Botnet fights back after Microsoft’s election security takedown
A week after Microsoft Corp. led a global attack against one of the world's most prolific malware groups, the company says it's winning an ongoing battle to temporarily destabilize the malicious botnet ahead of the U.S. presidential election.
When Microsoft and its coalition of partners attacked the infrastructure supporting the popular Trickbot malware, they identified 69 servers and routers hosting the botnet around the world. As of Oct. 18, they'd compromised 62 of them, according to a Microsoft statement. A botnet is a network of computers infected with malware.
In response, Microsoft observed Trickbot's operators attempt to add 59 new servers to try to salvage their botnet. But those, too, were successfully infiltrated by Microsoft's team within hours of adoption, according to the company.
In all, Microsoft officials said they've “taken down” 120 of those 128 systems.
“As we expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled,” according to Microsoft's statement. “We fully expect that Trickbot's operators will continue looking for ways to stay operational. What we're seeing suggests Trickbot's main focus has become setting up new infrastructure, rather than initiating fresh attacks.”
Microsoft and its partners started their attack on Oct. 9 after winning a court order to disrupt Trickbot, known for infecting and stealing troves of data before exposing victims to ransomware attacks. Cyber-attackers use ransomware to lock users out of their own computers, while demanding payment in exchange for a key to regain access. The threat of ransomware in the days leading up to the Nov. 3 presidential election remains a credible cybersecurity threat against voting systems, according to the U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.
In less than a week, Microsoft's operation has produced results.
When the attack started, Trickbot's system included “many thousands” of active victims, which have since been reduced to “just more than 200,” said Alex Holden, founder of the information security investigations firm Hold Security LLC. However, Trickbot's operators are still armed with the login credentials stolen from its many millions of victims breached in the last five years. Those could still be used to execute a damaging elections-related ransomware attack, if those credentials include access to state and local governments, he said.
“The botnet is down but not out,” said Holden, who specializes in investigating complex malware systems. “It's not mission accomplished.”
Along with activating existing credentials, Trickbot may also attempt to salvage its malicious network by renting space from other botnet operators. This will likely take weeks or months, Holden said.
Microsoft's Tom Burt, corporate vice president for customer security & trust, said it would be a victory just to stifle Trickbot until the U.S. elects its next president. Getting rid of the botnet altogether is a monumental task that will require support from a global coalition, he said. That includes the continued support of internet service providers and server hosts around the world, including in the U.S., Germany, South Korea, Indonesia, Kyrgyzstan, Brazil and Cambodia, he said.
In the days after Microsoft announced its attack, skeptics such as cyber researchers at Proofpoint Inc. and Intel 471 questioned Microsoft's ability to successfully execute a sustained attack. “Typically, these types of actions don't result in a direct reduction of threat activity,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
Intel 471 found that Trickbot had returned as early as Oct. 15. However, Microsoft's early efforts have mitigated some of that skepticism.
“If you can't arrest them, disruption is the next best thing,” said Mark Arena, chief executive officer of Intel 471. “But these guys can and have added new servers all the time. A definitive takedown is asking a lot, but if Trickbot operators are busy on the run trying to fix their infrastructure, then maybe they can keep them on the run until the election.”
Written by Kartikay Mehrotra.