    Sprawling Qakbot Malware Takedown Spans 700,000 Infected Machines

By justmattg, August 29, 2023
    The infrastructure behind the infamous Qakbot malware, a favorite tool of cybercriminals far and wide, has been taken down by the Feds in an operation code-named “Duck Hunt.”

    Official remediators also proactively connected to compromised computers to neutralize Qakbot infections on tens of thousands of victim machines, according to the US Department of Justice (DoJ), which said that they did so with “lawful access.”

Qakbot (aka Qbot) is typically used as a first-stage implant, infecting computers after an unwitting target opens a malicious attachment in an email. Once it compromises a machine, it enslaves it to a botnet infrastructure and then lies in wait for further instructions. The resulting persistent network of infections can then deliver additional malware on demand.

After emerging in 2007 as a banking Trojan, it has evolved to become part of the initial access broker market on the Dark Web, with its operators renting access to their lattice of compromised machines to any paying cybercriminal. Qakbot has been a key enabler for a plethora of campaigns by various threat actors, delivering payloads ranging from ransomware to cryptominers to spyware.

    Proactive State Elimination of Qakbot Infections

    The DoJ and the FBI announced Tuesday that in a joint action with France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, global law enforcement identified and accessed more than 700,000 Qakbot-infected computers worldwide — including more than 200,000 in the US. Qakbot infections tend to affect home users and business users equally, according to recent Secureworks research.

    “To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file,” according to the DoJ’s Qakbot takedown announcement released Tuesday. “This uninstaller — created to remove the Qakbot malware — untethered infected computers from the botnet and prevented the installation of any additional malware.”

    Previous disruptions have also taken a proactive tack when it comes to endpoint cleanup, though the practice can be controversial. For instance, in May, the FBI used a custom tool called Perseus as part of what it dubbed “Operation Medusa,” aimed at disabling the Snake malware on compromised computers; Snake was a signature malware used by the Russia-sponsored Turla advanced persistent threat (APT).

    Perseus issued commands that caused the Snake malware to overwrite its own vital components, and was executed on machines without users’ active consent thanks to a search warrant issued by a US magistrate judge authorizing the remote access.

    Roger Grimes, data-driven defense evangelist at KnowBe4, noted that the decision to redirect exploited nodes to a safer server in order to do proactive cleanup was a risk with a positive payoff.

    “This sort of proactive cleaning up used to be rare and often contested, even by many cybersecurity experts,” he said in an emailed statement. “If not done correctly, the removal could go badly wrong. I’m glad the FBI and its partners have decided proactive cleanup was worth the risk. It improves not only the exploited people and organizations who have Qakbot installed, but the next innocent victims.”

    For its part, the DoJ is calling the effort “one of the largest US-led disruptions of a botnet infrastructure” ever carried out.

    “The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”

    Qakbot’s Down but Not Likely Out

    While a win is a win, prior takedowns of Qakbot’s spiritual brethren Trickbot and Emotet have demonstrated that the impact of such disruptions to the cyber underground may not be that significant in the long term, according to Chester Wisniewski, field CTO of applied research at Sophos.

    “Disrupting the Qakbot botnet…will impose significant inconvenience on the botnet’s operators and dependent criminal groups,” he noted via email. “Sadly this will not stop Qakbot’s masters from reconstituting it and continuing to profit from our security failures. Any time we can raise the cost for criminals to operate their schemes we must take advantage of those opportunities, but this doesn’t mean we can rest on our laurels[.] We must continue to work to identify those responsible and hold them accountable to truly disable their operations.”

    Mandiant researchers agreed but noted that the harrying of any part of the increasingly professional landscape of cybercrime partnerships amounts to an ethical responsibility, given that ransomware in particular is a major national security challenge due to the involvement of adversarial nation-states like Russia or North Korea.

    “The underpinnings of this business model are solid, and this problem is not going away anytime soon; many of the tools we have at our disposal aren’t going to have long-lasting effects,” said Sandra Joyce, vice president of Mandiant Intelligence — Google Cloud, in a statement. “These groups will recover and they will be back. But we have a moral obligation to disrupt these operations whenever possible.”

    As for what this means for businesses from an operational perspective, Kimberly Goody, Mandiant senior manager for financial analysis, said to expect some short-term fractures within the criminal ecosystem that could give rise to new partnerships that defenders need to keep their eyes on.

    “Actors who were using Qakbot in ransomware intrusions, for example, may pivot to underground communities for initial access providers, resulting in more varied initial access tactics in the near term,” she noted.
