANCE

T1595.002 - Vulnerability Scanning

CREDENTIAL ACCESS, COLLECTION

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

DEFENSE EVASION, LATERAL MOVEMENT

T1550.002 - Pass the Hash

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078 - Valid Accounts

DEFENSE EVASION

T1006 - Direct Volume Access

LATERAL MOVEMENT

T1563.002 - RDP Hijacking

T1021.001 - Remote Desktop Protocol

T1080 - Taint Shared Content

T1021.002 - SMB/Windows Admin Shares

INITIAL ACCESS

T1190 - Exploit Public-Facing Application

T1199 - Trusted Relationship

PERSISTENCE, INITIAL ACCESS

T1133 - External Remote Services

PERSISTENCE

T1505.003 - Web Shell

IMPACT

T1486 - Data Encrypted for Impact

References

[1] https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/

[2] https://www.civilsdaily.com/news/cert-in-warns-against-akira-ransomware/#:~:text=Spread%20Methods%3A%20Akira%20ransomware%20is,Desktop%20connections%20to%20infiltrate%20systems

[3] https://hybrid-analysis.com/sample/0ee9baef94c80647eed30fa463447f000ec1f50a49eecfb71df277a2ca1fe4db?environmentId=100

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Manoel Kadja
Cyber Analyst
Book a 1-1 meeting with one of our experts
share this article
USE CASES
Nessun articolo trovato.
PRODUCT SPOTLIGHT
Nessun articolo trovato.
COre coverage
Nessun articolo trovato.

More in this series

Nessun articolo trovato.

Blog

Nessun articolo trovato.

The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions

Default blog imageDefault blog image
13
May 2024

About the AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners” which was an overview of the entire report. This blog will focus on one aspect of the overarching report, the impact of AI on cybersecurity solutions.

To access the full report, click here.

The effects of AI on cybersecurity solutions

Overwhelming alert volumes, high false positive rates, and endlessly innovative threat actors keep security teams scrambling. Defenders have been forced to take a reactive approach, struggling to keep pace with an ever-evolving threat landscape. It is hard to find time to address long-term objectives or revamp operational processes when you are always engaged in hand-to-hand combat.                  

The impact of AI on the threat landscape will soon make yesterday’s approaches untenable. Cybersecurity vendors are racing to capitalize on buyer interest in AI by supplying solutions that promise to meet the need. But not all AI is created equal, and not all these solutions live up to the widespread hype.  

Do security professionals believe AI will impact their security operations?

Yes! 95% of cybersecurity professionals agree that AI-powered solutions will level up their organization’s defenses.                                                                

Not only is there strong agreement about the ability of AI-powered cybersecurity solutions to improve the speed and efficiency of prevention, detection, response, and recovery, but that agreement is nearly universal, with more than 95% alignment.

This AI-powered future is about much more than generative AI. While generative AI can help accelerate the data retrieval process within threat detection, create quick incident summaries, automate low-level tasks in security operations, and simulate phishing emails and other attack tactics, most of these use cases were ranked lower in their impact to security operations by survey participants.

There are many other types of AI, which can be applied to many other use cases:

Supervised machine learning: Applied more often than any other type of AI in cybersecurity. Trained on attack patterns and historical threat intelligence to recognize known attacks.

Natural language processing (NLP): Applies computational techniques to process and understand human language. It can be used in threat intelligence, incident investigation, and summarization.

Large language models (LLMs): Used in generative AI tools, this type of AI applies deep learning models trained on massively large data sets to understand, summarize, and generate new content. The integrity of the output depends upon the quality of the data on which the AI was trained.

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies. With the correct models, this AI can use anomaly-based detections to identify all kinds of cyber-attacks, including entirely unknown and novel ones.

What are the areas of cybersecurity AI will impact the most?

Improving threat detection is the #1 area within cybersecurity where AI is expected to have an impact.                                                                                  

The most frequent response to this question, improving threat detection capabilities in general, was top ranked by slightly more than half (57%) of respondents. This suggests security professionals hope that AI will rapidly analyze enormous numbers of validated threats within huge volumes of fast-flowing events and signals. And that it will ultimately prove a boon to front-line security analysts. They are not wrong.

Identifying exploitable vulnerabilities (mentioned by 50% of respondents) is also important. Strengthening vulnerability management by applying AI to continuously monitor the exposed attack surface for risks and high-impact vulnerabilities can give defenders an edge. If it prevents threats from ever reaching the network, AI will have a major downstream impact on incident prevalence and breach risk.

Where will defensive AI have the greatest impact on cybersecurity?

Cloud security (61%), data security (50%), and network security (46%) are the domains where defensive AI is expected to have the greatest impact.        

Respondents selected broader domains over specific technologies. In particular, they chose the areas experiencing a renaissance. Cloud is the future for most organizations,
and the effects of cloud adoption on data and networks are intertwined. All three domains are increasingly central to business operations, impacting everything everywhere.

Responses were remarkably consistent across demographics, geographies, and organization sizes, suggesting that nearly all survey participants are thinking about this similarly—that AI will likely have far-reaching applications across the broadest fields, as well as fewer, more specific applications within narrower categories.

Going forward, it will be paramount for organizations to augment their cloud and SaaS security with AI-powered anomaly detection, as threat actors sharpen their focus on these targets.

How will security teams stop AI-powered threats?            

Most security stakeholders (71%) are confident that AI-powered security solutions are better able to block AI-powered threats than traditional tools.

There is strong agreement that AI-powered solutions will be better at stopping AI-powered threats (71% of respondents are confident in this), and there’s also agreement (66%) that AI-powered solutions will be able to do so automatically. This implies significant faith in the ability of AI to detect threats both precisely and accurately, and also orchestrate the correct response actions.

There is also a high degree of confidence in the ability of security teams to implement and operate AI-powered solutions, with only 30% of respondents expressing doubt. This bodes well for the acceptance of AI-powered solutions, with stakeholders saying they’re prepared for the shift.

On the one hand, it is positive that cybersecurity stakeholders are beginning to understand the terms of this contest—that is, that only AI can be used to fight AI. On the other hand, there are persistent misunderstandings about what AI is, what it can do, and why choosing the right type of AI is so important. Only when those popular misconceptions have become far less widespread can our industry advance its effectiveness.  

To access the full report, click here.

Continue reading
About the author
The Darktrace Community

Blog

Inside the SOC

Connecting the Dots: Darktrace’s Detection of the Exploitation of the ConnectWise ScreenConnect Vulnerabilities

Default blog imageDefault blog image
10
May 2024

Introduction

Across an ever changing cyber landscape, it is common place for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly utilized services and applications. While attackers are likely to prioritize developing exploits for the more severe and global Common Vulnerabilities and Exposures (CVEs), they typically have the most success exploiting known vulnerabilities within the first couple years of disclosure to the public.

Addressing these vulnerabilities in a timely manner reduces the effectiveness of known vulnerabilities, decreasing the pace of malicious actor operations and forcing pursuit of more costly and time-consuming methods, such as zero-day related exploits or attacking software supply chain operations. While actors also develop tools to exploit other vulnerabilities, developing exploits for critical and publicly known vulnerabilities gives actors impactful tools at a low cost they are able to use for quite some time.

Between January and March 2024, the Darktrace Threat Research team investigated one such example that involved indicators of compromise (IoCs) suggesting the exploitation of vulnerabilities in ConnectWise’s remote monitoring and management (RMM) software ScreenConnect.

What are the ConnectWise ScreenConnect vulnerabilities?

CVE-2024-1708 is an authentication bypass vulnerability in ScreenConnect 23.9.7 (and all earlier versions) that, if exploited, would enable an attacker to execute remote code or directly impact confidential information or critical systems. This exploit would pave the way for a second ScreenConnect vunerability, CVE-2024-1709, which allows attackers to directly access confidential information or critical systems [1].

ConnectWise released a patch and automatically updated cloud versions of ScreenConnect 23.9.9, while urging security temas to update on-premise versions immediately [3].

If exploited in conjunction, these vulnerabilities could allow a malicious actor to create new administrative accounts on publicly exposed instances by evading existing security measures. This, in turn, could enable attackers to assume an administrative role and disable security tools, create backdoors, and disrupt RMM processes. Access to an organization’s environment in this manner poses serious risk, potentially leading to significant consequences such as deploying ransomware, as seen in various incidents involving the exploitation of ScreenConnect [2]

Darktrace Coverage of ConnectWise Exploitation

Darktrace’s anomaly-based detection was able to identify evidence of exploitation related to CVE-2024-1708 and CVE-2024-1709 across two distinct timelines; these detections included connectivity with endpoints that were later confirmed to be malicious by multiple open-source intelligence (OSINT) vendors. The activity observed by Darktrace suggests that threat actors were actively exploiting these vulnerabilities across multiple customer environments.

In the cases observed across the Darktrace fleet, Darktrace DETECT™ and Darktrace RESPOND™ were able to work in tandem to pre-emptively identify and contain network compromises from the onset. While Darktrace RESPOND was enabled in most customer environments affected by the ScreenConnect vulnerabilities, in the majority of cases it was configured in Human Confirmation mode. Whilst in Human Confirmation mode, RESPOND will provide recommended actions to mitigate ongoing attacks, but these actions require manual approval from human security teams.

When enabled in autonomous response mode, Darktrace RESPOND will take action automatically, shutting down suspicious activity as soon as it is detected without the need for human intervention. This is the ideal end state for RESPOND as actions can be taken at machine speed, without any delays waiting for user approval.

Looking within the patterns of activity observed by Darktrace , the typical  attack timeline included:

Darktrace observed devices on affected customer networks performing activity indicative of ConnectWise ScreenConnect usage, for example connections over 80 and 8041, connections to screenconnect[.]com, and the use of the user agent “LabTech Agent”. OSINT research suggests that this user agent is an older name for ConnectWise Automate [5] which also includes ScreenConnect as standard [6].

Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.
Figure 1: Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.

This activity was typically followed by anomalous connections to the external IP address 108.61.210[.]72 using URIs of the form “/MyUserName_DEVICEHOSTNAME”, as well as additional connections to another external, IP 185.62.58[.]132. Both of these external locations have since been reported as potentially malicious [14], with 185.62.58[.]132 in particular linked to ScreenConnect post-exploitation activity [2].

Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.

Same Exploit, Different Tactics?  

While the majority of instances of ConnectWise ScreenConnect exploitation observed by Darktrace followed the above pattern of activity, Darktrace was able to identify some deviations from this.

In one customer environment, Darktrace’s detection of post-exploitation activity began with the same indicators of ScreenConnect usage, including connections to screenconnect[.]com via port 8041, followed by connections to unusual domains flagged as malicious by OSINT, in this case 116.0.56[.]101 [16] [17]. However, on this deployment Darktrace also observed threat actors downloading a suspicious AnyDesk installer from the endpoint with the URI “hxxp[:]//116.0.56[.]101[:]9191/images/Distribution.exe”.

Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.
Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.

Further investigation by Darktrace’s Threat Research team revealed that this endpoint was associated with threat actors exploiting CVE-2024-1708 and CVE-2024-1709 [1]. Darktrace was additionally able to identify that, despite the customer being based in the United Kingdom, the file downloaded came from Pakistan. Darktrace recognized that this represented a deviation from the device’s expected pattern of activity and promptly alerted for it, bringing it to the attention of the customer.

Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.
Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.

Darktrace’s Autonomous Response

In this instance, the customer had Darktrace enabled in autonomous response mode and the post-exploitation activity was swiftly contained, preventing the attack from escalating.

As soon as the suspicious AnyDesk download was detected, Darktrace RESPOND applied targeted measures to prevent additional malicious activity. This included blocking connections to 116.0.56[.]101 and “*.56.101”, along with blocking all outgoing traffic from the device. Furthermore, RESPOND enforced a “pattern of life” on the device, restricting its activity to its learned behavior, allowing connections that are considered normal, but blocking any unusual deviations.

Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.

The customer was later able to use RESPOND to manually quarantine the offending device, ensuring that all incoming and outgoing traffic to or from the device was prohibited, thus preventing ay further malicious communication or lateral movement attempts.

Figure 8: The actions applied by Darktrace RESPOND in response to the post-exploitation activity related to the ScreenConnect vulnerabilities, including the manually applied “Quarantine device” action.

Conclusion

In the observed cases of the ConnectWise ScreenConnect vulnerabilities being exploited across the Darktrace fleet, Darktrace was able to pre-emptively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.

While much of the post-exploitation activity observed by Darktrace remained the same across different customer environments, important deviations were also identified suggesting that threat actors may be adapting their tactics, techniques and procedures (TTPs) from campaign to campaign.

While new vulnerabilities will inevitably surface and threat actors will continually look for novel ways to evolve their methods, Darktrace’s Self-Learning AI and behavioral analysis offers organizations full visibility over new or unknown threats. Rather than relying on existing threat intelligence or static lists of “known bads”, Darktrace is able to detect emerging activity based on anomaly and respond to it without latency, safeguarding customer environments whilst causing minimal disruption to business operations.

Credit: Emma Foulger, Principal Cyber Analyst for their contribution to this blog.

Appendices

Darktrace Model Coverage

DETECT Models

Compromise / Agent Beacon (Medium Period)

Compromise / Agent Beacon (Long Period)

Anomalous File / EXE from Rare External Location

Device / New PowerShell User Agent

Anomalous Connection / Powershell to Rare External

Anomalous Connection / New User Agent to IP Without Hostname

User / New Admin Credentials on Client

Device / New User Agent

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Compromise / Suspicious Request Data

Compliance / Remote Management Tool On Server

Anomalous File / Anomalous Octet Stream (No User Agent)

RESPOND Models

Antigena / Network::External Threat::Antigena Suspicious File Block

Antigena / Network::External Threat::Antigena File then New Outbound Block

Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block

Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach

Antigena / Network::Insider Threat::Antigena Unusual Privileged User Activities Block

Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Pattern of Life Block

List of IoCs

IoC - Type - Description + Confidence

185.62.58[.]132 – IP- IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

108.61.210[.]72- IP - IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

116.0.56[.]101    - IP - IP linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

/MyUserName_ DEVICEHOSTNAME – URI - URI linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

/images/Distribution.exe – URI - URI linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

24780657328783ef50ae0964b23288e68841a421 - SHA1 Filehash - Filehash linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

a21768190f3b9feae33aaef660cb7a83 - MD5 Filehash - Filehash linked with threat actors exploiting CVE-2024-1708 and CVE-2024-17091

MITRE ATT&CK Mapping

Technique – Tactic – ID - Sub-technique of

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Web Services      - RESOURCE DEVELOPMENT - T1583.006 - T1583

Drive-by Compromise - INITIAL ACCESS - T1189 – NA

Ingress Tool Transfer   - COMMAND AND CONTROL - T1105 - NA

Malware - RESOURCE DEVELOPMENT - T1588.001- T1588

Exploitation of Remote Services - LATERAL MOVEMENT - T1210 – NA

PowerShell – EXECUTION - T1059.001 - T1059

Pass the Hash      - DEFENSE EVASION, LATERAL MOVEMENT     - T1550.002 - T1550

Valid Accounts - DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - T1078 – NA

Man in the Browser – COLLECTION - T1185     - NA

Exploit Public-Facing Application - INITIAL ACCESS - T1190         - NA

Exfiltration Over C2 Channel – EXFILTRATION - T1041 – NA

IP Addresses – RECONNAISSANCE - T1590.005 - T1590

Remote Access Software - COMMAND AND CONTROL - T1219 – NA

Lateral Tool Transfer - LATERAL MOVEMENT - T1570 – NA

Application Layer Protocol - COMMAND AND CONTROL - T1071 – NA

References:

[1] https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/  

[2] https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708    

[3] https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

[4] https://www.speedguide.net/port.php?port=8041  

[5] https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate

[6] https://www.connectwise.com/solutions/software-for-internal-it/automate

[7] https://www.securityweek.com/slashandgrab-screenconnect-vulnerability-widely-exploited-for-malware-delivery/

[8] https://arcticwolf.com/resources/blog/cve-2024-1709-cve-2024-1708-follow-up-active-exploitation-and-pocs-observed-for-critical-screenconnect-vulnerabilities/https://success.trendmicro.com/dcx/s/solution/000296805?language=en_US&sfdcIFrameOrigin=null

[9] https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

[10] https://socradar.io/critical-vulnerabilities-in-connectwise-screenconnect-postgresql-jdbc-and-vmware-eap-cve-2024-1597-cve-2024-22245/

[11] https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html

[12] https://otx.alienvault.com/indicator/ip/185.62.58.132

[13] https://www.virustotal.com/gui/ip-address/185.62.58.132/community

[14] https://www.virustotal.com/gui/ip-address/108.61.210.72/community

[15] https://otx.alienvault.com/indicator/ip/108.61.210.72

[16] https://www.virustotal.com/gui/ip-address/116.0.56[.]101/community

[17] https://otx.alienvault.com/indicator/ip/116.0.56[.]101

Continue reading
About the author
Justin Torres
Cyber Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Iniziare la prova gratuita
Darktrace AI protecting a business from cyber threats.