Threat Watch

Microsoft, FS-ISAC, ESET and Others Coordinate Takedown of Trickbot

On Monday, October 12th, a coalition of companies and organizations cooperated to help over one million victims of the Trickbot malware through legal action and technical takedowns. The coalition included Microsoft’s Digital Crimes Unit, Symantec, ESET, Lumen, NTT, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). Microsoft won a court order from the United States District Court for the Eastern District of Virginia that gave the company the authority to disable communication to the IP addresses of the botnet’s Command and Control (C2) servers, render the content stored on the servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers. Acting on the court order required the cooperation of many companies, Internet Service Providers, and Computer Emergency Readiness Teams (CERTs) across the globe. As a result of these efforts, all of the currently infected victims of Trickbot can be identified. It will take a long time to notify all of the companies and individuals so that they can clean up the malware on their systems, but at least for the time being, it should not be possible for the threat actors behind the botnet to use it to deliver additional malware. Trickbot has been used in the past to deliver Ryuk ransomware as well as other threats.

ANALYST NOTES

Even though the Trickbot infrastructure has been disrupted, defenders still need to be aware of the other methods that the threat actors behind Ryuk and other ransomware continue to use to compromise systems. The BazarLoader and BazarBackdoor phishing campaigns have recently been used to deliver Cobalt Strike Beacon, take over entire domains, and then deliver ransomware to a majority of systems across the network. Organizations should invest in email threat scanning and employee education to spot malware delivered via email. Unpatched servers, especially VPN and other public-facing remote access servers, have been leveraged in conjunction with the Zerologon vulnerability to devastating effect. It is important for all organizations to have a regular patch maintenance program, and to change all passwords after any exposure of a vulnerability. In many cases, threat actors exploit the vulnerable servers just to steal passwords and then come back later, even after the server is patched, to gain remote access with a valid password. Ideally, all remote access services should require strong multi-factor authentication instead of just a password.