Microsoft fights botnet after Office 365 malware attack

samgush

Posts: 16   +0
Why it matters: Microsoft has announced that it has successfully disrupted Trickbot’s botnet after it had ensnared some of its Office 365 users. The company submitted a legal request to take down the botnet infrastructure run by hackers.

According to Microsoft, its Defender Antivirus team has been working alongside major cybercrime partners to collect samples and unravel critical information related to the botnet scheme. Participants in the cybersecurity data exchange group include FS-ISAC, Lumen’s Black Lotus Labs, ESET, Symantec, and NTT.

According to filed court documents, Microsoft sought permission to take over domains and servers belonging to the malicious Russia-based group. It also wanted legal assent to block IP addresses associated with the plot and prevent the entities behind it from purchasing or leasing servers.

The requests were part of a grander plan of action to destroy data stored in the hackers' systems. The intention was first to block access to servers controlling over 1 million infected machines. This move would be a crucial step in halting control of over an additional 250 million breached email addresses.

Microsoft has said that Trickbot’s strategy was mostly successful because it used a custom third-party Office 365 app. Tricking users into installing it allowed perpetrators to bypass passwords and instead rely on the OAuth2 token. Through this technique, they could access compromised Microsoft 365 user accounts and sensitive data associated with them, such as email content and contact lists.

In the court documents, Microsoft laments that Trickbot used authentic-looking Microsoft email addresses and other company information to malign its clients. It argues that the network used its name and infrastructure for malicious purposes, thereby tarnishing its image.

Tricking users into installing it gave perpetrators the opportunity to bypass passwords and instead rely on the OAuth2 token (credit: YouTube).

Researchers first detected the Trickbot network in 2016. It began as a banking Trojan and developed later into a multiplex malware installer. The updated worm went on to compromise millions of devices worldwide. The entities behind the network have, over the years, leased access to infected systems to other cybercrime syndicates. Analysts widely refer to this as Malware-as-a-Service (MaaS).

Despite Microsoft's and US government agencies' best efforts to take down Trickbot, security experts at Intel471 warn that the recent move appears to have had minimal impact. According to the company, the botnet network is extensively decentralized and utilizes IP masking networks such as Tor to obscure server locations. This elaborate approach minimizes damage caused by targeted takedowns.

As noted in the company’s latest report, “Microsoft’s list of Trickbot IP addresses contained four IP addresses at the time of this report and were being pushed by Trickbot’s operators as Trickbot command and control servers. At the time of this report, Intel 471 has not seen any significant impact on Trickbot’s infrastructure and ability to communicate with Trickbot-infected systems.”

Permalink to story.
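
An added example, not part of the original article and not Microsoft's tooling: a tenant-side audit for the app-consent technique the article describes, flagging delegated grants that hand a third-party app mail or contact access. The records are constructed and shaped like Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources; the scope watch-list, tenant IDs and app names are assumptions.

```python
# Added example: flag delegated OAuth2 grants that expose mail or contacts.
# Field names follow Microsoft Graph's oauth2PermissionGrant and servicePrincipal
# resources; all IDs, app names and tenants below are constructed placeholders.

RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Contacts.Read", "Contacts.ReadWrite"}
HOME_TENANT = "tenant-home"  # assumption: stands in for your own tenant ID

SERVICE_PRINCIPALS = {
    "sp-001": {"displayName": "Contoso Travel",
               "appOwnerOrganizationId": "tenant-home",
               "verifiedPublisher": {"displayName": None}},
    "sp-002": {"displayName": "Document Viewer (sample)",
               "appOwnerOrganizationId": "tenant-ext-1",
               "verifiedPublisher": {"displayName": None}},
    "sp-003": {"displayName": "Fabrikam CRM",
               "appOwnerOrganizationId": "tenant-ext-2",
               "verifiedPublisher": {"displayName": "Fabrikam Inc"}},
}
GRANTS = [
    {"clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-17",
     "scope": " User.Read Mail.Read Contacts.Read offline_access"},
    {"clientId": "sp-003", "consentType": "Principal", "principalId": "user-04",
     "scope": "Mail.Send User.Read"},
]

def audit_grants(grants, principals, home_tenant=HOME_TENANT):
    """Return one finding per grant that carries a mail or contacts scope."""
    findings = []
    for grant in grants:
        scopes = set((grant.get("scope") or "").split())
        risky = sorted(scopes & RISKY_SCOPES)
        if not risky:
            continue
        sp = principals.get(grant["clientId"], {})  # unknown app counts as external
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        external = sp.get("appOwnerOrganizationId") != home_tenant
        findings.append({
            "app": sp.get("displayName", "<unknown app>"),
            "user": grant.get("principalId") or "<all users>",
            "scopes": risky,
            # offline_access lets the app obtain refresh tokens
            "persistent": "offline_access" in scopes,
            "severity": "high" if external and not publisher else "review",
        })
    return findings
```

Grants marked "high" come from an app registered outside the tenant with no verified publisher; those are the ones to review and revoke first.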

 

Uncle Al

Posts: 7,508   +6,004
All that talent, all that money, all that power ..... and they still can't solve the problem ..... Sounds like they need some new talent, starting at the TOP.
 
Reactions: wiyosaya

wiyosaya

Posts: 5,416   +3,487
Good comparison .... perhaps we need to develop our own "Special Forces" to fight against them as JFK did when he signed in on the SF .....
Agreed. I know that history says that JFK was far from perfect in several aspects, however, if we had a president in this day and age that had even half as much leadership ability and integrity as JFK had, the world would likely be a much better place. JFK was on a level of his own and is a difficult comparison for any of our recent presidents.

EDIT: At least someone is trying to do something about it.
 

captaincranky

Posts: 16,141   +4,907
You don't see the gorillas in the background?
I see the chimp right up front, snarling like he's having a psychotic break. The gorillas appear to be a bit more chill.

(And I was trying to be a bit more diplomatic than you in correcting his spelling.)
So you're trying to pass off a snarky remark as diplomatic?

I thought admitting I had to use the spell check, as an "admission absolves guilt" paradigm...
 
Educate end users. Use a solid mail filtering service. Maintain your DNS text records, DMARC settings. Manage your mail identity and reputation.
 

Wizwill

Posts: 123   +56
Educate end users. Use a solid mail filtering service. Maintain your DNS text records, DMARC settings. Manage your mail identity and reputation.
Any data placed online has been effectively given away. I can't think of any way to be certain IP (intellectual property) won't be compromised by a determined attacker.

Cloud services simply collect data in nicely-cataloged files, similar to a bait ball.

Properly secured private servers, with no Internet or wireless capability (wired Ethernet only) and apps that keep all processes onboard your own servers, desktops and devices are the most-secure methods we have currently.

I advise clients not to keep contact lists, IP or financial data in the cloud. Both current VPNs and encryption are porous and provide little solid protection from theft.



 

moon982

Posts: 38   +5
What is the point of Microsoft or the government buying these domains and servers? The bad hackers are just buying hundreds and hundreds of servers and domains and turning them into malware.

Is the US government or Microsoft going to buy all the servers and domains? To stop this? Why? Because that's what it may take. If the hackers are buying hundreds of servers and domains every day.

But the hackers could just put hundreds of new bad servers on the internet. So it's a never-ending thing.
 

captaincranky

Posts: 16,141   +4,907
The problem would sort itself out, if they would simply publicize names of people behind it.
Whose names should be published? As far as I can tell, the people who were unwittingly part of the botnet, should be rather described as "victims".

As far as the operators of the CnC servers go, they might be in Albania, Croatia, Serbia, or any number of other countries, including Russia.

The FBI just has issued arrest warrants for six Soviet hackers. They did publish their names.

Now, what are the chances they're going to just hop on one of those big old Ilyushin II-106, and willingly come over here to answer those charges?

Or, what good would it possibly do to gossip about them with the neighbors?
 

Endymio

Posts: 691   +553
The FBI just has issued arrest warrants for six Soviet hackers...Now, what are the chances they're going to just hop on one of those big old Ilyushin II-106, and willingly come over here to answer those charges?
Given at least two of the six were born after the Soviet Union ceased to exist, and the fact that the Il-106 never flew -- the chances are slim. That is what you meant, right?
 

captaincranky

Posts: 16,141   +4,907
Given at least two of the six were born after the Soviet Union ceased to exist, and the fact that the Il-106 never flew -- the chances are slim. That is what you meant, right?
I just pulled an aircraft number out of my a**, it's really that simple. I knew I had you lookin' out for me, so what harm could it cause?

The TU-330 was cancelled as well, so I opted out on that.

It's pretty obvious that you know all there is to know, so why not cut this poor uninformed dummy some slack?

BTW, do you think Russia will hand those six over to the US, and what aircraft would they use to bring them here?

BTW, I'm pretty sure Putin has convinced himself that the Soviet Union still exists. So, I just use "Soviets" and "Russians" as synonyms. Do you have some sort of critique about that as well?

If you think I'm wrong about that, you should probably interview some people in Crimea, or the Ukraine in general.