TECHNOLOGY

Microsoft attempts takedown of global criminal botnet

Oct 12, 2020, 5:01 PM
cybercrime Trickbot...
FILE - A woman walks in front of the Microsoft stand during the Cybersecurity Conference in Lille, northern France, Wednesday Jan. 29, 2020. Microsoft announced legal action Monday, Oct. 12, 2020 seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election. (AP Photo/Michel Spingler)
(AP Photo/Michel Spingler)

Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election.

The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with an order that Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers.

“We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”

OTHER TECH STORIES:  Dave & Dujanovic: The dark web and its dangers for kids

Cybersecurity experts said that Microsoft’s use of a U.S. court order to persuade internet providers to take down the botnet servers is laudable. But they add that it’s not apt to be successful because too many won’t comply and because Trickbot’s operators have a decentralized fall-back system and employ encrypted routing.

Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders.” And the cybersecurity firm Intel 471 reported no significant hit on Trickbot operations Monday and predicted “little medium- to long-term impact” in a report shared with The Associated Press.

But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said that a temporary Trickbot disruption could, at least during the election, limit attacks and prevent the activation of ransomware on systems already infected.

The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by the U.S. military’s Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking providers to deny hosting to domains used by command-and-control servers.

A U.S. policy called “persistent engagement” authorizes U.S. cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation jockeys during U.S. midterm elections in 2018.

Created in 2016 and used by a loose consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware in the computers of unwitting individuals and websites. In recent months, its operators have been increasingly renting it out to other criminals who have used it to sow ransomware, which encrypts data on target networks, crippling them until the victims pay up.

One of the biggest reported victims of a ransomware variety sowed by Trickbot called Ryuk was the hospital chain Universal Health Services, which said all 250 of its U.S. facilities were hobbled in an attack last month that forced doctors and nurses to resort to paper and pencil.

U.S. Department of Homeland Security officials list ransomware as a major threat to the Nov. 3 presidential election. They fear an attack could freeze up state or local voter registration systems, disrupting voting, or knock out result-reporting websites.

While cybersecurity experts say the operators of Trickbot and affiliated digital crime syndicates are Russian speakers mostly based in eastern Europe, they caution that they are motivated by profit, not politics. They do, however, operate with impunity with no interference from the Kremlin as long as their targets are abroad.

Trickbot is a particularly robust internet nuisance. Called “malware-as-a-service,” its modular architecture lets it be used as a delivery mechanism for a wide array of criminal activity. It began mostly as a so-called banking Trojan that attempts to steal credentials from online bank account so criminals can fraudulently transfer cash.

But recently, researchers have noted a rise in Trickbot’s use in ransomware attacks targeting everything from municipal and state governments to school districts and hospitals. Ryuk and another type of ransomware called Conti — also distributed via Trickbot — dominated attacks on the U.S. public sector in September, said Callow of Emsisoft.

Alex Holden, founder of Milwaukee-based Hold Security, tracks Trickbot’s operators closely and said the reported Cybercom disruption — involving efforts to confuse its configuration through code injections — succeeded in temporarily breaking down communications between command-and-control servers and most of the bots.

“But that’s hardly a decisive victory,” he said, adding that the botnet rebounded with new victims and ransomware.

The disruption — in two waves that began Sept. 22 — was first reported by cybersecurity journalist Brian Krebs.

The AP could not immediately confirm the reported Cybercom involvement.

Today’s Top Stories

Technology

In this image provided by NASA, the Earth and its moon are seen from NASA's Orion spacecraft on Mon...
Jackie Wattles, CNN

NASA’s Orion reaches record-breaking distance from Earth

NASA confirmed that Orion had reached the midpoint of its uncrewed mission around the moon — about 270,000 miles (434,523 kilometers) from Earth.
17 hours ago
Former US President Donald Trump's Twitter account has been reinstated on the platform....
Clare Duffy and Paul LeBlanc, CNN

Elon Musk restores Donald Trump’s Twitter account

Former US President Donald Trump's Twitter account has been reinstated on the platform.
11 days ago
With employees with the company, the future of Twitter is in uncertain. Photo credit: Justin Sulliv...
Oliver Darcy, CNN Business

Inside Twitter as ‘mass exodus’ of staffers throws platform’s future into uncertainty

With employees leaving the company, the future of Twitter is uncertain.
12 days ago
NASA's Space Launch System (SLS) rocket with the Orion spacecraft aboard is seen on Nov. 12 at NASA...
Jackie Wattles, CNN

Historic moon mission troubleshoots fuel leak issue hours before launch

The Artemis I mission to the moon could finally take place this week.
15 days ago
FILE - A Tesla owner charges his vehicle at a charging station in Topeka, Kan., Monday, April 5, 20...
Peter Valdes-Dapena, CNN Business

Tesla officially makes its charging standard available to other companies

Tesla has invited other automakers to build cars with charging ports that can work with Tesla's charging format and for other charging companies to add Tesla-style plugs to their chargers.
18 days ago
Former US President Donald Trump's Twitter account has been reinstated on the platform....
BARBARA ORTUTAY AP Technology Writer

Twitter Blue signups unavailable after raft of fake accounts

Blue checkmark "verification" was unavailable for purchase Friday after the social media platform was flooded by impostor accounts approved by Twitter.
19 days ago

Sponsored Articles

Happy joyful smiling casual satisfied woman learning and communicates in sign language online using...
Sorenson

The best tools for Deaf and hard-of-hearing workplace success

Here are some of the best resources to make your workplace work better for Deaf and hard-of-hearing employees.
Team supporters celebrating at a tailgate party...
Macey's

8 Delicious Tailgate Foods That Require Zero Prep Work

In a hurry? These 8 tailgate foods take zero prep work, so you can fuel up and get back to what matters most: getting hyped for your favorite
christmas decorations candles in glass jars with fir on a old wooden table...
Western Nut Company

12 Mason Jar Gift Ideas for the 12 Days of Christmas [with recipes!]

There are so many clever mason jar gift ideas to give something thoughtful to your neighbors or friends. Read our 12 ideas to make your own!
wide shot of Bear Lake with a person on a stand up paddle board...

Pack your bags! Extended stays at Bear Lake await you

Work from here! Read our tips to prepare for your extended stay, whether at Bear Lake or somewhere else nearby.
young boy with hearing aid...
Sorenson

Accommodations for students who are deaf and hard of hearing

These different types of accommodations for students who are deaf and hard of hearing can help them succeed in school.
Young woman receiving laser treatment...
Form Derm Spa

How facial plastic surgery and skincare are joining forces

Facial plastic surgery is not only about looking good but about feeling good too. The medical team at Form Spa are trained to help you reach your aesthetic outcomes through surgery and through skincare and dermatology, too.
Microsoft attempts takedown of global criminal botnet