Microsoft Take-Down of Trickbot Ransomware Bot, Security Experts Reacted Inline with Election Security


Security Experts | Informationsecuritybuzz.com

Microsoft today took action “to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific distributors of ransomware,” which “cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems…” “Today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses, and universities from the various malware infections Trickbot enabled.”

EXPERTS COMMENTS

| October 14, 2020

Saryu Nayyar, CEO, Gurucul

It will take more to put a real dent in cybercrime.

The coordinated effort to take down TrickBot shows that there is hope to counter malicious actors at scale. When organizations cooperate in support of everyone’s shared best interests, we can all benefit. But this is just a first step. It will take more to put a real dent in cybercrime, starting with a solid security posture in our own environments, and ending with coordinated industry and law enforcement efforts to prosecute the attackers.


| October 14, 2020

Chloé Messdaghi, VP of Strategy, Point3 Security

Hackers – not to be confused with attackers – have an important role to play moving forward.

Microsoft has truly done an important service in thwarting Trickbot – it’s especially important because so many cities, towns, and tribal jurisdictions across the US rely on outdated technology including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by Trickbot.

It’s a great start but a new Gallup study finds that only 59% of Americans have full confidence in our election process and faith that our votes are going to be accurately tallied nationwide. Misinformation plays a serious role in this doubt. It’s an enormous problem that will almost certainly cause some suppression of votes. It’s imperative that the public and private sectors come together and work closely on this. Also, our political parties must help by rejecting disinformation, because we’re now in an era when people don’t know what to trust. Near-real-time fact-checking is urgently needed, as are greater reliance on open source technologies, a strong emphasis on vulnerability reporting programs and disclosure, and close collaboration with the hacker community.

At DefCon’s Voting Village (@VotingVillageDC), we saw hackers from around the world focusing on voting technologies to find and help fix vulnerabilities, and ensure that voting systems are safe. Hackers come at this with a zero-trust mindset that informs our skepticism and strengthens our commitment to harden our systems – against ransomware, misinformation campaigns, and other types of threats. Hackers – not to be confused with attackers – have an important role to play moving forward.


| October 14, 2020

Jeff Valentine, CTO, CloudCheckr

Microsoft effectively helped the public to have confidence in the eventual election results by eliminating one possible attack vector.

Many people think that election security is only about electronic vote counting and tabulation, but the real issues are more insidious and harder to prevent. In this case, the service Microsoft identified and shut down could have been used as a springboard for ransomware attacks, and if any of the affected systems were used during the election process – perhaps in coordinating the distribution of staff or communicating directions on how to report results or voter lists – this could have affected the election in incalculable ways. Microsoft effectively helped the public to have confidence in the eventual election results by eliminating one possible attack vector.


| October 14, 2020

Andrea Carcano, Co-founder and CPO, Nozomi Networks

By proactively getting in front of Necurs, Microsoft was able to significantly disrupt the botnet.

This isn’t the first time that Microsoft has leveraged trademark laws to chase down botnet operators. They used the tactic back in 2011 to take down Rustock. IoT botnets are among the fastest-growing categories of attacks, and Trickbot alone has impacted millions of computers. While botnet operators are using every trick in the book to expand their malicious activity, defenders, for obvious reasons, have to comply with the law when implementing the countermeasures. But as Microsoft’s actions show, this doesn’t mean that you can’t be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating beyond the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control.

In general, it can be quite challenging to disrupt the malicious activities of botnets, and Microsoft has a history of stepping up with aggressive countermeasures. In March, Microsoft called on its technical and legal partners in 35 countries to disrupt Necurs, a popular hybrid peer-to-peer botnet. By analysing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months. Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure. By proactively getting in front of Necurs, Microsoft was able to significantly disrupt the botnet.

While this type of dismantling of a peer-to-peer botnet might not be feasible for the average organisation, there is still a lot that the security team defending your network can do.

Start by considering the three main phases where botnets typically leave behind a lot of network artifacts:

Bot deployment: this is where the bot is deployed onto a target system that is a member of the network, for instance through an exploit or by brute-forcing credentials.

Communication with the peer-to-peer botnet: this occurs during peer discovery, configuration updates, and command reception.

Malicious activity: the actual malicious activity the botnet was created for, such as sending spam, distributing ransomware, or bot propagation towards other systems.

Then, use the right tools to detect and disrupt botnet activity.

As businesses become more reliant upon IoT, we can expect that botnet activity will also evolve and grow. And while they can be tricky to defend against, by their very nature, botnets leave behind a lot of information that security defenders can use to track them and prevent future attacks. What’s important is ensuring your security practice incorporates a plan to address botnets. Understand their implications so you can identify which security measures to take. Then choose the right tools and community resources to detect and disrupt future botnet activity.
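The three artifact-producing phases Carcano lists (deployment by credential brute-forcing, peer-to-peer communication, and propagation to other systems) can each be spotted with simple threshold rules over network and authentication logs. The script below is an added illustration, not code from the article or from Nozomi Networks; the flow records, the internal 10.0.0.0/8 assumption, and all thresholds are constructed for the example.

```python
# Added example (not from the article): tag constructed flow records with the
# three botnet phases described above. All thresholds and sample data are
# assumptions chosen for illustration, not tuned for a real network.
from collections import defaultdict

# Constructed sample: (src, dst, dst_port, outcome) tuples standing in for
# firewall and auth log lines. Not real traffic.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 22, "auth_fail"),
    ("10.0.0.5", "10.0.0.20", 22, "auth_fail"),
    ("10.0.0.5", "10.0.0.20", 22, "auth_fail"),
    ("10.0.0.5", "10.0.0.20", 22, "auth_fail"),
    ("10.0.0.5", "10.0.0.20", 22, "auth_fail"),
    ("10.0.0.5", "10.0.0.20", 22, "auth_ok"),   # brute force succeeds
] + [("10.0.0.20", f"203.0.113.{i}", 40000 + i, "ok") for i in range(1, 13)] \
  + [("10.0.0.20", f"10.0.0.{i}", 445, "ok") for i in range(30, 50)]

def classify(flows, fail_threshold=5, peer_threshold=10, spread_threshold=15):
    """Return {phase: set(hosts)} for the three artifact-producing phases."""
    fails = defaultdict(int)      # (src, dst) -> failed logins against dst
    ext_peers = defaultdict(set)  # src -> distinct external peers on high ports
    lateral = defaultdict(set)    # src -> distinct internal hosts reached on SMB
    for src, dst, port, outcome in flows:
        if outcome == "auth_fail":
            fails[(src, dst)] += 1
        elif port >= 1024 and not dst.startswith("10."):
            ext_peers[src].add(dst)          # peer discovery / C2 style fan-out
        elif port == 445 and dst.startswith("10."):
            lateral[src].add(dst)            # propagation towards other systems
    findings = {"deployment": set(), "p2p_communication": set(),
                "malicious_activity": set()}
    for (src, dst), n in fails.items():
        if n >= fail_threshold:
            findings["deployment"].add(dst)  # dst is the system being brute-forced
    for src, peers in ext_peers.items():
        if len(peers) >= peer_threshold:
            findings["p2p_communication"].add(src)
    for src, targets in lateral.items():
        if len(targets) >= spread_threshold:
            findings["malicious_activity"].add(src)
    return findings

if __name__ == "__main__":
    for phase, hosts in classify(FLOWS).items():
        print(f"{phase}: {sorted(hosts)}")
```

In the constructed sample a single host, 10.0.0.20, shows up in all three phases: it is brute-forced, then fans out to external peers, then reaches out to internal SMB shares, which is the kind of correlated artifact trail the comment above says defenders can use.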


| October 14, 2020

Suzanne Spaulding, Adviser, Nozomi Networks

Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election.

The Microsoft take-down is an example of exactly the kind of whole-of-nation, even whole-of-world, approach we need. The private sector working with government at all levels, including state and local governments who’ve been victims and multiple federal entities, including the courts, as well as international partners, all coming together to identify and disrupt the bad guys. Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election because ransomware is a threat that CISA Director Chris Krebs says keeps him up at night. If malicious actors were able to disrupt the election, by locking up voter registration databases or systems involved in the vote tabulation or reporting, they could undermine public confidence in the legitimacy of the election.
