We are now in the middle of 2022 and we have already seen a series of cyber attacks, known and unknown, that are disrupting organizations. However, we’ve also seen uplifting stories of successful threat detection attempts.
In this article, we’ll look at five new, advanced, or creative threats that used techniques like “living off the land” to evade detection by traditional defense measures. All of these threats were discovered by artificial intelligence (AI) technology, which can detect subtle deviations in device and user behavior and autonomously enforce “normal”, thereby stopping a threat.
1. Leading Lab Suspends Dark Web Insider Threat With AI
Cyber attacks on the healthcare sector reached record highs last year and for these organizations, cyber threats can have serious real-world consequences. One of Darktrace’s healthcare customers is a company that specializes in researching, developing and manufacturing innovative in vitro diagnostic tests for diseases, disorders and infections.
In March, this company became the target of a malicious threat from within. An employee tried to abuse his access within the organization to sell intellectual property, perhaps even medical supplies, on the dark web. The employee was detected using Tor on a corporate device to connect to a dark web pharmaceutical market forum.
Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of business operations allow them to evade detection by traditional security tools. To protect intellectual property from insider threats, organizations must augment security teams with AI-powered technology that stops malicious activity in real time.
In this case, since no other corporate device had visited the Tor network in the past, Darktrace’s AI signaled the activity to the security team, who were then able to investigate the employee and discover their malicious intent.
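The detection described above rests on one observation: no device in the organization had ever contacted the Tor network, so the first device that did stood out. The following added example (not Darktrace’s code) shows that logic over constructed flow records. It assumes a relay list loaded from the published Tor relay data; the addresses and device names used here are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""First-seen Tor contact detector (added example, not Darktrace code)."""
from dataclasses import dataclass

# Constructed placeholder relay list using RFC 5737 documentation addresses.
# A real detector would load the published Tor relay/exit list and refresh it
# regularly, since the set of relays changes frequently.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.91"}


@dataclass(frozen=True)
class Flow:
    ts: str        # ISO timestamp
    device: str    # internal source device
    dst_ip: str    # destination address
    dst_port: int  # destination port


def is_tor_contact(flow: Flow) -> bool:
    # Match on relay address, not port: many relays listen on 443 to blend in
    # with ordinary HTTPS traffic, so a port-based rule would miss them.
    return flow.dst_ip in TOR_RELAYS


def build_baseline(flows):
    """Devices that contacted any Tor relay during the learning period."""
    return {f.device for f in flows if is_tor_contact(f)}


def detect_novel_tor(baseline, flows):
    """Alert the first time a device contacts Tor. Severity is 'high' when no
    device in the organization has ever done so (the case in the article) and
    'medium' when Tor use already appears in some other device's baseline."""
    seen = set(baseline)
    alerts = []
    for f in flows:
        if not is_tor_contact(f) or f.device in seen:
            continue
        org_first = not seen
        alerts.append({
            "ts": f.ts,
            "device": f.device,
            "dst": f"{f.dst_ip}:{f.dst_port}",
            "severity": "high" if org_first else "medium",
            "reason": "first Tor relay contact "
                      + ("in the organization" if org_first else "for this device"),
        })
        seen.add(f.device)   # later flows from this device are not re-alerted
    return alerts


# Constructed learning period: ordinary web traffic, no Tor.
LEARNING = [
    Flow("2022-02-01T09:12:00", "research-ws-07", "192.0.2.44", 443),
    Flow("2022-02-03T14:40:00", "lab-ws-12", "192.0.2.44", 443),
    Flow("2022-02-20T11:05:00", "finance-ws-03", "192.0.2.44", 443),
]

# Constructed detection period.
RECENT = [
    Flow("2022-03-02T08:30:00", "lab-ws-12", "192.0.2.44", 443),
    Flow("2022-03-02T22:47:00", "research-ws-07", "198.51.100.7", 9001),  # first Tor contact
    Flow("2022-03-02T22:49:00", "research-ws-07", "198.51.100.23", 443),  # same device, no new alert
    Flow("2022-03-05T10:15:00", "finance-ws-03", "203.0.113.91", 443),    # a second device
]


def run():
    return detect_novel_tor(build_baseline(LEARNING), RECENT)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The severity split matters for triage: a single device contacting Tor in an organization where nobody has before is the signal that surfaced the insider in the article, whereas the same contact in an environment where a research team already uses Tor is a weaker indicator and needs the user-level context the security team gathered afterwards.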
2. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer
Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company’s work supports the adoption of smart medical devices, as well as electric and autonomous vehicles, so uptime is important and ransomware poses a significant risk.
The first sign of a threat came in the early morning hours, when the AI detected a corporate device running network scans and making unusual connections to other internal devices. Based on its understanding of the device’s usual “pattern of life,” the AI identified this extraordinary behavior as malicious and calculated a response.
The AI was able to stop this attack without disrupting normal operations in the company’s office or production floor. It only blocked the malicious connections, while allowing the rest of the compromised device’s operations to continue.
After the attack stopped, a post-compromise analysis conducted by the AI found that the compromised device had indeed attempted to distribute files with “babyk” extensions. These attacks often strike outside office hours, so critical infrastructure defenders should consider using artificial intelligence to enable their organizations to defend themselves against advanced threats.
3. HR Spoofing Attack Targets Employees at Private Equity Firm
Phishing and spoofing emails remain the preferred first entry point for cyber attacks. Earlier this year, a private equity firm looking to bolster its email security efforts tried an AI email security solution and almost immediately discovered a targeted spoofing attack.
The attackers had crafted their email to mimic the company’s internal HR communications: it was titled “Q3 Commission 2021 and Agenda” and designed to look like a Microsoft SharePoint document. To a company employee, this email wouldn’t look out of place in their inbox.
Further investigation revealed that the email was part of a broader trend of targeted phishing campaigns that use fake Microsoft branding to mislead employees. The exact motivations behind this attack are unknown because it was stopped at the earliest stage, but such attacks are often launched with the aim of causing operational disruption or carrying out IP and financial theft.
4. Ransomware Attack on a Financial Services Company Stopped
In March 2022, a South African financial services firm decided to try Darktrace’s technology and immediately discovered an ongoing ransomware attack attempting to encrypt the most valuable data.
The first sign of compromise was a corporate mail server making unusual HTTP connections to a remote endpoint and communicating with a malicious server over the Internet. Its understanding of the business and of the normal behavior of this particular mail server enabled the AI to identify the threatening activity.
The compromised server then attempted network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that the attackers had obtained the credentials of 11 employees, including several C-level executives. As the attack spread rapidly, more and more corporate devices began communicating with the malicious remote server.
The AI quickly interrupted further attempts to communicate with the malicious server, but allowed normal operations to continue. With the attack safely under control, Darktrace helped the company’s security team conduct a full investigation and ensure the attack was fully neutralized.
5. AI Stops Log4j Exploit At A Global Financial Services Company
The Log4Shell vulnerability, which went public in late 2021, is one of the most serious and widespread exploits ever. Some believe it affected hundreds of millions of devices, and as a zero-day it bypassed many traditional security tools.
Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services company with assets in excess of $5 billion, was targeted in March 2022.
The attackers used a Log4j vulnerability to gain access to one of the company’s virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server started downloading a shell script from a suspicious remote endpoint, triggering an immediate warning from the company’s AI-powered security measures.
Convinced of the seriousness of the threat by the alert, the company’s security team immediately deployed AI technology to take precise action against the threat while maintaining regular business activity on the VDI server.
Rapid action by this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, most likely saving the company from a ransomware attack.