TrickBot Malware Under Siege From All Sides, And It’s Working

The Trickbot malware operation is on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet’s command and control servers.

Initial disruption actions seemed to leave the botnet unfazed, as its operators were able to rebuild the infrastructure and the network of infected computers.

Although the battle is not over yet, the latest score in the fight against Trickbot clearly shows that the work of the coalition headed by Microsoft’s Digital Crimes Unit (DCU) has had a serious impact.

TrickBot faces coordinated takedown operation

On October 12, Microsoft and its partners announced that they had taken down some Trickbot C2s.

This was possible after the U.S. District Court for the Eastern District of Virginia granted a request to take down 19 IP addresses in the U.S. that Trickbot used to control infected computers.

The partnership includes ESET, Lumen’s Black Lotus Labs, NTT Ltd, Broadcom’s Symantec enterprise business, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Microsoft Defender team.

Before this, the U.S. Cyber Command reportedly tried to cripple the botnet ahead of the presidential elections by pushing a configuration file to infected computers that cut them off from the controlling servers.

The partners knew right off the bat that this initial salvo would not bring down Trickbot and described it as an ongoing disruption effort with no guarantee of completely taking down the botnet.


Figure: Trickbot C2 servers following the initial disruption led by Microsoft (source: Microsoft)

Last week, cybersecurity company Intel 471 saw that Trickbot continued to infect new computers, helped by its long-time partner Emotet, which also spreads QBot.

“The Emotet bots reached out to their controllers and received commands to download and execute Trickbot on victim machines. The Trickbot group tag that Intel 471 identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more” – Intel 471

A bounce back was expected

Researchers at Lumen’s Black Lotus Labs told BleepingComputer that Trickbot administrators are constantly rotating the C2 IP addresses and changing the infected hosts, making disruption efforts a serious challenge.

They also use separate servers to communicate with the bots and to deliver plugins dedicated to specific tasks (stealing passwords, intercepting traffic, propagating the malware).

Intel 471 notes that Trickbot administrators last week updated the plugin server configuration file with 15 new IPs. They kept two older addresses along with the server’s .onion domain, reachable through the Tor anonymity network.

Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint, told BleepingComputer that Trickbot campaigns had switched to new C2 channels. She added that the initial actions against the botnet did not cause “a direct noticeable change in malicious email disruption leveraging Trickbot.”


The tables are turning

In a blog post today, Microsoft provides an update on the Trickbot disruption operation, saying that, together with its partners around the world, it has worked to disable 94% of Trickbot’s critical infrastructure.

“As of October 18, we’ve worked with partners around the world to eliminate 94% of Trickbot’s critical operational infrastructure including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online”

– Microsoft

Microsoft says that, as of October 18, 120 of the 128 Trickbot servers identified worldwide had been taken down since the beginning of the operation.

Trickbot’s core infrastructure includes internet-of-things (IoT) devices for controlling the botnet. Microsoft and its partners identified seven of them, all in the process of being disabled.

This success does not mean the fight is coming to an end. Trickbot’s unique architecture requires constant action against it to minimize the chances of resurrection.

These efforts will continue until at least November 3, the day of the U.S. Presidential election, aided by new court orders to take down freshly activated servers in the country.

“As we continue to cut off these new servers, our partners are also working to clean and remediate the compromised IoT devices, especially routers, that the Trickbot operators are using as non-traditional command-and-control infrastructure”

– Microsoft

Because TrickBot hosts command and control servers on consumer and business routers, Microsoft is working with internet service providers (ISPs) to help fix the devices without interrupting legitimate traffic.

For the time being, Trickbot administrators are busy setting up new infrastructure, which takes time and a toll on the frequency of fresh attacks.

Microsoft says that it was able to identify new servers and go through the legal channels to disable them in less than three hours. In one case, a hosting provider took down a Trickbot server less than six minutes after receiving the notification about the illegal activity.

In a Trickbot malware sample distributed on October 19, Intel 471 identified 16 new C2 botnet servers dispersed globally, none of them currently responding to requests from infected systems.

Tough to kill

Some Trickbot servers are still active in Brazil, Colombia, Indonesia, and Kyrgyzstan, Intel 471 says. Furthermore, the botnet’s administrators still have partners willing to spread their malware.

Even if these efforts do not cause Trickbot to dwindle into extinction, the botnet may die on its own; but only because threat actors are moving to BazarLoader, a trojan increasingly used by Trickbot operators to target high-value enterprises and deploy Ryuk ransomware on their networks.

“Prior to the disruption, we had already observed some actors that were previously distributing Trickbot switch to BazaLoader, which has been linked by code similarity to Trickbot”

– Sherrod DeGrippo, Proofpoint

DeGrippo also said that Proofpoint has not seen any direct evidence about Trickbot targeting election-related organizations or of its distribution with election-themed messages.
