Vulnerabilities / Threats

10/19/2020
02:00 PM
Adam Caudill
Commentary
Trickbot, Phishing, Ransomware & Elections

The botnet has taken some hits lately, but that doesn't mean the threat is over. Here are some steps you can take to keep it from your door.

The last few weeks have been rough for the operators of the Trickbot botnet, a malware-as-a-service operation, who are facing coordinated attacks from both the US Cyber Command and Microsoft, with the aid of a number of partners. Trickbot's operators went from successful, with over a million infections, to becoming the target of the US military and major corporations — and Reuters is reporting that indictments resulting from an FBI investigation will be unsealed soon.

This story has a bit of everything: international intrigue, attacks on healthcare providers, phishing at a vast scale (using topics such as COVID-19 and Black Lives Matter as lures), the Internet of Things, counter-hacking, ransomware, stolen government secrets, novel legal techniques, and even a potential election impact. There is enough here for a techno-thriller.

While Trickbot has taken some hard punches, it's probably not done. Its command and control (C2) servers are spread across the world, some far from the reach of the court order that Microsoft is using to take many of them down. There are also signs that the people behind Trickbot are fighting back, bringing new servers up as others go down. Disrupting a botnet is one thing, but killing it is another.

Like many botnets, Trickbot has a history of being used for a variety of things: sending phishing emails to spread further, capturing credentials from victims' browsers, and distributing ransomware (Ryuk, in this case) — encrypting files and demanding payment for their return. As is often the case, the full harm caused by a botnet like this is hard to quantify, but with over a million infections, it's safe to say the harm has been substantial. And remember that one of the victims was a major healthcare provider. While the impact on the provider's level of care isn't clear today, one must wonder if health outcomes were affected.

A Novel Legal Approach
Microsoft has leveraged the courts to take down other botnets, though this time it used a new legal maneuver: copyright violation. To secure the order to take down the IP addresses used by the Trickbot C2 servers, Microsoft pointed out that all programs that run on Windows require the use of the Windows SDK (for example, the header files for the Windows API), and the SDK's license includes a provision that prohibits its use "in malicious, deceptive, or unlawful programs." In addition, Microsoft claimed trademark infringement and other violations of law, as it has done in previous cases.

In essence, the argument is that any program that targets Windows that is malicious, deceptive, or illegal violates the license associated with the SDK, and thus is a violation of Microsoft's copyright. This has provided Microsoft (and the makers of other operating systems) a new method to fight the creators of malware.

It's a Phish … Again
Often, the route to infection starts with an email, something catchy or important in the subject line, and an attachment or a link to a file. If the file is opened, the victim is tricked into activating a malicious macro, and then the system is compromised. Security tools are disabled, data is stolen from a variety of sources, and attacks against other systems are launched.

Phishing — from mass emails sent indiscriminately to spear-phishing that's highly targeted and customized — is a threat that year after year continues to be among the largest threats to both business and end users. This omnipresent threat is one that everyone should be aware of and take steps to protect themselves from. Here are several ways to do this:

  • Email systems should be set up to scan for and block known threats.

  • Users' systems should be configured to disable dangerous features, such as macros in Office documents (unless absolutely needed).

  • Email attachments should be treated as suspicious by default; users should never assume that any attachment is trustworthy unless they are expecting it and it's coming from a trusted sender. Assume it's malicious unless there's a good reason to believe otherwise.

  • Just because it looks like it's from someone recognizable doesn't mean it is; anything that looks odd or suspicious should be confirmed out-of-band before clicking links or opening attachments.
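As an added illustration of the first two points (example code, not part of the original column), here is a gateway-side check in Python that flags macro-enabled Office attachments before they reach a mailbox: it looks inside the OOXML zip for a VBA project part and the macro-enabled content type, and also catches a macro-bearing file that has been given a harmless-looking extension. The sample documents are constructed in memory and contain no real macro code.

```python
import io
import os
import zipfile

# Markers of VBA macros inside an OOXML (Office 2007+) package.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")


def build_office_doc(with_macros: bool) -> bytes:
    """Build a minimal Word package in memory (constructed test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE container; a placeholder is enough here.
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def scan_attachment(filename: str, data: bytes) -> list:
    """Return a list of reasons to quarantine the attachment (empty means no macro signs)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not OOXML; legacy .doc/.xls need OLE parsing (e.g. oletools), not handled here.
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n.lower() for n in z.namelist()}
        if names & MACRO_PARTS:
            findings.append("contains VBA project")
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        if "macroEnabled" in content_types:
            findings.append("macro-enabled content type")
    # A macro-enabled document renamed to .docx is a classic attempt to slip past filters.
    if findings and ext not in MACRO_EXTENSIONS:
        findings.append(f"extension {ext} hides macro-enabled content")
    return findings
```

A mail filter would quarantine anything with a non-empty findings list, letting the "absolutely needed" cases through only via an explicit allow list.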

It's always better to err on the side of caution when dealing with email, especially when anything seems off.

Ransomware Attacks & Election Security
In the United States, there are more than 10,000 separate election jurisdictions, using some combination of city, county, and state technical resources. Each of these represents a target for organized ransomware operations, targets that offer increasing value as the election approaches.

As vulnerable targets are found, operators may wait until the time is best, when it’s most lucrative to strike. As we approach an election that may bring both record turnouts and controversy, any delays or disruptions are sure to draw nationwide attention and raise questions about the integrity of the outcome. This means that anything that is even loosely related to elections is a prime target, and officials would be desperate to recover as quickly as possible.

Understanding this tactic of ransomware operators makes it easy to see why it’s important to act sooner rather than later.

The Future of Trickbot
Trickbot itself may or may not survive this effort to end its attacks, but the techniques will and the code behind it may — and once it's gone, there will be a replacement. Criminals are making a significant amount of money with these operations, and there will always be another one ready to replace the one that gets shut down.

While this disruption is a real victory, vigilance is still required.

Adam Caudill is a principal security engineer at 1Password, and has 20 years of experience in research, security and software development. Adam's main areas of focus include application security, secure communications and cryptography. He is also an active blogger, speaker ...