Cyber Command and Microsoft pile in on TrickBot

The Risky Biz newsletter for October 13, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Cyber Command, Microsoft pile in on TrickBot

In late September, private sector threat analysts planning a takedown of the TrickBot botnet were surprised to discover that somebody was already a step ahead of them.

On September 22 and again on October 1, an unknown party pushed a new configuration file to TrickBot infected-devices that redirected command and control (C2) traffic back to the infected machine’s own loopback address (127.0.0.1). The attacker also fed bogus records into TrickBot’s database of infected devices.

It looked, according to Risky Business host Patrick Gray, like an operation “straight from a whiteboard at Cyber Command”. By Friday, four US Government sources had told Ellen Nakashima at The Washington Post that it actually was a Cyber Command Op. Her article asserts the operation extended USCC’s ‘persistent engagement’ model to the TrickBot group.

The operation took place just a few days before a separate effort to disrupt TrickBot kicked into gear. On October 6, Microsoft appeared before a US court and successfully argued that because Trickbot executables are often disguised as components of the Windows operating system, the malware’s authors had violated Microsoft’s IP rights under the US Digital Millennium Copyright Act. Microsoft and FS-ISAC showed the court a brief of evidence that included analysis of TrickBot malware and its C2 infrastructure by ESET, NTT, Symantec and Black Lotus Labs, the cyber security division of Lumen (previously CenturyLink).

Mike Benjamin, head of Black Lotus Labs told Risky.Biz that the consortium felt the need to impose costs on TrickBot operators because of the role the malware often plays in ransomware campaigns. His team helped to enumerate TrickBot’s network infrastructure, providing Microsoft’s lawyers a list of C2 to go after.

Microsoft now has a legal template to disrupt any TrickBot infrastructure hosted in the United States: specifically to “disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers”.

Initially, we should only expect to see an impact from this Microsoft-led initiative on TrickBot C2 hosted in the US. But Benjamin explained that the court case provides Lumen, NTT and other large network operators with the legal cover required to act on TrickBot C2s on its infrastructure more broadly. Lumen has started null-routing the IP addresses it associates with TrickBot C2s, and hopes that other service providers contacted by Microsoft will do the same.

Another source close to the effort told Risky.Biz that Microsoft will ask service providers in around 20 countries to honour the spirit of the US court order. But that leaves plenty of countries that host TrickBot C2 (like Russia, for example) that probably won’t. TrickBot C2s are distributed fairly evenly around the world and have bounced back quickly from previous disruptions.

“Our goal is to raise the cost of an actor being successful. Even if we can get rid of half of the available infrastructure on earth for them to run control servers, that’s absolutely worth the effort,” Benjamin said.

What isn’t clear is how effective these C2 takedowns will be against fallback methods built into TrickBot. Intel 471 analysts note that Trickbot infections can connect to backup C2s via Tor onion services or domains controlled by the EmerDNS decentralised DNS. (We’re still thinking through the ramifications of TrickBot C2 being forced onto those services. It’s likely feasible for enterprises to block outbound Tor connections and EmerDNS lookups, which might explain why these C2 methods were never TrickBot’s defaults.)

We also don’t know what legal authority Cyber Command relied on to take action against TrickBot, which is (mostly?) a non-state actor. The most obvious case might be made that Cyber Command was acting against perceived threats to election security under its statutory authorities.

We certainly think it’d be more fun if USCC recognised top Russian ransomware crews as targets in perpetuity. That’d, you know, give the hounds some daily exercise.

“Seven eyes” exhume E2EE gripes

For a third year running, public safety officials across the Five Eyes countries (Australia, Canada, New Zealand, United Kingdom and United States) have published a communique on the topic of E2EE (end to end encryption).

The joint statement rehashes the usual arguments about lawful access to encrypted content. The only difference is that they’ve now recruited the governments of India and Japan to the campaign.

Specifically, the communique calls on the technology sector to:

  • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
  • Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
  • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

At the risk of repeating ourselves: the use of E2EE in and of itself doesn’t prevent a service provider from responding to a lawful access request – service providers could choose to build mechanisms into their platforms that allows for access to user content when served with a warrant. But here be dragons: any such proposals will be pretty fraught in the details. So the can gets kicked down the road once again. We can hardly wait for the 2021 statement.

Everybody is using the Netlogon bug

As expected, cybercrime gangs and APTs zeroed in on a bug in Microsoft’s Netlogon protocol faster than flies on dung.

Microsoft warned that TA505, a Russian-speaking adversary that provides initial access and ongoing support to numerous ransomware gangs, used the vulnerability for lateral movement in recent attacks. Microsoft previously warned that Iranian state-backed attackers were also toying with it.

CISA and the FBI published a detailed account of how the bug was used in recent state-backed attacks on US state and local governments. Threat actors continue to rely on known flaws in network devices for initial access – with a particular penchant for a 2019 bug in Fortinet VPN devices and the MobileIron bug discussed in our last two newsletters – before using the Netlogon bug as their express ticket to domain admin.

Big game crew holds Software AG to ransom

A ransomware crew has published sensitive documents about the employees of Software AG, Germany’s second-largest enterprise software provider, after the company refused to pay a US$20 million ransom.

Catalin Cimpanu at ZDNet broke the news that the company’s network was infected October 3 by the ‘CL0P’ ransomware group. The attackers claim to have stolen 1TB of data and are growing impatient for a return on their investment.

Software AG said that systems used to provide cloud services to clients were not compromised in the attack.

You’ve got mail

To: Russia, Ukraine, Mongolia and the ‘stans
From: China
The team at Cyberscoop did their homework on ‘SlothfulMedia’, the malware US Cyber Command dumped on VirusTotal last week. Analysts link the malware to a state-backed group in China that has targeted Russia (ooooh!), Ukraine, India, Kazakhstan, Kyrgyzstan and Malaysia.

To: Vietnamese dissidents in Germany
From: Ocean Lotus
Vietnam’s military hacking team Ocean Lotus is targeting Vietnamese dissidents in Europe. It’s also gone after German journalists who told the dissidents’ stories.

Ivan’s back

After taking a little time off, the operators of the Emotet botnet are back on deck this week. So now is a good time to read a fresh breakdown of Emotet malware by the folks at CISA. If you want a feel for the scale of Emotet, an Italian AV company now maintains haveibeenemotet, which tells you if your domain has been imitated or targeted in Emotet lures. Cute.

Qihoo 360 gives China a brief, filtered look outside

Tuber, a Qihoo 360-backed browser surged to five million users on Friday after users learned it could provide access to banned sites like YouTube and Facebook, albeit via mechanisms that filtered out politically sensitive content. By Saturday, Tuber had been removed from all app stores.

Three reasons to actually be cheerful this week:

  1. Label all the things: Singapore launched a security labelling scheme for IoT devices, starting with home routers/hubs. Vendors can self-declare to score a one or two star rating for basic hygiene, but kit must be independently tested for three or four stars.
  2. Deplatforming the fascists: Google worked with one of its hosting resellers to kick the Proud Boys website off its service. There’s now also a league table called nazis.wtf that ranks hosting providers by how often they turn a blind eye to fascist content.
  3. Deplatforming the nutters: Facebook and Instagram banned groups, pages or accounts that claim to be part of QAnon.

Can’t we split the fare?

Former Uber CISO Joe Sullivan is suing his former employer for refusing to help cover his legal costs after the Department of Justice charged him with obstruction of justice and misprision over his handling of a 2016 data breach.

DOJ squashes fake news sites

The US Department of Justice seized 92 domains registered by an Iran-based disinformation network.

Belgian telco drops Huawei for Nokia

Orange Belgium is replacing Huawei kit in its mobile network with Nokia equipment, according to Reuters.

Plug, plug, plug

Last week we moderated a brief fireside chat on critical infrastructure security with former US Secretary of Homeland Security Kirstjen Nielsen and Telstra CEO Andy Penn, as part of an Atlantic Council event.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.