Predicting the Future of Cyber Security and Cyber Threats
13
Feb 2024
13
Feb 2024
Read about cyber security predictions and cyber threats in 2024. Staying up-to-date on cyber attacks and cyber security is vital to all organizations.
2024 Cyber Threat Predictions
After analyzing the observed threats and trends that have affected customers across the Darktrace fleet in the second half of 2023, the Darktrace Threat Research team have made a series of predictions. These assessments highlight the threats that are expected to impact Darktrace customers and the wider threat landscape in 2024.
1. Initial access broker malware, especially loader malware, is likely to be a prominent threat.
Initial access malware such as loaders, information stealers, remote access trojans (RATs), and downloaders, will probably remain some of the most relevant threats to most organizations, especially when noted in the context that many are interoperable, tailorable Malware-as-a-Service (MaaS) tools.
These types of malware often serve as a gateway for threat actors to compromise a target network before launching subsequent, and often more severe, attacks. Would-be cyber criminals are now able to purchase and deploy these malware without the need for technical expertise.
2. Infrastructure complexity will increase SaaS attacks and leave cloud environments vulnerable.
The increasing reliance on SaaS solutions and platforms for business operations, coupled with larger attack surfaces than ever before, make it likely that attackers will continue targeting organizations’ cloud environments with account takeovers granting unauthorized access to privileged accounts. These account hijacks can be further exploited to perform a variety of nefarious activities, such as data exfiltration or launching phishing campaigns.
It is paramount for organizations to not only fortify their SaaS environments with security strategies including multifactor authentication (MFA), regular monitoring of credential usage, and strict access control, but moreover augment SaaS security using anomaly detection.
3. The prevalence and evolution of ransomware will surge.
The Darktrace Threat Research team anticipates a surge in Ransomware-as-a-Service (RaaS) attacks, marking a shift away from conventional ransomware. The uptick in RaaS observed in 2023 evidences that ransomware itself is becoming increasingly accessible, lowering the barrier to entry for threat actors. This surge also demonstrates how lucrative RaaS is for ransomware operators in the current threat landscape, further reinforcing a rise in RaaS.
This development is likely to coincide with a pivot away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods. Rather than relying solely on encrypting a target’s data for ransom, malicious actors are expected to employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.
4. Threat actors will continue to rely on living-off-the-land techniques.
With evolving sophistication of security tools and greater industry adoption of AI techniques, threat actors have focused more and more on living-off-the-land. The extremely high volume of vulnerabilities discovered in 2023 highlights threat actors’ persistent need to compromise trusted organizational mechanisms and infrastructure to gain a foothold in networks. Although inbox intrusions remain prevalent, the exploitation of edge infrastructure has demonstrably expanded compared to previously endpoint-focused attacks.
Given the prevalence of endpoint evasion techniques and the high proportion of tactics utilizing native programs, threat actors will likely progressively live off the land, even utilizing new techniques or vulnerabilities to do so, rather than relying on unidentified malicious programs which evade traditional detection.
5. The “as-a-Service” marketplace will contribute to an increase in multi-phase compromises.
With the increasing “as-a-Service” marketplaces, it is likely that organizations will face more multi-phase compromises, where one strain of malware is observed stealing information and that data is sold to additional threat actors or utilized for second and/or third-stage malware or ransomware.
This trend builds on the concept of initial access brokers but utilizes basic browser scraping and data harvesting to make as much profit throughout the compromise process as possible. This will likely result in security teams observing multiple malicious tools and strains of malware during incident response and/or multi-functional malware, with attack cycles and kill chains morphing into less linear and more abstract chains of activity. This makes it more essential than ever for security teams to apply an anomaly approach to stay ahead of asymmetric threats.
6. Generative AI will let attackers phish across language barriers.
Classic phishing scams play a numbers game, targeting as many inboxes as possible and hoping that some users take the bait, even if there are spelling and grammar errors in the email. Now, Generative AI has reduced the barrier for entry, so malicious actors do not have to speak English to produce a convincing phishing email.
In 2024, we anticipate this to extend to other languages and regions. For example, many countries in Asia have not yet been greatly impacted by phishing. Yet Generative AI continues to develop, with improved data input yielding improved output. More phishing emails will start to be generated in various languages with increasing sophistication.
7. AI regulation and data privacy rules will stifle AI adoption.
AI regulation, like the European Union’s AI Act, is starting to be implemented around the world. As policies continue to come out about AI and data privacy, practical and pragmatic AI adoption becomes more complex.
Businesses will likely have to take a second look at AI they are adopting into their tech stacks to consider what may happen if a tool is suddenly deprecated because it is no longer fit for purpose or loses the approvals in place. Many will also have to use completely different supply chain evaluations from their usual ones based on developing compliance registrars. This increased complication may make businesses reticent to adopt innovative AI solutions as legislation scrambles to keep up.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Connecting the Dots: Darktrace’s Detection of the Exploitation of the ConnectWise ScreenConnect Vulnerabilities
10
May 2024
Introduction
Across an ever changing cyber landscape, it is common place for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly utilized services and applications. While attackers are likely to prioritize developing exploits for the more severe and global Common Vulnerabilities and Exposures (CVEs), they typically have the most success exploiting known vulnerabilities within the first couple years of disclosure to the public.
Addressing these vulnerabilities in a timely manner reduces the effectiveness of known vulnerabilities, decreasing the pace of malicious actor operations and forcing pursuit of more costly and time-consuming methods, such as zero-day related exploits or attacking software supply chain operations. While actors also develop tools to exploit other vulnerabilities, developing exploits for critical and publicly known vulnerabilities gives actors impactful tools at a low cost they are able to use for quite some time.
Between January and March 2024, the Darktrace Threat Research team investigated one such example that involved indicators of compromise (IoCs) suggesting the exploitation of vulnerabilities in ConnectWise’s remote monitoring and management (RMM) software ScreenConnect.
What are the ConnectWise ScreenConnect vulnerabilities?
CVE-2024-1708 is an authentication bypass vulnerability in ScreenConnect 23.9.7 (and all earlier versions) that, if exploited, would enable an attacker to execute remote code or directly impact confidential information or critical systems. This exploit would pave the way for a second ScreenConnect vunerability, CVE-2024-1709, which allows attackers to directly access confidential information or critical systems [1].
ConnectWise released a patch and automatically updated cloud versions of ScreenConnect 23.9.9, while urging security temas to update on-premise versions immediately [3].
If exploited in conjunction, these vulnerabilities could allow a malicious actor to create new administrative accounts on publicly exposed instances by evading existing security measures. This, in turn, could enable attackers to assume an administrative role and disable security tools, create backdoors, and disrupt RMM processes. Access to an organization’s environment in this manner poses serious risk, potentially leading to significant consequences such as deploying ransomware, as seen in various incidents involving the exploitation of ScreenConnect [2]
Darktrace’s anomaly-based detection was able to identify evidence of exploitation related to CVE-2024-1708 and CVE-2024-1709 across two distinct timelines; these detections included connectivity with endpoints that were later confirmed to be malicious by multiple open-source intelligence (OSINT) vendors. The activity observed by Darktrace suggests that threat actors were actively exploiting these vulnerabilities across multiple customer environments.
In the cases observed across the Darktrace fleet, Darktrace DETECT™ and Darktrace RESPOND™ were able to work in tandem to pre-emptively identify and contain network compromises from the onset. While Darktrace RESPOND was enabled in most customer environments affected by the ScreenConnect vulnerabilities, in the majority of cases it was configured in Human Confirmation mode. Whilst in Human Confirmation mode, RESPOND will provide recommended actions to mitigate ongoing attacks, but these actions require manual approval from human security teams.
When enabled in autonomous response mode, Darktrace RESPOND will take action automatically, shutting down suspicious activity as soon as it is detected without the need for human intervention. This is the ideal end state for RESPOND as actions can be taken at machine speed, without any delays waiting for user approval.
Looking within the patterns of activity observed by Darktrace , the typical attack timeline included:
Darktrace observed devices on affected customer networks performing activity indicative of ConnectWise ScreenConnect usage, for example connections over 80 and 8041, connections to screenconnect[.]com, and the use of the user agent “LabTech Agent”. OSINT research suggests that this user agent is an older name for ConnectWise Automate [5] which also includes ScreenConnect as standard [6].
Figure 1: Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.
This activity was typically followed by anomalous connections to the external IP address 108.61.210[.]72 using URIs of the form “/MyUserName_DEVICEHOSTNAME”, as well as additional connections to another external, IP 185.62.58[.]132. Both of these external locations have since been reported as potentially malicious [14], with 185.62.58[.]132 in particular linked to ScreenConnect post-exploitation activity [2].
Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.
Same Exploit, Different Tactics?
While the majority of instances of ConnectWise ScreenConnect exploitation observed by Darktrace followed the above pattern of activity, Darktrace was able to identify some deviations from this.
In one customer environment, Darktrace’s detection of post-exploitation activity began with the same indicators of ScreenConnect usage, including connections to screenconnect[.]com via port 8041, followed by connections to unusual domains flagged as malicious by OSINT, in this case 116.0.56[.]101 [16] [17]. However, on this deployment Darktrace also observed threat actors downloading a suspicious AnyDesk installer from the endpoint with the URI “hxxp[:]//116.0.56[.]101[:]9191/images/Distribution.exe”.
Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.
Further investigation by Darktrace’s Threat Research team revealed that this endpoint was associated with threat actors exploiting CVE-2024-1708 and CVE-2024-1709 [1]. Darktrace was additionally able to identify that, despite the customer being based in the United Kingdom, the file downloaded came from Pakistan. Darktrace recognized that this represented a deviation from the device’s expected pattern of activity and promptly alerted for it, bringing it to the attention of the customer.
Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.
Darktrace’s Autonomous Response
In this instance, the customer had Darktrace enabled in autonomous response mode and the post-exploitation activity was swiftly contained, preventing the attack from escalating.
As soon as the suspicious AnyDesk download was detected, Darktrace RESPOND applied targeted measures to prevent additional malicious activity. This included blocking connections to 116.0.56[.]101 and “*.56.101”, along with blocking all outgoing traffic from the device. Furthermore, RESPOND enforced a “pattern of life” on the device, restricting its activity to its learned behavior, allowing connections that are considered normal, but blocking any unusual deviations.
Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.
The customer was later able to use RESPOND to manually quarantine the offending device, ensuring that all incoming and outgoing traffic to or from the device was prohibited, thus preventing ay further malicious communication or lateral movement attempts.
Figure 8: The actions applied by Darktrace RESPOND in response to the post-exploitation activity related to the ScreenConnect vulnerabilities, including the manually applied “Quarantine device” action.
Conclusion
In the observed cases of the ConnectWise ScreenConnect vulnerabilities being exploited across the Darktrace fleet, Darktrace was able to pre-emptively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.
While much of the post-exploitation activity observed by Darktrace remained the same across different customer environments, important deviations were also identified suggesting that threat actors may be adapting their tactics, techniques and procedures (TTPs) from campaign to campaign.
While new vulnerabilities will inevitably surface and threat actors will continually look for novel ways to evolve their methods, Darktrace’s Self-Learning AI and behavioral analysis offers organizations full visibility over new or unknown threats. Rather than relying on existing threat intelligence or static lists of “known bads”, Darktrace is able to detect emerging activity based on anomaly and respond to it without latency, safeguarding customer environments whilst causing minimal disruption to business operations.
Credit: Emma Foulger, Principal Cyber Analyst for their contribution to this blog.
Appendices
Darktrace Model Coverage
DETECT Models
Compromise / Agent Beacon (Medium Period)
Compromise / Agent Beacon (Long Period)
Anomalous File / EXE from Rare External Location
Device / New PowerShell User Agent
Anomalous Connection / Powershell to Rare External
Anomalous Connection / New User Agent to IP Without Hostname
User / New Admin Credentials on Client
Device / New User Agent
Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
Anomalous Server Activity / Anomalous External Activity from Critical Network Device
Compromise / Suspicious Request Data
Compliance / Remote Management Tool On Server
Anomalous File / Anomalous Octet Stream (No User Agent)
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
08
May 2024
Why do we pay attention to the end user?
Every email security solution filters inbound mail, then typically hands over false positives and false negatives to the security team for manual triage. A crucial problem with this lifecycle is that it ignores the inevitability of end users being at the front line of any organization. Employees may receive point in time security awareness training, but it is rarely engaging or contextualized to their reality. While an employee may report a suspicious-looking email to the security team, they will rarely get to understand the outcome or impact of that decision. This means that the quality of reporting never improves, so the burden on the security team of triaging these emails – of which 90% are falsely reported – persists and grows with the business over time.
At Darktrace, we recognize that employees will always be on the front line of email security. That’s why we aim to improve end-user reporting from the ground up, reducing the overall number of emails needing triage and saving security team resource.
How does Darktrace improve the quality of end-user reporting?
Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one. We train users and optimize their experience, which in turn provides better detection.
That starts with training and security awareness. Traditionally, organizations oblige employees to attend point-in-time training sessions which interrupt their daily work schedules. With Darktrace/Email, if a message contains some potentially suspicious markers but is most likely safe, Darktrace takes a specific action to neutralize the risky components and presents it to the user with a simple narrative explaining why certain elements have been held back. The user can then decide whether to report this email to the security team.
Figure 1: AI shares its analysis in context and in real time at the moment a user is questioning an email
The AI narrative gives the user context for why their specific email may carry risk, putting their security awareness training into practice. This creates an element of trust with the security solution, rather than viewing it as outside of daily workflows. Users may also receive a daily or weekly digest of their held emails and make a decision on whether to release or report them.
Whatever the user’s existing workflow is for reporting emails, Darktrace/Email can integrate with it and improve its quality. Our add-in for Outlook gives users a fully optimized experience, allowing them to engage with the narratives for each email, as well as non-productive mail management. However, if teams want to integrate Darktrace into an existing workflow, it can analyze emails reported to an internal SOC mailbox, the native email provider’s 'Report Phish’ button, or the ‘Knowbe4’ button.
By empowering the user with contextual feedback on each unique email, we foster employee engagement and elevate both reporting quality and security awareness. In fact, 60% fewer benign emails are reported because of the extra context supplied by Darktrace to end users. The eventual report is then fed back to the detection algorithm, improving future decision-making.
Reducing the amount of emails that reach the SOC
Out of the higher-quality emails that do end up being reported by users, the next step is to reduce the amount of emails that reach the SOC.
Once a user reports an email, Darktrace will independently determine if the mail should be automatically remediated based on second level triage. Darktrace/Email’s Mailbox Security Assistant automates secondary triage by combining additional behavioral signals and the most advanced link analysis engine we have ever built. It detects 70% more sophisticated malicious phishing links by looking at an additional twenty times more context than at the primary analysis stage, revealing the hidden intent within interactive and dynamic webpages. This directly alleviates the burden of manual triage for security analysts.
Following this secondary triage the emails that are deemed worthy of security team attention are then passed over, resulting in a lower quantity and higher quality of emails for SOC manual triage.
Centralizing and speeding analysis for investigations
For those emails that are received by the SOC, Darktrace also helps to improve triage time for manual remediation.
AI-generated narratives and automated remediation actions empower teams to fast-track manual triage and remediation, while still providing security analysts with the necessary depth. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. With all security workflows consolidated within a unified interface, users can analyze and take remediation actions without the need to navigate multiple tools, such as e-discovery platforms – eliminating console hopping and accelerating incident response.
Our customers tell us that our AI allows them to go in-depth quickly for investigations, versus other solutions that only provide a high-level view.
Figure 2: Cyber AI Analyst provides a simple language narrative for each reported email, allowing teams to quickly understand why it may be suspicious
Conclusion
Unlike our competitors, we believe that improving the quality of users’ experience is not only a nice-to-have, but a fundamental means for improving security. Any modern solution should consider end users as a key source of information as well as an opportunity for defense. Darktrace does both – optimizing the user experience as well as our AI learning from the user to augment detection.
The benefits of empowering users are ultimately felt by the security team, who benefit from improved detection, a reduction in manual triage of benign emails, and faster investigation workflows.
Augmented end user reporting is just one of a range of features new to Darktrace/Email. Check out the latest Innovations to Darktrace/Email in our recent blog.
![Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e65c6b0ee97378e4509af_Screenshot%202024-05-10%20at%2011.21.43%20AM.png)
![Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e66b4de1b5491cb1af256_Screenshot%202024-05-10%20at%2011.22.47%20AM.png)
![Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e66d3c53f1631e9d6f3ec_Screenshot%202024-05-10%20at%2011.23.04%20AM.png)
![Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e671300e1a5b26483fcea_Screenshot%202024-05-10%20at%2011.27.20%20AM.png)
![Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e67ff976d5b71245b32a4_Screenshot%202024-05-10%20at%2011.31.17%20AM.png)
