Tag Archive for: effort

US military steps up cyberwarfare effort | | elpasoinc.com – El Paso Inc.




Source…

FBI-Led Global Effort Takes Down Massive Qakbot Botnet


Botnet text on a red background of binary values.
Image: Whatawin/Adobe Stock

A multinational action called Operation “Duck Hunt” — led by the FBI, the Department of Justice, the National Cybersecurity Alliance, Europol, and crime officials in France, Germany, the Netherlands, Romania, Latvia and the U.K. — was able to gain access to the Qakbot network and shut down the malicious botnet, which has affected 700,000 computers worldwide.


Qakbot nets nearly $58 million in ransom in just 18 months

Over more than 15 years of activity, Qakbot (aka Qbot and Pinkslipbot) grew from a banking trojan into a loader whose access was used in some 40 ransomware attacks on companies, governments and healthcare operations; in total it infected some 700,000 computers. Like most ransomware intrusions, Qakbot reached victims through spam emails carrying malicious attachments or links, according to the Justice Department. The DOJ noted that over just the past year and a half, Qakbot's operators took in nearly $58 million in ransoms. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency in illicit profits (here's the department's seizure warrant).

According to the DOJ, the action represented the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activities.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland in a statement.


FBI Director Christopher Wray said on the FBI’s website that the victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.

FBI injects computers with uninstaller file to dislodge Qakbot

The FBI said that, as part of the operation, it gained access to Qakbot’s infrastructure and identified hundreds of thousands of infected computers worldwide, including more than 200,000 in the U.S. As part of the action, the Bureau…

Source…

‘Nitrogen’ Ransomware Effort Lures IT Pros via Google, Bing Ads


Hackers are planting fake advertisements — “malvertisements” — for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.

The scheme centers on pay-per-click ads on Google and Bing, which link to compromised WordPress sites and phishing pages mimicking the download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up with the software they intended to install, delivered alongside a trojanized Python package containing initial access malware, which the attackers then use to drop further payloads.

Researchers from Sophos are calling the campaign “Nitrogen.” It has already touched several technology companies and nonprofits in North America. Though none of the known cases has yet been successful, the researchers noted that “hundreds of brands [have been] co-opted for malvertising of this sort across multiple campaigns in recent months.”

“The key thing here is that they’re targeting IT people,” says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization’s most sensitive systems, he says, “is actually a fairly efficient and effective way of targeting.”

Honeypots for IT Pros

Search engine surfers who click on a Nitrogen malvertisement will typically end up on a phishing page mimicking the actual download page for the software they’re attempting to download — for example, “winsccp[.]com,” with that extra “c” subtly added in.

In one case, instead of a mere phishing page, the researchers discovered a compromised WordPress site at mypondsoftware[.]com/cisco. The researchers noted that “all other links on the mypondsoftware[.]com point to legitimate cisco.com Web pages, except for the download link for this particular installer,” which directs to a malicious phishing page.
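The lookalike domains above (an extra letter, a swapped TLD, the brand name embedded in a longer name) are the part of this campaign that a proxy or DNS log can catch before anything runs. The following is an added example, not Sophos' code or anything from the campaign write-up: it scans constructed proxy log lines for hosts that resemble a small allowlist of legitimate vendor domains without being them. The allowlist, the log format and the thresholds are assumptions to adapt; note that the compromised mypondsoftware[.]com case is a genuine domain with one poisoned link, so a name-based check like this one is not expected to flag it.

```python
import re
from urllib.parse import urlparse

# Real vendor domains for the tools Nitrogen impersonated (assumption: build this
# list yourself from the vendors' sites and extend it with what your IT staff use).
LEGIT_DOMAINS = {"winscp.net", "anydesk.com", "cisco.com", "jam-software.com"}

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
# mypondsoftware.com is the compromised site from the write-up: a genuine domain
# with one poisoned link, so a name-based check is not expected to flag it.
SAMPLE_LOG = """\
2023-07-26T10:01:02Z 10.0.0.5 GET https://winscp.net/eng/download.php 200
2023-07-26T10:03:44Z 10.0.0.5 GET https://winsccp.com/download 200
2023-07-26T10:05:10Z 10.0.0.9 GET https://www.anydesk.com/en/downloads 200
2023-07-26T10:07:31Z 10.0.0.9 GET https://anydesk-download.net/AnyDesk.exe 200
2023-07-26T10:09:00Z 10.0.0.12 GET https://winscp.com/eng/download.php 200
2023-07-26T10:11:15Z 10.0.0.12 GET https://mypondsoftware.com/cisco 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def osa_distance(a, b):
    """Optimal string alignment distance: single-character insertions, deletions,
    substitutions and adjacent transpositions, which covers the usual typosquats
    (winsccp, wniscp, winsp, winscq)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net; a production version
    should use the public suffix list so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return (reason, impersonated_domain) if host resembles a legitimate vendor
    domain without being one, else None."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return None
    name = dom.split(".")[0]
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        if name == brand:
            return ("tld-swap", legit)          # winscp.com vs winscp.net
        if osa_distance(name, brand) <= 1:
            return ("typo", legit)              # winsccp vs winscp
        if re.search(rf"(^|-){re.escape(brand)}(-|$)", name):
            return ("brand-embedded", legit)    # anydesk-download
    return None


def scan_log(text):
    """Parse proxy log lines and return the requests that went to lookalike domains."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        verdict = lookalike_of(host)
        if verdict:
            reason, target = verdict
            hits.append({"time": ts, "client": client, "host": host,
                         "reason": reason, "impersonates": target})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} -> {h['host']} ({h['reason']} for {h['impersonates']})")
```

The brand-embedded rule is anchored on label boundaries (`anydesk-download`, not every string containing `cisco`) to keep noise down; the distance threshold of 1 is deliberately tight, since raising it makes short brand names collide with unrelated words. Run it against a day of proxy or DNS logs after allowlisting the vendor domains your administrators actually use.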

Hitting “download” on any of these pages fetches a trojanized ISO. Inside it is the legitimate installer for the software the user wanted, placed next to a malicious dynamic link library (DLL); when the installer runs it sideloads that DLL, so the victim does get the real application while the DLL deploys the initial access malware.

From here, the malicious attack chain establishes a connection to attacker-controlled command and control (C2) infrastructure, and drops…

Source…

Router Rebooter Without The Effort


It’s one of the rituals of our age, rebooting the family router when the bandwidth falters. Flip the power, and after half a minute or so your YouTube video starts up again. Consumer-grade router hardware is not the most reliable computing equipment you will own, as [Nick Sayer] found out when the router at his vacation home wasn’t reliable enough to support his remote monitoring equipment. His solution is an auto-reboot device, that power-cycles the offending device on command.

An obvious method might be to switch the mains supply, but instead he’s taken the simpler option of switching the DC from the router’s wall wart power supply with a cunning arrangement of three MOSFETs to keep the router defaulting to on under all conditions except when it is commanded to power down by the ATtiny microcontroller overseeing it. This chip provides extra fail-safe and debouncing functions to ensure no accidental rebooting.

Driving the circuit is a Raspberry Pi that handles the house monitoring. On it, a Python script checks for Internet access and asks for a reboot if there is none. For extra safety it requires access to be down for a sustained period before doing so, so that a temporary loss of connectivity, such as during a router firmware upgrade, does not trigger a power cycle (cutting power mid-upgrade is a good way to brick the device).
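The interesting part of that script is the policy, not the probe: hold off on a short blip, fire only after a sustained outage, and never power-cycle again while the router is still coming back up. The following is an added example of that logic, not [Nick Sayer]'s code; the probe targets, the timings and the assumption that the ATtiny is triggered by a short high pulse on a GPIO line are all mine, since the write-up does not give them. The decision logic is separated from the I/O so it can be exercised with a fake clock.

```python
import socket
import time

# Tuning knobs (assumptions; the original build's values are not given in the write-up).
CHECK_INTERVAL_S = 60             # probe once a minute
OUTAGE_BEFORE_REBOOT_S = 15 * 60  # must be down this long before we pull power
REBOOT_COOLDOWN_S = 30 * 60       # never power-cycle twice inside this window
PROBES = (("1.1.1.1", 53), ("8.8.8.8", 53))  # public resolvers, TCP/53


def internet_up(probes=PROBES, timeout=3.0):
    """Live probe: a TCP connect to any one of several external hosts counts as up,
    so a single resolver having a bad day does not reboot the router."""
    for host, port in probes:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


class RebootWatchdog:
    """Pure decision logic, kept free of I/O so it can be tested with a fake clock."""

    def __init__(self, outage_s=OUTAGE_BEFORE_REBOOT_S, cooldown_s=REBOOT_COOLDOWN_S,
                 now=time.monotonic):
        self.outage_s = outage_s
        self.cooldown_s = cooldown_s
        self.now = now
        self.down_since = None
        self.last_reboot = None

    def observe(self, up):
        """Feed one probe result. Returns True exactly when a power-cycle should be requested."""
        t = self.now()
        if up:
            self.down_since = None        # any success resets the outage timer
            return False
        if self.down_since is None:
            self.down_since = t
        if t - self.down_since < self.outage_s:
            return False                  # short blip, or the router is mid firmware upgrade
        if self.last_reboot is not None and t - self.last_reboot < self.cooldown_s:
            return False                  # we already cycled it; give it time to come back
        self.last_reboot = t
        self.down_since = t               # start counting afresh after the reboot
        return True


def pulse_gpio(pin=17, hold_s=0.5):
    """Assumed signalling to the ATtiny: a short high pulse on one GPIO line.
    Uses RPi.GPIO on the Pi; anywhere else it only reports what it would do."""
    try:
        import RPi.GPIO as GPIO
    except ImportError:
        print(f"[dry-run] would pulse GPIO{pin} high for {hold_s}s")
        return
    GPIO.setmode(GPIO.BCM)
    GPIO.setup(pin, GPIO.OUT, initial=GPIO.LOW)
    GPIO.output(pin, GPIO.HIGH)
    time.sleep(hold_s)
    GPIO.output(pin, GPIO.LOW)
    GPIO.cleanup(pin)


if __name__ == "__main__":
    wd = RebootWatchdog()
    while True:
        if wd.observe(internet_up()):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "sustained outage, requesting router reboot")
            pulse_gpio()
        time.sleep(CHECK_INTERVAL_S)
```

The cooldown matters as much as the outage threshold: without it, a router that takes two minutes to boot would look "still down" on the next probe and the script would keep cycling it. Using `time.monotonic` rather than wall-clock time keeps the timers honest across NTP corrections, which on a freshly rebooted Pi with no RTC can be large.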

This isn’t the first router rebooter; for a mains-switching ESP8266 take, look at this one.

Router picture: Asim18 [CC BY-SA 3.0]


Source…