
Hacked Smart Fish Tank Exfiltrated Data to 'Rare External Destination'

Insiders attached two Raspberry Pi devices to a corporate healthcare network to help divert staff to a phishing website and steal their credentials. An internet-connected smart fish tank transferred 10GB of data to an adversary's server in Finland.

These are two of nine real-life examples presented in the Darktrace Global Threat Report 2017 (PDF). Darktrace was founded in Cambridge UK in 2013, combining mathematicians and machine learning (ML) experts from the university with intelligence experts from MI5 and GCHQ. The firm's approach is to mimic the human body's immune system in cyber. 

For example, from the company's website, "Darktrace Antigena replicates this function of the human immune system, by creating 'digital antibodies' in response to in-progress threats." The purpose is to slow the rate of infection enough to give security teams an adequate response window before irreparable damage is done.

The seven additional cases described in the report include a ransomware infection; IoT devices co-opted into a DoS attack; a banking trojan; a former employee's compromised credentials; discovery of a vulnerability in a third-party cloud storage supplier; discovery of data theft by a former employee; and an attacker's attempt to use a corporate network in a bitcoin mining operation.

These incidents were detected by Darktrace over the last year. Each of the descriptions includes a summary of the incident, the anomalous activity detected by Darktrace, and the action taken to defend the network. 

A weakness in the report is that it is sparse on details. A Darktrace spokesman explained that this is due to customer usage. How each customer uses its technology is different and Darktrace itself isn't privy to that information. It examines network behavior, but not traffic content. The result is that the information provided gives examples of incidents detected by Darktrace, but little technical detail on the incident itself.

For example, in one case Darktrace quickly detected the attachment of two Raspberry Pis on the internal network that were redirecting users to a look-alike external website. "The redirected users were being presented with a fake login page and 'security survey' where they were required to enter their usernames and passwords," says the report. Darktrace detected this in real-time because it detects deviations from normal network behavior -- and the sudden appearance and operation of two Raspberry Pis was abnormal.

"The Raspberry Pis quickly disappeared from the network," it continued. But what it doesn't say is whether sufficient forensic data was gathered to be able to determine the insider or insiders responsible for the act -- in other words the report does not say whether the threat was eliminated (and the insider terminated or prosecuted) or whether this particular malicious insider threat continues.

"Darktrace is regularly used for forensic analysis," Justin Fier, director for cyber intelligence & analysis at Darktrace, told SecurityWeek. "The organization may have used it to help apprehend the insiders but we cannot confirm."

Fier also explained the lack of detail in the smart fish tank incident. "A North American casino," says the report, "recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules." For security, the tank was configured to communicate its data via a VPN.

Nevertheless, Darktrace quickly detected "anomalous data transfers from the fish tank to a rare external destination." In fact, 10GB of data was transferred outside of the network, via the fish tank. What isn't specified, however, is what the data comprised, where on the network it came from, how it was moved to the fish tank for exfiltration, nor whether the malware methodology used to acquire the data before exfiltration was also discovered.

Fier explained, "Darktrace doesn't look at the content of files, so we don't know [what data was exfiltrated], though the communications took place on a protocol that is normally associated with audio and video. The attacker somehow gained access to the corporate network, and then either brute-forced or used stolen credentials to log onto the fish tank VPN."
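A minimal sketch of the kind of metadata-only check that would surface the fish tank transfer described above: it flags a device sending an unusually large volume to a destination that few or no internal devices contacted during a baseline period. This is an added example, not Darktrace's method or code; the device names, addresses, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow metadata (day, device, external destination, bytes out); no payload content.
BASELINE = [
    (1, "fish-tank", "198.51.100.10", 40_000),   # vendor telemetry endpoint
    (2, "fish-tank", "198.51.100.10", 42_000),
    (3, "fish-tank", "198.51.100.10", 39_000),
    (1, "pos-01", "203.0.113.5", 900_000),
    (2, "pos-01", "203.0.113.5", 950_000),
    (1, "kiosk-07", "203.0.113.5", 300_000),
    (3, "kiosk-07", "198.51.100.10", 5_000),
]
OBSERVED = [
    (4, "fish-tank", "198.51.100.10", 41_000),
    (4, "fish-tank", "192.0.2.77", 10_000_000_000),  # ~10GB to a new destination
    (4, "pos-01", "203.0.113.5", 1_200_000),
    (4, "kiosk-07", "192.0.2.200", 2_000),           # new but tiny
]

def build_baseline(flows):
    """Return (devices seen per destination, peak daily outbound bytes per device)."""
    dest_devices = defaultdict(set)
    daily = defaultdict(int)
    for day, dev, dst, nbytes in flows:
        dest_devices[dst].add(dev)
        daily[(dev, day)] += nbytes
    peak = defaultdict(int)
    for (dev, _day), total in daily.items():
        peak[dev] = max(peak[dev], total)
    return dest_devices, peak

def rare_destination_alerts(baseline, observed, max_devices=1, volume_factor=10):
    """Flag device->destination totals that are both rare and unusually large."""
    dest_devices, peak = build_baseline(baseline)
    totals = defaultdict(int)
    for _day, dev, dst, nbytes in observed:
        totals[(dev, dst)] += nbytes
    alerts = []
    for (dev, dst), nbytes in sorted(totals.items()):
        seen_by = dest_devices.get(dst, set())
        rare = dev not in seen_by and len(seen_by) <= max_devices
        # Devices with no history get a floor of 1 byte so any volume is compared.
        large = nbytes > volume_factor * max(peak.get(dev, 0), 1)
        if rare and large:
            alerts.append((dev, dst, nbytes))
    return alerts

if __name__ == "__main__":
    print(rare_destination_alerts(BASELINE, OBSERVED))
```

Requiring both conditions keeps the small first contact from `kiosk-07` and the routine traffic from `pos-01` out of the alert list, while the single large transfer to an unseen address stands out.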

A third example involves corporate IoT devices being co-opted into a DDoS botnet. "Designers at an architectural firm were using smart drawing pads to enable them to quickly send schematics and drawings to clients and other staff members," says the report. However, the default logon credentials were not changed, leaving the devices vulnerable.

Darktrace soon detected 'highly unusual volumes of data being sent outside of the network.' "This was identified as a denial-of-service attack. The pads were responding to a specific type of request for information commonly used to disable the target's systems by flooding it with superfluous traffic," says the report. It gives no information on how the DDoS attack operated, who was the target, nor whether the devices had become part of a known botnet.

Darktrace was unable to give SecurityWeek any further details on the variant of botnet or its targets.

The report then states, "Involvement in the attack could have legal implications for the firm had their infrastructure been responsible for damaging another network." This is a stretch. While there may be a technical possibility, there is almost zero likelihood of a successful action against a company with infected devices used in a DDoS attack -- the sheer difficulty in determining which devices out of potentially hundreds of thousands caused precisely what damage to which targets is simply too complex.

Challenged on this, Fier replied, "We don't know of any instances where such involvement in DDoS attacks has led to a company being held liable."

There is value in this report, as it provides genuine examples of the originality and inventiveness of attackers, and demonstrates that Darktrace is able to detect them. However, describing it as a 'Global Threat Report' is ambitious. The subtitle, 'Selected Case Studies', would be more realistic and accurate.

Earlier this month, Darktrace announced that it had raised $75 million in a Series financing round.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.