Blog

Dentro del SOC

Amadey Info-Stealer: Exploiting N-Day Vulnerabilities to Launch Information Stealing Malware

Default blog imageDefault blog image
22
Mar 2023
22
Mar 2023

The continued prevalence of Malware as a Service (MaaS) across the cyber threat landscape means that even the most inexperienced of would-be malicious actors are able to carry out damaging and wide-spread cyber-attacks with relative ease. Among these commonly employed MaaS are information stealers, or info-stealers, a type of malware that infects a device and attempts to gather sensitive information before exfiltrating it to the attacker. Info-stealers typically target confidential information, such as login credentials and bank details, and attempt to lie low on a compromised device, allowing access to sensitive data for longer periods of time. 

It is essential for organizations to have efficient security measures in place to defend their networks from attackers in an increasing versatile and accessible threat landscape, however incident response alone is not enough. Having an autonomous decision maker able to not only detect suspicious activity, but also take action against it in real time, is of the upmost importance to defend against significant network compromise. 

Between August and December 2022, Darktrace detected the Amadey info-stealer on more than 30 customer environments, spanning various regions and industry verticals across the customer base. This shows a continual presence and overlap of info-stealer indicators of compromise (IOCs) across the cyber threat landscape, such as RacoonStealer, which we discussed last November (Part 1 and Part 2).

Background on Amadey

Amadey Bot, a malware that was first discovered in 2018, is capable of stealing sensitive information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold in illegal forums as MaaS starting from $500 USD [1]. 

Researchers at AhnLab found that Amadey is typically distributed via existing SmokeLoader loader malware campaigns. Downloading cracked versions of legitimate software causes SmokeLoader to inject malicious payload into Windows Explorer processes and proceeds to download Amadey.  

The botnet has also been used for distributed denial of service (DDoS) attacks, and as a vector to install malware spam campaigns, such as LockBit 3.0 [2]. Regardless of the delivery techniques, similar patterns of activity were observed across multiple customer environments. 

Amadey’s primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.

Darktrace DETECT/Network™ and its built-in features, such as Wireshark Packet Captures (PCAP), identified Amadey activity on customer networks, whilst Darktrace RESPOND/Network™ autonomously intervened to halt its progress.

Attack Details

Figure 1: Timeline of Amadey info-stealer kill chain.

Acceso inicial  

User engagement with malicious email attachments or cracked software results in direct execution of the SmokeLoader loader malware on a device. Once the loader has executed its payload, it is then able to download additional malware, including the Amadey info-stealer.

Unusual Outbound Connections 

After initial access by the loader and download of additional malware, the Amadey info-stealer captures screenshots of network information and sends them to Amadey command and control (C2) servers via HTTP POST requests with no GET to a .php URI. An example of this can be seen in Figure 2.  

Figure 2: PCAP from an affected customer showing screenshots being sent out to the Amadey C2 server via a .jpg file. 

C2 Communications  

The infected device continues to make repeated connections out to this Amadey endpoint. Amadey's C2 server will respond with instructions to download additional plugins in the form of dynamic-link libraries (DLLs), such as "/Mb1sDv3/Plugins/cred64.dll", or attempt to download secondary info-stealers such as RedLine or RaccoonStealer. 

Internal Reconnaissance 

The device downloads executable and DLL files, or stealer configuration files to steal additional network information from software including RealVNC and Outlook. Most compromised accounts were observed downloading additional malware following commands received from the attacker.

Exfiltración de datos 

The stolen information is then sent out via high volumes of HTTP connection. It makes HTTP POSTs to malicious .php URIs again, this time exfiltrating more data such as the Amadey version, device names, and any anti-malware software installed on the system.

How did the attackers bypass the rest of the security stack?

Existing N-Day vulnerabilities are leveraged to launch new attacks on customer networks and potentially bypass other tools in the security stack. Additionally, exfiltrating data via low and slow HTTP connections, rather than large file transfers to cloud storage platforms, is an effective means of evading the detection of traditional security tools which often look for large data transfers, sometimes to a specific list of identified “bad” endpoints.

Darktrace Coverage 

Amadey activity was autonomously identified by DETECT and the Cyber AI Analyst. A list of DETECT models that were triggered on deployments during this kill chain can be found in the Appendices. 

Various Amadey activities were detected and highlighted in DETECT model breaches and their model breach event logs. Figure 3 shows a compromised device making suspicious HTTP POST requests, causing the ‘Anomalous Connection / Posting HTTP to IP Without Hostname’ model to breach. It also downloaded an executable file (.exe) from the same IP.

Figure 3: Amadey activity on a customer deployment captured by model breaches and event logs. 

DETECT’s built-in features also assisted with detecting the data exfiltration. Using the PCAP integration, the exfiltrated data was captured for analysis. Figure 4 shows a connection made to the Amadey endpoint, in which information about the infected device, such as system ID and computer name, were sent. 

Figure 4: PCAP downloaded from Darktrace event logs highlighting data egress to the Amadey endpoint. 

Further information about the infected system can be seen in the above PCAP. As outlined by researchers at Ahnlab and shown in Figure 5, additional system information sent includes the Amadey version (vs=), the device’s admin privilege status (ar=), and any installed anti-malware or anti-virus software installed on the infected environment (av=) [3]. 

Figure 5: AhnLab’s glossary table explaining the information sent to the Amadey C2 server. 

Darktrace’s AI Analyst was also able to connect commonalities between model breaches on a device and present them as a connected incident made up of separate events. Figure 6 shows the AI Analyst incident log for a device having breached multiple models indicative of the Amadey kill chain. It displays the timeline of these events, the specific IOCs, and the associated attack tactic, in this case ‘Command and Control’. 

Figure 6: A screenshot of multiple IOCs and activity correlated together by AI Analyst. 

When enabled on customer’s deployments, RESPOND was able to take immediate action against Amadey to mitigate its impact on customer networks. RESPOND models that breached include: 

  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block 
  • Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

On one customer’s environment, a device made a POST request with no GET to URI ‘/p84Nls2/index.php’ and unepeureyore[.]xyz. RESPOND autonomously enforced a previously established pattern of life on the device twice for 30 minutes each and blocked all outgoing traffic from the device for 10 minutes. Enforcing a device’s pattern of life restricts it to conduct activity within the device and/or user’s expected pattern of behavior and blocks anything anomalous or unexpected, enabling normal business operations to continue. This response is intended to reduce the potential scale of attacks by disrupting the kill chain, whilst ensuring business disruption is kept to a minimum. 

Figure 7: RESPOND actions taken on a customer deployment to disrupt the Amadey kill chain. 

The Darktrace Threat Research team conducted thorough investigations into Amadey activity observed across the customer base. They were able to identify and contextualize this threat across the fleet, enriching AI insights with collaborative human analysis. Pivoting from AI insights as their primary source of information, the Threat Research team were able to provide layered analysis to confirm this campaign-like activity and assess the threat across multiple unique environments, providing a holistic assessment to customers with contextualized insights.

Conclusion

The presence of the Amadey info-stealer in multiple customer environments highlights the continuing prevalence of MaaS and info-stealers across the threat landscape. The Amadey info-stealer in particular demonstrates that by evading N-day vulnerability patches, threat actors routinely launch new attacks. These malicious actors are then able to evade detection by traditional security tools by employing low and slow data exfiltration techniques, as opposed to large file transfers.

Crucially, Darktrace’s AI insights were coupled with expert human analysis to detect, respond, and provide contextualized insights to notify customers of Amadey activity effectively. DETECT captured Amadey activity taking place on customer deployments, and where enabled, RESPOND’s autonomous technology was able to take immediate action to reduce the scale of such attacks. Finally, the Threat Research team were in place to provide enhanced analysis for affected customers to help security teams future-proof against similar attacks.

Appendices

Darktrace Model Detections 

Anomalous File / EXE from Rare External Location

Device / Initial Breach Chain Compromise

Anomalous Connection / Posting HTTP to IP Without Hostname 

Anomalous Connection / POST to PHP on New External Host

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname 

Compromise / Beaconing Activity To External Rare

Compromise / Slow Beaconing Activity To External Rare

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

List of IOCs

f0ce8614cc2c3ae1fcba93bc4a8b82196e7139f7 - SHA1 - Amadey DLL File Hash

e487edceeef3a41e2a8eea1e684bcbc3b39adb97 - SHA1 - Amadey DLL File Hash

0f9006d8f09e91bbd459b8254dd945e4fbae25d9 - SHA1 - Amadey DLL File Hash

4069fdad04f5e41b36945cc871eb87a309fd3442 - SHA1 - Amadey DLL File Hash

193.106.191[.]201 - IP - Amadey C2 Endpoint

77.73.134[.]66 - IP - Amadey C2 Endpoint

78.153.144[.]60 - IP - Amadey C2 Endpoint

62.204.41[.]252 - IP - Amadey C2 Endpoint

45.153.240[.]94 - IP - Amadey C2 Endpoint

185.215.113[.]204 - IP - Amadey C2 Endpoint

85.209.135[.]11 - IP - Amadey C2 Endpoint

185.215.113[.]205 - IP - Amadey C2 Endpoint

31.41.244[.]146 - IP - Amadey C2 Endpoint

5.154.181[.]119 - IP - Amadey C2 Endpoint

45.130.151[.]191 - IP - Amadey C2 Endpoint

193.106.191[.]184 - IP - Amadey C2 Endpoint

31.41.244[.]15 - IP - Amadey C2 Endpoint

77.73.133[.]72 - IP - Amadey C2 Endpoint

89.163.249[.]231 - IP - Amadey C2 Endpoint

193.56.146[.]243 - IP - Amadey C2 Endpoint

31.41.244[.]158 - IP - Amadey C2 Endpoint

85.209.135[.]109 - IP - Amadey C2 Endpoint

77.73.134[.]45 - IP - Amadey C2 Endpoint

moscow12[.]at - Hostname - Amadey C2 Endpoint

moscow13[.]at - Hostname - Amadey C2 Endpoint

unepeureyore[.]xyz - Hostname - Amadey C2 Endpoint

/fb73jc3/index.php - URI - Amadey C2 Endpoint

/panelis/index.php - URI - Amadey C2 Endpoint

/panelis/index.php?scr=1 - URI - Amadey C2 Endpoint

/panel/index.php - URI - Amadey C2 Endpoint

/panel/index.php?scr=1 - URI - Amadey C2 Endpoint

/panel/Plugins/cred.dll - URI - Amadey C2 Endpoint

/jg94cVd30f/index.php - URI - Amadey C2 Endpoint

/jg94cVd30f/index.php?scr=1 - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/index.php - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/index.php?scr=1 - URI - Amadey C2 Endpoint

/o7Vsjd3a2f/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/gjend7w/index.php - URI - Amadey C2 Endpoint

/hfk3vK9/index.php - URI - Amadey C2 Endpoint

/v3S1dl2/index.php - URI - Amadey C2 Endpoint

/f9v33dkSXm/index.php - URI - Amadey C2 Endpoint

/p84Nls2/index.php - URI - Amadey C2 Endpoint

/p84Nls2/Plugins/cred.dll - URI - Amadey C2 Endpoint

/nB8cWack3/index.php - URI - Amadey C2 Endpoint

/rest/index.php - URI - Amadey C2 Endpoint

/Mb1sDv3/index.php - URI - Amadey C2 Endpoint

/Mb1sDv3/index.php?scr=1 - URI - Amadey C2 Endpoint

/Mb1sDv3/Plugins/cred64.dll  - URI - Amadey C2 Endpoint

/h8V2cQlbd3/index.php - URI - Amadey C2 Endpoint

/f5OknW/index.php - URI - Amadey C2 Endpoint

/rSbFldr23/index.php - URI - Amadey C2 Endpoint

/rSbFldr23/index.php?scr=1 - URI - Amadey C2 Endpoint

/jg94cVd30f/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/mBsjv2swweP/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/rSbFldr23/Plugins/cred64.dll - URI - Amadey C2 Endpoint

/Plugins/cred64.dll - URI - Amadey C2 Endpoint

Mitre Attack and Mapping 

Collection:

T1185 - Man the Browser

Initial Access and Resource Development:

T1189 - Drive-by Compromise

T1588.001 - Malware

Persistence:

T1176 - Browser Extensions

Command and Control:

T1071 - Application Layer Protocol

T1071.001 - Web Protocols

T1090.002 - External Proxy

T1095 - Non-Application Layer Protocol

T1571 - Non-Standard Port

T1105 - Ingress Tool Transfer

References 

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

[2] https://asec.ahnlab.com/en/41450/

[3] https://asec.ahnlab.com/en/36634/

¿Te gusta esto y quieres más?

Reciba el último blog en su bandeja de entrada
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.
DENTRO DEL SOC
Darktrace son expertos de talla mundial en inteligencia de amenazas, caza de amenazas y respuesta a incidentes, y proporcionan apoyo al SOC las 24 horas del día a miles de clientes de Darktrace en todo el mundo. Inside the SOC está redactado exclusivamente por estos expertos y ofrece un análisis de los ciberincidentes y las tendencias de las amenazas, basado en la experiencia real sobre el terreno.
AUTOR
SOBRE EL AUTOR
Zoe Tilsiter
Cyber Analyst
The Darktrace Threat Research Team
share this article
CASOS DE USO
No se ha encontrado ningún artículo.
Cobertura básica
No se ha encontrado ningún artículo.

Blog

Dentro del SOC

How Abuse of ‘PerfectData Software’ May Create a Perfect Storm: An Emerging Trend in Account Takeovers

Default blog imageDefault blog image
05
Jun 2023

Amidst the ever-changing threat landscape, new tactics, techniques, and procedures (TTPs) seem to emerge daily, creating extreme challenges for security teams. The broad range of attack methods utilized by attackers seems to present an insurmountable problem: how do you defend against a playbook that does not yet exist?

Faced with the growing number of novel and uncommon attack methods, it is essential for organizations to adopt a security solution able to detect threats based on their anomalies, rather than relying on threat intelligence alone.   

In March 2023, Darktrace observed an emerging trend in the use of an application known as ‘PerfectData Software’ for probable malicious purposes in several Microsoft 365 account takeovers.

Using its anomaly-based detection, Darktrace DETECT™ was able to identify the activity chain surrounding the use of this application, potentially uncovering a novel piece of threat actor tradecraft in the process.

Microsoft 365 Intrusions

In recent years, Microsoft’s Software-as-a-Service (SaaS) suite, Microsoft 365, along with its built-in identity and access management (IAM) service, Azure Active Directory (Azure AD), have been heavily targeted by threat actors due to their near-ubiquitous usage across industries. Four out of every five Fortune 500 companies, for example, use Microsoft 365 services [1].  

Malicious actors typically gain entry to organizations’ Microsoft 365 environments by abusing either stolen account credentials or stolen session cookies [2]. Once inside, actors can access sensitive data within mailboxes or SharePoint repositories, and send out emails or Teams messages. This activity can often result in serious financial harm, especially in cases where the malicious actor’s end-goal is to elicit fraudulent transactions.  

Darktrace regularly observes malicious actors behaving in predictable ways once they gain access to customer Microsoft 365 environment. One typical example is the creation of new inbox rules and sending deceitful emails intended to convince recipients to carry out subsequent actions, such as following a malicious link or providing sensitive information. It is also common for actors to register new applications in Azure AD so that they can be used to conduct follow-up activities, like mass-mailing or data theft. The registration of applications in Azure AD therefore seems to be a relatively predictable threat actor behavior [3][4]. Darktrace DETECT understands that unusual application registrations in Azure AD may constitute a deviation in expected behavior, and therefore a possible indicator of account compromise.

These registrations of applications in Azure AD are evidenced by creations of, as well as assignments of permissions to, Service Principals in Azure AD. Darktrace has detected a growing trend in actors creating and assigning permissions to a Service Principal named ‘PerfectData Software’. Further investigation of this Azure AD activity revealed it to be part of an ongoing account takeover. 

 ‘PerfectData Software’ Activity 

Darktrace observed variations of the following pattern of activity relating to an application named ‘PerfectData Software’ within its customer base:

  1. Actor signs in to a Microsoft 365 account from an endpoint associated with a Virtual Private Server (VPS) or Virtual Private Network (VPN) service
  2. Actor registers an application called 'PerfectData Software' with Azure AD, and then grants permissions to the application
  3. Actor accesses mailbox data and creates inbox rule 

In two separate incidents, malicious actors were observed conducting their activities from endpoints associated with VPN services (HideMyAss (HMA) VPN and Surfshark VPN, respectively) and from endpoints within the Autonomous System AS396073 MAJESTIC-HOSTING-01. 

In March 2023, Darktrace observed a malicious actor signing in to a Microsoft 365 account from a Kuwait-based IP address within the Autonomous System, AS198605 AVAST Software s.r.o. This IP address is associated with the VPN service, HMA VPN. Over the next couple of days, an actor (likely the same malicious actor) signed in to the account several more times from two different Nigeria-based endpoints, as well as a VPS-related endpoint and a HMA VPN endpoint. 

During their login sessions, the actor performed a variety of actions. First, they created and assigned permissions to a Service Principal named ‘PerfectData Software’. This Service Principal creation represents the registration of an application called ‘PerfectData Software’ in Azure AD.  Although the reason for registering this application is unclear, within a few days the actor registered and granted permission to another application, ‘Newsletter Software Supermailer’, and created a new inbox rule names ‘s’ on the mailbox of the hijacked account. This inbox rule moved emails meeting certain conditions to a folder named ‘RSS Subscription. The ‘Newsletter Software Supermailer’ application was likely registered by the actor to facilitate mass-mailing activity.

Immediately after these actions, Darktrace detected the actor sending out thousands of malicious emails from the account. The emails included an attachment named ‘Credit Transfer Copy.html’, which contained a suspicious link. Further investigation revealed that the customer’s network had received several fake invoice emails prior to this initial intrusion activity. Additionally, there was an unusually high volume of failed logins to the compromised account around the time of the initial access. 

Figure 1: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.
Figure 1: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.

In a separate case also observed by Darktrace in March 2023, a malicious actor was observed signing in to a Microsoft 365 account from an endpoint within the Autonomous System, AS397086 LAYER-HOST-HOUSTON. The endpoint appears to be related to the VPN service, Surfshark VPN. This login was followed by several failed and successful logins from a VPS-related within the Autonomous System, AS396073 MAJESTIC-HOSTING-01. The actor was then seen registering and assigning permissions to an application called ‘PerfectData Software’. As with the previous example, the motives for this registration are unclear. The actor proceeded to log in several more times from a Surfshark VPN endpoint, however, they were not observed carrying out any further suspicious activity. 

Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.
Figure 2: Advanced Search logs depicting the steps which the actor took after logging in to a user’s Microsoft 365 account.

It was not clear in either of these examples, nor in fact any of cases observed by Darktrace, why actors had registered and assigned permissions to an application called ‘PerfectData Software’, and there do not appear to be any open-source intelligence (OSINT) resources or online literature related to the malicious usage of an application by that name. That said, there are several websites which appear to provide email migration and data recovery/backup tools under the moniker ‘PerfectData Software’. 

It is unclear whether the use of ‘PerfectData Software’ by malicious actors observed on the networks of Darktrace customers was one of these tools. However, given the nature of the tools, it is possible that the actors intended to use them to facilitate the exfiltration of email data from compromises mailboxes.

If the legitimate software ‘PerfectData’ is the application in question in these incidents, it is likely being purchased and misused by attackers for malicious purposes. It is also possible the application referenced in the incidents is a spoof of the legitimate ‘PerfectData’ software designed to masquerade a malicious application as legitimate.

Darktrace Coverage

Cases of ‘PerfectData Software’ activity chains detected by Darktrace typically began with an actor signing into an internal user’s Microsoft 365 account from a VPN or VPS-related endpoint. These login events, along with the suspicious email and/or brute-force activity which preceded them, caused the following DETECT models to breach:

  • SaaS / Access / Unusual External Source for SaaS Credential Use
  • SaaS / Access / Suspicious Login Attempt
  • SaaS / Compromise / Login From Rare Following Suspicious Login Attempt(s)
  • SaaS / Email Nexus / Unusual Location for SaaS and Email Activity

Subsequent activities, including inbox rule creations, registration of applications in Azure AD, and mass-mailing activity, resulted in breaches of the following DETECT models.

  • SaaS / Admin / OAuth Permission Grant 
  • SaaS / Compromise / Unusual Logic Following OAuth Grant 
  • SaaS / Admin / New Application Service Principal
  • IaaS / Admin / Azure Application Administration Activities
  • SaaS / Compliance / New Email Rule
  • SaaS / Compromiso / Inicio de sesión inusual y nueva regla de correo electrónico
  • SaaS / Email Nexus / Suspicious Internal Exchange Activity
  • SaaS / Email Nexus / Possible Outbound Email Spam
  • SaaS / Compromise / Unusual Login and Outbound Email Spam
  • SaaS / Compromise / Suspicious Login and Suspicious Outbound Email(s)
DETECT Model Breaches highlighting unusual login and 'PerfectData Software' registration activity from a malicious actor
Figure 3: DETECT Model Breaches highlighting unusual login and 'PerfectData Software' registration activity from a malicious actor.

In cases where Darktrace RESPOND™ was enabled in autonomous response mode, ‘PerfectData Software’ activity chains resulted in breaches of the following RESPOND models:

• Antigena / SaaS / Antigena Suspicious SaaS Activity Block

• Antigena / SaaS / Antigena Significant Compliance Activity Block

In response to these model breaches, Darktrace RESPOND took immediate action, performing aggressive, inhibitive actions, such as forcing the actor to log out of the SaaS platform, and disabling the user entirely. When applied autonomously, these RESPOND actions would seriously impede an attacker’s progress and minimize network disruption.

Figure 4: A RESPOND model breach created in response to a malicious actor's registration of 'PerfectData Software'

In addition, Darktrace Cyber AI Analyst was able to autonomously investigate registrations of the ‘PerfectData Software’ application and summarized its findings into digestible reports. 

A Cyber AI Analyst Incident Event log
Figure 5: A Cyber AI Analyst Incident Event log showing AI Analyst autonomously pivoting off a breach of 'SaaS / Admin / OAuth Permission Grant' to uncover details of an account hijacking.

Conclusion 

Due to the widespread adoption of Microsoft 365 services in the workplace and continued emphasis on a remote workforce, account hijackings now pose a more serious threat to organizations around the world than ever before. The cases discussed here illustrate the tendency of malicious actors to conduct their activities from endpoints associated with VPN services, while also registering new applications, like PerfectData Software, with malicious intent. 

While it was unclear exactly why the malicious actors were using ‘PerfectData Software’ as part of their account hijacking, it is clear that either the legitimate or spoofed version of the application is becoming an very likely emergent piece of threat actor tradecraft.

Darktrace DETECT’s anomaly-based approach to threat detection allowed it to recognize that the use of ‘PerfectData Software’ represented a deviation in the SaaS user’s expected behavior. While Darktrace RESPOND, when enabled in autonomous response mode, was able to quickly take preventative action against threat actors, blocking the potential use of the application for data exfiltration or other nefarious purposes.

Appendices

MITRE ATT&CK Mapping

Reconnaissance:

T1598 ­– Phishing for Information

Credential Access:

T1110 – Brute Force

Initial Access:

T1078.004 – Valid Accounts: Cloud Accounts

Command and Control:

T1105 ­– Ingress Tool Transfer

Persistence:

T1098.003 – Account Manipulation: Additional Cloud Roles 

Collection:

• T1114 – Email Collection 

Defense Evasion:

• T1564.008 ­– Hide Artifacts: Email Hiding Rules­

Lateral Movement:

T1534 – Internal Spearphishing

Unusual Source IPs

• 5.62.60[.]202  (AS198605 AVAST Software s.r.o.) 

• 160.152.10[.]215 (AS37637 Smile-Nigeria-AS)

• 197.244.250[.]155 (AS37705 TOPNET)

• 169.159.92[.]36  (AS37122 SMILE)

• 45.62.170[.]237 (AS396073 MAJESTIC-HOSTING-01)

• 92.38.180[.]49 (AS202422 G-Core Labs S.A)

• 129.56.36[.]26 (AS327952 AS-NATCOM)

• 92.38.180[.]47 (AS202422 G-Core Labs S.A.)

• 107.179.20[.]214 (AS397086 LAYER-HOST-HOUSTON)

• 45.62.170[.]31 (AS396073 MAJESTIC-HOSTING-01)

References

[1] https://www.investing.com/academy/statistics/microsoft-facts/

[2] https://intel471.com/blog/countering-the-problem-of-credential-theft

[3] https://darktrace.com/blog/business-email-compromise-to-mass-phishing-campaign-attack-analysis

[4] https://darktrace.com/blog/breakdown-of-a-multi-account-compromise-within-office-365

Continue reading
About the author
Sam Lister
Analista SOC

Blog

Cloud

Darktrace Integrates Self-Learning AI with Amazon Security Lake to Support Security Investigations

Default blog imageDefault blog image
31
May 2023

Darktrace has deepened its relationship with AWS by integrating its detection and response capabilities with Amazon Security Lake

This development will allow mutual customers to seamlessly combine Darktrace AI’s bespoke understanding of their organization with the Threat Intelligence offered by other security tools, and investigate all of their alerts in one central location. 

This integration will improve the value security teams get from both products, streamlining analyst workflows and improving their ability to detect and respond to the full spectrum of known and unknown cyber-threats. 

How Darktrace and Amazon Security Lake augment security teams

Amazon Security Lake is a newly-released service that automatically centralizes an organization’s security data from cloud, on-premises, and custom sources into a customer owned purpose-built data lake. Both Darktrace and Amazon Security Lake support the Open Cybersecurity Schema Framework (OCSF), an open standard to simplify, combine, and analyze security logs.  

Customers can store security logs, events, alerts, and other relevant data generated by various AWS services and security tools. By consolidating security data in a central lake, organizations can gain a holistic view of their security posture, perform advanced analytics, detect anomalies and open investigations to improve their security practices.

With Darktrace DETECT and RESPOND AI engines covering all assets across IT, OT, network, endpoint, IoT, email and cloud, organizations can augment the value of their security data lakes by feeding Darktrace’s rich and context-aware datapoints to Amazon Security Lake. 

Amazon Security Lake empowers security teams to improve the protection of your digital estate:

  • Quick and painless data normalization 
  • Fast-tracks ability to investigate, triage and respond to security events
  • Broader visibility aids more effective decision-making
  • Surfaces and prioritizes anomalies for further investigation
  • Single interface for seamless data management

How will Darktrace customers benefit?

Across the Cyber AI Loop, all Darktrace solutions have been architected with AWS best practices in mind. With this integration, Darktrace is bringing together its understanding of ‘self’ for every organization with the centralized data visibility of the Amazon Security Lake. Darktrace’s unique approach to cyber security, powered by groundbreaking AI research, delivers a superior dataset based on a deep and interconnected understanding of the enterprise. 

Where other cyber security solutions are trained to identify threats based on historical attack data and techniques, Darktrace DETECT gains a bespoke understanding of every digital environment, continuously analyzing users, assets, devices and the complex relationships between them. Our AI analyzes thousands of metrics to reveal subtle deviations that may signal an evolving issue – even unknown techniques and novel malware. It distinguishes between malicious and benign behavior, identifying harmful activity that typically goes unnoticed. This rich dataset is fed into RESPOND, which takes precise action to neutralize threats against any and every asset, no matter where data resides.

Both DETECT and RESPOND are supported by Darktrace Self-Learning AI, which provides full, real-time visibility into an organization’s systems and data. This always-on threat analysis already makes humans better at cyber security, improving decisions and outcomes based on total visibility of the digital ecosystem, supporting human performance with AI coverage and empowering security teams to proactively protect critical assets.  

Converting Darktrace alerts to the Amazon Security Lake Open Cybersecurity Schema Framework (OCSF) supplies the Security Operations Center (SOC) and incident response team with contextualized data, empowering them to accelerate their investigation, triage and response to potential cyber threats. 

Darktrace is available for purchase on the AWS Marketplace.

Learn more about how Darktrace provides full-coverage, AI-powered cloud security for AWS, or see how our customers use Darktrace in their AWS cloud environments.

Continue reading
About the author
Nabil Zoldjalali
VP, Innovación Tecnológica

Artículos relacionados

No se ha encontrado ningún artículo.

Buenas noticias para su negocio.
Malas noticias para los malos.

Inicie su prueba gratuita

Inicie su prueba gratuita

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
¡Ups! Algo salió mal al enviar el formulario.

Obtenga una demostración

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.