
Uncovering a Cryptocurrency Farm | Crypto-Mining Malware | Darktrace Blog


Using leaked credentials to gain unauthorized access

Dark web marketplaces selling sensitive data have increased accessibility for malicious actors, similar to Ransomware-as-a-Service (RaaS), lowering the barrier to entry usually associated with malicious activity. By using leaked credentials, malicious actors can easily gain unauthorized access to accounts and systems which they can leverage to carry out malicious activities like data exfiltration or malware deployment.

Usage of leaked credentials by malicious actors is a persistent concern for both organizations and security providers. Google Cloud's 'H1 2024 Threat Horizons Report' details that initial access seen in 2.9% of cloud compromises observed on Google Cloud resulted from leaked credential usage [1], with the 'IBM X-Force Threat Intelligence Index 2024' reporting a 71% year-on-year increase in cyber-attacks which utilize stolen or compromised credentials [2].

Darktrace coverage of leaked credentials

In early 2024, one Darktrace customer was compromised by a malicious actor after their internal credentials had been leaked on the dark web. Subsequent attack phases were detected by Darktrace/Network and the customer was alerted to the suspicious activity via the Proactive Threat Notification (PTN) service, following an investigation by Darktrace's Security Operations Center (SOC).

Darktrace detected a device on the network of a customer in the US carrying out a string of anomalous activity indicative of network compromise. The device was observed using a new service account to authenticate to a Virtual Private Network (VPN) server, before proceeding to perform a range of suspicious activity including internal reconnaissance and lateral movement.

Malicious actors likely gained access to a previously unused service account for which they were able to set up multi-factor authentication (MFA) to access the VPN. As this MFA setup was made possible by the configuration of the customer's managed service provider (MSP), the initial access phase of the attack fell outside of Darktrace's purview.

Unfortunately for the customer in this case, Darktrace RESPOND™ was not enabled on the network at the time of the attack. Had RESPOND been active, it would have been able to autonomously act against the malicious activity by disabling users, strategically blocking suspicious connections and limiting devices to their expected patterns of activity.

Network Scanning Activity

On February 22, 2024, Darktrace detected the affected device performing activity indicative of network scanning, specifically initiating connections on multiple ports, including ports 80, 161, 389 and 445, to other internal devices. While many of these internal connection attempts were unsuccessful, some successful connections were observed.

Devices on a network can gather information about other internal devices by performing network scanning activity. Defensive scanning can be used to support network security, allowing internal security teams to discover vulnerabilities and potential entry points that require their attention; however, attackers are also able to take advantage of such information, such as open ports and services available on internal devices, with offensive scanning.

Brute Force Login Attempts

Darktrace proceeded to identify the malicious actor attempting to access a previously unused service account for which they were able to successfully set up MFA to access the organization's VPN. As the customer's third-party MSP had been configured to allow all users to log in to the organization's VPN using MFA, this login was successful. Moreover, the service account had never previously been used and MFA had never been established, allowing the attacker to leverage it for their own nefarious means.

Darktrace/Network identified the attacker attempting to authenticate over the Kerberos protocol using a total of 30 different usernames, of which two were observed successfully authenticating. There was a total of 6 successful Kerberos logins identified from two different credentials. Darktrace also observed over 100 successful NTLM attempts from the same device for multiple usernames including "Administrator" and "mail". These credentials were later confirmed by the customer to have been stolen and leaked on the dark web.

Figure 1: Advanced Search query results showing the usernames that successfully authenticated via NTLM.

Even though MFA requirements were satisfied when the threat actor accessed the organization's VPN, Darktrace recognized that this activity represented a deviation from its previously learned behavior.

Malicious actors frequently attempt to gain unauthorized access to accounts and internal systems by performing login attempts using multiple possible usernames and passwords. This type of brute-force activity is often done using computational power via the use of software or scripts to attempt different username/password combinations until one is successful.

By purchasing stolen credentials from dark web marketplaces, attackers are able to significantly increase the success rate of brute-force attacks and, if they do gain access, they can easily act on their objectives, be that exfiltrating sensitive data or moving through their target networks to further the compromise.
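The username brute-force pattern described above (many distinct usernames from one source over Kerberos and NTLM, a handful of which succeed) can be spotted from authentication logs alone. The following is an added example, not Darktrace's own model logic: it groups authentication events by source host, alerts when the number of distinct usernames tried crosses a threshold, and reports which of those usernames actually authenticated. The events, the hosts 10.0.0.23 and 10.0.0.50, the username names and the threshold of 20 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events; they are not taken from the original post.
# Each tuple is (protocol, source_host, username, success).
SPRAY_HOST = "10.0.0.23"
EVENTS = []
for i in range(30):                                    # 30 distinct Kerberos usernames tried
    EVENTS.append(("kerberos", SPRAY_HOST, f"svc-user{i:02d}", False))
for user in ("svc-user03", "svc-user17"):              # two of them later succeed, 3 logins each
    EVENTS += [("kerberos", SPRAY_HOST, user, True)] * 3
EVENTS += [("ntlm", SPRAY_HOST, "Administrator", True)] * 2
EVENTS.append(("ntlm", SPRAY_HOST, "mail", True))
EVENTS += [("kerberos", "10.0.0.50", "alice", True)] * 2   # benign workstation, one user

USERNAME_THRESHOLD = 20   # assumed tuning value, not a Darktrace setting


def detect_username_spray(events, threshold=USERNAME_THRESHOLD):
    """Return {source_host: summary} for every host that tried at least
    `threshold` distinct usernames, with the usernames that succeeded and
    the attempt count per protocol (Kerberos vs NTLM)."""
    tried = defaultdict(set)
    succeeded = defaultdict(set)
    per_protocol = defaultdict(lambda: defaultdict(int))
    for protocol, src, user, ok in events:
        tried[src].add(user)
        per_protocol[src][protocol] += 1
        if ok:
            succeeded[src].add(user)
    alerts = {}
    for src, users in tried.items():
        if len(users) >= threshold:
            alerts[src] = {
                "distinct_usernames": len(users),
                "succeeded_usernames": sorted(succeeded[src]),   # accounts to disable first
                "attempts_by_protocol": dict(per_protocol[src]),
            }
    return alerts


if __name__ == "__main__":
    for host, summary in detect_username_spray(EVENTS).items():
        print(host, summary)
```

The succeeded_usernames list is the actionable output: those are the accounts the customer in the write-up had to disable.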

Share Enumeration

Around 30 minutes after the initial network scanning activity, the compromised device was observed performing SMB enumeration using one of the aforementioned accounts. Darktrace understood that this activity was suspicious as the device had never previously been used to perform SMB activity and had not been tagged as a security device.

Figure 2: Darktrace/Network identifying the suspicious SMB enumeration performed by the compromised device.

Such enumeration can be used by malicious actors to gain insights into the structures and configurations of a target device, view permissions associated with shared resources, and also view general identifying information about the system.

Darktrace further identified that the device connected to the named pipe "srvsvc". By enumerating over srvsvc, a threat actor is able to request a list of all available SMB shares on a destination device, enabling further data gathering as part of network reconnaissance. Srvsvc also provides access to remote procedure calls (RPC) for various services on a destination device.

At this stage, a Darktrace/Network Enhanced Monitoring model was triggered for lateral movement activity taking place on the customer's network. As this particular customer was subscribed to the PTN service, the Enhanced Monitoring model alert was promptly triaged and investigated by the Darktrace SOC. The customer was alerted to the emerging activity and given full details of the incident and the SOC team's investigation.

Attack and Reconnaissance Tool Usage

A few minutes later, Darktrace observed the device making a connection with a user agent associated with the Nmap network scanning tool, "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse[.]html)". While these tools are often used legitimately by an organization's security team, they can also be used maliciously by attackers to exploit vulnerabilities that attackers may have unearthed during earlier reconnaissance activity.

As such services are often seen as normal network traffic, attackers can often use them to bypass traditional security measures. Darktrace's Self-Learning AI, however, was able to recognize that the affected device was not a security device and therefore not expected to carry out such activity, even if it was using a legitimate Nmap service.

Figure 3: Darktrace/Network identifying the compromised device using the Nmap scanning tool.

Further Lateral Movement

Following this suspicious Nmap usage, Darktrace observed a range of additional anomalous SMB activity from the aforementioned compromised account. The affected device attempted to establish almost 900 SMB sessions, as well as performing 65 unusual file reads from 29 different internal devices and over 300 file deletes for the file "delete.me" from over 100 devices using multiple paths, including ADMIN$, C$ and print$.

Darktrace also observed the device making multiple DCE-RPC connections associated with Active Directory Domain enumeration, including DRSCrackNames and DRSGetNCChanges; a total of more than 1000 successful DCE-RPC connections were observed to a domain controller.
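Both lateral-movement signals in the two paragraphs above can be expressed as simple rules over SMB and DCE-RPC event logs. The block below is an added example, not Darktrace's own model logic: it flags a source that writes or deletes the same file name on many hosts through administrative shares (the "delete.me" pattern), and a host that is not a known domain controller requesting directory replication via DRSGetNCChanges. The event tuples, the 10.0.0.x/10.0.1.x addresses, the KNOWN_DCS inventory and the host threshold of 25 are constructed assumptions.

```python
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$", "print$"}   # administrative shares named in the incident
KNOWN_DCS = {"10.0.0.5", "10.0.0.6"}        # assumed inventory of domain controllers
HOST_THRESHOLD = 25                         # assumed tuning value, not a Darktrace setting

# Constructed sample events, not from the original post.
# SMB file events: (source, destination, share, action, filename)
SMB_EVENTS = [("10.0.0.50", "10.0.0.8", "finance", "read", "q1.xlsx")]   # benign read
for n in range(1, 121):                                                   # 120 distinct hosts
    SMB_EVENTS.append(("10.0.0.23", f"10.0.1.{n}",
                       "C$" if n % 2 else "ADMIN$", "delete", "delete.me"))
# DCE-RPC events: (source, destination, operation)
RPC_EVENTS = [
    ("10.0.0.23", "10.0.0.5", "DRSCrackNames"),
    ("10.0.0.23", "10.0.0.5", "DRSGetNCChanges"),    # workstation asking a DC to replicate
    ("10.0.0.5", "10.0.0.6", "DRSGetNCChanges"),     # DC-to-DC replication, expected
]


def detect_admin_share_spray(events, threshold=HOST_THRESHOLD):
    """Map (source, filename) -> number of distinct hosts on which that file was
    written or deleted via an administrative share; keep only entries at or
    above the threshold. Reads are ignored: the signal is write access to many hosts."""
    touched = defaultdict(set)
    for src, dst, share, action, fname in events:
        if share in ADMIN_SHARES and action in ("write", "delete"):
            touched[(src, fname)].add(dst)
    return {key: len(hosts) for key, hosts in touched.items() if len(hosts) >= threshold}


def detect_replication_from_non_dc(events, known_dcs=KNOWN_DCS):
    """Return DRSGetNCChanges requests whose source is not a known domain controller.
    Only DCs legitimately pull directory replication data from each other."""
    return sorted({(src, dst, op) for src, dst, op in events
                   if op == "DRSGetNCChanges" and src not in known_dcs})


if __name__ == "__main__":
    print(detect_admin_share_spray(SMB_EVENTS))
    print(detect_replication_from_non_dc(RPC_EVENTS))
```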

As this customer did not have Darktrace/Network's autonomous response deployed on their network, the above detailed lateral movement and network reconnaissance activity was allowed to progress unfettered, until Darktrace's SOC alerted the customer's security team to take urgent action. The customer also received follow-up support through Darktrace's Ask the Expert (ATE) service, allowing them to contact the analyst team directly for further details and assistance on the incident.

Thanks to this early detection, the customer was able to quickly identify and disable affected user accounts, effectively halting the attack and preventing further escalation.

Conclusions

Given the increasing trend of ransomware attackers exfiltrating sensitive data for double extortion and the rise of info stealers, stolen credentials are commonplace across dark web marketplaces. Malicious actors can exploit these leaked credentials to drastically lower the barrier to entry associated with brute-forcing access to their target networks.

While implementing well-configured MFA and enforcing regular password changes can help protect organizations, these measures alone may not be enough to fully negate the advantage attackers gain with stolen credentials.

In this instance, an attacker used leaked credentials to compromise an unused service account, allowing them to establish MFA and access the customer's VPN. While this tactic may have allowed the attacker to evade human security teams and traditional security tools, Darktrace's AI detected the unusual use of the account, indicating a potential compromise despite the organization's MFA requirements being met. This underscores the importance of adopting an intelligent decision maker, like Darktrace, that is able to identify and respond to anomalies beyond standard protective measures.

Credit to Charlotte Thompson, Cyber Security Analyst, Ryan Traill, Threat Content Lead

Appendices

Darktrace DETECT Model Coverage

– Device / Suspicious SMB Scanning Activity (Model Alert)

– Device / ICMP Address Scan (Model Alert)

– Device / Network Scan (Model Alert)

– Device / Suspicious LDAP Search Operation (Model Alert)

– User / Kerberos Username Brute Force (Model Alert)

– Device / Large Number of Model Breaches (Model Alert)

– Anomalous Connection / SMB Enumeration (Model Alert)

– Device / Multiple Lateral Movement Model Breaches (Enhanced Monitoring Model Alert)

– Device / Possible SMB/NTLM Reconnaissance (Model Alert)

– Anomalous Connection / Possible Share Enumeration Activity (Model Alert)

– Device / Attack and Recon Tools (Model Alert)

MITRE ATT&CK Mapping

Tactic – Technique – Code

INITIAL ACCESS – Hardware Additions – T1200

DISCOVERY – Network Service Scanning – T1046

DISCOVERY – Remote System Discovery – T1018

DISCOVERY – Domain Trust Discovery – T1482

DISCOVERY – File and Directory Discovery – T1083

DISCOVERY – Network Share Discovery – T1135

RECONNAISSANCE – Scanning IP Blocks – T1595.001

RECONNAISSANCE – Vulnerability Scanning – T1595.002

RECONNAISSANCE – Client Configurations – T1592.004

RECONNAISSANCE – IP Addresses – T1590.005

CREDENTIAL ACCESS – Brute Force – T1110

LATERAL MOVEMENT – Exploitation of Remote Services – T1210

References

  1. 2024 Google Cloud Threat Horizons Report
    https://services.google.com/fh/files/misc/threat_horizons_report_h12024.pdf
  2. IBM X-Force Threat Intelligence Index 2024
    https://www.ibm.com/reports/threat-intelligence
