Microsoft and Other Tech Companies Take Down TrickBot Botnet

Days after the US Government took steps to disrupt the notorious TrickBot botnet, a group of cybersecurity and tech companies has detailed a separate coordinated effort to take down the malware’s back-end infrastructure.

The joint collaboration, which involved Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, ESET, the Financial Services Information Sharing and Analysis Center (FS-ISAC), NTT, and Broadcom’s Symantec, was undertaken after their request to halt TrickBot’s operations was granted by the US District Court for the Eastern District of Virginia.

The development comes after US Cyber Command mounted a campaign to thwart TrickBot’s spread over concerns that ransomware attacks could target voting systems ahead of next month’s presidential election. Attempts to impede the botnet were first reported by KrebsOnSecurity earlier this month.

Microsoft and its partners analyzed over 186,000 TrickBot samples, using them to track down the malware’s command-and-control (C2) infrastructure employed to communicate with the victim


Microsoft attempts takedown of global criminal botnet

Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election.

The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with a court order Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers. “We’re sure that they are going to notice and it will be hard for them to get back


Microsoft helped disrupt the infamous Trickbot botnet

It’s not just the US government racing to disrupt the Trickbot botnet ahead of elections. Microsoft has revealed that it and multiple partners (including ESET, Lumen’s Black Lotus Labs, NTT, Symantec and FS-ISAC) have taken steps to disrupt Trickbot. The tech giant obtained a court order and used “technical action” to prevent the botnet from either starting new infections or activating any dormant ransomware.

The court approval let the company disable the IP addresses of Trickbot’s command-and-control servers, suspend services to the operators, make server content inaccessible, and block the operators from buying or leasing more servers. On top of this, Microsoft also made copyright claims against Trickbot for reportedly making “malicious use” of the company’s code.

Microsoft was primarily concerned that Trickbot’s operators would use the botnet to disrupt the imminent US election through ransomware. Attackers could lock down systems maintaining voter rolls or reporting on election night results, the


Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August in a set of written responses to Washington Post questions. “The Department of Defense, and Cyber Command specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”

Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. Cyber criminals have used it to install ransomware, a particularly nasty form of malware that encrypts users’ data and for which the criminals then demand payment — usually in cryptocurrency — to unlock.

Brian Krebs, who writes the


New Ttint IoT botnet caught exploiting two zero-days in Tenda routers

Image via Tenda website

For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.

Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.

But unlike the myriad of IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.

It didn’t just infect devices to perform DDoS attacks, but also implemented 12 different remote access methods to the infected routers, used the routers as proxies to relay traffic, tampered with the router’s firewall and DNS settings, and even gave attackers the ability to execute remote commands on the infected devices.

“Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure […] that moves around.
