Microsoft collaborated with cybersecurity companies and government agencies to take down the million-device Trickbot botnet to help protect the November 3rd US Presidential election and stop the global spread of ransomware and other malware. The botnet has been used to distribute a variety of malicious code, including the Ryuk ransomware variant, which the US government has cited as a potential threat vector against the election.
Microsoft obtained a court order from the US District Court, Eastern District of Virginia, providing legal permission to disable the servers that host Trickbot, says Tom Burt, the Microsoft's corporate vice president of customer security and trust. "We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world," Burt says. "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."[1]
Media sources reported last week that US Cyber Command had launched a counterstrike designed to take down Trickbot at least temporarily in the run-up to the election. Microsoft says the malicious operators behind Trickbot will immediately attempt to recover. "We fully anticipate Trickbot's operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," Burt stated.
Microsoft was able to determine how the Trickbot botnet operated, including the infrastructure the malware used to communicate with and control victim computers, the way infected computers talk with each other and the botnet's mechanisms to evade detection and attempts to disrupt its operation. This information enabled Microsoft's researchers to identify the exact IP addresses of the servers used to support the botnet so they could be disabled.
With this developed cyber evidence, the US Court granted approval for Microsoft and various partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators and block any effort by the Trickbot operators to purchase or lease additional servers.[2]
Microsoft's Digital Crimes Unit worked with its Financial Services Information Sharing and Analysis Center, as well as security firms such as ESET, Lumen's Black Lotus Labs, NTT and Symantec, a division of Broadcom, to help take down Trickbot. "In 2020 alone, our automatic platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules, giving us an excellent viewpoint of the different [command and control] servers used by this botnet," reports ESET.
Microsoft's Digital Crimes Unit used a new and legal weapon against Trickbot. "Our case includes copyright claims against Trickbot's malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” stated Burt.
A former US Department of Homeland Security (DHS) undersecretary of cyber and infrastructure who now serves as a Nozomi Networks adviser shared, "The Microsoft takedown is an example of exactly the kind of 'whole of a nation' and even 'whole of the world' approach we need." The private sector must work with government agencies and the courts, as well as international partners, "to identify and disrupt the bad guys."
Trickbot was first released in 2016 as a banking Trojan but has steadily been developed and evolved. More recently, the malware has been used to distribute a variety of other malicious code, including the Ryuk ransomware variant.
"Trickbot's modular architecture allows it to perform a vast array of malicious actions using a variety of plug-ins," says ESET. "It can steal all kinds of credentials from a compromised computer and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware." Trickbot is spread primarily through phishing attacks; the emails contain malicious attached Microsoft Word or Excel documents. This is what put Trickbot on the Microsoft security team’s radar.
The federal government has issued a steady stream of alerts regarding hackers attempting to disrupt the November 2020 elections. Earlier in October 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of potential Emotet ransomware attacks. On 01 October 2020, CISA and the FBI warned of potential distributed denial-of-service attacks designed to disrupt the process. Additional warnings were issued to the public to be wary of disinformation campaigns intended to either sway a person's vote or spread lies and rumors about the candidates. The current Twitter and Facebook debate is just one example of potential disinformation campaign.[3]
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. Articles on ransomware can be viewed for free at https://redskyalliance.org
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.bankinfosecurity.com/microsoft-others-dismantle-trickbot-botnet-a-15156?rf=2020-10-13_ENEWS_SUB_BIS__Slot9_ART15156
[2] https://securityboulevard.com/2020/10/us-cyber-command-and-microsoft-are-both-disrupting-trickbot/
[3] https://theintercept.com/2020/10/15/facebook-and-twitter-cross-a-line-far-more-dangerous-than-what-they-censor/
Comments
At the same time Hold Security reports that malicious operators are thinking to recoup losses and even discussing to significantly increase ransom demands which in the past were often set as 10% of the victim company’s annual revenues.
Hackers will likely adapt to the attempts to take the Trickbot servers down.
But Microsoft is promising that they will continue their pressure on the malicious infrastructure, so the battle is not over yet!
We will continue to monitor and inform you on important developments, meanwhile be safe, update, receive cybersecurity services to protect yourself from phishing, drive-by, and ransomware!"
Holler is you need extra research on Trickbot, or for that matter - any cyber security matters.