Saturday, 2 September 2023

A battle has been won, but the war against computer hackers continues

TechRepublic announces that a major malicious botnet has been taken down. A botnet is (summarised from Wikipedia) a logical collection of Internet-connected devices, such as computers, smartphones or Internet of Things (IoT) devices, each of which runs one or more bots (software applications that run automated tasks, or scripts, over the Internet). While it is conceivable that there are legitimate uses for botnets, the majority are built on the PCs and other devices of unwitting victims of a computer virus.

Bots can be used to create multiple synthetic personalities to sign on to the various social media. This is probably their most blatant manifestation in creating the appearance of a multitude of people praising a particular product, or pushing a dubious opinion like denying climate change or anti-vaxxing. There are more malign applications, though. In the case of the Qakbot network which has just been cracked by the FBI:

Over the course of its more than 15-year campaign, Qakbot (aka Qbot and Pinkslipbot) has launched some 40 worldwide ransomware attacks focused on companies, governments and healthcare operations, affecting some 700,000 computers. Qakbot, like almost all ransomware attacks, hit victims through spam emails with malicious links, according to the Justice Department. The DOJ noted that over just the past year and a half, Qakbot has caused nearly $58 million in damages. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency in illicit profits (here’s the department’s seizure warrant).

According to the DOJ, the action represented the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activities.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland in a statement.

But the fight is not over.

Will Qakbot reappear after some retooling to sidestep new defenses? [Richard] Suls of WithSecure said it could happen. “The creators of these botnets are often highly skilled (sometimes nation states and/or APTs) and to that effect, we have seen botnets return from the grave, often with modifications,” he said, pointing to Kelihos, which was sinkholed in September 2011 and returned in January 2012 as a new version.

“One way we’ve seen botnets reconfigured and resurrected is when their source code is leaked,” said Suls. “For instance, the Zbot malware, whose source code hit the internet, allowing multiple actors the ability to view, update and use the base code for their own botnets. There is no doubt in my mind that botnet code is available for purchase in the darker corners of the internet.”

Jess Parnell, vice president of security operations at threat intelligence firm Centripetal, said the success of Qakbot proves the weakest link is the least sophisticated.

“Some might think that a simple spam email or SMS message is harmless, but as we are constantly seeing, organizations all over the globe are getting hit daily by major cyberattacks that are oftentimes disguised as something else,” he said. “By staying informed, proactive and collaborative, organizations can significantly reduce their risk of falling victim to cyberattacks.”
