Microsoft today took action “to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific distributors of ransomware,” which “cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.” In Microsoft’s words, “Today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses, and universities from the various malware infections Trickbot enabled.”
Major efforts from both the private and public sector were used to disrupt TrickBot operations in the leadup to the US presidential election. Microsoft obtained a court order in the Eastern District of Virginia last week that allowed it to take control of TrickBot’s command-and-control servers; Microsoft describes the botnet as the largest in the world. US Cyber Command also conducted operations against TrickBot to damage and disrupt the organization itself as well as the group’s cybercrime-as-a-service operation. TrickBot is modular and is used to deliver several follow-on payloads, including Ryuk ransomware, which has made it difficult to pinpoint and destroy.
Ryuk ransomware, which can shut down entire networks until a ransom is paid, is often delivered through phishing emails. The continued prevalence of ransomware attacks that begin with phishing underscores how critical it is for both the public and private sector to invest in integrated email security controls combined with security awareness training, so that employees are prepared to spot suspicious emails. While TrickBot operations may be hampered for now, the organization, and others like it, will continue to find new ways to launch attacks, using unhardened networks and untrained employees as their way in.
Many people think that election security is only about electronic vote counting and tabulation, but the real issues are more insidious and harder to prevent. In this case, the infrastructure Microsoft identified and shut down could have been used as a springboard for ransomware attacks, and if any of the affected systems were used during the election process, perhaps in coordinating the distribution of staff or communicating directions on how to report results or voter lists, this could have affected the election in incalculable ways. By eliminating one possible attack vector, Microsoft helped the public have confidence in the eventual election results.
This isn’t the first time Microsoft has leveraged trademark law to chase down botnet operators. It used the same tactic back in 2011 to take down Rustock. Botnets are among the fastest-growing categories of attack, and TrickBot alone has infected millions of computers. While botnet operators use every trick in the book to expand their malicious activity, defenders, for obvious reasons, have to comply with the law when implementing countermeasures. But as Microsoft’s actions show, this doesn’t mean you can’t be creative with the technical and non-technical tools available. The beauty of this latest approach is that, although defenders suffer an asymmetry against attackers who operate outside the limits of the law, by taking the case to court Microsoft turned the law into a legal advantage and regained control.
In general, it can be quite challenging to disrupt the malicious activities of botnets, and Microsoft has a history of stepping up with aggressive countermeasures. In March, Microsoft called on its technical and legal partners in 35 countries to disrupt Necurs, a widespread hybrid peer-to-peer botnet. By analysing the domain generation algorithm (DGA) Necurs used to systematically produce new rendezvous domains, Microsoft was able to accurately predict the more than six million unique domains the bots would try to use over the following 25 months. Microsoft reported these domains to their respective registries worldwide so they could be blocked before registration, preventing them from ever becoming part of the Necurs infrastructure. By proactively getting in front of Necurs, Microsoft was able to significantly disrupt the botnet.
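The Necurs takedown rested on one property that almost all DGAs share: once the algorithm and its seed are recovered, the domains are a deterministic function of the date, so a defender can enumerate them in advance and block, sinkhole or pre-register them. The following Python is an added illustration of that workflow and is not Microsoft’s code or the real Necurs algorithm; the hash-based DGA, the seed value, the start date and the DNS query log are all hypothetical stand-ins constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA standing in for the real Necurs algorithm (which is not on this page).
# Like most DGAs it is deterministic in (seed, date, counter); that determinism is what
# lets a defender enumerate future domains once the algorithm and seed are known.
SEED = 0x5EED                  # assumed seed value, hypothetical
START_DAY = date(2020, 3, 1)   # assumed start of the prediction window, hypothetical
TLDS = ("com", "net", "biz", "info")


def dga_domain(day, seed, index):
    """Domain number `index` for `day`: hash (seed, day, index) and map bytes to letters."""
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{index}".encode()).digest()
    length = 8 + digest[0] % 8                                   # 8..15 letter label
    label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def predict_domains(start, days, seed, per_day):
    """Enumerate every domain the DGA will produce from `start` for `days` days.

    Returns {domain: first day it becomes active}: the list a defender hands to
    registries or a sinkhole operator ahead of time.
    """
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for i in range(per_day):
            predicted.setdefault(dga_domain(day, seed, i), day)
    return predicted


def flag_dns_queries(queries, predicted):
    """Match observed (client, qname) pairs against the predicted set.

    A hit is an infected host trying to reach rendezvous infrastructure, possibly
    before the operators have even registered that domain.
    """
    hits = []
    for client, qname in queries:
        name = qname.lower().rstrip(".")        # normalise case and trailing dot
        if name in predicted:
            hits.append((client, name, predicted[name].isoformat()))
    return hits


# Constructed DNS query log (not real traffic): two benign lookups and one DGA hit
# deliberately written in upper case with a trailing dot to exercise normalisation.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", dga_domain(START_DAY + timedelta(days=3), SEED, 2).upper() + "."),
    ("10.0.0.7", "updates.example.net"),
]


def demo(days=30, per_day=5):
    """Predict `days` days of domains from START_DAY and check the sample log against them."""
    predicted = predict_domains(START_DAY, days, SEED, per_day)
    return flag_dns_queries(SAMPLE_QUERIES, predicted)


if __name__ == "__main__":
    for client, name, active_from in demo():
        print(f"{client} queried predicted DGA domain {name} (active from {active_from})")
```

The point of `predict_domains` returning the activation date is operational: a registry can refuse the names outright, while a sinkhole operator can register them just before they go live and then use the inbound connections to enumerate infected hosts. Note that `demo(days=2)` finds nothing, because the hit is a day-3 domain; the prediction window has to extend as far ahead as the operators are willing to wait.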
While this type of dismantling of a peer-to-peer botnet might not be feasible for the average organisation, there is still a lot that the security team defending your network can do.
Start by considering the three main phases in which botnets typically leave behind a lot of network artifacts:
Bot deployment: this is where the bot is installed on a target system on your network, for instance through an exploit or by brute-forcing credentials.
Communication with the peer-to-peer botnet: this occurs during peer discovery, configuration updates, and receipt of commands.
Malicious activity: the actual activity the botnet was created for, such as sending spam, distributing ransomware, or propagating the bot to other systems.
Then choose tools that surface those artifacts, such as authentication logs, DNS and network flow records, and endpoint telemetry, so that you can detect and disrupt botnet activity at each phase.
As businesses become more reliant upon IoT, we can expect botnet activity to evolve and grow as well. And while botnets can be tricky to defend against, by their very nature they leave behind a lot of information that defenders can use to track them and prevent future attacks. What’s important is ensuring your security practice incorporates a plan to address botnets. Understand their implications so you can identify which security measures to take. Then choose the right tools and community resources to detect and disrupt future botnet activity.
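Each of the three phases above shows up as a distinct pattern in ordinary logs: repeated authentication failures from one source (deployment), near-periodic connections from one host to one external peer (beaconing to the botnet), and one host touching many internal peers on a lateral-movement port (propagation). The following Python is an added example of one simple detector per phase run over a constructed log; it is not code from the page or from any product, the log format and thresholds are assumptions chosen for the illustration, and the sample lines are fabricated, not captured traffic.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range, hypothetical

# Constructed sample log (not real traffic). Assumed line formats:
#   <ISO timestamp> auth <fail|ok> <src_ip> <user>
#   <ISO timestamp> conn <src_ip> <dst_ip> <dst_port>
SAMPLE_LOG = (
    # phase 1: six failed logins in six seconds from one source, then a success
    [f"2020-10-12T10:00:{s:02d} auth fail 203.0.113.7 admin" for s in range(1, 7)]
    + ["2020-10-12T10:00:09 auth ok 203.0.113.7 admin",
       "2020-10-12T10:05:00 auth fail 198.51.100.2 bob"]          # a lone typo, benign
    # phase 2: 10.0.0.5 beacons to one external peer every 300 s; 10.0.0.7 is irregular
    + [f"2020-10-12T11:{m:02d}:00 conn 10.0.0.5 192.0.2.10 443" for m in range(0, 30, 5)]
    + [f"2020-10-12T11:{m:02d}:00 conn 10.0.0.7 192.0.2.50 443" for m in (0, 1, 9, 10, 27, 28)]
    # phase 3: 10.0.0.5 sweeps twelve internal hosts on SMB within twelve seconds
    + [f"2020-10-12T11:01:{s:02d} conn 10.0.0.5 10.0.0.{h} 445"
       for s, h in enumerate(range(20, 32))]
)


def parse(lines):
    """Split raw lines into (ts, result, src, user) auth events and (ts, src, dst, port) flows."""
    auth, conn = [], []
    for line in lines:
        f = line.split()
        ts = datetime.fromisoformat(f[0])
        if f[1] == "auth":
            auth.append((ts, f[2], f[3], f[4]))
        elif f[1] == "conn":
            conn.append((ts, f[2], f[3], int(f[4])))
    return auth, conn


def detect_bruteforce(auth, threshold=5, window_s=60):
    """Phase 1: sources with at least `threshold` failures inside any `window_s` window."""
    fails = defaultdict(list)
    for ts, result, src, _user in auth:
        if result == "fail":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):       # sliding window over failures
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(src)
                break
    return sorted(flagged)


def detect_beacons(conn, min_conns=5, max_cv=0.2):
    """Phase 2: (src, dst) pairs to external hosts whose inter-connection gaps are nearly constant.

    Coefficient of variation (stdev / mean) of the gaps below `max_cv` means a timer, not a human.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in conn:
        if ip_address(dst) not in INTERNAL:
            by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons


def detect_propagation(conn, port=445, min_targets=10):
    """Phase 3: one source contacting many distinct internal hosts on a lateral-movement port."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in conn:
        if dport == port and ip_address(dst) in INTERNAL:
            targets[src].add(dst)
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_targets)


def analyse(lines):
    """Run all three detectors over raw log lines and return their findings by phase."""
    auth, conn = parse(lines)
    return {
        "bruteforce_sources": detect_bruteforce(auth),
        "beacons": detect_beacons(conn),
        "propagation": detect_propagation(conn),
    }


if __name__ == "__main__":
    for phase, findings in analyse(SAMPLE_LOG).items():
        print(f"{phase}: {findings}")
```

The thresholds are the part you will tune: a `max_cv` of 0.2 catches a fixed-interval timer but misses bots that add jitter, so in practice the beacon check is complemented by looking at payload sizes and the destination’s reputation, and the brute-force window has to be widened for slow, distributed password spraying. The value of splitting the detectors by phase is that a hit in any one of them points you at the same host, which is the one to isolate.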
The Microsoft take-down is an example of exactly the kind of whole-of-nation, even whole-of-world, approach we need. The private sector working with government at all levels, including state and local governments who’ve been victims and multiple federal entities, including the courts, as well as international partners, all coming together to identify and disrupt the bad guys. Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election because ransomware is a threat that CISA Director Chris Krebs says keeps him up at night. If malicious actors were able to disrupt the election, by locking up voter registration databases or systems involved in vote tabulation or reporting, they could undermine public confidence in the legitimacy of the election.
Microsoft has truly done an important service in thwarting Trickbot – it’s especially important because so many cities, towns, and tribal jurisdictions across the US rely on outdated technology including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by Trickbot.
It’s a great start but a new Gallup study finds that only 59% of Americans have full confidence in our election process and faith that our votes are going to be accurately tallied nationwide. Misinformation plays a serious role in this doubt. It’s an enormous problem that will almost certainly cause some suppression of votes. It’s imperative that the public and private sectors come together and work closely on this. Also, our political parties must help by rejecting disinformation, because we’re now in an era when people don’t know what to trust. Near-real-time fact-checking is urgently needed, as are greater reliance on open source technologies, a strong emphasis on vulnerability reporting programs and disclosure, and close collaboration with the hacker community.
At DefCon’s Voting Village (@VotingVillageDC), we saw hackers from around the world focusing on voting technologies to find and help fix vulnerabilities, and ensure that voting systems are safe. Hackers come at this with a zero-trust mindset that informs our skepticism and strengthens our commitment to harden our systems – against ransomware, misinformation campaigns, and other types of threats. Hackers – not to be confused with attackers – have an important role to play moving forward.